From 90f1b7bd60332450b32e4ec0b189ddb0ab11fdf8 Mon Sep 17 00:00:00 2001 From: Tom N Harris Date: Wed, 27 Jun 2012 02:30:15 -0400 Subject: Input wrapper for action.php --- inc/actions.php | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) (limited to 'inc/actions.php') diff --git a/inc/actions.php b/inc/actions.php index e85cbfccc..0c35bc88c 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -20,6 +20,7 @@ function act_dispatch(){ global $ID; global $INFO; global $QUERY; + global $INPUT; global $lang; global $conf; @@ -131,14 +132,14 @@ function act_dispatch(){ //handle admin tasks if($ACT == 'admin'){ // retrieve admin plugin name from $_REQUEST['page'] - if (!empty($_REQUEST['page'])) { + if (($page = $INPUT->str('page', '', true)) != '') { $pluginlist = plugin_list('admin'); - if (in_array($_REQUEST['page'], $pluginlist)) { + if (in_array($page, $pluginlist)) { // attempt to load the plugin - if ($plugin =& plugin_load('admin',$_REQUEST['page']) !== null){ + if ($plugin =& plugin_load('admin',$page) !== null){ if($plugin->forAdminOnly() && !$INFO['isadmin']){ // a manager tried to load a plugin that's for admins only - unset($_REQUEST['page']); + $INPUT->remove('page'); msg('For admins only',-1); }else{ $plugin->handle(); @@ -300,13 +301,14 @@ function act_draftdel($act){ function act_draftsave($act){ global $INFO; global $ID; + global $INPUT; global $conf; - if($conf['usedraft'] && $_POST['wikitext']){ + if($conf['usedraft'] && $INPUT->post->has('wikitext')) { $draft = array('id' => $ID, - 'prefix' => substr($_POST['prefix'], 0, -1), - 'text' => $_POST['wikitext'], - 'suffix' => $_POST['suffix'], - 'date' => (int) $_POST['date'], + 'prefix' => substr($INPUT->post->str('prefix'), 0, -1), + 'text' => $INPUT->post->str('wikitext'), + 'suffix' => $INPUT->post->str('suffix'), + 'date' => $INPUT->post->int('date'), 'client' => $INFO['client'], ); $cname = getCacheName($draft['client'].$ID,'.draft'); @@ -335,6 +337,7 @@ function act_save($act){ global $SUM; global $lang; global $INFO; + global $INPUT; //spam check if(checkwordblock()) { @@ -346,7 +349,7 @@ function act_save($act){ return 'conflict'; //save it - saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$_REQUEST['minor']); //use pretty mode for con + saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$INPUT->bool('minor')); //use pretty mode for con //unlock it unlock($ID); @@ -669,6 +672,7 @@ function act_subscription($act){ global $lang; global $INFO; global $ID; + global $INPUT; // subcriptions work for logged in users only if(!$_SERVER['REMOTE_USER']) return 'show'; @@ -676,8 +680,8 @@ function act_subscription($act){ // get and preprocess data. $params = array(); foreach(array('target', 'style', 'action') as $param) { - if (isset($_REQUEST["sub_$param"])) { - $params[$param] = $_REQUEST["sub_$param"]; + if ($INPUT->has("sub_$param")) { + $params[$param] = $INPUT->str("sub_$param"); } } -- cgit v1.2.3 From 62baad0f61a13ec01791a8cdc8a7dbbd78f6a567 Mon Sep 17 00:00:00 2001 From: Martin Doucha Date: Thu, 14 Jun 2012 16:39:09 +0200 Subject: Split act_clean() into two functions so that plugins may use action string sanitization even for their own new actions --- inc/actions.php | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'inc/actions.php') diff --git a/inc/actions.php b/inc/actions.php index 0c35bc88c..2137d6b50 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -31,7 +31,7 @@ function act_dispatch(){ if ($evt->advise_before()) { //sanitize $ACT - $ACT = act_clean($ACT); + $ACT = act_validate($ACT); //check if searchword was given - else just show $s = cleanID($QUERY); @@ -184,8 +184,6 @@ function act_sendheaders($headers) { /** * Sanitize the action command * - * Add all allowed commands here. - * * @author Andreas Gohr */ function act_clean($act){ @@ -206,6 +204,18 @@ function act_clean($act){ if($act == 'export_htmlbody') $act = 'export_xhtmlbody'; if($act === '') $act = 'show'; + return $act; +} + +/** + * Sanitize and validate action commands. + * + * Add all allowed commands here. + * + * @author Andreas Gohr + */ +function act_validate($act) { + $act = act_clean($act); // check if action is disabled if(!actionOK($act)){ -- cgit v1.2.3 From daf0cdba5471dedf716e23fd4ab172391b6eb069 Mon Sep 17 00:00:00 2001 From: Martin Doucha Date: Mon, 18 Jun 2012 21:30:11 +0200 Subject: Fix act_validate() --- inc/actions.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'inc/actions.php') diff --git a/inc/actions.php b/inc/actions.php index 2137d6b50..d4bd5b20e 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -187,10 +187,6 @@ function act_sendheaders($headers) { * @author Andreas Gohr */ function act_clean($act){ - global $lang; - global $conf; - global $INFO; - // check if the action was given as array key if(is_array($act)){ list($act) = array_keys($act); @@ -215,6 +211,9 @@ function act_clean($act){ * @author Andreas Gohr */ function act_validate($act) { + global $conf; + global $INFO; + $act = act_clean($act); // check if action is disabled -- cgit v1.2.3