sanitize special characters in action gets
lachlan-00 committed Jan 4, 2023
1 parent 1139fc2 commit d319150
Showing 11 changed files with 13 additions and 13 deletions.
2 changes: 1 addition & 1 deletion public/templates/show_alphabet_form.inc.php
Expand Up @@ -26,5 +26,5 @@
<form style="display:inline;" name="f" method="get" action="<?php echo AmpConfig::get('web_path') . "/$action"; ?>" enctype="multipart/form-data">
<label for="match" accesskey="S"><?php echo $text; ?></label>
<input type="text" id="match" name="match" value="<?php echo $match; ?>" />
<input type="hidden" name="action" value="<?php echo scrub_out(filter_input(INPUT_GET, 'action', FILTER_SANITIZE_URL)); ?>">
<input type="hidden" name="action" value="<?php echo scrub_out(filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS)); ?>">
</form>
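Review bot: The new hidden-field value on line 17 is escaped twice: FILTER_SANITIZE_SPECIAL_CHARS turns `<>&"'` into numeric entities, and scrub_out (assuming it is the project's htmlspecialchars wrapper) then re-encodes the `&` of each entity, so a value such as `a<b` is submitted back as the literal text `&#60;b`. Escaping once at the HTML sink is sufficient and avoids the mangling: `<input type="hidden" name="action" value="<?php echo scrub_out((string) filter_input(INPUT_GET, 'action')); ?>">`. The same form still echoes `$action` into the action attribute and `$match` into the text field without escaping; where they are assigned is outside this hunk, but if either comes from the request they need the same scrub_out treatment. Since `action` is a dispatch key, validating it against the known action names would be stricter than any sanitizer.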
2 changes: 1 addition & 1 deletion public/templates/show_form_browse.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
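Review bot: The rewritten `$filter_str` on line 25 applies HTML-entity encoding to a value whose consumer is outside this hunk, and entity encoding is only correct if that consumer is HTML text or an attribute. If `$filter_str` is compared against the template's action names or interpolated into a `?action=` link, the encoded form is wrong at that layer: `&#39;` puts a literal `&` and `#` into a query string, and a comparison against plain names can only ever match unencoded input anyway. A more robust shape is to read the raw value and allow-list it here — `$filter_str = (string) filter_input(INPUT_GET, 'action'); if (!in_array($filter_str, $known_actions, true)) { $filter_str = ''; }` with `$known_actions` being the names this template handles — and escape with scrub_out or rawurlencode at each sink.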
2 changes: 1 addition & 1 deletion public/templates/show_form_highest.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
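Review bot: Dropping FILTER_FLAG_NO_ENCODE_QUOTES on line 36 means `'` and `"` in the action now arrive as `&#39;` and `&#34;`, so any later comparison or string building in this template behaves differently from before for those characters; every use of `$filter_str` is outside this hunk, so please confirm none of them expected the raw value. Because the set of action names is small and fixed, a guard that accepts only those names is both stricter and simpler than choosing between sanitizer flags, e.g. `if (!in_array($filter_str, $known_actions, true)) { $filter_str = ''; }` where `$known_actions` lists the actions this template renders. Output escaping then belongs at the sink (scrub_out for HTML, rawurlencode for links), not at the point the value is read.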
2 changes: 1 addition & 1 deletion public/templates/show_form_mashup.inc.php
Expand Up @@ -9,7 +9,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$albumString = (AmpConfig::get('album_group'))
? 'album'
: 'album_disk'; ?>
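Review bot: Line 47 is one of seven byte-identical copies of this `filter_input` call across the show_form_*.inc.php templates in this commit, and the FILTER_FLAG_NO_ENCODE_QUOTES removal had to be repeated in each one by hand. Resolving the action once — either in a small shared helper or by passing the already-resolved action from the controller into the template — would make the next escaping decision a one-line change instead of a seven-file sweep. Wherever that lives, the value should be validated against the action names the template actually switches on rather than only entity-encoded; its uses are outside this hunk.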
2 changes: 1 addition & 1 deletion public/templates/show_form_newest.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
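Review bot: The `(string)` cast on line 58 collapses both the null that filter_input returns for an absent `action` and the false it returns on filter failure into `''`, so downstream code cannot distinguish "no action" from "rejected action"; that may be intended, but it deserves a comment, e.g. `// filter_input returns null when absent and false on failure; both become '' here`. If the consumer of `$filter_str` (outside this hunk) treats `''` as the default view, saying so next to this line saves the next reader a lookup of filter_input's return contract.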
2 changes: 1 addition & 1 deletion public/templates/show_form_popular.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
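Review bot: The action read on line 69 is encoded differently from the one the runner in src/Module/Application/ApplicationRunner.php now computes with htmlspecialchars: FILTER_SANITIZE_SPECIAL_CHARS produces `&#60;`/`&#34;`/`&#39;` while htmlspecialchars produces `&lt;`/`&quot;` and, depending on PHP version and flags, either `&#039;` or an unencoded `'`. For any non-alphanumeric input the template and the runner therefore see two different strings for the same request parameter, which makes reasoning about which view is rendered harder than it should be. Resolving the action in one place and handing the validated name to the template would remove the discrepancy; the uses of `$filter_str` are outside this hunk.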
2 changes: 1 addition & 1 deletion public/templates/show_form_recent.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
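Review bot: Line 80 reads `action` straight from the `$_GET` superglobal via filter_input, while the request is otherwise modelled as a PSR-7 ServerRequestInterface (see the runner and PlayAction in this same commit), so the template has a second, independent view of the request that the controller cannot influence or test. Passing the resolved action into the template as a variable, or at least reading it from the same request object, keeps one source of truth. Until then, a one-line comment such as `// reads the raw query string; the runner has already validated the dispatched action separately` would warn maintainers that the two can diverge; the uses of `$filter_str` are outside this hunk.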
2 changes: 1 addition & 1 deletion public/templates/show_form_userflag.inc.php
Expand Up @@ -28,7 +28,7 @@

$videoRepository = $dic->get(VideoRepositoryInterface::class);
$web_path = AmpConfig::get('web_path');
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
$filter_str = (string) filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
$showAlbumArtist = AmpConfig::get('show_album_artist');
$showArtist = AmpConfig::get('show_artist');
$albumString = (AmpConfig::get('album_group'))
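Review bot: Line 91 sanitizes the action but never validates it, so any string the client sends — entity-encoded or not — flows into whatever `$filter_str` is used for further down, which is outside this hunk. For a dispatch key the safer idiom is an allow-list with a fallback: `$filter_str = (string) filter_input(INPUT_GET, 'action'); if (!in_array($filter_str, $known_actions, true)) { $filter_str = ''; }`, where `$known_actions` names the actions this template renders. With that guard in place the entity encoding becomes unnecessary at this point and can move to the HTML sink via scrub_out.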
2 changes: 1 addition & 1 deletion public/templates/show_graphs.inc.php
Expand Up @@ -81,7 +81,7 @@
<input type="hidden" name="user_id" value="<?php echo $user_id; ?>" />
<input type="hidden" name="object_type" value="<?php echo $object_type; ?>" />
<input type="hidden" name="object_id" value="<?php echo $object_id; ?>" />
<input type="hidden" name="action" value="<?php echo filter_input(INPUT_GET, 'action', FILTER_SANITIZE_URL); ?>" />
<input type="hidden" name="action" value="<?php echo filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS); ?>" />
<input type="hidden" name="type" value="<?php echo $type; ?>" />
</form>
<script>
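Review bot: The new value on line 102 is attribute-safe because FILTER_SANITIZE_SPECIAL_CHARS encodes `"`, but it is escaped differently from the same field in public/templates/show_alphabet_form.inc.php, which wraps the result in scrub_out, and the neighbouring hidden fields `$user_id`, `$object_type`, `$object_id` and `$type` on lines 98–100 and 103 are still echoed raw. For consistency I would use one escaping convention for every field in this form: `value="<?php echo scrub_out((string) filter_input(INPUT_GET, 'action')); ?>"` here, and scrub_out around the other four values if they derive from the request; where they are assigned is outside this hunk, so that last part needs confirming.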
2 changes: 1 addition & 1 deletion src/Module/Application/ApplicationRunner.php
Expand Up @@ -68,7 +68,7 @@ public function run(
array $action_list,
string $default_action
): void {
$action_name = $request->getParsedBody()['action'] ?? $request->getQueryParams()['action'] ?? '';
$action_name = htmlspecialchars($request->getParsedBody()['action'] ?? $request->getQueryParams()['action'] ?? '');

if (array_key_exists($action_name, $action_list) === false) {
$action_name = $default_action;
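Review bot: The htmlspecialchars on line 113 encodes a dispatch key that is immediately checked with array_key_exists against `$action_list`, so the allow-list already rejects anything that is not a known action and the encoding adds nothing unless `$action_name` is echoed later, which is outside this hunk. The concrete gap is a non-string value: a request with `action[]=x` makes htmlspecialchars throw a TypeError on PHP 8, turning what should fall back to `$default_action` into a 500. Reading the raw value and type-checking it instead keeps the fallback path working: `$raw = $request->getParsedBody()['action'] ?? $request->getQueryParams()['action'] ?? '';` followed by `$action_name = is_string($raw) ? $raw : '';`. The run() signature starts before this hunk and its body continues after it.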
6 changes: 3 additions & 3 deletions src/Module/Application/Playback/PlayAction.php
Expand Up @@ -419,7 +419,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
}

// play the song instead of going through all the crap
header('Location: ' . $media->play_url('', $player, false, $user->id, $user->streamtoken));
header('Location: ' . $media->play_url('', $player, false, $user->id, $user->streamtoken), true, 303);

return null;
}
Expand Down Expand Up @@ -459,7 +459,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
}

// play the song instead of going through all the crap
header('Location: ' . $media->play_url('', $player, false, $user->id, $user->streamtoken));
header('Location: ' . $media->play_url('', $player, false, $user->id, $user->streamtoken), true, 303);

return null;
}
Expand Down Expand Up @@ -533,7 +533,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
if ($type == "song_preview" && $media instanceof Song_Preview) {
$media->stream();
} else {
header('Location: ' . $media->file);
header('Location: ' . $media->file, true, 303);

return null;
}
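Review bot: The redirect on line 142 now sends a 303 to `$media->file`, but nothing in the hunk documents why 303 was chosen over the default 302, and the same `header('Location: ' . …, true, 303); return null;` pair is repeated three times in this method. A one-line comment such as `// 303 forces the client to follow with GET regardless of the original method` would capture the intent (presumably the motive), and a small private helper, e.g. `redirectTo(string $url): void`, would keep the three sites from drifting. This branch also assumes `$media->file` is a URL the client can reach rather than a server-side path; where that property is populated is outside this hunk, so a comment stating that assumption would help the next reader. run() begins and ends outside this hunk.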

