Fix user input from direct get post usage

Bug #1732987 reported by Robert Lyon on 2017-11-17
This bug affects 1 person
Affects: Mahara
Milestone 16.10: Importance High, Unassigned
Milestone 17.04: Importance High, Unassigned
Milestone 17.10: Importance High, Unassigned
Milestone 18.04: Importance High, Unassigned

Bug Description

Make sure the data is using valid UTF-8; invalid characters are discarded
- avoid null chars and invalid unicode

Also change direct $_GET and $_POST calls, e.g. change
 isset($_POST['myparam']) to param_exists('myparam')
 $_POST['myparam'] = 'cats' to param_alpha('myparam', null)
etc.
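As an added illustration (not Mahara's own code from the patch above), the helpers below show the shape of the change the report asks for: a cleaner that drops NUL bytes and malformed UTF-8, and param_exists()/param_alpha()-style wrappers so callers never touch $_GET or $_POST directly. The function bodies, the param_raw() helper and the sample request are assumptions made for this example.

```php
<?php
// Illustrative stand-ins using the names from the bug report; these are
// not Mahara's implementations (assumption for this example).

/**
 * Normalise a raw request value to valid UTF-8: remove NUL bytes and
 * discard any byte sequence that is not well-formed UTF-8.
 */
function clean_utf8(string $raw): string {
    // Strip null characters first: they can truncate C-level string handling.
    $noNul = str_replace("\0", '', $raw);
    // Re-encoding UTF-8 to UTF-8 with the substitute character set to "none"
    // makes mbstring drop invalid sequences instead of replacing them with '?'.
    $prev = mb_substitute_character();
    mb_substitute_character('none');
    $clean = mb_convert_encoding($noNul, 'UTF-8', 'UTF-8');
    mb_substitute_character($prev);
    return $clean;
}

/** Does the request carry a parameter with this name (POST or GET)? */
function param_exists(string $name): bool {
    return isset($_POST[$name]) || isset($_GET[$name]);
}

/** Fetch a cleaned scalar parameter, or $default when it is absent. */
function param_raw(string $name, ?string $default = null): ?string {
    if (!param_exists($name)) {
        return $default;
    }
    $value = $_POST[$name] ?? $_GET[$name];
    if (!is_string($value)) {
        return $default;   // array-valued params are not accepted here
    }
    return clean_utf8($value);
}

/** Like param_raw(), but only ASCII letters pass; anything else is rejected. */
function param_alpha(string $name, ?string $default = null): ?string {
    $value = param_raw($name, null);
    if ($value === null) {
        return $default;
    }
    if (!ctype_alpha($value)) {
        throw new InvalidArgumentException("Parameter '$name' must contain letters only");
    }
    return $value;
}

// Constructed sample request: a NUL byte and a dangling UTF-8 lead byte.
$_POST['myparam'] = "ca\0ts\xC3";
var_dump(param_exists('myparam'), param_raw('myparam'), param_alpha('myparam', null));
```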

Robert Lyon (robertl-9) wrote :

This has been begun with patch
https://reviews.mahara.org/#/c/8191/

Robert Lyon (robertl-9) on 2018-01-16
information type: Private Security → Public Security
