Diverse shell-kritische zeichen raus
bernd

bernd commited on 2007-06-16 14:33:33
Zeige 2 geänderte Dateien mit 6 Einfügungen und 2 Löschungen.


git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@505 87cf0b9e-d624-0410-a070-f6ee81989793
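--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -17,6 +17,10 @@ function filter_quotes( $input )
         return ereg_replace('["\'`]', '', $input );
 }
 
+function filter_shell( $input )
+{
+        return ereg_replace('["\'` \t\r\n]', '', $input );
+}
 
 
 ?>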
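Review bot: The pattern in the new `filter_shell` is a single-quoted PHP string, so `\t`, `\r` and `\n` reach ereg as a backslash followed by the letters t, r, n, and a POSIX bracket expression treats backslash literally — the filter therefore strips the letters t, r, n and `\` from a password while leaving real tab, CR and LF characters untouched. A double-quoted pattern makes PHP translate the escapes before the regex sees them, e.g. ``return ereg_replace("[\"'` \t\r\n]", '', $input );``. Independently of that, a character blacklist still passes other shell-significant characters such as `$`, `;`, `|`, `&` and parentheses, and silently deleting characters means the credential stored by the callers in the other file (create_jabber_account, change_jabber_password) differs from what the user typed. Rejecting a password that fails a whitelist, and applying `escapeshellarg()` at the point where the value is actually passed to a shell (not visible in this diff), would be the more robust boundary; a short comment above the function stating which characters it removes and why would also help the next reader.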
@@ -46,7 +46,7 @@ function create_jabber_account($local, $domain, $password)
46 46
 
47 47
   $local = mysql_real_escape_string( filter_input_username($local) );
48 48
   $domain = (int) $domain;
49
-  $password = mysql_real_escape_string( filter_quotes( $password ) );
49
+  $password = mysql_real_escape_string( filter_shell( $password ) );
50 50
   
51 51
   if ($domain > 0)
52 52
   {
@@ -85,7 +85,7 @@ function change_jabber_password($id, $newpass)
85 85
   require_role(ROLE_CUSTOMER);
86 86
   $customerno = (int) $_SESSION['customerinfo']['customerno'];
87 87
   $id = (int) $id;
88
-  $newpass = mysql_real_escape_string( filter_quotes( $newpass ) );
88
+  $newpass = mysql_real_escape_string( filter_shell( $newpass ) );
89 89
   
90 90
   $query = "UPDATE jabber.accounts SET password='{$newpass}' WHERE customerno={$customerno} AND id={$id} LIMIT 1";
91 91
   DEBUG($query);
92 92