CVE-2023-5320: fix: only URLs should be allowed · thorsten/phpMyFAQ@e923695

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE
#xss#vulnerability#git#php


fix: only URLs should be allowed

Showing 2 changed files with 9 additions and 2 deletions.

    • ajax.config_list.php
    • configuration.php

4 changes: 2 additions & 2 deletions phpmyfaq/admin/ajax.config_list.php

@@ -86,8 +86,8 @@ function renderInputForm($key, $type)

$type = 'url’;

break;

default:

$type = 'text’;

break;

$type = 'text’;

break;

}

printf(
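Review bot: with the +/- markers lost in this rendering, the two identical `$type = 'text’; break;` pairs after `default:` read as a duplicate, whereas the hunk header (8 lines to 8 lines) and the file summary (2 additions, 2 deletions) indicate one pair is the removed version and the other its replacement, differing only in something not visible here such as indentation; confirm in the raw diff that the `default:` branch still ends with a single `$type = 'text'; break;`. Also note that `$type = 'url’;` only changes the input control that the following `printf(` renders, which gives browser-side form validation at most; the server-side validation lives in configuration.php, the other file this commit touches.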

7 changes: 7 additions & 0 deletions phpmyfaq/admin/configuration.php

@@ -58,6 +58,13 @@

unset($editData[‘edit’][‘main.currentVersion’]); // don’t update the version number

}

if (

isset($editData[‘edit’][‘main.referenceURL’]) &&

is_null(Filter::filterVar($editData[‘edit’][‘main.referenceURL’], FILTER_VALIDATE_URL))

) {

unset($editData[‘edit’][‘main.referenceURL’]);

}

foreach ($editData[‘edit’] as $key => $value) {

// Remove forbidden characters

$newConfigValues[$key] = str_replace($forbiddenValues, '’, $value);
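Review bot: the new guard `if (isset($editData[‘edit’][‘main.referenceURL’]) && is_null(Filter::filterVar(..., FILTER_VALIDATE_URL)))` silently `unset`s a rejected value, so an administrator who submits a malformed reference URL sees the save succeed with the previous value kept and no error; consider recording a validation message next to the `unset`. FILTER_VALIDATE_URL checks URL syntax only (a scheme, and a host for http/https) and does not restrict which scheme is used, so given the DOM XSS this commit addresses, an explicit allowlist of http and https for a value that ends up in a link would tighten it further. The check also relies on `Filter::filterVar` returning null on failure to match the `is_null` test; that contract should be stated at the wrapper.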

Related news

GHSA-pp4w-g5p4-85p2: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
