fix goback url to avoid security issues
fmancardi committed Apr 4, 2020
1 parent 72271ef commit 2d17cd0
Showing 2 changed files with 20 additions and 23 deletions.
21 changes: 11 additions & 10 deletions lib/cfields/cfieldsExport.php
Expand Up @@ -7,14 +7,9 @@
*
* @package TestLink
* @author Francisco Mancardi (francisco.mancardi@gmail.com)
* @copyright 2005-2009, TestLink community
* @version CVS: $Id: cfieldsExport.php,v 1.4 2010/03/15 20:23:09 franciscom Exp $
* @link http://www.teamst.org/index.php
* @copyright 2005-2020, TestLink community
* @uses config.inc.php
*
* @internal Revisions:
* 20100315 - franciscom - added tlInputParameter() on init_args + goback managament
* 20090719 - franciscom - db table prefix management
*
*/
require_once("../../config.inc.php");
Expand All @@ -25,6 +20,7 @@
$templateCfg = templateConfiguration();
$args = init_args();


$gui = new stdClass();
$gui->page_title = lang_get('export_cfields');
$gui->do_it = 1;
Expand Down Expand Up @@ -61,12 +57,17 @@ function init_args()
$args = new stdClass();
$_REQUEST = strings_stripSlashes($_REQUEST);

$iParams = array("doAction" => array(tlInputParameter::STRING_N,0,50),
"export_filename" => array(tlInputParameter::STRING_N,0,100),
"goback_url" => array(tlInputParameter::STRING_N,0,2048));
$iParams =
array("doAction"
=> array(tlInputParameter::STRING_N,0,50),
"export_filename"
=> array(tlInputParameter::STRING_N,0,100));

R_PARAMS($iParams,$args);
$args->userID = $_SESSION['userID'];
$args->userID = $_SESSION['userID'];

$args->goback_url = $_SESSION['basehref'] .
'lib/cfields/cfieldsView.php';

return $args;
}
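Review bot: The new goback_url in init_args() is only as trustworthy as `$_SESSION['basehref']`; if that session value is derived from the request's Host header rather than from server configuration, a redirect target built from it is still attacker-influenced, so confirm where basehref is populated before treating this as closed. The concatenation also assumes basehref ends with a slash; `rtrim($_SESSION['basehref'], '/') . '/lib/cfields/cfieldsView.php'` would not depend on that. The reason goback_url was dropped from $iParams is not recorded in the code, and a maintainer could re-add it; a comment above the assignment such as `// goback_url is fixed server-side: a request-supplied value could point the "back" link at an arbitrary URL` would preserve the intent. The two adjacent `$args->userID` lines are presumably the old/new rendering of one reindented line; if both are actually on the new side, one should go.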
22 changes: 9 additions & 13 deletions lib/cfields/cfieldsImport.php
Expand Up @@ -7,13 +7,10 @@
*
* @package TestLink
* @author Francisco Mancardi (francisco.mancardi@gmail.com)
* @copyright 2005-2013, TestLink community
* @filesource cfieldsImport.php,v 1.5 2010/03/15 20:22:42 franciscom Exp $
* @link http://www.teamst.org/index.php
* @copyright 2005-2020, TestLink community
* @filesource cfieldsImport.php
* @uses config.inc.php
*
* @internal revisions
* @since 1.9.9
*/
require('../../config.inc.php');
require_once('common.php');
Expand Down Expand Up @@ -64,17 +61,16 @@ function init_args()
$args = new stdClass();
$_REQUEST = strings_stripSlashes($_REQUEST);

$iParams = array("doAction" => array(tlInputParameter::STRING_N,0,50),
"export_filename" => array(tlInputParameter::STRING_N,0,100),
"goback_url" => array(tlInputParameter::STRING_N,0,2048));
$iParams =
array("doAction" => array(tlInputParameter::STRING_N,0,50),
"export_filename"
=> array(tlInputParameter::STRING_N,0,100));

R_PARAMS($iParams,$args);
$args->userID = $_SESSION['userID'];

// $args->doAction = isset($_REQUEST['doAction']) ? $_REQUEST['doAction'] : null;
// $args->export_filename=isset($_REQUEST['export_filename']) ? $_REQUEST['export_filename'] : null;
// $args->goback_url = isset($_REQUEST['goback_url']) ? $_REQUEST['goback_url'] : null;

$args->userID = $_SESSION['userID'];
$args->goback_url = $_SESSION['basehref'] .
'lib/cfields/cfieldsView.php';

return $args;
}
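Review bot: `$args->userID = $_SESSION['userID'];` appears twice in init_args() on this page, once right after R_PARAMS() and again just before the new goback_url assignment; if the first is surviving context rather than a removed line, the new file assigns it twice and the earlier copy should be deleted. As in cfieldsExport.php, the goback_url is now built from `$_SESSION['basehref']`, which only removes the risk if basehref comes from configuration and not from a request header — worth confirming at the place the session value is set. The page path `'lib/cfields/cfieldsView.php'` is now hard-coded identically in both files; if they are kept in sync by hand, a comment such as `// must match the goback target in cfieldsExport.php` keeps them from drifting.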
