Escaping of config and language strings

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Escaping of config and language strings

Post by cmb » Tue Jul 17, 2012 7:43 pm

Hello Community,

While trying to implement encrypted passwords, I've stumbled again across the wrong escaping of config and language strings. I reported this a while ago for the pluginloader, but this time I had similar problems in the core, in cmsimple/adm.php line 327:

Code:

$text .= '$' . $a . '[\'' . $k1 . '\'][\'' . $k2 . '\']="' . preg_replace("/\"/s", "", $GLOBALS[$a][$k1][$k2]) . '";' . "\n";
IMO too simple a solution: just remove all double-quotes as they would corrupt the string -- and hope that the user won't enter a backslash (which will often eat up the next character) or even a $-sign (which will eat up the following characters, or in the worst case insert the value of a variable).

Why not simply use addcslashes()?

Code:

addcslashes($GLOBALS[$a][$k1][$k2], "\0..\37\"\$\\")
This $charlist should cater for all possibilities, and so I would prefer it over my suggestion in the thread about the pluginloader's escaping.

IMO this should have been already fixed. ;)

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
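Added example, not code from the thread or from CMSimple_XH: a small PHP script that builds the config line the way adm.php does, once with the original quote-stripping and once with the proposed addcslashes() character list, and round-trips constructed values through it to show where the naive version corrupts the value or breaks the file. It assumes PHP 7 or later (so that eval() throws ParseError on a broken line); the function names and sample values are mine.

```php
<?php
// Naive escaper: the old adm.php behaviour, drop double quotes, leave \ and $ alone.
function naive_escape($value) {
    return preg_replace("/\"/s", "", $value);
}

// Proposed escaper: control chars (octal 0..37), double quote, dollar and backslash.
function safe_escape($value) {
    return addcslashes($value, "\0..\37\"\$\\");
}

// Builds one line of the generated config file exactly as adm.php assembles it.
function config_line($a, $k1, $k2, $value, callable $escape) {
    return '$' . $a . '[\'' . $k1 . '\'][\'' . $k2 . '\']="' . $escape($value) . '";' . "\n";
}

// The CMS include()s the generated file; eval() mimics that in a scratch scope.
// Returns the value the config would really hold, or null if the line is not valid PHP.
function round_trip($line) {
    $cf = array();
    try {
        @eval($line);   // @ silences the "undefined variable" warning for the $-case
    } catch (ParseError $e) {
        return null;
    }
    return isset($cf['site']['title']) ? $cf['site']['title'] : null;
}

// Constructed inputs exercising backslash, dollar, quote and trailing-backslash handling.
$samples = array(
    'Plain title',
    'Path C:\new\temp',      // naive: \n and \t become newline and tab
    'Costs 10 $USD',         // naive: $USD is interpolated as a (missing) variable
    'She said "hi"',         // naive: the quotes are silently dropped
    'Trailing backslash \\', // naive: \" swallows the closing quote -> parse error
);

foreach ($samples as $s) {
    $naive = round_trip(config_line('cf', 'site', 'title', $s, 'naive_escape'));
    $safe  = round_trip(config_line('cf', 'site', 'title', $s, 'safe_escape'));
    printf("%-26s naive: %-22s safe: %s %s\n",
        var_export($s, true), var_export($naive, true), var_export($safe, true),
        $safe === $s ? '(ok)' : '(MISMATCH)');
}
```

Every sample comes back unchanged through safe_escape(), while the naive version returns a mangled string for three of them and null (unparseable config file) for the trailing backslash.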

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: Escaping of config and language strings

Post by cmb » Wed Oct 24, 2012 3:40 pm

Hello Community,

The mentioned issue has been fixed in CMSimple_XH 1.5.4 -- but only for the core. The pluginloader still doesn't escape the strings correctly, as I've just noticed.

So we should make up for that in CMSimple_XH 1.5.6.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
