Closed emanuelb closed 7 years ago
in: https://github.com/phpmyadmin/scripts/blob/master/hooks/lib/github.php#L38
list($algo, $hash) = explode('=', $_SERVER['HTTP_X_HUB_SIGNATURE'], 2) + array('', '');
if (!in_array($algo, array('sha1', 'sha256', 'sha512'), true)) {
    fail("Hash algorithm '$algo' is not allowed.");
}
The fail function calls die on the received parameter (thus outputting its content), which contains $algo, which comes from $_SERVER['HTTP_X_HUB_SIGNATURE'].
fix: change:
fail("Hash algorithm '$algo' is not allowed.");
to:
fail("Hash algorithm '".htmlspecialchars($algo)."' is not allowed.");
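The report above, as an added example that is not code from phpmyadmin/scripts: it parses a constructed X-Hub-Signature value the way the quoted snippet does and builds the rejection message both unescaped and with the proposed htmlspecialchars() fix. The function names are hypothetical, and the text/plain and nosniff response headers are an extra hardening assumption not mentioned in the issue.

```php
<?php
// Added example; parse_signature_header(), unescaped_message(),
// escaped_message() and send_plain_error_headers() are hypothetical names.

// Split "algo=hash" the same way the quoted snippet does.
function parse_signature_header(string $header): array
{
    return explode('=', $header, 2) + array('', '');
}

// Behaviour reported in the issue: the raw header value reaches the output.
function unescaped_message(string $algo): string
{
    return "Hash algorithm '$algo' is not allowed.";
}

// Proposed fix: encode HTML metacharacters before the value is printed.
function escaped_message(string $algo): string
{
    return "Hash algorithm '" . htmlspecialchars($algo, ENT_QUOTES, 'UTF-8') . "' is not allowed.";
}

// Assumption (not in the issue): a webhook endpoint has no reason to answer
// with HTML, so the error body can be declared plain text as a second layer.
function send_plain_error_headers(): void
{
    if (!headers_sent()) {
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed header value with markup in the algorithm part.
$header = '<b>sha1</b>=0123abcd';
list($algo, $hash) = parse_signature_header($header);

if (!in_array($algo, array('sha1', 'sha256', 'sha512'), true)) {
    send_plain_error_headers();
    // Printed side by side for comparison; a real handler would stop here
    // with the escaped message only.
    echo 'unescaped: ', unescaped_message($algo), PHP_EOL;
    echo 'escaped:   ', escaped_message($algo), PHP_EOL;
}
```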