APPDB - patch
Chris Morgan
cmorgan at alum.wpi.edu
Wed Jun 14 20:06:12 CDT 2006
Looks better.
Why are we calling strip_tags() here and a few other locations but not
consistently? Should we be calling strip_tags() on nearly all of the input
parameters?
+$aClean['appId'] = makeSafe(strip_tags($_POST['appId']));
+$aClean['versionId'] = makeSafe(strip_tags($_POST['versionId']));
+$aClean['confirmed'] = makeSafe(strip_tags($_POST['confirmed']));
+$aClean['superMaintainer'] = makeSafe(strip_tags($_POST['superMaintainer']);
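Review bot: the last line of this block does not parse: `makeSafe(strip_tags($_POST['superMaintainer']);` closes only one of its two opening parentheses. It should read `$aClean['superMaintainer'] = makeSafe(strip_tags($_POST['superMaintainer']));`. Separately, if appId, versionId and superMaintainer are numeric identifiers, casting with `(int)` (or validating with is_numeric()) is a stricter check than strip_tags(), which only removes tags and leaves quotes and other characters in place.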
There is some inconsistent indenting here:
+
+ $aClean = array(); //array of filtered user input
+
+ $aClean['appCatId'] = makeSafe($_REQUEST['appCatId']);
+ $aClean['appName'] = makeSafe($_REQUEST['appName']);
+ $aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
+ $aClean['appVendorId'] = makeSafe($_REQUEST['appVendorId']);
+ $aClean['appDescription'] = makeSafe($_REQUEST['appDescription']);
+
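Review bot: this block reads from $_REQUEST while the earlier block reads from $_POST. $_REQUEST also accepts values from the query string and cookies, so a form intended to be submitted by POST would accept the same fields from a crafted URL; unless that is intended, read from $_POST consistently. This block also applies makeSafe() alone without strip_tags(), which is the inconsistency raised above; the decision of whether to strip tags belongs per field (plain-text names and ids versus the HTML-formatted appDescription) rather than per file.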
I'll try to fix any of these I notice before applying the patch. The standard
with appdb code is to use spaces and not tabs btw.
Btw, have you tested that with this patch you are able to submit an
application and a version and that all of the HTML-formatted contents of the
app description and the like come through correctly?
Chris
On Wednesday 14 June 2006 8:25 pm, EA Durbin wrote:
> Security enhancements.
>
> Filter all potential user input for tainted data.
>
> I've removed my separate patches. Here is my updated security patch with
> the corrections as suggested.
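The two questions raised in this thread, whether strip_tags() should be applied to every parameter and whether HTML-formatted descriptions survive it, are easier to answer when all request parameters go through one filter that is configured per field. The following is an added example, not code from the appdb patch or the appdb project; filterInput() and the $spec array are hypothetical, and appdb's makeSafe() is not used because its behaviour is not shown on the page. The second argument of strip_tags() (the list of allowed tags) is standard PHP.

```php
<?php
// Added illustration, not part of the appdb patch under review.
// filterInput() and the $spec format are hypothetical helpers.

function filterInput(array $source, array $spec): array
{
    $clean = array(); // array of filtered user input
    foreach ($spec as $name => $type) {
        $raw = isset($source[$name]) ? (string) $source[$name] : '';
        switch ($type) {
            case 'int':
                // Numeric ids: a cast leaves nothing that a tag or quote
                // could ride in on, so no strip_tags() is needed here.
                $clean[$name] = (int) $raw;
                break;
            case 'text':
                // Plain-text fields (names, vendor): remove every tag.
                $clean[$name] = strip_tags($raw);
                break;
            case 'html':
                // HTML-formatted fields (app description): keep a short
                // whitelist of formatting tags so the formatting survives.
                // Caveat: strip_tags() does not remove attributes on the
                // tags it keeps, so an onclick= on <b> would pass through;
                // if attributes are possible, they need separate handling.
                $clean[$name] = strip_tags($raw, '<p><br><b><i><ul><li>');
                break;
            default:
                throw new InvalidArgumentException("unknown field type for $name");
        }
    }
    return $clean;
}

// Constructed sample input standing in for $_POST.
$post = array(
    'appId'          => '42<script>',
    'appName'        => 'My <script>alert(1)</script> App',
    'appDescription' => '<p>Runs <b>fine</b> on Wine</p><script>bad()</script>',
);

// One field map for the whole form; the same map decides both which
// source keys are read and how each one is cleaned.
$spec = array(
    'appId'          => 'int',
    'appName'        => 'text',
    'appDescription' => 'html',
);

$aClean = filterInput($post, $spec);
var_dump($aClean);
```

Because the map names every field that is read, a parameter missing from $spec is never copied into $aClean, which addresses the "nearly all of the input parameters" question structurally rather than by remembering to call strip_tags() at each site. Output escaping (htmlspecialchars() when echoing, and the database escaping that makeSafe() presumably does) is a separate step and still applies to the cleaned values.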