Key: MDL-12793
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Minor
Assignee: Petr Skoda (frankenstein)
Reporter: Petr Skoda (frankenstein)
Votes: 0
Watchers: 0
Moodle

PARAM_HOST incorrect cleaning

Created: 02/Jan/08 02:27 AM   Updated: 19/Jan/08 02:03 AM
Component/s: General
Affects Version/s: 1.6, 1.7, 1.8, 1.9
Fix Version/s: 1.6.6, 1.7.4, 1.8.4, 1.9

Participants: Petr Skoda (frankenstein)
Security Level: None
Resolved date: 02/Jan/08
Affected Branches: MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
Fixed Branches: MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE


Description
incorrect use of preg_replace:

case PARAM_HOST: // allow FQDN or IPv4 dotted quad
preg_replace('/[^\.\d\w-]/','', $param ); // only allowed chars
....
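
The defect reported above is that preg_replace() returns the cleaned string and does not modify its argument, so the quoted call has no effect on $param. The PHP below is an added example, not Moodle's code or the committed fix: it puts the discarded-result call beside the assigned one. The function names, the sample inputs and the host_validate() stand-in for the validation elided as "...." are assumptions.

```php
<?php
// Added illustration; names and sample inputs are constructed, not Moodle's code.

// Mirrors the line quoted in the report: the result of preg_replace() is
// thrown away, so the raw input continues unchanged.
function host_strip_discarded(string $param): string {
    preg_replace('/[^\.\d\w-]/', '', $param); // return value discarded
    return $param;                            // still the raw input
}

// Same pattern with the result assigned back.
function host_strip_assigned(string $param): string {
    $param = preg_replace('/[^\.\d\w-]/', '', $param);
    return $param ?? '';                      // preg_replace() returns null on error
}

// Hypothetical stand-in for the elided validation: accept an IPv4 dotted quad
// or dot-separated host labels, otherwise return ''. The D modifier stops "$"
// from matching before a trailing newline.
function host_validate(string $param): string {
    if (preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/D', $param, $m)) {
        foreach (array_slice($m, 1) as $octet) {
            if ((int)$octet > 255) {
                return '';
            }
        }
        return $param;
    }
    $label = '[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?';
    return preg_match("/^$label(\\.$label)*\$/D", $param) ? $param : '';
}

// Constructed sample inputs: two clean hosts, two with disallowed characters.
$samples = ['moodle.example.org', '192.0.2.10', 'bad host!.example.org', "example.org\n"];
foreach ($samples as $raw) {
    $discarded = host_strip_discarded($raw);
    $assigned  = host_strip_assigned($raw);
    echo json_encode($raw), "\n";
    echo "  result discarded: ", json_encode($discarded),
         " -> validated: ", json_encode(host_validate($discarded)), "\n";
    echo "  result assigned:  ", json_encode($assigned),
         " -> validated: ", json_encode(host_validate($assigned)), "\n";
}
```

With a strict validation step after the strip, the discarded-result variant rejects the two malformed inputs outright, while the assigned variant first reduces them to badhost.example.org and example.org and then accepts them.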



Petr Skoda (frankenstein) added a comment - 02/Jan/08 02:51 AM
fixed in cvs

Petr Skoda (frankenstein) added a comment - 19/Jan/08 02:03 AM
downgrading - no dangerous characters should be able to get through