functions.php: url parsing checks in distromatic pages to prevent security issues
This commit is contained in:
parent
f6eabf0f13
commit
8d001c03f4
@ -63,17 +63,29 @@ function set_title($title) {
|
|||||||
parse_str($urlargs, $args);
|
parse_str($urlargs, $args);
|
||||||
$newtitle = $title;
|
$newtitle = $title;
|
||||||
if ($args['arch']) {
|
if ($args['arch']) {
|
||||||
$newtitle = $args['arch'] . " - " . $newtitle;
|
if (preg_match('/^[a-zA-Z0-9._]*$/', $args['arch'])) {
|
||||||
|
$newtitle = urlencode($args['arch']) . " - " . $newtitle;
|
||||||
|
} else {
|
||||||
|
$newtitle = " Invalid request - " . $newtitle;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if ($args['tag']) {
|
if ($args['tag']) {
|
||||||
$newtitle = $args['tag'] . " - " . $newtitle;
|
if (preg_match('/^[a-zA-Z0-9._-]*$/', $args['tag'])) {
|
||||||
|
$newtitle = urlencode($args['tag']) . " - " . $newtitle;
|
||||||
|
} else {
|
||||||
|
$newtitle = " Invalid request - " . $newtitle;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if ($args['pkg']) {
|
if ($args['pkg']) {
|
||||||
if ($args['pkg'] == '_index')
|
if ($args['pkg'] == '_index')
|
||||||
$newtitle = 'Index - ' . $newtitle;
|
$newtitle = 'Index - ' . $newtitle;
|
||||||
else {
|
else {
|
||||||
$e = explode('.', $args['pkg']);
|
if (preg_match('/^[a-zA-Z0-9._+-]*$/', $args['pkg'])) {
|
||||||
$newtitle = $e[0] . " - " . $e[1] . " - " . $newtitle;
|
$e = explode('.', urlencode($args['pkg']));
|
||||||
|
$newtitle = $e[0] . " - " . $e[1] . " - " . $newtitle;
|
||||||
|
} else {
|
||||||
|
$newtitle = " Invalid request - " . $newtitle;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $newtitle;
|
return $newtitle;
|
||||||
@ -267,10 +279,14 @@ function openmamba_distroquery_func() {
|
|||||||
else
|
else
|
||||||
$outputlang = "en_US.UTF-8";
|
$outputlang = "en_US.UTF-8";
|
||||||
|
|
||||||
$ret = "<div id=\"noajax_msg\"></div>";
|
if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
|
||||||
$ret .= "<span id=\"queryform\">Loading, please wait...</span><br>";
|
$ret = "<div id=\"noajax_msg\"></div>";
|
||||||
$ret .= "<span id=\"querystatus\"></span><br><span id=\"queryreply\"> </span>";
|
$ret .= "<span id=\"queryform\">Loading, please wait...</span><br>";
|
||||||
$ret .= "<script>$(document).ready(function(){ distroquery_request(\"" . $urlargs . "\"); })</script>";
|
$ret .= "<span id=\"querystatus\"></span><br><span id=\"queryreply\"> </span>";
|
||||||
|
$ret .= "<script>$(document).ready(function(){ distroquery_request(\"" . $urlargs . "\"); })</script>";
|
||||||
|
} else {
|
||||||
|
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
|
||||||
|
}
|
||||||
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
@ -289,8 +305,12 @@ function openmamba_distromatic_func() {
|
|||||||
else
|
else
|
||||||
$outputlang = "en_US.UTF-8";
|
$outputlang = "en_US.UTF-8";
|
||||||
|
|
||||||
$ret = "<span id=\"distromatic\">" . __("Loading, please wait...", "responsive") . "</span><br>";
|
if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
|
||||||
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/distromatic.naked.html?" . $urlargs . "'); })</script>";
|
$ret = "<span id=\"distromatic\">" . __("Loading, please wait...", "responsive") . "</span><br>";
|
||||||
|
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/distromatic.naked.html?" . $urlargs . "'); })</script>";
|
||||||
|
} else {
|
||||||
|
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
|
||||||
|
}
|
||||||
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
@ -303,8 +323,12 @@ function openmamba_showfile_func() {
|
|||||||
$urlargs = substr($_SERVER['REQUEST_URI'], $urlargspos + 1);
|
$urlargs = substr($_SERVER['REQUEST_URI'], $urlargspos + 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
$ret = "<span id=\"distromatic\">" . "Loading, please wait..." . "</span><br>";
|
if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
|
||||||
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/showfile.naked.html?" . $urlargs . "'); })</script>";
|
$ret = "<span id=\"distromatic\">" . "Loading, please wait..." . "</span><br>";
|
||||||
|
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/showfile.naked.html?" . $urlargs . "'); })</script>";
|
||||||
|
} else {
|
||||||
|
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
|
||||||
|
}
|
||||||
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
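Review bot: The whitelist regexes added at lines 161, 226 and 281 (`/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/`) end in a bare `$`, which in PCRE also matches just before a trailing newline, so a `$urlargs` value ending in `\n` passes the check and is still written verbatim into the inline `<script>` string; anchoring with the `D` modifier, `preg_match('/^[a-zA-Z0-9._=+\/&:-]*$/D', $urlargs)`, closes that gap, and the three `set_title` patterns at lines 27, 58 and 104 have the same issue. The pattern is repeated byte-for-byte in openmamba_distroquery_func, openmamba_distromatic_func and openmamba_showfile_func; a single helper such as `function is_safe_urlargs($urlargs) { return preg_match('/^[a-zA-Z0-9._=+\/&:-]*$/D', $urlargs) === 1; }` would keep the allowed character set in one place and make the `=== 1` test explicit instead of relying on truthiness of the `1`/`0`/`false` return. In set_title the added `urlencode()` is a no-op for the already-whitelisted arch and tag values but turns a `+` in a package name into `%2B` in the displayed title, and `$e[1]` at line 113 is undefined when the package name contains no dot; a short comment noting that the regex is the actual guard and the encoding is defence in depth would help a later reader. The enclosing functions all begin before the shown hunks.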
|
Binary file not shown.
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 10 KiB |
BIN
images/openmamba-64x64.png
Normal file → Executable file
BIN
images/openmamba-64x64.png
Normal file → Executable file
Binary file not shown.
Before Width: | Height: | Size: 2.7 KiB After Width: | Height: | Size: 2.4 KiB |