From ecb93d8c1fd3bbde62aca9c3a13c32f077da2da8 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Mon, 29 Aug 2016 00:50:41 +0200
Subject: [PATCH] Tests: fix XSS vulnerability

This issue was reported by JPCERT Coordination Center (JPCERT/CC) with reference JVN#48237713.

The root cause is a foreach loop processing all GET parameters and blindly assigning them to variables, allowing an attacker to replace contents of global variables.

This limits variable processing using a regex matching those used in testdatabases.inc.php (i.e. beginning with 'test' or 'no').

Fixes #274
---
 tests/test.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/test.php b/tests/test.php
index f3991ff..382dd3e 100644
--- a/tests/test.php
+++ b/tests/test.php
@@ -1741,8 +1741,11 @@ function adodb_test_err($dbms, $fn, $errno, $errmsg, $p1=false, $p2=false)
 foreach($_GET as $k=>$v) {
- //global $$k;
- $$k = $v;
+ // XSS protection (see Github issue #274) - only set variables for
+ // expected get parameters used in testdatabases.inc.php
+ if(preg_match('/^(test|no)\w+$/', $k)) {
+ $$k = $v;
+ }
 }
 ?>
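Review bot: The added `preg_match` guard narrows the attack surface but still performs variable-variable assignment from a request-controlled name, so any global in this file (or in files it includes) whose name happens to begin with `test` or `no` remains overwritable; a fixed allowlist of the parameter names testdatabases.inc.php actually reads, checked with `in_array($k, $allowed, true)`, would close that gap and is easier to audit than a prefix pattern. A smaller point: in PCRE `$` also matches before a trailing newline, so a key like `testfoo\n` passes the pattern; anchor with `\z` instead, `if (preg_match('/^(test|no)\w+\z/', $k)) {`. Note also that `$v` is assigned unescaped, so the "XSS protection" in the comment is only as good as the escaping applied wherever these variables are later echoed, which is outside this hunk; the comment could say so: `// Note: values are not sanitised here; escape at output.`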