Changeset 388

Show
Ignore:
Timestamp:
10/22/05 01:39:37 (8 years ago)
Author:
gogo
Message:

Apply #562
Apply some security patches sent in privately by Yermo

Location:
trunk/plugins/SpellChecker
Files:
2 modified

Legend:

Unmodified
Added
Removed

  • trunk/plugins/SpellChecker/aspell_setup.php

    r21 r388  
    11<?php 
     2// REVISION HISTORY: 
     3// 
     4// 2005-08-17 YmL: 
     5//      .       security fix on unchecked variables. Original author missed quite a few 
     6//              holes. 
     7 
    28  umask(000); 
    39  $temptext = tempnam('/tmp', 'spell_'); 
     
    915  { 
    1016      $lang = $_POST['dictionary']; 
    11   } 
    12  
     17  }   
     18  $lang = preg_replace('/[^a-z0-9_]/i', '', $lang); 
     19   
    1320  $aspell      = 'aspell'; 
    1421  $aspell_args = '-a --lang=' . $lang; 
     
    3542  preg_match('/really aspell ([0-9]+)\.([0-9]+)(?:\.([0-9]+))?/i', `$aspell version`, $aVer); 
    3643 
    37   $aVer = array('major' => (int)$aVer[1], 'minor' => (int)$aVer[2], 'release' => (int)$aVer[3]); 
     44  $aVer = array('major' => (int)$aVer[1], 'minor' => (int)$aVer[2], 'release' => (int)@$aVer[3]); 
    3845  if($aVer['major'] >= 0 && $aVer['minor'] >= 60) 
    3946  { 
     
    5057 
    5158  // Personal dictionaries 
    52   if(!isset($_REQUEST['p_dicts_path'])) 
    53   { 
    54     $_REQUEST['p_dicts_path'] = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'personal_dicts'; 
    55   } 
     59  $p_dicts_path = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'personal_dicts'; 
    5660 
    5761  if(file_exists($_REQUEST['p_dicts_path']) && is_writable($_REQUEST['p_dicts_path'])) 
     
    6872        setcookie('SpellChecker_p_dicts_name', $_REQUEST['p_dicts_name'], time() + 60*60*24*365*10); 
    6973      } 
    70     } 
    71     $p_dict_path = $_REQUEST['p_dicts_path'] . DIRECTORY_SEPARATOR . $_REQUEST['p_dicts_name']; 
     74    }     
     75    $p_dict_path = $_REQUEST['p_dicts_path'] . DIRECTORY_SEPARATOR . preg_replace('/[^a-z0-9_]/i', '', $_REQUEST['p_dicts_name']); 
    7276 
    7377    if(!file_exists($p_dict_path)) 
    7478    { 
     79                // since there is a single directory for all users this could end up containing 
     80                // quite a few subdirectories. To prevent a DOS situation we'll limit the  
     81                // total directories created to 2000 (arbitrary). Adjust to suit your installation. 
     82 
     83                $count = 0; 
     84 
     85                if( $dir = @opendir( $p_dicts_path ) ) 
     86                        { 
     87 
     88                        while( FALSE !== ($file = readdir($dir)) ) 
     89                                { 
     90                                $count++; 
     91                                } 
     92                        } 
     93 
     94                // TODO: make this a config value. 
     95 
     96                if ( $count > 2000 ) 
     97                        { 
     98 
     99                        // either very heavy use or a DOS attempt 
     100 
     101                        die(); 
     102 
     103                        } 
     104 
    75105      mkdir($p_dict_path); 
    76106      chmod($p_dict_path, 02770); 
     
    84114  } 
    85115 
     116// as an additional precaution check the aspell_args for illegal  
     117// characters 
     118  $aspell_args = preg_replace( "/[|><;\$]+/", $aspell_args ); 
    86119  $aspelldictionaries = "$aspell dump dicts"; 
    87120  $aspellcommand      = "$aspell $aspell_args < $temptext"; 

  • trunk/plugins/SpellChecker/spell-check-ui.js

    r273 r388  
    239239  else 
    240240  { 
    241     document.getElementById("b_learn").parent.removeChild(document.getElementById("b_learn")); 
     241    document.getElementById("b_learn").parentNode.removeChild(document.getElementById("b_learn")); 
    242242  } 
    243243  document.getElementById("b_replall").onclick = replaceAllClicked;