[fix] Ensure *all* data that comes in from EXIF/IPTC/XMP sources is
properly escaped.
parent
b7e2015552
commit
cd52dbd609
1
CHANGES
1
CHANGES
|
@ -18,6 +18,7 @@ For further information about Photo Organizer, see its web site at:
|
|||
[fix] Fix a typo in the IPTC location-matching code.
|
||||
[misc] Fix some CSS inefficiences
|
||||
[misc] Include the sizecode in the pretty image/photo URLs.
|
||||
[fix] Ensure all exif/iptc/xmp data imported is explicitly escaped.
|
||||
|
||||
2.37-rc1 (June 2, 2009)
|
||||
|
||||
|
|
|
@ -148,8 +148,6 @@ function convert_exif_camera($database, $user_id, &$image_data, $camera_make, $c
|
|||
}
|
||||
|
||||
function convert_exif_equipment($database, $user_id, &$image_data, $lens_id, $type) {
|
||||
$lens_id = pg_escape_string($lens_id);
|
||||
|
||||
$lens = pg_query($database, "select identifier from view_equipment
|
||||
where model = '$lens_id'
|
||||
and type = $type
|
||||
|
@ -168,7 +166,7 @@ function convert_exif_equipment($database, $user_id, &$image_data, $lens_id, $ty
|
|||
}
|
||||
|
||||
function exif_string_helper(&$image_data, $exif_data, $image_key, $exif_key) {
|
||||
$tmp = pg_escape_string($exif_data[$exif_key]);
|
||||
$tmp = $exif_data[$exif_key];
|
||||
if (strlen($tmp)) {
|
||||
$image_data[$image_key] = $tmp;
|
||||
}
|
||||
|
@ -249,6 +247,7 @@ function photo_parse_exif($database, $index, $user_id, $image_data, &$output) {
|
|||
/* Process the raw data */
|
||||
foreach ($exif_data as $key => $value) {
|
||||
$ignore_row = FALSE;
|
||||
$value = pg_escape_string($value);
|
||||
|
||||
switch ($key) {
|
||||
case "Artist":
|
||||
|
@ -372,9 +371,6 @@ function photo_parse_exif($database, $index, $user_id, $image_data, &$output) {
|
|||
|
||||
// New: "metering" "program" "flash" and "flash mode"
|
||||
|
||||
/* Escape it for database sanity */
|
||||
$image_data["exif"] = pg_escape_string($image_data["exif"]);
|
||||
|
||||
return $image_data;
|
||||
}
|
||||
|
||||
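Review bot: `exif_string_helper` reads `$exif_data[$exif_key]`, but the escaping added in `photo_parse_exif` is applied only to the loop's by-value copy (`foreach ($exif_data as $key => $value)`), so strings stored through the helper may bypass it. This holds only if the unescaped `$tmp = $exif_data[$exif_key];` is the new side of that hunk; the page has lost its +/- markers, so this is inferred from the hunk counts and the commit's intent. `convert_exif_equipment` likewise appears to lose its own `pg_escape_string($lens_id)` while still interpolating `$lens_id` and the unquoted `$type` into the query text, so its safety now depends on every caller having escaped both. Binding at the sink removes that dependency and the risk of double escaping, e.g. `pg_query_params($database, "select identifier from view_equipment where model = $1 and type = $2 ...", array($lens_id, $type))` with the raw values. Both function bodies and the rest of the query continue outside the hunks shown.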
|
|
|
@ -244,6 +244,7 @@ function photo_parse_iptc($database, $index, $user_id, $image_data, &$output) {
|
|||
/* Populate IPTC data */
|
||||
$iptc_data = $image_data['exiftool_data_IPTC'];
|
||||
foreach ($iptc_data as $key => $value) {
|
||||
$value = pg_escape_string($value);
|
||||
$image_data["iptc"] .= "<key>$key</key><value>$value</value>";
|
||||
switch ($key) {
|
||||
case "Caption-Abstract":
|
||||
|
@ -328,9 +329,6 @@ function photo_parse_iptc($database, $index, $user_id, $image_data, &$output) {
|
|||
}
|
||||
}
|
||||
|
||||
/* Escape it for database sanity */
|
||||
$image_data["iptc"] = pg_escape_string($image_data["iptc"]);
|
||||
|
||||
return $image_data;
|
||||
}
|
||||
|
||||
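Review bot: `$key` is still interpolated unescaped into `"<key>$key</key><value>$value</value>"`, and this commit drops the final `pg_escape_string($image_data["iptc"])`, so the accumulated field is now only as safe as its individually escaped values. A tag name containing a quote, or anything already in `$image_data["iptc"]` before the loop appends to it, would reach the database unescaped if the field is later placed in a query string. The removed comment "Escape it for database sanity" suggests it is, but the query is not visible here. Use a separate `$safe_key = pg_escape_string($key);` in the concatenation (leaving `$key` untouched for the `switch`), or better, bind the whole field as a parameter where it is written. `pg_escape_string` also leaves `<`, `>` and `&` alone, so a crafted value can still break the `<key>/<value>` markup unless it is markup-escaped (e.g. `htmlspecialchars`) when built or rendered; the same points apply to the `$image_data["rdf"]` loop in `photo_parse_rdf`.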
|
|
|
@ -63,6 +63,7 @@ function photo_parse_rdf($database, $index, $user_id, $image_data, &$output) {
|
|||
/* Populate RDF data */
|
||||
$rdf_data = $image_data['exiftool_data_XMP'];
|
||||
foreach ($rdf_data as $key => $value) {
|
||||
$value = pg_escape_string($value);
|
||||
$image_data["rdf"] .= "<key>$key</key><value>$value</value>";
|
||||
switch ($key) {
|
||||
case "Creator": // and 'Owner' too
|
||||
|
@ -194,9 +195,6 @@ function photo_parse_rdf($database, $index, $user_id, $image_data, &$output) {
|
|||
|
||||
*/
|
||||
|
||||
/* Escape it for database sanity */
|
||||
$image_data["rdf"] = pg_escape_string($image_data["rdf"]);
|
||||
|
||||
return $image_data;
|
||||
}
|
||||
|
||||
|
|