Revision 1832
Added by Dietmar almost 12 years ago
- security: application error message fix in search/search.php
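--- a/search/search.php
+++ b/search/search.php
@@ -15,8 +15,13 @@
  *
 */
 
-// Must include code to stop this file being access directly
-if(defined('WB_PATH') == false) { die("Cannot access this file directly"); }
+/* -------------------------------------------------------- */
+// Must include code to stop this file being accessed directly
+if(!defined('WB_PATH')) {
+require_once(dirname(dirname(__FILE__)).'/framework/globalExceptionHandler.php');
+throw new IllegalFileException();
+}
+/* -------------------------------------------------------- */
 
 // Check if search is enabled
 if(SHOW_SEARCH != true) {
@@ -132,6 +137,10 @@
 // use "%/en/" (or "%/en/, %/info", ...) to get the old behavior
 $search_path_SQL = '';
 $search_path = '';
+// solve $_REQUEST['search_path' to be string
+if(isset($_REQUEST['search_path']) && is_array($_REQUEST['search_path'])) {
+$_REQUEST['search_path'] = implode(",", $_REQUEST['search_path']);
+}
 if(isset($_REQUEST['search_path'])) {
 $search_path = addslashes(htmlspecialchars(strip_tags($wb->strip_slashes($_REQUEST['search_path'])), ENT_QUOTES));
 if(!preg_match('~^%?[-a-zA-Z0-9_,/ ]+$~', $search_path))
@@ -269,7 +278,7 @@
 $search_results_footer = str_replace($vars, $values, ($fetch_results_footer['value']));
 
 // Do extra vars/values replacement
-$vars = array('[SEARCH_STRING]', '[WB_URL]', '[PAGE_EXTENSION]', '[TEXT_SEARCH]', '[TEXT_ALL_WORDS]', '[TEXT_ANY_WORDS]', '[TEXT_EXACT_MATCH]', '[TEXT_MATCH]', '[TEXT_MATCHING]', '[ALL_CHECKED]', '[ANY_CHECKED]', '[EXACT_CHECKED]', '[REFERRER_ID]', '[SEARCH_PATH]');
+$vars = array('[SEARCH_STRING]', '[WB_URL]', '[PAGE_EXTENSION]', '[TEXT_SEARCH]', '[TEXT_ALL_WORDS]', '[TEXT_ANY_WORDS]', '[TEXT_EXACT_MATCH]', '[TEXT_MATCH]', '[TEXT_MATCHING]', '[ALL_CHECKED]', '[ANY_CHECKED]', '[EXACT_CHECKED]', '[REFERRER]', '[SEARCH_PATH]');
 $values = array($search_display_string, WB_URL, PAGE_EXTENSION, $TEXT['SEARCH'], $TEXT['ALL_WORDS'], $TEXT['ANY_WORDS'], $TEXT['EXACT_MATCH'], $TEXT['MATCH'], $TEXT['MATCHING'], $all_checked, $any_checked, $exact_checked, REFERRER_ID, $search_path);
 $search_header = str_replace($vars, $values, ($fetch_header['value']));
 $vars = array('[TEXT_NO_RESULTS]');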
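Review bot: In the second hunk, `implode(",", $_REQUEST['search_path'])` still raises an "Array to string conversion" notice when an element of the submitted array is itself an array, so the application error message this commit sets out to remove can still be provoked by a malformed request. Dropping non-string elements before joining closes that gap: `$_REQUEST['search_path'] = implode(",", array_filter($_REQUEST['search_path'], 'is_string'));`, and the existing `preg_match('~^%?[-a-zA-Z0-9_,/ ]+$~', ...)` check below still rejects anything unexpected that remains. Separately, the third hunk renames the placeholder `[REFERRER_ID]` to `[REFERRER]` in `$vars` while `$values` still supplies `REFERRER_ID`; unless the bundled templates were updated in the same change, a template using `[REFERRER_ID]` will now render the literal placeholder, and keeping both names in `$vars`/`$values` would preserve compatibility.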