
Commit 4f948ba

committed
Merge remote-tracking branch 'holman/fix-user-edit-injection' into v4.1
2 parents 77e2ad9 + 1ee5e12 commit 4f948ba


2 files changed

+9
-4
lines changed


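--- a/newscoop/application/modules/admin/controllers/LanguagesController.php
+++ b/newscoop/application/modules/admin/controllers/LanguagesController.php
@@ -120,11 +120,16 @@ public function deleteAction()
 */
 private function getLanguage()
 {
-$id = $this->getRequest()->getParam('language');
-$language = $this->repository->find($id);
+$id = (int) $this->getRequest()->getParam('language');
+if (!$id) {
+$this->_helper->flashMessenger(array('error', getGS('Language id not specified')));
+$this->_helper->redirector('index');
+}
+
+$language = $this->repository->findOneBy(array('id' => $id));
 if (empty($language)) {
 $this->_helper->flashMessenger->addMessage(getGS('Language not found.'));
-$this->_forward('index');
+$this->_helper->redirector('index');
 }
 
 return $language;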
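Review bot: The `(int)` cast added at the top of getLanguage() coerces the request parameter instead of rejecting malformed input, so a value with trailing text (constructed example: `12abc`) is treated as id 12 and a non-empty array parameter becomes 1, and either can match an existing record. Validating rather than casting keeps the existing `if (!$id)` guard meaningful: `$id = filter_var($this->getRequest()->getParam('language'), FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));`, which yields false for arrays, partially numeric strings and non-positive values. The same applies to the cast added in UserController::getUser(). Separately, the "Language not found." message is queued with `flashMessenger->addMessage(...)` while the new one uses the `array('error', ...)` form, so the two error paths are reported differently. The function's closing lines are outside the hunk.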

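--- a/newscoop/application/modules/admin/controllers/UserController.php
+++ b/newscoop/application/modules/admin/controllers/UserController.php
@@ -281,7 +281,7 @@ public function editPasswordAction()
 */
 protected function getUser()
 {
-$id = $this->_getParam('user', false);
+$id = (int) $this->_getParam('user', false);
 if (!$id) {
 $this->_helper->flashMessenger(array('error', getGS('User id not specified')));
 $this->_helper->redirector('index');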
