[evolvis-commits] r10960: Cross-site scripting fixes for the account login and project registration page. Simply ensures these pages have htmlspecialchars() and stripslashes() called before showing things in the HTML forms. Resolves patch #1279 from Vittal Aithal.

Thu Feb 24 17:58:36 CET 2011


Author: mirabilos
Date: 2011-02-24 17:58:35 +0100 (Thu, 24 Feb 2011)
New Revision: 10960

Modified:
   trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php
   trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php
   trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php
Log:
Cross-site scripting fixes for the account login and project registration
page.

Simply ensures these pages have htmlspecialchars() and stripslashes()
called before showing things in the HTML forms.

Resolves patch #1279 from Vittal Aithal.


Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php	2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/account/login.php	2011-02-24 16:58:35 UTC (rev 10960)
@@ -102,10 +102,10 @@
 <span style="color:red"><strong><?php echo $Language->getText('account_login', 'cookiewarn'); ?></strong></span>
 </p>
 <form action="<?php echo $PHP_SELF; ?>" method="post">
-<input type="hidden" name="return_to" value="<?php echo $return_to; ?>" />
+<input type="hidden" name="return_to" value="<?php echo htmlspecialchars(stripslashes($return_to)); ?>" />
 <p>
 <?php echo $Language->getText('account_login', 'loginname'); ?>
-<br /><input type="text" name="form_loginname" value="<?php echo $form_loginname; ?>" />
+<br /><input type="text" name="form_loginname" value="<?php echo htmlspecialchars(stripslashes($form_loginname)); ?>" />
 </p>
 <p>
 <?php echo $Language->getText('account_login', 'passwd'); ?>
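Review bot: The form's `action` on the context line just above the changed hidden field still echoes `$PHP_SELF` unescaped, and since PATH_INFO is part of PHP_SELF a request to `login.php/"><script>…` injects into the very form this commit is hardening; change it to `<form action="<?php echo htmlspecialchars($PHP_SELF); ?>" method="post">`. Two caveats on the new escaping: `htmlspecialchars()` with default flags leaves `'` alone, which is safe only while these attributes stay double-quoted, and an explicit charset avoids the default-encoding mismatch that can silently blank a field on invalid input, so `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` is the more robust form. Unconditional `stripslashes()` presumes magic_quotes_gpc is on; when it is off it corrupts legitimate backslashes in a login name, so gating it on `get_magic_quotes_gpc()` (or decoding once centrally) would be safer. Escaping `return_to` for HTML does not validate it as a redirect target; whether it is checked before use is outside this hunk.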

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php	2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/account/register.php	2011-02-24 16:58:35 UTC (rev 10960)
@@ -73,7 +73,7 @@
 <form action="<?php echo $PHP_SELF; ?>" method="post">
 <p>
 <?php echo $Language->getText('account_register','loginname'); echo utils_requiredField(); ?><br />
-<input type="text" name="unix_name" value="<?php print($unix_name); ?>" />
+<input type="text" name="unix_name" value="<?php print(htmlspecialchars(stripslashes($unix_name))); ?>" />
 </p>
 <p>
 <?php echo $Language->getText('account_register','password'); echo utils_requiredField(); ?><br />
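Review bot: The `<form action="<?php echo $PHP_SELF; ?>" method="post">` context line at the top of this hunk is the same unescaped `$PHP_SELF` reflection as in login.php, so attribute injection via PATH_INFO remains possible while every field below it is now escaped; change it to `<form action="<?php echo htmlspecialchars($PHP_SELF); ?>" method="post">`. The new `print(htmlspecialchars(stripslashes($unix_name)))` relies on default flags, which do not escape single quotes — fine for this double-quoted attribute, but `ENT_QUOTES` with an explicit charset is the safer habit if this pattern is copied elsewhere. The enclosing form markup begins before this hunk.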
@@ -85,15 +85,15 @@
 </p
 ><p>
 <?php echo $Language->getText('account_options', 'title2'); ?><br />
-<input type="text" name="title" value="<?php echo $title; ?>" size="10" />
+<input type="text" name="title" value="<?php echo htmlspecialchars(stripslashes($title)); ?>" size="10" />
 </p>
 <p>
 <?php echo $Language->getText('account_register','firstname'); echo utils_requiredField(); ?><br />
-<input size="30" type="text" name="firstname" value="<?php print($firstname); ?>" />
+<input size="30" type="text" name="firstname" value="<?php print(htmlspecialchars(stripslashes($firstname))); ?>" />
 </p>
 <p>
 <?php echo $Language->getText('account_register','lastname'); echo utils_requiredField(); ?><br />
-<input size="30" type="text" name="lastname" value="<?php print($lastname); ?>" />
+<input size="30" type="text" name="lastname" value="<?php print(htmlspecialchars(stripslashes($lastname))); ?>" />
 </p>
 <p>
 <?php echo $Language->getText('account_register','language'); ?><br />
@@ -113,13 +113,14 @@
 </p>
 <p>
 @<?php echo $Language->getText('account_register','emailaddr', $GLOBALS['sys_users_host']); ?>
-<br /><input size="30" type="text" name="email" value="<?php print($email); ?>" />
+<br /><input size="30" type="text" name="email" value="<?php print(htmlspecialchars(stripslashes($email))); ?>" />
 </p>
 <p>
 <?php
 if ($sys_use_jabber) {
 	echo $Language->getText('account_register','jabberaddr').'<br />
-	<input size="30" type="text" name="jabber_address" value="'. $jabber_address .'" /><br />
+	<input size="30" type="text" name="jabber_address" value="'. 
+	htmlspecialchars(stripslashes($jabber_address)) .'" /><br />
 	<input type="checkbox" name="jabber_only" value="1" />
 	'.$Language->getText('account_register','jabberonly').'.';
 }
@@ -127,19 +128,19 @@
 </p>
 <p>
 <?php echo $Language->getText('account_options', 'address'); ?><br />
-<input type="text" name="address" value="<?php echo $address; ?>" size="80" />
+<input type="text" name="address" value="<?php echo htmlspecialchars(stripslashes($address)); ?>" size="80" />
 </p>
 <p>
 <?php echo $Language->getText('account_options', 'address'); ?><br />
-<input type="text" name="address2" value="<?php echo $address2; ?>" size="80" />
+<input type="text" name="address2" value="<?php echo htmlspecialchars(stripslashes($address2)); ?>" size="80" />
 </p>
 <p>
 <?php echo $Language->getText('account_options', 'phone'); ?><br />
-<input type="text" name="phone" value="<?php echo $phone; ?>" size="20" />
+<input type="text" name="phone" value="<?php echo htmlspecialchars(stripslashes($phone)); ?>" size="20" />
 </p>
 <p>
 <?php echo $Language->getText('account_options', 'fax'); ?><br />
-<input type="text" name="fax" value="<?php echo $fax; ?>" size="20" />
+<input type="text" name="fax" value="<?php echo htmlspecialchars(stripslashes($fax)); ?>" size="20" />
 </p>
 <p>
 <input type="checkbox" name="mail_site" value="1" checked="checked" />

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php	2011-02-24 16:58:35 UTC (rev 10959)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/register/projectinfo.php	2011-02-24 16:58:35 UTC (rev 10960)
@@ -56,6 +56,7 @@
 	$license_other = trim($license_other);
 	$description = trim($description);
 	$unix_name = strtolower($unix_name);
+	$feedback = "";
 
 	if ($sys_use_scm && !$scm) {
 		$feedback .= $Language->getText('register','scm_not_selected');
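Review bot: The new `$feedback = "";` carries no comment saying why the reset lives here, after the trim/strtolower lines, rather than where `$feedback` is first declared; a one-liner such as `// start from an empty message so nothing pre-seeded (e.g. via register_globals) is appended to` would record the intent. If this reset sits inside a submit-only branch, `$feedback` may still be undefined on the initial GET render; the enclosing block starts before this hunk, so that cannot be confirmed from here.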
@@ -111,13 +112,13 @@
 
 <?php echo $Language->getText('register','project_full_name') ?>
 
-<input size="40" maxlength="40" type=text name="full_name" value="<?php echo stripslashes($full_name); ?>">
+<input size="40" maxlength="40" type=text name="full_name" value="<?php echo htmlspecialchars(stripslashes($full_name)); ?>">
 
 <?php echo $Language->getText('register','purpose_and_summarization', array($GLOBALS['sys_name']))?>
 <p>
 <font size="-1">
 <textarea name="purpose" wrap="virtual" cols="70" rows="10">
-<?php echo stripslashes($purpose); ?>
+<?php echo htmlspecialchars(stripslashes($purpose)); ?>
 </textarea>
 </font>
 
@@ -130,7 +131,7 @@
 <?php echo $Language->getText('register','other_license') ?>
 <br />
 <textarea name="license_other" wrap=virtual cols=60 rows=5>
-<?php echo stripslashes($license_other); ?>
+<?php echo htmlspecialchars(stripslashes($license_other)); ?>
 </textarea>
 <p>
 
@@ -138,13 +139,13 @@
 </p>
 <font size="-1">
 <textarea name="description" wrap="virtual" cols="70" rows="5">
-<?php echo stripslashes($description); ?>
+<?php echo htmlspecialchars(stripslashes($description)); ?>
 </textarea>
 </font>
 
 <?php echo $Language->getText('register','project_unix_name',array($GLOBALS['sys_default_domain'])) ?>
 
-<input type=text maxlength="15" SIZE="15" name="unix_name" value="<?php echo $unix_name; ?>">
+<input type=text maxlength="15" SIZE="15" name="unix_name" value="<?php echo htmlspecialchars(stripslashes($unix_name)); ?>">
 
 <?php
 	$SCMFactory=new SCMFactory();


