On Tue, Jul 19, 2005 at 07:54:31AM +0200, Martin Schulze wrote: > Ok, I'll wait.
so, a 6 hour plane flight later, i've learned 3 things:
1 - there are a number of other variables that also need to be included.
2 - there are a number of calls where variables are indirectly passed
to mysql_foo functions via other functions (which causes a problem
for the current sanity checking method)
3 - there is another, ridiculously obvious security vulnerability in
the woody version.
1 is easy to fix, we can just add on the extra variables to the file.
of the 900 or so calls to mysql_foo functions, i had about 170 left
to look at when my battery crapped out.
2 is trickier. we could either repeat the process i'm about finished
with wrt mysql_foo for all the functions that pass variables to
mysql_foo, or we could do the sanity checking in the function. as
the former sounds ugly and even more time consuming i'm going to
side with thte latter.
what i think i'm going to do is split sanitize.php into sanitize and
sanitize-functions. sanitize will include_once sanitize-functions,
so then sanitize can be included multiple times (otherwise i believe
that php will bitch about functions being redefined), and i'll just
slip in a line in each mysql-calling function to include sanitize,
and add the variables in said functions to sanitize.php.
as for 3, well... there's a variable, which is stored in a cookie.
the cookie name is cactilogin, and the value is an integer. want to
guess what it does? a fix for this shouldn't be too hard, this kind
of info should be stored in the session and not in the cookie.
anyway, i'll have a fair amount of free time tomorrow, but will need
a little sleep first :)
sean
--
signature.asc
Description: Digital signature
