Bugtracker #3700 - restrict field names to alphanumeric characters

2025-07-31 03:40:37 +02:00 · 2007-01-28 20:49:54 +00:00
parent d01f93b489
commit 884f0691e1
2 changed files with 17 additions and 8 deletions
--- a/e107_admin/users_extended.php
+++ b/e107_admin/users_extended.php
@@ -11,9 +11,9 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/users_extended.php,v $
-|     $Revision: 1.5 $
-|     $Date: 2007-01-20 16:54:48 $
-|     $Author: mrpete $
+|     $Revision: 1.6 $
+|     $Date: 2007-01-28 20:49:28 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 require_once("../class2.php");
@@ -91,6 +91,9 @@ if (isset($_POST['catdown_x']))

 if (isset($_POST['add_field']))
 {
+  $ue_field_name = str_replace(' ','_',trim($_POST['user_field']));		// Replace space with underscore - better security
+  if (preg_match('#^\w+$#',$ue_field_name) === 1)						// Check for allowed characters, finite field length
+  {
 	if($_POST['user_type']==4)
 	{
    	$_POST['user_values'] = array($_POST['table_db'],$_POST['field_id'],$_POST['field_value'],$_POST['field_order']);
@@ -99,18 +102,23 @@ if (isset($_POST['add_field']))
 	$new_parms = $tp->toDB($_POST['user_include']."^,^".$_POST['user_regex']."^,^".$_POST['user_regexfail']."^,^".$_POST['user_hide']);
 	
 // Check to see if its a reserved field name before adding to database
-	if($ue->user_extended_reserved($_POST['user_field']))
+	if($ue->user_extended_reserved($ue_field_name))
 	{  // Reserved field name
-	  $message = "[user_".$tp->toHTML($_POST['user_field'])."] ".EXTLAN_74;
+	  $message = "[user_".$tp->toHTML($ue_field_name)."] ".EXTLAN_74;
 	}
 	else
 	{
-	  $result = admin_update($ue->user_extended_add($_POST['user_field'], $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
+	  $result = admin_update($ue->user_extended_add($ue_field_name, $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
 	  if(!$result)
 	  {
 		$message = EXTLAN_75;
 	  }
 	}
+  }
+  else
+  {
+    $message = EXTLAN_76." : ".$tp->toHTML($ue_field_name);
+  }
 }

 if (isset($_POST['update_field'])) {