From c98f205e8a6265654072c7d3fea952552837b819 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Fri, 13 Jul 2012 12:07:51 +0200 Subject: Fix HTML injection in mediaFileList (Secunia advisory SA49196) --- lib/exe/ajax.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/exe/ajax.php') diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index 3d1584244..945091f34 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -13,7 +13,6 @@ session_write_close(); header('Content-Type: text/html; charset=utf-8'); - //call the requested function if(isset($_POST['call'])){ $call = $_POST['call']; @@ -204,7 +203,7 @@ function ajax_medialist(){ global $conf; global $NS; - $NS = $_POST['ns']; + $NS = cleanID($_POST['ns']); if ($_POST['do'] == 'media') { tpl_mediaFileList(); } else { -- cgit v1.2.3 From 64273335d1bae12b2fe7d9664e1665d6e69d47af Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 24 Aug 2012 09:43:50 +0200 Subject: more $INPUT use FS#2577 --- lib/exe/ajax.php | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'lib/exe/ajax.php') diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index 945091f34..496b2f1a1 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -162,7 +162,8 @@ function ajax_lock(){ * @author Andreas Gohr */ function ajax_draftdel(){ - $id = cleanID($_REQUEST['id']); + global $INPUT; + $id = cleanID($INPUT->str('id')); if(empty($id)) return; $client = $_SERVER['REMOTE_USER']; 
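Review bot: `cleanID($_POST['ns'])` still indexes the key without an existence check, so a request that omits `ns` raises an undefined-index notice before cleanID runs; `$NS = cleanID(isset($_POST['ns']) ? $_POST['ns'] : '');` avoids that. Normalising the namespace on input narrows the injection the subject line names, but cleanID is an identifier normaliser rather than an HTML escaper, so the rendering side should still pass `$NS` through hsc() where it is echoed — tpl_mediaFileList is not visible here, so confirm it does. The `$_POST['do'] == 'media'` comparison on the next context line is loose; `===` is the exact test. ajax_medialist opens before the hunk and closes after it.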
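Review bot: `$INPUT->str('id')` appears to keep the `$_REQUEST` semantics of accepting the id from either GET or POST, whereas the draft write in ajax_lock is bound to POST; for a deleting action, `$id = cleanID($INPUT->post->str('id'));` would be the consistent choice, unless the JS client sends the id in the query string — check the caller before narrowing. The client identity on the following context line, `$_SERVER['REMOTE_USER']`, is read without isset() and emits a notice for anonymous users. ajax_draftdel continues past the hunk.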
@@ -218,11 +219,11 @@ function ajax_medialist(){ * @author Kate Arzamastseva */ function ajax_mediadetails(){ - global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf; + global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf, $INPUT; $fullscreen = true; require_once(DOKU_INC.'lib/exe/mediamanager.php'); - if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']); + if ($INPUT->has('image')) $image = cleanID($INPUT->str('image')); if (isset($IMG)) $image = $IMG; if (isset($JUMPTO)) $image = $JUMPTO; if (isset($REV) && !$JUMPTO) $rev = $REV; @@ -237,25 +238,26 @@ function ajax_mediadetails(){ */ function ajax_mediadiff(){ global $NS; + global $INPUT; - if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']); + if ($INPUT->has('image')) $image = cleanID($INPUT->str('image')); $NS = $_POST['ns']; - $auth = auth_quickaclcheck("$ns:*"); + $auth = auth_quickaclcheck("$NS:*"); media_diff($image, $NS, $auth, true); } function ajax_mediaupload(){ - global $NS, $MSG; + global $NS, $MSG, $INPUT; if ($_FILES['qqfile']['tmp_name']) { - $id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']); - } elseif (isset($_GET['qqfile'])) { - $id = $_GET['qqfile']; + $id = $INPUT->post->str('mediaid', $_FILES['qqfile']['name']); + } elseif ($INPUT->get->has('qqfile')) { + $id = $INPUT->get->str('qqfile'); } $id = cleanID($id); - $NS = $_REQUEST['ns']; + $NS = $INPUT->str('ns'); $ns = $NS.':'.getNS($id); $AUTH = auth_quickaclcheck("$ns:*"); @@ -264,7 +266,7 @@ function ajax_mediaupload(){ if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']); if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']); - if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH); + if ($INPUT->get->has('qqfile')) $res = media_upload_xhr($NS, $AUTH); if ($res) $result = array('success' => true, 'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'), -- cgit v1.2.3 
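Review bot: `$INPUT->has('image')` tests presence while the replaced `$_REQUEST['image']` tested truthiness, so a request carrying `image=` now sets `$image` to the result of `cleanID('')`, an empty string, where it previously stayed unset; if later code relies on isset($image), guard with `if ($INPUT->str('image') !== '') $image = cleanID($INPUT->str('image'));` instead. `$image` is also left undefined when none of the image, `$IMG` or `$JUMPTO` sources is present, so an explicit `$image = null;` ahead of the chain would make the fall-through state deliberate. ajax_mediadetails continues after the hunk.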
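Review bot: `$NS = $_POST['ns'];` is still passed raw into `auth_quickaclcheck("$NS:*")` and `media_diff()`, while the sibling functions in this file run the namespace through cleanID(); the `$ns`→`$NS` correction fixes the undefined variable in the ACL check, but the value should also be normalised, `$NS = cleanID($_POST['ns']);`. The same gap exists in ajax_mediaupload's `$NS = $INPUT->str('ns');` in the next hunk and survives commit 356d9c9, which rewrites this line as `$NS = $INPUT->post->str('ns');` without cleanID. `$image` is undefined when no image parameter arrives, yet it is handed to media_diff() unconditionally.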
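Review bot: `$INPUT->post->str('mediaid', $_FILES['qqfile']['name'])` falls back to the upload's file name only when `mediaid` is absent, whereas the replaced `empty($_POST['mediaid'])` test also fell back on an empty string; passing the wrapper's nonempty flag, `$INPUT->post->str('mediaid', $_FILES['qqfile']['name'], true)`, keeps that behaviour. `$id` stays undefined when neither branch matches, so `cleanID($id)` then runs on nothing; an `$id = '';` before the if makes that path explicit. ajax_mediaupload continues outside the hunk.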
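Review bot: `$res` is read by `if ($res)` on the next context line but only assigned inside the two conditionals, so a request that takes neither the `$_FILES` path nor the `qqfile` XHR path evaluates an undefined variable; initialise `$res = false;` ahead of the checks, unless a line outside the hunk already does. ajax_mediaupload begins and ends outside this hunk.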
From 356d9c9ea239fe5fe0ac5ecc2c294e768f672059 Mon Sep 17 00:00:00 2001 From: Hakan Sandell Date: Sat, 8 Sep 2012 15:02:28 +0200 Subject: Replacing $_REQUEST variables with $INPUT wrapper, init.php --- lib/exe/ajax.php | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) (limited to 'lib/exe/ajax.php') diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index 496b2f1a1..9989269cf 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -14,10 +14,10 @@ session_write_close(); header('Content-Type: text/html; charset=utf-8'); //call the requested function -if(isset($_POST['call'])){ - $call = $_POST['call']; -}else if(isset($_GET['call'])){ - $call = $_GET['call']; +if($INPUT->post->has('call')){ + $call = $INPUT->post->str('call'); +}else if($INPUT->get->has('call')){ + $call = $INPUT->get->str('call'); }else{ exit; } @@ -43,9 +43,10 @@ if(function_exists($callfn)){ function ajax_qsearch(){ global $conf; global $lang; + global $INPUT; - $query = $_POST['q']; - if(empty($query)) $query = $_GET['q']; + $query = $INPUT->post->str('q'); + if(empty($query)) $query = $INPUT->get->str('q'); if(empty($query)) return; $query = urldecode($query); @@ -81,9 +82,10 @@ function ajax_qsearch(){ function ajax_suggestions() { global $conf; global $lang; + global $INPUT; - $query = cleanID($_POST['q']); - if(empty($query)) $query = cleanID($_GET['q']); + $query = cleanID($INPUT->post->str('q')); + if(empty($query)) $query = cleanID($INPUT->get->str('q')); if(empty($query)) return; $data = array(); @@ -121,8 +123,9 @@ function ajax_lock(){ global $lang; global $ID; global $INFO; + global $INPUT; - $ID = cleanID($_POST['id']); + $ID = cleanID($INPUT->post->str('id')); if(empty($ID)) return; $INFO = pageinfo(); 
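Review bot: `$call` is taken verbatim from the `call` parameter and, per the `$callfn` dispatch visible in a later hunk header (`if(function_exists($callfn))`), becomes part of a function name; switching to `$INPUT->post->str('call')` does not constrain its characters, so the only filter on what gets dispatched is function_exists(). Restricting the value to identifier characters before the lookup, `if(!preg_match('/^[a-z0-9_]+$/i', $call)) exit;`, keeps the dispatch bounded to names written as endpoints and rejects malformed input early. The assignment to `$callfn` lies outside this hunk.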
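Review bot: `if(empty($query)) $query = $INPUT->get->str('q');` treats the string `'0'` as missing, so a search for `0` falls through to GET and then returns silently; the same `empty()` fallback appears in ajax_suggestions' hunk, and ajax_lock's draft branch tests `$INPUT->post->str('wikitext')` for truthiness with the same effect on a page body of `0`. A presence check such as `if($query === '') $query = $INPUT->get->str('q');` keeps `'0'` as a real value. If the wrapper's merged accessor applies the same POST-over-GET precedence, `$INPUT->str('q')` alone would replace the two lines — verify before collapsing them. The `urldecode($query)` on the following context line decodes an already-decoded value, a pre-existing behaviour the commit preserves.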
@@ -137,15 +140,15 @@ function ajax_lock(){ echo 1; } - if($conf['usedraft'] && $_POST['wikitext']){ + if($conf['usedraft'] && $INPUT->post->str('wikitext')){ $client = $_SERVER['REMOTE_USER']; if(!$client) $client = clientIP(true); $draft = array('id' => $ID, - 'prefix' => substr($_POST['prefix'], 0, -1), - 'text' => $_POST['wikitext'], - 'suffix' => $_POST['suffix'], - 'date' => (int) $_POST['date'], + 'prefix' => substr($INPUT->post->str('prefix'), 0, -1), + 'text' => $INPUT->post->str('wikitext'), + 'suffix' => $INPUT->post->str('suffix'), + 'date' => $INPUT->post->int('date'), 'client' => $client, ); $cname = getCacheName($draft['client'].$ID,'.draft'); @@ -180,9 +183,10 @@ function ajax_draftdel(){ */ function ajax_medians(){ global $conf; + global $INPUT; // wanted namespace - $ns = cleanID($_POST['ns']); + $ns = cleanID($INPUT->post->str('ns')); $dir = utf8_encodeFN(str_replace(':','/',$ns)); $lvl = count(explode(':',$ns)); @@ -203,9 +207,10 @@ function ajax_medians(){ function ajax_medialist(){ global $conf; global $NS; + global $INPUT; - $NS = cleanID($_POST['ns']); - if ($_POST['do'] == 'media') { + $NS = cleanID($INPUT->post->str('ns')); + if ($INPUT->post->str('do') == 'media') { tpl_mediaFileList(); } else { tpl_mediaContent(true); @@ -241,7 +246,7 @@ function ajax_mediadiff(){ global $INPUT; if ($INPUT->has('image')) $image = cleanID($INPUT->str('image')); - $NS = $_POST['ns']; + $NS = $INPUT->post->str('ns'); $auth = auth_quickaclcheck("$NS:*"); media_diff($image, $NS, $auth, true); } @@ -310,9 +315,10 @@ function dir_delete($path) { */ function ajax_index(){ global $conf; + global $INPUT; // wanted namespace - $ns = cleanID($_POST['idx']); + $ns = cleanID($INPUT->post->str('idx')); $dir = utf8_encodeFN(str_replace(':','/',$ns)); $lvl = count(explode(':',$ns)); 
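Review bot: `$INPUT->post->str('do') == 'media'` compares with the loose `==`; since `str()` presumably already yields a string, `=== 'media'` is the exact test and sidesteps PHP's numeric-string coercion rules. ajax_medialist's opening and closing braces are both outside the hunk.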
@@ -333,8 +339,9 @@ function ajax_index(){ function ajax_linkwiz(){ global $conf; global $lang; + global $INPUT; - $q = ltrim(trim($_POST['q']),':'); + $q = ltrim(trim($INPUT->post->str('q')),':'); $id = noNS($q); $ns = getNS($q); -- cgit v1.2.3