Changeset 10519

Timestamp:
11/02/10 15:16:31 (3 years ago)
Author:
p_lindheimer
Message:

Merged revisions 10518 via svnmerge from
http://www.freepbx.org/v2/svn/modules/branches/2.7

................

r10518 | p_lindheimer | 2010-11-02 12:14:32 -0700 (Tue, 02 Nov 2010) | 16 lines


Merged revisions 10517 via svnmerge from
http://svn.freepbx.org/modules/branches/2.8


................

r10517 | p_lindheimer | 2010-11-02 12:12:08 -0700 (Tue, 02 Nov 2010) | 9 lines


Merged revisions 10516 via svnmerge from
http://svn.freepbx.org/modules/branches/2.9


........

r10516 | p_lindheimer | 2010-11-02 12:10:23 -0700 (Tue, 02 Nov 2010) | 1 line


fixes #4618 xss security issue and some other precautions unreported

........

................

................

Files:

  • modules/branches/2.6

    • Property svnmerge-integrated changed from /modules/branches/2.5:1-7809,7812,7854,7858-7865,7878,7886,7890,7915,7967-7968,8036-8037,9751 /modules/branches/2.7:1-8497,8576-8578,8581,8585,8662-8669,8690,8709,8821,8883,8944,9219,9543,10300,10340,10392,10399-10422,10424-10426,10428-10429,10432,10436-10458 to /modules/branches/2.5:1-7809,7812,7854,7858-7865,7878,7886,7890,7915,7967-7968,8036-8037,9751 /modules/branches/2.7:1-8497,8576-8578,8581,8585,8662-8669,8690,8709,8821,8883,8944,9219,9543,10300,10340,10392,10399-10422,10424-10426,10428-10429,10432,10436-10458,10518
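--- a/modules/branches/2.6/customappsreg/functions.inc.php
+++ b/modules/branches/2.6/customappsreg/functions.inc.php
@@ -115,7 +115,7 @@
   }
 
-  $custom_dest = q($custom_dest);
-  $description = q($description);
-  $notes       = q($notes);
+  $custom_dest = sql_formattext($custom_dest);
+  $description = sql_formattext($description);
+  $notes       = sql_formattext($notes);
   $sql = "INSERT INTO custom_destinations (custom_dest, description, notes) VALUES ($custom_dest, $description, $notes)";
   $results = $db->query($sql);
@@ -143,7 +143,7 @@
   }
 
-  $custom_exten = q($custom_exten);
-  $description  = q($description);
-  $notes        = q($notes);
+  $custom_exten = sql_formattext($custom_exten);
+  $description  = sql_formattext($description);
+  $notes        = sql_formattext($notes);
   $sql = "INSERT INTO custom_extensions (custom_exten, description, notes) VALUES ($custom_exten, $description, $notes)";
   $results = $db->query($sql);
@@ -191,8 +191,8 @@
 
   $sql = "UPDATE custom_destinations SET ".
-    "custom_dest = ".q($custom_dest).", ".
-    "description = ".q($description).", ".
-    "notes = ".q($notes)." ".
-    "WHERE custom_dest = ".q($old_custom_dest);
+    "custom_dest = ".sql_formattext($custom_dest).", ".
+    "description = ".sql_formattext($description).", ".
+    "notes = ".sql_formattext($notes)." ".
+    "WHERE custom_dest = ".sql_formattext($old_custom_dest);
   $result = $db->query($sql);
   if(DB::IsError($result)) {
@@ -205,8 +205,8 @@
 
   $sql = "UPDATE custom_extensions SET ".
-    "custom_exten = ".q($custom_exten).", ".
-    "description = ".q($description).", ".
-    "notes = ".q($notes)." ".
-    "WHERE custom_exten = ".q($old_custom_exten);
+    "custom_exten = ".sql_formattext($custom_exten).", ".
+    "description = ".sql_formattext($description).", ".
+    "notes = ".sql_formattext($notes)." ".
+    "WHERE custom_exten = ".sql_formattext($old_custom_exten);
   $result = $db->query($sql);
   if(DB::IsError($result)) {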
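Review bot: All four statements still assemble SQL by string concatenation, so the fix rests entirely on sql_formattext() returning a fully quoted and escaped literal for every input; that function is outside this hunk, so confirm it escapes for the configured driver rather than only wrapping the value in quotes. The WHERE clauses at lines 196 and 210 deserve the same check, since $old_custom_dest and $old_custom_exten are request-supplied and select which row is rewritten. The file already uses PEAR DB (DB::IsError), so a placeholder query such as `$db->query("INSERT INTO custom_destinations (custom_dest, description, notes) VALUES (?, ?, ?)", array($custom_dest, $description, $notes));` would remove the need for hand escaping in these four places. The enclosing functions start and end outside these hunks.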
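--- a/modules/branches/2.6/customappsreg/page.customdests.php
+++ b/modules/branches/2.6/customappsreg/page.customdests.php
@@ -22,6 +22,6 @@
 $old_custom_dest = isset($_REQUEST['old_custom_dest']) ? $_REQUEST['old_custom_dest'] :  '';
 $custom_dest     = isset($_REQUEST['extdisplay']) ? $_REQUEST['extdisplay'] :  '';
-$description     = isset($_REQUEST['description']) ? $_REQUEST['description'] :  '';
-$notes           = isset($_REQUEST['notes']) ? $_REQUEST['notes'] :  '';
+$description     = isset($_REQUEST['description']) ? htmlentities($_REQUEST['description']) :  '';
+$notes           = isset($_REQUEST['notes']) ? htmlentities($_REQUEST['notes']) :  '';
 
 switch ($action) {
@@ -105,5 +105,5 @@
   if (!empty($usage_list)) {
   ?>
-    <td><b><?php echo $custom_dest; ?></b></td>
+    <td><b><?php echo htmlentities($custom_dest); ?></b></td>
   <?php
   } else {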
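Review bot: htmlentities() is applied to $description and $notes at input time (lines 24–25), so the entity-encoded form is what gets passed on and stored, and any later output path that escapes again will double-encode; escaping belongs at the output site, as line 107 now does for $custom_dest. The new calls also use the default flags, which leave single quotes unencoded, so the values are not safe inside a single-quoted attribute; `htmlentities($_REQUEST['description'], ENT_QUOTES)` closes that gap. $old_custom_dest and $custom_dest on lines 22–23 still enter the page unescaped, so every other place they are echoed needs the same treatment as line 107; only one output site is visible in this hunk.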
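--- a/modules/branches/2.6/customappsreg/page.customextens.php
+++ b/modules/branches/2.6/customappsreg/page.customextens.php
@@ -20,8 +20,10 @@
 if (isset($_REQUEST['delete'])) $action = 'delete';
 
-$old_custom_exten = isset($_REQUEST['old_custom_exten']) ? $_REQUEST['old_custom_exten'] :  '';
-$custom_exten     = isset($_REQUEST['extdisplay']) ? $_REQUEST['extdisplay'] :  '';
-$description     = isset($_REQUEST['description']) ? $_REQUEST['description'] :  '';
-$notes           = isset($_REQUEST['notes']) ? $_REQUEST['notes'] :  '';
+$custom_exten = preg_replace("/[^0-9*#]/" ,"", trim($custom_exten));
+
+$old_custom_exten = isset($_REQUEST['old_custom_exten']) ? preg_replace("/[^0-9*#]/" ,"",$_REQUEST['old_custom_exten']) :  '';
+$custom_exten     = isset($_REQUEST['extdisplay']) ? preg_replace("/[^0-9*#]/" ,"",$_REQUEST['extdisplay']) :  '';
+$description     = isset($_REQUEST['description']) ? htmlentities($_REQUEST['description']) :  '';
+$notes           = isset($_REQUEST['notes']) ? htmlentities($_REQUEST['notes']) :  '';
 
 switch ($action) {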
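Review bot: Line 22 filters $custom_exten before the variable is assigned from the request on line 25, so unless it is set somewhere above this hunk it only raises an undefined-variable notice and its result is overwritten three lines later; `$custom_exten = preg_replace("/[^0-9*#]/" ,"", trim($custom_exten));` is dead code and should be dropped along with the blank line after it. Restricting $old_custom_exten and $custom_exten to digits, `*` and `#` on lines 24–25 is the right shape for an extension and also bounds what reaches the SQL layer. As in page.customdests.php, htmlentities() on $description and $notes at input time stores encoded text; escape at the output site instead, and pass ENT_QUOTES wherever the value lands in an attribute.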