explorer: only allow hexa chars in query params

This commit is contained in:
Tanguy Pruvot 2018-04-23 15:52:24 +02:00
parent 10be25ee82
commit b22b599b3e
2 changed files with 17 additions and 10 deletions


@ -40,6 +40,13 @@ function getparam($p,$default='')
return isset($_REQUEST[$p]) ? $_REQUEST[$p] : $default;
}
function gethexparam($p,$default='')
{
$str = getparam($p, NULL);
$hex = (is_string($str) && ctype_xdigit($str)) ? $str : $default;
return $hex;
}
function getiparam($p,$default=0)
{
// workaround for yii default /route/<id> ....
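Review bot: `gethexparam` accepts a hexadecimal string of any length, so an oversized value still reaches whatever the callers hand it to; a bound belongs here rather than at each call site, e.g. `$hex = (is_string($str) && ctype_xdigit($str) && strlen($str) <= 64) ? $str : $default;` (block hashes and txids are 64 hex characters; widen the limit if another caller needs more). A short docblock would also make the contract visible: `/** Returns $_REQUEST[$p] when it is a non-empty hexadecimal string, else $default. */` — worth stating because `ctype_xdigit('')` is false, so an empty parameter already falls through to `$default`, and the `is_string` guard is what rejects array-valued parameters. The body of `getiparam` continues outside the hunk.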


@ -59,8 +59,8 @@ class ExplorerController extends CommonController
$coin = getdbo('db_coins', $id);
if($coin && $coin->no_explorer) {
$link = $coin->link_explorer;
//$txid = getparam('txid');
//$hash = getparam('hash');
//$txid = gethexparam('txid');
//$hash = gethexparam('hash');
//if (!empty($txid)) $link .= 'tx/'.$txid;
//elseif (!empty($hash)) $link .= 'block/'.$hash;
die("Block explorer disabled, please use <a href=\"$link\">$link</a>");
@ -71,11 +71,11 @@ class ExplorerController extends CommonController
$remote = new WalletRPC($coin);
$hash = $remote->getblockhash(intval($height));
} else {
$hash = getparam('hash');
$hash = gethexparam('hash');
}
$txid = getparam('txid');
$q = getparam('q');
$txid = gethexparam('txid');
$q = gethexparam('q');
if (strlen($q) >= 32 && ctype_xdigit($q)) {
$remote = new WalletRPC($coin);
$block = $remote->getblock($q);
@ -87,7 +87,7 @@ class ExplorerController extends CommonController
}
}
if($coin && !empty($txid) && ctype_xdigit($txid))
if($coin && !empty($txid))
{
$remote = new WalletRPC($coin);
$tx = $remote->getrawtransaction($txid, 1);
@ -96,7 +96,7 @@ class ExplorerController extends CommonController
$hash = arraySafeVal($tx,'blockhash');
}
if($coin && !empty($hash) && ctype_xdigit($hash))
if($coin && !empty($hash))
$this->render('block', array('coin'=>$coin, 'hash'=>$hash));
else if($coin)
@ -116,9 +116,9 @@ class ExplorerController extends CommonController
public function actionSearch()
{
$height = getiparam('height');
$txid = arraySafeVal($_REQUEST,'txid');
$hash = arraySafeVal($_REQUEST,'hash');
$q = arraySafeVal($_REQUEST,'q');
$txid = gethexparam('txid');
$hash = gethexparam('hash');
$q = gethexparam('q');
if (isset($_GET['SYM'])) {
// only for visible coins
$url = "/explorer/".$_GET['SYM']."?";
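Review bot: The hex gating at the new `$txid`/`$hash`/`$q` assignments in actionSearch stops two lines short of `$_GET['SYM']`, which is still read raw and concatenated into `$url` on the last line of the hunk; what happens to that URL afterwards is outside the hunk, but it is the one query parameter in this action the commit leaves unchecked. If coin symbols are plain alphanumerics, `$sym = $_GET['SYM']; if (!is_string($sym) || !ctype_alnum($sym)) $sym = '';` before `$url = "/explorer/".$sym."?";` would close that gap in the same style as the rest of the change. The remainder of actionSearch runs past the end of the hunk.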