
Removed untrustworthy user_id from MBTiles upload form

commit addc2bc6444b86d197aa7ef208d7a6e64c9a8d55 1 parent aee9c07
Michal Migurski authored
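--- a/site/templates/upload_mbtiles.html.tpl
+++ b/site/templates/upload_mbtiles.html.tpl
@@ -9,7 +9,6 @@
 <div class="container">
 <form enctype="multipart/form-data" action="{$base_dir}/mbtiles_uploader.php" method="POST">
 Upload your file: <input name="uploaded_mbtiles" type="file"><br>
-<input type="hidden" name="user_id" value="{$user.id}">
 <input type="submit" value="Upload">
 </form>
 {include file="footer.htmlf.tpl"}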
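--- a/site/www/mbtiles_uploader.php
+++ b/site/www/mbtiles_uploader.php
@@ -21,15 +21,12 @@
 // Post the file
 post_file($target_mbtiles_path, $mbtiles_content_bytes, $mime_type);
-// Keep a record in the database
-$user_id = $_POST['user_id'];
-
 $filename = explode('.', basename($_FILES['uploaded_mbtiles']['name']));
 $slug = $filename[0];
 $mbtiles_url = 'http://'.get_domain_name().get_base_dir().'/mbtiles.php/'.$slug. '/{Z}/{X}/{Y}.png';
-$mbtiles = add_mbtiles($context->db, $user_id, $mbtiles_url, $mbtiles_filename,'files/'.$target_mbtiles_path);
+$mbtiles = add_mbtiles($context->db, $context->user['id'], $mbtiles_url, $mbtiles_filename,'files/'.$target_mbtiles_path);
 $display_mbtiles_url = 'http://'.get_domain_name().get_base_dir().'/display_mbtiles.php?id='.urlencode($mbtiles['id']).'&filename='.urlencode($slug);
 header("Location: $display_mbtiles_url");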
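Review bot: Nothing visible in this hunk confirms that `$context->user['id']` is set before `post_file()` stores the upload and `add_mbtiles()` records it, so a request without a signed-in user may still be stored and attributed to an empty id. The script's first 20 lines are outside the hunk and may already enforce this; if they do not, a guard ahead of `post_file()` such as `if (empty($context->user['id'])) { header('HTTP/1.1 403 Forbidden'); exit; }` would close that gap. Separately, `$slug` comes from the client-supplied file name and is concatenated into `$mbtiles_url` without `urlencode()`, unlike in `$display_mbtiles_url` two lines later. Because the owner is now taken from the session, the form in upload_mbtiles.html.tpl, which carries no token field, is worth protecting with an anti-CSRF token so that a cross-site POST cannot be recorded under the visitor's own account.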
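--- a/site/www/upload_mbtiles.php
+++ b/site/www/upload_mbtiles.php
@@ -4,7 +4,6 @@
 $context = default_context();
-$context->sm->assign('user', $context->user);
-
 print $context->sm->fetch("upload_mbtiles.html.tpl");
+
 ?>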