Kyle Auble : Tighten up URL validation in news plugin
Jeremy Newman
jnewman at winehq.org
Thu May 17 13:52:26 CDT 2018
Module: website
Branch: master
Commit: 5cd195b1ac9ff47e92b8b31526212c4915be048e
URL: https://source.winehq.org/git/website.git/?a=commit;h=5cd195b1ac9ff47e92b8b31526212c4915be048e
Author: Kyle Auble <kauble7 at gmail.com>
Date: Sat May 12 20:21:31 2018 -0400
Tighten up URL validation in news plugin
>From d3a7af7eca5c14ec48202eef65e3d8eb55aee459 Mon Sep 17 00:00:00 2001
From: Kyle Auble <kauble7 at gmail.com>
Date: Thu, 10 May 2018 17:19:24 -0400
Subject: [PATCH website] Tighten up URL validation in news plugin
Fixes https://bugs.winehq.org/show_bug.cgi?id=44764
Signed-off-by: Kyle Auble <kauble7 at gmail.com>
Signed-off-by: Jeremy Newman <jnewman at codeweavers.com>
---
include/plugins/news.php | 59 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 47 insertions(+), 12 deletions(-)
diff --git a/include/plugins/news.php b/include/plugins/news.php
index 3d78b74..94f18e3 100644
--- a/include/plugins/news.php
+++ b/include/plugins/news.php
@@ -10,19 +10,53 @@
if (!empty($_GET['lang']) and in_array($_GET['lang'], $config->languages))
$html->lang = $_GET['lang'];
-// display news based on page params
-switch (true)
+// Display news based on page params
+// The news plugin expects a narrow range of options though...
+// ... so scrub out anything except relevant values
+
+// If there are no potential parameters in the URL...
+if (!defined('PAGE_PARAMS'))
+ $flag = 'default';
+
+// If a specific date is referenced...
+else if (preg_match("/[0-9]{10}/", PAGE_PARAMS, $matches))
+{
+ $item = $matches[0] . '.xml';
+ $vars = array();
+
+ // Ensure valid news actually exists for this date
+ if (file_exists($config->news_xml_path.'/'.$html->lang.'/'.$item))
+ {
+ $vars = get_xml_tags($config->news_xml_path.'/'.$html->lang.'/'.$item, array('date', 'title', 'link', 'body'));
+ $flag = 'single';
+ }
+ else if (file_exists($config->news_xml_path.'/'.$config->lang.'/'.$item))
+ {
+ $vars = get_xml_tags($config->news_xml_path.'/'.$config->lang.'/'.$item, array('date', 'title', 'link', 'body'));
+ $flag = 'single';
+ }
+ else
+ $flag = 'default';
+}
+
+// If the RSS feed is requested specifically...
+else if (preg_match("/rss/", PAGE_PARAMS))
+{
+ $feed = 'xml';
+ $flag = 'rss';
+}
+
+// Anything else...
+else
+ $flag = 'default';
+
+// Now handle the details based on the control flag
+switch ($flag)
{
// single issue view
- case (defined('PAGE_PARAMS') and preg_match("/[0-9]{10}/", PAGE_PARAMS)):
+ case 'single':
- // get data from XML file
- $item = PAGE_PARAMS . '.xml';
- $vars = array();
- if (file_exists($config->news_xml_path.'/'.$html->lang.'/'.$item))
- $vars = get_xml_tags($config->news_xml_path.'/'.$html->lang.'/'.$item, array('date', 'title', 'link', 'body'));
- else
- $vars = get_xml_tags($config->news_xml_path.'/'.$config->lang.'/'.$item, array('date', 'title', 'link', 'body'));
+ // The single flag guarantees vars already has the news path
// set open graph tags
$html->meta_og['title'] = trim($vars['title']);
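Review bot: The new `else if (preg_match("/rss/", PAGE_PARAMS))` is a substring test and so accepts any parameter string that merely contains "rss", whereas the old `case` it replaces required `PAGE_PARAMS == "rss"` exactly; an anchored form such as `else if (PAGE_PARAMS === 'rss')` (or `preg_match('/^rss$/', PAGE_PARAMS)`) keeps the commit's intent of narrowing what the plugin accepts. The `[0-9]{10}` branch above it is likewise unanchored, so a parameter with extra characters around the ten digits still resolves to the same item; that is tolerable here because only `$matches[0]`, which is exactly ten digits plus `.xml`, ever reaches the `file_exists`/`get_xml_tags` path, and it would be worth stating that in the comment, e.g. `// Only the ten-digit match itself is used as the file name, so the path stays bounded`. The `$feed = 'xml'` assignment is read only inside `case 'rss':` in the next hunk, which makes the later `get_files(..., $feed)` call harder to follow than the literal it replaces; if the indirection is intended for future feed formats, a short comment saying so would help. The `switch ($flag)` block continues past the end of this hunk.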
@@ -57,12 +91,13 @@ switch (true)
echo $html->template('base', 'news_row', $vars);
echo $html->p($html->ahref('<span class="glyphicon glyphicon-backward"></span>', "{$html->_web_root}/news", 'class="btn btn-default"'));
break;
+ // end single issue
// RSS view
- case (defined('PAGE_PARAMS') and PAGE_PARAMS == "rss"):
+ case 'rss':
// get list of news items
- $news = get_files($config->news_xml_path."/".$config->lang, "xml");
+ $news = get_files($config->news_xml_path."/".$config->lang, $feed);
$news = array_reverse ($news);
// clear cache and output the rss file