From: <var...@us...> - 2009-10-06 17:20:01
Revision: 7194
http://phpwiki.svn.sourceforge.net/phpwiki/?rev=7194&view=rev
Author: vargenau
Date: 2009-10-06 17:19:52 +0000 (Tue, 06 Oct 2009)
Log Message:
-----------
Test 'limit' argument is numeric to avoid SQL injection
Modified Paths:
--------------
trunk/lib/plugin/AllPages.php
trunk/lib/plugin/AllUsers.php
trunk/lib/plugin/BackLinks.php
trunk/lib/plugin/FullTextSearch.php
trunk/lib/plugin/LikePages.php
trunk/lib/plugin/LinkDatabase.php
trunk/lib/plugin/LinkSearch.php
trunk/lib/plugin/ListPages.php
trunk/lib/plugin/ListRelations.php
trunk/lib/plugin/ListSubpages.php
trunk/lib/plugin/MostPopular.php
trunk/lib/plugin/RandomPage.php
trunk/lib/plugin/RecentReferrers.php
trunk/lib/plugin/SemanticSearch.php
trunk/lib/plugin/SemanticSearchAdvanced.php
trunk/lib/plugin/TitleSearch.php
trunk/lib/plugin/UnfoldSubpages.php
trunk/lib/plugin/WantedPages.php
trunk/lib/plugin/WikiAdminSelect.php
Modified: trunk/lib/plugin/AllPages.php
===================================================================
--- trunk/lib/plugin/AllPages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/AllPages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -65,6 +65,11 @@
 // 2004-07-08 22:05:35 rurban: turned off &$request to prevent from strange bug below
 function run($dbi, $argstr, $request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 $pages = false;
 // Todo: extend given _GET args
 if (defined('DEBUG') && DEBUG && $args['debug']) {
Modified: trunk/lib/plugin/AllUsers.php
===================================================================
--- trunk/lib/plugin/AllUsers.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/AllUsers.php 2009-10-06 17:19:52 UTC (rev 7194)
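Review bot: `is_numeric()` is a looser gate than a SQL LIMIT operand needs — it accepts leading whitespace, a sign, decimals and exponent forms such as `1e3`, and on PHP 5 hexadecimal strings such as `0x1A` — so a value can pass the new check in the AllPages hunk and still reach the query unchanged (the UnfoldSubpages hunk shows `$limit` handed straight to `$dbi->titleSearch(...)`). A check that also fixes the type would be `$args['limit'] = (int) $args['limit'];` after the test, or rejecting anything for which `!ctype_digit((string) $args['limit'])`; if the plugins also accept an `offset,count` form of limit that would need its own parsing, so confirm against the PageList code before tightening. The same three lines are repeated verbatim in the other 18 hunks (AllUsers through WikiAdminSelect); enforcing it once in the shared code path where `limit` is consumed by the DB layer would also cover plugins added later. Each `run()` body continues outside its hunk.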
@@ -66,6 +66,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 if (defined('DEBUG') && DEBUG && $debug) {
 $timer = new DebugTimer;
Modified: trunk/lib/plugin/BackLinks.php
===================================================================
--- trunk/lib/plugin/BackLinks.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/BackLinks.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -59,6 +59,11 @@
 // page=foo,bar : backlinks to both pages
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 if (empty($page) and $page != '0')
 return '';
Modified: trunk/lib/plugin/FullTextSearch.php
===================================================================
--- trunk/lib/plugin/FullTextSearch.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/FullTextSearch.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -72,6 +72,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if (empty($args['s'])) {
 return HTML();
 }
Modified: trunk/lib/plugin/LikePages.php
===================================================================
--- trunk/lib/plugin/LikePages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/LikePages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -58,6 +58,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 if (empty($page) && empty($prefix) && empty($suffix))
 return '';
Modified: trunk/lib/plugin/LinkDatabase.php
===================================================================
--- trunk/lib/plugin/LinkDatabase.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/LinkDatabase.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -75,6 +75,11 @@
 function run($dbi, $argstr, $request, $basepage) {
 global $WikiTheme;
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 $caption = _("All pages with all links in this wiki (%d total):");
 if ( !empty($args['owner']) ) {
Modified: trunk/lib/plugin/LinkSearch.php
===================================================================
--- trunk/lib/plugin/LinkSearch.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/LinkSearch.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -129,6 +129,11 @@
 function run ($dbi, $argstr, &$request, $basepage) {
 global $WikiTheme;
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if (empty($args['page']))
 $args['page'] = "*";
 $form = $this->showForm($dbi, $request, $args);
Modified: trunk/lib/plugin/ListPages.php
===================================================================
--- trunk/lib/plugin/ListPages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/ListPages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -67,6 +67,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 // If the ratings table does not exist, or on dba it will break otherwise.
 // Check if WikiTheme isa 'wikilens'
Modified: trunk/lib/plugin/ListRelations.php
===================================================================
--- trunk/lib/plugin/ListRelations.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/ListRelations.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -50,6 +50,11 @@
 }
 function run ($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 $pagelist = new PageList($info, $exclude, $args);
 // should attributes be listed as pagename here?
Modified: trunk/lib/plugin/ListSubpages.php
===================================================================
--- trunk/lib/plugin/ListSubpages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/ListSubpages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -61,6 +61,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if ($args['basepage'])
 $pagename = $args['basepage'];
 else
Modified: trunk/lib/plugin/MostPopular.php
===================================================================
--- trunk/lib/plugin/MostPopular.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/MostPopular.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -60,6 +60,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 if (strstr($sortby,'mtime')) {
 trigger_error(_("sortby=mtime not supported with MostPopular"),
Modified: trunk/lib/plugin/RandomPage.php
===================================================================
--- trunk/lib/plugin/RandomPage.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/RandomPage.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -56,6 +56,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 // fix deprecated arg
Modified: trunk/lib/plugin/RecentReferrers.php
===================================================================
--- trunk/lib/plugin/RecentReferrers.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/RecentReferrers.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -38,6 +38,11 @@
 return HTML::div(array('class' => "error"), "Error: no ACCESS_LOG");
 }
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 $table = HTML::table(array('cellpadding' => 1,
 'cellspacing' => 2,
 'border' => 0,
Modified: trunk/lib/plugin/SemanticSearch.php
===================================================================
--- trunk/lib/plugin/SemanticSearch.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/SemanticSearch.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -276,6 +276,11 @@
 $this->_supported_operators = array(':=','<','<=','>','>=','!=','==','=~');
 $this->_text_operators = array(':=','==','=~','!=');
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if (empty($args['page']))
 $args['page'] = "*";
 if (!isset($args['s'])) // it might be (integer) 0
Modified: trunk/lib/plugin/SemanticSearchAdvanced.php
===================================================================
--- trunk/lib/plugin/SemanticSearchAdvanced.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/SemanticSearchAdvanced.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -133,6 +133,11 @@
 $this->_supported_operators = array(':=','<','<=','>','>=','!=','==','=~');
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 $posted = $request->getArg('semsearch');
 $request->setArg('semsearch', false);
 if ($request->isPost() and isset($posted['help'])) {
Modified: trunk/lib/plugin/TitleSearch.php
===================================================================
--- trunk/lib/plugin/TitleSearch.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/TitleSearch.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -73,6 +73,11 @@
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if (empty($args['s'])) {
 return HTML();
 }
Modified: trunk/lib/plugin/UnfoldSubpages.php
===================================================================
--- trunk/lib/plugin/UnfoldSubpages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/UnfoldSubpages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -82,6 +82,11 @@
 if (!$included_pages)
 $included_pages = array($basepage);
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 extract($args);
 $query = new TextSearchQuery($pagename . SUBPAGE_SEPARATOR . '*', true, 'glob');
 $subpages = $dbi->titleSearch($query, $sortby, $limit, $exclude);
Modified: trunk/lib/plugin/WantedPages.php
===================================================================
--- trunk/lib/plugin/WantedPages.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/WantedPages.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -62,6 +62,11 @@
 // exclude arg allows multiple pagenames exclude=HomePage,RecentChanges
 function run($dbi, $argstr, &$request, $basepage) {
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 if (!empty($args['exclude_from']))
 $args['exclude_from'] = is_string($args['exclude_from'])
 ? explodePageList($args['exclude_from'])
Modified: trunk/lib/plugin/WikiAdminSelect.php
===================================================================
--- trunk/lib/plugin/WikiAdminSelect.php 2009-10-06 17:12:20 UTC (rev 7193)
+++ trunk/lib/plugin/WikiAdminSelect.php 2009-10-06 17:19:52 UTC (rev 7194)
@@ -120,6 +120,11 @@
 //if ($request->getArg('action') != 'browse')
 // return $this->disabled("(action != 'browse')");
 $args = $this->getArgs($argstr, $request);
+
+ if (!empty($args['limit']) && !is_numeric($args['limit'])) {
+ return $this->error(_("Illegal 'limit' argument: must be numeric"));
+ }
+
 $this->_args = $args;
 extract($args);
 $this->preSelectS($args, $request);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|