
* Fix SQL injection problem.

* Update versions, WHATSNEW, etc. in prep for release.
commit 5e4085878d397ad9e5d2f36618097069f2534adf 1 parent 16d33f1
perusionmike authored September 22, 2005
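--- a/README
+++ b/README
@@ -2,9 +2,9 @@
 
                            I N T E R C H A N G E
 
-Interchange 5.2.0
+Interchange 5.2.1
 
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
 Copyright (C) 1996-2002 Red Hat, Inc.
 
 Originally based on Vend 0.2 and 0.3, copyright 1995-96 by Andrew M. Wilcox.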
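--- a/WHATSNEW
+++ b/WHATSNEW
@@ -6,6 +6,17 @@
 ------------------------------------------------------------------------------
 
 
+Interchange 5.2.1 released 2005-09-22.
+
+
+Security
+---------
+
+* Fix SQL injection vulnerability in pages/forum/submit.html.
+
+------------------------------------------------------------------------------
+
+
 Interchange 5.2.0 released 2004-05-05.
 
 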
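--- a/dist/foundation/pages/forum/submit.html
+++ b/dist/foundation/pages/forum/submit.html
@@ -28,6 +28,15 @@
 
 @_LEFTONLY_TOP_@
 
+[if cgi product]
+[perl tables=products]
+	## Set the subject if coming from product page
+	my $desc = tag_data('products', $Config->{DescriptionField}, $Session->{arg});
+	$CGI->{subject} = $desc;
+	return;
+[/perl]
+[/if]
+
 [perl tables="forum"]
 #code	parent	artid	mod_time	created	username	host	score	lastscore	reason	anon	extended	subject	comment
 	sub scrub {
@@ -39,13 +48,16 @@
 		my $noscrub;
 		if(! $type) {
 			# do nothing
+			$value =~ s/\[/[/g;
 		}
 		elsif($type eq '2') {
 			$value = $Tag->filter('text2html', $value);
+			$value =~ s/\[/[/g;
 		}
 		elsif($type eq '4') {
 			unless ($value =~ m{</\s*xmp\s*>}i) {
 				$noscrub = 1;
+				$value =~ s/\[//g;
 				$value = "<XMP>$value</XMP>";
 			}
 		}
@@ -54,6 +66,10 @@
 			unless $noscrub;
 		return $value;
 	}
+	if($CGI->{product}) {
+		$Session->{forum_start} ||= {};
+		$Session->{forum_start}{$CGI->{product}} = 1;
+	}
 	return;
 [/perl]
 
@@ -64,8 +80,10 @@
 	<table>
 	<tr>
 	<td bgcolor="#eeeeee">
-	<B>[cgi name=subject filter=restrict_html]<br>
-	by [either][value fname][or]Shrinking Violet[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
+	[restrict enable=cgi]
+	<B>[cgi name=subject filter="restrict_html"]<br>
+	[/restrict]
+	by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
 	</td>
 	</tr>
 	<tr>
@@ -102,7 +120,7 @@
 	my $db = $Db{forum}
 		or return "Database error.";
 	$v{host} = $Session->{host};
-	$v{score} = 0;
+	$v{score} = 1;
 	my $noscrub;
 	if(! $CGI->{commtype}) {
 		# do nothing
@@ -123,11 +141,29 @@
 	$v{mod_time} =
 	$v{created} =  $Tag->time( { body => "%Y-%m-%d %H:%M:%S" });
 	$v{subject} =  $Tag->filter('encode_entities', $CGI->{subject}, 'subject');
-	$v{artid}  =  '0';
-	$v{parent} =  '0';
-	$Scratch->{tmp_code} = $db->set_slice(undef, [ keys %v ], [values %v])
+	$v{artid}  =  $CGI->{artid} || 0;
+
+	my $code;
+
+	if($CGI->{parent}) {
+		my $existing = $db->query("select * from forum where parent = '$CGI->{parent}'");
+		if($existing and ! @$existing) {
+			$v{artid} = $CGI->{parent};
+			$code = $CGI->{parent};
+			$v{parent} = 0;
+		}
+		else {
+			$v{parent} =  $CGI->{parent};
+		}
+	}
+	$Scratch->{tmp_code} = $db->set_slice($code, \%v)
 		or return "Error submitting reply!";
 	$Scratch->{tmp_code} =~ s/'//g;
+
+	unless ($code) {
+		$Scratch->{tmp_code} = $v{parent};
+	}
+
 	## This is special processing only if there is a submission email address
 	## is found
 	if($Variable->{FORUM_SUBMIT_EMAIL}) {
@@ -174,11 +210,14 @@
 	return;
 [/perl]
 
-	[if scratch tmp_code]
-		Your story has been submitted. You will receive a response when it
-		is handled. For questions, contact <A HREF="mailto:webmaster@perusion.com">webmaster@perusion.com</A>
-		<P>
-		[page index]Return to the Intranet home</A>
+	[if cgi parent]
+		Your comment has been submitted.
+		[if type=data term="products::sku::[cgi parent]"]
+		 [page href="[cgi parent]"]Return to product</a>.
+		[else]
+		 [page href="forum/display" arg="[cgi parent]"]See in context.
+		[/else]
+		[/if]
 	[/if]
 [else]
 	[include include/forum/submit_form]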
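Review bot: The lookup added at new line 149, `my $existing = $db->query("select * from forum where parent = '$CGI->{parent}'");`, places the request parameter directly inside the SQL string, so a quote character in `parent` alters the statement, which is the class of problem the commit message says it fixes. Quote the value before building the query, for example `my $parent = $db->quote($CGI->{parent});` followed by `$db->query("select * from forum where parent = $parent")` (assuming the table object exposes `quote` in this release), and reject a `parent` that does not match the expected key format before any use. The same unchecked value is also stored in `$v{parent}`/`$v{artid}` and expanded through `[cgi parent]` inside tag attributes in the last hunk, so one validation at the top of the block would cover those uses as well. The enclosing `[perl]` block begins and ends outside this hunk. As rendered here the added `s/\[/[/g` substitutions replace a bracket with itself; presumably the replacement was an HTML entity lost in rendering, which should be confirmed against the raw file.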
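--- a/scripts/interchange.PL
+++ b/scripts/interchange.PL
@@ -1,11 +1,11 @@
 #!/usr/bin/perl
 ##!~_~perlpath~_~
 #
-# Interchange version 5.2.0
+# Interchange version 5.2.1
 #
-# $Id: interchange.PL,v 2.79.2.2 2004-05-05 13:20:02 jon Exp $
+# $Id: interchange.PL,v 2.79.2.3 2005-09-22 17:52:57 mheins Exp $
 #
-# Copyright (C) 2002-2004 Interchange Development Group
+# Copyright (C) 2002-2005 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 # http://www.icdevgroup.org/
 #
@@ -140,7 +140,7 @@ use vars qw($VERSION);
 require Exporter;
 
 BEGIN {
-	$VERSION = '5.2.0';
+	$VERSION = '5.2.1';
 
 	unless ($] >= 5.006) {
 		die "Interchange $VERSION requires Perl 5.6.0 or later,\nbut you're trying to run it under Perl $]. Exiting.\n";
@@ -341,7 +341,7 @@ sub dontwarn {
 }
 
 sub version {
-	print "Interchange version $VERSION copyright 2002-2004 Interchange Development Group and others.\n";
+	print "Interchange version $VERSION copyright 2002-2005 Interchange Development Group and others.\n";
 }
 
 =head1 NAME
@@ -354,7 +354,7 @@ interchange [--options] [file]
 
 =head1 VERSION
 
-5.2.0
+5.2.1
 
 =head1 DESCRIPTION
 
@@ -960,7 +960,7 @@ GNU General Public License.
 
 =head1 COPYRIGHT
 
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
 Copyright (C) 1995-2002 Red Hat, Inc.
 All rights reserved except those granted in the license.
 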
