-rwxr-xr-xdocs/CHANGELOG2
-rw-r--r--lib/class/user.class.php23
2 files changed, 15 insertions, 10 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 82ffa1a6..6d4fba04 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,8 @@
--------------------------------------------------------------------------
v.3.6-FUTURE
+ - Fixed persistent XSS vulnerability in user self-editing (reported by
+ Jean-Lou Hau)
- Fixed persistent XSS vulnerabilities in AJAX object editing (reported by
Jean-Lou Hau)
- Fixed character set detection for ID3v1 tags
diff --git a/lib/class/user.class.php b/lib/class/user.class.php
index edc711e9..56ed97bc 100644
--- a/lib/class/user.class.php
+++ b/lib/class/user.class.php
@@ -396,7 +396,6 @@ class User extends database_object {
* good stuff
*/
public function update($data) {
-
if (empty($data['username'])) {
Error::add('username', T_('Error Username Required'));
}
@@ -409,14 +408,20 @@ class User extends database_object {
return false;
}
- foreach ($data as $name=>$value) {
+ foreach ($data as $name => $value) {
+ if ($name == 'password1') {
+ $name = 'password';
+ }
+ else {
+ $value = scrub_in($value);
+ }
+
switch ($name) {
- case 'password1';
- $name = 'password';
+ case 'password';
case 'access':
case 'email':
case 'username':
- case 'fullname';
+ case 'fullname':
if ($this->$name != $value) {
$function = 'update_' . $name;
$this->$function($value);
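Review bot: The added `case 'password';` still ends in a semicolon while the same hunk corrects `case 'fullname';` to `case 'fullname':`; PHP accepts both forms, but the new line should read `case 'password':` so the case list is consistent. The added rename test `if ($name == 'password1')` uses loose comparison where `if ($name === 'password1')` would be the safer form, since `$name` is an array key from the caller. Applying scrub_in() to every non-password value before the switch is what closes the stored-XSS path named in the CHANGELOG, but scrub_in()'s definition is not in this diff, so I cannot confirm it is correct for every context these fields are later rendered in; escaping at output with htmlspecialchars() where they are displayed remains the reliable defence, and scrubbing on input should be treated as a second layer rather than a substitute. The body of update() continues past the end of this hunk.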
@@ -425,13 +430,11 @@ class User extends database_object {
default:
// Rien a faire
break;
- } // end switch on field
-
- } // end foreach
+ }
+ }
return true;
-
- } // update
+ }
/**
* update_username