secure scripts which should not be called directly (install/update stuff); avoid url-manipulation

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
Michael Kaufmann (d00p)
2014-12-27 15:13:25 +01:00
parent 4523ef87b7
commit 4b0507c4d3
4 changed files with 35 additions and 0 deletions


@@ -31,6 +31,14 @@ function buildNavigation($navigation, $userinfo) {
$returnvalue = '';
// sanitize user-given input (url-manipulation)
if (isset($_GET['page']) && is_array($_GET['page'])) {
$_GET['page'] = (string)$_GET['page'][0];
}
if (isset($_GET['action']) && is_array($_GET['action'])) {
$_GET['action'] = (string)$_GET['action'][0];
}
foreach($navigation as $box) {
if ((!isset($box['show_element']) || $box['show_element'] === true) &&
(!isset($box['required_resources']) || $box['required_resources'] == '' || (isset($userinfo[$box['required_resources']]) && ((int)$userinfo[$box['required_resources']] > 0 || $userinfo[$box['required_resources']] == '-1')))) {
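Review bot: The new array branch `$_GET['page'] = (string)$_GET['page'][0];` (and the matching line for `action`) assumes the array has an element 0 and that it is a scalar. An array with other keys raises an undefined-offset notice and becomes an empty string, and a nested array is cast to the literal string `Array` with a conversion notice, so the value is still not a clean string. Taking the first element and accepting only scalars would close both cases: `$first = reset($_GET['page']); $_GET['page'] = is_scalar($first) ? (string)$first : '';`. Only `$_GET` is normalised here; if other code reads these parameters from `$_POST` or `$_REQUEST`, which cannot be seen in this hunk, those copies stay arrays. The `foreach` body continues outside the hunk, so how `page` and `action` are consumed there is not visible.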