Changeset 7095 for trunk/bp-themes/bp-default/_inc/ajax.php

Timestamp:

05/22/2013 04:38:44 AM (13 years ago)

Author:

johnjamesjacoby

Message:

In the AJAX object_template_loader() functions of bp-default and bp-legacy, use sanitize_title() instead of esc_attr() to properly sanitize the requested object.

Then, do a bp_is_active() against that object to ensure the object being requested is for an active component, to prevent potential arbitrary file inclusion. (Note: this needs testing with third party components that tap into this functionality, as it was originally intended only to be used by bundled components.)

File:

• trunk/bp-themes/bp-default/_inc/ajax.php (modified) (2 diffs)

trunk/bp-themes/bp-default/_inc/ajax.php

@@ -169 +169 @@
         return;
 
+    // Bail if no object passed
+    if ( empty( $_POST['object'] ) )
+        return;
+
+    // Sanitize the object
+    $object = sanitize_title( $_POST['object'] );
+
+    // Bail if object is not an active component
+    if ( ! bp_is_active( $object ) )
+        return;
+
     /**
      * AJAX requests happen too early to be seen by bp_update_is_directory()
@@ -175 +186 @@
      * of themselves rather than the directory version.
      */
-
     if ( ! bp_current_action() )
         bp_update_is_directory( true, bp_current_component() );
-
-    // Sanitize the post object
-    $object = esc_attr( $_POST['object'] );
 
     // Locate the object template