Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize query strings #1639

Merged
merged 3 commits into from
Dec 30, 2014
Merged

Sanitize query strings #1639

merged 3 commits into from
Dec 30, 2014

Conversation

protich
Copy link
Member

@protich protich commented Dec 28, 2014

This pull request addresses potential XSS exploit due to incorrect handling of user inputs used on query strings.

@protich
http: Add http_build_query wrapper
cf4b4ce 
This is necessary so we can sanitize/encode inputs.
@protich
html: Replace htmlentities with htmlspecialchars
670bf5c
@protich
http: Use http build query
f0b18da 
Use http::build_query instead of inline urlencode
greezybacon added a commit that referenced this pull request Dec 30, 2014
@greezybacon
Merge pull request #1639 from protich/issue/query-string
38b2e79 
Sanitize query strings

Reviewed-By: Jared Hancock <jared@osticket.com>
@greezybacon greezybacon merged commit 38b2e79 into osTicket:develop Dec 30, 2014
greezybacon
greezybacon reviewed Dec 31, 2014
View reviewed changes
include/staff/pages.inc.php
$pageNav->setURL('pages.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
//Ok..lets roll...create the actual query
$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
$qstr = '&amp;'. Http::build_query($qs);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This just looks wrong. $qs is now an empty array, and why should $qstr start with &amp;? It's used below directly following the ? in a query string.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree it looks wrong -- basically we don't have query strings to collect. $qstr starts with &amp; for consistency reasons -- in some pages e.g include/staff/tickets.inc.php it's used at the end as opposed to directly following ?.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@protich @greezybacon