From c33f84fcc21dab5ff9e04559912e81afc20ddf29 Mon Sep 17 00:00:00 2001
From: Dag
Date: Sun, 10 Jul 2022 19:50:51 +0200
Subject: [PATCH] fix: disallow non-strings in GET parameters (#2908)
---
 index.php | 28 +++++++++++++++++-----------
 templates/base.html.php | 2 +-
 templates/error.html.php | 5 ++++-
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/index.php b/index.php
index 9eddc71b..fe1ed882 100644
--- a/index.php
+++ b/index.php
@@ -2,18 +2,24 @@
 require_once __DIR__ . '/lib/rssbridge.php';
-/*
-Move the CLI arguments to the $_GET array, in order to be able to use
-rss-bridge from the command line
-*/
-if (isset($argv)) {
- parse_str(implode('&', array_slice($argv, 1)), $cliArgs);
- $request = array_merge($_GET, $cliArgs);
-} else {
- $request = $_GET;
-}
-
 try {
+ if (isset($argv)) {
+ parse_str(implode('&', array_slice($argv, 1)), $cliArgs);
+ $request = $cliArgs;
+ } else {
+ $request = $_GET;
+ }
+ foreach ($request as $key => $value) {
+ if (! is_string($value)) {
+ http_response_code(400);
+ print render('error.html.php', [
+ 'title' => '400 Bad Request',
+ 'message' => "Query parameter \"$key\" is not a string.",
+ ]);
+ exit(1);
+ }
+ }
+
 $actionFactory = new ActionFactory();
 if (array_key_exists('action', $request)) {
diff --git a/templates/base.html.php b/templates/base.html.php
index 39442706..702fab42 100644
--- a/templates/base.html.php
+++ b/templates/base.html.php
@@ -4,7 +4,7 @@
- <?= e($title ?? 'RSS-Bridge') ?>
+ <?= e($_title ?? 'RSS-Bridge') ?>
diff --git a/templates/error.html.php b/templates/error.html.php
index db2f233f..12f77b0b 100644
--- a/templates/error.html.php
+++ b/templates/error.html.php
@@ -1,6 +1,9 @@
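Review bot: The new `foreach` in index.php interpolates the caller-controlled query key into the 400 message (`"Query parameter \"$key\" is not a string."`), and whether that text is HTML-escaped on output depends on error.html.php, whose hunk in this patch is not legible here. `$_GET` keys can contain markup characters, so if the template prints `$message` without escaping this becomes a reflected injection point; the base.html.php hunk shows an `e()` escaper is available, so the template should emit it as `<?= e($message) ?>` (or the key should be reduced to a safe form before interpolation). Separately, the block comment explaining why argv is parsed into `$request` was dropped in the move; restoring it above the new `if (isset($argv))` as `// Accept CLI arguments as query parameters so rss-bridge can run from the command line` keeps that intent visible. The `try {` block that encloses the new code ends outside the hunk.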
-

Something went wrong

+

+ +

+