Hi, attached you will find a patch which should address the sitebar security issues. Of course, just packaging the new upstream version should fix the problem, but I think I filtered all the relevant changes out. I'll try to have another look over it tomorrow and then maybe upload. Feel free to check it yourself and give some feedback :)
Cheers Steffen
diff -u sitebar-3.3.8/command.php sitebar-3.3.8/command.php
--- sitebar-3.3.8/command.php
+++ sitebar-3.3.8/command.php
@@ -94,23 +94,15 @@
{
if (!$this->um->isAuthorized($this->command,
in_array($this->command, array('Log In', 'Log Out', 'Sign Up')),
- SB_reqVal('command_gid'), SB_reqVal('nid_acl'), SB_reqVal('lid_acl')))
+ SB_reqValInt('command_gid'), SB_reqValInt('nid_acl'), SB_reqValInt('lid_acl')))
{
- // begin snippet to prevent cross-site scripting
- // per http://secunia.com/advisories/20841/ (CVE-2006-3320)
- // Debian bug #377299
- // snippet provided by Ondrej Brabic. added by Kevin Coyner
- // maintainer for the sitebar Debian package
-
$bld = 'build' . $this->shortName();
$cmd = 'command' . $this->shortName();
if (!method_exists($this,$bld) && !method_exists($this,$cmd))
{
- $this->command = 'Unknown command name. XSS attack?';
+ $this->command = 'Unknown command!';
}
- // end snippet to prevent cross-site scripting
-
$this->um->accessDenied();
return;
}
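Review bot: The method_exists() guard above keeps its behaviour, but the commit drops the only comment explaining why it exists along with the snippet markers and the CVE-2006-3320 / Debian #377299 reference. A one-line why-comment in their place keeps the history discoverable for the next maintainer: `// Reject command names with no build*/command* method (XSS hardening, CVE-2006-3320, Debian #377299).` The enclosing function starts before this hunk.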
@@ -864,6 +856,7 @@
// be otherwise lost. Needed to go back.
if ($disabled && $params['type'] == 'text')
{
+ $params['value'] = str_replace('"',"'",$params['value']);
?>
<input type="hidden" name="<?php echo SB_safeVal($params,'name') ?>" value="<?php echo $params['value']?>">
<?php
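Review bot: Replacing `"` with `'` in `$params['value']` before echoing it into a double-quoted `value="…"` attribute neither encodes `<`, `>` or `&` nor round-trips the original text, so the hidden field silently alters any value that contains a double quote. The name attribute on the same line already goes through `SB_safeVal($params,'name')`; assuming that helper HTML-escapes (as its use there suggests), the value should get the same treatment — `value="<?php echo SB_safeVal($params,'value') ?>"` — and the `str_replace` line dropped. The same pattern appears in the next hunk (the `if ($name{0} == '-')` branch), where `$params['name']` is additionally echoed without `SB_safeVal`. The enclosing function begins outside this hunk.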
@@ -872,6 +865,7 @@
if ($name{0} == '-')
{
+ $params['value'] = str_replace('"',"'",$params['value']);
?>
<input type="hidden" name="<?php echo $params['name']?>" value="<?php echo $params['value']?>">
<?php
@@ -942,7 +936,7 @@
}
elseif (isset($params['type']) && ($params['type'] == 'button') || ($params['type'] == 'addbutton'))
{
- if (!$this->um->isAuthorized($name,false,null,SB_reqVal('nid_acl'),SB_reqVal('lid_acl'))) continue;
+ if (!$this->um->isAuthorized($name,false,null,SB_reqValInt('nid_acl'),SB_reqValInt('lid_acl'))) continue;
if ($params['type'] == 'button')
{
@@ -1679,7 +1673,7 @@
function buildDeleteTree()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
if (!$node) return null;
$fields['Folder Name'] = array('name'=>'name','value'=>$node->name, 'disabled'=>null);
@@ -1692,10 +1686,10 @@
function commandDeleteTree()
{
- $this->tree->removeNode(SB_reqVal('nid_acl'), false);
+ $this->tree->removeNode(SB_reqValInt('nid_acl'), false);
if ($this->um->getParam('user','use_trash'))
{
- $this->tree->purgeNode(SB_reqVal('nid_acl'));
+ $this->tree->purgeNode(SB_reqValInt('nid_acl'));
}
SB_unsetVal('nid_acl');
$this->forwardCommand('Maintain Trees');
@@ -1849,7 +1843,8 @@
return;
}
- if (SB_reqChk('forward'))
+ // This should handle login from translator.php, we should avoid external redirect
+ if (SB_reqChk('forward') && strpos(SB_reqVal('forward'),'/') === false)
{
header('Location: '.SB_reqVal('forward'));
exit;
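Review bot: Rejecting any `/` in `forward` blocks `http://…` and `//host` targets, but `header('Location: …')` still receives the raw value, so a backslash-only variant (which several browsers normalise to `/`) or a value carrying CR/LF is not caught by this single-character deny-list. Since the comment states the only intended use is the return from translator.php, a tight shape check or allow-list is safer, e.g. `if (SB_reqChk('forward') && preg_match('/^\w+\.php$/', SB_reqVal('forward')))`, matching the `^\w+$` style used elsewhere in this patch. The enclosing function starts before this hunk.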
@@ -2696,14 +2691,14 @@
return null;
}
- if (SB_reqVal('uid') == SB_ADMIN)
+ $uid = intval(SB_reqVal('uid'));
+
+ if ($uid == SB_ADMIN)
{
$this->error('Cannot modify administrator!');
return null;
}
- $uid = SB_reqVal('uid');
-
$fields = array();
$user = $this->um->getUser($uid);
$fields['Username'] = array('name'=>'email', 'value'=>$user['username'], 'disabled' => null);
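Review bot: `$uid = intval(SB_reqVal('uid'))` does by hand what the `SB_reqValInt()` helper introduced by this patch does at every other call site; for consistency write `$uid = SB_reqValInt('uid');`. The enclosing function starts and ends outside this hunk.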
@@ -3975,7 +3970,7 @@
function buildAddFolder()
{
$fields = array();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
if (!$node) return null;
if ($this->command == 'Add Folder')
@@ -4035,7 +4030,7 @@
function commandAddFolder()
{
- $nid = $this->tree->addNode(SB_reqVal('nid_acl'),SB_reqVal('name'),
+ $nid = $this->tree->addNode(SB_reqValInt('nid_acl'),SB_reqVal('name'),
SB_reqVal('comment'), SB_reqVal('sort_mode'));
if ($this->um->pmode && !$this->hasErrors())
@@ -4052,7 +4047,7 @@
$this->skipBuild = true;
$this->reload = !$this->um->getParam('user','extern_commander');
$this->close = $this->um->getParam('user','auto_close');
- $this->um->hiddenFolders[SB_reqVal('nid_acl')] = 1;
+ $this->um->hiddenFolders[SB_reqValInt('nid_acl')] = 1;
$this->um->setParam('user','hidden_folders', implode(':',array_keys($this->um->hiddenFolders)));
$this->um->saveUserParams();
}
@@ -4063,7 +4058,7 @@
$this->reload = !$this->um->getParam('user','extern_commander');
$this->close = $this->um->getParam('user','auto_close');
- $parent = $this->tree->getNode(SB_reqVal('nid_acl'));
+ $parent = $this->tree->getNode(SB_reqValInt('nid_acl'));
$this->tree->loadNodes($parent, false, 'select', true);
@@ -4088,7 +4083,7 @@
function buildFolderProperties()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode( intval(SB_reqValInt('nid_acl', true)) );
$fields = $this->buildAddFolder();
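Review bot: `intval(SB_reqValInt('nid_acl', true))` applies intval() twice, since SB_reqValInt() already returns `intval($_REQUEST[$name])` (see the page.inc.php hunk); the outer call is redundant and differs from the sibling `commandFolderProperties()` in the next hunk. Write `$node = $this->tree->getNode(SB_reqValInt('nid_acl', true));`. buildFolderProperties() continues past this hunk.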
@@ -4115,13 +4110,13 @@
function commandFolderProperties()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl', true));
if ($node->id_parent && !$node->parentHasRight('update'))
{
return;
}
- $nid = SB_reqVal('nid_acl');
+ $nid = SB_reqValInt('nid_acl');
$columns = array
(
@@ -4146,7 +4141,7 @@
function buildCustomOrder()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl', true));
$this->tree->loadNodes($node);
$fields['-raw1-'] = "<table cellpadding='0'>";
@@ -4170,7 +4165,7 @@
function commandCustomOrder()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl', true));
$this->tree->loadNodes($node);
$order = array();
@@ -4211,7 +4206,7 @@
$fields['Delete Content Only'] = array('name'=>'content','type'=>'checkbox',
'title'=>SB_P('command::tooltip_delete_content'));
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl', true));
if ($this->_deleteContentOnly($node))
{
@@ -4224,14 +4219,14 @@
function commandDeleteFolder()
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl', true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl', true));
$deleteContentOnly = SB_reqVal('content') || $this->_deleteContentOnly($node);
- $this->tree->removeNode(SB_reqVal('nid_acl'), $deleteContentOnly);
+ $this->tree->removeNode(SB_reqValInt('nid_acl'), $deleteContentOnly);
if (!$this->um->getParam('user','use_trash') && $node->hasRight('purge'))
{
- $this->tree->purgeNode(SB_reqVal('nid_acl'));
+ $this->tree->purgeNode(SB_reqValInt('nid_acl'));
}
}
@@ -4244,7 +4239,7 @@
function commandPurgeFolder()
{
- $this->tree->purgeNode(SB_reqVal('nid_acl'));
+ $this->tree->purgeNode(SB_reqValInt('nid_acl'));
}
/******************************************************************************/
@@ -4256,7 +4251,7 @@
function commandUndelete()
{
- $this->tree->undeleteNode(SB_reqVal('nid_acl'));
+ $this->tree->undeleteNode(SB_reqValInt('nid_acl'));
}
/******************************************************************************/
@@ -4276,7 +4271,7 @@
$sourceId = SB_reqVal('sid',true);
$sourceIsNode = SB_reqVal('stype',true);
$sourceObj = null;
- $targetID = SB_reqVal('nid_acl',true);
+ $targetID = SB_reqValInt('nid_acl',true);
$targetNode = $this->tree->getNode($targetID);
$sourceNodeId = $sourceId;
@@ -4352,7 +4347,7 @@
function commandPaste()
{
- $targetID = SB_reqVal('nid_acl');
+ $targetID = SB_reqValInt('nid_acl');
$sourceId = SB_reqVal('sid',true);
$sourceIsNode = SB_reqVal('stype',true);
$move = SB_reqVal('mode',true)=='Move';
@@ -4416,10 +4411,10 @@
function buildEmailLink()
{
$fields = array();
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!$link) return null;
- $fields['--hidden1--'] = array('name'=>'lid_acl', 'value'=> SB_reqVal('lid_acl'));
+ $fields['--hidden1--'] = array('name'=>'lid_acl', 'value'=> SB_reqValInt('lid_acl'));
if ($this->um->canUseMail())
{
@@ -4448,7 +4443,7 @@
return;
}
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!$link) return null;
$subject = SB_T('SiteBar: Web site') . ' ' . $link->name;
@@ -4535,7 +4530,7 @@
if (SB_reqChk('nid_acl') && SB_reqVal('bookmarklet')!=1)
{
- $node = $this->tree->getNode(SB_reqVal('nid_acl'));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl'));
$fields['-hidden0-'] = array('name'=>'nid_acl','value'=>$node->id);
$fields['Parent Folder'] = array('name'=>'parent',
'value'=>$node->name,'disabled'=>null);
@@ -4619,7 +4614,7 @@
function commandAddLink()
{
- $nid = SB_reqVal('nid_acl',true);
+ $nid = SB_reqValInt('nid_acl',true);
$node = $this->tree->getNode($nid);
if (!$node) return;
@@ -4654,7 +4649,7 @@
if (!$page->isDead && $page->errorCode['FAVURL']<PP_ERR)
{
$favicon = $page->info['FAVURL'];
- $favurl = 'favicon.php?' . md5($favicon) . '=' . SB_reqVal('lid_acl');
+ $favurl = 'favicon.php?' . md5($favicon) . '=' . SB_reqValInt('lid_acl');
$this->message = SB_T('Favicon <img src="%s"> found at url %s.', array($favurl, $url));
}
else
@@ -4690,7 +4685,7 @@
function commandMarkasDefault()
{
- $this->um->setParam('user','default_folder',SB_reqVal('nid_acl'));
+ $this->um->setParam('user','default_folder',SB_reqValInt('nid_acl'));
$this->um->saveUserParams();
exit;
}
@@ -4727,7 +4722,7 @@
if ($this->command!='Add Link')
{
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!$link) return null;
}
else
@@ -4820,7 +4815,7 @@
}
else
{
- $fields['-raw2-'] = $this->_buildFavicon(SB_reqVal('lid_acl'), $link->favicon);
+ $fields['-raw2-'] = $this->_buildFavicon(SB_reqValInt('lid_acl'), $link->favicon);
}
}
}
@@ -4925,7 +4920,7 @@
{
if (SB_reqVal('private'))
{
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!$link) return;
if (!$this->tree->inMyTree($link->id_parent))
{
@@ -4956,7 +4951,7 @@
else
{
// Delete old URL favicon from cache on update to allow new version
- $fc->purge(SB_reqVal('lid_acl'));
+ $fc->purge(SB_reqValInt('lid_acl'));
}
}
@@ -4977,13 +4972,13 @@
$update['is_dead'] = 0;
}
- $this->tree->updateLink(SB_reqVal('lid_acl', true), $update);
+ $this->tree->updateLink(SB_reqValInt('lid_acl', true), $update);
}
function buildExportDescription()
{
$fields['Decode Using'] = array('type'=>'callback', 'function'=>'_buildDecodeUsing');
- $fields['-hidden1-'] = array('name'=>'lid_acl','value'=>SB_reqVal('lid_acl'));
+ $fields['-hidden1-'] = array('name'=>'lid_acl','value'=>SB_reqValInt('lid_acl'));
return $fields;
}
@@ -4999,7 +4994,7 @@
function commandExportDescription()
{
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!strlen($link->comment))
{
$this->error('Cannot export empty description!');
@@ -5034,7 +5029,7 @@
{
$fields['Description File'] = array('type'=>'file','name'=>'file');
$fields['Encode Using'] = array('type'=>'callback', 'function'=>'_buildEncodeUsing');
- $fields['-hidden1-'] = array('name'=>'lid_acl','value'=>SB_reqVal('lid_acl'));
+ $fields['-hidden1-'] = array('name'=>'lid_acl','value'=>SB_reqValInt('lid_acl'));
return $fields;
}
@@ -5054,7 +5049,7 @@
return;
}
$filename = $_FILES['file']['tmp_name'];
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if ($this->hasErrors())
{
@@ -5124,7 +5119,7 @@
function commandDeleteLink()
{
- $link = $this->tree->getLink(SB_reqVal('lid_acl'));
+ $link = $this->tree->getLink(SB_reqValInt('lid_acl'));
if (!$link)
{
@@ -5150,7 +5145,7 @@
function buildSecurity()
{
$fields = array();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
$fields['Folder Name'] = array('name'=>'name','value'=>$node->name,'disabled'=>null);
$fields['Security'] = array('type'=>'callback',
@@ -5278,7 +5273,7 @@
{
$groups = $this->um->getGroups();
$myGroups = $this->um->getUserGroups();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
$sameACL = true;
$updated = 0;
@@ -5350,7 +5345,7 @@
function buildValidateLinks()
{
$fields = array();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
if (!$node) return null;
$fields['Folder Name'] = array('name'=>'name','maxlength'=>255,
@@ -5385,7 +5380,7 @@
function buildValidation()
{
$fields = array();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
if (!$node) return null;
require_once('./inc/validator.inc.php');
@@ -5430,7 +5425,7 @@
function buildImportBookmarks()
{
$fields = array();
- $node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+ $node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
$loaders['auto'] = array('', true);
$dirName = './inc/loaders';
@@ -5550,7 +5545,7 @@
'Imported %s link(s) into %s folder(s) from the bookmark file.',
array($bm->importedLinks, $bm->importedFolders));
- $this->tree->importTree(SB_reqVal('nid_acl'), $bm->root, SB_reqChk('rename'));
+ $this->tree->importTree(SB_reqValInt('nid_acl'), $bm->root, SB_reqChk('rename'));
}
function optionalExportBookmarks()
@@ -5638,7 +5633,7 @@
if (!SB_reqChk('doall'))
{
- $fields['-hidden1-'] = array('name'=>'nid_acl','value'=>SB_reqVal('nid_acl'));
+ $fields['-hidden1-'] = array('name'=>'nid_acl','value'=>SB_reqValInt('nid_acl'));
}
else
{
@@ -5696,9 +5691,9 @@
}
}
- if (SB_reqChk('nid_acl') && SB_reqVal('nid_acl')>0)
+ if (SB_reqChk('nid_acl') && SB_reqValInt('nid_acl')>0)
{
- $params[] = 'root=' . SB_reqVal('nid_acl');
+ $params[] = 'root=' . SB_reqValInt('nid_acl');
}
if (count($params))
@@ -5733,7 +5728,7 @@
if (!SB_reqChk('doall'))
{
- $fields['-hidden1-'] = array('name'=>'nid_acl','value'=>SB_reqVal('nid_acl'));
+ $fields['-hidden1-'] = array('name'=>'nid_acl','value'=>SB_reqValInt('nid_acl'));
}
else
{
@@ -5824,7 +5819,7 @@
?>
<div id="<?php echo ($cw->hasErrors()?$errId:'command').'Head'?>" class="cmnTitle">
<div id="help" onclick="SB_openHelp('<?php echo $onlineHelp ?>')">?</div>
-<div id="command"><?php echo htmlspecialchars(SB_T($cw->command))?></div>
+<div id="command"><?php echo SB_T($cw->command)?></div>
</div>
<div id="<?php echo ($cw->hasErrors()?$errId:'command').'Body'?>">
<?php
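Review bot: Dropping `htmlspecialchars()` around `SB_T($cw->command)` removes the only output encoding on a value that originates in the request, and this patch only rewrites `$cw->command` to a fixed string on the access-denied path (first hunk), so any other path that renders an unrecognised command name now reflects it unencoded. Unless SB_T() encodes its argument or the command is guaranteed to be a known method name by the time this template runs — neither is visible here — the escaping should stay: `<div id="command"><?php echo htmlspecialchars(SB_T($cw->command))?></div>`. If the removal is deliberate (e.g. translated labels carrying markup), a comment stating that invariant belongs on this line.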
diff -u sitebar-3.3.8/debian/changelog sitebar-3.3.8/debian/changelog
--- sitebar-3.3.8/debian/changelog
+++ sitebar-3.3.8/debian/changelog
@@ -1,3 +1,17 @@
+sitebar (3.3.8-12.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Fix multiple security issues in the translator module (translator.php)
+ Fixes: CVE-2007-5491, CVE-2007-5492, CVE-2007-5693, CVE-2007-5694
+ (Closes: #447135)
+ * Fix possible redirect to other websites via the forward parameter in
+ command.php
+ Fixes: CVE-2007-5695 (Closes: #448690)
+ * Fix multiple XSS by adding more checks for certain parameters
+ Fixes: CVE-2007-5692 (Closes: #448689)
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Tue, 04 Dec 2007 17:50:13 +0000
+
sitebar (3.3.8-12) unstable; urgency=low
* Updated French translation (fr.po). Closes: #439636.
only in patch2:
unchanged:
--- sitebar-3.3.8.orig/translator.php
+++ sitebar-3.3.8/translator.php
@@ -68,20 +68,20 @@
var $infofmt = './locale/%s/%s';
var $langs = array();
var $gid = null;
- var $dir = '.';
- var $dirCGI = '';
+ var $plugin = '';
+ var $pluginCGI = '';
function Translator()
{
- if (isset($_GET['dir']) || isset($_POST['dir']))
+ if (isset($_GET['plugin']) || isset($_POST['plugin']))
{
- $dir = isset($_GET['dir'])?$_GET['dir']:$_POST['dir'];
+ $plugin = isset($_GET['plugin'])?$_GET['plugin']:$_POST['plugin'];
- if ($dir != "." && $dir != "")
+ if ($plugin != "" && preg_match('/^\w+$/', $plugin))
{
- $this->dir = $dir;
+ $this->dir = './plugins/'.$plugin;
$this->fmt = $this->dir.'/locale/%s/%s';
- $this->dirCGI = "dir=".$this->dir."&";
+ $this->pluginCGI = "plugin=".$plugin."&";
}
}
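Review bot: The `var $dir = '.'` declaration is removed, but `$this->dir` is still assigned on the plugin branch (`$this->dir = './plugins/'.$plugin;`), read for `$this->fmt` on the next line, and read again in a later hunk by the hidden field `<input type="hidden" name="dir" value="<?php $this->dir ?>">`; with no plugin selected the property is now undefined instead of `'.'`. Keep `var $dir = '.';` next to the new `$plugin`/`$pluginCGI` properties, and rename that hidden field to `plugin` (its `echo` is also missing) so the form posts the parameter the constructor now reads. The `^\w+$` check on the plugin name is the right shape for a value used as a path component.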
@@ -283,8 +283,8 @@
<form method="get">
Translate
-<select name='dir' onChange="this.form.submit()">
-<option value='.'>SiteBar</option>
+<select name='plugin' onChange="this.form.submit()">
+<option value=''>SiteBar</option>
<?php
$dir = opendir('./plugins');
@@ -308,7 +308,7 @@
continue;
}
- echo "<option ". ($_GET['dir']==$plugdir?"selected":"") ." value='$plugdir'>Plugin $plugin</option>\n";
+ echo "<option ". ($_GET['plugin']==$plugin?"selected":"") ." value='$plugin'>Plugin $plugin</option>\n";
}
closedir($dir);
?>
@@ -443,9 +443,9 @@
if ($lang!=DEFAULT_LANGUAGE)
{
- ?>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->dirCGI ?>edit=<?php echo $part?>'>EDIT</a>]<?php
-if ($missing) : ?><br>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->dirCGI ?>cmd=add&edit=<?php echo $part?>'>ADD</a>]<?php endif;
-if ($update && !$this->parts[$part]['inline']) : ?><br>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->dirCGI ?>cmd=upd&edit=<?php echo $part?>'>UPD</a>]<?php endif;
+ ?>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->pluginCGI ?>edit=<?php echo $part?>'>EDIT</a>]<?php
+if ($missing) : ?><br>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->pluginCGI ?>cmd=add&edit=<?php echo $part?>'>ADD</a>]<?php endif;
+if ($update && !$this->parts[$part]['inline']) : ?><br>[<a href='translator.php?lang=<?php echo $lang?>&<?php echo $this->pluginCGI ?>cmd=upd&edit=<?php echo $part?>'>UPD</a>]<?php endif;
}
}
}
@@ -453,7 +453,7 @@
$server = defined("DOWNLOAD_SRV")?DOWNLOAD_SRV:"";
?>
- <td class='stat'>[<a href='<?php echo $server?>translator.php?<?php echo $this->dirCGI ?>download=<?php echo $lang?>'>Download</a>]</td>
+ <td class='stat'>[<a href='<?php echo $server?>translator.php?<?php echo $this->pluginCGI ?>download=<?php echo $lang?>'>Download</a>]</td>
</tr>
<?php
}
@@ -486,15 +486,22 @@
SB_Page::head('Edit Translation', 'locale');
?>
<h2>Edit Translation</h2>
-[<a href="translator.php?<?php echo $this->dirCGI ?>">Back to Translation List</a>]
+[<a href="translator.php?<?php echo $this->pluginCGI ?>">Back to Translation List</a>]
<p>
<?php
+ if (!isset($this->parts[$part]))
+ {
+ die("Unknown part in edit param!");
+ }
+
+ if (!preg_match('/^\w+$/',$lang))
+ {
+ die("Not allowed characters in lang param!");
+ }
+
$param = $this->parts[$part];
$file = sprintf($this->fmt,$lang,$param['file']);
- mkdir($this->dir.'/locale/'.$lang, 0777);
- chmod($this->dir.'/locale/'.$lang, 0777);
-
include($file);
eval('$data = $'.$part.';');
eval('$'.$part.'=array();');
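Review bot: The new `$part` and `$lang` checks run after `SB_Page::head('Edit Translation', 'locale')` and the back link have already been emitted, so a rejected request `die()`s inside a half-rendered page. Moving both checks to the top of the function, before `SB_Page::head()`, fails before any output and keeps the error response well-formed. With `$part` restricted to a key of `$this->parts` and `$lang` to `^\w+$`, the `include($file)` and the two `eval()` calls below only ever see known names, which is what makes them tolerable here; say so in a comment next to them, e.g. `// $part and $lang are validated above; include()/eval() only see known names.` The enclosing function starts before this hunk.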
@@ -518,7 +525,8 @@
if (!$fh = fopen($file,'w'))
{
- echo "Cannot write results to file: $file" .
+ echo "Cannot write results to file: $file<br>\n";
+ echo "Sorry for inconvinience, if possible keep this page open and inform admin. When the problem is fixed you could just reload this page and post the data once again.<br>\n";
exit;
}
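Review bot: The new message misspells "inconvinience" (`inconvenience`), and the line above still prints the server-side path `$file` to the browser, which discloses filesystem layout to anyone who can provoke a write failure. Prefer a generic user-facing message and log the path for the admin instead: `echo "Cannot write results to the translation file.<br>\n";` together with `error_log("translator: cannot write $file");`. The enclosing function starts and ends outside this hunk.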
@@ -572,9 +580,17 @@
else
{
$value = str_replace("\r\n","\n", $value);
- fwrite( $fh, "\$".$part."['".$label."'] = <<<_P\n");
+ fwrite( $fh, "\$".$part."['".$label."'] = <<<_SBHD\n");
+
+ // Do not allow here doc to be included in the string,
+ // otherwise any php code would be executed.
+ if (strstr($value,"_SBHD"))
+ {
+ die("Value must not contain _SBHD pattern!");
+ }
+
fwrite( $fh, $value);
- fwrite( $fh, "\n_P;\n\n");
+ fwrite( $fh, "\n_SBHD;\n\n");
}
}
}
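Review bot: The `_SBHD` check is placed after the first `fwrite()` of the heredoc opener, so when it fires the file already contains an unterminated `<<<_SBHD` line and `die()` leaves it syntactically broken for every later `include()`. Move the `if (strstr($value,"_SBHD"))` block above the `fwrite( $fh, "\$".$part."['".$label."'] = <<<_SBHD\n");` line; better still, validate every value before `fopen($file,'w')` so a rejection never truncates a previously valid file. `$part` and `$label` are interpolated into the generated PHP source on that same line; if either can originate from the request rather than from the loaded defaults, it needs the same check — confirm against the callers. The enclosing loop starts before this hunk.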
@@ -601,6 +617,7 @@
<table class="edit">
<input type="hidden" name="dir" value="<?php $this->dir ?>">
<?php
+
$i = 0;
foreach ($default as $label => $value)
only in patch2:
unchanged:
--- sitebar-3.3.8.orig/inc/page.inc.php
+++ sitebar-3.3.8/inc/page.inc.php
@@ -48,6 +48,7 @@
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
+ $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
/******************************************************************************/
@@ -62,6 +63,16 @@
return $is?$_REQUEST[$name]:$default;
}
+function SB_reqValInt($name, $mandatory=false, $default='')
+{
+ $is = SB_reqChk($name);
+ if ($mandatory && !$is)
+ {
+ die('Expected field "'. $name .'" was not filled!');
+ }
+ return $is?intval($_REQUEST[$name]):$default;
+}
+
function SB_setVal($name, $value)
{
$_REQUEST[$name]=$value;
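Review bot: `SB_reqValInt()` returns an int when the field is present but the string `''` (its `$default`) when it is absent and not mandatory, so callers such as `getNode(SB_reqValInt('nid_acl'))` receive a mixed type; `intval()` also maps any non-numeric input to `0`, which callers cannot distinguish from a genuine id 0. Both facts deserve a docblock above the function, e.g. `/** Like SB_reqVal() but casts the value with intval(). Non-numeric input becomes 0; returns $default (not cast) when the field is absent. */`, and `$default=0` would give callers a consistent type. The helper otherwise mirrors `SB_reqVal()` just above it, which is the right place for it.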
@@ -424,7 +435,15 @@
if ($trg === null)
{
$target = (SB_Page::isMSIE()||SB_Page::isOPERA()?'_main':'_content');
- if (isset($_REQUEST['target'])) $target = $_REQUEST['target'];
+ if (isset($_REQUEST['target']))
+ {
+ $newtarget = $_REQUEST['target'];
+
+ if (preg_match('/^\w+/', $newtarget))
+ {
+ $target = $newtarget;
+ }
+ }
$trg = $target;
}
return $trg;
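Review bot: `preg_match('/^\w+/', $newtarget)` has no end anchor, so it only requires the first character to be a word character and accepts any suffix after it; the rest of this patch uses `'/^\w+$/'` (translator.php) for the same purpose. Write `if (preg_match('/^\w+$/', $newtarget))`; the same unanchored pattern appears in the integrator.php hunk (`preg_match('/^\w+/', $_GET['lang'])`). The enclosing function starts before this hunk.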
only in patch2:
unchanged:
--- sitebar-3.3.8.orig/integrator.php
+++ sitebar-3.3.8/integrator.php
@@ -54,7 +54,10 @@
SB_Page::absBaseUrl($_COOKIE['sbi_url']);
SB_Skin::set($_COOKIE['sbi_skin']);
-SB_SetLanguage($_GET['lang']);
+if (preg_match('/^\w+/', $_GET['lang']))
+{
+ SB_SetLanguage($_GET['lang']);
+}
if (isset($_REQUEST['install']))
{
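Review bot: `$_GET['lang']` is now passed to `preg_match()` without an `isset()` check, so a request without `lang` raises an undefined-index notice and matches against `null`. Guard the read as well as the shape: `if (isset($_GET['lang']) && preg_match('/^\w+$/', $_GET['lang']))` (anchored as in translator.php). This is top-level script code, so there is no enclosing function; the cookie reads just above are outside the change.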