security: be more strict with algo param

Tanguy Pruvot 2018-04-10 11:03:01 +02:00
parent 580801f399
commit 60fb627ad9
2 changed files with 9 additions and 3 deletions


@ -54,6 +54,12 @@ function getiparam($p,$default=0)
return isset($_REQUEST[$p]) ? intval($_REQUEST[$p]) : $default; return isset($_REQUEST[$p]) ? intval($_REQUEST[$p]) : $default;
} }
function getalgoparam()
{
$algo = strip_tags(substr(getparam('algo'), 0, 32));
return $algo;
}
////////////////////////////////////////////////////// //////////////////////////////////////////////////////
function downloadFile($url, &$size) function downloadFile($url, &$size)
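Review bot: getalgoparam() is not actually strict: strip_tags() is an HTML-output sanitizer, not an input validator, and after it plus the 32-byte truncation the value can still contain quotes, slashes, spaces, `..`, NUL bytes and anything else that is not a tag. Since algo names are identifiers, an allowlist is the right check, e.g. `$algo = (string) getparam('algo');` followed by `return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $algo) ? $algo : '';`, which also makes the truncation unnecessary. If getparam() can return null for a missing key (its definition is not in the hunk), substr(null, ...) is deprecated on PHP 8.1+, which the cast above avoids. A one-line docblock such as `// Returns the validated 'algo' request parameter, or '' when absent/invalid` would state the contract callers may rely on. The surrounding getiparam() starts before this hunk.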


@ -1077,7 +1077,7 @@ class SiteController extends CommonController
$this->goback(); $this->goback();
} }
public function actionCancelorder() public function actionCancelorder()
{ {
if(!$this->admin) return; if(!$this->admin) return;
$order = getdbo('db_orders', getiparam('id')); $order = getdbo('db_orders', getiparam('id'));
@ -1091,7 +1091,7 @@ class SiteController extends CommonController
public function actionAlgo() public function actionAlgo()
{ {
$algo = substr(getparam('algo'), 0, 32); $algo = getalgoparam();
$a = getdbosql('db_algos', "name=:name", array(':name'=>$algo)); $a = getdbosql('db_algos', "name=:name", array(':name'=>$algo));
if($a) if($a)
@ -1108,7 +1108,7 @@ class SiteController extends CommonController
public function actionGomining() public function actionGomining()
{ {
$algo = substr(getparam('algo'), 0, 32); $algo = getalgoparam();
if ($algo == 'all') { if ($algo == 'all') {
return; return;
} }
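Review bot: In actionGomining() the sentinel check `if ($algo == 'all')` uses loose comparison; with a string operand it is harmless today, but the comparison should be `if ($algo === 'all')` so a future non-string return from getalgoparam() cannot slip past it. The body of actionGomining() continues beyond the hunk, so whatever is done with $algo after this check cannot be verified here; actionAlgo() above resolves the name through a parameterised db_algos lookup and only proceeds `if($a)`, and actionGomining() should presumably gate on the same lookup before using the value anywhere other than as a bound query parameter. The unchanged actionCancelorder() hunk at 1077 appears to be missing its changed line in this rendering.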