[97681] trunk/www/ports.php

wsiegrist at apple.com wsiegrist at apple.com
Tue Sep 11 15:49:50 PDT 2012


Revision: 97681
          http://trac.macports.org//changeset/97681
Author:   wsiegrist at apple.com
Date:     2012-09-11 15:28:59 -0700 (Tue, 11 Sep 2012)
Log Message:
-----------
Guard against XSS by stripping non-numeric values from page and pagesize

Modified Paths:
--------------
    trunk/www/ports.php

Modified: trunk/www/ports.php
===================================================================
--- trunk/www/ports.php	2012-09-11 21:51:30 UTC (rev 97680)
+++ trunk/www/ports.php	2012-09-11 22:28:59 UTC (rev 97681)
@@ -19,8 +19,8 @@
     }
     $by = isset($_GET['by']) ? $_GET['by'] : '';
     $substr = isset($_GET['substr']) ? $_GET['substr'] : '';
-    $page = isset($_GET['page']) ? max($_GET['page'], 1) : '1';
-    $pagesize = isset($_GET['pagesize']) ? max($_GET['pagesize'], 1) : 50; # arbitrary setting
+    $page = isset($_GET['page']) ? max(intval($_GET['page']), 1) : '1';
+    $pagesize = isset($_GET['pagesize']) ? max(intval($_GET['pagesize']), 1) : 50; # arbitrary setting
 
     print_header('The MacPorts Project -- Available Ports', 'utf-8');
 ?>
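Review bot: The two new lines still leave `$page` with a mixed type: the `isset` branch now yields an int from `max(intval(...), 1)` while the fallback is the string `'1'`, which later comparisons or `===` checks would treat differently; make the fallback `1`, e.g. `$page = isset($_GET['page']) ? max((int) $_GET['page'], 1) : 1;`. `$pagesize` is clamped only from below, so a request can still ask for an arbitrarily large page size; clamping with `min(max((int) $_GET['pagesize'], 1), PAGESIZE_MAX)` (constant to be chosen) keeps the query cost bounded. `$by` and `$substr` two lines above are taken from `$_GET` unchanged; if they are echoed into the page further down (outside this hunk) they need `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` at the output site, since the commit's XSS guard covers only the two numeric parameters. The enclosing block starts before this hunk.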

