1 Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
3 diff --git a/bin/quotaimg.php b/bin/quotaimg.php
4 index 354f4eb..4e73c21 100644
11 -$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
12 -$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
13 -$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
14 -$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
15 +$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
16 +$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
17 +$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
18 +$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
22 @@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
25 $quota_width = $quota / 100 * $width;
26 - imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
27 + imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
29 $string = $quota . '%';
30 $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
31 @@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
35 -genQuota($used, $quota, $width, $height);
36 +if ($width > 1 && $height > 1) {
37 + genQuota($used, $quota, $width, $height);
40 + header("HTTP/1.0 404 Not Found");
45 \ No newline at end of file