Fixed xss in deluser (#9079)

DO NOT DELETE THIS TEXT

#### Please note

> Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting.

- [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/)

#### Testers

If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, e.g. `./scripts/github-apply 5926`
This commit is contained in:
Tony Murray
2018-08-25 06:10:00 -05:00
committed by Neil Lathwood
parent 05a77b7bd2
commit 0a34a37d9e


@@ -13,16 +13,17 @@ if (!Auth::user()->isAdmin()) {
if (Auth::get()->canManageUsers()) { if (Auth::get()->canManageUsers()) {
if ($vars['action'] == 'del') { if ($vars['action'] == 'del') {
$delete_username = dbFetchCell('SELECT username FROM users WHERE user_id = ?', array($vars['id'])); $id = (int)$vars['id'];
$delete_username = dbFetchCell('SELECT username FROM users WHERE user_id = ?', [$id]);
if ($vars['confirm'] == 'yes') { if ($vars['confirm'] == 'yes') {
if (Auth::get()->deleteUser($vars['id']) >= 0) { if (Auth::get()->deleteUser($id) >= 0) {
print_message('<div class="infobox">User "'.$delete_username.'" deleted!'); print_message('<div class="infobox">User "'.$delete_username.'" deleted!');
} else { } else {
print_error('Error deleting user "'.$delete_username.'"!'); print_error('Error deleting user "'.$delete_username.'"!');
} }
} else { } else {
print_error('You have requested deletion of the user "'.$delete_username.'". This action can not be reversed.<br /><a class="btn btn-danger" href="deluser/action=del/id='.$vars['id'].'/confirm=yes">Click to confirm</a>'); print_error('You have requested deletion of the user "'.$delete_username.'". This action can not be reversed.<br /><a class="btn btn-danger" href="deluser/action=del/id='.$id.'/confirm=yes">Click to confirm</a>');
} }
} }