From 90485e8f422cec6d23af38574a53705fa7de008b Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Tue, 1 Mar 2011 12:31:35 -0600
Subject: Fix potential injection vulnerability

We trusted the values we pulled out of the IDs array and never coerced
them to integers, passing them to the backend unescaped and uncasted.
Ensure they are treated as integers only and validate the resulting
value is > 0.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/html/packages.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/html/packages.php b/web/html/packages.php
index 741ffb17..f84a6c32 100644
--- a/web/html/packages.php
+++ b/web/html/packages.php
@@ -9,7 +9,9 @@ check_sid();                  # see if they're still logged in
 
 # Set the title to the current query if required
 if (isset($_GET['ID'])) {
-	if ($pkgname = pkgname_from_id($_GET['ID'])) { $title = $pkgname; }
+	if ($pkgname = pkgname_from_id($_GET['ID'])) {
+		$title = $pkgname;
+	}
 } else if (!empty($_GET['K'])) {
 	$title = __("Search Criteria") . ": " . $_GET['K'];
 } else {
@@ -27,7 +29,10 @@ if (isset($_COOKIE["AURSID"])) {
 $ids = array();
 if (isset($_POST['IDs'])) {
 	foreach ($_POST['IDs'] as $id => $i) {
-		$ids[] = $id;
+		$id = intval($id);
+		if ($id > 0) {
+			$ids[] = $id;
+		}
 	}
 }
 
-- 
cgit v1.2.3-24-g4f1b