author | Remi Collet <fedora@famillecollet.com> | 2014-12-22 09:23:02 +0100 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2014-12-22 09:23:02 +0100 |
commit | c0011352162c9ebed6faea4c0f4bdf035d3feb92 (patch) | |
tree | df3adb573794072729b2f182c7f7b258e13df005 /glpi-0.84-CVE-2014-9258.patch | |
parent | d349e4be95ba37c97d9dbbee88241603f668aee8 (diff) |
glpi: fix SQL Injection CVE-2014-9258
Diffstat (limited to 'glpi-0.84-CVE-2014-9258.patch')
-rw-r--r-- | glpi-0.84-CVE-2014-9258.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/glpi-0.84-CVE-2014-9258.patch b/glpi-0.84-CVE-2014-9258.patch
new file mode 100644
index 0000000..97f1966
--- /dev/null
+++ b/glpi-0.84-CVE-2014-9258.patch
@@ -0,0 +1,62 @@
+Index: branches/0.84-bugfixes/inc/dropdown.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/dropdown.class.php (révision 23260)
++++ branches/0.84-bugfixes/inc/dropdown.class.php (révision 23261)
+@@ -177,6 +177,11 @@
+ }
+ }
+
++ // Manage condition
++ if (!empty($params['condition'])) {
++ $params['condition'] = static::addNewCondition($params['condition']);
++ }
++
+ $param = array('searchText' => '__VALUE__',
+ 'value' => $params['value'],
+ 'itemtype' => $itemtype,
+@@ -259,6 +264,11 @@
+ }
+ }
+
++ static function addNewCondition($condition) {
++ $sha1=sha1($condition);
++ $_SESSION['glpicondition'][$sha1] = $condition;
++ return $sha1;
++ }
+
+ /**
+ * Get the value of a dropdown
+@@ -1095,7 +1105,7 @@
+ 'entity_restrict' => $entity_restrict);
+
+ if ($onlyglobal) {
+- $params['condition'] = "`is_global` = '1'";
++ $params['condition'] = static::addNewCondition("`is_global` = '1'");
+ }
+ Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
+ $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
+Index: branches/0.84-bugfixes/ajax/dropdownValue.php
+===================================================================
+--- branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23260)
++++ branches/0.84-bugfixes/ajax/dropdownValue.php (révision 23261)
+@@ -72,13 +72,17 @@
+ $_POST['permit_select_parent'] = false;
+ }
+
+-// No define rand
+-if (!isset($_POST['rand'])) {
++ // No define rand
++ if (!isset($_POST['rand'])) {
+ $_POST['rand'] = mt_rand();
+ }
+
+ if (isset($_POST['condition']) && !empty($_POST['condition'])) {
+- $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
++ if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
++ $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
++ } else {
++ $_POST['condition'] = '';
++ }
+ }
+
+ if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) { |
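Review bot: The third `dropdown.class.php` hunk now sends the `addNewCondition()` token to `/ajax/dropdownAllItems.php`, but the only endpoint this patch changes to resolve the token is `ajax/dropdownValue.php`. Any other handler that reads `$_POST['condition']` needs the same `$_SESSION['glpicondition']` lookup before the value reaches a query; those handlers are outside this patch, so that cannot be confirmed from here. In `dropdownValue.php` an unknown token falls through to `$_POST['condition'] = '';`, which drops the filter instead of refusing the request, so failing closed would be safer if any caller relies on the condition as a restriction. The lookup also indexes the session array with the raw POST value, so I would guard it as `if (is_string($_POST['condition']) && isset($_SESSION['glpicondition'][$_POST['condition']])) {`. `addNewCondition()` has no docblock; add one saying it stores the SQL fragment in the session and returns its SHA-1 only as an opaque key, with the protection coming from the server-side lookup (the surrounding functions are only partly visible in these inner hunks).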