mirror of
https://github.com/pierre42100/ComunicAPI
synced 2024-11-27 07:49:27 +00:00
Fixed security breach issue
This commit is contained in:
parent
19292b70b0
commit
7a0cbc3214
@ -57,8 +57,8 @@ class SettingsController {
|
||||
//Create and fill a GeneralSettings object with the new values
|
||||
$settings = new GeneralSettings();
|
||||
$settings->set_id(userID);
|
||||
$settings->set_firstName(postString("firstName", 3));
|
||||
$settings->set_lastName(postString("lastName", 3));
|
||||
$settings->set_firstName(removeHTMLnodes(postString("firstName", 3)));
|
||||
$settings->set_lastName(removeHTMLnodes(postString("lastName", 3)));
|
||||
$settings->set_publicPage(postBool("isPublic"));
|
||||
$settings->set_openPage(postBool("isOpen"));
|
||||
$settings->rationalizePublicOpenStatus();
|
||||
@ -69,6 +69,12 @@ class SettingsController {
|
||||
$settings->set_virtualDirectory($virtualDirectory);
|
||||
$settings->set_allowComunicMails(postBool("allow_comunic_mails"));
|
||||
|
||||
//Check personnal webiste
|
||||
if($settings->has_personnalWebsite()){
|
||||
if(!filter_var($settings->get_personnalWebsite(), FILTER_VALIDATE_URL))
|
||||
Rest_fatal_error(401, "Invalid personnal URL!");
|
||||
}
|
||||
|
||||
//Try to update settings
|
||||
if(!components()->settings->save_general($settings))
|
||||
Rest_fatal_error(500, "Coud not save user settings!");
|
||||
|
@ -96,8 +96,8 @@ class accountController {
|
||||
|
||||
//Create new account object
|
||||
$newAccount = new NewAccount();
|
||||
$newAccount->firstName = $firstName;
|
||||
$newAccount->lastName = $lastName;
|
||||
$newAccount->firstName = removeHTMLnodes($firstName);
|
||||
$newAccount->lastName = removeHTMLnodes($lastName);
|
||||
$newAccount->email = $email;
|
||||
$newAccount->password = $password;
|
||||
|
||||
|
@ -500,7 +500,7 @@ function checkUserDirectoryValidity(string $directory) : bool {
|
||||
return FALSE;
|
||||
|
||||
//Check if the domain contains forbidden characters
|
||||
if(str_replace(array(".html", ".txt", ".php", "à", "â", "é", "ê", "@", "/", "\"", "'", '"'), "", $directory) != $directory)
|
||||
if(str_replace(array(".html", ".txt", ".php", "à", "â", "é", "ê", "@", "/", "\"", "'", '"', "<", ">", "?", "&", "#"), "", $directory) != $directory)
|
||||
return FALSE;
|
||||
|
||||
//If we get there, the domain is valid
|
||||
|
Loading…
Reference in New Issue
Block a user