[Mapbender-commits] r8929 - trunk/mapbender/http/plugins
Wed Jun 25 01:42:15 PDT 2014
Author: armin11
Date: 2014-06-25 01:42:15 -0700 (Wed, 25 Jun 2014)
New Revision: 8929
Modified:
trunk/mapbender/http/plugins/mb_downloadFeedClient.php
Log:
Secure script against XSS vulnerability - pentest 03/2014
Modified: trunk/mapbender/http/plugins/mb_downloadFeedClient.php
===================================================================
--- trunk/mapbender/http/plugins/mb_downloadFeedClient.php 2014-06-25 07:31:49 UTC (rev 8928)
+++ trunk/mapbender/http/plugins/mb_downloadFeedClient.php 2014-06-25 08:42:15 UTC (rev 8929)
@@ -1,20 +1,20 @@
<?php
- //http://localhost/mapbender_trunk/plugins/mb_downloadFeedClient.php
- require_once dirname(__FILE__) . "/../../core/globalSettings.php";
- require_once dirname(__FILE__) . "/../classes/class_user.php";
+//http://localhost/mapbender_trunk/plugins/mb_downloadFeedClient.php
+require_once dirname(__FILE__) . "/../../core/globalSettings.php";
+require_once dirname(__FILE__) . "/../classes/class_user.php";
if (isset($_REQUEST['url']) & $_REQUEST['url'] != "") {
- //validate to iso date format YYYY-MM-DD
+ //validate
$testMatch = $_REQUEST["url"];
- $pattern = '/^http\:\/\/[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(\/\S*)?$/';
- if (!preg_match($pattern,$testMatch)){
- //echo 'url: <b>'.$testMatch.'</b> is not a valid url.<br/>';
- //die();
- }
- $url = urldecode($testMatch);
+ if (preg_match('#^(http|https):\/\/#i', $testMatch) && filter_var($testMatch, FILTER_VALIDATE_URL)) {
+ $testMatch = htmlspecialchars($testMatch, ENT_QUOTES);
+ $url = urldecode($testMatch);
+ } else {
+ echo 'Parameter <b>url</b> is not a valid url.<br/>';
+ die();
+ }
$testMatch = NULL;
-}
-
+}
?>
<html>
<head>
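Review bot: The escape-then-decode order on the new `$url` assignment can be bypassed: `htmlspecialchars()` runs on the raw parameter and `urldecode()` runs afterwards, so a value such as `http://example.com/%3Cscript%3E` passes `FILTER_VALIDATE_URL`, is left untouched by the escaping, and decodes to a `$url` that contains a literal `<script>`. Escaping at this point also rewrites `&` in any query string to `&amp;`, which silently changes the URL if the script fetches it server-side as its name suggests, and a purely syntactic check does not restrict the destination host in that case. Decode first, validate the decoded value, and escape at the point of output instead: `$url = urldecode($_REQUEST['url']);` followed by `if (!preg_match('#^https?://#i', $url) || !filter_var($url, FILTER_VALIDATE_URL)) { echo '...'; die(); }`, with `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')` applied wherever `$url` is echoed into HTML further down the file. Note too that the unchanged guard uses bitwise `&` rather than `&&`, so `$_REQUEST['url']` is still read when the parameter is absent. Where `$url` is consumed lies outside this hunk, and the hunk's trailing context is cut off in this view.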