authorMichael Tänzer <neo@nhng.de>2014-05-01 01:05:17 +0200
committerMichael Tänzer <neo@nhng.de>2014-05-01 02:11:07 +0200
commitdebc6736b5f380d6a023389f3151fe5a2cb144cf (patch)
tree3c8bcfedc5e669b62d32f8ba1bda729b99b7063b /includes
parent554493552e248fcd15d5523a5904ca38eda44680 (diff)
bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSS
Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'includes')
-rw-r--r--includes/account.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/includes/account.php b/includes/account.php
index 9f5946f..bf503ec 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -1436,7 +1436,7 @@ function buildSubjectFromSession() {
$_SESSION['_config']['emails'][] = $val;
}
$_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name'])));
- $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+ $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU']));
$_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description']));
}
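Review bot: `name` on the context line just above the change is still passed through `mysql_real_escape_string()` before it is stored in the session, so it keeps the double-escaping this commit removes for `OU`; the hunk at 2436 leaves `email` and `comments` in the same state. The hunk at 1503 then concatenates `$_SESSION['_config']['name']` into the `commonName = ` line, where the SQL backslashes would end up in the generated text. Storing it raw as well, `$_SESSION['_config']['name'] = stripslashes(trim($_REQUEST['name']));`, is only safe if every query that reads it escapes at the point of use, and those queries are outside the visible hunks. The enclosing block starts and ends outside this hunk.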
@@ -1503,7 +1503,7 @@ function buildSubjectFromSession() {
if($_SESSION['_config']['name'] != "")
$emails .= "commonName = ".$_SESSION['_config']['name']."\n";
if($_SESSION['_config']['OU'])
- $emails .= "organizationalUnitName = ".$_SESSION['_config']['OU']."\n";
+ $emails .= "organizationalUnitName = ".mysql_real_escape_string($_SESSION['_config']['OU'])."\n";
if($org['O'])
$emails .= "organizationName = ".$org['O']."\n";
if($org['L'])
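Review bot: `mysql_real_escape_string()` is an SQL-literal escaper, but the added line applies it to text appended to `organizationalUnitName = …\n`, which looks like a subject or config line rather than a query. Where `$emails` is consumed is not visible here; if it ends up in a query, escaping the whole of `$emails` once at that query would be clearer, and if it feeds a certificate request the value needs a check suited to that format (at least rejecting line breaks) instead. `$org['O']` and `$org['L']` on the following lines are appended with no escaping at all, so the block treats its fields inconsistently. A comment such as `// $emails is later used in <sink>; escape for that context` would document the intent.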
@@ -2436,7 +2436,7 @@ function buildSubjectFromSession() {
else
$masteracc = $_SESSION['_config'][masteracc] = 0;
$_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['email'])));
- $OU = $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+ $_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU']));
$comments = $_SESSION['_config']['comments'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['comments'])));
$res = mysql_query("select * from `users` where `email`='".$_REQUEST['email']."' and `deleted`=0");
if(mysql_num_rows($res) <= 0)
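Review bot: After the changed line, `$_SESSION['_config']['OU']` holds the raw request value (the same applies to the changed line in the hunk at 1436), so every consumer has to encode it for its own context. The SQL sink is handled in the hunk at 2458, but the commit title also mentions XSS and no HTML output of the value appears in this diff, which is limited to `includes`; pages that print it would need `htmlspecialchars($_SESSION['_config']['OU'], ENT_QUOTES, 'UTF-8')`. A comment on the assignment, e.g. `// raw user input: escape at each sink (SQL, HTML)`, would keep later edits from reintroducing either bug. The enclosing block continues outside the hunk.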
@@ -2458,7 +2458,7 @@ function buildSubjectFromSession() {
set `memid`='".intval($row['id'])."',
`orgid`='".intval($_SESSION['_config']['orgid'])."',
`masteracc`='$masteracc',
- `OU`='$OU',
+ `OU`='".mysql_real_escape_string($_SESSION['_config']['OU'])."',
`comments`='$comments'");
}
}