From fa95279e66b20a5e1b382c027cb762d7b3ba93ff Mon Sep 17 00:00:00 2001 From: xiaomlove Date: Sat, 20 May 2023 00:17:17 +0800 Subject: [PATCH] Fix some potential security hazards --- config/sanctum.php | 2 +- include/constants.php | 2 +- public/attachment.php | 2 +- public/faqactions.php | 7 ++++--- public/friends.php | 2 +- public/ipsearch.php | 2 +- public/staffbox.php | 2 +- public/subtitles.php | 2 +- public/userhistory.php | 2 +- public/viewnfo.php | 2 +- public/viewrequests.php | 6 +++--- 11 files changed, 16 insertions(+), 15 deletions(-) diff --git a/config/sanctum.php b/config/sanctum.php index 6dff450a..0fff0453 100644 --- a/config/sanctum.php +++ b/config/sanctum.php @@ -29,7 +29,7 @@ return [ | */ - 'expiration' => null, + 'expiration' => 129600, /* |-------------------------------------------------------------------------- diff --git a/include/constants.php b/include/constants.php index 51aa93cb..2b60f256 100644 --- a/include/constants.php +++ b/include/constants.php @@ -1,6 +1,6 @@ enable_attachment()) $dlkey = md5($db_file_location.".".$ext); sql_query("INSERT INTO attachments (userid, width, added, filename, filetype, filesize, location, dlkey, isimage, thumb) VALUES (".$CURUSER['id'].", ".$width.", ".sqlesc(date("Y-m-d H:i:s")).", ".sqlesc($origfilename).", ".sqlesc($filetype).", ".$filesize.", ".sqlesc($db_file_location.".".$ext).", ".sqlesc($dlkey).", ".($isimage ? 1 : 0).", ".($hasthumb ? 1 : 0).")") or sqlerr(__FILE__, __LINE__); $count_left--; - if (!empty($_REQUEST['callback_func'])) { + if (!empty($_REQUEST['callback_func']) && preg_match('/^preview_custom_field_image_\d+$/', $_REQUEST['callback_func'])) { $url = $httpdirectory_attachment."/".$db_file_location . ".$ext"; if ($hasthumb) { $url .= ".thumb.jpg"; diff --git a/public/faqactions.php b/public/faqactions.php index f4bc22f2..53dba628 100644 --- a/public/faqactions.php +++ b/public/faqactions.php 
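Review bot: The new `'expiration' => 129600` in config/sanctum.php carries no unit, and Sanctum's `expiration` is expressed in minutes, so a reader has to work out that this is 90 days; a trailing comment such as `// 90 days, in minutes` on that line would make the intent explicit. Moving from `null` (tokens never expire) to a finite lifetime is the right direction. If I recall correctly, Sanctum evaluates expiry from each token's `created_at` at request time rather than stamping it at issuance, so tokens that are already older than 90 days would stop working as soon as this ships — worth confirming and calling out in the release notes if so.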
@@ -36,7 +36,7 @@ function clear_faq_cache() // ACTION: reorder - reorder sections and items if (isset($_GET['action']) && $_GET['action'] == "reorder") { - foreach($_POST[order] as $id => $position) sql_query("UPDATE `faq` SET `order`=".sqlesc($position)." WHERE id=".sqlesc($id)) or sqlerr(); + foreach($_POST['order'] as $id => $position) sql_query("UPDATE `faq` SET `order`=".sqlesc($position)." WHERE id=".sqlesc($id)) or sqlerr(); header("Location: " . get_protocol_prefix() . "$BASEURL/faqmanage.php"); die; } @@ -113,7 +113,7 @@ elseif (isset($_GET['action']) && $_GET['action'] == "editsect" && $_POST['id'] // ACTION: delete - delete a section or item elseif (isset($_GET['action']) && $_GET['action'] == "delete" && isset($_GET['id'])) { - if ($_GET[confirm] == "yes") { + if ($_GET['confirm'] == "yes") { sql_query("DELETE FROM `faq` WHERE `id`=".sqlesc(intval($_GET['id'] ?? 0))." LIMIT 1") or sqlerr(); header("Location: " . get_protocol_prefix() . "$BASEURL/faqmanage.php"); die; @@ -122,7 +122,8 @@ elseif (isset($_GET['action']) && $_GET['action'] == "delete" && isset($_GET['id stdhead("FAQ Management"); begin_main_frame(); print("
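Review bot: Quoting the array keys is correct, but both `$_POST['order']` (hunk @@ -36) and `$_GET['confirm']` (hunk @@ -113) are still read without checking that they exist, so a request missing them raises an undefined-key warning and, for the reorder action, a `foreach` over a non-array value. Guard them at the point of use: `foreach ((array) ($_POST['order'] ?? []) as $id => $position)` and `if (($_GET['confirm'] ?? '') === 'yes')`. The delete path in @@ -113 also performs a state-changing action on a plain GET gated only by `confirm=yes`; whether a permission or CSRF check precedes it is outside the hunk, so that is worth confirming rather than assuming. Both hunks sit inside an if/elseif dispatch chain that starts and ends outside the visible lines.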

Confirmation required

"); - print("\n\n
Please click here to confirm.
\n"); + $id = intval($_GET['id'] ?? 0); + print("\n\n
Please click here to confirm.
\n"); end_main_frame(); stdfoot(); } diff --git a/public/friends.php b/public/friends.php index 89eec82d..5e4bd350 100644 --- a/public/friends.php +++ b/public/friends.php @@ -65,7 +65,7 @@ if ($action == 'delete') { $targetid = $_GET['targetid']; $sure = $_GET['sure']; - $type = $_GET['type']; + $type = htmlspecialchars($_GET['type']); if ($type == 'friend') $typename = $lang_friends['text_friend']; diff --git a/public/ipsearch.php b/public/ipsearch.php index 3ecfa4fc..2f9cd5fb 100644 --- a/public/ipsearch.php +++ b/public/ipsearch.php @@ -8,7 +8,7 @@ if (!user_can('userprofile')) permissiondenied(); else { - $ip = trim($_GET['ip']); + $ip = htmlspecialchars(trim($_GET['ip'])); if ($ip) { $regex = "/^(((1?\d{1,2})|(2[0-4]\d)|(25[0-5]))(\.\b|$)){4}$/"; diff --git a/public/staffbox.php b/public/staffbox.php index 74722ca1..2f0c03e6 100644 --- a/public/staffbox.php +++ b/public/staffbox.php @@ -133,7 +133,7 @@ stdfoot(); ////////////////////////// if ($action == "answermessage") { - $answeringto = $_GET["answeringto"]; + $answeringto = intval($_GET["answeringto"] ?? 0); $receiver = intval($_GET["receiver"] ?? 0); int_check($receiver,true); diff --git a/public/subtitles.php b/public/subtitles.php index 0cbaf179..7d95a755 100644 --- a/public/subtitles.php +++ b/public/subtitles.php @@ -95,7 +95,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["action"]) && $_POST["a //start process torrent ID if(!$_POST["torrent_id"]) { - echo($lang_subtitles['std_missing_torrent_id']."$file[name] !"); + echo($lang_subtitles['std_missing_torrent_id'].htmlspecialchars($file['name'])." !"); exit; } else diff --git a/public/userhistory.php b/public/userhistory.php index 6faaf1ab..bce6d156 100644 --- a/public/userhistory.php +++ b/public/userhistory.php @@ -5,7 +5,7 @@ require_once(get_langfile_path()); loggedinorreturn(); parked(); -$userid = $_GET["id"]; +$userid = intval($_GET["id"] ?? 0); int_check($userid,true); if ($CURUSER["id"] != $userid && !user_can('viewhistory')) 
diff --git a/public/viewnfo.php b/public/viewnfo.php index 6d5b7ed6..a89188aa 100644 --- a/public/viewnfo.php +++ b/public/viewnfo.php @@ -4,7 +4,7 @@ dbconn(); require_once(get_langfile_path()); loggedinorreturn(); parked(); -$id = $_GET["id"]; +$id = intval($_GET["id"] ?? 0); if (!user_can('viewnfo') || !is_valid_id($id) || $enablenfo_main != 'yes') permissiondenied(); diff --git a/public/viewrequests.php b/public/viewrequests.php index a332d3a6..e08a134f 100644 --- a/public/viewrequests.php +++ b/public/viewrequests.php @@ -7,7 +7,7 @@ loggedinorreturn(); parked(); if (isset($_GET['id'])) { - $_GET['id'] = htmlspecialchars($_GET['id']); + $_GET['id'] = intval($_GET['id'] ?? 0); } $action = isset($_POST['action']) ? htmlspecialchars($_POST['action']) : (isset($_GET['action']) ? htmlspecialchars($_GET['action']) : ''); $allowed_actions = array("list", "new", "newmessage", "view", "edit", "takeedit", "takeadded", "res", "takeres", "addamount", "delete", "confirm", "message", "search"); @@ -200,7 +200,7 @@ else { print( "
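Review bot: In the public/viewrequests.php hunk at @@ -7, `$_GET['id'] ?? 0` is evaluated inside `if (isset($_GET['id']))`, so the null-coalescing fallback can never fire and `$_GET['id'] = intval($_GET['id']);` expresses the same thing. Writing the cast back into the superglobal is pragmatic since later code presumably reads `$_GET['id']`, but it also means a non-numeric id silently becomes 0 and is indistinguishable downstream from a literal `id=0`; if the consuming code applies `is_valid_id()` (as public/viewnfo.php does in this same patch) that is fine, otherwise consider rejecting the request when the cast yields 0. The rest of the request dispatch, including how `$allowed_actions` is checked against `$action`, is outside the hunk.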
\n - + "); print(""); tr("{$lang_functions['col_name']}:", "
", 1); @@ -247,7 +247,7 @@ else { print( - "\n\n"); + "\n\n"); print("
{$lang_functions['title_edit']}{$lang_viewrequests['request']}
\n"); print("
");