From 02b0b681935185a1c4d2d64e76fe499f3d438d12 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sun, 8 Oct 2006 12:05:23 +0200
Subject: strip controlchars in fetch.php #935

Fixes a header injection/XSS vulnerability

darcs-hash:20061008100523-7ad00-be06a942badb6a2a9ed862be003ee0050504b4b0.gz
---
 inc/common.php    | 11 ++++++++++-
 lib/exe/fetch.php |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/inc/common.php b/inc/common.php
index 8b21c0585..845ca3634 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -41,7 +41,16 @@ function hsc($string){
  */
 function ptln($string,$intend=0){
   for($i=0; $i<$intend; $i++) print ' ';
-  print"$string\n";
+  echo "$string\n";
+}
+
+/**
+ * strips control characters (<32) from the given string
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function stripctl($string){
+  return preg_replace('/[\x00-\x1F]+/s','',$string);
 }
 
 /**
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 343145c54..f33f7b0cc 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -20,7 +20,7 @@
   $mimetypes = getMimeTypes();
 
   //get input
-  $MEDIA  = getID('media',false); // no cleaning - maybe external
+  $MEDIA  = stripctl(getID('media',false)); // no cleaning except control chars - maybe external
   $CACHE  = calc_cache($_REQUEST['cache']);
   $WIDTH  = (int) $_REQUEST['w'];
   $HEIGHT = (int) $_REQUEST['h'];
-- 
cgit v1.2.3