From 7f0d38b7cfee72452d6429ce32491d8ff9998efa Mon Sep 17 00:00:00 2001
From: Fil <fil@rezo.net>
Date: Fri, 28 Feb 2003 21:20:46 +0000
Subject: [PATCH] securite

---
 ecrire/inc_auth_spip.php3 |  2 +-
 ecrire/inc_version.php3   |  2 +-
 ecrire/sites.php3         | 12 ++++++------
 ecrire/sites_tous.php3    |  2 +-
 inc-public-global.php3    |  2 +-
 spip_image.php3           |  1 +
 spip_pass.php3            |  2 +-
 7 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/ecrire/inc_auth_spip.php3 b/ecrire/inc_auth_spip.php3
index f7a6dacf6b..6e49cb1402 100644
--- a/ecrire/inc_auth_spip.php3
+++ b/ecrire/inc_auth_spip.php3
@@ -13,7 +13,7 @@ class Auth_spip {
 	}
 
 	function verifier_challenge_md5($login, $mdpass_actuel, $mdpass_futur) {
-		$query = "SELECT * FROM spip_auteurs WHERE login='$login' AND pass='".addslashes($mdpass_actuel)."' AND statut<>'5poubelle' AND source='spip'";
+		$query = "SELECT * FROM spip_auteurs WHERE login='".addslashes($login)."' AND pass='".addslashes($mdpass_actuel)."' AND statut<>'5poubelle' AND source='spip'";
 		$result = spip_query($query);
 
 		if ($row = spip_fetch_array($result)) {
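Review bot: addslashes() on `$login` closes the quoting gap in the WHERE clause, but it is a generic quote escaper rather than the database driver's own escaping, so it does not account for the connection's character set; routing every value that reaches spip_query() through one driver-aware escaping helper would be the more durable fix than adding addslashes() call by call. What verifier_challenge_md5 does with `$mdpass_futur` is outside this hunk, so I cannot tell whether that value is escaped on the same principle. The method body continues past the end of the hunk.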
diff --git a/ecrire/inc_version.php3 b/ecrire/inc_version.php3
index 1b5581c3ce..64cf030f02 100644
--- a/ecrire/inc_version.php3
+++ b/ecrire/inc_version.php3
@@ -159,7 +159,7 @@ error_reporting(E_ALL ^ E_NOTICE);
 // ** Securite **
 $auteur_session = '';
 $connect_statut = '';
-
+$dir_ecrire = '';
 
 // - le dossier des squelettes, a preciser dans mes_fonctions.php3, sous
 //   la forme : < ? php $GLOBALS['dossier_squelettes'] = 'squel'; ? >
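Review bot: The new `$dir_ecrire = '';` reset carries no comment saying why it exists, and the `// ** Securite **` heading is the only hint that these assignments neutralise values injected through request variables rather than set defaults. Since the reset discards any value an entry point assigned before including inc_version.php3, I would state that contract next to it, e.g. `// reset request-injectable globals; entry points must assign $dir_ecrire AFTER including this file`. This presumably pairs with the reorderings in inc-public-global.php3 and spip_pass.php3 later in the patch; any other entry point that still assigns `$dir_ecrire` before the include would silently lose its value.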
diff --git a/ecrire/sites.php3 b/ecrire/sites.php3
index e2f4f7ed83..f1ca622448 100644
--- a/ecrire/sites.php3
+++ b/ecrire/sites.php3
@@ -115,7 +115,7 @@ if ($analyser_site == 'oui' AND $flag_editable) {
 		$syndication = $v[syndic] ? 'oui' : 'non';
 		$query = "UPDATE spip_syndic ".
 			"SET nom_site='$nom_site', url_site='$url_site', url_syndic='$url_syndic', descriptif='$descriptif', syndication='$syndication', statut='$statut' ".
-			"WHERE id_syndic=$id_syndic";
+			"WHERE id_syndic=".intval($id_syndic);
 		$result = spip_query($query);
 		if ($syndication == 'oui') syndic_a_jour($id_syndic);
 		$link = new Link('sites.php3');
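Review bot: `$id_syndic` is cast with intval() only inside the query string, while the raw value is still passed to `syndic_a_jour($id_syndic)` on the next line and is re-cast separately in each later hunk of this file (patch lines 60, 65, 74, 83 and 92), so the sanitised and unsanitised forms coexist. Normalising once near the top of the script, `$id_syndic = intval($id_syndic);`, would make every later use safe by construction and remove the chance of a query that forgets the cast. The other interpolated values on the SET line (`$nom_site`, `$url_site`, ...) are escaped, if at all, outside this hunk, so I cannot tell whether they are already addslashes()'d.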
@@ -133,11 +133,11 @@ if ($analyser_site == 'oui' AND $flag_editable) {
 
 if ($nouveau_statut AND $flag_administrable) {
 	$statut = $nouveau_statut;
-	$query = "UPDATE spip_syndic SET statut='$statut' WHERE id_syndic='$id_syndic'";
+	$query = "UPDATE spip_syndic SET statut='$statut' WHERE id_syndic=".intval($id_syndic);
 	$result = spip_query($query);
 	//if ($statut == 'refuse') $redirect_ok = 'oui';
 	if ($statut == 'publie') {
-		$query = "UPDATE spip_syndic SET date=NOW() WHERE id_syndic='$id_syndic'";
+		$query = "UPDATE spip_syndic SET date=NOW() WHERE id_syndic=".intval(id_syndic);
 		$result = spip_query($query);
 	}
 	calculer_rubriques();
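Review bot: The new line `WHERE id_syndic=".intval(id_syndic)` is missing the `$` sigil: `id_syndic` is an undefined constant, which PHP of this era treats as the string `'id_syndic'` with a notice that `error_reporting(E_ALL ^ E_NOTICE)` hides, so intval() yields 0 and the date is never set on the published site. It should read `$query = "UPDATE spip_syndic SET date=NOW() WHERE id_syndic=".intval($id_syndic);`. A silent match on id 0 is exactly the kind of failure the suppressed notices mask, so this is worth a regression check.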
@@ -156,7 +156,7 @@ if ($nom_site AND $modifier_site == 'oui' AND $flag_editable) {
 	if (strlen($url_syndic) < 8) $syndication = "non";
 	$url_syndic = addslashes($url_syndic);
 
-	$query = "UPDATE spip_syndic SET id_rubrique='$id_rubrique', nom_site='$nom_site', url_site='$url_site', url_syndic='$url_syndic', descriptif='$descriptif', syndication='$syndication', statut='$statut' WHERE id_syndic='$id_syndic'";
+	$query = "UPDATE spip_syndic SET id_rubrique='$id_rubrique', nom_site='$nom_site', url_site='$url_site', url_syndic='$url_syndic', descriptif='$descriptif', syndication='$syndication', statut='$statut' WHERE id_syndic=".intval($id_syndic);
 	$result = spip_query($query);
 
 	if ($syndication_old != $syndication OR $url_syndic != $old_syndic) {
@@ -183,7 +183,7 @@ if ($nom_site AND $modifier_site == 'oui' AND $flag_editable) {
 if ($jour AND $connect_statut == '0minirezo') {
 	if ($annee == "0000") $mois = "00";
 	if ($mois == "00") $jour = "00";
-	$query = "UPDATE spip_syndic SET date='$annee-$mois-$jour' WHERE id_syndic=$id_syndic";
+	$query = "UPDATE spip_syndic SET date='$annee-$mois-$jour' WHERE id_syndic=".intval($id_syndic);
 	$result = spip_query($query);
 	calculer_dates_rubriques();
 }
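Review bot: Only `$id_syndic` is cast here; `'$annee-$mois-$jour'` is still interpolated straight into the query, and the only visible handling of those three values is the `"0000"`/`"00"` normalisation above, which does not constrain their content. The `$connect_statut == '0minirezo'` guard limits who reaches this statement, not what they send, so I would cast them as well, e.g. `$date = sprintf('%04d-%02d-%02d', intval($annee), intval($mois), intval($jour));` and then `SET date='$date'`. Where `$annee`, `$mois` and `$jour` come from is outside the hunk, so this assumes they originate from the request.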
@@ -428,7 +428,7 @@ if ($syndication == "oui" OR $syndication == "off" OR $syndication == "sus") {
 	// modifier la moderation
 	if ($flag_administrable && $options=='avancees') {
 		if ($moderation == 'oui' OR $moderation == 'non')
-			spip_query("UPDATE spip_syndic SET moderation='$moderation' WHERE id_syndic=$id_syndic");
+			spip_query("UPDATE spip_syndic SET moderation='$moderation' WHERE id_syndic=".intval($id_syndic));
 		else
 			$moderation = $mod;
 
diff --git a/ecrire/sites_tous.php3 b/ecrire/sites_tous.php3
index df33650e1f..b95afc109e 100644
--- a/ecrire/sites_tous.php3
+++ b/ecrire/sites_tous.php3
@@ -5,7 +5,7 @@ include ("inc.php3");
 include_ecrire ("inc_sites.php3");
 
 if ($connect_statut == '0minirezo' AND $supp_syndic) {
-	$query="DELETE FROM spip_syndic WHERE id_syndic=$supp_syndic";
+	$query="DELETE FROM spip_syndic WHERE id_syndic=".intval($supp_syndic);
 	$result=spip_query($query);
 }
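Review bot: The guard `if ($connect_statut == '0minirezo' AND $supp_syndic)` tests truthiness of the raw value, so a non-numeric but non-empty `$supp_syndic` passes the check and the new intval() turns the statement into `DELETE ... WHERE id_syndic=0`. Casting before the test keeps the two in agreement: `$supp_syndic = intval($supp_syndic);` followed by `if ($connect_statut == '0minirezo' AND $supp_syndic > 0)`. How `$supp_syndic` reaches this script is not visible, so whether the deletion is also protected against a forged request is outside the hunk.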
 
diff --git a/inc-public-global.php3 b/inc-public-global.php3
index 3d326e70d9..10fa14fdd0 100644
--- a/inc-public-global.php3
+++ b/inc-public-global.php3
@@ -1,7 +1,7 @@
 <?php
 
-$dir_ecrire = 'ecrire/';
 include ("ecrire/inc_version.php3");
+$dir_ecrire = 'ecrire/';
 include_local ("inc-cache.php3");
 
 
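Review bot: The correctness of this file now depends on statement order — inc_version.php3 resets `$dir_ecrire` to `''` (second hunk of this patch), so the assignment survives only because it was moved below the include — and nothing at the assignment site says so. A one-line comment would stop the next refactor from moving it back: `$dir_ecrire = 'ecrire/'; // must follow inc_version.php3, which resets this global`. The same applies to the identical reordering in spip_pass.php3 at the end of the patch. Any other entry point that still sets `$dir_ecrire` before the include is not in this patch, so I cannot confirm they were all updated.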
diff --git a/spip_image.php3 b/spip_image.php3
index 6e96652822..2c8baf5a51 100644
--- a/spip_image.php3
+++ b/spip_image.php3
@@ -11,6 +11,7 @@ include_local("inc-cache.php3");
 // verifier les formats acceptes par GD
 
 if (($test_formats == "oui") AND $flag_function_exists) {
+	$gd_formats = Array();
 	if (function_exists('ImageCreateFromJPEG')) {
 		$srcImage = @ImageCreateFromJPEG("IMG/test.jpg");
 		if ($srcImage) {
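Review bot: `$gd_formats = Array();` is initialised only inside the `$test_formats == "oui"` branch, so when the branch is skipped the variable keeps whatever value it already had, which under register_globals can be request-supplied; if the rest of the script reads `$gd_formats` on that path, the reset does not cover it. Moving the initialisation to just above the `if` makes it unconditional. Minor style point: `array()` is the conventional lowercase spelling, matching the rest of the file. Whether `$gd_formats` is read outside the branch is not visible in this hunk.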
diff --git a/spip_pass.php3 b/spip_pass.php3
index e66945c8fc..532022f6c6 100644
--- a/spip_pass.php3
+++ b/spip_pass.php3
@@ -1,7 +1,7 @@
 <?php
 
-$dir_ecrire = 'ecrire/';
 include ("ecrire/inc_version.php3");
+$dir_ecrire = 'ecrire/';
 
 include_ecrire ("inc_meta.php3");
 include_ecrire ("inc_presentation.php3");
-- 
GitLab