authorDan McGee <dan@archlinux.org>2011-03-01 19:31:35 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-01 20:27:49 +0100
commit90485e8f422cec6d23af38574a53705fa7de008b (patch)
tree9df70fc784fd2ff604a58bbbace7ca9dfd7ea938
parenta10ce40cbe410836a6bffc6026be3c9544636f3e (diff)
Fix potential injection vulnerability
We trusted the values we pulled out of the IDs array and never coerced them to integers, passing them to the backend unescaped and uncasted. Ensure they are treated as integers only and validate the resulting value is > 0. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/packages.php9
1 files changed, 7 insertions, 2 deletions
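diff --git a/web/html/packages.php b/web/html/packages.php
index 741ffb17..f84a6c32 100644
--- a/web/html/packages.php
+++ b/web/html/packages.php
@@ -9,7 +9,9 @@ check_sid(); # see if they're still logged in
 # Set the title to the current query if required
 if (isset($_GET['ID'])) {
- if ($pkgname = pkgname_from_id($_GET['ID'])) { $title = $pkgname; }
+ if ($pkgname = pkgname_from_id($_GET['ID'])) {
+ $title = $pkgname;
+ }
 } else if (!empty($_GET['K'])) {
 $title = __("Search Criteria") . ": " . $_GET['K'];
 } else {
@@ -27,7 +29,10 @@ if (isset($_COOKIE["AURSID"])) {
 $ids = array();
 if (isset($_POST['IDs'])) {
 foreach ($_POST['IDs'] as $id => $i) {
- $ids[] = $id;
+ $id = intval($id);
+ if ($id > 0) {
+ $ids[] = $id;
+ }
 }
 }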
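Review bot: The coercion added in the second hunk is not applied to the sibling input in the first hunk: `pkgname_from_id($_GET['ID'])` still receives the raw query value, and whether that helper casts or escapes its argument is not visible in this diff, so `$pkgid = intval($_GET['ID']); if ($pkgid > 0 && ($pkgname = pkgname_from_id($pkgid))) {` would treat both ID paths the same way. In the second hunk `$_POST['IDs']` is guarded only by isset(), so a scalar value reaches the `foreach` and raises a warning while `$ids` stays empty; `if (isset($_POST['IDs']) && is_array($_POST['IDs'])) {` confines the loop to arrays. Note also that intval() accepts numeric-prefixed strings such as `5abc` as 5, which is safe for the backend but means a malformed key is silently accepted rather than rejected; a `ctype_digit((string) $id)` check before the cast rejects such keys if that strictness is wanted. Both enclosing blocks are fully contained in their hunks.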