Changeset 2762

Timestamp:

10/16/08 21:34:46 (5 years ago)

Author:

plg

Message:

merge -c2755 from branch 2.0 to branch 1.7

- fix vulnerability  http://www.milw0rm.com/exploits/6755

Location:

branches/branch-1_7

Files:

• comments.php (modified) (2 diffs)
• plugins/event_tracer/event_list.php (modified) (3 diffs)

branches/branch-1_7/comments.php

@@ -70 +70 @@
 $page['sort_by'] = 'date';
 // if the form was submitted, it overloads default behaviour
-if (isset($_GET['sort_by']))
+if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
 {
   $page['sort_by'] = $_GET['sort_by'];
@@ -79 +79 @@
 $page['sort_order'] = $sort_order['descending'];
 // if the form was submitted, it overloads default behaviour
-if (isset($_GET['sort_order']))
+if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
 {
   $page['sort_order'] = $sort_order[$_GET['sort_order']];

branches/branch-1_7/plugins/event_tracer/event_list.php

@@ -17 +17 @@
           {
             $files = array_merge($files, get_php_files($path.'/'.$node, $to_ignore));
-            
+
           }
           if ( is_file($path.'/'.$node) )
@@ -44 +44 @@
   $code = preg_replace( '#\/\*.*\*\/#m', '', $code);
   $code = preg_replace( '#\/\/.*#', '', $code);
-  
+
   $count = preg_match_all(
     '#[^a-zA-Z_$-]trigger_(action|event)\s*\(\s*([^,)]+)#m',
@@ -58 +58 @@
 }
 
-$sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
+$sort= isset($_GET['sort']) ? (int)$_GET['sort'] : 1;
 usort(
   $events,