Addressed an SQL injection vulnerability in puncher.php.
anuko committed Feb 21, 2022
1 parent 992bcdd commit 0e2d656
Showing 2 changed files with 8 additions and 1 deletion.
2 changes: 1 addition & 1 deletion initialize.php
Expand Up @@ -12,7 +12,7 @@
// Disable displaying errors on screen.
ini_set('display_errors', 'Off');

define("APP_VERSION", "1.20.0.5641");
define("APP_VERSION", "1.20.0.5642");
define("APP_DIR", dirname(__FILE__));
define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");
7 changes: 7 additions & 0 deletions puncher.php
Expand Up @@ -19,6 +19,13 @@
header('Location: feature_disabled.php');
exit();
}
// If we are passed in a date, make sure it is in correct format.
// TODO: redo this temporary sql injection fix as we are not supposed to pass a date.
$date = $request->getParameter('date');
if ($date && !ttValidDbDateFormatDate($date)) {
header('Location: access_denied.php');
exit();
}
if ($request->isPost()) {
// Validate that browser_today parameter is in correct format.
$browser_today = $request->getParameter('browser_today');
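Review bot: the new block in puncher.php rejects a malformed `date` before it can reach a query, which closes this entry point, but as the TODO on the added comment line itself says, this is a front-door check rather than a fix at the sink; the durable change is to bind `$date` as a parameter (or escape it) where the SQL is built, so every caller of that query is protected regardless of which script passes the value. Two smaller points on the added lines: the check runs only when `$date` is truthy, so an empty string is passed through unvalidated (acceptable if the query code already treats empty as "not supplied", worth confirming); and redirecting to `access_denied.php` for an input-format error mirrors the existing `browser_today` handling below, but a 400-style rejection would describe the failure more accurately than an authorization denial. It is good that the check sits before the `isPost()` branch, so GET and POST requests are covered alike; this assumes `ttValidDbDateFormatDate` is in scope here, which the hunk does not show.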

0 comments on commit 0e2d656