From 9d0d0cc5161138a69f031b3ee2e8d0dfc65934b5 Mon Sep 17 00:00:00 2001
From: twodayslate
Date: Tue, 21 May 2013 16:56:53 -0300
Subject: [PATCH] Added filter
$field = filter_var($_GET['fid'], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
If attempted xss then $field will be null
---
 code/FilePage.php | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/code/FilePage.php b/code/FilePage.php
index 0289f41..5f2a154 100644
--- a/code/FilePage.php
+++ b/code/FilePage.php
@@ -57,10 +57,11 @@ public function init() {
 function Listing($ParentID = null) {
 if(!$this->FolderID) return false;
- $field = $_GET['fid'];
- if (isset($field) && is_numeric($field)) {
- if (DataObject::get("File", "ID = ".$_GET['fid'])) {
- $ParentID = $_GET['fid'];
+ $field = filter_var($_GET['fid'], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ if (isset($field)) {
+ if (DataObject::get("File", "ID = ".$field)) {
+ $ParentID = $field;
 }
 } else {
 $ParentID = $this->FolderID;
@@ -75,8 +76,10 @@ function Listing($ParentID = null) {
 // Checks if not at the root folder
 function NotRoot() {
- if (isset($_GET['fid'])) {
- if (DataObject::get("File", "ID = ".$_GET['fid'])) {
+ $field = filter_var($_GET['fid'], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ if (isset($field)) {
+ if (DataObject::get("File", "ID = ".$field)) {
 return true;
 }
 }
@@ -85,8 +88,10 @@ function NotRoot() {
 // Gets current folder from $_GET['fid']
 function CurrentFolder() {
- if (isset($_GET['fid'])) {
- return DataObject::get_by_id("File",$_GET['fid']);
+ $field = filter_var($_GET['fid'], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+ if (isset($field)) {
+ return DataObject::get_by_id("File",$field);
 }
 return false;
 }
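Review bot: The new `filter_var($_GET['fid'], ...)` line reads the request key unguarded, so a request without `fid` raises an undefined-index notice; in Listing the removed code had the same flaw, but in the second and third hunks the commit drops `isset($_GET['fid'])` guards that used to prevent it, which is a regression there. Guarding the read keeps the null-on-absence behaviour the `isset($field)` test relies on: `$field = isset($_GET['fid']) ? filter_var($_GET['fid'], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE) : null;`. Since this line is now duplicated in three methods, a small private helper returning the validated id (or null) would keep the validation rule in one place and make a later tightening a one-line change. Listing's body continues past the end of the hunk.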
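Review bot: The existence check `if (DataObject::get("File", "ID = ".$field))` on the new side may never evaluate false: if this is SilverStripe 3, `DataObject::get` returns a DataList object, which is truthy even when it matches no rows — confirm against the framework version in use. `DataObject::get_by_id`, which the third hunk already uses, returns the record (or a falsy value when there is none) and also avoids building the WHERE clause by string concatenation, even though `$field` is a validated int here: `if (DataObject::get_by_id("File", $field)) {`. The same check appears in the first hunk, where the `else` branch depends on it.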
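Review bot: `FILTER_VALIDATE_INT` as used on the new side accepts zero and negative values, so `fid=0` or `fid=-5` passes `isset($field)` and reaches the lookup; record IDs here are presumably positive, so a range option rejects those inputs before any query: `filter_var($_GET['fid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1], 'flags' => FILTER_NULL_ON_FAILURE])`. The same applies to the other two hunks. The lookup presumably returns a falsy value for a non-existent id anyway, so this is a tightening of the input contract rather than a correctness fix, but it also documents in code what a valid `fid` looks like.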