deon/phpldapadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix XSS vulnerability, when import is using a file upload without a valid LDIF. Also fixes #250 and closes #251

Browse Source
This commit is contained in:
Deon George 2024-01-11 09:23:54 +11:00
parent 528081d909
commit d59cbfef5d
3 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/import.php
View File

@ -103,7 +103,7 @@ function display_pla_parse_error($request) {
printf('<tr><td colspan=2><b>%s</b>:</td></tr>',_('Data')); printf('<tr><td colspan=2><b>%s</b>:</td></tr>',_('Data'));
foreach ($request->error['data'] as $line) foreach ($request->error['data'] as $line)
printf('<tr><td>&nbsp;</td><td>%s</td></tr>',$line); printf('<tr><td>&nbsp;</td><td>%s</td></tr>',htmlspecialchars($line));
echo '</table>'; echo '</table>';
echo '</center>'; echo '</center>';

2
lib/Template.php
View File

@ -660,6 +660,8 @@ class Template extends xmlTemplate {
# If container is not set, we're probably creating the base # If container is not set, we're probably creating the base
elseif ($this->getRDN() && get_request('create_base')) elseif ($this->getRDN() && get_request('create_base'))
return $this->getRDN(); return $this->getRDN();
return '';
} }
public function getDNEncode($url=true) { public function getDNEncode($url=true) {

4
lib/import_functions.php
View File

@ -175,7 +175,9 @@ class ImportLDIF extends Import {
return $this->error(sprintf('%s %s',_('LDIF import only suppports version 1'),$version),$lines); return $this->error(sprintf('%s %s',_('LDIF import only suppports version 1'),$version),$lines);
$haveVersion = true; $haveVersion = true;
$lines = $this->nextLines();
if (! $lines)
$lines = $this->nextLines();
} }
$server = $this->getServer(); $server = $this->getServer();