
Commit 89455f05 authored by P. J. McDermott

Don't urldecode() superglobals like $_GET.

PHP already URL-decodes the request when it populates superglobals such as $_GET.
Decoding the values a second time lets double-encoded input (e.g. %2527) slip
past checks that were done on the once-decoded form, so it is a security issue.
parent 714a6aaf
......@@ -24,7 +24,7 @@ require_once('templating.php');
require_once('data/Album.php');
try {
$artist = new Artist(urldecode($_GET['artist']));
$artist = new Artist($_GET['artist']);
} catch (Exception $e) {
$smarty->assign('pageheading', 'Artist not found.');
$smarty->assign('details', 'The artist ' . $_GET['artist'] . ' was not found in the database.');
......
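Review bot: `new Artist($_GET['artist'])` is still reached when the `artist` parameter is absent, which raises an undefined-index notice and hands `null` to the constructor, and `?artist[]=x` hands it an array; a guard before the `try`, `if (!isset($_GET['artist']) || !is_string($_GET['artist'])) { die(); }`, closes both cases. The same raw value is concatenated into the `details` string in the `catch` branch; unless the template escapes it (`{$details|escape}`), markup in `artist` is reflected into the error page, so either pass it through `htmlspecialchars($_GET['artist'], ENT_QUOTES, 'UTF-8')` here or confirm the template does. The `catch` block continues past the end of the hunk.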
......@@ -24,7 +24,7 @@ require_once('database.php');
require_once('templating.php');
require_once('data/Album.php');
$album = new Album(urldecode($_GET['album']), urldecode($_GET['artist']));
$album = new Album($_GET['album'], $_GET['artist']);
try {
$artist = new Artist($album->artist_name);
......
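Review bot: The new `new Album($_GET['album'], $_GET['artist'])` sits outside any `try`, unlike the `Artist` lookups elsewhere in this commit, so if `Album`'s constructor throws for an unknown album the exception is uncaught and the page dies with a stack trace (a path-disclosure risk where `display_errors` is on). Neither parameter is checked with `isset()` first, so a request missing either one emits notices and passes `null`. Suggest rejecting missing parameters up front with `if (!isset($_GET['album'], $_GET['artist'])) { die(); }` and wrapping the construction in the same `try { … } catch (Exception $e) { … }` pattern used two lines below for `Artist`. Whether `Album` throws is inferred from the sibling classes, not visible in this hunk.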
......@@ -26,7 +26,7 @@ require_once('data/Server.php');
require_once('data/TagCloud.php');
try {
$artist = new Artist(urldecode($_GET['artist']));
$artist = new Artist($_GET['artist']);
} catch (exception $e) {
$smarty->assign('pageheading', 'Artist not found.');
$smarty->assign('details', 'The artist '.($_GET['artist']).' was not found in the database.');
......
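Review bot: `catch (exception $e)` only works because PHP class names are case-insensitive; the other files in this commit spell it `Exception`, so `catch (Exception $e)` would keep the codebase consistent and make the intent obvious. The `details` string in the same branch still embeds the raw `$_GET['artist']`, which after this commit is the once-decoded request value; if the template does not escape `details`, wrap it as `htmlspecialchars($_GET['artist'], ENT_QUOTES, 'UTF-8')` — the template is not visible from here. The `catch` body continues past the end of the hunk.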
......@@ -34,7 +34,7 @@ if($logged_in == false) {
}
try {
$artist = new Artist(urldecode($_GET['artist']));
$artist = new Artist($_GET['artist']);
} catch (exception $e) {
$smarty->assign('pageheading', 'Artist not found.');
$smarty->assign('details', 'The artist '.($_GET['artist']).' was not found in the database.');
......
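Review bot: This page is behind the `$logged_in` check shown in the hunk header, but the new `new Artist($_GET['artist'])` line still does no parameter validation: `?artist[]=x` delivers an array rather than a string, and a missing `artist` delivers `null` with a notice. A one-line guard before the `try`, `if (!isset($_GET['artist']) || !is_string($_GET['artist'])) { die(); }`, covers both. The `catch` branch, which concatenates the raw value into `details`, continues outside the hunk.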
......@@ -27,7 +27,7 @@ require_once('data/TagCloud.php');
require_once('artist-menu.php');
try {
$artist = new Artist(urldecode($_GET['artist']));
$artist = new Artist($_GET['artist']);
} catch (exception $e) {
$smarty->assign('pageheading', 'Artist not found.');
$smarty->assign('details', 'The artist '.($_GET['artist']).' was not found in the database.');
......
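Review bot: The `catch` branch reflects the raw `$_GET['artist']` into `details`; removing the extra decode does not make the value trusted, so the only thing between it and the page is whatever escaping `templating.php` configures, which this hunk does not show. If Smarty is not configured to auto-escape, apply `htmlspecialchars()` here before the `assign`. An `isset()` check on `$_GET['artist']` ahead of the `try` would also avoid the notice and `null` argument on a request without the parameter. The `catch` block continues past the hunk.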
......@@ -32,7 +32,7 @@ if(!isset($_GET['tag'])) {
die();
}
$tag = urldecode($_GET['tag']);
$tag = $_GET['tag'];
$smarty->assign('tag', $tag);
try {
......
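Review bot: `$tag = $_GET['tag'];` is protected by the `isset()` shown in the hunk header, but not against a non-string value — `?tag[]=x` assigns an array to `$tag` and then to the template. Tightening that guard to `if(!isset($_GET['tag']) || !is_string($_GET['tag'])) {` closes it; note the guard line itself is outside the hunk. `$tag` also goes straight to Smarty, so if the template prints `{$tag}` without `|escape` the value is reflected unescaped — confirm the template or escape here. The `try` on the last line continues past the hunk.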
......@@ -27,7 +27,7 @@ require_once('data/Track.php');
require_once('utils/licenses.php');
try {
$artist = new Artist(urldecode($_GET['artist']));
$artist = new Artist($_GET['artist']);
} catch (Exception $e) {
$smarty->assign('pageheading', 'Artist not found.');
$smarty->assign('details', 'The artist ' . $_GET['artist'] . ' was not found in the database.');
......@@ -35,7 +35,7 @@ try {
die();
}
$album = new Album(urldecode($_GET['album']), $artist->name);
$album = new Album($_GET['album'], $artist->name);
if(!isset($this_user) || !$this_user->manages($artist->name)) {
$smarty->assign('pageheading', 'Permission denied');
......@@ -47,7 +47,7 @@ if(!isset($this_user) || !$this_user->manages($artist->name)) {
$edit = false;
if(isset($_GET['track'])) {
$edit = true;
$track = new Track(urldecode($_GET['track']), $artist->name);
$track = new Track($_GET['track'], $artist->name);
}
$smarty->assign('artist', $artist);
......
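Review bot: In the second hunk, `new Album($_GET['album'], $artist->name)` runs before the `manages()` permission check on the next line, so an unauthorized or anonymous caller still triggers the album lookup, and it has no `try` around it even though the `Artist` lookup in the first hunk gets one. Move the construction below the permission block and give it the same `catch (Exception $e)` handling; the third hunk's `new Track($_GET['track'], $artist->name)` has the same uncaught-exception question. Neither `$_GET['album']` nor `$_GET['track']` is checked for being a string (`?album[]=x`). Whether `Album` and `Track` throw is inferred from the sibling pages, and the permission block continues past the end of the second hunk.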
......@@ -25,7 +25,7 @@ require_once('data/sanitize.php');
require_once('data/Server.php');
require_once('data/TagCloud.php');
$track = new Track(urldecode($_GET['track']), urldecode($_GET['artist']));
$track = new Track($_GET['track'], $_GET['artist']);
$smarty->assign('track', $track);
$album = new Album($track->album_name, $track->artist_name);
......
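Review bot: `new Track($_GET['track'], $_GET['artist'])` is the first statement after the requires, with no `isset()` check and no `try`, so a request missing either parameter emits notices and passes `null`, and a lookup failure — if `Track` throws the way `Artist` does elsewhere in this commit — ends as an uncaught exception. `data/sanitize.php` is required just above; if it provides a string validator, run both parameters through it, otherwise add `if (!isset($_GET['track'], $_GET['artist'])) { die(); }` and a `try`/`catch` matching the artist pages. Whether `Track` throws is not visible here.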
......@@ -35,7 +35,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (Exception $e) {
$smarty->assign('pageheading', 'User not found');
$smarty->assign('details', 'Shall I call in a missing persons report?');
......
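Review bot: The guard in the hunk header only rejects a missing `user` for anonymous visitors, so a logged-in visitor with no `user` parameter reaches `new User($_GET['user'])` with an undefined index and passes `null` to the constructor. If the intent is to fall back to the current account, spell that out with an explicit `isset($_GET['user']) ? $_GET['user'] : <current user>` before the `try` rather than relying on `User` accepting `null`; what `null` means to `User` is not visible here. `?user[]=x` likewise passes an array. The `catch` block continues past the hunk.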
......@@ -35,7 +35,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (Exception $e) {
$smarty->assign('pageheading', $error);
$smarty->assign('details', 'Shall I call in a missing persons report?');
......
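Review bot: `$smarty->assign('pageheading', $error)` in the `catch` branch reads `$error`, which nothing in the hunk assigns; it must come from earlier in the file, so a `die()` or a default value at the top would make this branch self-contained — cannot confirm from here. The `new User($_GET['user'])` line itself is reached by a logged-in visitor without a `user` parameter (the header guard only covers the anonymous case), producing a notice and a `null` argument; an explicit `isset()` fallback before the `try` would make the intended behaviour clear. The `catch` block continues past the hunk.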
......@@ -34,7 +34,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (exception $e) {
$error = 'User not found';
}
......
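Review bot: After `catch (exception $e) { $error = 'User not found'; }` execution continues with `$user` never assigned, so any later use of `$user` on this page depends on code outside the hunk checking `$error` first — worth a comment on the `catch`, e.g. `// $user is unset here; callers must check $error`, or a `die()` if nothing below handles it. `exception` should be spelled `Exception` to match the rest of the commit. The header guard still lets a logged-in visitor reach `new User($_GET['user'])` with the parameter absent.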
......@@ -34,7 +34,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (Exception $e) {
$smarty->assign('pageheading', 'User not found');
$smarty->assign('details', 'Shall I call in a missing persons report?');
......
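Review bot: `new User($_GET['user'])` is reached with an undefined index when a logged-in visitor omits `user`, because the guard in the hunk header only fires for anonymous callers; PHP then passes `null`, and `?user[]=x` passes an array. Add `if (!isset($_GET['user']) || !is_string($_GET['user'])) { die(); }` ahead of the `try`, or an explicit fallback to the current account if that is the intended behaviour — which one is not visible here. The `catch` block continues past the hunk.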
......@@ -34,7 +34,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (exception $e) {
$error = 'User not found';
}
......
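Review bot: The `catch` here only sets `$error` and lets the page continue with `$user` undefined, so whatever follows the hunk must test `$error` before touching `$user`; a short comment on the `catch` such as `// $user stays unset; check $error before using it` would protect the next maintainer. `catch (exception $e)` should be `catch (Exception $e)` for consistency with the other files. The anonymous-only guard in the header leaves `$_GET['user']` unchecked for logged-in callers.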
......@@ -34,7 +34,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (exception $e) {
$error = 'User not found';
}
......
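Review bot: This hunk is identical to two sibling user pages in the commit, each with the same `catch (exception $e) { $error = 'User not found'; }` that leaves `$user` unset and continues; if all three share that flow, factoring the user lookup into one helper would remove the triplicated guard-and-catch. Short of that, `Exception` rather than `exception` for consistency, and an `isset()`/`is_string()` check on `$_GET['user']` before the `try`, since the header guard only rejects a missing parameter for anonymous visitors.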
......@@ -34,7 +34,7 @@ if(!isset($_GET['user']) && $logged_in == false) {
}
try {
$user = new User(urldecode($_GET['user']));
$user = new User($_GET['user']);
} catch (Exception $e) {
if ($e->getCode() == 22) {
echo('We had some trouble locating that user. Are you sure you spelled it correctly?'."\n");
......
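Review bot: `$e->getCode() == 22` compares against a bare magic number; name it (a class constant on `User`, or at least a comment saying what code 22 means) so the meaning survives, and use `===` since `getCode()` returns an `int`. This branch `echo`s directly instead of going through Smarty like the other user pages, which is fine for a plain-text endpoint but the response content type is not visible in the hunk. The header guard still lets a logged-in caller reach `new User($_GET['user'])` with the parameter absent. The `catch` block continues past the end of the hunk.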