Commit 5b7f89cc authored by Patrick Schmalstig's avatar Patrick Schmalstig

Fixed MANTIS-5696 (Improper filtering of either_param_string)

parent b0544daa
+9 −2
@@ -1967,7 +1967,7 @@ function get_complex_base_url(string $at) : string
 * @param  integer $filters A bitmask of INPUT_FILTER_* filters
 * @return ?string The parameter value (null: missing)
 */
function either_param_string(string $name, $default = false, int $filters = INPUT_FILTER_DEFAULT_GET) : ?string
function either_param_string(string $name, $default = false, int $filters = INPUT_FILTER_DEFAULT_POST) : ?string
{
    $ret = __param(array_merge($_POST, $_GET), $name, $default);
    if ($ret === null) {
@@ -1986,8 +1986,15 @@ function either_param_string(string $name, $default = false, int $filters = INPU
        $ret = cms_urldecode_post_process($ret);
    }

    // GET is prioritised over POST, so change our filters accordingly
    $is_get = isset($_GET[$name]);
    if ($is_get) {
        $filters &= ~INPUT_FILTER_DEFAULT_POST;
        $filters &= INPUT_FILTER_DEFAULT_GET;
    }

    require_code('input_filter');
    check_input_field_string($name, $ret, true, $filters);
    check_input_field_string($name, $ret, !$is_get, $filters);

    return $ret;
}
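Review bot: The two `&=` statements inside `if ($is_get)` can only clear bits, so a caller relying on the default `$filters` reaches `check_input_field_string` with a mask of 0 whenever the parameter is present in `$_GET`. This assumes the second printed signature, defaulting to `INPUT_FILTER_DEFAULT_POST`, is the new one. `$filters & ~INPUT_FILTER_DEFAULT_POST` is already empty for that default, and the following `&= INPUT_FILTER_DEFAULT_GET` cannot set anything back, so a GET-supplied value would be checked with fewer filters than either default set. If the intent is to swap the POST defaults for the GET defaults while keeping any caller-specific bits, the branch should read `$filters = ($filters & ~INPUT_FILTER_DEFAULT_POST) | INPUT_FILTER_DEFAULT_GET;`. The middle of the function lies between the two hunks and is not visible here, and the docblock's `$filters` line should also say that the mask is rewritten when GET takes priority.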