From 2cb02cd1e541a8f5d860fd643db53e38afe67ba6 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 14 Oct 2021 11:12:58 +0200
Subject: [PATCH] prevent code injection

See: https://huntr.dev/bounties/ee5fba4a-dd6a-4bba-b9dd-d73bcca0f38e/
---
 acp/core/functions.php  | 6 ++++--
 acp/core/pages.edit.php | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/acp/core/functions.php b/acp/core/functions.php
index 56c6a6f4..39e76148 100644
--- a/acp/core/functions.php
+++ b/acp/core/functions.php
@@ -381,7 +381,9 @@ function fc_filter_filepath($str) {
 
 function fc_return_clean_value($string) {
 	$string = stripslashes($string);
+	$remove_chars = array('$','`','{','}');
 	$string = htmlentities($string, ENT_QUOTES, "UTF-8");
+	$string = str_replace($remove_chars, "", $string);
 	return $string;
 }
 
@@ -389,8 +391,8 @@ function fc_clean_permalink($str) {
 	$str = stripslashes($str);
 	$str = strip_tags($str);
 	$str = strtolower($str);
-	$a = array('ä','ö','ü','ß',' + ','//','(',')',';','\'','\\','.','`','<','>');
-	$b = array('ae','oe','ue','ss','-'.'/','','','','','','','','','');
+	$a = array('ä','ö','ü','ß',' + ','//','(',')',';','\'','\\','.','`','<','>','$');
+	$b = array('ae','oe','ue','ss','-'.'/','','','','','','','','','','');
 	$str = str_replace($a, $b, $str);
 	$str = preg_replace('/\s/s', '_', $str); // replace blanks -> '_'
 	$str = htmlentities($str, ENT_QUOTES, "UTF-8");
diff --git a/acp/core/pages.edit.php b/acp/core/pages.edit.php
index f452e40a..c9f992ef 100755
--- a/acp/core/pages.edit.php
+++ b/acp/core/pages.edit.php
@@ -153,8 +153,8 @@
 	$page_sort = "$page_position.$page_order";
 	$page_version = $_POST['page_version'];
 
-	$page_title = strip_tags($_POST['page_title']);
-	$page_linkname = strip_tags($_POST['page_linkname']);
+	$page_title = fc_return_clean_value($_POST['page_title']);
+	$page_linkname = fc_return_clean_value($_POST['page_linkname']);
 
 	if($page_position == "portal") {
 		$page_sort = "portal";
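Review bot: The added `str_replace` on the last new line of `fc_return_clean_value` is a denylist that silently deletes `$`, backticks and braces from the value instead of rejecting or escaping them, so a legitimate title such as `Price in $` is altered with no error, and any further metacharacter that matters at the sink is not covered. This hunk does not show where the cleaned value is written; if it ends up inside a generated PHP file or a double-quoted string, as the commit subject suggests, the durable fix is to serialise it at that sink with `var_export()` or `json_encode()` rather than to filter characters here. The `htmlentities()` call on the context line also returns an empty string for invalid UTF-8 because `ENT_SUBSTITUTE` is not set, which turns a malformed title into a silent blank; `htmlentities($string, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8")` would keep the rest of the value. A docblock stating the contract would help callers, e.g. `/** HTML-encodes $string (ENT_QUOTES) and strips $ ` { } so the result cannot interpolate inside a double-quoted PHP string; those characters are removed, not escaped. */`.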
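Review bot: In the new `$b` array of `fc_clean_permalink`, `'-'.'/'` is string concatenation, not two elements, so `' + '` is mapped to `-/`, `'//'` is mapped to the empty string, and `$b` still has one element fewer than `$a` (15 versus 16); the intent reads as `'-','/'`, which would also make the two arrays the same length. Appending `$` keeps the function a growing denylist that still lets `{`, `}`, `#`, `?`, `%` and `=` through into something used as a permalink; if non-ASCII permalinks are not required, an allowlist after the transliteration step, e.g. `$str = preg_replace('/[^a-z0-9_\-\/]/', '', $str);`, covers these without further updates. Note also that `strtolower()` on the context line is byte-wise, so an uppercase `Ä` is neither lowercased nor transliterated to `ae`; `mb_strtolower()` would fix that. The function's closing lines are outside the hunk.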
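Review bot: Routing `page_title` and `page_linkname` through `fc_return_clean_value()` stores the values HTML-entity-encoded (it calls `htmlentities` with `ENT_QUOTES`) and with `$`, backticks and braces silently removed, which is input-side encoding: any template that escapes the title again on output will render `&amp;#039;` for an apostrophe, and a title containing `$` is changed without feedback to the editor. Since the previous `strip_tags()` is gone, markup is now kept as literal `&lt;b&gt;` rather than removed, which may or may not be intended. If the sink that made this injection possible is a generated PHP file, it is safer to keep the raw value here, validate it (e.g. reject it when it contains `$` or a backtick), serialise with `var_export()` at the write site, and escape for HTML only at output. Both `$_POST` reads are unguarded; `$_POST['page_title'] ?? ''` avoids an undefined-index notice and the PHP 8.1 deprecation of passing null to `stripslashes()`. The enclosing block begins and ends outside the hunk.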