[fix] Ensure *all* data that comes in from EXIF/IPTC/XMP sources is

properly escaped.
Solomon Peachy 2009-07-10 10:45:21 -04:00
parent b7e2015552
commit cd52dbd609
4 changed files with 5 additions and 12 deletions


@ -18,6 +18,7 @@ For further information about Photo Organizer, see its web site at:
[fix] Fix a typo in the IPTC location-matching code.
[misc] Fix some CSS inefficiences
[misc] Include the sizecode in the pretty image/photo URLs.
[fix] Ensure all exif/iptc/xmp data imported is explicitly escaped.
2.37-rc1 (June 2, 2009)


@ -148,8 +148,6 @@ function convert_exif_camera($database, $user_id, &$image_data, $camera_make, $c
}
function convert_exif_equipment($database, $user_id, &$image_data, $lens_id, $type) {
$lens_id = pg_escape_string($lens_id);
$lens = pg_query($database, "select identifier from view_equipment
where model = '$lens_id'
and type = $type
@ -168,7 +166,7 @@ function convert_exif_equipment($database, $user_id, &$image_data, $lens_id, $ty
}
function exif_string_helper(&$image_data, $exif_data, $image_key, $exif_key) {
$tmp = pg_escape_string($exif_data[$exif_key]);
$tmp = $exif_data[$exif_key];
if (strlen($tmp)) {
$image_data[$image_key] = $tmp;
}
@ -249,6 +247,7 @@ function photo_parse_exif($database, $index, $user_id, $image_data, &$output) {
/* Process the raw data */
foreach ($exif_data as $key => $value) {
$ignore_row = FALSE;
$value = pg_escape_string($value);
switch ($key) {
case "Artist":
@ -372,9 +371,6 @@ function photo_parse_exif($database, $index, $user_id, $image_data, &$output) {
// New: "metering" "program" "flash" and "flash mode"
/* Escape it for database sanity */
$image_data["exif"] = pg_escape_string($image_data["exif"]);
return $image_data;
}
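Review bot: exif_string_helper (hunk at line 166) now copies `$exif_data[$exif_key]` into `$image_data` with no escaping at all, while the `pg_escape_string($value)` added to the loop in photo_parse_exif (hunk at line 247) only escapes the local `$value` copy and never writes back into `$exif_data`. If the helper is called with `$exif_data` from inside that switch — the call sites are outside these hunks — the fields it sets would now reach the database unescaped, which is the opposite of what the commit title claims. Either keep `$tmp = pg_escape_string($exif_data[$exif_key]);` in the helper, or write the escaped value back at the top of the loop with `$exif_data[$key] = $value = pg_escape_string($database, $value);` so both paths see the same data; passing `$database` also matters because the one-argument form escapes for whichever connection was opened last rather than this one. The hunk at line 148 likewise drops the escaping from convert_exif_equipment, so that function is now only safe when every caller pre-escapes `$lens_id`; a `pg_query_params()` call there would remove that dependency on the caller and also cover the unquoted `$type` interpolation.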


@ -244,6 +244,7 @@ function photo_parse_iptc($database, $index, $user_id, $image_data, &$output) {
/* Populate IPTC data */
$iptc_data = $image_data['exiftool_data_IPTC'];
foreach ($iptc_data as $key => $value) {
$value = pg_escape_string($value);
$image_data["iptc"] .= "<key>$key</key><value>$value</value>";
switch ($key) {
case "Caption-Abstract":
@ -328,9 +329,6 @@ function photo_parse_iptc($database, $index, $user_id, $image_data, &$output) {
}
}
/* Escape it for database sanity */
$image_data["iptc"] = pg_escape_string($image_data["iptc"]);
return $image_data;
}
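Review bot: The `pg_escape_string($value)` added before the `<key>$key</key><value>$value</value>` concatenation in photo_parse_iptc (hunk at line 244) escapes for SQL only, and only the value — `$key` is interpolated raw, and neither side has `<`, `>` or `&` encoded. A value containing `</value><key>` therefore still corrupts the pseudo-XML stored in `$image_data["iptc"]`, and anything that later renders that markup receives the raw bytes, so for metadata read from untrusted files this is not yet a complete fix. The call also omits the connection, so it escapes according to the most recently opened connection's encoding rather than `$database`; use `$value = pg_escape_string($database, $value);`. If the markup is meant to stay machine-readable, encode both parts with `htmlspecialchars()` (or an equivalent XML-safe encoding) before the SQL escape, or store the pairs in a structured column instead.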


@ -63,6 +63,7 @@ function photo_parse_rdf($database, $index, $user_id, $image_data, &$output) {
/* Populate RDF data */
$rdf_data = $image_data['exiftool_data_XMP'];
foreach ($rdf_data as $key => $value) {
$value = pg_escape_string($value);
$image_data["rdf"] .= "<key>$key</key><value>$value</value>";
switch ($key) {
case "Creator": // and 'Owner' too
@ -194,9 +195,6 @@ function photo_parse_rdf($database, $index, $user_id, $image_data, &$output) {
*/
/* Escape it for database sanity */
$image_data["rdf"] = pg_escape_string($image_data["rdf"]);
return $image_data;
}
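Review bot: Escaping `$value` at parse time (hunk at line 63) bakes SQL-escaped text into `$image_data["rdf"]` and, presumably, into whatever the switch below copies out of `$value`, so every later consumer must write it straight into a query string with no further escaping — a consumer that displays it, or that is later converted to `pg_query_params()`, will see doubled quotes and backslashes. The more robust shape is to leave `$image_data` raw and escape (or better, parameterize) at the SQL sink; if parse-time escaping is kept, at least pass the connection, `$value = pg_escape_string($database, $value);`, since the one-argument form uses the last connection opened. XMP also commonly carries list-typed tags (subjects, creators) that exiftool may return as arrays; if `$rdf_data` can hold an array value, `pg_escape_string()` on it emits a warning and returns null (a TypeError on PHP 8), silently dropping the data, so guard with `if (is_array($value)) { ... }` before escaping. The switch body continues past the end of the hunk.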