- User web: fix XSS vulnerability, web code update recommended

svn path=/trunk/boinc/; revision=13586
2007-09-13 09:46:36 +00:00 · 2007-09-13 09:46:36 +00:00 · dd97f02834
parent 3838d16750
commit dd97f02834
4 changed files with 27 additions and 16 deletions
--- a/9
+++ b/9
@ -8459,3 +8459,12 @@ David  13 Sept 2007
    client/
        app.C
        cpu_sched.C
+        
+Rytis   13 Sep 2007
+    - User web: fix XSS vulnerability, web code update recommended
+    
+    html/
+        inc/util.inc
+        user/
+            forum_text_search_action.php
+            user_search_action.php
--- a/html/inc/util.inc
+++ b/html/inc/util.inc
@ -589,7 +589,7 @@ function get_int($name, $optional=false) {
        if ($optional) {
            return null;
        } else {
-            error_page("missing or bad parameter: $name $x");
+            error_page("missing or bad parameter: $name; supplied: ".htmlspecialchars($x));
        }
    }
    return (int)$x;
@ -602,7 +602,7 @@ function post_int($name, $optional=false) {
        if ($optional) {
            return null;
        } else {
-            error_page("missing or bad parameter: $name $x");
+            error_page("missing or bad parameter: $name; supplied: ".htmlspecialchars($x));
        }
    }
    return (int)$x;
--- a/html/user/forum_text_search_action.php
+++ b/html/user/forum_text_search_action.php
@ -1,4 +1,5 @@
 <?php
+$cvs_version_tracker[]="\$Id$";  //Generated automatically - do not edit

 require_once("../inc/forum.inc");
 require_once("../inc/time.inc");
@ -34,13 +35,13 @@ if (isset($_GET['titles'])) {
    mysql_free_result($result);

    if ($offset==0 && $n==0) {
-        echo sprintf(tr(FORUM_SEARCH_TITLES_NO),$search_string);//"No titles found containing '$search_string'";
+        echo sprintf(tr(FORUM_SEARCH_TITLES_NO),htmlspecialchars($search_string));//"No titles found containing '$search_string'";
    }
    
 } else if (isset($_GET['bodies'])) {
    $what .= 'bodies=1';

-    page_head(sprintf(tr(FORUM_SEARCH_BODIES),$search_string));
+    page_head(sprintf(tr(FORUM_SEARCH_BODIES),htmlspecialchars($search_string)));
    $q  = "SELECT * FROM post ";
    $q .= "LEFT JOIN thread ON post.thread = thread.id ";
    $q .= "WHERE MATCH(post.content) AGAINST ('$search_string_clean') ";
@ -59,7 +60,7 @@ if (isset($_GET['titles'])) {
    }
    mysql_free_result($result);
    if ($offset==0 && $n==0) {
-        echo sprintf(tr(FORUM_SEARCH_BODIES_NO),$search_string);
+        echo sprintf(tr(FORUM_SEARCH_BODIES_NO),htmlspecialchars($search_string));
    }
 }

--- a/html/user/user_search_action.php
+++ b/html/user/user_search_action.php
@ -1,4 +1,5 @@
 <?php
+$cvs_version_tracker[]="\$Id$";  //Generated automatically - do not edit

 require_once("../inc/db.inc");
 require_once("../inc/util.inc");
@ -96,7 +97,7 @@ if (strlen($search_string)>=3) {
    $n=0;
    while ($user = mysql_fetch_object($result)) {
        if ($n==0) {
-            echo "<h2>User names starting with '$search_string' $nice_name</h2>\n";
+            echo "<h2>User names starting with '".htmlspecialchars($search_string)."' $nice_name</h2>\n";
            print_table_header($urls, $nextd);
        }
        show_user($user, $n+$offset+1);
@ -105,7 +106,7 @@ if (strlen($search_string)>=3) {
    echo "</table>\n";
    mysql_free_result($result);
    if (!$n) {
-        echo "<h2>No user names found starting with '$search_string'</h2>\n";
+        echo "<h2>No user names found starting with '".htmlspecialchars($search_string)."'</h2>\n";
    }
    
    echo "<br><br>\n";