Merge pull request #43 from bram1000/master

Fix CVE-2023-36993, CVE-2023-36994, CVE-2023-36995
This commit is contained in:
Catalin Novgorodschi
2024-05-15 12:54:07 +03:00
committed by GitHub
7 changed files with 16 additions and 7 deletions
+1
View File
@@ -82,6 +82,7 @@ class adm_DB {
$bcrypted = false;
}
$username = htmlspecialchars($username);
if($pwOk) {
// update password to bcrypt, if correct
if (!$dbarray['is_bcrypt'] && !$bcrypted) {
+4
View File
@@ -3016,6 +3016,8 @@ class MYSQLi_DB implements IDbConnection {
function setAlliName($aid, $name, $tag) {
list($aid, $name, $tag) = $this->escape_input((int) $aid, $name, $tag);
$name = $this->RemoveXSS($name);
$tag = $this->RemoveXSS($tag);
$q = "UPDATE " . TB_PREFIX . "alidata set name = '$name', tag = '$tag' where id = $aid";
return mysqli_query($this->dblink,$q);
@@ -3109,6 +3111,8 @@ class MYSQLi_DB implements IDbConnection {
*****************************************/
function createAlliance($tag, $name, $uid, $max) {
list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, (int) $uid, (int) $max);
$tag = $this->RemoveXSS($tag);
$name = $this->RemoveXSS($name);
$q = "INSERT into " . TB_PREFIX . "alidata values (0,'$name','$tag',$uid,0,0,0,'','',$max,0,0,0,0,0,0,0,0,0)";
mysqli_query($this->dblink,$q);
+1 -1
View File
@@ -18,7 +18,7 @@ class MyGenerator {
public function generateRandStr($length){
$randstr = "";
for($i = 0; $i < $length; $i++){
$randnum = mt_rand(0, 61);
$randnum = random_int(0, 61);
if($randnum < 10) $randstr .= chr($randnum + 48);
else if($randnum < 36) $randstr .= chr($randnum + 55);
else $randstr .= chr($randnum + 61);
+3 -3
View File
@@ -163,7 +163,7 @@
private function getStart($search) {
$multiplier = 1;
if(!is_numeric($search)) {
$_SESSION['search'] = $search;
$_SESSION['search'] = htmlspecialchars($search);
} else {
if($search > count($this->rankarray)) {
$search = count($this->rankarray) - 1;
@@ -172,8 +172,8 @@
$multiplier += 1;
}
$start = 20 * $multiplier - 19 - 1;
$_SESSION['search'] = $search;
$_SESSION['start'] = $start;
$_SESSION['search'] = htmlspecialchars($search);
$_SESSION['start'] = htmlspecialchars($start);
}
}
+2 -2
View File
@@ -36,12 +36,12 @@ if($_POST) {
if(substr($key, 0, 8) == 'linkname') {
$i = substr($key, 8);
$links[$i]['linkname'] = mysqli_real_escape_string($database->dblink, $value);
$links[$i]['linkname'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value));
}
if(substr($key, 0, 8) == 'linkziel') {
$i = substr($key, 8);
$links[$i]['linkziel'] = mysqli_real_escape_string($database->dblink, $value);
$links[$i]['linkziel'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value));
}
}
+4
View File
@@ -12,6 +12,10 @@
// don't let SQL time out when 30-500 seconds (depending on php.ini) is not enough
@set_time_limit(0);
if (file_exists("../var/installed")) {
die("<span class='f18 c5'>ERROR!</span><br />Installation appears to have been completed.<br />If this is an error remove /var/installed file in install directory.");
}
class Process {
function __construct() {
+1 -1
View File
@@ -186,7 +186,7 @@ Element.implement({
<tbody>
<tr class="top">
<th><?php echo NAME; ?></th>
<td><input class="text" type="text" name="user" value="<?php echo stripslashes(stripslashes(stripslashes($form->getDiff("user",$_COOKIE['COOKUSR'])))); ?>" maxlength="30" autocomplete='off' /> <span class="error"> <?php echo $form->getError("user"); ?></span></td>
<td><input class="text" type="text" name="user" value="<?php echo htmlspecialchars($form->getDiff("user",$_COOKIE['COOKUSR'])); ?>" maxlength="30" autocomplete='off' /> <span class="error"> <?php echo $form->getError("user"); ?></span></td>
</tr>
<tr class="btm">
<th><?php echo PASSWORD; ?></th>