From 11be0066e989ea2f2f7970573847f0f28c2b4f60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dufraisse?=
Date: Tue, 5 Oct 2021 09:05:29 +0200
Subject: [PATCH] fix(GererDroits): more secure usage of filter
---
 tools/templates/actions/gererdroits.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/templates/actions/gererdroits.php b/tools/templates/actions/gererdroits.php
index 155514ee5..428307b4b 100755
--- a/tools/templates/actions/gererdroits.php
+++ b/tools/templates/actions/gererdroits.php
@@ -40,6 +40,7 @@ function reloadGererDroits(elem){
 }
 services->get(DbService::class);
+ $filter = strval($filter);
 if ($filter == "pages") {
 $search = ' AND tag NOT IN ('.
 'SELECT DISTINCT resource FROM '.$table.'triples ' .
@@ -102,13 +105,13 @@ function reloadGererDroits(elem){
 $search = ' AND tag IN ("BazaR","GererSite","GererDroits","GererThemes","GererMisesAJour","GererUtilisateurs","TableauDeBord"'.
 ',"PageTitre","PageMenuHaut","PageRapideHaut","PageHeader","PageFooter","PageCSS","PageMenu"'.
 ',"PageColonneDroite","MotDePassePerdu","ParametresUtilisateur","GererConfig","ActuYeswiki","LookWiki") ';
- } elseif ($filter == intval($filter)) {
+ } elseif ($filter === strval(intval($filter))) {
 $requete_pages_wiki_bazar_fiches = 'SELECT DISTINCT resource FROM '.$table.'triples ' .
 'WHERE value = "fiche_bazar" AND property = "http://outils-reseaux.org/_vocabulary/type" ' .
 'ORDER BY resource ASC';
- $search = ' AND body LIKE \'%"id_typeannonce":"' . $filter . '"%\'';
+ $search = ' AND body LIKE \'%"id_typeannonce":"' . $dbService->escape($filter) . '"%\'';
 $search .= ' AND tag IN (' . $requete_pages_wiki_bazar_fiches . ')';
 $search .= ' ';
 } else {
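Review bot: The added `$filter = strval($filter);` assumes `$filter` is already a scalar; the assignment that produces it is outside the hunk so this is inferred, but if it can ever arrive as an array strval() emits an "Array to string conversion" warning and returns the literal string `Array` instead of rejecting the value. A guard such as `$filter = is_scalar($filter) ? strval($filter) : '';` fails closed and keeps every later comparison on a known string type. Since the value is now always a string, the comparison on the following line can be tightened to `if ($filter === "pages") {` to match the strict check the commit introduces in the second hunk. The `if`/`elseif` chain this line opens continues past the end of the hunk.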
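Review bot: The new `=== strval(intval($filter))` test narrows the accepted input in a way the hunk does not document: under the old loose `==`, values such as `"007"` or `" 5"` compared numerically equal to their intval() and selected this branch, whereas they now fall through to the `else` branch, which is reasonable for a canonical-id check but deserves a comment above the `elseif`, e.g. `// only a canonical integer string (intval() round-trips it unchanged) selects a bazar form id; "007" or " 5" go to else`. Because the branch has just proven `$filter` is digits with at most a leading minus, the added `$dbService->escape($filter)` is defence in depth rather than the control that makes the `LIKE` fragment safe; the implementation of `escape()` is not visible here, so that layering is worth stating in the same comment rather than leaving a reader to assume the escape alone carries the safety. The `if`/`elseif` chain begins before this hunk and the `else` body runs past its end.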