[dokuwiki] Re: Security Tracker "bug", Request Patch

Here is the patch which motivated my email:




--- old-dokuwiki/inc/auth.php 2006-06-03 05:11:55.000000000 +0200
+++ new-dokuwiki/inc/auth.php 2006-05-31 21:12:40.000000000 +0200
@@ -458,8 +458,8 @@
$_POST['login'] = preg_replace('/.*:/','',$_POST['login']);
$_POST['login'] = cleanID($_POST['login']);
//clean fullname and email
- $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname']));
- $_POST['email'] = trim(str_replace(':','',$_POST['email']));
+ $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%]+/','', $_POST['fullname']));
+ $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%]+/','', $_POST['email']));
if( empty($_POST['login']) ||
empty($_POST['fullname']) ||
@@ -533,8 +533,8 @@
}
//clean fullname and email
- $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname']));
- $_POST['email'] = trim(str_replace(':','',$_POST['email']));
+ $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%]+/','', $_POST['fullname']));
+ $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%]+/','', $_POST['email']));
if (empty($_POST['fullname']) || empty($_POST['email'])) {
msg($lang['profnoempty'],-1);



On Jun 3, 2006, at 4:43 AM, Chris Smith wrote:

Burton Rosenberg wrote:

Specific to this patch, isn't it a bit stronger to clean user input by matching positively against the format desired, versus stripping just some
bad characters? I don't know PHP well enough, but you are allowing the pipe through, which causes mischief for Perl.

Names are tough, I know, but email address should be limited by RFC1035 for domain names, and RFC 2822 for user names. (I think.)

-burt
Userids and emails are strictly matched to allowed character set & pattern. The user name has less strict matching - prevention of control characters and the three characters special to xhtml.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: