fix sql injection issue in notfound controller; reported by pang0lin
dleffler committed Nov 6, 2016
1 parent e38aae6 commit 4327ea9
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions framework/modules/notfound/controllers/notfoundController.php
Expand Up @@ -32,14 +32,14 @@ static function description() { return gt("This controller handles routing to th
static function hasSources() { return false; }
static function hasViews() { return false; }
static function hasContent() { return false; }

public function handle() {
global $router;

$args = array_merge(array('controller'=>'notfound', 'action'=>'page_not_found'), $router->url_parts);
$args = array_merge(array('controller'=>'notfound', 'action'=>'page_not_found'), $router->url_parts);
header("Refresh: 0; url=".$router->makeLink($args), false, 404);
}

public function page_not_found() {
global $router;

Expand All @@ -60,7 +60,7 @@ public function page_not_found() {
if (get_magic_quotes_gpc()) {
$terms = stripslashes($terms);
}
$terms = htmlspecialchars($terms);
$terms = expString::escape(htmlspecialchars($terms));

// check for server requested error documents here instead of treating them as a search request
if ($terms == SITE_404_FILE) {
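Review bot: The new line `$terms = expString::escape(htmlspecialchars($terms));` stacks HTML encoding and SQL escaping on one variable at the point of input, so every later use of `$terms` carries both encodings whatever its context, including the `$terms == SITE_404_FILE` comparison just below, which now sees the escaped form. The query that consumes `$terms` is outside this hunk, so the fix cannot be checked against its sink from here; string escaping presumably only protects a value that lands inside a quoted literal in that statement. I would keep `$terms` as received, apply `expString::escape($terms)` (or a bound parameter, if the database layer offers one) where the SQL is built, and call `htmlspecialchars($terms, ENT_QUOTES)` only where the value is rendered. page_not_found() starts before and continues past the hunk.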
