Comunic/ComunicAPI
1
0
Fork 0
mirror of https://github.com/pierre42100/ComunicAPI synced 2025-11-04 04:04:20 +00:00
Code Issues Projects Releases Wiki Activity

Fixed security breach issue

Browse Source
This commit is contained in:
Pierre
2018-04-20 14:11:14 +02:00
parent 19292b70b0
commit 7a0cbc3214
3 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
RestControllers/SettingsController.php
View File

@@ -57,8 +57,8 @@ class SettingsController {
//Create and fill a GeneralSettings object with the new values //Create and fill a GeneralSettings object with the new values
$settings = new GeneralSettings(); $settings = new GeneralSettings();
$settings->set_id(userID); $settings->set_id(userID);
$settings->set_firstName(postString("firstName", 3)); $settings->set_firstName(removeHTMLnodes(postString("firstName", 3)));
$settings->set_lastName(postString("lastName", 3)); $settings->set_lastName(removeHTMLnodes(postString("lastName", 3)));
$settings->set_publicPage(postBool("isPublic")); $settings->set_publicPage(postBool("isPublic"));
$settings->set_openPage(postBool("isOpen")); $settings->set_openPage(postBool("isOpen"));
$settings->rationalizePublicOpenStatus(); $settings->rationalizePublicOpenStatus();
@@ -69,6 +69,12 @@ class SettingsController {
$settings->set_virtualDirectory($virtualDirectory); $settings->set_virtualDirectory($virtualDirectory);
$settings->set_allowComunicMails(postBool("allow_comunic_mails")); $settings->set_allowComunicMails(postBool("allow_comunic_mails"));
//Check personnal webiste
if($settings->has_personnalWebsite()){
if(!filter_var($settings->get_personnalWebsite(), FILTER_VALIDATE_URL))
Rest_fatal_error(401, "Invalid personnal URL!");
}
//Try to update settings //Try to update settings
if(!components()->settings->save_general($settings)) if(!components()->settings->save_general($settings))
Rest_fatal_error(500, "Coud not save user settings!"); Rest_fatal_error(500, "Coud not save user settings!");

4
RestControllers/accountController.php
View File

@@ -96,8 +96,8 @@ class accountController {
//Create new account object //Create new account object
$newAccount = new NewAccount(); $newAccount = new NewAccount();
$newAccount->firstName = $firstName; $newAccount->firstName = removeHTMLnodes($firstName);
$newAccount->lastName = $lastName; $newAccount->lastName = removeHTMLnodes($lastName);
$newAccount->email = $email; $newAccount->email = $email;
$newAccount->password = $password; $newAccount->password = $password;

2
functions/requests.php
View File

@@ -500,7 +500,7 @@ function checkUserDirectoryValidity(string $directory) : bool {
return FALSE; return FALSE;
//Check if the domain contains forbidden characters //Check if the domain contains forbidden characters
if(str_replace(array(".html", ".txt", ".php", "à", "â", "é", "ê", "@", "/", "\"", "'", '"'), "", $directory) != $directory) if(str_replace(array(".html", ".txt", ".php", "à", "â", "é", "ê", "@", "/", "\"", "'", '"', "<", ">", "?", "&", "#"), "", $directory) != $directory)
return FALSE; return FALSE;
//If we get there, the domain is valid //If we get there, the domain is valid