Merge pull request #435 from TheSerapher/security-fix

Security fix
2013-07-11 06:56:19 -07:00 · 2013-07-11 06:56:19 -07:00 · bbcb210f27
commit bbcb210f27
parent ed573e6e46 7466689b50
8 changed files with 16 additions and 11 deletions
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@ -442,6 +442,10 @@ class User {
   **/
  public function register($username, $password1, $password2, $pin, $email1='', $email2='') {
    $this->debug->append("STA " . __METHOD__, 4);
+    if (strlen($username > 40)) {
+      $this->setErrorMessage('Username exceeding character limit');
+      return false;
+    }
    if ($this->getEmail($email1)) {
      $this->setErrorMessage( 'This e-mail address is already taken' );
      return false;
@ -482,8 +486,9 @@ class User {
    $password_hash = $this->getHash($password1);
    $pin_hash = $this->getHash($pin);
    $apikey_hash = $this->getHash($username);
+    $username_clean = strip_tags($username);

-    if ($this->checkStmt($stmt) && $stmt->bind_param('sssss', $username, $password_hash, $email1, $pin_hash, $apikey_hash)) {
+    if ($this->checkStmt($stmt) && $stmt->bind_param('sssss', $username_clean, $password_hash, $email1, $pin_hash, $apikey_hash)) {
      if (!$stmt->execute()) {
        $this->setErrorMessage( 'Unable to register' );
        if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username or email already registered' );
--- a/public/templates/mmcFE/account/edit/default.tpl
+++ b/public/templates/mmcFE/account/edit/default.tpl
@ -4,7 +4,7 @@
      <input type="hidden" name="action" value="{$smarty.request.action|escape}">
      <input type="hidden" name="do" value="updateAccount">
      <table>
-        <tbody><tr><td>Username: </td><td>{$GLOBAL.userdata.username}</td></tr>
+        <tbody><tr><td>Username: </td><td>{$GLOBAL.userdata.username|escape}</td></tr>
        <tr><td>User Id: </td><td>{$GLOBAL.userdata.id}</td></tr>
        <tr><td>API Key: </td><td><a href="{$smarty.server.PHP_SELF}?page=api&action=getuserstatus&api_key={$GLOBAL.userdata.api_key}&id={$GLOBAL.userdata.id}">{$GLOBAL.userdata.api_key}</a></td></tr>
        <tr><td>E-Mail: </td><td><input type="text" name="email" value="{nocache}{$GLOBAL.userdata.email|escape}{/nocache}" size="20"></td></tr>
--- a/public/templates/mmcFE/admin/user/default.tpl
+++ b/public/templates/mmcFE/admin/user/default.tpl
@ -48,8 +48,8 @@
 {section name=user loop=$USERS|default}
    <tr>
      <td class="center">{$USERS[user].id}</td>
-      <td>{$USERS[user].username}</td>
-      <td>{$USERS[user].email}</td>
+      <td>{$USERS[user].username|escape}</td>
+      <td>{$USERS[user].email|escape}</td>
      <td class="right">{$USERS[user].shares}</td>
      <td class="right">{$USERS[user].hashrate}</td>
      <td class="right">{$USERS[user].payout.est_donation|number_format:"8"}</td>
--- a/public/templates/mmcFE/global/userinfo.tpl
+++ b/public/templates/mmcFE/global/userinfo.tpl
@ -1,5 +1,5 @@
 {if $GLOBAL.userdata.username|default}
-            <h2>Welcome, {$smarty.session.USERDATA.username} <font size='1px'><b>Active Account</b>: <b>{$GLOBAL.fees}%</b> Pool Fee</font> <font size='1px'><i>(You are <a href='{$smarty.server.PHP_SELF}?page=account&action=edit'>donating</a> <b></i>{$GLOBAL.userdata.donate_percent}%</b> <i>of your earnings)</i></font></h2>
+            <h2>Welcome, {$smarty.session.USERDATA.username|escape} <font size='1px'><b>Active Account</b>: <b>{$GLOBAL.fees|escape}%</b> Pool Fee</font> <font size='1px'><i>(You are <a href='{$smarty.server.PHP_SELF}?page=account&action=edit'>donating</a> <b></i>{$GLOBAL.userdata.donate_percent|escape}%</b> <i>of your earnings)</i></font></h2>
 {else}
            <h2>Welcome guest, <font size="1px"> please <a href="{$smarty.server.PHP_SELF}?page=register">register</a> to user this pool.</font></h2>
 {/if}
--- a/public/templates/mmcFE/statistics/blocks/default.tpl
+++ b/public/templates/mmcFE/statistics/blocks/default.tpl
@ -57,7 +57,7 @@ target and network difficulty and assuming a zero variance scenario.
        {else if $BLOCKSFOUND[block].confirmations == -1}
          <font color="red">Orphan</font>
        {else}{$GLOBAL.confirmations - $BLOCKSFOUND[block].confirmations} left{/if}</td>
-        <td>{$BLOCKSFOUND[block].finder|default:"unknown"}</td>
+        <td>{$BLOCKSFOUND[block].finder|default:"unknown"|escape}</td>
        <td class="center">{$BLOCKSFOUND[block].time|date_format:"%d/%m %H:%M:%S"}</td>
        <td class="right">{$BLOCKSFOUND[block].difficulty|number_format:"2"}</td>
        <td class="right">{$BLOCKSFOUND[block].amount|number_format:"2"}</td>
--- a/public/templates/mmcFE/statistics/blocks/small_table.tpl
+++ b/public/templates/mmcFE/statistics/blocks/small_table.tpl
@ -14,7 +14,7 @@
 {section block $BLOCKSFOUND}
      <tr class="{cycle values="odd,even"}">
        <td class="center"><a href="{$GLOBAL.blockexplorer}{$BLOCKSFOUND[block].height}" target="_blank">{$BLOCKSFOUND[block].height}</a></td>
-        <td>{$BLOCKSFOUND[block].finder|default:"unknown"}</td>
+        <td>{$BLOCKSFOUND[block].finder|default:"unknown"|escape}</td>
        <td class="center">{$BLOCKSFOUND[block].time|date_format:"%d/%m %H:%M:%S"}</td>
        <td class="right">{$BLOCKSFOUND[block].shares|number_format}</td>
      </tr>
--- a/public/templates/mmcFE/statistics/pool/contributors_hashrate.tpl
+++ b/public/templates/mmcFE/statistics/pool/contributors_hashrate.tpl
@ -17,7 +17,7 @@
      {math assign="estday" equation="round(reward / ( diff * pow(2,32) / ( hashrate * 1000 ) / 3600 / 24), 3)" diff=$DIFFICULTY reward=$REWARD hashrate=$CONTRIBHASHES[contrib].hashrate}
      <tr{if $GLOBAL.userdata.username == $CONTRIBHASHES[contrib].account}{assign var=listed value=1} style="background-color:#99EB99;"{else} class="{cycle values="odd,even"}"{/if}>
        <td>{$rank++}</td>
-        <td>{$CONTRIBHASHES[contrib].account}</td>
+        <td>{$CONTRIBHASHES[contrib].account|escape}</td>
        <td class="right">{$CONTRIBHASHES[contrib].hashrate|number_format}</td>
        <td class="right">{$estday|number_format:"3"}</td>
        {if $GLOBAL.config.price.currency}<td class="right">{($estday * $GLOBAL.price)|default:"n/a"|number_format:"2"}</td>{/if}
@ -27,7 +27,7 @@
      {if $GLOBAL.userdata.hashrate > 0}{math assign="myestday" equation="round(reward / ( diff * pow(2,32) / ( hashrate * 1000 ) / 3600 / 24), 3)" diff=$DIFFICULTY reward=$REWARD hashrate=$GLOBAL.userdata.hashrate}{/if}
      <tr style="background-color:#99EB99;">
        <td>n/a</td>
-        <td>{$GLOBAL.userdata.username}</td>
+        <td>{$GLOBAL.userdata.username|escape}</td>
        <td class="right">{$GLOBAL.userdata.hashrate}</td>
        <td class="right">{$myestday|number_format:"3"|default:"n/a"}</td>
        {if $GLOBAL.config.price.currency}<td class="right">{($myestday * $GLOBAL.price)|default:"n/a"|number_format:"2"}</td>{/if}
--- a/public/templates/mmcFE/statistics/pool/contributors_shares.tpl
+++ b/public/templates/mmcFE/statistics/pool/contributors_shares.tpl
@ -14,14 +14,14 @@
 {section hashrate $CONTRIBSHARES}
      <tr{if $GLOBAL.userdata.username == $CONTRIBSHARES[hashrate].account}{assign var=listed value=1} style="background-color:#99EB99;"{else} class="{cycle values="odd,even"}"{/if}>
        <td>{$rank++}</td>
-        <td>{$CONTRIBSHARES[hashrate].account}</td>
+        <td>{$CONTRIBSHARES[hashrate].account|escape}</td>
        <td class="right">{$CONTRIBSHARES[hashrate].shares|number_format}</td>
      </tr>
 {/section}
 {if $listed != 1 && $GLOBAL.userdata.username|default:""}
      <tr style="background-color:#99EB99;">
        <td>n/a</td>
-        <td>{$GLOBAL.userdata.username}</td>
+        <td>{$GLOBAL.userdata.username|escape}</td>
        <td class="right">{$GLOBAL.userdata.shares.valid|number_format}</td>
      </tr>
 {/if}