lsp: properly escape username and titles

LMMS · Mar 24, 2020 · f6aee0b · f6aee0b
1 parent b7c69d4
commit f6aee0b
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/public/lsp/add_file.php b/public/lsp/add_file.php
@@ -31,7 +31,7 @@
 					move_uploaded_file($tmp_path, $TMP_DIR . $tmp_name_only);
 					//echo "<code>moving $tmp_path to $TMP_DIR$tmp_name_only</code>";
 					echo twig_render('lsp/edit_file.twig', [
-						'titles' => array('<a href="">Add File</a>', $file_path),
+						'titles' => array('<a href="">Add File</a>', htmlentities($file_path)),
 						'categories' => $categories,
 						'file_id' => GET('file'),
 						'licenses' => get_licenses(),

diff --git a/public/lsp/polyfill.php b/public/lsp/polyfill.php
@@ -30,7 +30,7 @@ function twig_render(string $template, array $params) {
     }
     $common = [
         'category_list' => get_categories(),
-        'username' => SESSION(),
+        'username' => html_entity_decode(SESSION()),
         'is_admin' => is_admin(get_user_id(SESSION())),
         'auth_failure' => $auth_failure,
         'commentsearch' => GET('commentsearch', false) ? 'checked' : '',

diff --git a/public/lsp/utils.php b/public/lsp/utils.php
@@ -202,6 +202,8 @@ function display_message($message, $severity = 'danger', $title = 'Error', $titl
 		'message' => $message,
 		'counter' => $counter
 	]);
+
+	return true;
 }
 
 function display_error($message, $title_array = null, $redirect = null, $counter = 15) {
@@ -238,8 +240,8 @@ function logout() {
  */
 function login() {
 	if (SESSION_EMPTY() && GET('action') == 'login') {
-		if (password_match(POST('password'), POST('login'))) {
-			$_SESSION["remote_user"] = POST('login');
+		if (password_match(POST('password'), htmlspecialchars_decode(POST('login')))) {
+			$_SESSION["remote_user"] = htmlspecialchars_decode(POST('login'));
 			$_GET["action"] = POST('oldaction');
 			set_get_post('category');
 			set_get_post('subcategory');

diff --git a/templates/lsp/base.twig b/templates/lsp/base.twig
@@ -59,7 +59,7 @@
                             {% if is_admin %}
                                 <span class="fas fa-shield-alt"></span>&nbsp;
                             {% endif %}
-                            {{username|raw}}
+                            {{username}}
                             </span>
                         {% endif %}
                             {# Show auth-fail alert in title for smaller screens #}
@@ -96,7 +96,7 @@
                     <a class="list-group-item" href="?content=add">
                         <span class="fas fa-fw fa-upload"></span>&nbsp;&nbsp;Add file
                     </a>
-                    <a class="list-group-item" href="?action=browse&user={{username|raw}}">
+                    <a class="list-group-item" href="?action=browse&user={{username|escape('url')}}">
                         <span class="far fa-fw fa-copy"></span>&nbsp;&nbsp;My files
                     </a>
                     <a class="list-group-item" href="?account=settings">