Changeset 4495

Timestamp:

Dec 15, 2009, 1:33:57 AM (14 years ago)

Author:

plg

Message:

bug 1329 fixed: add a check_input_parameter function to prevent hacking
attempts.

Location:

branches/2.0

Files:

• admin/cat_list.php (modified) (1 diff)
• admin/element_set.php (modified) (1 diff)
• admin/element_set_global.php (modified) (1 diff)
• admin/picture_modify.php (modified) (1 diff)
• include/constants.php (modified) (1 diff)
• include/functions.inc.php (modified) (1 diff)

branches/2.0/admin/cat_list.php

@@ -65 +65 @@
 // +-----------------------------------------------------------------------+
 
+check_input_parameter('parent_id', @$_GET['parent_id'], false, PATTERN_ID);
+
 $categories = array();
 

branches/2.0/admin/element_set.php

@@ -40 +40 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('selection', @$_POST['selection'], true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          caddie management                            |

branches/2.0/admin/element_set_global.php

@@ -43 +43 @@
 // |                         deletion form submission                      |
 // +-----------------------------------------------------------------------+
+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('add_tags', @$_POST['add_tags'], true, PATTERN_ID);
+check_input_parameter('del_tags', @$_POST['del_tags'], true, PATTERN_ID);
+check_input_parameter('associate', @$_POST['associate'], false, PATTERN_ID);
+check_input_parameter('dissociate', @$_POST['dissociate'], false, PATTERN_ID);
 
 if (isset($_POST['delete']))

branches/2.0/admin/picture_modify.php

@@ -34 +34 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('image_id', $_GET['image_id'], false, PATTERN_ID);
+check_input_parameter('cat_id', @$_GET['cat_id'], false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          synchronize metadata                         |

branches/2.0/include/constants.php

@@ -38 +38 @@
 define('ACCESS_WEBMASTER', 4);
 define('ACCESS_CLOSED', 5);
+
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
 
 // Table names

branches/2.0/include/functions.inc.php

@@ -1493 +1493 @@
     );
 }
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param mixed param_value
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_value, $is_array, $pattern)
+{
+  // it's ok if the input parameter is null
+  if (empty($param_value))
+  {
+    return true;
+  }
+  
+  if ($is_array)
+  {
+    if (!is_array($param_value))
+    {
+      die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+    }
+
+    foreach ($param_value as $item_to_check)
+    {
+      if (!preg_match($pattern, $item_to_check))
+      {
+        die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+      }
+    }
+  }
+  else
+  {
+    if (!preg_match($pattern, $param_value))
+    {
+      die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+    }
+  }
+}
 ?>