Sanitize all redirects

Fedor A. Fetisov 2013-10-28 17:10:10 +04:00
parent 4345070720
commit 12c3e2d60d
11 changed files with 15 additions and 15 deletions


@ -168,7 +168,7 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) {
$threadid = $thread->id; $threadid = $thread->id;
$token = $thread->lastToken; $token = $thread->lastToken;
$chatstyle = verifyparam( "style", "/^\w+$/", ""); $chatstyle = verifyparam( "style", "/^\w+$/", "");
header("Location: $mibewroot/client.php?thread=$threadid&token=$token".($chatstyle ? "&style=$chatstyle" : "")); header("Location: $mibewroot/client.php?thread=" . intval($threadid) . "&token=" . urlencode($token) . ($chatstyle ? "&style=" . urlencode($chatstyle) : ""));
exit; exit;
} }
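Review bot: `$mibewroot` is still interpolated into the Location header without any check, here and in every other redirect this commit touches; the ids and tokens now go through intval()/urlencode(), but the path prefix is the one component of the header that is not validated. If it is a fixed configuration value that is fine; if it is ever derived from request data (for example from the script path) it would be worth validating once where it is defined (a relative path with no scheme and no CR/LF) rather than at each redirect. Where it is defined is outside these hunks, so this is something to confirm rather than assume.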


@ -98,7 +98,7 @@ if (!isset($_GET['token'])) {
} }
$token = $thread->lastToken; $token = $thread->lastToken;
header("Location: $mibewroot/operator/agent.php?thread=$threadid&token=$token"); header("Location: $mibewroot/operator/agent.php?thread=" . intval($threadid) . "&token=" . urlencode($token));
exit; exit;
} }


@ -76,7 +76,7 @@ if (!$op) {
if ($opId && $avatar && $_SESSION[$session_prefix."operator"] && $operator['operatorid'] == $opId) { if ($opId && $avatar && $_SESSION[$session_prefix."operator"] && $operator['operatorid'] == $opId) {
$_SESSION[$session_prefix."operator"]['vcavatar'] = $avatar; $_SESSION[$session_prefix."operator"]['vcavatar'] = $avatar;
} }
header("Location: $mibewroot/operator/avatar.php?op=$opId"); header("Location: $mibewroot/operator/avatar.php?op=" . intval($opId));
exit; exit;
} else { } else {
$page['avatar'] = topage($op['vcavatar']); $page['avatar'] = topage($op['vcavatar']);
@ -85,7 +85,7 @@ if (!$op) {
} else { } else {
if (isset($_GET['delete']) && $_GET['delete'] == "true" && $canmodify) { if (isset($_GET['delete']) && $_GET['delete'] == "true" && $canmodify) {
update_operator_avatar($op['operatorid'], ''); update_operator_avatar($op['operatorid'], '');
header("Location: $mibewroot/operator/avatar.php?op=$opId"); header("Location: $mibewroot/operator/avatar.php?op=" . intval($opId));
exit; exit;
} }
$page['avatar'] = topage($op['vcavatar']); $page['avatar'] = topage($op['vcavatar']);
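Review bot: `intval($opId)` is applied only inside the two header() calls, while the same `$opId` is used unchanged in the loose comparison `$operator['operatorid'] == $opId` a few lines above and, presumably, in the lookup that produced `$op`; casting it once at the point where it is read from the request (outside this hunk) would make every use consistent instead of only the redirects. The hunks at @ -91/@ -104, @ -66 and @ -53 further down have the same shape, with `$opId` cast only in the Location header. The enclosing if/else blocks start and end outside the hunk.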


@ -78,7 +78,7 @@ if (isset($_GET['act']) && $_GET['act'] == 'delete') {
if (count($errors) == 0) { if (count($errors) == 0) {
$db = Database::getInstance(); $db = Database::getInstance();
$db->query("delete from {chatresponses} where id = ?", array($key)); $db->query("delete from {chatresponses} where id = ?", array($key));
header("Location: $mibewroot/operator/canned.php?lang=$lang&group=$groupid"); header("Location: $mibewroot/operator/canned.php?lang=" . urlencode($lang) . "&group=" . intval($groupid));
exit; exit;
} }
} }


@ -184,7 +184,7 @@ if (isset($_POST['name'])) {
'chattitle' => $chattitle, 'chattitle' => $chattitle,
'hosturl' => $hosturl, 'hosturl' => $hosturl,
'logo' => $logo)); 'logo' => $logo));
header("Location: $mibewroot/operator/groupmembers.php?gid=" . $newdep['groupid']); header("Location: $mibewroot/operator/groupmembers.php?gid=" . intval($newdep['groupid']));
exit; exit;
} else { } else {
update_group(array( update_group(array(
@ -200,7 +200,7 @@ if (isset($_POST['name'])) {
'chattitle' => $chattitle, 'chattitle' => $chattitle,
'hosturl' => $hosturl, 'hosturl' => $hosturl,
'logo' => $logo)); 'logo' => $logo));
header("Location: $mibewroot/operator/group.php?gid=$groupid&stored"); header("Location: $mibewroot/operator/group.php?gid=" . intval($groupid) . "&stored");
exit; exit;
} }
} else { } else {


@ -74,7 +74,7 @@ if (!$group) {
} }
update_group_members($groupid, $new_members); update_group_members($groupid, $new_members);
header("Location: $mibewroot/operator/groupmembers.php?gid=$groupid&stored"); header("Location: $mibewroot/operator/groupmembers.php?gid=" . intval($groupid) . "&stored");
exit; exit;
} }


@ -32,8 +32,8 @@ if (!$thread) {
// Open chat window for operator // Open chat window for operator
$redirect_to = $mibewroot . $redirect_to = $mibewroot .
'/operator/agent.php?thread=' . $thread->id . '/operator/agent.php?thread=' . intval($thread->id) .
'&token=' . $thread->lastToken; '&token=' . urlencode($thread->lastToken);
header('Location: ' . $redirect_to); header('Location: ' . $redirect_to);
?> ?>
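Review bot: The `header('Location: ' . $redirect_to);` call is not followed by `exit;`, unlike the other header() redirects in this commit; with `?>` immediately after it the script appears to end anyway, but any whitespace after the closing tag is emitted into the response and the missing exit makes later additions to the file fragile. Suggest `header('Location: ' . $redirect_to); exit;` and, since this looks like a PHP-only file, dropping the closing `?>`. The `if (!$thread)` block this hunk sits in starts outside the hunk.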


@ -30,7 +30,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
if ($operator && isset($operator['vcpassword']) && check_password_hash($operator['vclogin'], $password, $operator['vcpassword']) && !operator_is_disabled($operator)) { if ($operator && isset($operator['vcpassword']) && check_password_hash($operator['vclogin'], $password, $operator['vcpassword']) && !operator_is_disabled($operator)) {
$target = $password == '' $target = $password == ''
? "$mibewroot/operator/operator.php?op=" . $operator['operatorid'] ? "$mibewroot/operator/operator.php?op=" . intval($operator['operatorid'])
: (isset($_SESSION['backpath']) : (isset($_SESSION['backpath'])
? $_SESSION['backpath'] ? $_SESSION['backpath']
: "$mibewroot/operator/index.php"); : "$mibewroot/operator/index.php");
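Review bot: Only the operator-id branch of `$target` gained intval(); the `$_SESSION['backpath']` branch still hands a stored value straight to the redirect. Where backpath is populated is outside this hunk, so if it can originate from a request parameter or the Referer header it should be constrained to a local path before use (reject anything with a scheme, a leading `//`, or CR/LF); if it is only ever set from server-side script names the code is fine, but that invariant deserves a comment at the assignment. The surrounding `if (isset($_POST['login']) ...)` block starts before the hunk and the use of `$target` is after it.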


@ -91,7 +91,7 @@ if ((isset($_POST['login']) || !is_capable(CAN_ADMINISTRATE, $operator)) && isse
if (count($errors) == 0) { if (count($errors) == 0) {
if (!$opId) { if (!$opId) {
$newop = create_operator($login, $email, $password, $localname, $commonname, "", $code); $newop = create_operator($login, $email, $password, $localname, $commonname, "", $code);
header("Location: $mibewroot/operator/avatar.php?op=" . $newop['operatorid']); header("Location: $mibewroot/operator/avatar.php?op=" . intval($newop['operatorid']));
exit; exit;
} else { } else {
update_operator($opId, $login, $email, $password, $localname, $commonname, $code); update_operator($opId, $login, $email, $password, $localname, $commonname, $code);
@ -104,7 +104,7 @@ if ((isset($_POST['login']) || !is_capable(CAN_ADMINISTRATE, $operator)) && isse
exit; exit;
} }
} }
header("Location: $mibewroot/operator/operator.php?op=$opId&stored"); header("Location: $mibewroot/operator/operator.php?op=" . intval($opId) . "&stored");
exit; exit;
} }
} else { } else {


@ -66,7 +66,7 @@ if (!$op) {
} }
update_operator_groups($op['operatorid'], $new_groups); update_operator_groups($op['operatorid'], $new_groups);
header("Location: $mibewroot/operator/opgroups.php?op=$opId&stored"); header("Location: $mibewroot/operator/opgroups.php?op=" . intval($opId) . "&stored");
exit; exit;
} }
} }


@ -53,7 +53,7 @@ if (!$op) {
if ($opId && $_SESSION[$session_prefix."operator"] && $operator['operatorid'] == $opId) { if ($opId && $_SESSION[$session_prefix."operator"] && $operator['operatorid'] == $opId) {
$_SESSION[$session_prefix."operator"]['iperm'] = $new_permissions; $_SESSION[$session_prefix."operator"]['iperm'] = $new_permissions;
} }
header("Location: $mibewroot/operator/permissions.php?op=$opId&stored"); header("Location: $mibewroot/operator/permissions.php?op=" . intval($opId) . "&stored");
exit; exit;
} }