[fix] Unescaped user input could lead to XSS attacks.

Thanks to Jake Gordon and the Duke University Security team for finding this.
Solomon Peachy 2016-01-17 10:05:41 -05:00
parent f12a8ca011
commit 54f988cd45
5 changed files with 13 additions and 7 deletions


@ -34,6 +34,7 @@ v2.38 (Unreleased)
[misc] Early support for using darktable to import RAWs
[misc] Allow photo worker to recover from a failed database connection
[fix] Errors upon emptying the trash weren't displayed properly
[fix] Unescaped search strings could lead to XSS bugs.
v2.37.1 (December 3, 2012)


@ -54,8 +54,9 @@ $folder_id = "";
$album_id = "";
$search_string = isset($_REQUEST['search_string']) ? $_REQUEST['search_string'] : "";
$sql_search_string = validate_search_string($search_string);
$search_string = htmlentities($search_string);
$search_string = validate_search_string($search_string);
$current_user_id = isset($_REQUEST['current_user']) ? $_REQUEST['current_user'] : $po_user['id'];
if ($current_user_id == 'null')
$current_user_id = $po_user['id'];
@ -81,7 +82,7 @@ site_header($strings['generic_search']);
site_navigator(2);
$keywords = extract_keywords($search_string, $po_options['search_enable_stemming']);
$keywords = extract_keywords($sql_search_string, $po_options['search_enable_stemming']);
if (!$keywords) {
site_navigator_status($strings['search_string'], "");
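Review bot: The new `$search_string = htmlentities($search_string);` line relies on the default flags, which on any PHP release before 8.1 are `ENT_COMPAT` (double quotes encoded, single quotes left alone) with no explicit charset, so the value is still unsafe if a template later prints it inside a single-quoted attribute or the page charset differs from the default. Make the context explicit: `$search_string = htmlentities($search_string, ENT_QUOTES, 'UTF-8');`. The identical line is added in the matching hunks of the fourth and fifth changed files and should be updated the same way. Whether the `$sql_search_string` produced by `validate_search_string()` is interpolated into a query or bound as a parameter is not visible in this hunk; the `$sql_` prefix suggests interpolation, which is worth confirming separately. The surrounding statement run starts and continues outside the hunk.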


@ -124,12 +124,14 @@ if (($offset + $limit) > $num_of_matches) {
$items = $limit;
}
$search_data = htmlentities($search_data);
site_navigator_status($strings['search_searched_for']."<strong>$search_data</strong>", $strings['search_displaying'] ." ". display_photo_index_status($offset, $limit, $num_of_matches));
print "&nbsp;<br/>\n";
$search_string = "keyword=".$search_data;
$search_string_exp = str_replace(" ", "+", $search_string);
$search_string = str_replace(" ", "+", $search_string);
print "<form name=\"photoList\" method=\"post\" action=\"folder.content.php\" accept-charset=\"".$strings['formats_encoding']."\">";
print "<input type=\"hidden\" name=\"return\" value=\"".generate_link('tag', $search_data, array('offset'=>$offset))."\"/>";
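Review bot: `$search_data` is entity-encoded on the first added line and then reused in non-HTML contexts further down — the `"keyword=".$search_data` string and the `generate_link('tag', $search_data, ...)` call inside a `value="..."` attribute — so a search term containing `&`, `<` or `"` presumably reaches the generated link as `&amp;`, `&lt;`, `&quot;`, which either mangles the URL or double-encodes it depending on what `generate_link()` does with its argument (not visible here). Escape per context instead: keep the raw value and encode only at the point of HTML output, e.g. `$search_data_html = htmlentities($search_data, ENT_QUOTES, 'UTF-8');`, use `$search_data_html` in the `<strong>…</strong>` status line, pass the raw `$search_data` to `generate_link()`, and wrap the returned link in `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` where it is printed into the `value=` attribute. The `str_replace(" ", "+", …)` on the two lines that follow is only a partial URL encoding; `urlencode()` or `http_build_query()` would cover the remaining reserved characters. The enclosing statement run continues outside the hunk.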


@ -55,8 +55,9 @@ $folder_id = "";
$album_id = "";
$search_string = isset($_REQUEST['search_string']) ? $_REQUEST['search_string'] : "";
$sql_search_string = validate_search_string($search_string);
$search_string = htmlentities($search_string);
$search_string = validate_search_string($search_string);
$current_user_id = isset($_REQUEST['current_user']) ? $_REQUEST['current_user'] : $po_user['id'];
if ($current_user_id == 'null')
$current_user_id = $po_user['id'];
@ -84,7 +85,7 @@ site_header($strings['generic_search']);
site_navigator(2);
$keywords = extract_keywords($search_string, $po_options['search_enable_stemming']);
$keywords = extract_keywords($sql_search_string, $po_options['search_enable_stemming']);
if (!$keywords) {
if (!$master && ($po_options['search_masters_only'] != 'f')) {


@ -68,8 +68,9 @@ function build_users_search_string($search_string, $identifier) {
}
$search_string = isset($_REQUEST['search_string']) ? $_REQUEST['search_string'] : "";
$sql_search_string = validate_search_string($search_string);
$search_string = htmlentities($search_string);
$search_string = validate_search_string($search_string);
$current_user_id = isset($_REQUEST['current_user']) ? $_REQUEST['current_user'] : $po_user['id'];
if ($current_user_id == 'null')
$current_user_id = $po_user['id'];
@ -86,7 +87,7 @@ site_header($strings['generic_search']);
site_navigator(2);
$keywords = extract_keywords($search_string, $po_options['search_enable_stemming']);
$keywords = extract_keywords($sql_search_string, $po_options['search_enable_stemming']);
if (!$keywords) {
site_navigator_status($strings['search_string'], "");