diff options
| author | Michael Tänzer <neo@nhng.de> | 2014-05-01 01:05:17 +0200 |
|---|---|---|
| committer | Michael Tänzer <neo@nhng.de> | 2014-05-01 02:11:07 +0200 |
| commit | debc6736b5f380d6a023389f3151fe5a2cb144cf (patch) | |
| tree | 3c8bcfedc5e669b62d32f8ba1bda729b99b7063b /includes | |
| parent | 554493552e248fcd15d5523a5904ca38eda44680 (diff) | |
| download | cacert-devel-debc6736b5f380d6a023389f3151fe5a2cb144cf.tar.gz cacert-devel-debc6736b5f380d6a023389f3151fe5a2cb144cf.tar.xz cacert-devel-debc6736b5f380d6a023389f3151fe5a2cb144cf.zip | |
bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSS
Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'includes')
| -rw-r--r-- | includes/account.php | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/includes/account.php b/includes/account.php index 9f5946f..bf503ec 100644 --- a/includes/account.php +++ b/includes/account.php @@ -1436,7 +1436,7 @@ function buildSubjectFromSession() { $_SESSION['_config']['emails'][] = $val; } $_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name']))); - $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU']))); + $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU'])); $_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description'])); } @@ -1503,7 +1503,7 @@ function buildSubjectFromSession() { if($_SESSION['_config']['name'] != "") $emails .= "commonName = ".$_SESSION['_config']['name']."\n"; if($_SESSION['_config']['OU']) - $emails .= "organizationalUnitName = ".$_SESSION['_config']['OU']."\n"; + $emails .= "organizationalUnitName = ".mysql_real_escape_string($_SESSION['_config']['OU'])."\n"; if($org['O']) $emails .= "organizationName = ".$org['O']."\n"; if($org['L']) @@ -2436,7 +2436,7 @@ function buildSubjectFromSession() { else $masteracc = $_SESSION['_config'][masteracc] = 0; $_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['email']))); - $OU = $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU']))); + $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU'])); $comments = $_SESSION['_config']['comments'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['comments']))); $res = mysql_query("select * from `users` where `email`='".$_REQUEST['email']."' and `deleted`=0"); if(mysql_num_rows($res) <= 0) @@ -2458,7 +2458,7 @@ function buildSubjectFromSession() { set `memid`='".intval($row['id'])."', `orgid`='".intval($_SESSION['_config']['orgid'])."', `masteracc`='$masteracc', - `OU`='$OU', + `OU`='".mysql_real_escape_string($_SESSION['_config']['OU'])."', `comments`='$comments'"); } } |