gnuheter-dev

[Gnuheter-dev] user: isRealUser, XSS


From: Ulf Harnhammar
Subject: [Gnuheter-dev] user: isRealUser, XSS
Date: Thu, 11 Jul 2002 10:52:44 +0200 (CEST)

Hi,

here is a patch for user.php. It calls isRealUser() to avoid spoofing of
changes to user data. It also fixes some XSS problems.

// Ulf Härnhammar


--- user.php.old        Thu Jul 11 10:34:13 2002
+++ user.php    Thu Jul 11 10:44:30 2002
@@ -26,6 +26,7 @@
 # $Id: user.php,v 1.5 2002/06/22 14:18:31 pawal Exp $
 
 if(!isset($mainfile)) { include('mainfile.php'); }
+isRealUser($HTTP_COOKIE_VARS['user']);
 
 function user_nav() {
        html_page_head();
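Review bot: the return value of isRealUser($HTTP_COOKIE_VARS['user']) on the added line is discarded, so unless isRealUser() itself terminates the request on a forged or stale cookie, this call does not stop the spoofing the message describes; if it returns a boolean, check it, e.g. `if (!isRealUser($HTTP_COOKIE_VARS['user'])) { exit; }`, or redirect to the login form. The call also sits at file scope ahead of user_nav(), so it runs on every request to user.php, including anonymous visitors with no 'user' cookie at all; confirm that isRealUser() tolerates an unset $HTTP_COOKIE_VARS['user'] rather than warning or rejecting, and consider restricting the check to the code paths that actually modify account data.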
@@ -459,6 +460,11 @@
        } elseif (($pass != "") && (strlen($pass) < $minpass)) {
                echo "<div align=\"center\">".translate("Sorry, your password 
must be at least")." <b>$minpass</b> ".translate("characters long")."</div>\n";
        } else {
+               $name = strip_tags($name);
+               $email = strip_tags($email);
+               $femail = strip_tags($femail);
+               $url = strip_tags($url);
+
                if ($bio) { $bio = filter_text($bio); $bio = FixQuotes($bio); }
                if ($pass != "") {
                        dbconnect();
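Review bot: strip_tags() on $name, $email, $femail and $url removes tags but leaves quotes and URL schemes untouched, so a $url of javascript:... or a $name containing `" onmouseover="...` still injects script wherever these values are later written inside an HTML attribute; encode at output with htmlspecialchars($value, ENT_QUOTES) and restrict $url to http:// or https:// rather than relying on stripping at input time. The stripping also lives only in this final else branch, after the two password checks, so it is worth confirming that no earlier branch echoes $name or $url unencoded.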

Attachment: gnuheter_patch37
Description: Text document
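The XSS fix in the patch relies on strip_tags(). As an added example, not code from the patch, the project or the author, the PHP script below uses its own helper names and constructed attacker inputs to show where strip_tags() falls short once a value lands inside an HTML attribute, and contrasts it with output-time encoding and a URL scheme allow-list:

```php
<?php
// Added example, not part of the gnuheter patch or project. Shows why the
// strip_tags() the patch applies to $name/$email/$femail/$url does not by
// itself stop XSS when the values are placed in HTML attributes, and what
// output-time encoding plus a URL scheme check look like. All inputs are
// constructed test strings; the helper names are this example's own.

// What the patch does: remove tags at input time.
function sanitize_with_strip_tags($value) {
    return strip_tags($value);
}

// Encode at output time. ENT_QUOTES escapes both " and ' so the value is
// inert inside either kind of attribute quoting as well as in text nodes.
function encode_for_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Profile URLs additionally need a scheme allow-list: strip_tags() leaves
// "javascript:" intact because it contains no tag.
function safe_profile_url($url) {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return '';
    }
    return in_array(strtolower($scheme), array('http', 'https'), true) ? $url : '';
}

// Render a profile link the way a page like user.php might: the URL goes
// into href, the name into a title attribute and into the link text.
function render_profile_link($name, $url) {
    return '<a href="' . $url . '" title="' . $name . '">' . $name . "</a>\n";
}

// Constructed attacker inputs: neither contains a tag, so strip_tags()
// returns both unchanged.
$name = 'Ulf" onmouseover="alert(document.cookie)';
$url  = 'javascript:alert(document.cookie)';

// 1. strip_tags() only: the quote in $name closes the title attribute and
//    adds an event handler, and the javascript: URL survives in href.
echo "strip_tags only:\n";
echo render_profile_link(sanitize_with_strip_tags($name),
                         sanitize_with_strip_tags($url));

// 2. Output encoding plus scheme check: the quotes become &quot; and the
//    disallowed URL is replaced by an empty string.
echo "\nencoded + scheme check:\n";
echo render_profile_link(encode_for_html($name),
                         encode_for_html(safe_profile_url($url)));

// 3. Benign input renders normally under the same treatment.
echo "\nbenign input:\n";
echo render_profile_link(encode_for_html('Ulf Härnhammar'),
                         encode_for_html(safe_profile_url('https://example.org/')));
```

Run it with `php example.php`. The first block of output is the attribute break-out and the javascript: href that strip_tags() lets through; the second shows the same inputs rendered inert. The general lesson applies beyond this patch: tag stripping at input is a weak substitute for encoding every untrusted value at the point where it is written into HTML, with a separate allow-list for values that are interpreted as URLs.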

