author | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 16:34:21 -0500 |
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 16:36:44 -0500 |
commit | 453a161a78acf07926a9ad7a8afef7cb07b23e7b (patch) | |
tree | 17bc28a2fc5bb437ae5bcf3a049c24102c2903eb | |
parent | 266f7cea9bd51df298cc45fbb8abb39a1375acd2 (diff) | |
download | ampache-453a161a78acf07926a9ad7a8afef7cb07b23e7b.tar.gz ampache-453a161a78acf07926a9ad7a8afef7cb07b23e7b.tar.bz2 ampache-453a161a78acf07926a9ad7a8afef7cb07b23e7b.zip |
Scrub user data in User->update()
Fixes another persistent XSS vulnerability.
-rwxr-xr-x | docs/CHANGELOG | 2 | ||||
-rw-r--r-- | lib/class/user.class.php | 23 |
2 files changed, 15 insertions, 10 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 82ffa1a6..6d4fba04 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,8 @@
 --------------------------------------------------------------------------
 v.3.6-FUTURE
+ - Fixed persistent XSS vulnerability in user self-editing (reported by
+ Jean-Lou Hau)
 - Fixed persistent XSS vulnerabilities in AJAX object editing (reported by
 Jean-Lou Hau)
 - Fixed character set detection for ID3v1 tags
diff --git a/lib/class/user.class.php b/lib/class/user.class.php
index edc711e9..56ed97bc 100644
--- a/lib/class/user.class.php
+++ b/lib/class/user.class.php
@@ -396,7 +396,6 @@ class User extends database_object {
 * good stuff
 */
 public function update($data) {
-
 if (empty($data['username'])) {
 Error::add('username', T_('Error Username Required'));
 }
@@ -409,14 +408,20 @@ class User extends database_object {
 return false;
 }
- foreach ($data as $name=>$value) {
+ foreach ($data as $name => $value) {
+ if ($name == 'password1') {
+ $name = 'password';
+ }
+ else {
+ $value = scrub_in($value);
+ }
+
 switch ($name) {
- case 'password1';
- $name = 'password';
+ case 'password';
 case 'access':
 case 'email':
 case 'username':
- case 'fullname';
+ case 'fullname':
 if ($this->$name != $value) {
 $function = 'update_' . $name;
 $this->$function($value);
@@ -425,13 +430,11 @@ class User extends database_object {
 default:
 // Rien a faire
 break;
- } // end switch on field
-
- } // end foreach
+ }
+ }
 return true;
-
- } // update
+ }
 /**
 * update_username
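Review bot: In the second hunk of lib/class/user.class.php, `case 'password';` keeps the semicolon form while `case 'fullname';` is corrected to `case 'fullname':` in the same hunk; PHP accepts both, but the leftover reads like a typo and should become `case 'password':`. The new `else { $value = scrub_in($value); }` transforms every non-password field before it is stored and before the `$this->$name != $value` comparison, so whatever encoding scrub_in applies (its body is not in this diff) is persisted into the user record; if it HTML-encodes, any consumer that also escapes on output will double-encode, so escaping at the rendering point remains the companion fix that makes the stored data safe regardless of what reached the database. The comparison `if ($name == 'password1') {` should be strict, `if ($name === 'password1') {`, since `$name` is an array key under caller control. The switch's explicit case list is what bounds the dynamic `'update_' . $name` method call to known updaters; that invariant deserves a sentence in the doc comment of `update()`, whose header and body start and end outside this hunk.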