deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Security: Sanitize Remote IP address

Browse source 
Dunno quite how, but evidently, request.ip is manipulable. Make sure it consists of a dotted-quad.
Also, correct a typo from the previous revision.
This commit is contained in:
Jacques Distler 2008-03-14 10:50:06 -05:00
parent 827fb77ad3
commit d46798dd08
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/wiki_controller.rb
View file

@ -412,7 +412,7 @@ class WikiController < ApplicationController
def remote_ip def remote_ip
ip = request.remote_ip ip = request.remote_ip
logger.info(ip) logger.info(ip)
ip ip.gsub!(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/, '\1')
end end
def render_atom(hide_description = false, limit = 15) def render_atom(hide_description = false, limit = 15)

2
app/models/page.rb
View file

@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
# Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page". # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
def plain_name def plain_name
web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapHTML(WikiWords.separate(name)) web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))
end end
LOCKING_PERIOD = 30.minutes LOCKING_PERIOD = 30.minutes