# HG changeset patch
# User HIROSE Yuuji
# Date 1560576819 -32400
# Node ID 6e727ab07c98e2a11e4e105f35fba80c36883987
# Parent c064c7d357dc9c7ca39df127def89fb66774ffb8
Sanitize argument from cgi with numericalize()
diff -r c064c7d357dc -r 6e727ab07c98 s4-blog.sh
--- a/s4-blog.sh Sat Jun 15 14:32:50 2019 +0900
+++ b/s4-blog.sh Sat Jun 15 14:33:39 2019 +0900
@@ -649,7 +649,8 @@
 }
 gethandout() {
 # $1=rowid of blog
- blog_writable $1 $user
+ rid=`numericalize "$1"`
+ blog_writable $rid $user
 rc=$? # =0: writable, $BLOG_NOTMEM bit set => not member
 if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
 echo "メンバー以外は利用できません。" | html p; return
@@ -658,7 +659,7 @@
 bd=$tmpd/archive.$$
 mkdir $bd
 query "select m.rowid,author,m.val from article a join article_m m\
- on a.id=m.id where blogid=(select id from blog where rowid=$1)\
+ on a.id=m.id where blogid=(select id from blog where rowid=$rid)\
 and m.key in ('image', 'document', 'binary');" \
 | while IFS='|' read rowid author filename; do
 err isfilereadable $user article_m $rowid
@@ -986,7 +987,7 @@
 
 blog_addentry() {
 # $1=GRPname(if it is a group)
- grprowid=$1
+ grprowid=`numericalize $1`
 rowid=`getpar rowid`
 ## err blog_addentry0: rowid=$rowid
 if [ -n "$grprowid" ]; then
@@ -994,7 +995,7 @@
 else
 owner=`getpar owner`
 fi
- err blog-add: \$1=$1 rowid=$rowid owner=$owner
+ err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
 if isgroup "$owner"; then
 groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
 else
@@ -1047,7 +1048,7 @@
 }
 blog_reply() {
 # Posting to blog article
- rowid=$1
+ rowid=`numericalize $1` # Ensure (already purified in s4.cgi)
 if [ -z "$rowid" ]; then
 echo "表示する日記番号が未指定です。" | html p
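Review bot: The new `rid=`numericalize "$1"`` at the top of gethandout is never checked for an empty result before `blog_writable $rid $user`, nor before the `rowid=$rid` interpolation into the query in the second hunk. numericalize is not part of this patch; if it returns an empty string for non-numeric input, `blog_writable` is invoked with `$user` shifted into the first position and the SQL becomes `where rowid=)`, a query error rather than a clean refusal. Add a guard right after the assignment, reusing the message already used by blog_reply: `[ -z "$rid" ] && { echo "表示する日記番号が未指定です。" | html p; return; }`, and quote the call as `blog_writable "$rid" "$user"` so an empty value cannot shift the arguments. gethandout continues past the end of this hunk.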
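Review bot: `grprowid=`numericalize $1`` in blog_addentry passes `$1` unquoted, unlike the `numericalize "$1"` form used in the first hunk, so an argument containing whitespace is word-split into several arguments before it is sanitized. The same unquoted form appears in blog_reply in the last hunk; use `grprowid=`numericalize "$1"`` and `rowid=`numericalize "$1"`` respectively. Note also that a non-numeric `$1` now presumably yields an empty `$grprowid` and silently falls through to the `owner=`getpar owner`` branch instead of being handled as a group; if that is intended, a comment after the assignment such as `# a non-numeric group id collapses to '' and is treated as a personal entry` would make it explicit. blog_addentry continues outside this hunk.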
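Review bot: The debug line `err blog-add: \$1=$grprowid rowid=$rowid owner=$owner` now records only the sanitized value, so an argument that numericalize rewrote or emptied leaves no trace of what was actually submitted, and the `\$1=` label no longer describes what is printed. For diagnosing rejected input it is more useful to log both, e.g. `err blog-add: \$1=$1 grprowid=$grprowid rowid=$rowid owner=$owner`. blog_addentry starts and ends outside this hunk.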