coa/aowow
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Filter/Fixup

Browse source 
* sanitize input before trying to construct filter and redirect
This commit is contained in:
Sarjuuk 2026-03-30 18:13:09 +02:00
parent 681d29e5f3
commit 8ded8e8e97
1 changed files with 29 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

36
endpoints/filter/filter.php
View file

@ -19,14 +19,28 @@ class FilterBaseResponse extends TextResponse
parent::__construct($rawParam); parent::__construct($rawParam);
$catg = null; $catg = $page = null;
if (strstr($rawParam, '=')) if (strstr($rawParam, '='))
[$this->page, $catg] = explode('=', $rawParam); [$page, $catg] = explode('=', $rawParam);
else else
$this->page = $rawParam; $page = $rawParam;
if (!$page || preg_match('/[^a-z\-]/i', $page))
return;
$this->page = strtolower($page);
if ($catg !== null) if ($catg !== null)
$this->catg = explode('.', $catg); {
// category is a string for profiler (region.realm) but not passed through here
foreach (explode('.', $catg) as $c)
{
if (preg_match('/\D/', $c))
break;
$this->catg[] = intval($c);
}
}
$opts = ['parentCats' => $this->catg]; $opts = ['parentCats' => $this->catg];
@ -38,14 +52,22 @@ class FilterBaseResponse extends TextResponse
}; };
// yes, the whole _POST! .. should the input fields be exposed and static so they can be evaluated via BaseResponse::initRequestData() ? // yes, the whole _POST! .. should the input fields be exposed and static so they can be evaluated via BaseResponse::initRequestData() ?
$this->filter = Type::newFilter($fileStr, $_POST, $opts); if (!$this->filter = Type::newFilter($fileStr, $_POST, $opts))
trigger_error('Filter::__construct - tried to init filter from bogus GET data', E_USER_WARNING);
} }
protected function generate() : void protected function generate() : void
{ {
// could not build filter from $this->page > go to front page
if (!$this->filter)
{
$this->redirectTo = '.';
return;
}
$url = '?'.$this->page; $url = '?'.$this->page;
$this->filter?->mergeCat($this->catg); $this->filter->mergeCat($this->catg);
if ($this->catg) if ($this->catg)
$url .= '='.implode('.', $this->catg); $url .= '='.implode('.', $this->catg);
@ -53,7 +75,7 @@ class FilterBaseResponse extends TextResponse
if ($x = $this->filter?->buildGETParam()) if ($x = $this->filter?->buildGETParam())
$url .= '&filter='.$x; $url .= '&filter='.$x;
if ($this->filter?->error) if ($this->filter->error)
$_SESSION['error']['fi'] = $this->filter::class; $_SESSION['error']['fi'] = $this->filter::class;
// do get request // do get request