diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-03-12 11:35:57 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-03-12 11:42:49 -0300 |
commit | e41ec5848f21015068255c1d61d01edf442e8e7e (patch) | |
tree | 45c3214c1e3d638dbacb217cd3de95fb4aa6e770 /usr/local/www/system_usermanager_addprivs.php | |
parent | 49f3f28fea92114b09d3b2d8103398c4adcb3635 (diff) | |
download | pfsense-e41ec5848f21015068255c1d61d01edf442e8e7e.zip pfsense-e41ec5848f21015068255c1d61d01edf442e8e7e.tar.gz |
Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars() before print
Diffstat (limited to 'usr/local/www/system_usermanager_addprivs.php')
-rw-r--r-- | usr/local/www/system_usermanager_addprivs.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php index 8a69310..ff7cc64 100644 --- a/usr/local/www/system_usermanager_addprivs.php +++ b/usr/local/www/system_usermanager_addprivs.php @@ -46,8 +46,9 @@ require("guiconfig.inc"); $pgtitle = array("System","User manager","Add privileges"); -$userid = $_GET['userid']; -if (isset($_POST['userid'])) +if (is_numericint($_GET['userid'])) + $userid = $_GET['userid']; +if (isset($_POST['userid']) && is_numericint($_POST['userid'])) $userid = $_POST['userid']; $a_user = & $config['system']['user'][$userid]; @@ -195,7 +196,7 @@ function update_description() { <input id="submitt" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input id="cancelbutton" class="formbtn" type="button" value="<?=gettext("Cancel");?>" onclick="history.back()" /> <?php if (isset($userid)): ?> - <input name="userid" type="hidden" value="<?=$userid;?>" /> + <input name="userid" type="hidden" value="<?=htmlspecialchars($userid);?>" /> <?php endif; ?> </td> </tr> |