From: kkalev
Date: Sun, 13 Mar 2005 15:52:35 +0000 (+0000)
Subject: urlencode() all occurrences of the $login variable when used in url's. Bug noted...
X-Git-Url: https://git.entuzijast.net/?a=commitdiff_plain;h=fe107c4db2077d2eabca1465d434dd2734ade497;p=freeradius-dialup-admin.git
urlencode() all occurrences of the $login variable when used in url's. Bug noted by Dag Landau
---
diff --git a/Changelog b/Changelog
index 23d6b4e..e2c525e 100644
--- a/Changelog
+++ b/Changelog
@@ -23,6 +23,7 @@ Ver 1.78:
 long time ago. Bug noted by Nick Bright
 * In user_finger only set LD_LIBRARY_PATH once, not each time we call snmpfinger
 * Add support for usrhiper in snmpfinger. Patch from Nick Bright
+* urlencode() all occurrences of the $login variable when used in url's. Bug noted by Dag Landau
 Ver 1.75:
 * A LOT of security related fixes. Now dialupadmin should hopefully be secure enough to be accessed by normal users (not administrators).
diff --git a/htdocs/accounting.php3 b/htdocs/accounting.php3
index 5f618cb..93d80ae 100644
--- a/htdocs/accounting.php3
+++ b/htdocs/accounting.php3
@@ -281,8 +281,10 @@ echo "\n";
 if ($info == '')
 $info = '-';
 $info = $sql_attrs[$val][func]($info);
- if ($val == 'username')
- $info = "$info";
+ if ($val == 'username'){
+ $Info = urlencode($info);
+ $info = "$info";
+ }
 echo <<$info
 EOM;
diff --git a/htdocs/badusers.php3 b/htdocs/badusers.php3
index ada7422..631ecc3 100644
--- a/htdocs/badusers.php3
+++ b/htdocs/badusers.php3
@@ -153,6 +153,7 @@ if ($link){
 $num++;
 $id = $row[id];
 $user = "$row[username]";
+ $User = urlencode($user);
 $date = "$row[date]";
 $reason = "$row[reason]";
 $admin = "$row[admin]";
@@ -167,7 +168,7 @@ if ($link){
 echo <<
 $num
- $user
+ $user
 $date $admin $reason
diff --git a/htdocs/find.php3 b/htdocs/find.php3
index bde88d5..f83ac7e 100644
--- a/htdocs/find.php3
+++ b/htdocs/find.php3
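Review bot: urlencode() is the right escape for the query-string part of the link, but in accounting.php3 the same `$info` value (a username read from the accounting table) is still interpolated into the heredoc's visible link text and `<td>` markup unescaped; only the `$Info` copy is encoded, and it is presumably the one used in the href. A username containing `<` or `"` therefore still reaches the browser as markup, so the text-context occurrence needs its own escape, e.g. `$info_html = htmlspecialchars($info);` used as the displayed text while `$Info` stays in the URL. The same split applies to `$user` in badusers.php3, find.php3 and user_finger.php3, `$group` in show_groups.php3 and `$acct_login` in user_stats.php3. The HTML tags in these hunks were stripped from the page, so which occurrence is the href and which the text is inferred from the surviving code.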
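Review bot: `$User = urlencode($user);` in badusers.php3 introduces a variable that differs from `$user` only by case, which is easy to misread and mistype in the heredoc a few lines down, and because PHP variable names are case-sensitive a slip would silently emit the raw value with no error. A name that states what the copy is for, `$user_url = urlencode($user);`, makes the intent visible at the use site and lets a reader check each interpolation against its context. The same naming applies to `$Info` in accounting.php3, `$User` in find.php3 and user_finger.php3, `$Group` in show_groups.php3 and `$Acct_login` in user_stats.php3. The enclosing `if ($link){` block starts before the hunk.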
@@ -51,11 +51,12 @@ EOM;
 foreach ($found_users as $user){
 if ($user == '')
 $user = '-';
+ $User = urlencode($user);
 $num++;
 $msg .= <<
 $num
- $user
+ $user
 EOM;
 }
diff --git a/htdocs/show_groups.php3 b/htdocs/show_groups.php3
index 0f72feb..b17e314 100644
--- a/htdocs/show_groups.php3
+++ b/htdocs/show_groups.php3
@@ -75,10 +75,11 @@ include_once("../lib/$config[general_lib_type]/group_info.php3");
 if (isset($existing_groups)){
 foreach ($existing_groups as $group => $num_members){
 $num++;
+ $Group = urlencode($group);
 echo <<
 $num
- $group
+ $group
 $num_members
 EOM;
diff --git a/htdocs/user_finger.php3 b/htdocs/user_finger.php3
index e8696d6..db10017 100644
--- a/htdocs/user_finger.php3
+++ b/htdocs/user_finger.php3
@@ -184,13 +184,14 @@ EOM;
 $user = $finger_info[$j][$k][user];
 if ($user == '')
 $user = ' ';
+ $User = urlencode($user);
 $time = $finger_info[$j][$k][session_time];
 $ip = $finger_info[$j][$k][ip];
 $cid = $finger_info[$j][$k][callerid];
 $inf = $user_info[$user];
 echo <<
- $k$user
+ $k$user
 EOM;
 if ($acct_attrs['uf'][4] != '') echo "$ip\n";
 if ($acct_attrs['uf'][9] != '') echo "$cid\n";
diff --git a/htdocs/user_stats.php3 b/htdocs/user_stats.php3
index 17b516e..0ba2b18 100644
--- a/htdocs/user_stats.php3
+++ b/htdocs/user_stats.php3
@@ -120,8 +120,10 @@ if ($link){
 $acct_login = $row[username];
 if ($acct_login == '')
 $acct_login = '-';
- else
- $acct_login = "$acct_login";
+ else{
+ $Acct_login = urlencode($acct_login);
+ $acct_login = "$acct_login";
+ }
 $acct_time = $row[conntotduration];
 $acct_time = time2str($acct_time);
 $acct_conn_num = $row[connnum];
diff --git a/html/group_toolbar.html.php3 b/html/group_toolbar.html.php3
index 0763565..c31d599 100644
--- a/html/group_toolbar.html.php3
+++ b/html/group_toolbar.html.php3
@@ -1,12 +1,13 @@
-ADMIN
+ADMIN
-EDIT
+EDIT
-DELETE
+DELETE
 EOM;
 ?>
diff --git a/html/user_toolbar.html.php3 b/html/user_toolbar.html.php3
index 8ac6db5..892ee43 100644
--- a/html/user_toolbar.html.php3
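Review bot: In find.php3 `$User = urlencode($user);` runs after the `$user = '-'` placeholder substitution, so an empty username still produces a link whose target is the literal placeholder; user_finger.php3 in the same commit has the same ordering with its blank placeholder. user_stats.php3, also in this commit, handles that case differently: the link is only built in the `else` branch, so the `-` placeholder is displayed without a link. For consistency the two loops could follow that shape, e.g. `if ($user == '') { $user = '-'; } else { $User = urlencode($user); }` with the heredoc emitting the link only when `$User` is set; whether a link to an empty username is ever useful here cannot be told from the hunk. The foreach in find.php3 and the surrounding loop in user_finger.php3 both begin before their hunks.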
+++ b/html/user_toolbar.html.php3
@@ -1,27 +1,28 @@
-SHOW
+SHOW
-EDIT
+EDIT
-USER INFO
+USER INFO
-ACCOUNTING
+ACCOUNTING
-BADUSERS
+BADUSERS
-DELETE
+DELETE
-TEST
+TEST
-OPEN SESSIONS
+OPEN SESSIONS
 EOM;