From 23e4577e02944567b8ac15581d9c0a0561d82046 Mon Sep 17 00:00:00 2001
From: Alexis Degrugillier
Date: Sun, 21 Sep 2014 18:40:08 -0400
Subject: Change param filter for user queries

Before, the filter was based on a blacklist so the user could add something and have unwanted behavior. Now, the filter is based on a whilelist so the user can use only predetermined parameters.
---
 app/Controllers/configureController.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'app/Controllers/configureController.php')

diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index a44ef3104..2bd13997f 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -493,18 +493,17 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 * It gets the GET parameters and stores them in the configuration query
 * storage. Before it is saved, the unwanted parameters are unset to keep
 * lean data.
- *
- * @todo change the way of keeping lean data to have a more defensive
- code. At the moment, the code accepts any parameters and discard
- those on the black list. I think it is safer if we maintain a
- whitelist instead.
 */
 public function addQueryAction() {
+ $whitelist = array('get', 'order', 'name', 'search', 'state');
 $queries = $this->view->conf->queries;
 $query = Minz_Request::params();
 $query['name'] = _t('query_number', count($queries) + 1);
- unset($query['output']);
- unset($query['token']);
+ foreach ($query as $key => $value) {
+ if (!in_array($key, $whitelist)) {
+ unset($query[$key]);
+ }
+ }
 $queries[] = $query;
 $this->view->conf->_queries($queries);
 $this->view->conf->save();
-- 
cgit v1.2.3
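Review bot: The new `in_array($key, $whitelist)` check uses loose comparison, so the whitelist is not as tight as the commit message suggests: PHP turns a numeric-string parameter name such as `0` into an integer key, and under PHP 5/7 rules `0 == 'get'` is true, so that key survives the filter; pass the strict flag, `if (!in_array($key, $whitelist, true)) {`. The loop also leaves `$value` unused; the whole filter collapses to one line, `$query = array_intersect_key($query, array_flip($whitelist));`, which keys only on the whitelist and avoids the comparison question entirely. The docblock kept above the hunk still describes the old behaviour ("the unwanted parameters are unset"); it could instead say that only the keys listed in `$whitelist` are kept. Note that the filter checks parameter names only, not their values, so whatever consumes `get`, `order`, `search` and `state` still has to validate them; the rest of addQueryAction lies outside the hunk.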