ThaMunsta/itflow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Strip slashes on user agent and ip to prevent user header modification for XSS attack in API logging

Browse Source
This commit is contained in:
johnnyq
2022-02-04 16:55:45 -05:00
parent 338c991d21
commit be0778ab84
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api.php
+2 -2
View File
@@ -4,9 +4,9 @@ include("functions.php");
include("config.php"); include("config.php");
// Get user IP // Get user IP
$ip = mysqli_real_escape_string($mysqli,get_ip()); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
// Get user agent // Get user agent
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']); $user_agent = stip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
// Check API key is provided in GET request as 'api_key' // Check API key is provided in GET request as 'api_key'
if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) { if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
api/v1/validate_api_key.php
+2 -2
View File
@@ -7,9 +7,9 @@ include(__DIR__ . "../../../config.php");
header('Content-Type: application/json'); header('Content-Type: application/json');
// Get user IP // Get user IP
$ip = mysqli_real_escape_string($mysqli,get_ip()); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
// Get user agent // Get user agent
$user_agent = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']); $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
// Setup return array // Setup return array
$return_arr = array(); $return_arr = array();