Changeset: 9fe6d6ffe075 https://sourceforge.net/p/mrbs/hg-code/ci/9fe6d6ffe075762320444b7afb4947973626fc0b Author: Campbell Morrison <cimorri...@hg.code.sf.net> Date: Thu Mar 16 13:47:06 2017 +0000 Log message:
Restricted passing of username and password to POST variables as a security measure. See SF Feature Requests #351.
diffstat:
web/grab_globals.inc.php | 16 +++++++++++-----
web/session/session_cookie.inc | 10 +++++-----
web/session/session_joomla.inc | 10 +++++-----
web/session/session_php.inc | 10 +++++-----
web/session/session_wordpress.inc | 10 +++++-----
5 files changed, 31 insertions(+), 25 deletions(-)
diffs (118 lines):
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/grab_globals.inc.php
--- a/web/grab_globals.inc.php Thu Mar 16 12:00:52 2017 +0000
+++ b/web/grab_globals.inc.php Thu Mar 16 13:47:06 2017 +0000
@@ -30,9 +30,13 @@
 
 
 
-// Gets a form variable. Takes an optional third parameter which
-// is the default value if nothing is found from the form.
-function get_form_var($var, $var_type='string', $default=null)
+// Gets a form variable.
+// $var The variable name
+// $var_type The type of the variable ('int', 'string' or 'array')
+// $default The default value for the variable
+// $source If set, then restrict the search to this source. Can be
+// INPUT_GET or INPUT_POST.
+function get_form_var($var, $var_type='string', $default=null, $source=null)
 {
 // We use some functions from here
 require_once "functions.inc";
@@ -55,13 +59,15 @@
 {
 $value = $cli_params[$var];
 }
- else if (!empty($post) && isset($post[$var]))
+ else if ((!isset($source) || ($source === INPUT_POST)) &&
+ (!empty($post) && isset($post[$var])))
 {
 $value = $post[$var];
 }
 
 // Then get the GET variables
- if (!empty($get) && isset($get[$var]))
+ if ((!isset($source) || ($source === INPUT_GET)) &&
+ (!empty($get) && isset($get[$var])))
 {
 $value = $get[$var];
 }
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_cookie.inc
--- a/web/session/session_cookie.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_cookie.inc Thu Mar 16 13:47:06 2017 +0000
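Review bot: The new header comment for `$source` does not say what happens when it is left unset, although the body (second hunk of this file) checks POST in an `else if` and then lets a matching GET value overwrite `$value`, so GET wins whenever both carry the variable. I would extend the comment to `// $source If set, then restrict the search to this source. Can be INPUT_GET or INPUT_POST. If unset, both are searched and a GET value takes precedence over POST.` It would also help to state that any other value matches neither branch, so the caller appears to get `$default` back (fails closed, but silently). get_form_var's body continues outside this hunk.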
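Review bot: An unrecognised `$source` (INPUT_COOKIE, INPUT_REQUEST, or a mistyped constant) is not rejected by either of the two new conditions; it simply matches neither branch, so the variable appears to fall through to the default with no diagnostic, and a restriction introduced as a security measure can be misconfigured without anyone noticing. Since the login includes now rely on this parameter to keep credentials out of the query string, I would validate it once near the top of the function, e.g. `if (isset($source) && !in_array($source, array(INPUT_GET, INPUT_POST), true)) { trigger_error("get_form_var(): unsupported \$source", E_USER_WARNING); }`. The comparisons are strict (`===`), which is right for the integer INPUT_* constants, so a string such as `'POST'` would also silently never match and the same check would catch that. The enclosing function starts before and ends after this hunk.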
@@ -22,11 +22,11 @@
 global $auth;
 
 // Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
 
 // We need to preserve the original calling page, so that it's there when we eventually get to the
 // target_url (especially if that's edit_entry.php). If this is the first time through then $HTTP_REFERER
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_joomla.inc
--- a/web/session/session_joomla.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_joomla.inc Thu Mar 16 13:47:06 2017 +0000
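Review bot: Restricting `$target_url` and `$returl` to INPUT_POST changes more than the credential handling: with that source get_form_var never consults `$_GET` (see the grab_globals hunk), so any caller that passes these two as query-string parameters, such as a link to the login page carrying a return URL, now silently gets null. I cannot see those producers from this hunk, so please confirm every source of target_url/returl is a POST form; if some are links, read those two with the default source and keep only `NewUserName`, `NewUserPassword` (and `Action`) POST-only. The intent also deserves a comment above the block, e.g. `// Credentials are read from POST only so they never appear in URLs, referers or server logs.` Note that reading them from POST alone is not a CSRF defence for the login form, if that was part of the motivation.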
@@ -10,11 +10,11 @@
 global $auth;
 
 // Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
 
 // We need to preserve the original calling page, so that it's there when we eventually get to the
 // target_url (especially if that's edit_entry.php). If this is the first time through then $HTTP_REFERER
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_php.inc
--- a/web/session/session_php.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_php.inc Thu Mar 16 13:47:06 2017 +0000
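Review bot: Same concern as in session_cookie.inc: `$target_url` and `$returl` are now POST-only, so any link into the Joomla-backed login flow that carries them as query parameters will silently yield null rather than an error. Please confirm no such links exist before this ships; if only the credentials need protecting, leave those two reads as `get_form_var('target_url', 'string')` and `get_form_var('returl', 'string')` and restrict just `NewUserName`/`NewUserPassword`.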
@@ -19,11 +19,11 @@
 global $auth;
 
 // Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
 
 // We need to preserve the original calling page, so that it's there when we eventually get to the
 // target_url (especially if that's edit_entry.php). If this is the first time through then $HTTP_REFERER
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_wordpress.inc
--- a/web/session/session_wordpress.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_wordpress.inc Thu Mar 16 13:47:06 2017 +0000
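Review bot: `$Action` is also now POST-only; if a logout is triggered anywhere by a plain link (`?Action=...`) rather than a submitted form, it will stop working silently, because an INPUT_POST read never looks at `$_GET`. I cannot see the consumers of Action from this hunk, so please check before shipping; if a GET logout link exists, either convert it to a small POST form (also the right fix for CSRF on logout) or leave `Action` with the default source. The credential reads `NewUserName` and `NewUserPassword` should stay INPUT_POST regardless.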
@@ -5,11 +5,11 @@
 require_once MRBS_ROOT . '/session/functions_session.inc';
 
 // Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
 
 // We need to preserve the original calling page, so that it's there when we eventually get to the
 // target_url (especially if that's edit_entry.php). If this is the first time through then $HTTP_REFERER
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Mrbs-commits mailing list
Mrbs-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mrbs-commits
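Review bot: As in the other session back-ends, all five reads are now POST-only; beyond the credentials this also drops `target_url`, `returl` and `Action` values arriving via the query string, and I cannot confirm from this hunk that the WordPress flow never passes them that way. A one-line comment above the block would save the next reader a trip to grab_globals.inc.php: `// Read from POST only (INPUT_POST) so credentials never appear in a URL; GET values are ignored for these variables.`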