

Avoid bypassing when editing site structure for the root level and ex…
…ecute PHP code
slackero committed Jul 31, 2022
1 parent a9533c9 commit 7efb450
Showing 5 changed files with 23 additions and 12 deletions.
18 changes: 9 additions & 9 deletions include/inc_act/act_structure.php
Expand Up @@ -82,9 +82,9 @@
if(isset($_POST["acat_id"]) && $_POST["acat_id"] === 'index') {
// write index page config to flat file
$sql = "<?php\n";
$sql .= "\$indexpage['acat_name'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_name"], 2000))."';\n";
$sql .= "\$indexpage['acat_title'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_title"], 2000))."';\n";
$sql .= "\$indexpage['acat_info'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_info"], 32000))."';\n";
$sql .= "\$indexpage['acat_name'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_name"], 2000))."';\n";
$sql .= "\$indexpage['acat_title'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_title"], 2000))."';\n";
$sql .= "\$indexpage['acat_info'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_info"], 32000))."';\n";
$sql .= "\$indexpage['acat_alias'] = '". proof_alias($_POST["acat_id"], $_POST["acat_alias"])."';\n";
$sql .= "\$indexpage['acat_aktiv'] = ". (isset($_POST["acat_aktiv"]) ? 1 : 0).";\n";
$sql .= "\$indexpage['acat_template'] = ". intval($_POST["acat_template"]).";\n";
Expand All @@ -93,7 +93,7 @@
$sql .= "\$indexpage['acat_regonly'] = ". (isset($_POST["acat_regonly"]) ? 1 : 0).";\n";
$sql .= "\$indexpage['acat_topcount'] = ". intval($_POST["acat_topcount"]).";\n";
$sql .= "\$indexpage['acat_maxlist'] = ". intval($_POST["acat_maxlist"]).";\n";
$sql .= "\$indexpage['acat_redirect'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_redirect"]))."';\n";
$sql .= "\$indexpage['acat_redirect'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_redirect"]))."';\n";
$cache_timeout = clean_slweg($_POST["acat_timeout"]);
if(isset($_POST['acat_cacheoff']) && intval($_POST['acat_cacheoff'])) $cache_timeout = 0; //check if cache = Off
$sql .= "\$indexpage['acat_timeout'] = '". $cache_timeout."';\n";
Expand All @@ -102,16 +102,16 @@
$sql .= "\$indexpage['acat_order'] = ". set_correct_ordersort() .";\n";
$sql .= "\$indexpage['acat_permit'] = '". $acat_permit."';\n";
$sql .= "\$indexpage['acat_cntpart'] = '". $acat_cntpart."';\n";
$sql .= "\$indexpage['acat_pagetitle'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_pagetitle"]))."';\n";
$sql .= "\$indexpage['acat_pagetitle'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_pagetitle"]))."';\n";
$sql .= "\$indexpage['acat_paginate'] = ". (isset($_POST["acat_paginate"]) ? 1 : 0).";\n";
$sql .= "\$indexpage['acat_overwrite'] = '". str_replace("''", "\\'", clean_slweg($_POST["acat_overwrite"]))."';\n";
$sql .= "\$indexpage['acat_overwrite'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_overwrite"]))."';\n";
$sql .= "\$indexpage['acat_archive'] = ". (empty($_POST["acat_archive"]) ? 0 : 1) .";\n";
$sql .= "\$indexpage['acat_class'] = '". str_replace("'", "\\'", $acat_class)."';\n";
$sql .= "\$indexpage['acat_keywords'] = '". str_replace("'", "\\'", $acat_keywords)."';\n";
$sql .= "\$indexpage['acat_class'] = '". sanitize_quote_backslash($acat_class)."';\n";
$sql .= "\$indexpage['acat_keywords'] = '". sanitize_quote_backslash($acat_keywords)."';\n";
$sql .= "\$indexpage['acat_cpdefault'] = ". intval($_POST["acat_cpdefault"]).";\n";
$sql .= "\$indexpage['acat_disable301'] = ". (empty($_POST["acat_disable301"]) ? 0 : 1).";\n";
$sql .= "\$indexpage['acat_opengraph'] = ". (empty($_POST["acat_opengraph"]) ? 0 : 1).";\n";
$sql .= "\$indexpage['acat_canonical'] = '". str_replace("'", "\\'", clean_slweg($_POST["acat_canonical"], 2000))."';\n";
$sql .= "\$indexpage['acat_canonical'] = '". sanitize_quote_backslash(clean_slweg($_POST["acat_canonical"], 2000))."';\n";
$sql .= "\$indexpage['acat_breadcrumb'] = ". $acat_breadcrumb .";\n";
$sql .= "\$indexpage['acat_onepage'] = ". $acat_onepage .";\n";

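Review bot: The generated index-page config still receives values that skip the new escaping: in the `@@ -93,7 +93,7 @@` hunk, `$cache_timeout` comes from `clean_slweg($_POST["acat_timeout"])` and is interpolated into a single-quoted literal on the `acat_timeout` line unescaped, so a quote in that field would still terminate the string literal in the written PHP file (assuming `clean_slweg` only handles slashes and length, which is inferred rather than visible here). The minimal change is `$sql .= "\$indexpage['acat_timeout'] = '". sanitize_quote_backslash($cache_timeout)."';\n";`, or `intval($cache_timeout)` if the timeout is always numeric. The `proof_alias()` result on the `acat_alias` line and `$acat_permit`/`$acat_cntpart`, which are assigned outside these hunks, deserve the same check unless they are already constrained to safe characters upstream. The `if (... === 'index')` body continues past the last hunk.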
1 change: 0 additions & 1 deletion include/inc_front/front.func.inc.php
Expand Up @@ -1883,7 +1883,6 @@ function get_related_articles($keywords, $current_article_id, $template_default,
foreach($keywordarray as $value) {
//build where keyword = blabla
$where .= ($where) ? " OR " : "";
//replace every "'" to "''" for security reasons with _dbEscape()
$where .= "article_keyword LIKE "._dbEscape($value, true, '%', '%');
}
$limit = ($max_cnt_links) ? " LIMIT ".$max_cnt_links : "";
12 changes: 12 additions & 0 deletions include/inc_lib/general.inc.php
Expand Up @@ -1661,6 +1661,18 @@ function sanitize_filename($filename) {
return $filename;
}

/**
* Sanitize string which will be written to set the value of a PHP variable.
* Should avoid users from bypassing it and execute PHP code.
*
* @param string $text
*
* @return string
*/
function sanitize_quote_backslash($text) {
return str_replace(array('\\', "'"), array("\\\\", "\\'"), $text);
}

function saveUploadedFile($file, $target, $exttype = '', $imgtype = '', $rename = 0, $maxsize = 0) {
// imgtype can be all exif_imagetype supported by your PHP install
// see http://www.php.net/exif_imagetype
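Review bot: `sanitize_quote_backslash` is only sufficient for embedding into a single-quoted PHP string literal, and its docblock should say so: inside a double-quoted string or heredoc, `$`, `"` and the usual escape sequences remain live, so a caller who reuses it in that context gets no protection. The docblock should also record why the replacement order matters, since `str_replace` with arrays applies the pairs sequentially and doubling backslashes first keeps the backslash added for `'` from being doubled again. Suggested text: `* Escape \ and ' so $text can be embedded in a single-quoted PHP string literal.` / `* Backslashes are doubled first so the escape added for the quote stays intact.` / `* Not sufficient for double-quoted strings or heredocs.` If the project's PHP baseline allows it, a `string` type on `$text` would make non-string input fail loudly rather than being passed through `str_replace` as an array or null.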
2 changes: 1 addition & 1 deletion include/inc_lib/revision/revision.php
Expand Up @@ -10,5 +10,5 @@
**/

define('PHPWCMS_VERSION', '1.9.34-dev');
define('PHPWCMS_RELEASE_DATE', '2022/07/28');
define('PHPWCMS_RELEASE_DATE', '2022/07/31');
define('PHPWCMS_REVISION', '553');
2 changes: 1 addition & 1 deletion setup/inc/setup.func.inc.php
Expand Up @@ -119,7 +119,7 @@ function clean_slweg($string_wo_slashes_weg, $string_laenge = 0) {
}

function escape_quote($text='') {
return str_replace(array('\\', "'"), array('\\\\', "\'"), $text);
return str_replace(array('\\', "'"), array('\\\\', "\\'"), $text);
}

function write_conf_file($val) {
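Review bot: The changed line is behaviour-neutral — in a double-quoted PHP string both `"\'"` and `"\\'"` evaluate to backslash followed by a quote — so this is a normalization that makes the replacement array read the same as `sanitize_quote_backslash` in include/inc_lib/general.inc.php. A short comment would keep a later reader from treating it as a fix, e.g. `// Same escaping as sanitize_quote_backslash(); only valid for single-quoted PHP literals`. Whether setup could call the shared function instead of keeping its own `escape_quote` depends on what the setup bootstrap loads, which is outside this hunk.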

