Commit 39950fe2 authored by Dries's avatar Dries

- Committed a modified version of Ulf's input checking changes.  Patch #95.
  I added an error message, changed a few things around and fixed two typos.
parent e2f098af
......@@ -482,7 +482,7 @@ function referer_load() {
}
}
function xss_check_input_data($data) {
function valid_input_data($data) {
if (is_array($data)) {
/*
......@@ -490,7 +490,9 @@ function xss_check_input_data($data) {
*/
foreach ($data as $key => $value) {
xss_check_input_data($value);
if (!valid_input_data($value)) {
return 0;
}
}
}
else {
......@@ -512,9 +514,11 @@ function xss_check_input_data($data) {
if ($match) {
watchdog("warning", "terminated request because of suspicious input data: ". drupal_specialchars($data));
die("terminated request because of suspicious input data");
return 0;
}
}
return 1;
}
function check_url($uri) {
......@@ -1049,7 +1053,9 @@ function drupal_page_header() {
*/
if (!user_access("bypass input data check")) {
xss_check_input_data($_REQUEST);
if (!valid_input_data($_REQUEST)) {
die("terminated request because of suspicious input data");
}
}
}
......
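Review bot: `die("terminated request because of suspicious input data")` in drupal_page_header ends the request with the default 200 status and a bare text body, so caches, proxies and monitoring see a successful page; sending an error status first, e.g. `header("HTTP/1.0 403 Forbidden");` on the line before the `die(...)`, makes the rejection visible to them. The watchdog entry is still written inside valid_input_data, so nothing is lost by moving the die out of that function. valid_input_data inspects only values — `$key` in the foreach is never passed to it — so request parameter names are not covered by the check; whether that matters depends on whether keys are ever rendered, which the hunk does not show, so a comment such as `// only values are checked, not keys` would make the scope explicit. drupal_page_header's body starts outside the hunk.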
......@@ -291,7 +291,7 @@ function import_refresh($feed) {
*/
if (!ereg("^http://|ftp://", $feed["url"])) {
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%side" => $feed["title"]));
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%site" => $feed["title"]));
}
/*
......@@ -306,7 +306,9 @@ function import_refresh($feed) {
fclose($fp);
// filter the input data:
xss_check_input_data($data);
if (!valid_input_data($data)) {
return t("failed to parse RSS feed '%site': suspicious input data.", array("%site" => $feed["title"]));
}
// parse the data:
$xml_parser = xml_parser_create();
......
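Review bot: The URL check `if (!ereg("^http://|ftp://", $feed["url"]))` anchors only the first alternative, because ERE alternation binds loosest, so `ftp://` is accepted anywhere in the string and a URL that merely contains it later on passes; `ereg("^(http|ftp)://", $feed["url"])` anchors both schemes. The new valid_input_data call receives the entire fetched feed body, and on a match the watchdog line inside valid_input_data logs `drupal_specialchars($data)` in full, so one bad feed puts the whole document into the log; truncating the logged data or logging the feed title instead keeps entries bounded. The two repeated copies of these import_refresh hunks below show the same lines and this note applies to them as well. import_refresh's body starts and ends outside the hunks.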
......@@ -291,7 +291,7 @@ function import_refresh($feed) {
*/
if (!ereg("^http://|ftp://", $feed["url"])) {
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%side" => $feed["title"]));
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%site" => $feed["title"]));
}
/*
......@@ -306,7 +306,9 @@ function import_refresh($feed) {
fclose($fp);
// filter the input data:
xss_check_input_data($data);
if (!valid_input_data($data)) {
return t("failed to parse RSS feed '%site': suspicious input data.", array("%site" => $feed["title"]));
}
// parse the data:
$xml_parser = xml_parser_create();
......
......@@ -291,7 +291,7 @@ function import_refresh($feed) {
*/
if (!ereg("^http://|ftp://", $feed["url"])) {
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%side" => $feed["title"]));
return t("failed to parse RSS feed '%site': incorrect or missing URL.", array("%site" => $feed["title"]));
}
/*
......@@ -306,7 +306,9 @@ function import_refresh($feed) {
fclose($fp);
// filter the input data:
xss_check_input_data($data);
if (!valid_input_data($data)) {
return t("failed to parse RSS feed '%site': suspicious input data.", array("%site" => $feed["title"]));
}
// parse the data:
$xml_parser = xml_parser_create();
......