q2a / question2answer

Question2Answer is a free and open source platform for Q&A sites, running on PHP/MySQL.
http://www.question2answer.org/
GNU General Public License v3.0

Handle invalid entityids when favorting Questions or Users #921

Open q2apro opened 2 years ago

q2apro commented 2 years ago

In \qa-include\ajax\favorite.php the incoming values are not validated.

$entitytype = qa_post_text('entitytype');
$entityid = qa_post_text('entityid');
$setfavorite = qa_post_text('favorite');

It should probably be validated like this:

$entitytype = qa_post_text('entitytype'); // Q, U, T, C
$entityid = qa_post_text('entityid'); // bigint, e.g. 123456
$setfavorite = (int)qa_post_text('favorite'); // 0 or 1, so cast to int

// validate data
$entitytypes = ['Q', 'U', 'T', 'C'];
if(!in_array($entitytype, $entitytypes))
{
    echo "QA_AJAX_RESPONSE\n0\n" . "Wrong entity type";
    return; // stop here, otherwise the request falls through to the favorite code below
}

$entityid = preg_replace('/[^0-9]/', '', $entityid);
// or checking with ctype_digit($entityid)

Similar to https://github.com/q2a/question2answer/issues/919
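The validation proposed in the issue, written out as an added, stand-alone example (not code from the Question2Answer project or from the issue author) so the rules can be run without Q2A. It follows the issue in treating entityid as a numeric BIGINT for every entity type; if any type in the real handler is addressed by something other than an integer id, that type needs its own rule rather than this one. The function name validate_favorite_input(), the $_POST-shaped array, the BIGINT bound and the sample requests are assumptions for this example. It differs from the issue's snippet in three ways a reviewer would ask for: it returns on the first failure instead of echoing an error and continuing, it rejects a malformed id with ctype_digit() instead of silently stripping characters (preg_replace would turn '12abc' into 12 and favorite a different entity than the one sent), and it only accepts the literal '0' or '1' for the favorite flag rather than casting arbitrary text to int.

```php
<?php
// Added example, not part of Question2Answer or of the issue author's code.
// Assumptions: validate_favorite_input(), the $_POST-shaped input array, the
// signed BIGINT bound and the constructed sample requests below.

const ENTITY_TYPES = ['Q', 'U', 'T', 'C'];
const BIGINT_MAX = '9223372036854775807';   // upper bound of a signed MySQL BIGINT

/**
 * Returns ['ok' => true, 'entitytype' => ..., 'entityid' => ..., 'favorite' => 0|1]
 * or ['ok' => false, 'error' => ...]. $post mirrors the raw POST fields.
 */
function validate_favorite_input(array $post): array
{
    $entitytype = $post['entitytype'] ?? null;
    $entityid   = $post['entityid'] ?? null;
    $favorite   = $post['favorite'] ?? null;

    // Whitelist the type; strict comparison so only the exact strings match.
    if (!is_string($entitytype) || !in_array($entitytype, ENTITY_TYPES, true)) {
        return ['ok' => false, 'error' => 'Wrong entity type'];
    }

    // ctype_digit() rejects '', signs, whitespace and '12abc' outright instead of
    // coercing them, so a tampered id is refused rather than rewritten.
    if (!is_string($entityid) || !ctype_digit($entityid)) {
        return ['ok' => false, 'error' => 'Wrong entity id'];
    }

    // Normalise leading zeros, then compare as decimal strings so the check also
    // holds on 32-bit PHP builds where the value would not fit in an int.
    $entityid = ltrim($entityid, '0');
    if ($entityid === '') {
        $entityid = '0';
    }
    if (strlen($entityid) > strlen(BIGINT_MAX) ||
        (strlen($entityid) === strlen(BIGINT_MAX) && strcmp($entityid, BIGINT_MAX) > 0)) {
        return ['ok' => false, 'error' => 'Entity id out of range'];
    }

    // Only the literal '0' or '1' is a valid flag; (int) casting would map
    // 'yes' to 0 and '1abc' to 1 and hide a malformed request.
    if ($favorite !== '0' && $favorite !== '1') {
        return ['ok' => false, 'error' => 'Wrong favorite flag'];
    }

    return [
        'ok'         => true,
        'entitytype' => $entitytype,
        'entityid'   => $entityid,
        'favorite'   => (int)$favorite,
    ];
}

/** Formats a failure in the Q2A AJAX response convention used in the issue (status 0 + message). */
function ajax_error(string $message): string
{
    return "QA_AJAX_RESPONSE\n0\n" . $message;
}

// Constructed sample requests: valid, wrong type, non-numeric id, oversize id, bad flag.
$samples = [
    ['entitytype' => 'Q', 'entityid' => '123456', 'favorite' => '1'],
    ['entitytype' => 'X', 'entityid' => '1', 'favorite' => '1'],
    ['entitytype' => 'U', 'entityid' => '12abc', 'favorite' => '0'],
    ['entitytype' => 'T', 'entityid' => '99999999999999999999', 'favorite' => '1'],
    ['entitytype' => 'C', 'entityid' => '7', 'favorite' => 'yes'],
];

foreach ($samples as $post) {
    $result = validate_favorite_input($post);
    if ($result['ok']) {
        printf("accept type=%s id=%s favorite=%d\n",
            $result['entitytype'], $result['entityid'], $result['favorite']);
    } else {
        echo str_replace("\n", ' | ', ajax_error($result['error'])), "\n";
    }
}
```

Inside the real handler the equivalent of each failing branch is echo plus return, since the AJAX scripts are included and the code after the check would otherwise still run against the database with the unvalidated values.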