Commit a3acb770 authored by Jim Fenton's avatar Jim Fenton

release 1.1.9.1: fix XSS function lost in rebuild of always.php

parent e2070c9b
Pipeline #100456231 passed with stages
in 4 minutes and 56 seconds
......@@ -8,6 +8,47 @@
if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
// XSS Protection
function filter_post(&$val, $index) {
if(in_array($index, ["newpass1", "newpass2"])) return;
switch (gettype($val)) {
case "string":
$val = htmlspecialchars($val);
break;
case "array":
array_walk_recursive($val, function(&$v) {
if (gettype($v) == "string") {
$v = htmlspecialchars($v);
}
});
break;
}
}
function clean_get() {
$temp = [];
foreach($_GET as $key => $value) {
// XSS is possible in both key and values
$k = htmlspecialchars($key);
$v = htmlspecialchars($value);
$temp[$k] = $v;
}
return $temp;
}
// Before anything else is executed we filter all the user input, a lot of code in this project
// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
if(isset($_POST)) array_walk($_POST, 'filter_post');
$_GET = clean_get();
$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
// Ensure the configuration starts out as an empty object.
$c = (object) array();
$c->script_start_time = microtime(true);
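Review bot: clean_get() does not cope with array-valued query parameters (e.g. `a[]=1`) at the `$v = htmlspecialchars($value);` line, whereas filter_post handles the array case with array_walk_recursive; on PHP 8 htmlspecialchars() on an array throws a TypeError, so such a request aborts the bootstrap before anything else runs. The smallest fix is to route GET values through the same function: `$v = $value; filter_post($v, $key);`. Two smaller points in the same hunk: `$_SERVER['HTTP_REFERER']` is not always set, so the call on it should read `htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '')` to avoid the undefined-index notice (and a null argument, deprecated since 8.1), and every htmlspecialchars() call here relies on default flags, which before PHP 8.1 do not escape single quotes — passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly makes the escaping independent of the PHP version. The `str_replace("&", "&", ...)` on REQUEST_URI is a no-op as rendered; presumably the first argument was `&amp;` and was unescaped by the page, which is worth confirming in the source. The same notes apply to the repeated rendering of this hunk further down the page.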
......@@ -246,7 +287,7 @@ if ( function_exists('awl_set_locale') ) {
*/
$c->code_version = 0;
$c->want_awl_version = '0.60';
$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
$c->version_string = '1.1.9.1'; // The actual version # is replaced into that during the build /release process
if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
$c->code_major = $matches[1];
$c->code_minor = $matches[2];
......
......@@ -8,6 +8,47 @@
if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
// XSS Protection
function filter_post(&$val, $index) {
if(in_array($index, ["newpass1", "newpass2"])) return;
switch (gettype($val)) {
case "string":
$val = htmlspecialchars($val);
break;
case "array":
array_walk_recursive($val, function(&$v) {
if (gettype($v) == "string") {
$v = htmlspecialchars($v);
}
});
break;
}
}
function clean_get() {
$temp = [];
foreach($_GET as $key => $value) {
// XSS is possible in both key and values
$k = htmlspecialchars($key);
$v = htmlspecialchars($value);
$temp[$k] = $v;
}
return $temp;
}
// Before anything else is executed we filter all the user input, a lot of code in this project
// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
if(isset($_POST)) array_walk($_POST, 'filter_post');
$_GET = clean_get();
$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
// Ensure the configuration starts out as an empty object.
$c = (object) array();
$c->script_start_time = microtime(true);
......