#43 config-user.php not escaping values

Milestone: v0.9
Status: pending
Owner: Liran Tal
Priority: 5
Updated: 2013-08-24
Created: 2012-05-30
Creator: Zack B
Private: No

When entering special characters into the "Allowed Random Characters" text field, ' and " make the config file fail.
addslashes($str) might help.

Discussion

  • Liran Tal
    2012-06-24

    Thanks for the info.
    Instead of adding slashes I think it makes more sense to deny ' and " altogether in random chars for password.

    Diff to apply the patch:
    Index: config-user.php
    ===================================================================
    --- config-user.php (revision 2111)
    +++ config-user.php (working copy)
    @@ -34,8 +34,11 @@

     if (isset($_REQUEST['submit'])) {
    
    • if (isset($_REQUEST['config_user_allowedrandomchars']))
    • $configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = $_REQUEST['config_user_allowedrandomchars'];
    • if (isset($_REQUEST['config_user_allowedrandomchars'])) {
    • $config_user_allowedrandomchars = str_replace('\'', '', $_REQUEST['config_user_allowedrandomchars']);
    • $config_user_allowedrandomchars = str_replace('"', '', $config_user_allowedrandomchars);
    • $configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = $config_user_allowedrandomchars;
    • }

      // this should probably move to some other page at some point
      if (isset($_REQUEST['config_db_pass_encrypt']))
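    Review bot: the two new str_replace lines remove only ' and " from the submitted value; a trailing backslash is left in place and, if the value is later written between quotes into the generated config-user.php, it escapes the closing quote and the file still fails to parse. Either add the backslash to the removal, e.g. `str_replace(array('\'', '"', '\\'), '', $_REQUEST['config_user_allowedrandomchars'])`, or escape at write time with var_export(), which makes any input safe without denying characters. The removal is also silent: a user who types quotes ends up with a different setting than the one entered and gets no message, so consider reporting the rejected characters on the form.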
      

      @@ -96,7 +99,7 @@

      <li class='fieldset'>
      <label for='config_user_allowedrandomchars' class='form'><?php echo $l['all']['RandomChars'] ?></label>
      
      • ['CONFIG_USER_ALLOWEDRANDOMCHARS'] ?>">
      • ['CONFIG_USER_ALLOWEDRANDOMCHARS']) ?>">
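      Review bot: this hunk is cut off, so the function that now wraps ['CONFIG_USER_ALLOWEDRANDOMCHARS'] on the + line cannot be seen. Since the value is echoed into a double-quoted HTML value="..." attribute, it should be htmlspecialchars() with ENT_QUOTES, so that a quote character reaching $configValues by any other path cannot break out of the attribute. Please post the complete line so the change can be verified.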
     


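The following is an added example, not code from the ticket or from daloRADIUS, to show why the reported quotes break a generated PHP config file and how the two proposed fixes compare. It assumes (as the ticket implies but does not show) that config-user.php is produced by writing the submitted value between quotes into PHP source; the input string is constructed, `$allowed` stands in for `$_REQUEST['config_user_allowedrandomchars']`, and the syntax check assumes a `php` CLI on the PATH.

```php
<?php
// Added example (not daloRADIUS code): three ways of emitting the submitted
// "Allowed Random Characters" value into a generated config-user.php.
// $allowed is a constructed stand-in for $_REQUEST['config_user_allowedrandomchars'].

function render_unsafe(string $allowed): string {
    // Assumed pattern behind the ticket: the raw value is dropped between quotes.
    // A single quote in $allowed terminates the string literal early and the
    // generated file no longer parses.
    return "<?php\n\$configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = '" . $allowed . "';\n";
}

function render_stripped(string $allowed): string {
    // The approach of the applied patch, extended with the backslash: remove
    // every character that can end or escape the single-quoted literal.
    $clean = str_replace(array("'", '"', '\\'), '', $allowed);
    return "<?php\n\$configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = '" . $clean . "';\n";
}

function render_escaped(string $allowed): string {
    // Escape at write time instead: var_export() emits a valid PHP string
    // literal for any input, so no character has to be denied to the user.
    return "<?php\n\$configValues['CONFIG_USER_ALLOWEDRANDOMCHARS'] = "
        . var_export($allowed, true) . ";\n";
}

function config_parses(string $php): bool {
    // Syntax-check the generated file with `php -l` without executing it.
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, $php);
    exec('php -l ' . escapeshellarg($tmp) . ' 2>&1', $out, $rc);
    unlink($tmp);
    return $rc === 0;
}

// Constructed input containing ', " and a trailing backslash.
$input = "abc'def\"ghi\\";
foreach (array('render_unsafe', 'render_stripped', 'render_escaped') as $fn) {
    printf("%-16s parses: %s\n", $fn, config_parses($fn($input)) ? 'yes' : 'no');
}
```

Running it reports that the unescaped variant does not parse while both the stripped and the var_export() variants do; the difference is that the stripped variant silently changes the setting the user asked for, whereas var_export() preserves it exactly.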