[aur-dev] [PATCH] Sanitize input of package functions in pkg_funcs.inc
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
---
 web/lib/pkgfuncs.inc | 32 ++++++++++++++++++++++++++++++++
 1 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/web/lib/pkgfuncs.inc b/web/lib/pkgfuncs.inc
index 06171fa..27b623a 100644
--- a/web/lib/pkgfuncs.inc
+++ b/web/lib/pkgfuncs.inc
@@ -1086,6 +1086,12 @@ function pkg_delete ($atype, $ids) {
 return __("You did not select any packages to delete.");
 }
 
+ foreach ($ids as $pid) {
+ if (!is_numeric($pid)) {
+ return __("You did not select any packages to delete.");
+ }
+ }
+
 # Delete the packages in $ids array (but only if they are Unsupported)
 #
 $dbh = db_connect();
@@ -1175,6 +1181,16 @@ function pkg_adopt ($atype, $ids, $action = True) {
 return __("You did not select any packages to disown.");
 }
 }
+
+ foreach ($ids as $pid) {
+ if (!is_numeric($pid)) {
+ if ($action) {
+ return __("You did not select any packages to adopt.");
+ } else {
+ return __("You did not select any packages to disown.");
+ }
+ }
+ }
 
 $dbh = db_connect();
 
@@ -1242,6 +1258,16 @@ function pkg_vote ($atype, $ids, $action = True) {
 return __("Your votes have been removed from the selected packages.");
 }
 }
+
+ foreach ($ids as $pid) {
+ if (!is_numeric($ids)) {
+ if ($action) {
+ return __("You did not select any packages to vote for.");
+ } else {
+ return __("Your votes have been removed from the selected packages.");
+ }
+ }
+ }
 
 $dbh = db_connect();
 $my_votes = pkgvotes_from_sid($_COOKIE["AURSID"]);
@@ -1320,6 +1346,12 @@ function pkg_notify ($atype, $ids) {
 return __("Couldn't add to notification list.");
 }
 
+ foreach ($ids as $pid) {
+ if (!is_numeric($ids)) {
+ return __("Couldn't add to notification list.");
+ }
+ }
+
 $dbh = db_connect();
 $uid = uid_from_sid($_COOKIE["AURSID"]);
 
--
1.6.0.2
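Review bot: `is_numeric($pid)` in the pkg_delete hunk is a looser filter than a package id needs: it accepts values like `"1.5"`, `"1e3"` and strings with leading whitespace, so a value can pass this check and still not be a plain integer id when it reaches the query code further down in the function (which lies outside the hunk, so I cannot see how `$ids` is interpolated there). Since the intent is to admit only integer ids, a digits-only test such as `if (!ctype_digit((string) $pid)) {` pins that down and leaves no room for exponent or decimal forms. The same loosened check is used in the pkg_adopt, pkg_vote and pkg_notify hunks, so it would be worth tightening in all four places at once. All four enclosing functions begin before and continue after their hunks.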
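Review bot: The pkg_vote hunk tests `is_numeric($ids)` instead of the loop variable `$pid`; `$ids` is the array being iterated, so `is_numeric` is always false and the function returns the error on the first iteration for every non-empty `$ids`, meaning voting can never reach `db_connect()`. The check should read `if (!is_numeric($pid)) {`. The pkg_notify hunk has the identical `is_numeric($ids)` mistake and will likewise reject every request, so both lines need the same fix. pkg_vote's body continues past the end of the hunk.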
You've got a lot of code here that's essentially repeated. I would look at doing this another way, such as putting it in a function maybe and having a common error message. "Invalid PKGBUILD ID specified." or something.