diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index d97e1d7d..4a53e8e3 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -293,7 +293,7 @@ class LAMConfig {
 */
 function __construct($file) {
 if (empty($file) || !preg_match("/^[a-z0-9_-]+$/i", $file)) {
- logNewMessage('ERROR', 'Invalid config file name: ' . $file);
+ logNewMessage(LOG_ERR, 'Invalid config file name: ' . $file);
 die();
 }
 // load first profile if none is given
diff --git a/lam/templates/delete.php b/lam/templates/delete.php
index f9b8044d..dc353df7 100644
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
@@ -62,7 +62,16 @@ if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
 // Set correct language, codepages, ....
 setlanguage();
 
+if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
+ logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
+ die();
+}
+
 if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
+ if (!preg_match('/^[a-z0-9_]+$/i', $_GET['type'])) {
+ logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']);
+ die();
+ }
 // Create account list
 foreach ($_SESSION['delete_dn'] as $dn) {
 $start = strpos ($dn, "=")+1;
@@ -83,8 +92,8 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
 echo "
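Review bot: The rejected `$file` value is written into the log verbatim on the new `logNewMessage(LOG_ERR, ...)` line; it has just failed the `[a-z0-9_-]` check, so it may contain anything including newlines, and unless logNewMessage neutralizes control characters (its implementation is not in this diff) a crafted name can forge additional log entries. Logging a filtered copy avoids that, e.g. `logNewMessage(LOG_ERR, 'Invalid config file name: ' . preg_replace('/[^\x20-\x7e]/', '?', $file));`. The same pattern of logging the raw rejected value appears in the new type checks in delete.php and deletelink.php further down. The constructor body continues past the end of this hunk.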
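Review bot: The new `preg_match('/^[a-z0-9_]+$/i', ...)` checks on `$_POST['type']` and `$_GET['type']` still accept a value that ends in a single newline, because `$` in PCRE also matches just before a trailing `\n`; use the `D` modifier, `'/^[a-z0-9_]+$/iD'`, or `\z` instead of `$`, here and in the identical check added in deletelink.php. The `$_GET['type']` check is additionally only reached when `$_SESSION['delete_dn']` is set, so a request carrying a type without a pending delete list leaves the value unvalidated for whatever the rest of the file (outside this hunk) does with it; hoisting it next to the POST check, `if (isset($_GET['type']) && !preg_match('/^[a-z0-9_]+$/iD', $_GET['type'])) { logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']); die(); }`, closes that gap. With the pattern now repeated three times across this diff, a small shared helper in lib would keep the copies from drifting apart.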
" . _("Account name:") . " $users[$i] | \n"; - echo "" . _('DN') . ": " . $_SESSION['delete_dn'][$i] . " | \n"; + echo "" . _("Account name:") . " " . htmlspecialchars($users[$i]) . " | \n"; + echo "" . _('DN') . ": " . htmlspecialchars($_SESSION['delete_dn'][$i]) . " | \n"; $childCount = getChildCount($_SESSION['delete_dn'][$i]); if ($childCount > 0) { echo "" . _('Number of child entries') . ": " . $childCount . " | \n"; diff --git a/lam/templates/lists/deletelink.php b/lam/templates/lists/deletelink.php index 14c46d25..a33d4390 100644 --- a/lam/templates/lists/deletelink.php +++ b/lam/templates/lists/deletelink.php @@ -45,6 +45,10 @@ setlanguage(); // get account name and type $dn = $_GET['DN']; $type = $_GET['type']; +if (!preg_match('/^[a-z0-9_]+$/i', $type)) { + logNewMessage(LOG_ERR, 'Invalid type: ' . $type); + die(); +} if (isset($dn) && isset($type)) { $dn = str_replace("\\", '',$dn); diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php index ff6093ab..1872feac 100644 --- a/lam/templates/ou_edit.php +++ b/lam/templates/ou_edit.php @@ -82,7 +82,7 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) { } // show errormessage if ou is invalid else { - $error = _("OU is invalid!") . "