[97681] trunk/www/ports.php
wsiegrist at apple.com
wsiegrist at apple.com
Tue Sep 11 15:49:50 PDT 2012
Revision: 97681
http://trac.macports.org//changeset/97681
Author: wsiegrist at apple.com
Date: 2012-09-11 15:28:59 -0700 (Tue, 11 Sep 2012)
Log Message:
-----------
Guard against XSS by stripping non-numeric values from page and pagesize
Modified Paths:
--------------
trunk/www/ports.php
Modified: trunk/www/ports.php
===================================================================
--- trunk/www/ports.php 2012-09-11 21:51:30 UTC (rev 97680)
+++ trunk/www/ports.php 2012-09-11 22:28:59 UTC (rev 97681)
@@ -19,8 +19,8 @@
}
$by = isset($_GET['by']) ? $_GET['by'] : '';
$substr = isset($_GET['substr']) ? $_GET['substr'] : '';
- $page = isset($_GET['page']) ? max($_GET['page'], 1) : '1';
- $pagesize = isset($_GET['pagesize']) ? max($_GET['pagesize'], 1) : 50; # arbitrary setting
+ $page = isset($_GET['page']) ? max(intval($_GET['page']), 1) : '1';
+ $pagesize = isset($_GET['pagesize']) ? max(intval($_GET['pagesize']), 1) : 50; # arbitrary setting
print_header('The MacPorts Project -- Available Ports', 'utf-8');
?>
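Review bot: The new `$pagesize` line bounds the value only from below, so a request with an arbitrarily large `pagesize` still reaches whatever query or loop later consumes it; keeping the `intval()` fix but adding an upper bound, e.g. `$pagesize = isset($_GET['pagesize']) ? min(max(intval($_GET['pagesize']), 1), $maxPageSize) : 50;` with `$maxPageSize` a limit of your choosing, caps the work a single request can trigger. The new `$page` line yields an int on one branch and the string `'1'` on the other; `: 1` would make the two branches consistent with each other and with `$pagesize`. The adjacent `$by` and `$substr` assignments still pass the raw request values through unchanged, and where they are printed or used in a query is outside this hunk, so the XSS concern in the log message should be confirmed for them at their point of output as well.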