verdnatura/hedera-web
verdnatura
/
hedera-web
0
0
Fork 1
Code Issues Pull Requests Releases Wiki Activity

Solucionados fallos de seguridad en la configuracion y en inyeccion php

This commit is contained in:
Juan Ferrer Toribio 2014-05-10 12:47:57 +02:00
parent c30dbce493
commit 9943703f61
10 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
DEBIAN/conffiles Normal file
View File

@ -0,0 +1 @@
/etc/hedera-web/config.php

4
DEBIAN/control
View File

@ -1,8 +1,8 @@
Package: hedera-web Package: hedera-web
Version: 1.0-1 Version: 1.0-3
Architecture: all Architecture: all
Maintainer: Juan Ferrer Toribio <juan@verdnatura.es> Maintainer: Juan Ferrer Toribio <juan@verdnatura.es>
Depends: php5-mysql, php5-imap Depends: apache2, php5-mysql
Section: misc Section: misc
Priority: optional Priority: optional
Description: Verdnatura's web page Description: Verdnatura's web page

4
DEBIAN/postinst Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
service apache2 reload

4
DEBIAN/prerm Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
service apache2 reload

0
usr/share/hedera-web/config.php → etc/hedera-web/config.php
View File

2
usr/share/hedera-web/ajax.php
View File

@ -33,7 +33,7 @@ if (Hedera::login ())
if (isset ($_REQUEST['action'])) if (isset ($_REQUEST['action']))
$action = $_REQUEST['action']; $action = $_REQUEST['action'];
if ($action) if ($action && checkToken ($action))
{ {
$actionFile = 'ajax/'. $action .'.php'; $actionFile = 'ajax/'. $action .'.php';

2
usr/share/hedera-web/index.php
View File

@ -19,7 +19,7 @@ if (!Hedera::$sysConn->isOpen ())
// Getting the section // Getting the section
if (isset ($_GET['section'])) if (isset ($_GET['section']) && checkToken ($_GET['section']))
$section = $_GET['section']; $section = $_GET['section'];
else else
$section = 'login'; $section = 'login';

2
usr/share/hedera-web/module.php
View File

@ -5,7 +5,7 @@ require_once ('php/web/hedera.php');
Hedera::init (); Hedera::init ();
Hedera::login (); Hedera::login ();
if (isset ($_GET['module'])) if (isset ($_GET['module']) && checkToken ($_GET['module']))
$module = $_GET['module']; $module = $_GET['module'];
else else
$module = $conf['defaultModule']; $module = $conf['defaultModule'];

1
usr/share/hedera-web/php/vn/vn.php
View File

@ -1,6 +1,5 @@
<?php <?php
require_once ('config.php');
require_once ('php/vn/type.php'); require_once ('php/vn/type.php');
require_once ('php/vn/locale.php'); require_once ('php/vn/locale.php');
require_once ('php/vn/error.php'); require_once ('php/vn/error.php');

12
usr/share/hedera-web/php/web/hedera.php
View File

@ -1,8 +1,20 @@
<?php <?php
$homeConf = $_SERVER['CONTEXT_DOCUMENT_ROOT'].'/../.config/hedera-web/config.php';
if (file_exists ($homeConf))
require_once ($homeConf);
else
require_once ('/etc/hedera-web/config.php');
require_once ('php/db/db.php'); require_once ('php/db/db.php');
require_once ('php/web/auth.php'); require_once ('php/web/auth.php');
function checkToken ($token)
{
return preg_match ('/^[\w\-]+$/', $token);
}
function ifNull ($map, $key) function ifNull ($map, $key)
{ {
return isset ($map[$key]) ? $map[$key] : NULL; return isset ($map[$key]) ? $map[$key] : NULL;