[Gforge-commits] r6083 - trunk/gforge/www/people
lo-lan-do at svr1.gforge.org
Thu Sep 6 03:07:42 EDT 2007
Author: lo-lan-do
Date: 2007-09-06 03:07:33 -0400 (Thu, 06 Sep 2007)
New Revision: 6083
Modified:
trunk/gforge/www/people/editprofile.php
Log:
Fixed SQL injection vulnerability due to insufficient input sanitizing (CVE-2007-3913).
Modified: trunk/gforge/www/people/editprofile.php
===================================================================
--- trunk/gforge/www/people/editprofile.php 2007-09-05 13:29:14 UTC (rev 6082)
+++ trunk/gforge/www/people/editprofile.php 2007-09-06 07:07:33 UTC (rev 6083)
@@ -159,7 +159,13 @@
}
if (getStringFromRequest('MultiDelete')) {
- $skill_delete = getStringFromRequest('skill_delete');
+ $unfiltered_skill_delete_array = getArrayFromRequest('skill_delete');
+ $skill_delete = array() ;
+ foreach ($unfiltered_skill_delete AS $usd) {
+ if (is_numeric ($usd)) {
+ $skill_delete[] = $usd;
+ }
+ }
$numItems = count($skill_delete);
if($numItems == 0) {
$feedback .= _('No skills selected to delete.');
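Review bot: The filtering loop iterates `$unfiltered_skill_delete`, but the request array was stored in `$unfiltered_skill_delete_array` on the line above, so the foreach runs over an undefined variable and `$skill_delete` stays empty; every MultiDelete request then falls into the "No skills selected to delete." branch and the intended filtered list never reaches the delete query. The fix is `foreach ($unfiltered_skill_delete_array AS $usd) {`. The `is_numeric()` check is also looser than the column type needs, since it accepts values such as `'1e3'`, `' 5'` and (on PHP of this era) hex-style strings, so storing `$skill_delete[] = (int) $usd;` or testing with `ctype_digit($usd)` would keep the later SQL strictly integer. The hunk's last context line is cut off in this view, so what follows the count check is not visible here.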