Validate 'archiveDate' user data in Versioned

Not a security issue as such, since the user input is sanitized
before being used in Versioned->augmentSQL(). But it shouldn't
reach the session state either, since that's commonly assumed
to be sanitized data, and it leaves unnecessary room for error.

strtotime() has fairly loose validation rules around dates,
but it's a good "first line of defence".

Ingo Schommer 2013-08-15 22:17:38 +02:00
parent 810f505924
commit 74f65540a2

@ -841,7 +841,7 @@ class Versioned extends DataExtension {
Session::set('readingMode', 'Stage.' . $stage);
}
if(isset($_GET['archiveDate'])) {
if(isset($_GET['archiveDate']) && strtotime($_GET['archiveDate'])) {
Session::set('readingMode', 'Archive.' . $_GET['archiveDate']);
}
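
Review bot: The new condition `strtotime($_GET['archiveDate'])` validates the input, but the following line still writes the raw `$_GET['archiveDate']` string to the session, so any value strtotime() accepts (including relative expressions such as "now" or "+1 week") is stored in `readingMode` verbatim. Consider parsing once into a variable, comparing it with `!== false` (the truthiness test also rejects the valid epoch timestamp 0), and storing a normalized form, for example `Session::set('readingMode', 'Archive.' . date('Y-m-d H:i:s', $ts));`. An `is_string()` guard before the strtotime() call would also be worth adding, since a query parameter can arrive as an array.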