[Lsb-messages] /var/www/bzr/lsb/devel/dbadmin r252: More paranoia on request vars in include files.

Jeff Licquia licquia at linuxfoundation.org
Thu May 17 02:06:14 UTC 2012


------------------------------------------------------------
revno: 252
committer: Jeff Licquia <licquia at linuxfoundation.org>
branch nick: dbadmin
timestamp: Wed 2012-05-16 22:06:14 -0400
message:
  More paranoia on request vars in include files.
modified:
  class.inc
  interface.inc
-------------- next part --------------
=== modified file 'class.inc'
--- a/class.inc	2012-04-18 08:11:35 +0000
+++ b/class.inc	2012-05-17 02:06:14 +0000
@@ -359,6 +359,7 @@
         $select.= "WHERE ACcid=".$CIid." ";
     }
     else {
+        check_request_numeric_params('CIid');
         $select.= "WHERE ACcid=".$_REQUEST['CIid']." ";
     }
     $select.= "AND ACpos=".$vtab["CVpos"];
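Review bot: The added `check_request_numeric_params('CIid')` call in the else branch still leaves the next line concatenating `$_REQUEST['CIid']` straight into the SQL text, so the query's safety rests on a helper whose definition and failure behaviour are not visible here. If that helper is built on something like `is_numeric()`, forms such as `1e5` would pass and still reach the query, and if it reports rather than aborts, the concatenation runs regardless. Coercing at the point of use removes that dependency, e.g. `$select.= "WHERE ACcid=".intval($_REQUEST['CIid'])." ";`, or better a parameterised query if the database layer supports one. The same applies to the `VTcid` line in the second hunk of this file (-373), and the `$CIid` branch above each is concatenated with no check visible in either hunk. The enclosing function starts and ends outside the hunk.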
@@ -373,6 +374,7 @@
         $select.= "WHERE VTcid=".$CIid." ";
     }
     else {
+        check_request_numeric_params('CIid');
         $select.= "WHERE VTcid=".$_REQUEST['CIid']." ";
     }
     $select.= "AND VTvtpos=".$vtab["CVpos"]." ";

=== modified file 'interface.inc'
--- a/interface.inc	2012-04-18 08:11:35 +0000
+++ b/interface.inc	2012-05-17 02:06:14 +0000
@@ -458,6 +458,8 @@
     //
     global $Header, $tmpInterface;
 
+    check_request_numeric_params('Hid');
+
     if( !isset($Header[$Hid]) ) {
         print( "<em>Illegal Header identifier</em><br/>\n" );
         return;
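Review bot: The new check validates the request variable `Hid` by name, but the lookup two lines later reads the local `$Hid`, and nothing in the hunk shows that the two hold the same value. If `$Hid` is a function argument or is assigned elsewhere, the check may guard a value that is never used, or, depending on how the helper treats a missing key, fail calls where the request carries no `Hid`. Validating the variable that is actually used would be more direct, for example `if( !ctype_digit((string)$Hid) || !isset($Header[$Hid]) ) {`. The function starts outside the hunk, so how `$Hid` is populated should be confirmed there.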


