Raised This Month: $19 Target: $400
 4% 

Whitespaces are removed from the site name


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
nvRm
Junior Member
Join Date: Dec 2014
Location: Russia
Old 03-11-2021 , 12:23   Whitespaces are removed from the site name
Reply With Quote #1

I have HLstatsX Community Edition 1.6.19-25. After saving the stats settings whitespaces in the site name option are removed. I think this is due to the valid_request() function in options.php on the line 86:

PHP Code:
if (($this->title == 'Fonts') || ($this->title == 'General')) {
    
$optval $_POST[$opt->name];
    
$search_pattern  = array('/script/i''/;/''/%/');
    
$replace_pattern = array('''''');
    
$optval preg_replace($search_pattern$replace_pattern$optval);
    
$optval $db->escape($optval);
} else {
    
$optval valid_request($_POST[$opt->name], 0);

This function is in functions.php on the line 94:
PHP Code:
function valid_request($str$numeric false)
{
    global 
$db;
    if(
is_array($str))
        return 
"";
    
$search_pattern = array("/[^A-Za-z\x{0410}-\x{044F}0-9Ёё\[\]*\.,=()!\"$%&^`':;#+~_\-|<>\/\\@{}]/u");
    
$replace_pattern = array('');
    
$str preg_replace($search_pattern$replace_pattern$str);
    if ( 
$numeric == false )
    {
        return 
$db->escape($str);
    }
    else
    {
        if ( 
is_numeric($str) )
            return 
intval($str);
        else
            return -
1;
    }

If I add a whitespace '\s' to the search pattern won't it lead to any vulnerabilities?

Last edited by nvRm; 03-11-2021 at 14:03.
nvRm is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 15:08.


Powered by vBulletin®
Copyright ©2000 - 2021, vBulletin Solutions, Inc.
Theme made by Freecode