Changeset 1115:2b3f369c6456

Timestamp:

03/13/13 15:21:17 (12 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

2.5

Message:

Revert to previous swfupload.swf and quick & dirty hack to prevent XSS vulnerabilities

Location:

inc

Files:

inc/load_plugin_file.php

-                      r270
+                      r1115
+}
+// Prevents XSS vulnerabilities in swfupload.swf
+if (((isset($_GET['buttonText']) && strpos($_GET['buttonText'],'<') !== false) ||
+     (isset($_GET['movieName']) && strpos($_GET['movieName'],';') !== false)) &&
+     strpos($_GET['pf'],'swfupload.swf') !== false) {
+     {
+          header('Content-Type: text/plain');
+          http::head(403,'Forbidden');
+          exit;
+     }
+}
 $allow_types = array('png','jpg','jpeg','gif','css','js','swf');

Note: See TracChangeset for help on using the changeset viewer.