
* Fix SQL injection problem.

* Update versions, WHATSNEW, etc. in prep for release.
1 parent 16d33f1 commit 5e4085878d397ad9e5d2f36618097069f2534adf @perusionmike perusionmike committed Sep 22, 2005
Showing with 70 additions and 20 deletions.
  1. +2 −2 README
  2. +11 −0 WHATSNEW
  3. +50 −11 dist/foundation/pages/forum/submit.html
  4. +7 −7 scripts/interchange.PL
4 README
@@ -2,9 +2,9 @@
I N T E R C H A N G E
-Interchange 5.2.0
+Interchange 5.2.1
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
Copyright (C) 1996-2002 Red Hat, Inc.
Originally based on Vend 0.2 and 0.3, copyright 1995-96 by Andrew M. Wilcox.
@@ -6,6 +6,17 @@
------------------------------------------------------------------------------
+Interchange 5.2.1 released 2005-09-22.
+
+
+Security
+---------
+
+* Fix SQL injection vulnerability in pages/forum/submit.html.
+
+------------------------------------------------------------------------------
+
+
Interchange 5.2.0 released 2004-05-05.
@@ -28,6 +28,15 @@
@_LEFTONLY_TOP_@
+[if cgi product]
+[perl tables=products]
+ ## Set the subject if coming from product page
+ my $desc = tag_data('products', $Config->{DescriptionField}, $Session->{arg});
+ $CGI->{subject} = $desc;
+ return;
+[/perl]
+[/if]
+
[perl tables="forum"]
#code parent artid mod_time created username host score lastscore reason anon extended subject comment
sub scrub {
@@ -39,13 +48,16 @@
my $noscrub;
if(! $type) {
# do nothing
+ $value =~ s/\[/[/g;
}
elsif($type eq '2') {
$value = $Tag->filter('text2html', $value);
+ $value =~ s/\[/[/g;
}
elsif($type eq '4') {
unless ($value =~ m{</\s*xmp\s*>}i) {
$noscrub = 1;
+ $value =~ s/\[//g;
$value = "<XMP>$value</XMP>";
}
}
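Review bot: The `# do nothing` comment in the `if(! $type)` branch is stale, because that branch now rewrites `[` in `$value`. As rendered on this page the pattern and its replacement are the same character, which suggests an entity was decoded in display; confirm in the file that the replacement is the encoded form. I would replace the comment with `# encode '[' so submitted text cannot open an Interchange tag` (presumably the intent) and add a comment on the type '4' branch saying that it deletes the character instead of encoding it. The scrub sub starts before this hunk and ends after it.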
@@ -54,6 +66,10 @@
unless $noscrub;
return $value;
}
+ if($CGI->{product}) {
+ $Session->{forum_start} ||= {};
+ $Session->{forum_start}{$CGI->{product}} = 1;
+ }
return;
[/perl]
@@ -64,8 +80,10 @@
<table>
<tr>
<td bgcolor="#eeeeee">
- <B>[cgi name=subject filter=restrict_html]<br>
- by [either][value fname][or]Shrinking Violet[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
+ [restrict enable=cgi]
+ <B>[cgi name=subject filter="restrict_html"]<br>
+ [/restrict]
+ by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
</td>
</tr>
<tr>
@@ -102,7 +120,7 @@
my $db = $Db{forum}
or return "Database error.";
$v{host} = $Session->{host};
- $v{score} = 0;
+ $v{score} = 1;
my $noscrub;
if(! $CGI->{commtype}) {
# do nothing
@@ -123,11 +141,29 @@
$v{mod_time} =
$v{created} = $Tag->time( { body => "%Y-%m-%d %H:%M:%S" });
$v{subject} = $Tag->filter('encode_entities', $CGI->{subject}, 'subject');
- $v{artid} = '0';
- $v{parent} = '0';
- $Scratch->{tmp_code} = $db->set_slice(undef, [ keys %v ], [values %v])
+ $v{artid} = $CGI->{artid} || 0;
+
+ my $code;
+
+ if($CGI->{parent}) {
+ my $existing = $db->query("select * from forum where parent = '$CGI->{parent}'");
+ if($existing and ! @$existing) {
+ $v{artid} = $CGI->{parent};
+ $code = $CGI->{parent};
+ $v{parent} = 0;
+ }
+ else {
+ $v{parent} = $CGI->{parent};
+ }
+ }
+ $Scratch->{tmp_code} = $db->set_slice($code, \%v)
or return "Error submitting reply!";
$Scratch->{tmp_code} =~ s/'//g;
+
+ unless ($code) {
+ $Scratch->{tmp_code} = $v{parent};
+ }
+
## This is special processing only if there is a submission email address
## is found
if($Variable->{FORUM_SUBMIT_EMAIL}) {
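Review bot: The new lookup `select * from forum where parent = '$CGI->{parent}'` builds SQL by interpolating a request parameter between hand-written quotes, so the commit that fixes one injection adds another string-built query on the same page. The same unvalidated value then becomes the record key (`$code = $CGI->{parent}`) passed to `set_slice`, and `$CGI->{artid}` is stored unchecked. Validate before any use, for example `$CGI->{parent} =~ /\A[\w.-]+\z/ or return "Error submitting reply!";` (adjust the character class to the key format the forum and products tables actually use), or quote the value through the database layer instead of by hand. The enclosing [perl] block starts and ends outside this hunk.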
@@ -174,11 +210,14 @@
return;
[/perl]
- [if scratch tmp_code]
- Your story has been submitted. You will receive a response when it
- is handled. For questions, contact <A HREF="mailto:webmaster@perusion.com">webmaster@perusion.com</A>
- <P>
- [page index]Return to the Intranet home</A>
+ [if cgi parent]
+ Your comment has been submitted.
+ [if type=data term="products::sku::[cgi parent]"]
+ [page href="[cgi parent]"]Return to product</a>.
+ [else]
+ [page href="forum/display" arg="[cgi parent]"]See in context.
+ [/else]
+ [/if]
[/if]
[else]
[include include/forum/submit_form]
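Review bot: `[cgi parent]` is expanded without a filter inside `term=`, `href=` and `arg=`, so a request parameter lands directly in tag arguments and in the generated link, whereas the subject line earlier in the page goes through `filter="restrict_html"`. Apply a filter at each use, e.g. `[cgi name=parent filter="encode_entities"]`, or have the perl block store a validated copy in scratch and reference that instead. The confirmation is also now keyed on the presence of the parameter rather than on `tmp_code`, so as far as this hunk shows it could appear when `set_slice` failed; the surrounding [if]/[else] continues outside the hunk.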
@@ -1,11 +1,11 @@
#!/usr/bin/perl
##!~_~perlpath~_~
#
-# Interchange version 5.2.0
+# Interchange version 5.2.1
#
-# $Id: interchange.PL,v 2.79.2.2 2004-05-05 13:20:02 jon Exp $
+# $Id: interchange.PL,v 2.79.2.3 2005-09-22 17:52:57 mheins Exp $
#
-# Copyright (C) 2002-2004 Interchange Development Group
+# Copyright (C) 2002-2005 Interchange Development Group
# Copyright (C) 1996-2002 Red Hat, Inc.
# http://www.icdevgroup.org/
#
@@ -140,7 +140,7 @@ use vars qw($VERSION);
require Exporter;
BEGIN {
- $VERSION = '5.2.0';
+ $VERSION = '5.2.1';
unless ($] >= 5.006) {
die "Interchange $VERSION requires Perl 5.6.0 or later,\nbut you're trying to run it under Perl $]. Exiting.\n";
@@ -341,7 +341,7 @@ sub dontwarn {
}
sub version {
- print "Interchange version $VERSION copyright 2002-2004 Interchange Development Group and others.\n";
+ print "Interchange version $VERSION copyright 2002-2005 Interchange Development Group and others.\n";
}
=head1 NAME
@@ -354,7 +354,7 @@ interchange [--options] [file]
=head1 VERSION
-5.2.0
+5.2.1
=head1 DESCRIPTION
@@ -960,7 +960,7 @@ GNU General Public License.
=head1 COPYRIGHT
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
Copyright (C) 1995-2002 Red Hat, Inc.
All rights reserved except those granted in the license.
