Merge pull request #5964 from BOINC/dpa_web13
web: remove vulnerabilities in tree_threader and in unused badge function
lfield authored Dec 19, 2024
2 parents 57e0bdf + b51b3e4 commit 949aa54
Showing 2 changed files with 6 additions and 1 deletion.
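--- a/html/inc/util_ops.inc
+++ b/html/inc/util_ops.inc
@@ -331,6 +331,9 @@ function app_version_desc($avid) {
 ////// badge-related stuff
 
 function get_badge($name, $title, $image_url) {
+$name = BoincDb::escape_string($name);
+$title = BoincDb::escape_string($title);
+$image_url = BoincDb::escape_string($image_url);
 $b = BoincBadge::lookup("name='$name'");
 if ($b) return $b;
 $now = time();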
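Review bot: The three added lines overwrite `$name`, `$title` and `$image_url` with their SQL-escaped forms, so everything later in `get_badge` (its body continues past the hunk) sees escaped text whether or not it is building a query, and a caller that had already escaped its arguments would have them escaped twice. Escaping into separate locals keeps the raw parameters intact and makes the boundary visible, e.g. `$name_sql = BoincDb::escape_string($name);` followed by `BoincBadge::lookup("name='$name_sql'")`. Escaping of this kind only protects a value placed inside a quoted SQL literal, which the visible lookup does; the statements that use `$title` and `$image_url` are outside the hunk and should be confirmed to quote them the same way. A one-line comment on the function such as `// arguments are raw strings; they are escaped here before use in SQL` would document the contract.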
4 changes: 3 additions & 1 deletion html/user/tree_threader.php
@@ -1,5 +1,7 @@
<?php

DEPRECATED

// Handler for TreeThreader remote job submission.
//
// Assumptions:
@@ -155,7 +157,7 @@ function handle_get_output($r, $batch) {

// authenticate the user
//
$auth = (string)$r->auth;
$auth = BoincDb::escape_string((string)$r->auth);
$user = BoincUser::lookup("authenticator='$auth'");
if (!$user) error("invalid authenticator");
$user_submit = BoincUserSubmit::lookup_userid($user->id);
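Review bot: The bare `DEPRECATED` token added after `<?php` in the first hunk appears to disable the script by making it fail to parse, which leaves the outcome to server configuration: the request would end in a server error, and with error display enabled the message would include the file path. An explicit refusal placed first in the file is more predictable, e.g. `http_response_code(410); exit('tree_threader.php is deprecated');`, or the file can be deleted if nothing calls it. In the second hunk, escaping `$auth` covers the `authenticator='$auth'` lookup shown; the code around it lies outside the hunk, so any other fields of `$r` that reach a query there should be checked for the same treatment.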
