Add a PD_NoBot() check to /timeline, based on spider attack records.
Commit
3fa6f8f09ad4fed9f9a7754fa51a09665ddd63f3e671c7d09b596c915f3b15a5
Parent
a64ef5efd15caec…
1 file changed
+3
+3
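--- a/src/timeline.c
+++ b/src/timeline.c
@@ -1698,10 +1698,13 @@
 int haveParameterN; /* True if n= query parameter present */
 
 url_initialize(&url, "timeline");
 cgi_query_parameters_to_url(&url);
 
+(void)P_NoBot("ss")
+/* "ss" is processed via the udc but at least one spider likes to
+** try to SQL inject via this argument, so let's catch that. */;
 
 /* Set number of rows to display */
 z = P("n");
 if( z!=0 ){
 haveParameterN = 1;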
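Review bot: The statement added at new lines 1703-1705 is closed only after the comment, so the `;` hangs off the end of the comment block and the call on 1703 reads as unterminated; put the comment above the call and terminate the statement on its own line: `/* "ss" is processed via the udc but at least one spider likes to` / `** try to SQL inject via this argument, so let's catch that. */` / `(void)P_NoBot("ss");`. The commit title names `PD_NoBot()` while the added line calls `P_NoBot()`; one of the two should be corrected so the log matches the code. The check also runs after `cgi_query_parameters_to_url(&url)` on line 1701 has already copied every query parameter, `ss` included, into `url`, which is only harmless if `P_NoBot()` aborts the request outright rather than merely marking the client as a bot — worth confirming against its definition. The enclosing function starts before and ends after this hunk, and the same hunk is rendered again in the two sections below.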
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -1698,10 +1698,13 @@ | |
| 1698 | int haveParameterN; /* True if n= query parameter present */ |
| 1699 | |
| 1700 | url_initialize(&url, "timeline"); |
| 1701 | cgi_query_parameters_to_url(&url); |
| 1702 | |
| 1703 | |
| 1704 | /* Set number of rows to display */ |
| 1705 | z = P("n"); |
| 1706 | if( z!=0 ){ |
| 1707 | haveParameterN = 1; |
| 1708 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -1698,10 +1698,13 @@ | |
| 1698 | int haveParameterN; /* True if n= query parameter present */ |
| 1699 | |
| 1700 | url_initialize(&url, "timeline"); |
| 1701 | cgi_query_parameters_to_url(&url); |
| 1702 | |
| 1703 | (void)P_NoBot("ss") |
| 1704 | /* "ss" is processed via the udc but at least one spider likes to |
| 1705 | ** try to SQL inject via this argument, so let's catch that. */; |
| 1706 | |
| 1707 | /* Set number of rows to display */ |
| 1708 | z = P("n"); |
| 1709 | if( z!=0 ){ |
| 1710 | haveParameterN = 1; |
| 1711 |