Import request variables

From MapbenderWiki

Objective

All occurrences of import_request_variables() must be removed, as it poses a security threat.

Process

Identify all occurrences

Occurrences will be marked in the source code as follows:

/*
 * @security_patch irv
 */


Analyze individual occurrences

  • Use the module and go through all possible use cases
  • You will find a log file with information on the variables used: log/security_patch.log

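Fix individual occurrences

Instantiate each used variable from the superglobal it is expected to arrive in, using one of:

$varname = $_GET["varname"];    // sent in the query string
$varname = $_POST["varname"];   // sent in a form body
$varname = $_FILES["varname"];  // uploaded file (the superglobal is $_FILES)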


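If many variables have to be instantiated, you can use a construct like

// Fixed list of expected names, written in the source code,
// never built from the request itself.
$postvars = explode(",", "varname1,varname2,varname3");
foreach ($postvars as $value) {
   // Variable variable: creates $varname1, $varname2, ...
   $$value = $_POST[$value];
}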
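
The construct above, generalized as an added example (not Mapbender code): it reads from one explicit source array, fills in a default for fields that were not sent, and refuses to overwrite variables the application has already set. The function name pick_request_vars() and the field names are hypothetical, and the sample array is constructed to stand in for $_POST.

```php
<?php
// Added example, not Mapbender code.
// pick_request_vars() and the field names are hypothetical.

/**
 * Copy only the listed keys out of ONE explicit source array
 * ($_GET, $_POST, ...). Keys that are not listed are ignored;
 * listed keys that are absent get $default instead of raising a notice.
 */
function pick_request_vars(array $source, array $allowed, $default = null): array
{
    $picked = [];
    foreach ($allowed as $name) {
        // The allow-list must hold plain identifiers written by the developer.
        // Refuse names that could shadow superglobals ($_POST, $GLOBALS) or $this.
        if (!is_string($name)
            || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $name)
            || in_array($name, ['GLOBALS', 'this'], true)) {
            throw new InvalidArgumentException('Refusing variable name in allow-list');
        }
        $picked[$name] = array_key_exists($name, $source) ? $source[$name] : $default;
    }
    return $picked;
}

// Constructed sample standing in for $_POST: two expected fields
// plus one field the module never asked for.
$samplePost = [
    'layer_id' => '12',
    'title'    => 'Rivers',
    'is_admin' => '1',
];

$is_admin = false; // set by the application before the request is read

$vars = pick_request_vars($samplePost, ['layer_id', 'title', 'srs']);

// EXTR_SKIP never overwrites a variable that already exists.
extract($vars, EXTR_SKIP);

var_dump($layer_id, $title, $srs, $is_admin);
```

Because is_admin is not on the allow-list, the request cannot set it, which is the behaviour import_request_variables() does not give you; srs is on the list but was not sent, so it is defined with the default value.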