[OBS-1152] Security fixes + other small fixes - Observium

Details

Type: Improvement
Resolution: Fixed
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Web Interface
Labels:

Description

Attached patch escapes some more output show to user. Fixes XSS exploits.
Also added a wrapper function (escape()) for the htmlspecialchars (long and boring to type..). Let me know if another name may be more suitable for the function. I did not change all the htmlspecialchars yet, waste of time if this does not get commited

Other changes;
Changed $_POST/GET into $vars in multiple files in html/
Removed mres for place it was not needed or was redundant.
Fixed a typo in generic_definition.inc.php
Check if bill name is set when adding bill, if not don't add an empty entry to DB

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

security-and-misc-fixesv2.patch
63 kB
2015/01/24 10:44 AM

Activity

[OBS-1152] Security fixes + other small fixes

Mike Stupalov added a comment - 2015/01/28 07:57 AM

Commited in r6207.

Note, some changes not compatible with patch, you can get svn errors.

Mike Stupalov added a comment - 2015/01/28 07:57 AM Commited in r6207. Note, some changes not compatible with patch, you can get svn errors.

Kent Johannessen added a comment - 2015/01/24 10:44 AM

another update.. damn this is hard. time to sleep i think

Kent Johannessen added a comment - 2015/01/24 10:44 AM another update.. damn this is hard. time to sleep i think

Kent Johannessen added a comment - 2015/01/24 10:37 AM

see updated - went with escape_html()

Kent Johannessen added a comment - 2015/01/24 10:37 AM see updated - went with escape_html()

Adam Armstrong added a comment - 2015/01/24 10:25 AM

can you give escape() a more specific name? escape_web() or escape_html() or something.

Adam Armstrong added a comment - 2015/01/24 10:25 AM can you give escape() a more specific name? escape_web() or escape_html() or something.

Kent Johannessen added a comment - 2015/01/24 10:07 AM

small update

Kent Johannessen added a comment - 2015/01/24 10:07 AM small update

Kent Johannessen added a comment - 2015/01/19 06:57 PM

updated patch. removed php version check in escape function
fixed some other stuff

Kent Johannessen added a comment - 2015/01/19 06:57 PM updated patch. removed php version check in escape function fixed some other stuff

Kent Johannessen added a comment - 2015/01/05 03:19 AM

I see that, but the main reason of the wrapper is less typing, and in the future it's easier to change just one function instead of several places in many files

Kent Johannessen added a comment - 2015/01/05 03:19 AM I see that, but the main reason of the wrapper is less typing, and in the future it's easier to change just one function instead of several places in many files

Mike Stupalov added a comment - 2015/01/05 02:42 AM

This escape() function absolutely superfluous, there is absolutely no need to check the version of php, just always explicitly specify the encoding.

Mike Stupalov added a comment - 2015/01/05 02:42 AM This escape() function absolutely superfluous, there is absolutely no need to check the version of php, just always explicitly specify the encoding.

People

Assignee:: Mike Stupalov

Reporter:: Kent Johannessen

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015/01/04 11:27 PM

Updated:: 2015/02/02 06:00 PM

Resolved:: 2015/01/28 07:57 AM