user input not sanitized
coreyp_1 - August 14, 2008 - 07:59
| Project: | Skipcart |
| Version: | 5.x-1.10 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Description
Arguments passed to the "/skipcart" callback are not checked before they are passed on to other functions, resulting in PHP errors.
To reproduce the error, go to a link like this: example.com/skipcart/test . "test" is passed to cart_add_item(), which in turn passes it to node_load(), which throws a PHP error.
A better approach might be to replace this portion of code:
<?php
/**
 * Callback for the "/skipcart" path: takes the path argument at index 1 as a
 * product node ID, optionally empties the cart, then adds that item.
 *
 * NOTE(review): arg(1) comes from the request URL and is only tested for
 * truthiness below, so any non-empty string reaches cart_add_item() and the
 * watchdog() messages unchanged.
 */
function skipcart_item() {
// Rejects only a missing or empty argument; the value's type is not checked.
if ( !arg(1)) {
drupal_set_message("No arg passed to skipcart.",'error');
return 'Exiting';
}
// Still the raw string from the URL at this point.
$product_nid = arg(1);
// empty the cart
// cart.module line 1058
// function cart_empty($cookie_id = null) {
// this only happens if they have it turned on
if ( variable_get('skipcart_clearcart','0')) {
// The cart is emptied before the argument has been shown to be a valid item.
cart_empty();
// NOTE(review): the raw URL value is interpolated into the log message;
// confirm whether the log viewer escapes messages or the caller must.
watchdog('Skipcart',"Cart emptied in preparation for skipcarting $product_nid");
}
// add this item
// cart.module line 946
// function cart_add_item($nid, $qty = NULL, $data = NULL) {
// Quantity is fixed at 1; $product_nid is passed through unvalidated.
cart_add_item($product_nid,1);
watchdog('Skipcart',"NID $product_nid added to new cart");
?>with this:
<?php
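/**
 * Callback for the "/skipcart" path: validates the path argument at index 1
 * as a node ID, optionally empties the cart, then adds that item.
 *
 * arg(1) comes from the request URL, so it is treated as untrusted: only a
 * string consisting entirely of decimal digits that converts to a positive
 * integer is accepted. Everything after the check uses the integer value.
 *
 * @return
 *   The string 'Exiting' when the argument is missing or invalid.
 */
function skipcart_item() {
  $raw_arg = arg(1);

  // A bare (int) cast would accept "12abc" as 12 and let "-5" through as a
  // truthy value, so require digits only before converting. The D modifier
  // stops "$" from matching before a trailing newline.
  $product_nid = 0;
  if (is_string($raw_arg) && preg_match('/^[0-9]+$/D', $raw_arg)) {
    $product_nid = (int) $raw_arg;
  }

  if ($product_nid <= 0) {
    // Fixed message text only; the rejected value is never echoed back.
    drupal_set_message($raw_arg ? "Invalid arg passed to skipcart" : "No arg passed to skipcart.", 'error');
    return 'Exiting';
  }

  // empty the cart
  // cart.module line 1058
  // function cart_empty($cookie_id = null) {
  // this only happens if they have it turned on
  if (variable_get('skipcart_clearcart', '0')) {
    // NOTE(review): the cart is emptied before it is known that the nid
    // refers to an existing product; confirm this ordering is intended.
    cart_empty();
    watchdog('Skipcart', "Cart emptied in preparation for skipcarting $product_nid");
  }

  // add this item
  // cart.module line 946
  // function cart_add_item($nid, $qty = NULL, $data = NULL) {
  // NOTE(review): a well-formed nid can still name a node that does not exist
  // or is not a product; confirm cart_add_item() handles that case.
  cart_add_item($product_nid, 1);
  watchdog('Skipcart', "NID $product_nid added to new cart");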
?>