[OBS-1152] Security fixes + other small fixes - Observium

Details

Type: Improvement
Resolution: Fixed
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Web Interface
Labels:

Description

Attached patch escapes some more output show to user. Fixes XSS exploits.
Also added a wrapper function (escape()) for the htmlspecialchars (long and boring to type..). Let me know if another name may be more suitable for the function. I did not change all the htmlspecialchars yet, waste of time if this does not get commited

Other changes;
Changed $_POST/GET into $vars in multiple files in html/
Removed mres for place it was not needed or was redundant.
Fixed a typo in generic_definition.inc.php
Check if bill name is set when adding bill, if not don't add an empty entry to DB

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

security-and-misc-fixesv2.patch
63 kB
2015/01/24 10:44 AM

Activity

[OBS-1152] Security fixes + other small fixes

Mike Stupalov added a comment - 2015/01/28 07:57 AM

Commited in r6207.

Note, some changes not compatible with patch, you can get svn errors.

Mike Stupalov added a comment - 2015/01/28 07:57 AM Commited in r6207. Note, some changes not compatible with patch, you can get svn errors.

Kent Johannessen added a comment - 2015/01/24 10:44 AM

another update.. damn this is hard. time to sleep i think

Kent Johannessen added a comment - 2015/01/24 10:44 AM another update.. damn this is hard. time to sleep i think

Kent Johannessen added a comment - 2015/01/24 10:37 AM

see updated - went with escape_html()

Kent Johannessen added a comment - 2015/01/24 10:37 AM see updated - went with escape_html()

Adam Armstrong added a comment - 2015/01/24 10:25 AM

can you give escape() a more specific name? escape_web() or escape_html() or something.

Adam Armstrong added a comment - 2015/01/24 10:25 AM can you give escape() a more specific name? escape_web() or escape_html() or something.

Kent Johannessen added a comment - 2015/01/24 10:07 AM

small update

Kent Johannessen added a comment - 2015/01/24 10:07 AM small update

Kent Johannessen added a comment - 2015/01/19 06:57 PM

updated patch. removed php version check in escape function
fixed some other stuff

Kent Johannessen added a comment - 2015/01/19 06:57 PM updated patch. removed php version check in escape function fixed some other stuff

People

Assignee:: Mike Stupalov

Reporter:: Kent Johannessen

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015/01/04 11:27 PM

Updated:: 2015/02/02 06:00 PM

Resolved:: 2015/01/28 07:57 AM