authoryorhel <yorhel@1fe2e327-d9db-4752-bcf7-ef0cb4a1748b>2008-07-27 10:13:34 +0000
committeryorhel <yorhel@1fe2e327-d9db-4752-bcf7-ef0cb4a1748b>2008-07-27 10:13:34 +0000
commit4cd4507ddc82c8639b03b3c233392550a971464e (patch)
tree5fe5d24b7b4c5e08dae69d8b28973a6a985c6048
parent0f22533bdf554b88f1b5f9592a078382e272ad31 (diff)
Fixed several major SQL injection bugs introduced in r26
git-svn-id: svn://vndb.org/vndb@71 1fe2e327-d9db-4752-bcf7-ef0cb4a1748b
-rw-r--r--lib/VNDB/Discussions.pm1
-rw-r--r--lib/VNDB/HomePages.pm1
-rw-r--r--lib/VNDB/Producers.pm5
-rw-r--r--lib/VNDB/Releases.pm4
-rw-r--r--lib/VNDB/Users.pm1
-rw-r--r--lib/VNDB/VN.pm9
-rw-r--r--lib/VNDB/VNLists.pm1
-rw-r--r--lib/VNDB/Votes.pm5
8 files changed, 20 insertions, 7 deletions
diff --git a/lib/VNDB/Discussions.pm b/lib/VNDB/Discussions.pm
index 4c015357..85b6db9b 100644
--- a/lib/VNDB/Discussions.pm
+++ b/lib/VNDB/Discussions.pm
@@ -150,6 +150,7 @@ sub TTag {
my $f = $self->FormCheck(
{ name => 'p', required => 0, default => 1, template => 'int' },
);
+ return $self->ResNotFound if $f->{_err};
my $o = !$iid ? undef :
$type eq 'u' ? $self->DBGetUser(uid => $iid)->[0] :
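Review bot: The new guard `return $self->ResNotFound if $f->{_err};` has to be repeated at every FormCheck call site (here and in the HomePages, Producers, Users, VN, VNLists and Votes hunks of this commit), so a single site that forgets it reintroduces exactly the problem the commit fixes. A more robust fix would make FormCheck fail closed — replace a rejected value with its `default`, or die — so an unchecked `_err` can never reach the database layer, with the per-site check kept as a second layer. `ResNotFound` is also written without parentheses here while `ResNotFound()` is used elsewhere on this page (e.g. Producers.pm); one form should be used throughout. TTag's body continues outside the hunk.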
diff --git a/lib/VNDB/HomePages.pm b/lib/VNDB/HomePages.pm
index 62cffe3b..63adcab7 100644
--- a/lib/VNDB/HomePages.pm
+++ b/lib/VNDB/HomePages.pm
@@ -76,6 +76,7 @@ sub History { # type(p,v,r,u), id, [rss.xml|/]
{ name => 'i', required => 0, default => 0, enum => [ 0..1 ] },
{ name => 'h', required => 0, default => 0, enum => [ 0..2 ] }, # hidden option
);
+ return $self->ResNotFound if $f->{_err};
my $o =
$type eq 'u' ? $self->DBGetUser(uid => $id)->[0] :
diff --git a/lib/VNDB/Producers.pm b/lib/VNDB/Producers.pm
index 37cb1ecf..2de29b19 100644
--- a/lib/VNDB/Producers.pm
+++ b/lib/VNDB/Producers.pm
@@ -45,6 +45,7 @@ sub PBrowse {
{ name => 'p', required => 0, default => 1, template => 'int' },
{ name => 'q', required => 0, default => '' }
);
+ return $self->ResNotFound if $p->{_err};
my($r, $np) = $self->DBGetProducer(
$chr ne 'all' ? (
@@ -69,7 +70,9 @@ sub PEdit {
my $self = shift;
my $id = shift || 0; # 0 = new
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
my $p = $self->DBGetProducer(id => $id, what => 'changes', $rev ? ( rev => $rev ) : ())->[0] if $id;
return $self->ResNotFound() if $id && !$p;
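Review bot: `$rev` holds the FormCheck hashref for two statements and then the integer, so `return $self->ResNotFound if $rev->{_err};` reads as if a revision number had an `_err` field; the same reuse appears in Releases.pm (REdit) and VN.pm (VNEdit). Clearer to name the form result separately: `my $frm = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });`, `return $self->ResNotFound if $frm->{_err};`, `my $rev = $frm->{rev};`. PEdit's body continues outside the hunk.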
diff --git a/lib/VNDB/Releases.pm b/lib/VNDB/Releases.pm
index 58270a3f..3dcf4153 100644
--- a/lib/VNDB/Releases.pm
+++ b/lib/VNDB/Releases.pm
@@ -46,7 +46,9 @@ sub REdit {
my $rid = $act eq 'r' ? $id : 0;
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
my $r = $self->DBGetRelease(id => $rid, what => 'changes producers platforms media vn', $rev ? ( rev => $rev ) : ())->[0] if $rid;
my $ivn = $self->DBGetVN(id => $id)->[0] if !$rid;
diff --git a/lib/VNDB/Users.pm b/lib/VNDB/Users.pm
index 670086cc..4b953d17 100644
--- a/lib/VNDB/Users.pm
+++ b/lib/VNDB/Users.pm
@@ -192,6 +192,7 @@ sub UsrList {
{ name => 'o', required => 0, default => 'a', enum => [ 'a','d' ] },
{ name => 'p', required => 0, default => 1, template => 'int' },
);
+ return $self->ResNotFound if $f->{_err};
my($unfo, $np) = $self->DBGetUser(
order => $f->{s}.($f->{o} eq 'a' ? ' ASC' : ' DESC'),
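Review bot: The `order` value on the line after the new guard is still built by string concatenation from `$f->{s}` and `$f->{o}`, and presumably ends up in an ORDER BY clause inside DBGetUser, so the enum on `s` (if one is declared above this hunk) plus the new `_err` test are the only things between the query parameter and the SQL. Looking the sort key up in a hash of accepted column names (`my %order_col = (...)`) instead of passing the user-supplied string through would keep a missed or later loosened check from becoming an injection again. UsrList's body continues outside the hunk.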
diff --git a/lib/VNDB/VN.pm b/lib/VNDB/VN.pm
index edf644ab..fadba900 100644
--- a/lib/VNDB/VN.pm
+++ b/lib/VNDB/VN.pm
@@ -62,7 +62,9 @@ sub VNEdit {
my $self = shift;
my $id = shift; # 0 = new
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
my $v = $self->DBGetVN(id => $id, what => 'extended changes relations categories anime', $rev ? ( rev => $rev ) : ())->[0] if $id;
return $self->ResNotFound() if $id && !$v;
@@ -212,13 +214,14 @@ sub VNBrowse {
$chr = 'all' if !defined $chr;
my $f = $self->FormCheck(
- { name => 's', required => 0, default => 'title', enum => [ qw|title released| ] },
+ { name => 's', required => 0, default => 'title', enum => [ qw|title released votes| ] },
{ name => 'o', required => 0, default => 'a', enum => [ 'a','d' ] },
{ name => 'q', required => 0, default => '' },
{ name => 'sq', required => 0, default => '' },
{ name => 'p', required => 0, template => 'int', default => 1},
);
- $f->{s} = 'title' if $f->{_err};
+ return $self->ResNotFound if $f->{_err};
+ $f->{s} = 'title' if $f->{s} eq 'votes';
$f->{q} ||= $f->{sq};
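Review bot: `votes` is added to the `s` enum only to be rewritten to `title` by the new line `$f->{s} = 'title' if $f->{s} eq 'votes';`, so the value is accepted and then silently ignored. If sorting by votes is not implemented yet, a comment on that line saying so (`# 'votes' accepted but not yet implemented; fall back to title`) would explain the rewrite; otherwise drop it from the enum so the `_err` guard treats it like any other unknown value. VNBrowse's body continues outside the hunk.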
diff --git a/lib/VNDB/VNLists.pm b/lib/VNDB/VNLists.pm
index c0f1ac1d..2a8be0a8 100644
--- a/lib/VNDB/VNLists.pm
+++ b/lib/VNDB/VNLists.pm
@@ -49,6 +49,7 @@ sub VNMyList {
{ name => 'p', required => 0, template => 'int', default => 1 },
{ name => 't', required => 0, enum => [ -1..$#$VNDB::LSTAT ], default => -1 },
);
+ return $self->ResNotFound if $f->{_err};
if($self->ReqMethod eq 'POST') {
my $frm = $self->FormCheck(
diff --git a/lib/VNDB/Votes.pm b/lib/VNDB/Votes.pm
index a6089b3d..99b28465 100644
--- a/lib/VNDB/Votes.pm
+++ b/lib/VNDB/Votes.pm
@@ -18,9 +18,9 @@ sub VNVote {
return $self->ResDenied() if !$uid;
my $f = $self->FormCheck(
- { name => 'v', required => 0, default => 0, enum => [ '-1','1'..'10'] }
+ { name => 'v', required => 1, default => 0, enum => [ '-1','1'..'10'] }
);
- return $self->ResNotFound() if !$f->{v};
+ return $self->ResNotFound() if $f->{_err};
$self->DBDelVote($uid, $id) if $f->{v} == -1 || $self->DBGetVotes(uid => $uid, vid => $id)->[0]{vid};
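Review bot: `required => 1` and `default => 0` on the `v` field contradict each other: a required field presumably never falls back to its default, so `default => 0` is dead and suggests 0 is an accepted vote, while the enum allows only -1 and 1..10. Drop the default, i.e. `{ name => 'v', required => 1, enum => [ '-1','1'..'10'] }`, so the declaration matches the new `_err` check that replaced `!$f->{v}`. VNVote's body continues outside the hunk.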
@@ -42,6 +42,7 @@ sub VNVotes {
{ name => 'o', required => 0, default => 'd', enum => [ 'a','d' ] },
{ name => 'p', required => 0, default => 1, template => 'int' },
);
+ return $self->ResNotFound if $f->{_err};
my $order = $f->{s} . ($f->{o} eq 'a' ? ' ASC' : ' DESC');
my ($votes, $np) = $self->DBGetVotes(