[Lsb-messages] /var/www/bzr/lsb/devel/dbadmin r254: Last bit of security audit changes for this go-round.

Jeff Licquia licquia at linuxfoundation.org
Thu May 17 18:51:11 UTC 2012


------------------------------------------------------------
revno: 254
committer: Jeff Licquia <licquia at linuxfoundation.org>
branch nick: dbadmin
timestamp: Thu 2012-05-17 14:51:11 -0400
message:
  Last bit of security audit changes for this go-round.
modified:
  browse/class.php
  browse/class_single.php
  browse/command.php
  browse/int_single.php
  browse/interface.php
  browse/lib_single.php
=== modified file 'browse/class.php'
--- a/browse/class.php	2011-08-29 07:50:40 +0000
+++ b/browse/class.php	2012-05-17 18:51:11 +0000
@@ -43,6 +43,7 @@
         $_REQUEST['CIid'] = $_REQUEST['id'];
         $Tid = isset($id) ? $id : 0;
     case "list-byid" :
+        check_request_literal_params("CIname");
         check_request_numeric_params("CIid");
         if( isset($_REQUEST['CIname']) ) {
             display_single_class($_REQUEST['CIname'], $_REQUEST['CIid']);

=== modified file 'browse/class_single.php'
--- a/browse/class_single.php	2012-05-16 23:46:37 +0000
+++ b/browse/class_single.php	2012-05-17 18:51:11 +0000
@@ -106,9 +106,7 @@
         if( isset($_REQUEST['CIname']) ) {
             $_REQUEST['Cname'] = $_REQUEST['CIname'];
         }
-        else {
-            check_request_literal_params("Cname");
-        }
+        check_request_literal_params("Cname");
 
         // Usually class name itself is not enough to identify the class;
         // additional arguments can be passed - CIid (class id in the ClassInfo table),
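Review bot: The reason the `check_request_literal_params("Cname")` call is now unconditional is not recorded in the code: when CIname is present it is copied into Cname two lines above, so validating Cname covers both sources, and a maintainer who sees the old `else` in history may reintroduce it. A one-line comment above the call, `// Cname is validated whether it came from the request directly or was copied from CIname`, would pin that intent down. The enclosing function starts outside the hunk.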

=== modified file 'browse/command.php'
--- a/browse/command.php	2012-04-18 08:11:35 +0000
+++ b/browse/command.php	2012-05-17 18:51:11 +0000
@@ -39,6 +39,7 @@
         }
         if( isset($_REQUEST['Cname']) ) {
 //            create_tmp_RawCmd_table();
+            check_request_literal_params("Cname");
             display_single_cmd($_REQUEST['Cname']);
             break;
         }
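Review bot: The commented-out call `//            create_tmp_RawCmd_table();` directly above the new `check_request_literal_params("Cname");` is dead code left in place; either delete the line or replace it with a comment saying why the temp table is no longer created here, so the next reader does not have to guess whether the new check was meant to replace it. Placing the check inside the `isset` branch is fine for this use, since it runs before the only line that reads Cname. The enclosing switch starts outside the hunk.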

=== modified file 'browse/int_single.php'
--- a/browse/int_single.php	2011-08-29 07:50:40 +0000
+++ b/browse/int_single.php	2012-05-17 18:51:11 +0000
@@ -79,7 +79,7 @@
         display_int_by_app($_REQUEST['Iname'], $_REQUEST['Ilibrary']);
         break;
     case "list_int_by_component":
-        check_request_literal_params("Iname");
+        check_request_literal_params("Iname", "Ilibrary");
         print("<table class='limage' width=\"100%\"><tr><td valign=\"bottom\"><font class='topfont'>Interface '".$_REQUEST['Iname']);
         if( isset($_REQUEST['Ilibrary']) ) {
             print( " (".$_REQUEST['Ilibrary'].")" );
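Review bot: `$_REQUEST['Iname']` and `$_REQUEST['Ilibrary']` are still concatenated raw into the HTML on the two `print(...)` lines after the widened check, so the page's protection against script injection rests entirely on what check_request_literal_params rejects, which is not visible in this hunk. Escaping at the output site is the cheaper guarantee and costs nothing if the validator is already strict: `...'Interface '".htmlspecialchars($_REQUEST['Iname'], ENT_QUOTES));` and `print( " (".htmlspecialchars($_REQUEST['Ilibrary'], ENT_QUOTES).")" );`. The same two lines appear unchanged in the `list_int_by_library` hunk below and should get the same treatment. The enclosing switch starts outside the hunk.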
@@ -91,7 +91,7 @@
         display_int_by_component($_REQUEST['Iname']);
         break;
     case "list_int_by_library":
-        check_request_literal_params("Iname");
+        check_request_literal_params("Iname", "Ilibrary");
         print("<table class='limage' width=\"100%\"><tr><td valign=\"bottom\"><font class='topfont'>Interface '".$_REQUEST['Iname']);
         if( isset($_REQUEST['Ilibrary']) ) {
             print( " (".$_REQUEST['Ilibrary'].")" );
@@ -193,7 +193,7 @@
             display_single_int($row['Iname'], $row['Ilibrary']);
         }
         else if( isset($_REQUEST['Iname']) ) {
-            check_request_literal_params("Ilibrary");
+            check_request_literal_params("Iname", "Ilibrary");
             display_single_int( $_REQUEST['Iname'], $_REQUEST['Ilibrary'] );
         }
         else {

=== modified file 'browse/interface.php'
--- a/browse/interface.php	2011-08-29 07:50:40 +0000
+++ b/browse/interface.php	2012-05-17 18:51:11 +0000
@@ -16,6 +16,7 @@
 // if we have "list-by-library" request, set $archfilter to library's id;
 // however, do not do thi if user has changed Architecture filter
 if( isset($_REQUEST['Aid']) and !isset($_REQUEST['changearch']) and ctype_digit($_REQUEST['Aid']) ) {
+    check_request_numeric_params("Aid");
     $archfilter = $_REQUEST['Aid'];
 }
 else if( isset($_REQUEST['changearch']) ) {
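Review bot: The added `check_request_numeric_params("Aid");` is reached only after the enclosing `if` has already required `ctype_digit($_REQUEST['Aid'])`, so as a validation step it can never reject anything here and reads as redundant. If the helper also normalises the value before it is copied into `$archfilter` (the call's side effects are not visible here), a comment such as `// already gated by ctype_digit above; kept so Aid is normalised like the other numeric params` would explain why both are present; otherwise the call should be dropped rather than leaving two checks for one value. Removing `ctype_digit` from the condition instead is not equivalent, since a non-numeric Aid currently falls through to the `else if` branch and the helper's failure behaviour is unknown.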

=== modified file 'browse/lib_single.php'
--- a/browse/lib_single.php	2011-08-29 07:50:40 +0000
+++ b/browse/lib_single.php	2012-05-17 18:51:11 +0000
@@ -87,6 +87,8 @@
 
         print_app_category_filters();
         create_tmp_Application_table(true);
+        check_request_numeric_params("Lid");
+        check_request_literal_params("Lname");
         if( isset($_REQUEST["Lid"]) ) {
             display_lib_ints_app_usage($_REQUEST["Lid"]);
         }
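Review bot: The two new checks on Lid and Lname run after `print_app_category_filters();` and `create_tmp_Application_table(true);`, so if the helpers reject a bad value, output has already been sent and a temporary table has already been created for the request. Validation is cheapest before any side effects: move `check_request_numeric_params("Lid");` and `check_request_literal_params("Lname");` to just above `print_app_category_filters();`, where nothing in between depends on them. The enclosing block starts outside the hunk.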


