create-admin.php:

- fix SQL injection (only exploitable by superadmins)

Reported by Matthias Bethke (msbethke@SF),
https://sourceforge.net/tracker/?func=detail&atid=937964&aid=3412484&group_id=191583

Note: this fix is (intentionally) different from the fix in the 2.3 branch
and includes a TODO note for some bigger changes that we should do.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1186 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 13 years ago
parent 8f805af202
commit 9d1f79c495

@ -49,7 +49,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);
if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']);
$fDomains = array();
if (!empty ($_POST['fDomains'])) $fDomains = $_POST['fDomains'];
if (!empty ($_POST['fDomains'])) $fDomains = escape_string($_POST['fDomains']);
# TODO: work with non-escaped values here and do the escaping in create_admin()
list ($error, $infoMessage, $pAdminCreate_admin_username_text_error, $pAdminCreate_admin_password_text_error) = create_admin($fUsername, $fPassword, $fPassword2, $fDomains);
if ($error != 0) {
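Review bot: the added `$fDomains = escape_string($_POST['fDomains']);` is applied to a value that the preceding `$fDomains = array();` shows is expected to be an array, so the fix only holds if escape_string() escapes every element of an array rather than just scalars; please confirm that, or escape per element explicitly, e.g. `$fDomains = array_map('escape_string', $_POST['fDomains']);`. Escaping also still lets any submitted domain name reach the query; since the TODO already points to moving the escaping into create_admin(), validating the submitted entries there against the list of known domains would close the issue more robustly than escaping alone.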
