Actually, the filtering is important, because it guards against all
the escaped utf chars:
Array('%','<','>','/','\\','*',':',',','~','@','+','^','!');
Still not sure how to exploit this kind of thing, but my Essential PHP
Security book recommends filtering everything possible. And BoltWire
does that fairly consistently...
Cheers
Dan
On Thu, Sep 3, 2009 at 8:13 AM, The Editor<[email protected]> wrote:
> Nope. The problem is the filtering BoltWire does to prevent wacky
> stuff from being entered blocked your page name. If you change the
> first few lines of BOLTFinclude to the following, it should fix it.
>
> if (isset($args['page'])) $page = $args['page'];
> else $page = $args[1];
> if (BOLTfilter(BOLTutf2url($page), 'page') == '') return;
>
> There may be other places this is an issue as well. Thanks for
> spotting this. These are generally easy to fix, just hard to find!
>
> Cheers,
> Dan
>
> P.S. It may be easier to set a special line in the filtering for when
> pages are being scanned to automatically convert to url encoded. But
> then of course, everything will pass and the filtering is useless...
> On the other hand, if all page names get url encoded, perhaps we don't
> need to worry about special chars anyway. I need to check into the
> security issues again. But I suspect that third line should just read
>
> if ($page == '') return;
>
>
>
> On Thu, Sep 3, 2009 at 7:33 AM, DrunkenMonk<[email protected]> wrote:
>>
>> [(include snippets.snabblänkar)]
>> [(include snippets.login)]
>>
>> Both pages exist. Only "login" is included. I added a log line to
>> BOLTFinclude, and found that it is only invoked once, for login. I
>> believe the problem is in BOLTMfunc, but I am still testing.
>>
>> Actually, I can't be bothered with this right now. I'll rename all my
>> backbone pages to english until someone needs includes on a content
>> page.
>>
>> But still, bug.
>>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"BoltWire" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/boltwire?hl=en
-~----------~----~----~----~------~----~------~--~---
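The thread touches two orderings of "encode the page name" and "run the character blocklist" without spelling out what each one does to a non-ASCII name such as snabblänkar, or to a hostile one. The following is an added example written for this page, not BoltWire code: `blocklist_filter` is a hypothetical stand-in for BOLTfilter that simply rejects a name containing any character from the list quoted above, and `urllib.parse.quote`/`unquote` stand in for whatever BOLTutf2url and the URL layer actually do. It shows why percent-encoding before filtering rejects every non-ASCII page name when `%` is blocked, why dropping `%` from the list to let those names through turns the filter into a no-op (the "everything will pass" worry in the P.S.), and why decoding exactly once and filtering the decoded value avoids both problems.

```python
# Added example, not BoltWire code: page-name blocklist filtering versus
# URL encoding, in the two orders discussed in the thread.
import urllib.parse

# Character blocklist as quoted in the thread.
BLOCKED = ['%', '<', '>', '/', '\\', '*', ':', ',', '~', '@', '+', '^', '!']

# Same list without '%', i.e. a filter relaxed so that percent-encoded
# names are no longer rejected (hypothetical variant, for comparison).
LENIENT = [c for c in BLOCKED if c != '%']


def blocklist_filter(name: str, blocked=BLOCKED) -> str:
    """Hypothetical stand-in for a page-name filter: return '' (reject)
    if any blocked character is present, otherwise the name unchanged."""
    return '' if any(c in name for c in blocked) else name


def encode_then_filter(name: str, blocked=BLOCKED) -> str:
    """Order 1: percent-encode the name, then filter the encoded form.
    quote(safe='') encodes everything outside the unreserved set, so any
    non-ASCII name turns into %XX sequences before the filter sees it."""
    encoded = urllib.parse.quote(name, safe='')
    return blocklist_filter(encoded, blocked)


def decode_then_filter(raw: str, blocked=BLOCKED) -> str:
    """Order 2: decode the raw request value exactly once, then filter the
    real name. Decoding once means a double-encoded '%253C' becomes '%3C',
    which still carries a '%' and is rejected rather than smuggled through."""
    return blocklist_filter(urllib.parse.unquote(raw), blocked)


def compare(name_plain: str, name_raw: str, hostile_raw: str) -> dict:
    """Run one benign name (plain and as the browser sends it) and one
    hostile name through both orders; values are what each order accepts."""
    return {
        # Encode first with '%' blocked: the benign non-ASCII name is rejected
        # (the reported bug), and so is the hostile one.
        'encode_strict_benign': encode_then_filter(name_plain, BLOCKED),
        'encode_strict_hostile': encode_then_filter(
            urllib.parse.unquote(hostile_raw), BLOCKED),
        # Encode first with '%' allowed: both pass, and a later decode of the
        # accepted value restores the blocked character.
        'encode_lenient_benign': encode_then_filter(name_plain, LENIENT),
        'encode_lenient_hostile': encode_then_filter(
            urllib.parse.unquote(hostile_raw), LENIENT),
        # Decode first: benign accepted, hostile and double-encoded rejected.
        'decode_benign': decode_then_filter(name_raw, BLOCKED),
        'decode_hostile': decode_then_filter(hostile_raw, BLOCKED),
    }


if __name__ == '__main__':
    # Constructed sample inputs: the Swedish page name from the thread as
    # typed and as a browser percent-encodes it, plus a hostile name.
    for key, value in compare('snabblänkar', 'snabbl%C3%A4nkar',
                              '%3Cb%3E').items():
        print(f'{key:24s} -> {value!r}')
```

The lesson is independent of BoltWire's actual helpers: a blocklist only protects the form of the value that is eventually used, so it has to run on the decoded, canonical page name, and decoding must happen exactly once, otherwise either legitimate non-ASCII names are refused or encoded blocked characters slip past.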