fix an XSS issue in an error message
The issue was reported by Diego Di Nardo.
infrastation committed Jun 11, 2019
1 parent a70b10d commit 2ce35ad
Showing 2 changed files with 4 additions and 1 deletion.
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,5 +1,6 @@
0.21.3
update: add a log entry limit to the object page (Mantis#769)
bugfix: fix an XSS issue in an error message
0.21.2 2019-03-25
update: enable CSS and JavaScript from external URLs (GH#231)
update: 802.1Q: do permission check for changing native vlan while keeping the allowed vlans list unchanged
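Review bot: the new "bugfix: fix an XSS issue in an error message" entry under 0.21.3 does not say which error message or which request values were involved, so an operator reading the ChangeLog cannot judge whether their deployment was exposed. Consider naming the affected check (the ophandler lookup in wwwroot/index.php) and crediting the reporter in the entry, as the commit message already does.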
4 changes: 3 additions & 1 deletion wwwroot/index.php
@@ -219,12 +219,14 @@
if ($op == 'addFile' && !isset($_FILES['file']['error']))
throw new RackTablesError ('File upload error, check upload_max_filesize in php.ini', RackTablesError::MISCONFIGURED);
fixContext();
// This could be a malformed request rather than an internal error, but spelling
// that in proper detail would require finer checks.
if
(
! isset ($ophandler[$pageno][$tabno][$op]) ||
! is_callable ($ophandler[$pageno][$tabno][$op])
)
throw new RackTablesError ("Invalid navigation data for '${pageno}-${tabno}-${op}'", RackTablesError::INTERNAL);
throw new RackTablesError ('This request has no ophandler function.', RackTablesError::INTERNAL);
// We have a chance to handle an error before starting HTTP header.
if (!isset ($delayauth["${pageno}-${tabno}-${op}"]))
assertPermission();
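Review bot: at the replacement `throw new RackTablesError ('This request has no ophandler function.', RackTablesError::INTERNAL);`, the fix works by dropping `${pageno}-${tabno}-${op}` from the message instead of encoding it. That implies the code displaying RackTablesError messages does not HTML-encode them, so any other throw that interpolates request-derived values would have the same problem. Consider encoding the message at the point where the exception is rendered (for example with htmlspecialchars and ENT_QUOTES) so the whole class is closed at the sink, and writing the rejected pageno/tabno/op to the server-side log so the diagnostic detail removed here is not lost. The added comment also says this may be a malformed request, yet the code stays RackTablesError::INTERNAL; a short note on why INTERNAL is still the chosen code would help the next reader.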
