From 7245dc2ec3ec6f1299235617a57d8a8b5a25795c Mon Sep 17 00:00:00 2001
From: rurban
Date: Tue, 13 Oct 2009 07:46:22 +0000
Subject: [PATCH] Revert r7194 Properly fix "limit" database injection. limit mostly has a "," It is encoded as [offset,]count
git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@7209 96ab9672-09ca-45d6-a79d-3d69d39ca109
---
lib/PageList.php | 23 +++++++++++++++++++----
lib/WikiDB/backend.php | 15 ++++++++++++---
lib/plugin/AllPages.php | 4 ----
lib/plugin/AllUsers.php | 4 ----
lib/plugin/BackLinks.php | 4 ----
lib/plugin/FullTextSearch.php | 4 ----
lib/plugin/LikePages.php | 4 ----
lib/plugin/LinkDatabase.php | 4 ----
lib/plugin/LinkSearch.php | 4 ----
lib/plugin/ListPages.php | 4 ----
lib/plugin/ListRelations.php | 5 -----
lib/plugin/ListSubpages.php | 5 -----
lib/plugin/MostPopular.php | 5 -----
lib/plugin/RandomPage.php | 5 -----
lib/plugin/RecentReferrers.php | 5 -----
lib/plugin/SemanticSearch.php | 5 -----
lib/plugin/SemanticSearchAdvanced.php | 5 -----
lib/plugin/TitleSearch.php | 5 -----
lib/plugin/UnfoldSubpages.php | 5 -----
lib/plugin/WantedPages.php | 5 -----
lib/plugin/WikiAdminSelect.php | 5 -----
21 files changed, 31 insertions(+), 94 deletions(-)
diff --git a/lib/PageList.php b/lib/PageList.php
index ef082e9b6..37091167b 100644
--- a/lib/PageList.php
+++ b/lib/PageList.php
@@ -1359,11 +1359,26 @@ class PageList { } function limit($limit) { - if (is_array($limit)) return $limit; - if (strstr($limit, ',')) - return split(',', $limit); - else + if (is_array($limit)) { + list($from, $count) = $limit; + if ((!empty($from) && !is_numeric($from)) or (!empty($count) && !is_numeric($count))) { + return $this->error(_("Illegal 'limit' argument: must be numeric")); + } + return $limit; + } + if (strstr($limit, ',')) { + list($from, $limit) = split(',', $limit); + if ((!empty($from) && !is_numeric($from)) or (!empty($limit) && !is_numeric($limit))) { + return $this->error(_("Illegal 'limit' argument: must be numeric")); + } + return array($from, $limit); + } + else { + if (!empty($limit) && !is_numeric($limit)) { + return $this->error(_("Illegal 'limit' argument: must be numeric")); + } return array(0, $limit); + } } function pagingTokens($numrows = false, $ncolumns = false, $limit = false) { diff --git a/lib/WikiDB/backend.php b/lib/WikiDB/backend.php index 11934e9e4..688f64bc8 100644 --- a/lib/WikiDB/backend.php +++ b/lib/WikiDB/backend.php @@ -524,10 +524,19 @@ class WikiDB_backend * list($offset,$count) = $this->limit($args['limit']); */ function limit($limit) { - if (strstr($limit, ',')) - return split(',', $limit); - else + if (strstr($limit, ',')) { + list($from, $limit) = split(',', $limit); + if ((!empty($from) && !is_numeric($from)) or (!empty($limit) && !is_numeric($limit))) { + return $this->error(_("Illegal 'limit' argument: must be numeric")); + } + return array($from, $limit); + } + else { + if (!empty($limit) && !is_numeric($limit)) { + return $this->error(_("Illegal 'limit' argument: must be numeric")); + } return array(0, $limit); + } } /** diff --git a/lib/plugin/AllPages.php b/lib/plugin/AllPages.php index ce9491ce5..42c1ef975 100644 --- a/lib/plugin/AllPages.php +++ b/lib/plugin/AllPages.php 
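Review bot: The new guards in PageList::limit() rely on is_numeric(), which also accepts signed, fractional and exponent strings such as `-1`, `1.5` or `1e3`, so a value that is not a plain non-negative integer still passes and is presumably carried on into the LIMIT clause. A digits-only test, e.g. `if (!empty($from) && !ctype_digit((string)$from))` with the same form for the count, would restrict both parts to what an offset and a row count can legitimately be. In the array branch the first two elements are validated but the original `$limit` is returned, so anything beyond them is handed back unchecked; `return array($from, $count);` would return only what was validated. The same is_numeric() checks appear in the lib/WikiDB/backend.php hunk that follows.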
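Review bot: On invalid input WikiDB_backend::limit() now returns the result of `$this->error(...)` instead of a two-element array, although the doc comment directly above it shows callers doing `list($offset,$count) = $this->limit($args['limit']);`. Whether WikiDB_backend defines error() and what it returns is not visible in this hunk; if the result is not an array, the destructuring presumably leaves offset and count empty, so the query may run without a limit instead of being rejected. Because this commit drops the per-plugin checks (the UnfoldSubpages.php hunk still hands `$limit` to `$dbi->titleSearch(...)`), every backend query path now has to call limit() and test its result before building the LIMIT clause. At minimum I would state the contract in the doc comment, e.g. `* Returns array($offset, $count), or the result of error() if either part is not numeric; check before list().` PageList::limit() in the previous hunk returns `$this->error(...)` the same way.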
@@ -66,10 +66,6 @@ extends WikiPlugin function run($dbi, $argstr, $request, $basepage) { $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - $pages = false; // Todo: extend given _GET args if (defined('DEBUG') && DEBUG && $args['debug']) { diff --git a/lib/plugin/AllUsers.php b/lib/plugin/AllUsers.php index 19a72707d..3fd88dffe 100644 --- a/lib/plugin/AllUsers.php +++ b/lib/plugin/AllUsers.php @@ -67,10 +67,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); if (defined('DEBUG') && DEBUG && $debug) { $timer = new DebugTimer; diff --git a/lib/plugin/BackLinks.php b/lib/plugin/BackLinks.php index 944754cec..448c0a34d 100644 --- a/lib/plugin/BackLinks.php +++ b/lib/plugin/BackLinks.php @@ -60,10 +60,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); if (empty($page) and $page != '0') return ''; diff --git a/lib/plugin/FullTextSearch.php b/lib/plugin/FullTextSearch.php index c123f0fc1..716756a2d 100644 --- a/lib/plugin/FullTextSearch.php +++ b/lib/plugin/FullTextSearch.php @@ -73,10 +73,6 @@ extends WikiPlugin $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if (empty($args['s'])) { return HTML(); } diff --git a/lib/plugin/LikePages.php b/lib/plugin/LikePages.php index 954de6c89..f1105670f 100644 --- a/lib/plugin/LikePages.php +++ b/lib/plugin/LikePages.php 
@@ -59,10 +59,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); if (empty($page) && empty($prefix) && empty($suffix)) return ''; diff --git a/lib/plugin/LinkDatabase.php b/lib/plugin/LinkDatabase.php index 2afae2089..0bed275aa 100644 --- a/lib/plugin/LinkDatabase.php +++ b/lib/plugin/LinkDatabase.php @@ -76,10 +76,6 @@ extends WikiPluginCached global $WikiTheme; $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - $caption = _("All pages with all links in this wiki (%d total):"); if ( !empty($args['owner']) ) { diff --git a/lib/plugin/LinkSearch.php b/lib/plugin/LinkSearch.php index dc684d01c..a7cbc42e2 100644 --- a/lib/plugin/LinkSearch.php +++ b/lib/plugin/LinkSearch.php @@ -130,10 +130,6 @@ function dirsign_switch() { global $WikiTheme; $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if (empty($args['page'])) $args['page'] = "*"; $form = $this->showForm($dbi, $request, $args); diff --git a/lib/plugin/ListPages.php b/lib/plugin/ListPages.php index 92673f8b4..fab2d2622 100644 --- a/lib/plugin/ListPages.php +++ b/lib/plugin/ListPages.php @@ -68,10 +68,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); // If the ratings table does not exist, or on dba it will break otherwise. // Check if WikiTheme isa 'wikilens' 
diff --git a/lib/plugin/ListRelations.php b/lib/plugin/ListRelations.php index 295ba7cbd..67b799e3a 100644 --- a/lib/plugin/ListRelations.php +++ b/lib/plugin/ListRelations.php @@ -50,11 +50,6 @@ extends WikiPlugin } function run ($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); $pagelist = new PageList($info, $exclude, $args); // should attributes be listed as pagename here? diff --git a/lib/plugin/ListSubpages.php b/lib/plugin/ListSubpages.php index 0919fe6e9..de9e7ff1e 100644 --- a/lib/plugin/ListSubpages.php +++ b/lib/plugin/ListSubpages.php @@ -61,11 +61,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if ($args['basepage']) $pagename = $args['basepage']; else diff --git a/lib/plugin/MostPopular.php b/lib/plugin/MostPopular.php index c346e8049..992f5c458 100644 --- a/lib/plugin/MostPopular.php +++ b/lib/plugin/MostPopular.php @@ -60,11 +60,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); if (strstr($sortby,'mtime')) { trigger_error(_("sortby=mtime not supported with MostPopular"), diff --git a/lib/plugin/RandomPage.php b/lib/plugin/RandomPage.php index 343b4ef9a..5f4d95228 100644 --- a/lib/plugin/RandomPage.php +++ b/lib/plugin/RandomPage.php 
@@ -56,11 +56,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); // fix deprecated arg diff --git a/lib/plugin/RecentReferrers.php b/lib/plugin/RecentReferrers.php index e968ce21c..b2c306245 100644 --- a/lib/plugin/RecentReferrers.php +++ b/lib/plugin/RecentReferrers.php @@ -38,11 +38,6 @@ class WikiPlugin_RecentReferrers extends WikiPlugin return HTML::div(array('class' => "error"), "Error: no ACCESS_LOG"); } $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - $table = HTML::table(array('cellpadding' => 1, 'cellspacing' => 2, 'border' => 0, diff --git a/lib/plugin/SemanticSearch.php b/lib/plugin/SemanticSearch.php index 3e6f2cc46..32c2fe1fc 100644 --- a/lib/plugin/SemanticSearch.php +++ b/lib/plugin/SemanticSearch.php @@ -276,11 +276,6 @@ extends WikiPlugin $this->_supported_operators = array(':=','<','<=','>','>=','!=','==','=~'); $this->_text_operators = array(':=','==','=~','!='); $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if (empty($args['page'])) $args['page'] = "*"; if (!isset($args['s'])) // it might be (integer) 0 diff --git a/lib/plugin/SemanticSearchAdvanced.php b/lib/plugin/SemanticSearchAdvanced.php index a07ce8c16..0d98cc72f 100644 --- a/lib/plugin/SemanticSearchAdvanced.php +++ b/lib/plugin/SemanticSearchAdvanced.php 
@@ -133,11 +133,6 @@ extends WikiPlugin_SemanticSearch $this->_supported_operators = array(':=','<','<=','>','>=','!=','==','=~'); $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - $posted = $request->getArg('semsearch'); $request->setArg('semsearch', false); if ($request->isPost() and isset($posted['help'])) { diff --git a/lib/plugin/TitleSearch.php b/lib/plugin/TitleSearch.php index 03e11778a..a2cfe7099 100644 --- a/lib/plugin/TitleSearch.php +++ b/lib/plugin/TitleSearch.php @@ -73,11 +73,6 @@ extends WikiPlugin function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if (empty($args['s'])) { return HTML(); } diff --git a/lib/plugin/UnfoldSubpages.php b/lib/plugin/UnfoldSubpages.php index 870736ae2..c40eafaef 100644 --- a/lib/plugin/UnfoldSubpages.php +++ b/lib/plugin/UnfoldSubpages.php @@ -82,11 +82,6 @@ extends WikiPlugin_IncludePage if (!$included_pages) $included_pages = array($basepage); $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - extract($args); $query = new TextSearchQuery($pagename . SUBPAGE_SEPARATOR . '*', true, 'glob'); $subpages = $dbi->titleSearch($query, $sortby, $limit, $exclude); diff --git a/lib/plugin/WantedPages.php b/lib/plugin/WantedPages.php index 2d5cf5c60..ea939f213 100644 --- a/lib/plugin/WantedPages.php +++ b/lib/plugin/WantedPages.php 
@@ -62,11 +62,6 @@ extends WikiPlugin // exclude arg allows multiple pagenames exclude=HomePage,RecentChanges function run($dbi, $argstr, &$request, $basepage) { $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - if (!empty($args['exclude_from'])) $args['exclude_from'] = is_string($args['exclude_from']) ? explodePageList($args['exclude_from']) diff --git a/lib/plugin/WikiAdminSelect.php b/lib/plugin/WikiAdminSelect.php index 9ef47cdab..28f8314d0 100644 --- a/lib/plugin/WikiAdminSelect.php +++ b/lib/plugin/WikiAdminSelect.php @@ -120,11 +120,6 @@ extends WikiPlugin //if ($request->getArg('action') != 'browse') // return $this->disabled("(action != 'browse')"); $args = $this->getArgs($argstr, $request); - - if (!empty($args['limit']) && !is_numeric($args['limit'])) { - return $this->error(_("Illegal 'limit' argument: must be numeric")); - } - $this->_args = $args; extract($args); $this->preSelectS($args, $request); -- 2.45.0