security fixes, filter all post/get vars
authorgreg gay <ggay@ocad.ca>
Mon, 26 Jun 2006 19:11:42 +0000 (19:11 -0000)
committergreg gay <ggay@ocad.ca>
Mon, 26 Jun 2006 19:11:42 +0000 (19:11 -0000)
mods/atalker/admin/admin_index.php
mods/atalker/index.php
mods/atalker/reader.html.php
mods/atalker/text_reader.php

index ec7d8b5..d9a548b 100644 (file)
 
        define('AT_INCLUDE_PATH', '../../../include/');
        require (AT_INCLUDE_PATH.'vitals.inc.php');
-
+       $_POST['textin'] = $addslashes(stripslashes($_POST['textin'])); 
+       $_POST['add'] = $addslashes(stripslashes($_POST['add']));       
+       $_POST['type'] = $addslashes(stripslashes($_POST['type']));     
+       $_POST['page'] = $addslashes(stripslashes($_POST['page']));     
+       $_POST['popup'] = $addslashes(stripslashes($_POST['popup']));   
+       $_POST['download'] = $addslashes(stripslashes($_POST['download']));     
+       $_POST['read'] = $addslashes(stripslashes($_POST['read']));     
+       $_POST['save'] = $addslashes(stripslashes($_POST['save']));     
+       $_POST['file_type'] = $addslashes(stripslashes($_POST['file_type']));   
+       $_POST['volumn'] = $addslashes(stripslashes($_POST['volumn'])); 
+       $_POST['duration'] = $addslashes(stripslashes($_POST['duration']));     
+       $_POST['filename'] = $addslashes(stripslashes($_POST['filename']));     
+
+
+       $_POST['export'] = $addslashes(stripslashes($_POST['export'])); 
+       $_POST['language'] = $addslashes(stripslashes($_POST['language']));     
+       $_POST['speaker'] = $addslashes(stripslashes($_POST['speaker']));
+       $_POST['base'] = $addslashes(stripslashes($_POST['base']));
+       $_POST['middle'] = $addslashes(stripslashes($_POST['middle']));
+       $_POST['range'] = $addslashes(stripslashes($_POST['range']));
+       $_POST['rate'] = $addslashes(stripslashes($_POST['rate']));
 // with the following line, only administrators can access this page
 admin_authenticate(AT_ADMIN_PRIV_COURSES);
 
index 1dbaa16..ccf7457 100644 (file)
        
        define('AT_INCLUDE_PATH', '../../include/');
        require (AT_INCLUDE_PATH.'vitals.inc.php');
+
+       $_POST['textin'] = $addslashes(stripslashes($_POST['textin'])); 
+       $_POST['add'] = $addslashes(stripslashes($_POST['add']));       
+       $_POST['type'] = $addslashes(stripslashes($_POST['type']));     
+       $_POST['page'] = $addslashes(stripslashes($_POST['page']));     
+       $_POST['popup'] = $addslashes(stripslashes($_POST['popup']));   
+       $_POST['download'] = $addslashes(stripslashes($_POST['download']));     
+       $_POST['read'] = $addslashes(stripslashes($_POST['read']));     
+       $_POST['save'] = $addslashes(stripslashes($_POST['save']));     
+       $_POST['file_type'] = $addslashes(stripslashes($_POST['file_type']));   
+       $_POST['volumn'] = $addslashes(stripslashes($_POST['volumn'])); 
+       $_POST['duration'] = $addslashes(stripslashes($_POST['duration']));     
+       $_POST['filename'] = $addslashes(stripslashes($_POST['filename']));     
+
+
+       $_POST['export'] = $addslashes(stripslashes($_POST['export'])); 
+       $_POST['language'] = $addslashes(stripslashes($_POST['language']));     
+       $_POST['speaker'] = $addslashes(stripslashes($_POST['speaker']));
+       $_POST['base'] = $addslashes(stripslashes($_POST['base']));
+       $_POST['middle'] = $addslashes(stripslashes($_POST['middle']));
+       $_POST['range'] = $addslashes(stripslashes($_POST['range']));
+       $_POST['rate'] = $addslashes(stripslashes($_POST['rate']));
+
+
        require_once(AT_INCLUDE_PATH.'../mods/atalker/atalkerlib.inc.php');
 
        $_pages['mods/atalker/index.php']['title_var']  = _AT('atalker');
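Review bot: The block is a byte-for-byte copy of the one added to admin/admin_index.php, so the two entry points will drift the next time a field is added or one of them gains a proper check; both files load atalkerlib.inc.php (the `require_once` right after this block), which is the natural place for a single `atalker_escape_post();` that each entry point calls. Each of the nineteen reads also dereferences a `$_POST` key that is absent on a plain page load, so this file now emits a notice per field on every GET; guard with `isset($_POST['textin']) ? $_POST['textin'] : ''` or loop over a list of keys. A shared helper would also be the one place to add the `$_GET` handling the commit title promises but neither file performs.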
index 11eddbe..87d9c1a 100644 (file)
@@ -159,11 +159,11 @@ if($_SESSION['privileges'] == AT_ADMIN_PRIV_ADMIN){
                        </select>
                        <label for="speaker"><?php echo _AT('speaker'); ?></label>
                        <select name="speaker" id="speaker">
-                               <option value="male1" <?php if($_POST['speaker'] == 'male1'){ echo $select; } ?>><?php echo _AT('male1'); ?></option>
+                               <option value="male1" <?php if($_POST['speaker'] == 'male1' || !$_POST['speaker']){ echo $select; } ?>><?php echo _AT('male1'); ?></option>
                                <option value="male2" <?php if($_POST['speaker'] == 'male2'){ echo $select; } ?>><?php echo _AT('male2'); ?></option>
                                <option value="male3" <?php if($_POST['speaker'] == 'male3'){ echo $select; } ?>><?php echo _AT('male3'); ?></option>
                                <option value="male4" <?php if($_POST['speaker'] == 'male4'){ echo $select; } ?>><?php echo _AT('male4'); ?></option>
-                               <option value="female1" <?php if($_POST['speaker'] == 'female1' || !$_POST['speaker']){ echo $select; } ?>><?php echo _AT('female1'); ?></option>
+                               <option value="female1" <?php if($_POST['speaker'] == 'female1'){ echo $select; } ?>><?php echo _AT('female1'); ?></option>
                        </select>               
                </td>
        </tr>
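Review bot: `!$_POST['speaker']` on the moved `male1` line raises an undefined-index notice in exactly the case it is meant to catch — the form has not been submitted yet — and it also treats a submitted value of `"0"` as unset; `empty($_POST['speaker'])` covers both without changing which option is selected. The swap of the default speaker from `female1` to `male1` is a user-visible behaviour change that the commit message ("security fixes") does not mention; it should be called out there or split into its own commit so the security change can be reviewed on its own.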
index 69fa20a..9ee6ec8 100644 (file)
@@ -55,7 +55,7 @@
        fputs($fp, $scheme_in);
        fclose($fp);
        
-       $file_props = "-mode --tts -eval ".AT_SPEECH_DIR.$now.".scm";
+       //$file_props = "-mode --tts -eval ".AT_SPEECH_DIR.$now.".scm";
 
        if(!$_POST['create'] && !$_POST['remove']){