Changeset 15313 for branches


Timestamp:
2007/08/20 16:54:49 (17 years ago)
Author:
adachi
Message:

XSS脆弱性の修正

File:
1 edited

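--- a/branches/rel/html/input_zip.php
+++ b/branches/rel/html/input_zip.php
@@ -56,4 +56,5 @@
 // ͹ÊØÈֹ椬ȯ¸«¤µ¤ì¤¿¾ì¹ç
 if(count($data_list) > 0) {
+    lfCheckInput();
     $func = "fnPutAddress('" . $_GET['input1'] . "','" . $_GET['input2']. "');";
     $objPage->tpl_onload = "$func";
@@ -70,12 +71,30 @@
 function fnErrorCheck() {
     // ¥¨¥é¡¼¥á¥Ã¥»¡¼¥¸ÇÛÎó¤Î½é´ü²½
-    $objErr = new SC_CheckError();
-
+    $objErr = new SC_CheckError($_GET);
+
     // ͹ÊØÈÖ¹æ
-    $objErr->doFunc( array("͹ÊØÈÖ¹æ1",'zip1',ZIP01_LEN ) ,array( "NUM_COUNT_CHECK" ) );
-    $objErr->doFunc( array("͹ÊØÈÖ¹æ2",'zip2',ZIP02_LEN ) ,array( "NUM_COUNT_CHECK" ) );
-
+    $objErr->doFunc( array("͹ÊØÈÖ¹æ1",'zip1',ZIP01_LEN ) ,array( "NUM_CHECK", "NUM_COUNT_CHECK" ) );
+    $objErr->doFunc( array("͹ÊØÈÖ¹æ2",'zip2',ZIP02_LEN ) ,array( "NUM_CHECK", "NUM_COUNT_CHECK" ) );
+
     return $objErr->arrErr;
 }
 
+/**
+ * input1,2¤ÎÆþÎÏ¥Á¥§¥Ã¥¯
+ * ±Ñ¿ô»ú¥¢¥ó¥À¡¼¥Ð¡¼°Ê³°¤¬ÆþÎϤµ¤ì¤¿¾ì¹ç¡¢
+ * ÉÔÀµ¤Ê¥¢¥¯¥»¥¹¤È¤ß¤Ê¤·¥¨¥é¡¼²èÌ̤ØÁ«°Ü
+ * @param void
+ * @return void
+ */
+function lfCheckInput(){
+    $pattern = "/^[0-9a-z_]+$/";
+    foreach (array('input1', 'input2') as $key_name) {
+        $ret = preg_match_all($pattern, $_GET[$key_name], $matches);
+        if (!$ret) {
+            $msg = sprintf('invalid param: $_GET[%s]="%s"', $key_name, $_GET[$key_name]);
+            gfPrintLog($msg);
+            sfDispSiteError('');
+        }
+    }
+}
 ?>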
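Review bot: The allowlist in `lfCheckInput` (new line 90) is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value such as `abc` followed by `%0A` passes the check and is then concatenated unescaped into the `fnPutAddress(...)` string on line 59; use `$pattern = '/^[0-9a-z_]+\z/';` (or add the `D` modifier) so the entire value has to match. `preg_match_all` with an unused `$matches` is more than this anchored check needs; `if (!preg_match($pattern, $_GET[$key_name])) {` states the intent directly. When `input1` or `input2` is absent, `$_GET[$key_name]` raises an undefined-index notice before the check fails, so testing `isset($_GET[$key_name])` first keeps the rejection clean. The guard only protects the onload string if `sfDispSiteError('')` ends the request; if that helper can return, an explicit `exit;` after it would make the protection independent of its behaviour. The `if(count($data_list) > 0)` block in the first hunk continues outside it.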