[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=1602
[commit: http://hg.dwscoalition.org/dw-free/rev/fdb51799fa25]
http://bugs.dwscoalition.org/show_bug.cgi?id=1602
Fix unsanitized output issue with Google Analytics ids.
Patch by rat.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=1602
Fix unsanitized output issue with Google Analytics ids.
Patch by
Files modified:
- bin/upgrading/en.dat
- cgi-bin/DW/PageStats/GoogleAnalytics.pm
- cgi-bin/DW/Setting/GoogleAnalytics.pm
--------------------------------------------------------------------------------
diff -r 2959a543e2d9 -r fdb51799fa25 bin/upgrading/en.dat
--- a/bin/upgrading/en.dat Mon Aug 17 13:46:16 2009 -0500
+++ b/bin/upgrading/en.dat Tue Aug 18 02:37:21 2009 +0000
@@ -2663,6 +2663,8 @@ setting.graphicpreviews.option.comm=Allo
setting.graphicpreviews.option.self=Display a preview of external links when hovering over them
+setting.googleanalytics.error.invalid=Invalid Google Analytics ID entered, must be of the format: UA-NNNNNNN-NN (where N represents numbers).
+
setting.googleanalytics.label=Google Analytics ID
setting.imageplaceholders.error.invalid=Invalid image size.
diff -r 2959a543e2d9 -r fdb51799fa25 cgi-bin/DW/PageStats/GoogleAnalytics.pm
--- a/cgi-bin/DW/PageStats/GoogleAnalytics.pm Mon Aug 17 13:46:16 2009 -0500
+++ b/cgi-bin/DW/PageStats/GoogleAnalytics.pm Tue Aug 18 02:37:21 2009 +0000
@@ -29,8 +29,12 @@ sub render {
$code = $LJ::SITE_PAGESTAT_CONFIG{google_analytics};
} elsif ( $ctx eq 'journal' ) {
$code = LJ::get_active_journal()->google_analytics;
+ # the ejs call isn't strictly necessary but catches any
+ # dodgy analytics codes which may have been stored before
+ # validation was implemented.
+ $code = LJ::ejs( $code );
}
-
+
return qq{
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
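Review bot: The escape added at `$code = LJ::ejs( $code );` sits inside the `elsif ( $ctx eq 'journal' )` branch only, so the value taken from `$LJ::SITE_PAGESTAT_CONFIG{google_analytics}` is interpolated raw; that source is presumably operator-controlled, but the escape belongs immediately before `return qq{` so every branch, including any added later, goes through it. The comment should also say which context it covers: `LJ::ejs` escapes for a JavaScript string literal, yet the string is emitted inside an inline `<script>` element, so unless `ejs` also escapes `<` or `/`, a stored value containing `</script>` would still close the element — with the new format check on save this is belt-and-braces, which the comment should state explicitly. Suggested wording: `# LJ::ejs escapes for a JS string literal; the save path now validates the format, so this only guards ids stored before validation existed.` `render` starts before this hunk and the `qq{}` block continues past it, so the line where `$code` is interpolated is not visible here.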
diff -r 2959a543e2d9 -r fdb51799fa25 cgi-bin/DW/Setting/GoogleAnalytics.pm
--- a/cgi-bin/DW/Setting/GoogleAnalytics.pm Mon Aug 17 13:46:16 2009 -0500
+++ b/cgi-bin/DW/Setting/GoogleAnalytics.pm Tue Aug 18 02:37:21 2009 +0000
@@ -56,7 +56,13 @@ sub save {
my $txt = $class->get_arg( $args, "code" );
$txt = LJ::trim( $txt || "" );
$txt = LJ::text_trim( $txt, 0, 100 );
- $u->google_analytics ( $txt );
+ # Check that the ID matches the format UA-number-number
+ # or is blank before proceeding.
+ if ( $txt =~ /^UA-\d{1,20}-\d{1,5}$/i or $txt eq "" ) {
+ $u->google_analytics ( $txt );
+ } else {
+ $class->errors( "code" => $class->ml( 'setting.googleanalytics.error.invalid' ) ) ;
+ }
return 1;
}
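Review bot: The whitelist regex in `if ( $txt =~ /^UA-\d{1,20}-\d{1,5}$/i or $txt eq "" )` is looser than it reads: `$` also matches before a trailing newline, and `\d` matches any Unicode decimal digit when `$txt` is a character string, so an allow-list should use `\A`/`\z` anchors and an explicit ASCII class — `if ( $txt eq "" or $txt =~ /\AUA-[0-9]{1,20}-[0-9]{1,5}\z/i )`. `LJ::trim` on the line above probably strips a trailing newline already, but the regex is the contract and should not depend on that. With `/i`, a lowercase `ua-…` id is stored exactly as typed; if lowercase is meant to be accepted, normalise it with `$txt = uc $txt;` before `$u->google_analytics( $txt )` so one canonical form reaches the page. The `save` signature and the hunk's trailing context are outside this view.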
--------------------------------------------------------------------------------
