From f9af8cbf4831599c9092a22f9f931cf1db8c3876 Mon Sep 17 00:00:00 2001
From: Navigate CMS
Date: Sun, 30 Jan 2022 17:23:50 +0100
Subject: [PATCH] * files.php: additional checks to prevent XSS attacks
---
 lib/packages/files/files.php | 12 ++++++++----
 navigate_download.php | 2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/packages/files/files.php b/lib/packages/files/files.php
index 47967508..9555d071 100644
--- a/lib/packages/files/files.php
+++ b/lib/packages/files/files.php
@@ -175,7 +175,7 @@ function run()
 break;
 case 'description':
- $item->load($_REQUEST['id']);
+ $item->load(intval($_REQUEST['id']));
 if(!empty($_POST))
 {
@@ -210,7 +210,7 @@ function run()
 break;
 case 'focalpoint':
- $item->load($_REQUEST['id']);
+ $item->load(intval($_REQUEST['id']));
 if(!empty($_POST))
 {
 if(naviforms::check_csrf_token('header'))
@@ -295,7 +295,11 @@ function run()
 case 2: // show/edit item properties
 case "edit":
- $item->load($_REQUEST['id']);
+ $id = intval($_REQUEST['id']);
+ if(!empty($id))
+ {
+ $item->load($id);
+ }
 if(@$_REQUEST['op']=='replace_file' && !empty($_FILES))
 {
@@ -349,7 +353,7 @@ function run()
 $item->save();
 unset($item);
 $item = new file();
- $item->load($_REQUEST['id']);
+ $item->load(intval($_REQUEST['id']));
 $layout->navigate_notification(t(53, "Data saved successfully."), false, false, 'fa fa-check');
 }
 catch(Exception $e)
diff --git a/navigate_download.php b/navigate_download.php
index 6289c01b..0f94a456 100644
--- a/navigate_download.php
+++ b/navigate_download.php
@@ -50,7 +50,7 @@
 $id = $_REQUEST['id'];
 if(!empty($_REQUEST['id']))
 {
- if(is_int($id))
+ if(is_numeric($id) && $_REQUEST['id'] == intval($_REQUEST['id']))
 {
 $item->load($id);
 }
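Review bot: `$item->load(intval($_REQUEST['id']));` in the 'description' case (and the identical lines in the 'focalpoint' case at @@ -210 and after the save at @@ -349) still indexes `$_REQUEST['id']` unconditionally, so a request without the parameter raises an undefined-index warning and then calls `load(0)`; only the 'edit' case at @@ -295 guards the zero value, and even there the key is dereferenced before any check. Using `$id = intval($_REQUEST['id'] ?? 0); if($id > 0) { $item->load($id); }` in all four places keeps the branches consistent and avoids loading with a zero or negative id (assuming file ids are positive — the `file` class is not in the diff). Since `intval()` silently maps input like `12abc` to 12, the value handed to `load()` is not necessarily the one the client sent; a one-line comment such as `// id is coerced to int; non-numeric input becomes 0 and must be rejected by the caller` would make that explicit. The enclosing `run()` function starts and ends outside every hunk in this file.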
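Review bot: The new condition `is_numeric($id) && $_REQUEST['id'] == intval($_REQUEST['id'])` validates the value with a loose comparison but then passes the raw `$id` string to `$item->load($id)`; because `==` compares numeric strings numerically, inputs such as `12.0`, `1e1`, `+12` or ` 12` satisfy the check and reach `load()` unchanged. Passing the normalised integer closes that gap, e.g. `if(filter_var($id, FILTER_VALIDATE_INT) !== false) { $item->load((int) $id); }` or, matching the files.php hunks, `$id = intval($_REQUEST['id'] ?? 0); if($id > 0) { $item->load($id); }`. The replaced `is_int($id)` could never be true for a request parameter (those arrive as strings), so this branch was presumably unreachable before the patch and `load()`'s handling of a non-integer argument has not been exercised here — `file::load()` is outside the diff, so this is an inference. `$id = $_REQUEST['id'];` on the preceding context line also dereferences the key before `!empty($_REQUEST['id'])` checks it, so a missing parameter warns; `$_REQUEST['id'] ?? null` avoids that. The surrounding code begins outside the hunk.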