From 8b21c9a83be62b427f59ecf59ea4a7ab40ad9560 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Tue, 26 Jul 2011 15:26:21 +0000
Subject: [PATCH] removed debug_dump because of XSS vulnerability

---
 lam/templates/3rdParty/pla/htdocs/cmd.php | 23 +++++++-------------
 lam/templates/3rdParty/pla/lib/functions.php | 20 +----------------
 2 files changed, 9 insertions(+), 34 deletions(-)

diff --git a/lam/templates/3rdParty/pla/htdocs/cmd.php b/lam/templates/3rdParty/pla/htdocs/cmd.php
index 37885b5b..d4d0a0f3 100644
--- a/lam/templates/3rdParty/pla/htdocs/cmd.php
+++ b/lam/templates/3rdParty/pla/htdocs/cmd.php
@@ -18,24 +18,17 @@ $www['meth'] = get_request('meth','REQUEST');
 
 ob_start();
 
-switch ($www['cmd']) {
- case '_debug':
- debug_dump($_REQUEST,1);
- break;
+if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
+ $app['script_cmd'] = HOOKSDIR.$www['cmd'].'.php';
 
- default:
- if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
- $app['script_cmd'] = HOOKSDIR.$www['cmd'].'.php';
+elseif (defined('HTDOCDIR') && file_exists(HTDOCDIR.$www['cmd'].'.php'))
+ $app['script_cmd'] = HTDOCDIR.$www['cmd'].'.php';
 
- elseif (defined('HTDOCDIR') && file_exists(HTDOCDIR.$www['cmd'].'.php'))
- $app['script_cmd'] = HTDOCDIR.$www['cmd'].'.php';
+elseif (file_exists('welcome.php'))
+ $app['script_cmd'] = 'welcome.php';
 
- elseif (file_exists('welcome.php'))
- $app['script_cmd'] = 'welcome.php';
-
- else
- $app['script_cmd'] = null;
-}
+else
+ $app['script_cmd'] = null;
 
 if (DEBUG_ENABLED)
 debug_log('Ready to render page for command [%s,%s].',128,0,__FILE__,__LINE__,__METHOD__,$www['cmd'],$app['script_cmd']);
diff --git a/lam/templates/3rdParty/pla/lib/functions.php b/lam/templates/3rdParty/pla/lib/functions.php
index 3545db0f..9f0f56b8 100644
--- a/lam/templates/3rdParty/pla/lib/functions.php
+++ b/lam/templates/3rdParty/pla/lib/functions.php
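Review bot: The rewritten dispatch still turns `$www['cmd']` straight into a filesystem path (`HOOKSDIR.$www['cmd'].'.php'`, `HTDOCDIR.$www['cmd'].'.php'`) with `file_exists()` as the only guard, and the neighbouring `get_request('meth','REQUEST')` line suggests `cmd` is read from the request the same way. `file_exists()` does not reject traversal sequences or absolute paths, so whatever later executes `$app['script_cmd']` (outside this hunk) is only as safe as the value of `cmd`; unless `get_request()` already restricts it, constrain it here with something like `if (!preg_match('/^[A-Za-z0-9_]+$/', $www['cmd'])) $www['cmd'] = null;` before the first `if`, so that anything unexpected falls through to the `welcome.php` branch. Removing the `_debug` case is the right call, but the `file_exists('welcome.php')` fallback depends on the current working directory, which deserves a one-line comment such as `// relative to the htdocs directory cmd.php runs from`.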
@@ -357,25 +357,7 @@ function cmd_control_pane($type) {
 * @param boolean Whether to stop execution or not.
 */
 function debug_dump($variable,$die=false,$onlydebugaddr=false) {
- if ($onlydebugaddr &&
- isset($_SESSION[APPCONFIG]) && $_SESSION[APPCONFIG]->getValue('debug','addr') &&
- $_SERVER['HTTP_X_FORWARDED_FOR'] != $_SESSION[APPCONFIG]->getValue('debug','addr') &&
- $_SERVER['REMOTE_ADDR'] != $_SESSION[APPCONFIG]->getValue('debug','addr'))
- return;
-
- $backtrace = debug_backtrace();
- $caller['class'] = isset($backtrace[0]['class']) ? $backtrace[0]['class'] : 'N/A';
- $caller['function'] = isset($backtrace[0]['function']) ? $backtrace[0]['function'] : 'N/A';
- $caller['file'] = isset($backtrace[0]['file']) ? $backtrace[0]['file'] : 'N/A';
- $caller['line'] = isset($backtrace[0]['line']) ? $backtrace[0]['line'] : 'N/A';
- $caller['debug'] = $variable;
-
- print '
';
-	print_r($caller);
-	print '
';
-
- if ($die)
- die();
+ if ($die) die();
 }
 
 /**
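Review bot: `debug_dump()` is reduced to `if ($die) die();`, yet its docblock, which starts above the hunk, still describes `$variable` and `$onlydebugaddr` and a dump that no longer happens; neither parameter is read any more. Either delete the function together with its remaining callers, or mark the stub so the next reader does not reintroduce the dump: add above the remaining line a comment such as `// Intentionally a no-op: the former print_r() of the caller data echoed request-controlled values unescaped. Kept only so existing callers still resolve.` and replace the `@param` entries for the two unused parameters with `@param mixed Ignored, kept for call-site compatibility.`. The `$die` path still terminates the request, so callers that pass `1` as the second argument (the removed `debug_dump($_REQUEST,1)` in cmd.php was one) now simply exit with no output, which is worth stating in the docblock as well.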