Sanitize some request variables
SecretR committed Jun 27, 2014
1 parent 072eeb5 commit f80e417
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions e107_admin/db.php
@@ -35,6 +35,16 @@
$frm = e107::getForm();
$mes = e107::getMessage();

if(isset($_GET['mode']))
{
$_GET['mode'] = preg_match('/[^\w-]/', '', $_GET['mode']);
}

if(isset($_GET['type']))
{
$_GET['type'] = preg_replace('/[^\w-]/', '', $_GET['type']);
}

/*
* Execute trigger
*/
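Review bot: the `mode` branch calls `preg_match()` where `preg_replace()` is intended, so `$_GET['mode'] = preg_match('/[^\w-]/', '', $_GET['mode']);` does not sanitize anything. preg_match() takes (pattern, subject, &matches): here it searches the empty string, writes an empty matches array into $_GET['mode'] by reference, and the assignment then overwrites $_GET['mode'] with the integer 0 (no match), so the original value is discarded rather than cleaned. Use the same `preg_replace('/[^\w-]/', '', $_GET['mode'])` form as the `type` branch below. Also note that stripping disallowed characters silently rewrites the value instead of rejecting it; a sanitized value can still be something the page does not expect, so a whitelist of known modes/types with a default would be stricter.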

6 comments on commit f80e417

@CaMer0n
Member

Does PHP 5 have a better way of doing this?

@myovchev
Member

filter_var() and filter_input() are the options, but it's more a matter of using a standard routine and securing the inputs in a centralized way, e.g. the admin UI.
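As an added example (not e107's code and not from the commenter), one way to do the centralized, whitelist-style check the comment suggests with filter_input()/filter_var(), applied to the same `mode`/`type` parameters and character class as the commit; the function names and the 64-character length limit are assumptions:

```php
<?php
// Added example, not e107 project code. One central routine validates request
// tokens such as 'mode' and 'type' against /^[\w-]+$/ and falls back to a
// known default, instead of stripping characters at each use site.
// Function names and the 64-character limit are assumed for illustration.

/**
 * Read $name from the GET request; return it only if it matches the allowed
 * character class, otherwise $default. Never writes back into $_GET.
 */
function e107_admin_get_token(string $name, string $default = ''): string
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[\w-]{1,64}$/'],
    ]);
    // filter_input() returns null when the key is absent and false when the
    // value fails validation; both cases fall back to the default.
    return is_string($value) ? $value : $default;
}

/**
 * Same rule for an arbitrary string, e.g. values not taken from superglobals
 * or for testing the rule without a real request.
 */
function e107_admin_validate_token(?string $value, string $default = ''): string
{
    if ($value === null) {
        return $default;
    }
    $ok = filter_var($value, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[\w-]{1,64}$/'],
    ]);
    return is_string($ok) ? $ok : $default;
}

// Constructed sample inputs: stripping would turn "../../etc" into "....etc"
// and pass it on, whereas validation rejects it and returns the default.
$samples = ['main', 'db-backup', 'mode=1;drop', '../../etc', ''];
foreach ($samples as $s) {
    printf("%-14s -> %s\n", var_export($s, true), e107_admin_validate_token($s, 'main'));
}
```

In the admin page itself, `$mode = e107_admin_get_token('mode', 'main');` replaces the per-parameter preg_* calls from the commit.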

@fgeek

@fgeek fgeek commented on f80e417 Jul 17, 2014

What release has this security patch?

@Moc
Member

@Moc Moc commented on f80e417 Jul 17, 2014

Use the latest files from GitHub; they contain the most up-to-date files. You can easily download the zip file using the download button on the right-hand side of the main page.

This commit is not included in any release yet as there haven't been any releases since alpha2 which was released very recently.

@fgeek

@fgeek fgeek commented on f80e417 Jul 22, 2014

@Moc I'm developing the pyfiscan tool https://github.com/fgeek/pyfiscan to help detect non-updated web software. It would make it a lot easier to communicate with end-users when there is an actual release. Do you know when alpha3 is out?

@Moc
Member

@Moc Moc commented on f80e417 Jul 22, 2014

@fgeek, the releases are communicated through multiple channels: the GitHub releases page, the news and blog items on the e107 website, as well as the social media channels. The alpha3 release will take a while (hopefully in a month or two), unless there is a major security issue (this one was quite minor).
