Fix user input from direct get post usage

Bug #1732987 reported by Robert Lyon
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Unassigned
16.10
Fix Released
High
Unassigned
17.04
Fix Released
High
Unassigned
17.10
Fix Released
High
Unassigned
18.04
Fix Released
High
Unassigned

Bug Description

Makes sure the data is using valid utf8, invalid characters are discarded
- avoid null chars and invalid unicode

Also change direct $_GET and $_POST calls
eg change
 isset($_POST['myparam']) to param_exists('myparam')
 $_POST['myparam'] = 'cats' to param_alpha('myparam', null)
etc

CVE References

Revision history for this message
Robert Lyon (robertl-9) wrote :

This has been begun with patch
https://reviews.mahara.org/#/c/8191/

Robert Lyon (robertl-9)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers