* Fix SQL injection problem.

* Update versions, WHATSNEW, etc. in prep for release.
interchange · Sep 22, 2005 · 5e40858 · 5e40858
1 parent 16d33f1
commit 5e40858
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 20 deletions.
diff --git a/README b/README
@@ -2,9 +2,9 @@
 
                            I N T E R C H A N G E
 
-Interchange 5.2.0
+Interchange 5.2.1
 
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
 Copyright (C) 1996-2002 Red Hat, Inc.
 
 Originally based on Vend 0.2 and 0.3, copyright 1995-96 by Andrew M. Wilcox.

diff --git a/WHATSNEW b/WHATSNEW
@@ -6,6 +6,17 @@
 ------------------------------------------------------------------------------
 
 
+Interchange 5.2.1 released 2005-09-22.
+
+
+Security
+---------
+
+* Fix SQL injection vulnerability in pages/forum/submit.html.
+
+------------------------------------------------------------------------------
+
+
 Interchange 5.2.0 released 2004-05-05.
 
 

diff --git a/dist/foundation/pages/forum/submit.html b/dist/foundation/pages/forum/submit.html
@@ -28,6 +28,15 @@
 
 @_LEFTONLY_TOP_@
 
+[if cgi product]
+[perl tables=products]
+	## Set the subject if coming from product page
+	my $desc = tag_data('products', $Config->{DescriptionField}, $Session->{arg});
+	$CGI->{subject} = $desc;
+	return;
+[/perl]
+[/if]
+
 [perl tables="forum"]
 #code	parent	artid	mod_time	created	username	host	score	lastscore	reason	anon	extended	subject	comment
 	sub scrub {
@@ -39,13 +48,16 @@
 		my $noscrub;
 		if(! $type) {
 			# do nothing
+			$value =~ s/\[/&#91;/g;
 		}
 		elsif($type eq '2') {
 			$value = $Tag->filter('text2html', $value);
+			$value =~ s/\[/&#91;/g;
 		}
 		elsif($type eq '4') {
 			unless ($value =~ m{</\s*xmp\s*>}i) {
 				$noscrub = 1;
+				$value =~ s/\[//g;
 				$value = "<XMP>$value</XMP>";
 			}
 		}
@@ -54,6 +66,10 @@
 			unless $noscrub;
 		return $value;
 	}
+	if($CGI->{product}) {
+		$Session->{forum_start} ||= {};
+		$Session->{forum_start}{$CGI->{product}} = 1;
+	}
 	return;
 [/perl]
 
@@ -64,8 +80,10 @@
 	<table>
 	<tr>
 	<td bgcolor="#eeeeee">
-	<B>[cgi name=subject filter=restrict_html]<br>
-	by [either][value fname][or]Shrinking Violet[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
+	[restrict enable=cgi]
+	<B>[cgi name=subject filter="restrict_html"]<br>
+	[/restrict]
+	by [either][value fname][or]Guest user[/either] on [convert-date fmt="%A, %B %e, %Y @%H:%M"][/convert-date]<B>
 	</td>
 	</tr>
 	<tr>
@@ -102,7 +120,7 @@
 	my $db = $Db{forum}
 		or return "Database error.";
 	$v{host} = $Session->{host};
-	$v{score} = 0;
+	$v{score} = 1;
 	my $noscrub;
 	if(! $CGI->{commtype}) {
 		# do nothing
@@ -123,11 +141,29 @@
 	$v{mod_time} =
 	$v{created} =  $Tag->time( { body => "%Y-%m-%d %H:%M:%S" });
 	$v{subject} =  $Tag->filter('encode_entities', $CGI->{subject}, 'subject');
-	$v{artid}  =  '0';
-	$v{parent} =  '0';
-	$Scratch->{tmp_code} = $db->set_slice(undef, [ keys %v ], [values %v])
+	$v{artid}  =  $CGI->{artid} || 0;
+
+	my $code;
+
+	if($CGI->{parent}) {
+		my $existing = $db->query("select * from forum where parent = '$CGI->{parent}'");
+		if($existing and ! @$existing) {
+			$v{artid} = $CGI->{parent};
+			$code = $CGI->{parent};
+			$v{parent} = 0;
+		}
+		else {
+			$v{parent} =  $CGI->{parent};
+		}
+	}
+	$Scratch->{tmp_code} = $db->set_slice($code, \%v)
 		or return "Error submitting reply!";
 	$Scratch->{tmp_code} =~ s/'//g;
+
+	unless ($code) {
+		$Scratch->{tmp_code} = $v{parent};
+	}
+
 	## This is special processing only if there is a submission email address
 	## is found
 	if($Variable->{FORUM_SUBMIT_EMAIL}) {
@@ -174,11 +210,14 @@
 	return;
 [/perl]
 
-	[if scratch tmp_code]
-		Your story has been submitted. You will receive a response when it
-		is handled. For questions, contact <A HREF="mailto:webmaster@perusion.com">webmaster@perusion.com</A>
-		<P>
-		[page index]Return to the Intranet home</A>
+	[if cgi parent]
+		Your comment has been submitted.
+		[if type=data term="products::sku::[cgi parent]"]
+		 [page href="[cgi parent]"]Return to product</a>.
+		[else]
+		 [page href="forum/display" arg="[cgi parent]"]See in context.
+		[/else]
+		[/if]
 	[/if]
 [else]
 	[include include/forum/submit_form]

diff --git a/scripts/interchange.PL b/scripts/interchange.PL
@@ -1,11 +1,11 @@
 #!/usr/bin/perl
 ##!~_~perlpath~_~
 #
-# Interchange version 5.2.0
+# Interchange version 5.2.1
 #
-# $Id: interchange.PL,v 2.79.2.2 2004-05-05 13:20:02 jon Exp $
+# $Id: interchange.PL,v 2.79.2.3 2005-09-22 17:52:57 mheins Exp $
 #
-# Copyright (C) 2002-2004 Interchange Development Group
+# Copyright (C) 2002-2005 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 # http://www.icdevgroup.org/
 #
@@ -140,7 +140,7 @@ use vars qw($VERSION);
 require Exporter;
 
 BEGIN {
-	$VERSION = '5.2.0';
+	$VERSION = '5.2.1';
 
 	unless ($] >= 5.006) {
 		die "Interchange $VERSION requires Perl 5.6.0 or later,\nbut you're trying to run it under Perl $]. Exiting.\n";
@@ -341,7 +341,7 @@ sub dontwarn {
 }
 
 sub version {
-	print "Interchange version $VERSION copyright 2002-2004 Interchange Development Group and others.\n";
+	print "Interchange version $VERSION copyright 2002-2005 Interchange Development Group and others.\n";
 }
 
 =head1 NAME
@@ -354,7 +354,7 @@ interchange [--options] [file]
 
 =head1 VERSION
 
-5.2.0
+5.2.1
 
 =head1 DESCRIPTION
 
@@ -960,7 +960,7 @@ GNU General Public License.
 
 =head1 COPYRIGHT
 
-Copyright (C) 2002-2004 Interchange Development Group
+Copyright (C) 2002-2005 Interchange Development Group
 Copyright (C) 1995-2002 Red Hat, Inc.
 All rights reserved except those granted in the license.