
Commit 256a5f9

committed
Number of secerity fixes & fix for setup fee #510
1 parent 3eb457d commit 256a5f9

20 files changed

+69
-51
lines changed

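--- a/active_auctions.php
+++ b/active_auctions.php
@@ -66,7 +66,7 @@
 $k = 0;
 while ($row = $db->fetch()) {
 if (strlen($row['pict_url']) > 0) {
-$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&fromfile=' . UPLOAD_FOLDER . $row['id'] . '/' . $row['pict_url'];
+$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&auction_id=' . $row['id'] . '&fromfile=' . $row['pict_url'];
 } else {
 $row['pict_url'] = get_lang_img('nopicture.gif');
 }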
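Review bot: The new line 69 concatenates `$row['pict_url']` straight into the query string; a stored filename containing `&`, `#`, `+` or a space yields a thumb URL that getthumb.php parses differently from what was intended. Encode it, `'&fromfile=' . urlencode($row['pict_url'])`, and do the same on the identical lines in closed_auctions.php (68), includes/browseitems.inc.php (119), index.php (107, 191) and bid.php (564), where the value additionally lands inside an HTML `src` attribute and so also needs htmlspecialchars() at output. Since `auction_id` now selects the directory on the server side, the filename sent here never needs to carry a path component. The enclosing `while` loop starts outside the hunk.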

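--- a/admin/editauction.php
+++ b/admin/editauction.php
@@ -36,7 +36,7 @@ function load_gallery($auc_id)
 if ($dir = opendir(UPLOAD_PATH . $auc_id)) {
 while ($file = @readdir($dir)) {
 if ($file != '.' && $file != '..' && strpos($file, 'thumb-') === false) {
-$UPLOADED_PICTURES[] = UPLOAD_FOLDER . $auc_id . '/' . $file;
+$UPLOADED_PICTURES[] = $file;
 }
 }
 closedir($dir);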
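Review bot: `$UPLOADED_PICTURES[]` now holds a bare filename, but the admin templates that render it still build the full-size link as `{SITEURL}/{gallery.V}` (themes/adminClassic/editauction.tpl line 73 and themes/adminModern/editauction.tpl line 73, both left unchanged by this commit), so those links now point at the site root instead of the upload directory. Either keep the directory in the href, e.g. `{SITEURL}{UPLOADEDPATH}{ID}/{gallery.V}` as themes/classic/item.tpl line 310 does (assuming that variable is assigned for the admin page), or expose a second template variable carrying the full path. load_gallery() is declared outside the hunk.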

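--- a/bid.php
+++ b/bid.php
@@ -561,7 +561,7 @@ function extend_auction($id, $ends)
 'ERROR' => (isset($errmsg)) ? $errmsg : '',
 'BID_HISTORY' => (isset($ARETHEREBIDS)) ? $ARETHEREBIDS : '',
 'ID' => $id,
-'IMAGE' => (!empty($pict_url_plain)) ? '<img src="getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&fromfile=' . UPLOAD_FOLDER . $id . '/' . $pict_url_plain . '" border="0" align="center">' : '&nbsp;',
+'IMAGE' => (!empty($pict_url_plain)) ? '<img src="getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&auction_id=' . $id . '&fromfile=' . $pict_url_plain . '" border="0" align="center">' : '',
 'TITLE' => $item_title,
 'CURRENT_BID' => $system->print_money($cbid),
 'ATYPE' => $atype,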

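--- a/closed_auctions.php
+++ b/closed_auctions.php
@@ -65,7 +65,7 @@
 $starting_price = $row['current_bid'];
 
 if (strlen($row['pict_url']) > 0) {
-$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&fromfile=' . UPLOAD_FOLDER . $row['id'] . '/' . $row['pict_url'];
+$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&auction_id=' . $row['id'] . '&fromfile=' . $row['pict_url'];
 } else {
 $row['pict_url'] = get_lang_img('nopicture.gif');
 }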

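--- a/getthumb.php
+++ b/getthumb.php
@@ -14,9 +14,31 @@
 
 include 'common.php';
 
+// get passed values
 $w = (isset($_GET['w'])) ? intval($_GET['w']) : '';
-$_w = $w;
-$fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : '';
+$fromfile = $_GET['fromfile'];
+$auction_id = $_GET['auction_id'];
+
+// check passed values
+if (!isset($_GET['fromfile']) ||
+!isset($_GET['auction_id']) || !is_numeric($auction_id)) {
+ErrorPNG($ERR_716);
+exit;
+} elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) {
+ErrorPNG($ERR_716);
+exit;
+}
+
+if ($fromfile != '') {
+// clean fromfile
+$fromfile = basename($fromfile);
+// build file path
+$file_path = UPLOAD_FOLDER . $auction_id . '/' . $fromfile;
+} else {
+// if empty filename just show default image
+$file_path = MAIN_PATH . 'images/email_alerts/default_item_img.jpg';
+}
+
 $nomanage = false;
 $accepted_widths = array(
 $system->SETTINGS['thumb_show'],
@@ -47,17 +69,8 @@ function load_image($file, $mime, $image_type, $output_type)
 exit;
 }
 
-// control parameters and file existence
-if (!isset($_GET['fromfile']) || $fromfile == '') {
-ErrorPNG($ERR_716);
-exit;
-} elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) {
-ErrorPNG($ERR_716);
-exit;
-}
-
 if (file_exists(UPLOAD_PATH . 'cache/' . $w . '-' . md5($fromfile))) {
-$img = getimagesize($fromfile);
+$img = getimagesize($file_path);
 switch ($img[2]) {
 case IMAGETYPE_GIF:
 if (!(imagetypes() &IMG_GIF)) {
@@ -98,7 +111,7 @@ function load_image($file, $mime, $image_type, $output_type)
 mkdir(UPLOAD_PATH . 'cache', 0777);
 }
 
-$img = @getimagesize($fromfile);
+$img = @getimagesize($file_path);
 if (is_array($img)) {
 switch ($img[2]) {
 case IMAGETYPE_GIF:
@@ -141,7 +154,7 @@ function load_image($file, $mime, $image_type, $output_type)
 }
 if ($w == '') {
 // just load the image
-load_image($fromfile, $img['mime'], $image_type, $output_type);
+load_image($file_path, $img['mime'], $image_type, $output_type);
 } else {
 // check image orientation
 if ($img[0] < $img[1]) {
@@ -156,9 +169,9 @@ function load_image($file, $mime, $image_type, $output_type)
 $ou = imagecreatetruecolor($w, $h);
 imagealphablending($ou, false);
 $funcall = "imagecreatefrom$image_type";
-imagecopyresampled($ou, $funcall($fromfile), 0, 0, 0, 0, $w, $h, $img[0], $img[1]);
+imagecopyresampled($ou, $funcall($file_path), 0, 0, 0, 0, $w, $h, $img[0], $img[1]);
 $funcall = "image$output_type";
-$funcall($ou, UPLOAD_PATH . 'cache/' . $_w . '-' . md5($fromfile));
+$funcall($ou, UPLOAD_PATH . 'cache/' . $w . '-' . md5($fromfile));
 header('Content-type: ' . $img['mime']);
 $funcall($ou);
 exit;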
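Review bot: The existence check kept on new line 27 still tests the raw `$_GET['fromfile']`, which after this change is a bare filename resolved against the script's working directory, while the file actually served is `$file_path`, built only afterwards on line 36 — so the check no longer protects the path that is opened, and the `fopen()` on a query value is unnecessary once a local path is validated. New lines 19-20 also read both parameters before the isset() test on lines 23-24, which raises undefined-index notices for a request that omits them, and `is_numeric()` accepts forms such as `1e3` or ` 5` that then appear verbatim in the directory name. Separately, the cache key `md5($fromfile)` on lines 72 and 174 now hashes only the basename, so two auctions that each upload `image.jpg` share one cached thumbnail per width and one will be shown the other's picture; use `md5($file_path)` there. The rewrite below validates first, builds the path from an integer id and the basename, and checks existence of the resolved path.
```php
// get passed values
$w = (isset($_GET['w'])) ? intval($_GET['w']) : '';
$fromfile = (isset($_GET['fromfile'])) ? basename($_GET['fromfile']) : null;
$auction_id = (isset($_GET['auction_id'])) ? $_GET['auction_id'] : null;

// check passed values
if ($fromfile === null || $auction_id === null || !ctype_digit((string) $auction_id)) {
    ErrorPNG($ERR_716);
    exit;
}
$auction_id = intval($auction_id);

if ($fromfile != '') {
    // build file path from the validated id and the bare filename
    $file_path = UPLOAD_FOLDER . $auction_id . '/' . $fromfile;
} else {
    // if empty filename just show default image
    $file_path = MAIN_PATH . 'images/email_alerts/default_item_img.jpg';
}

// check existence of the resolved path, not the raw query value
if (!is_file($file_path)) {
    ErrorPNG($ERR_716);
    exit;
}
// … unchanged: $nomanage / $accepted_widths …
```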

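--- a/includes/browseitems.inc.php
+++ b/includes/browseitems.inc.php
@@ -116,7 +116,7 @@ function build_items($row)
 
 // image icon
 if (!empty($row['pict_url'])) {
-$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_list'] . '&fromfile=' . UPLOAD_FOLDER . $row['id'] . '/' . $row['pict_url'];
+$row['pict_url'] = $system->SETTINGS['siteurl'] . 'getthumb.php?w=' . $system->SETTINGS['thumb_list'] . '&auction_id=' . $row['id'] . '&fromfile=' . $row['pict_url'];
 } else {
 $row['pict_url'] = get_lang_img('nopicture.gif');
 }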

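--- a/includes/functions_sell.php
+++ b/includes/functions_sell.php
@@ -398,7 +398,7 @@ function get_fee($minimum_bid, $just_fee = true)
 'extracat_fee' => 0
 );
 while ($row = $db->fetch()) {
-if ($minimum_bid >= $row['fee_from'] && $minimum_bid <= $row['fee_to'] && $row['type'] == 'setup') {
+if ($minimum_bid >= $row['fee_from'] && $minimum_bid <= $row['fee_to'] && $row['type'] == 'setup_fee') {
 if ($row['fee_type'] == 'flat') {
 $fee_data['setup_fee'] = $row['value'];
 $fee_value = bcadd($fee_value, $row['value'], $system->SETTINGS['moneydecimals']);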
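Review bot: The corrected comparison on line 401 still uses loose `==`; `$row['type'] === 'setup_fee'` avoids PHP's string-to-number juggling and matches the intent of an exact type name. The range test on the same line compares `$minimum_bid` against `fee_from`/`fee_to` with native float semantics while the total is accumulated with bcadd() at the configured precision, so a value on a band boundary can be classified by one rule and summed by another; a `bccomp()` with the same scale would keep the two consistent. get_fee() is declared outside the hunk.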

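--- a/index.php
+++ b/index.php
@@ -104,7 +104,7 @@ function ShowFlags()
 'ENDS' => $ends_string,
 'ID' => $row['id'],
 'BID' => $system->print_money($high_bid),
-'IMAGE' => (!empty($row['pict_url'])) ? 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&amp;fromfile=' . UPLOAD_FOLDER . $row['id'] . '/' . $row['pict_url'] : 'images/email_alerts/default_item_img.jpg',
+'IMAGE' => (!empty($row['pict_url'])) ? 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&auction_id=' . $row['id'] . '&fromfile=' . $row['pict_url'] : '',
 'TITLE' => htmlspecialchars($row['title'])
 ));
 $i++;
@@ -188,7 +188,7 @@ function ShowFlags()
 'ENDS' => $ends_string,
 'ID' => $row['id'],
 'BID' => $system->print_money($high_bid),
-'IMAGE' => (!empty($row['pict_url'])) ? 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&amp;fromfile=' . UPLOAD_FOLDER . $row['id'] . '/' . $row['pict_url'] : 'images/email_alerts/default_item_img.jpg',
+'IMAGE' => (!empty($row['pict_url'])) ? 'getthumb.php?w=' . $system->SETTINGS['thumb_show'] . '&auction_id=' . $row['id'] . '&amp;fromfile=' . $row['pict_url'] : '',
 'TITLE' => htmlspecialchars($row['title'])
 ));
 }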
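Review bot: The two rewritten `'IMAGE'` lines are now inconsistent: line 107 separates the parameters with `&auction_id=` and `&fromfile=`, line 191 with `&auction_id=` and `&amp;fromfile=`, whereas both previously used `&amp;` throughout. Which form is right depends on whether the template emits the value inside an HTML attribute, but the two should match; `'&amp;auction_id=' . $row['id'] . '&amp;fromfile=' . urlencode($row['pict_url'])` on both lines keeps the old attribute-safe form. Both hunks also replace the `images/email_alerts/default_item_img.jpg` fallback with `''`; unless the template already handles an empty `{IMAGE}`, items without a picture will render an `<img>` with an empty `src`. The `@@` context names ShowFlags(), whose body lies outside these hunks.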

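--- a/item.php
+++ b/item.php
@@ -466,7 +466,7 @@
 'TITLE' => htmlspecialchars($auction_data['title']),
 'SUBTITLE' => htmlspecialchars($auction_data['subtitle']),
 'AUCTION_DESCRIPTION' => $auction_data['description'],
-'PIC_URL' => UPLOAD_FOLDER . $id . '/' . $auction_data['pict_url'],
+'PIC_URL' => $auction_data['pict_url'],
 'SHIPPING_COST' => ($auction_data['shipping_cost'] > 0) ? $system->print_money($auction_data['shipping_cost']) : $MSG['1152'],
 'ADDITIONAL_SHIPPING_COST' => $system->print_money($auction_data['additional_shipping_cost']),
 'COUNTRY' => $auction_data['country'],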

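--- a/register.php
+++ b/register.php
@@ -448,15 +448,15 @@ function emailDomainIsBlacklisted($email)
 
 'V_YNEWSL' => ((isset($_POST['TPL_nletter']) && $_POST['TPL_nletter'] == 1) || !isset($_POST['TPL_nletter'])) ? 'checked=true' : '',
 'V_NNEWSL' => (isset($_POST['TPL_nletter']) && $_POST['TPL_nletter'] == 2) ? 'checked=true' : '',
-'V_YNAME' => (isset($_POST['TPL_name'])) ? $_POST['TPL_name'] : '',
-'V_UNAME' => (isset($_POST['TPL_nick'])) ? $_POST['TPL_nick'] : '',
-'V_EMAIL' => (isset($_POST['TPL_email'])) ? $_POST['TPL_email'] : '',
-'V_YEAR' => (isset($_POST['TPL_year'])) ? $_POST['TPL_year'] : '',
-'V_ADDRE' => (isset($_POST['TPL_address'])) ? $_POST['TPL_address'] : '',
-'V_CITY' => (isset($_POST['TPL_city'])) ? $_POST['TPL_city'] : '',
-'V_PROV' => (isset($_POST['TPL_prov'])) ? $_POST['TPL_prov'] : '',
-'V_POSTCODE' => (isset($_POST['TPL_zip'])) ? $_POST['TPL_zip'] : '',
-'V_PHONE' => (isset($_POST['TPL_phone'])) ? $_POST['TPL_phone'] : ''
+'V_YNAME' => (isset($_POST['TPL_name'])) ? $system->cleanvars($_POST['TPL_name']) : '',
+'V_UNAME' => (isset($_POST['TPL_nick'])) ? $system->cleanvars($_POST['TPL_nick']) : '',
+'V_EMAIL' => (isset($_POST['TPL_email'])) ? $system->cleanvars($_POST['TPL_email']) : '',
+'V_YEAR' => (isset($_POST['TPL_year'])) ? $system->cleanvars($_POST['TPL_year']) : '',
+'V_ADDRE' => (isset($_POST['TPL_address'])) ? $system->cleanvars($_POST['TPL_address']) : '',
+'V_CITY' => (isset($_POST['TPL_city'])) ? $system->cleanvars($_POST['TPL_city']) : '',
+'V_PROV' => (isset($_POST['TPL_prov'])) ? $system->cleanvars($_POST['TPL_prov']) : '',
+'V_POSTCODE' => (isset($_POST['TPL_zip'])) ? $system->cleanvars($_POST['TPL_zip']) : '',
+'V_PHONE' => (isset($_POST['TPL_phone'])) ? $system->cleanvars($_POST['TPL_phone']) : ''
 ));
 
 include 'header.php';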

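--- a/themes/adminClassic/editauction.tpl
+++ b/themes/adminClassic/editauction.tpl
@@ -71,7 +71,7 @@
 <!-- BEGIN gallery -->
 <div class="button" style=" height:100px; float:left; margin:5px; padding:10px 5px 20px 10px;">
 <a href="{SITEURL}/{gallery.V}" title="{gallery.V}" target="_blank">
-<img src="{SITEURL}getthumb.php?fromfile={gallery.V}" border="0" height="100px">
+<img src="{SITEURL}getthumb.php?fromfile={gallery.V}&auction_id={ID}" border="0" height="100px">
 </a><br>
 <input type="checkbox" name="gallery[]" value="{gallery.V}">
 </div>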

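--- a/themes/adminModern/editauction.tpl
+++ b/themes/adminModern/editauction.tpl
@@ -71,7 +71,7 @@
 <!-- BEGIN gallery -->
 <div style="width:50px; float: left;">
 <a href="{SITEURL}/{gallery.V}" title="{gallery.V}" target="_blank">
-<img src="{SITEURL}getthumb.php?fromfile={gallery.V}" border="0" hspace="10">
+<img src="{SITEURL}getthumb.php?fromfile={gallery.V}&auction_id={ID}" border="0" hspace="10">
 </a>
 <input type="checkbox" name="gallery[]" value="{gallery.V}">
 </div>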

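--- a/themes/classic/item.tpl
+++ b/themes/classic/item.tpl
@@ -81,7 +81,7 @@ $(document).ready(function() {
 <table bgcolor="#ffffff">
 <tr>
 <td align='center'>
-<img src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={PIC_URL}" border="0" align="center"><br>
+<img src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={PIC_URL}&auction_id={ID}" border="0" align="center"><br>
 <!-- IF B_HASGALELRY -->
 <a href="#gallery"><img src="{SITEURL}images/gallery.gif" border="0" alt="gallery"> {L_694}</a>
 <!-- ENDIF -->
@@ -308,7 +308,7 @@ $(document).ready(function() {
 <!-- BEGIN gallery -->
 <td>
 <a href="{SITEURL}{UPLOADEDPATH}{ID}/{gallery.V}" title="" data-lightbox="gallery">
-<img src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={UPLOADEDPATH}{ID}/{gallery.V}" border="0" hspace="10">
+<img src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={gallery.V}&auction_id={ID}" border="0" hspace="10">
 </a>
 </td>
 <!-- END gallery -->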
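Review bot: Inside an HTML attribute the query separator added on lines 84 and 311 should be written `&amp;auction_id={ID}`; a bare `&` is only tolerated by lenient parsers and makes the page invalid. The same applies to themes/modern/item.tpl (60, 69) and to the `&auction_id={ID}` added in both admin editauction.tpl files (74). On line 311 the lightbox href `{SITEURL}{UPLOADEDPATH}{ID}/{gallery.V}` is unchanged and is now the only place the full upload path is assembled, so this template depends on `gallery.V` being a bare filename — worth a template comment, since the two admin templates make the opposite assumption.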

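--- a/themes/modern/item.tpl
+++ b/themes/modern/item.tpl
@@ -57,7 +57,7 @@ $(document).ready(function() {
 <div class="panel-heading"><span class="label label-default">{L_113}: {ID}</span></div>
 <div class="panel-body">
 <div class="col-md-12">
-<img class="img-rounded img-responsive center-block" src="{SITEURL}getthumb.php?w=430&fromfile={PIC_URL}" border="0" align="center" width="430px">
+<img class="img-rounded img-responsive center-block" src="{SITEURL}getthumb.php?w=430&fromfile={PIC_URL}&auction_id={ID}" border="0" align="center" width="430px">
 </div>
 <!-- IF B_HASGALELRY -->
 <div>
@@ -66,7 +66,7 @@ $(document).ready(function() {
 <!-- BEGIN gallery -->
 <div class="col-md-4 col-xs-4 col-sm-4">
 <a href="{SITEURL}{UPLOADEDPATH}{ID}/{gallery.V}" title="" data-lightbox="gallery">
-<img class="img-rounded img-responsive" src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={UPLOADEDPATH}{ID}/{gallery.V}" border="0"></a>
+<img class="img-rounded img-responsive" src="{SITEURL}getthumb.php?w={THUMBWIDTH}&fromfile={gallery.V}&auction_id={ID}" border="0"></a>
 </div>
 <!-- END gallery -->
 </div>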

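--- a/user_login.php
+++ b/user_login.php
@@ -124,7 +124,7 @@
 
 $template->assign_vars(array(
 'ERROR' => (isset($ERR)) ? $ERR : '',
-'USER' => (isset($_POST['username'])) ? $_POST['username'] : ''
+'USER' => (isset($_POST['username'])) ? $system->cleanvars($_POST['username']) : ''
 ));
 
 include 'header.php';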

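--- a/yourauctions.php
+++ b/yourauctions.php
@@ -99,8 +99,9 @@
 $_SESSION['oa_ord'] = 'title';
 $_SESSION['oa_type'] = 'asc';
 } elseif (!empty($_GET['oa_ord'])) {
-$_SESSION['oa_ord'] = $_GET['oa_ord'];
-$_SESSION['oa_type'] = $_GET['oa_type'];
+// check oa_ord && oa_type are valid
+$_SESSION['oa_ord'] = (in_array($_GET['oa_ord'], array('title', 'starts', 'ends', 'num_bids', 'current_bid'))) ? $_GET['oa_ord'] : 'title';
+$_SESSION['oa_type'] = (in_array($_GET['oa_type'], array('asc', 'desc'))) ? $_GET['oa_type'] : 'asc';
 } elseif (isset($_SESSION['oa_ord']) && empty($_GET['oa_ord'])) {
 $_SESSION['oa_nexttype'] = $_SESSION['oa_type'];
 }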
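Review bot: `$_GET['oa_type']` on new line 104 is read without an isset() guard — the surrounding `elseif` only tests `oa_ord` — so a request that carries `oa_ord` but not `oa_type` raises an undefined-index notice before the `'asc'` default is applied; `(isset($_GET['oa_type']) && in_array($_GET['oa_type'], array('asc', 'desc'), true)) ? $_GET['oa_type'] : 'asc'` closes that. Pass `true` as the third argument to both in_array() calls so the allow-list comparison is strict rather than loosely typed. The same pattern, including the copied comment that still reads `oa_ord && oa_type`, appears in yourauctions_c.php (208-209), yourauctions_p.php (113-114), yourauctions_s.php (85-86) and yourauctions_sold.php (153-154); the comment in each should name that file's own keys.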

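--- a/yourauctions_c.php
+++ b/yourauctions_c.php
@@ -204,8 +204,9 @@
 $_SESSION['ca_ord'] = 'title';
 $_SESSION['ca_type'] = 'asc';
 } elseif (!empty($_GET['ca_ord'])) {
-$_SESSION['ca_ord'] = $_GET['ca_ord'];
-$_SESSION['ca_type'] = $_GET['ca_type'];
+// check oa_ord && oa_type are valid
+$_SESSION['ca_ord'] = (in_array($_GET['ca_ord'], array('title', 'starts', 'ends', 'num_bids', 'current_bid'))) ? $_GET['ca_ord'] : 'title';
+$_SESSION['ca_type'] = (in_array($_GET['ca_type'], array('asc', 'desc'))) ? $_GET['ca_type'] : 'asc';
 } elseif (isset($_SESSION['ca_ord']) && empty($_GET['ca_ord'])) {
 $_SESSION['ca_nexttype'] = $_SESSION['ca_type'];
 }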

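--- a/yourauctions_p.php
+++ b/yourauctions_p.php
@@ -109,8 +109,9 @@
 $_SESSION['pa_ord'] = 'title';
 $_SESSION['pa_type'] = 'asc';
 } elseif (!empty($_GET['pa_ord'])) {
-$_SESSION['pa_ord'] = $_GET['pa_ord'];
-$_SESSION['pa_type'] = $_GET['pa_type'];
+// check oa_ord && oa_type are valid
+$_SESSION['pa_ord'] = (in_array($_GET['pa_ord'], array('title', 'starts', 'ends'))) ? $_GET['pa_ord'] : 'title';
+$_SESSION['pa_type'] = (in_array($_GET['pa_type'], array('asc', 'desc'))) ? $_GET['pa_type'] : 'asc';
 } elseif (isset($_SESSION['pa_ord']) && empty($_GET['pa_ord'])) {
 $_SESSION['pa_nexttype'] = $_SESSION['pa_type'];
 }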

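--- a/yourauctions_s.php
+++ b/yourauctions_s.php
@@ -81,8 +81,9 @@
 $_SESSION['sa_ord'] = 'title';
 $_SESSION['sa_type'] = 'asc';
 } elseif (!empty($_GET['sa_ord'])) {
-$_SESSION['sa_ord'] = $_GET['sa_ord'];
-$_SESSION['sa_type'] = $_GET['sa_type'];
+// check oa_ord && oa_type are valid
+$_SESSION['sa_ord'] = (in_array($_GET['sa_ord'], array('title', 'num_bids', 'current_bid'))) ? $_GET['sa_ord'] : 'title';
+$_SESSION['sa_type'] = (in_array($_GET['sa_type'], array('asc', 'desc'))) ? $_GET['sa_type'] : 'asc';
 } elseif (isset($_SESSION['sa_ord']) && empty($_GET['sa_ord'])) {
 $_SESSION['sa_nexttype'] = $_SESSION['sa_type'];
 }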

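--- a/yourauctions_sold.php
+++ b/yourauctions_sold.php
@@ -149,8 +149,9 @@
 $_SESSION['solda_ord'] = 'title';
 $_SESSION['solda_type'] = 'asc';
 } elseif (!empty($_GET['solda_ord'])) {
-$_SESSION['solda_ord'] = $_GET['solda_ord'];
-$_SESSION['solda_type'] = $_GET['solda_type'];
+// check oa_ord && oa_type are valid
+$_SESSION['solda_ord'] = (in_array($_GET['solda_ord'], array('title', 'starts', 'ends', 'num_bids', 'current_bid'))) ? $_GET['solda_ord'] : 'title';
+$_SESSION['solda_type'] = (in_array($_GET['solda_type'], array('asc', 'desc'))) ? $_GET['solda_type'] : 'asc';
 } elseif (isset($_SESSION['solda_ord']) && empty($_GET['solda_ord'])) {
 $_SESSION['solda_nexttype'] = $_SESSION['solda_type'];
 }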
