Update of /cvsroot/fink/web/pdb In directory sc8-pr-cvs5.sourceforge.net:/tmp/cvs-serv7194
Modified Files: Tag: redesign_pdb browse.php header.inc package.php Log Message: Use new get_safe_param method from header.inc to get url parameters safely
Index: package.php
===================================================================
RCS file: /cvsroot/fink/web/pdb/package.php,v
retrieving revision 1.43.2.13
retrieving revision 1.43.2.14
diff -u -d -r1.43.2.13 -r1.43.2.14
--- package.php 1 Feb 2007 19:28:45 -0000 1.43.2.13
+++ package.php 4 Feb 2007 00:09:35 -0000 1.43.2.14
@@ -18,28 +18,10 @@
 <?
 } else { /* if (no package) */
-// Read the version and release field. We use basic HTML encoding for now, and
-// cut off very long values, to make unforseen SQL injection hacks more difficult.
-//
-// TODO:
-// This code should be streamlined in a global method (e.g. in header.inc) and
-// also be used in browse.php etc.
-$version = $_GET['version'];
-if (strlen($version) > 35 || !preg_match("/^[0-9\-.:]+$/", $version)) {
- $version = '';
-} else {
- $version = htmlspecialchars($version);
- if (strlen($version) > 35 || !preg_match("/^[0-9\-.:]+$/", $version))
- $version = '';
-}
-$release = $_GET['release'];
-if (strlen($release) > 35 || !preg_match("/^[a-z0-9\-.]+$/", $release)) {
- $release = '';
-} else {
- $release = htmlspecialchars($release);
- if (strlen($release) > 35 || !preg_match("/^[a-z0-9\-.]+$/", $release))
- $release = '';
-}
+
+// Get url parameters
+$version = get_safe_param('version', '/^[0-9\-.:]+$/');
+$release = get_safe_param('release', '/^[a-z0-9\-.]+$/');
 // Get package data to display (use for version-nonspecific pkg metadata)
 $qtodisplay = "SELECT * FROM package WHERE name='$package' ";
Index: header.inc
===================================================================
RCS file: /cvsroot/fink/web/pdb/header.inc,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -d -r1.10 -r1.10.2.1
--- header.inc 28 Jun 2006 16:40:00 -0000 1.10
+++ header.inc 4 Feb 2007 00:09:35 -0000 1.10.2.1
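Review bot: The `$` anchor in the two patterns passed on the new lines (`'/^[0-9\-.:]+$/'` and `'/^[a-z0-9\-.]+$/'`) still matches before a trailing newline, so a value that ends in a newline passes the allow-list with the newline intact, and `htmlspecialchars()` does not strip it either; end the patterns with `\z` or add the `D` modifier, e.g. `'/^[0-9\-.:]+$/D'`. The same applies to both patterns in the browse.php hunk. The query on the last context line interpolates `$package`, which is not produced by `get_safe_param()` here and whose validation lies outside the hunk.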
@@ -58,4 +58,21 @@
 include $fsroot."db.inc.php";
 $dbh = mysql_pconnect($db_host, $db_user, $db_passwd);
 mysql_select_db($db_name, $dbh);
+
+
// Read url parameters. We use basic HTML encoding for now, and
// cut off very long values, to make unforseen SQL injection hacks more difficult.
function get_safe_param($param_name, $valid_regexp='.*', $max_length=35) {
+ $param_name = $_GET[$param_name];
+ if (strlen($param_name) > $max_length || !preg_match($valid_regexp, $param_name)) {
+ $param_name = '';
+ } else {
+ $param_name = htmlspecialchars($param_name);
+ if (strlen($param_name) > $max_length || !preg_match($valid_regexp, $param_name))
+ $param_name = '';
+ }
+ return $param_name;
+}
+
+
 ?>
Index: browse.php
===================================================================
RCS file: /cvsroot/fink/web/pdb/browse.php,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -d -r1.1.2.1 -r1.1.2.2
--- browse.php 27 Jan 2007 04:03:23 -0000 1.1.2.1
+++ browse.php 4 Feb 2007 00:09:35 -0000 1.1.2.2
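Review bot: `$_GET[$param_name]` on the first body line of `get_safe_param()` is read without an `isset()` check, so a missing parameter raises an undefined-index notice, and a non-string value (an array-style query key) would reach `strlen()`/`preg_match()`; both cases should return `''` early. The default `$valid_regexp='.*'` is not a delimited PCRE pattern — `preg_match()` warns about the missing ending delimiter and returns false, so any caller that relies on the default gets `''` back for every value; a delimited match-anything default such as `'/^/'` keeps the intended behaviour, though callers should pass an explicit allow-list as the other two hunks do. Reusing `$param_name` for the value is also confusing; a separate `$value` reads better. The comment above the function should say that the allow-list regexp is what protects the SQL queries built from these values, while `htmlspecialchars()` only covers HTML output, so a value interpolated into a query still needs `mysql_real_escape_string()` at the query.
```php
// Read url parameters. The allow-list regexp is what keeps a value safe for the
// SQL queries built from it; htmlspecialchars() only covers HTML output, so a
// value interpolated into a query still needs mysql_real_escape_string() there.
function get_safe_param($param_name, $valid_regexp='/^/', $max_length=35) {
	// Missing or non-scalar (array-style) parameter: treat as absent
	if (!isset($_GET[$param_name]) || !is_string($_GET[$param_name])) {
		return '';
	}
	$value = $_GET[$param_name];
	if (strlen($value) > $max_length || !preg_match($valid_regexp, $value)) {
		return '';
	}
	$value = htmlspecialchars($value);
	// Re-check after encoding: it can lengthen the value or add characters the regexp rejects
	if (strlen($value) > $max_length || !preg_match($valid_regexp, $value)) {
		return '';
	}
	return $value;
}
```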
@@ -74,27 +74,9 @@
 }
 }
-// Read the maintainer field. We use basic HTML encoding for now, and cut off
-// very long values, to make unforseen SQL injection hacks more difficult.
-$maintainer = $_GET['maintainer'];
-if (strlen($maintainer) > 15 || !preg_match("/[EMAIL PROTECTED] ]+$/", $maintainer)) {
- $maintainer = "";
-} else {
- $maintainer = htmlspecialchars($maintainer);
- if (strlen($maintainer) > 15 || !preg_match("/^[a-zA-Z0-9@ ]+$/", $maintainer))
- $maintainer = "";
-}
-
-// Read the name field. We use basic HTML encoding for now, and cut off
-// very long values, to make unforseen SQL injection hacks more difficult.
-$name = $_GET['name'];
-if (strlen($name) > 15 || !preg_match("/[EMAIL PROTECTED] ]+$/", $name)) {
- $name = "";
-} else {
- $name = htmlspecialchars($name);
- if (strlen($name) > 15 || !preg_match("/^[a-zA-Z0-9@ ]+$/", $name))
- $name = "";
-}
+// Read url parameters
+$maintainer = get_safe_param('maintainer', '/[EMAIL PROTECTED] ]+$/');
+$name = get_safe_param('name', '/^[a-z0-9+\-.]+$/');
 // Extract the distribution
 // TODO
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________ Fink-commits mailing list Fink-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fink-commits
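Review bot: The new `get_safe_param('maintainer', ...)` and `get_safe_param('name', ...)` calls leave `$max_length` at its default of 35, whereas the removed checks capped both values at 15, so the accepted length more than doubles without the log message saying so; pass the bound explicitly if the old limit was deliberate, e.g. `$maintainer = get_safe_param('maintainer', '/^[a-zA-Z0-9@ ]+$/', 15);`. The maintainer pattern literal appears here as `'/[EMAIL PROTECTED] ]+$/'`, which looks like mailing-list address munging of `/^[a-zA-Z0-9@ ]+$/` (the removed second check shows that form); it is worth confirming that the committed file carries the `^`-anchored pattern, because an unanchored `[...]+$` only constrains the tail of the value and would let arbitrary leading characters through to the query. The name pattern also changes from the old alphanumeric/`@`/space set to `/^[a-z0-9+\-.]+$/`, which may be intended for fink package names but is likewise not mentioned in the log.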