diff options
author | Dan McGee <dan@archlinux.org> | 2011-03-01 12:31:35 -0600 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-01 20:27:49 +0100 |
commit | 90485e8f422cec6d23af38574a53705fa7de008b (patch) | |
tree | 9df70fc784fd2ff604a58bbbace7ca9dfd7ea938 | |
parent | a10ce40cbe410836a6bffc6026be3c9544636f3e (diff) | |
download | aurweb-90485e8f422cec6d23af38574a53705fa7de008b.tar.xz |
Fix potential injection vulnerability
We trusted the values we pulled out of the IDs array and never coerced
them to integers, passing them to the backend unescaped and uncasted.
Ensure they are treated as integers only and validate the resulting
value is > 0.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/packages.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/web/html/packages.php b/web/html/packages.php index 741ffb1..f84a6c3 100644 --- a/web/html/packages.php +++ b/web/html/packages.php @@ -9,7 +9,9 @@ check_sid(); # see if they're still logged in # Set the title to the current query if required if (isset($_GET['ID'])) { - if ($pkgname = pkgname_from_id($_GET['ID'])) { $title = $pkgname; } + if ($pkgname = pkgname_from_id($_GET['ID'])) { + $title = $pkgname; + } } else if (!empty($_GET['K'])) { $title = __("Search Criteria") . ": " . $_GET['K']; } else { @@ -27,7 +29,10 @@ if (isset($_COOKIE["AURSID"])) { $ids = array(); if (isset($_POST['IDs'])) { foreach ($_POST['IDs'] as $id => $i) { - $ids[] = $id; + $id = intval($id); + if ($id > 0) { + $ids[] = $id; + } } } |