Subject: Security-relevant changes between MTOS 5.14 and MTOS 5.161
Bug-Debian: http://bugs.debian.org/734304
Origin: http://www.movabletype.jp/downloads/stable/MTOS-5.161-en.tar.gz
diff -urN MTOS-5.14-en/lib/MT/App/Comments.pm MTOS-5.161-en/lib/MT/App/Comments.pm
--- MTOS-5.14-en/lib/MT/App/Comments.pm 2012-05-10 10:03:28.000000000 +0100
+++ MTOS-5.161-en/lib/MT/App/Comments.pm 2013-10-20 04:48:03.000000000 +0100
@@ -1822,6 +1822,10 @@
$app->translate(
"Somehow, the entry you tried to comment on does not exist")
);
+ return $app->error(
+ $app->translate( "No such entry '[_1]'.", encode_html($entry_id) ) )
+ if $entry->status != RELEASE;
+
my $ctx = MT::Template::Context->new;
my $blog = MT::Blog->load( $entry->blog_id );
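Review bot: the new guard at +1825..1827 depends on the `RELEASE` constant, and nothing in this hunk shows it being imported into MT::App::Comments; confirm the module already pulls it in (via `MT::Entry`), since under strict an unimported bareword is a compile-time error. The returned message reuses `encode_html($entry_id)`, so the echoed id is escaped, and it deliberately says "No such entry" for an unpublished entry rather than revealing that a draft or scheduled entry exists; a one-line comment stating that choice would keep a later cleanup from "fixing" the wording.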
@@ -1992,14 +1996,19 @@
$param{ 'auth_mode_' . $cmntr->auth_type } = 1;
+ return $app->error( $app->translate("Invalid request") )
+ if $cmntr->name ne $q->param('name');
+ return $app->error( $app->translate("Invalid request") )
+ if $q->param('id') && $cmntr->id ne $q->param('id');
+
$app->user($cmntr);
$app->{session} = $sess_obj;
- my $original = $cmntr->clone();
-
$app->validate_magic
or return $app->handle_error( $app->translate('Invalid request') );
+ my $original = $cmntr->clone();
+
if ( 'MT' eq $cmntr->auth_type ) {
my $nickname = $param{nickname};
unless ( $nickname && $param{email} ) {
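Review bot: the two new checks at +1999..2002 are asymmetric: the id comparison is guarded by `$q->param('id') &&`, but `$cmntr->name ne $q->param('name')` runs unconditionally, so a request that omits `name` is rejected (with an uninitialized-value warning) rather than treated as "no override submitted". If that is intended, i.e. the posted name must always match the session's commenter, say so in a comment; otherwise mirror the guard used for `id`. Moving `my $original = $cmntr->clone();` below `validate_magic` is behaviour-preserving, as nothing between the old and new positions uses `$original`.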
diff -urN MTOS-5.14-en/lib/MT/CMS/Entry.pm MTOS-5.161-en/lib/MT/CMS/Entry.pm
--- MTOS-5.14-en/lib/MT/CMS/Entry.pm 2012-05-10 10:03:28.000000000 +0100
+++ MTOS-5.161-en/lib/MT/CMS/Entry.pm 2013-10-20 04:48:03.000000000 +0100
@@ -7,13 +7,19 @@
use strict;
use MT::Util qw( format_ts relative_date remove_html encode_html encode_js
- encode_url archive_file_for offset_time_list break_up_text first_n_words );
+ encode_url archive_file_for offset_time_list break_up_text first_n_words
+ untainted_param );
use MT::I18N qw( const wrap_text );
sub edit {
my $cb = shift;
my ( $app, $id, $obj, $param ) = @_;
+ for my $k (qw(text text_more)) {
+ next unless $app->param($k);
+ $param->{$k} = untainted_param( $app, $k );
+ }
+
my $q = $app->param;
my $type = $q->param('_type');
my $perms = $app->permissions;
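Review bot: the loop at +16..19 skips any value for which `$app->param($k)` is false, so a body consisting of "0" bypasses `untainted_param` and `$param->{$k}` keeps whatever the caller set; `defined $app->param($k)` is the safer test if the intent is "whenever the request carries the field". A short comment explaining why only `text` and `text_more` are re-read here would save the next reader a trip to MT::Util to discover that these are the request-supplied fields being routed through the sanitizer.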
diff -urN MTOS-5.14-en/lib/MT/Util.pm MTOS-5.161-en/lib/MT/Util.pm
--- MTOS-5.14-en/lib/MT/Util.pm 2012-05-10 10:03:28.000000000 +0100
+++ MTOS-5.161-en/lib/MT/Util.pm 2013-10-20 04:48:03.000000000 +0100
@@ -27,7 +27,7 @@
extract_urls extract_domain extract_domains is_valid_date
epoch2ts ts2epoch escape_unicode unescape_unicode
sax_parser expat_parser libxml_parser trim ltrim rtrim asset_cleanup caturl multi_iter
- weaken log_time make_string_csv browser_language sanitize_embed
+ weaken log_time make_string_csv browser_language sanitize_embed untainted_param
extract_url_path break_up_text dir_separator deep_do deep_copy realpath canonicalize_path);
{
@@ -2486,6 +2486,16 @@
return $sanitized;
}
+sub untainted_param {
+ my ( $app, $k ) = @_;
+ my $v = $app->param($k);
+ local $app->{login_again};
+ require MT::Sanitize;
+ ( $v && !$app->validate_magic )
+ ? MT::Sanitize->sanitize( $v, $app->config->GlobalSanitizeSpec )
+ : $v;
+}
+
sub log_time {
return format_ts(
'[%Y-%m-%d %H:%M:%S]',
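Review bot: `untainted_param` at +2489..2497 picks between the raw value and the sanitized value based on `$app->validate_magic`, that is, on whether the request carries a valid magic token, not on any property of the data, and neither the name nor the body documents that. Suggest a comment stating the rule ("a value arriving without a valid magic token is passed through `MT::Sanitize->sanitize` with `GlobalSanitizeSpec`; a token-bearing form post is returned as-is") and explaining `local $app->{login_again};`, which implies that `validate_magic` sets that flag on failure and that the local keeps this probe from bouncing the caller to the login page. Note also that `$v && ...` returns "0" or the empty string unsanitized, which is harmless but worth a word.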