Changeset:
9fe6d6ffe075
https://sourceforge.net/p/mrbs/hg-code/ci/9fe6d6ffe075762320444b7afb4947973626fc0b
Author:
Campbell Morrison <[email protected]>
Date:
Thu Mar 16 13:47:06 2017 +0000
Log message:
Restricted the passing of the username and password to POST variables as a security
measure. See SF Feature Requests #351.
diffstat:
web/grab_globals.inc.php | 16 +++++++++++-----
web/session/session_cookie.inc | 10 +++++-----
web/session/session_joomla.inc | 10 +++++-----
web/session/session_php.inc | 10 +++++-----
web/session/session_wordpress.inc | 10 +++++-----
5 files changed, 31 insertions(+), 25 deletions(-)
diffs (118 lines):
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/grab_globals.inc.php
--- a/web/grab_globals.inc.php Thu Mar 16 12:00:52 2017 +0000
+++ b/web/grab_globals.inc.php Thu Mar 16 13:47:06 2017 +0000
@@ -30,9 +30,13 @@
-// Gets a form variable. Takes an optional third parameter which
-// is the default value if nothing is found from the form.
-function get_form_var($var, $var_type='string', $default=null)
+// Gets a form variable.
+// $var The variable name
+// $var_type The type of the variable ('int', 'string' or 'array')
+// $default The default value for the variable
+// $source If set, then restrict the search to this source. Can be
+// INPUT_GET or INPUT_POST.
+function get_form_var($var, $var_type='string', $default=null, $source=null)
{
// We use some functions from here
require_once "functions.inc";
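Review bot: The new `$source` comment says the value can be INPUT_GET or INPUT_POST, but not what happens for anything else, and the body (next hunk) compares with `===`, so a string such as 'POST' or a constant like INPUT_COOKIE matches neither branch and the caller quietly gets `$default`. Suggest adding two lines to the comment: `// Any other value is not recognised: neither GET nor POST is consulted and` / `// $default is returned (the comparison is strict, so pass the constant, not a string).` Whether the CLI-parameter branch still runs in that case depends on its condition, which sits just outside the second hunk. The function body continues past the end of this hunk.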
@@ -55,13 +59,15 @@
{
$value = $cli_params[$var];
}
- else if (!empty($post) && isset($post[$var]))
+ else if ((!isset($source) || ($source === INPUT_POST)) &&
+ (!empty($post) && isset($post[$var])))
{
$value = $post[$var];
}
// Then get the GET variables
- if (!empty($get) && isset($get[$var]))
+ if ((!isset($source) || ($source === INPUT_GET)) &&
+ (!empty($get) && isset($get[$var])))
{
$value = $get[$var];
}
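Review bot: An unsupported `$source` (anything other than INPUT_GET or INPUT_POST) fails both new conditions on the POST and GET branches, so the variable silently falls back to `$default` — at a login form that is indistinguishable from "nothing submitted" and hides a programming error. A short guard before the lookups makes the misuse visible: `if (isset($source) && !in_array($source, array(INPUT_GET, INPUT_POST), true)) {` / `  trigger_error('get_form_var(): unsupported $source', E_USER_WARNING);` / `}`. Note that when `$source` is null the GET `if` still runs after the else-if chain and overwrites a POST value, which is pre-existing behaviour the restriction does not change. This hunk starts mid-function (the condition for the `$cli_params` branch is above it) and the function continues after it.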
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_cookie.inc
--- a/web/session/session_cookie.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_cookie.inc Thu Mar 16 13:47:06 2017 +0000
@@ -22,11 +22,11 @@
global $auth;
// Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
// We need to preserve the original calling page, so that it's there when we
eventually get to the
// target_url (especially if that's edit_entry.php). If this is the first
time through then $HTTP_REFERER
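Review bot: `$target_url` and `$returl` are now read only from POST, so any caller that arrives here with them in the query string (a link to the login page carrying `?target_url=...`, for instance) would silently get null and presumably lose its return destination; I can't see the callers from this hunk, so it is worth confirming that the only producers are POSTed forms. The change also does not alter where those two values are checked before use: if they end up as a redirect target, restricting them to POST does not by itself guarantee they point back into this application, so a same-site/relative-path check belongs wherever they are consumed, outside this hunk. The same hunk appears in session_joomla.inc, session_php.inc and session_wordpress.inc. These are file-scope statements, so there is no enclosing function.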
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_joomla.inc
--- a/web/session/session_joomla.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_joomla.inc Thu Mar 16 13:47:06 2017 +0000
@@ -10,11 +10,11 @@
global $auth;
// Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
// We need to preserve the original calling page, so that it's there when we
eventually get to the
// target_url (especially if that's edit_entry.php). If this is the first
time through then $HTTP_REFERER
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_php.inc
--- a/web/session/session_php.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_php.inc Thu Mar 16 13:47:06 2017 +0000
@@ -19,11 +19,11 @@
global $auth;
// Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
// We need to preserve the original calling page, so that it's there when we
eventually get to the
// target_url (especially if that's edit_entry.php). If this is the first
time through then $HTTP_REFERER
diff -r 0c7a8ece7592 -r 9fe6d6ffe075 web/session/session_wordpress.inc
--- a/web/session/session_wordpress.inc Thu Mar 16 12:00:52 2017 +0000
+++ b/web/session/session_wordpress.inc Thu Mar 16 13:47:06 2017 +0000
@@ -5,11 +5,11 @@
require_once MRBS_ROOT . '/session/functions_session.inc';
// Get non-standard form variables
-$Action = get_form_var('Action', 'string');
-$NewUserName = get_form_var('NewUserName', 'string');
-$NewUserPassword = get_form_var('NewUserPassword', 'string');
-$target_url = get_form_var('target_url', 'string');
-$returl = get_form_var('returl', 'string');
+$Action = get_form_var('Action', 'string', null, INPUT_POST);
+$NewUserName = get_form_var('NewUserName', 'string', null, INPUT_POST);
+$NewUserPassword = get_form_var('NewUserPassword', 'string', null, INPUT_POST);
+$target_url = get_form_var('target_url', 'string', null, INPUT_POST);
+$returl = get_form_var('returl', 'string', null, INPUT_POST);
// We need to preserve the original calling page, so that it's there when we
eventually get to the
// target_url (especially if that's edit_entry.php). If this is the first
time through then $HTTP_REFERER