SF Bug #3497660 - XSS flaws via 'export', 'add_value_form' and 'dn' variables

2012-09-03 07:16:34 +10:00 · 2012-09-03 07:16:34 +10:00 · 74434e5ca3
parent 88d41216f9
commit 74434e5ca3
3 changed files with 11 additions and 11 deletions
--- a/htdocs/add_value_form.php
+++ b/htdocs/add_value_form.php
@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
 # Render the form
 if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
 	# Render the form.
-	$request['page']->drawTitle(sprintf('%s <b>%s</b> %s <b>%s</b>',_('Add new'),$request['attr'],_('value to'),get_rdn($request['dn'])));
+	$request['page']->drawTitle(sprintf('%s <b>%s</b> %s <b>%s</b>',_('Add new'),htmlspecialchars($request['attr']),_('value to'),htmlspecialchars(get_rdn($request['dn']))));
 	$request['page']->drawSubTitle();

 	if (! strcasecmp($request['attr'],'objectclass')) {
--- a/htdocs/export.php
+++ b/htdocs/export.php
@ -29,12 +29,12 @@ if ($request['file']) {

 	header('Content-type: application/download');
 	header(sprintf('Content-Disposition: inline; filename="%s.%s"','export',$types['extension'].($request['export']->isCompressed() ? '.gz' : '')));
-	$request['export']->export();
+	echo $request['export']->export();
 	die();

 } else {
 	print '<span style="font-size: 14px; font-family: courier;"><pre>';
-	$request['export']->export();
+	echo htmlspecialchars($request['export']->export());
 	print '</pre></span>';
 }
 ?>
--- a/lib/export_functions.php
+++ b/lib/export_functions.php
@ -324,9 +324,9 @@ class ExportCSV extends Export {
 		}

 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}

 	/**
@ -428,9 +428,9 @@ class ExportDSML extends Export {
 		$output .= sprintf('</dsml>%s',$this->br);

 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }

@ -506,9 +506,9 @@ class ExportLDIF extends Export {
 		}

 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}

 	/**
@ -633,9 +633,9 @@ class ExportVCARD extends Export {
 		}

 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }
 ?>