From 2e1e1d05352c014501b8ee361950d398c2f38b96 Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Sat, 25 Sep 2021 11:42:07 +0100
Subject: [PATCH] 100-run: fix XSS when action is not found
---
 Changelog.md | 1 +
 core/100-run.php | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 15405b15..9906f91f 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -8,6 +8,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
 - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
 - [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
+ - [security] Fixed XSS when the `action` GET param doesn't match a known action
 ## v0.23
diff --git a/core/100-run.php b/core/100-run.php
index 9f4ebca8..611f25a9 100644
--- a/core/100-run.php
+++ b/core/100-run.php
@@ -47,11 +47,10 @@
 // Perform the appropriate action
-$action_name = $env->action;
-if(isset($actions->$action_name)) {
- $req_action_data = $actions->$action_name;
+if(isset($actions->{$env->action})) {
+ $req_action_data = $actions->{$env->action};
 $req_action_data();
 } else {
- exit(page_renderer::render_main("Error - $settings->sitename", "

No action called " . strtolower($_GET["action"]) ." has been registered. Perhaps you are missing a module?

"));
+ exit(page_renderer::render_main("Error - $settings->sitename", "

No action called $env->action has been registered. Perhaps you are missing a module?

"));
 }
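Review bot: The added `exit(page_renderer::render_main(...))` line still writes `$env->action` into the error page without encoding it at the point of output, so the fix is only as strong as whatever normalisation is applied where `$env->action` is assigned, and that code is outside this hunk. Encoding at the sink would keep the message safe if that upstream filtering is ever loosened: `No action called " . htmlentities($env->action) . " has been registered.` If the value is already guaranteed to be HTML-safe, a one-line comment above the `if`, such as `// $env->action is normalised before this point; never echo $_GET["action"] directly`, would record why raw interpolation is acceptable here.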