author | yorhel <yorhel@1fe2e327-d9db-4752-bcf7-ef0cb4a1748b> | 2008-07-27 10:13:34 +0000 |
---|---|---|
committer | yorhel <yorhel@1fe2e327-d9db-4752-bcf7-ef0cb4a1748b> | 2008-07-27 10:13:34 +0000 |
commit | 4cd4507ddc82c8639b03b3c233392550a971464e (patch) | |
tree | 5fe5d24b7b4c5e08dae69d8b28973a6a985c6048 /lib | |
parent | 0f22533bdf554b88f1b5f9592a078382e272ad31 (diff) |
Fixed several major SQL injection bugs introduced in r26
git-svn-id: svn://vndb.org/vndb@71 1fe2e327-d9db-4752-bcf7-ef0cb4a1748b
Diffstat (limited to 'lib')
-rw-r--r-- | lib/VNDB/Discussions.pm | 1 | ||||
-rw-r--r-- | lib/VNDB/HomePages.pm | 1 | ||||
-rw-r--r-- | lib/VNDB/Producers.pm | 5 | ||||
-rw-r--r-- | lib/VNDB/Releases.pm | 4 | ||||
-rw-r--r-- | lib/VNDB/Users.pm | 1 | ||||
-rw-r--r-- | lib/VNDB/VN.pm | 9 | ||||
-rw-r--r-- | lib/VNDB/VNLists.pm | 1 | ||||
-rw-r--r-- | lib/VNDB/Votes.pm | 5 |
8 files changed, 20 insertions, 7 deletions
diff --git a/lib/VNDB/Discussions.pm b/lib/VNDB/Discussions.pm
index 4c015357..85b6db9b 100644
--- a/lib/VNDB/Discussions.pm
+++ b/lib/VNDB/Discussions.pm
@@ -150,6 +150,7 @@ sub TTag {
 my $f = $self->FormCheck(
 { name => 'p', required => 0, default => 1, template => 'int' },
 );
+ return $self->ResNotFound if $f->{_err};
 my $o = !$iid ? undef : $type eq 'u' ? $self->DBGetUser(uid => $iid)->[0] :
diff --git a/lib/VNDB/HomePages.pm b/lib/VNDB/HomePages.pm
index 62cffe3b..63adcab7 100644
--- a/lib/VNDB/HomePages.pm
+++ b/lib/VNDB/HomePages.pm
@@ -76,6 +76,7 @@ sub History { # type(p,v,r,u), id, [rss.xml|/]
 { name => 'i', required => 0, default => 0, enum => [ 0..1 ] },
 { name => 'h', required => 0, default => 0, enum => [ 0..2 ] }, # hidden option
 );
+ return $self->ResNotFound if $f->{_err};
 my $o = $type eq 'u' ? $self->DBGetUser(uid => $id)->[0] :
diff --git a/lib/VNDB/Producers.pm b/lib/VNDB/Producers.pm
index 37cb1ecf..2de29b19 100644
--- a/lib/VNDB/Producers.pm
+++ b/lib/VNDB/Producers.pm
@@ -45,6 +45,7 @@ sub PBrowse {
 { name => 'p', required => 0, default => 1, template => 'int' },
 { name => 'q', required => 0, default => '' }
 );
+ return $self->ResNotFound if $p->{_err};
 my($r, $np) = $self->DBGetProducer(
 $chr ne 'all' ? (
@@ -69,7 +70,9 @@ sub PEdit {
 my $self = shift;
 my $id = shift || 0; # 0 = new
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
 my $p = $self->DBGetProducer(id => $id, what => 'changes', $rev ? ( rev => $rev ) : ())->[0] if $id;
 return $self->ResNotFound() if $id && !$p;
diff --git a/lib/VNDB/Releases.pm b/lib/VNDB/Releases.pm
index 58270a3f..3dcf4153 100644
--- a/lib/VNDB/Releases.pm
+++ b/lib/VNDB/Releases.pm
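Review bot: The three new `$rev` lines in PEdit are the same block that REdit and VNEdit add in this commit, and the bug being fixed was precisely a `->{rev}` that threw `_err` away, so the next copy of this pattern is likely to regress the same way. Move the lookup into one base-class helper (a `FormRev` method that runs this FormCheck and returns undef on `_err`, else `$f->{rev}`) so every call site reduces to `my $rev = $self->FormRev; return $self->ResNotFound if !defined $rev;`. Longer term FormCheck itself should fail closed by replacing a rejected value with the field's default — the old VNBrowse line `$f->{s} = 'title' if $f->{_err}` suggests it currently leaves the rejected input in `$f`, which is what turned a forgotten check into SQL injection. PEdit's body continues past the hunk.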
@@ -46,7 +46,9 @@ sub REdit {
 my $rid = $act eq 'r' ? $id : 0;
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
 my $r = $self->DBGetRelease(id => $rid, what => 'changes producers platforms media vn', $rev ? ( rev => $rev ) : ())->[0] if $rid;
 my $ivn = $self->DBGetVN(id => $id)->[0] if !$rid;
diff --git a/lib/VNDB/Users.pm b/lib/VNDB/Users.pm
index 670086cc..4b953d17 100644
--- a/lib/VNDB/Users.pm
+++ b/lib/VNDB/Users.pm
@@ -192,6 +192,7 @@ sub UsrList {
 { name => 'o', required => 0, default => 'a', enum => [ 'a','d' ] },
 { name => 'p', required => 0, default => 1, template => 'int' },
 );
+ return $self->ResNotFound if $f->{_err};
 my($unfo, $np) = $self->DBGetUser(
 order => $f->{s}.($f->{o} eq 'a' ? ' ASC' : ' DESC'),
diff --git a/lib/VNDB/VN.pm b/lib/VNDB/VN.pm
index edf644ab..fadba900 100644
--- a/lib/VNDB/VN.pm
+++ b/lib/VNDB/VN.pm
@@ -62,7 +62,9 @@ sub VNEdit {
 my $self = shift;
 my $id = shift; # 0 = new
- my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' })->{rev};
+ my $rev = $self->FormCheck({ name => 'rev', required => 0, default => 0, template => 'int' });
+ return $self->ResNotFound if $rev->{_err};
+ $rev = $rev->{rev};
 my $v = $self->DBGetVN(id => $id, what => 'extended changes relations categories anime', $rev ? ( rev => $rev ) : ())->[0] if $id;
 return $self->ResNotFound() if $id && !$v;
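Review bot: `order => $f->{s}.($f->{o} eq 'a' ? ' ASC' : ' DESC')` in UsrList still builds the ORDER BY clause by concatenating a request parameter, so its safety rests entirely on the enum for `s` (declared above this hunk, not visible here) and on the `_err` check this commit adds never being dropped again. A second line of defence costs little: have DBGetUser map the sort key through an allowlist hash of column names instead of interpolating whatever string it is handed, and reject anything not in the map, so a future caller that forgets `_err` cannot inject. The same concatenation appears in VNVotes in this commit. UsrList's body continues past the hunk.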
@@ -212,13 +214,14 @@ sub VNBrowse {
 $chr = 'all' if !defined $chr;
 my $f = $self->FormCheck(
- { name => 's', required => 0, default => 'title', enum => [ qw|title released| ] },
+ { name => 's', required => 0, default => 'title', enum => [ qw|title released votes| ] },
 { name => 'o', required => 0, default => 'a', enum => [ 'a','d' ] },
 { name => 'q', required => 0, default => '' },
 { name => 'sq', required => 0, default => '' },
 { name => 'p', required => 0, template => 'int', default => 1},
 );
- $f->{s} = 'title' if $f->{_err};
+ return $self->ResNotFound if $f->{_err};
+ $f->{s} = 'title' if $f->{s} eq 'votes';
 $f->{q} ||= $f->{sq};
diff --git a/lib/VNDB/VNLists.pm b/lib/VNDB/VNLists.pm
index c0f1ac1d..2a8be0a8 100644
--- a/lib/VNDB/VNLists.pm
+++ b/lib/VNDB/VNLists.pm
@@ -49,6 +49,7 @@ sub VNMyList {
 { name => 'p', required => 0, template => 'int', default => 1 },
 { name => 't', required => 0, enum => [ -1..$#$VNDB::LSTAT ], default => -1 },
 );
+ return $self->ResNotFound if $f->{_err};
 if($self->ReqMethod eq 'POST') {
 my $frm = $self->FormCheck(
diff --git a/lib/VNDB/Votes.pm b/lib/VNDB/Votes.pm
index a6089b3d..99b28465 100644
--- a/lib/VNDB/Votes.pm
+++ b/lib/VNDB/Votes.pm
@@ -18,9 +18,9 @@ sub VNVote {
 return $self->ResDenied() if !$uid;
 my $f = $self->FormCheck(
- { name => 'v', required => 0, default => 0, enum => [ '-1','1'..'10'] }
+ { name => 'v', required => 1, default => 0, enum => [ '-1','1'..'10'] }
 );
- return $self->ResNotFound() if !$f->{v};
+ return $self->ResNotFound() if $f->{_err};
 $self->DBDelVote($uid, $id) if $f->{v} == -1 || $self->DBGetVotes(uid => $uid, vid => $id)->[0]{vid};
@@ -42,6 +42,7 @@ sub VNVotes {
 { name => 'o', required => 0, default => 'd', enum => [ 'a','d' ] },
 { name => 'p', required => 0, default => 1, template => 'int' },
 );
+ return $self->ResNotFound if $f->{_err};
 my $order = $f->{s} . ($f->{o} eq 'a' ? ' ASC' : ' DESC');
 my ($votes, $np) = $self->DBGetVotes(
|
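Review bot: `$f->{s} = 'title' if $f->{s} eq 'votes';` in VNBrowse accepts `votes` in the enum one line earlier only to throw it away, and nothing says why — presumably ordering by votes is not supported by the query further down yet. A one-line comment would stop someone from "fixing" the coercion later: `# 'votes' is accepted so the sort link validates, but ordering by votes is not implemented yet; fall back to title`. VNBrowse continues past the hunk, where `$f->{s}` is consumed.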
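Review bot: Nothing in the VNVote hunk gates `$self->DBDelVote($uid, $id)` on request method or an anti-CSRF token, while VNMyList in this same commit wraps its write in `if($self->ReqMethod eq 'POST')`. If VNVote is reachable with a GET such as `?v=-1`, any third-party page can delete or change a logged-in user's vote with an `<img>` tag — worth confirming how the vote links are generated. If the links must stay GET, bind them to a per-session token checked here before the database write; otherwise add `return $self->ResDenied() if $self->ReqMethod ne 'POST';` above the FormCheck. With `required => 1` the `default => 0` also looks dead if FormCheck only applies defaults to absent optional fields — confirm and drop it. VNVote's body continues past the hunk.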