Revision 1832
Added by Dietmar almost 12 years ago
- security Application error message fix in search/search.php
| search.php | ||
|---|---|---|
| 15 | 15 |
* |
| 16 | 16 |
*/ |
| 17 | 17 |
|
| 18 |
// Must include code to stop this file being access directly |
|
| 19 |
if(defined('WB_PATH') == false) { die("Cannot access this file directly"); }
|
|
| 18 |
/* -------------------------------------------------------- */ |
|
| 19 |
// Must include code to stop this file being accessed directly |
|
| 20 |
if(!defined('WB_PATH')) {
|
|
| 21 |
require_once(dirname(dirname(__FILE__)).'/framework/globalExceptionHandler.php'); |
|
| 22 |
throw new IllegalFileException(); |
|
| 23 |
} |
|
| 24 |
/* -------------------------------------------------------- */ |
|
| 20 | 25 |
|
| 21 | 26 |
// Check if search is enabled |
| 22 | 27 |
if(SHOW_SEARCH != true) {
|
| ... | ... | |
| 132 | 137 |
// use "%/en/" (or "%/en/, %/info", ...) to get the old behavior |
| 133 | 138 |
$search_path_SQL = ''; |
| 134 | 139 |
$search_path = ''; |
| 140 |
// solve $_REQUEST['search_path' to be string |
|
| 141 |
if(isset($_REQUEST['search_path']) && is_array($_REQUEST['search_path'])) {
|
|
| 142 |
$_REQUEST['search_path'] = implode(",", $_REQUEST['search_path']);
|
|
| 143 |
} |
|
| 135 | 144 |
if(isset($_REQUEST['search_path'])) {
|
| 136 | 145 |
$search_path = addslashes(htmlspecialchars(strip_tags($wb->strip_slashes($_REQUEST['search_path'])), ENT_QUOTES)); |
| 137 | 146 |
if(!preg_match('~^%?[-a-zA-Z0-9_,/ ]+$~', $search_path))
|
| ... | ... | |
| 269 | 278 |
$search_results_footer = str_replace($vars, $values, ($fetch_results_footer['value'])); |
| 270 | 279 |
|
| 271 | 280 |
// Do extra vars/values replacement |
| 272 |
$vars = array('[SEARCH_STRING]', '[WB_URL]', '[PAGE_EXTENSION]', '[TEXT_SEARCH]', '[TEXT_ALL_WORDS]', '[TEXT_ANY_WORDS]', '[TEXT_EXACT_MATCH]', '[TEXT_MATCH]', '[TEXT_MATCHING]', '[ALL_CHECKED]', '[ANY_CHECKED]', '[EXACT_CHECKED]', '[REFERRER_ID]', '[SEARCH_PATH]');
|
|
| 281 |
$vars = array('[SEARCH_STRING]', '[WB_URL]', '[PAGE_EXTENSION]', '[TEXT_SEARCH]', '[TEXT_ALL_WORDS]', '[TEXT_ANY_WORDS]', '[TEXT_EXACT_MATCH]', '[TEXT_MATCH]', '[TEXT_MATCHING]', '[ALL_CHECKED]', '[ANY_CHECKED]', '[EXACT_CHECKED]', '[REFERRER]', '[SEARCH_PATH]');
|
|
| 273 | 282 |
$values = array($search_display_string, WB_URL, PAGE_EXTENSION, $TEXT['SEARCH'], $TEXT['ALL_WORDS'], $TEXT['ANY_WORDS'], $TEXT['EXACT_MATCH'], $TEXT['MATCH'], $TEXT['MATCHING'], $all_checked, $any_checked, $exact_checked, REFERRER_ID, $search_path); |
| 274 | 283 |
$search_header = str_replace($vars, $values, ($fetch_header['value'])); |
| 275 | 284 |
$vars = array('[TEXT_NO_RESULTS]');
|
Also available in: Unified diff