functions.php: url parsing checks in distromatic pages to prevent security issues

This commit is contained in:
Silvan Calarco 2020-09-20 12:15:42 +02:00
parent f6eabf0f13
commit 8d001c03f4
3 changed files with 36 additions and 12 deletions


@ -63,17 +63,29 @@ function set_title($title) {
parse_str($urlargs, $args); parse_str($urlargs, $args);
$newtitle = $title; $newtitle = $title;
if ($args['arch']) { if ($args['arch']) {
$newtitle = $args['arch'] . " - " . $newtitle; if (preg_match('/^[a-zA-Z0-9._]*$/', $args['arch'])) {
$newtitle = urlencode($args['arch']) . " - " . $newtitle;
} else {
$newtitle = " Invalid request - " . $newtitle;
}
} }
if ($args['tag']) { if ($args['tag']) {
$newtitle = $args['tag'] . " - " . $newtitle; if (preg_match('/^[a-zA-Z0-9._-]*$/', $args['tag'])) {
$newtitle = urlencode($args['tag']) . " - " . $newtitle;
} else {
$newtitle = " Invalid request - " . $newtitle;
}
} }
if ($args['pkg']) { if ($args['pkg']) {
if ($args['pkg'] == '_index') if ($args['pkg'] == '_index')
$newtitle = 'Index - ' . $newtitle; $newtitle = 'Index - ' . $newtitle;
else { else {
$e = explode('.', $args['pkg']); if (preg_match('/^[a-zA-Z0-9._+-]*$/', $args['pkg'])) {
$newtitle = $e[0] . " - " . $e[1] . " - " . $newtitle; $e = explode('.', urlencode($args['pkg']));
$newtitle = $e[0] . " - " . $e[1] . " - " . $newtitle;
} else {
$newtitle = " Invalid request - " . $newtitle;
}
} }
} }
return $newtitle; return $newtitle;
@ -267,10 +279,14 @@ function openmamba_distroquery_func() {
else else
$outputlang = "en_US.UTF-8"; $outputlang = "en_US.UTF-8";
$ret = "<div id=\"noajax_msg\"></div>"; if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
$ret .= "<span id=\"queryform\">Loading, please wait...</span><br>"; $ret = "<div id=\"noajax_msg\"></div>";
$ret .= "<span id=\"querystatus\"></span><br><span id=\"queryreply\">&nbsp;</span>"; $ret .= "<span id=\"queryform\">Loading, please wait...</span><br>";
$ret .= "<script>$(document).ready(function(){ distroquery_request(\"" . $urlargs . "\"); })</script>"; $ret .= "<span id=\"querystatus\"></span><br><span id=\"queryreply\">&nbsp;</span>";
$ret .= "<script>$(document).ready(function(){ distroquery_request(\"" . $urlargs . "\"); })</script>";
} else {
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
}
return $ret; return $ret;
} }
@ -289,8 +305,12 @@ function openmamba_distromatic_func() {
else else
$outputlang = "en_US.UTF-8"; $outputlang = "en_US.UTF-8";
$ret = "<span id=\"distromatic\">" . __("Loading, please wait...", "responsive") . "</span><br>"; if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/distromatic.naked.html?" . $urlargs . "'); })</script>"; $ret = "<span id=\"distromatic\">" . __("Loading, please wait...", "responsive") . "</span><br>";
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/distromatic.naked.html?" . $urlargs . "'); })</script>";
} else {
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
}
return $ret; return $ret;
} }
@ -303,8 +323,12 @@ function openmamba_showfile_func() {
$urlargs = substr($_SERVER['REQUEST_URI'], $urlargspos + 1); $urlargs = substr($_SERVER['REQUEST_URI'], $urlargspos + 1);
} }
$ret = "<span id=\"distromatic\">" . "Loading, please wait..." . "</span><br>"; if (preg_match('/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*$/', $urlargs)) {
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/showfile.naked.html?" . $urlargs . "'); })</script>"; $ret = "<span id=\"distromatic\">" . "Loading, please wait..." . "</span><br>";
$ret .= "<script>$(document).ready(function(){ $('#distromatic').load('/distribution/showfile.naked.html?" . $urlargs . "'); })</script>";
} else {
$ret = "<span id=\"distromatic\">" . __("Invalid request.", "responsive") . "</span><br>";
}
return $ret; return $ret;
} }
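Review bot: In the set_title hunk, `urlencode()` is the wrong escaper for a value that is apparently headed for an HTML title: the `preg_match` allowlists just before it already reject every HTML metacharacter, so the call adds no protection, while for `$args['pkg']` it rewrites `+` to `%2B` before the `explode('.')`, so a package name containing `+` is rendered mangled; drop the `urlencode()` calls (or apply `htmlspecialchars()` where `$newtitle` is finally emitted, which is outside this hunk). In the three `$urlargs` hunks (openmamba_distroquery_func, openmamba_distromatic_func, openmamba_showfile_func) the allowlist is the only barrier between `REQUEST_URI` and a raw interpolation into a `<script>` block, and `$` in PCRE also matches before a trailing newline, so anchor with `\z` instead, `'/^[a-zA-Z0-9._\=\-\+\/\.\&\:]*\z/'`, and consider passing `$urlargs` through `json_encode()` for the JavaScript string as a second layer. Note also that `%` is not in the allowlist, so any percent-encoded query (a space or non-ASCII character) now yields "Invalid request." — confirm that is intended. Each of the four enclosing functions starts and ends outside its hunk.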

images/openmamba-64x64.png Normal file → Executable file
