From 194b02208b5e1548ce31fdedd7185b0a7773beea Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Wed, 4 May 2005 23:09:51 +0000 Subject: [PATCH] r74: Updated input sanitization for: - showreport.php - register.php - newreport.php - search.php --- newreport.php | 56 +++++++++++++++++++++----------------------------- register.php | 32 ++++++++++++++--------------- search.php | 48 +++++++++++++++++++++---------------------- showreport.php | 8 +++----- 4 files changed, 65 insertions(+), 79 deletions(-) diff --git a/newreport.php b/newreport.php index 4b7fca8..977c100 100755 --- a/newreport.php +++ b/newreport.php @@ -34,72 +34,61 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'insert') { - sanitize(array( - 'pcv_select' => STR, - 'summary' => STR_NOHTML, - 'severity' => INT, - 'priority' => INT, - 'status' => INT, - 'resolution' => INT, - 'assignedto' => INT, - 'comment' => STR) - ); - // ------------------------------------------------------------------- // check permissions on various input values if (!can_perform('canchangestatus')) { - $vars['priority'] = $bugsys->options['defaultpriority']; - $vars['status'] = $bugsys->options['defaultstatus']; - $vars['resolution'] = $bugsys->options['defaultresolve']; + $bugsys->in['priority'] = $bugsys->options['defaultpriority']; + $bugsys->in['status'] = $bugsys->options['defaultstatus']; + $bugsys->['resolution'] = $bugsys->options['defaultresolve']; } else { - if (!$bugsys->datastore['priority']["$vars[priority]"]) + if (!$bugsys->datastore['priority'][ $bugsys->in['priority'] ]) { - $vars['priority'] = $bugsys->options['defaultpriority']; + $bugsys->in['priority'] = $bugsys->options['defaultpriority']; } - if (!$bugsys->datastore['status']["$vars[status]"]) + if (!$bugsys->datastore['status'][ $bugsys->in['status'] ]) { - $vars['status'] = $bugsys->options['defaultstatus']; + $bugsys->in['status'] = $bugsys->options['defaultstatus']; } - if (!$bugsys->datastore['resolution']["$vars[resolution]"]) + if (!$bugsys->datastore['resolution'][ $bugsys->in['resolution'] ]) { - $vars['resolution'] = $bugsys->options['defaultresolve']; + $bugsys->in['resolution'] = $bugsys->options['defaultresolve']; } } if (!can_perform('canassign')) { - $vars['assignedto'] = $bugsys->options['defaultassign']; + $bugsys->in['assignedto'] = $bugsys->options['defaultassign']; } else { // assigned person is not a dev or a valid user - if (!$bugsys->datastore['assignto']["$vars[assignedto]"]['userid']) + if (!$bugsys->datastore['assignto'][ $bugsys->in['assignedto'] ]['userid']) { - $vars['assignedto'] = $bugsys->options['defaultassign']; + $bugsys->in['assignedto'] = $bugsys->options['defaultassign']; } } // ------------------------------------------------------------------- // product/component/version stuff - $vars['pcv'] = parse_pcv_select($vars['pcv_select'], true); + $pcv = parse_pcv_select($bugsys->in['pcv_select'], true); print_r($vars); // ------------------------------------------------------------------- // sanity checks - if (!$vars['pcv']) + if (!$bugsys->in['pcv']) { echo 'there was a problem selecting the product, component, or version'; exit; } - if (!$vars['summary']) + if (!$bugsys->in['summary']) { echo 'please enter a bug title'; exit; } - if (!$vars['comment']) + if (!$bugsys->in['comment']) { echo 'please enter a bug description'; exit; @@ -107,11 +96,11 @@ if ($_POST['do'] == 'insert') // ------------------------------------------------------------------- // data clean and insert - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $bugsys->in['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } // create the bug report @@ -119,8 +108,9 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "bug (userid, productid, componentid, versionid, summary, severity, priority, status, assignedto, resolution) VALUES - (" . $bugsys->userinfo['userid'] . ", " . $vars['pcv']['product'] . ", " . $vars['pcv']['component'] . ", " . $vars['pcv']['version'] . ", - '" . addslasheslike($vars['summary']) . "', $vars[severity], $vars[priority], $vars[status], $vars[assignedto], $vars[resolution] + (" . $bugsys->userinfo['userid'] . ", " . $pcv['product'] . ", " . $pcv['component'] . ", " . $pcv['version'] . ", + '" . $bugsys->in['summary'] . "', " . intval($bugsys->in['severity']) . ", " . intval($bugsys->in['priority']) . ", + " . intval($bugsys->in['status']) . ", " . intval($bugsys->in['assignedto']) . ", " . intval($bugsys->in['resolution']) . " )" ); @@ -134,8 +124,8 @@ if ($_POST['do'] == 'insert') (bugid, userid, dateline, comment, comment_parsed) VALUES ($bugid, " . $bugsys->userinfo['userid'] . ", - $time, '" . addslasheslike($vars['comment']) . "', - '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + $time, '" . $bugsys->in['comment'] . "', + '" . nl2br($bugsys->in['comment_parsed']) . "' )" ); diff --git a/register.php b/register.php index 411c88f..863cdc2 100755 --- a/register.php +++ b/register.php @@ -49,27 +49,27 @@ if ($_POST['do'] == 'insert') { sanitize(array('email' => STR_NOHTML, 'confirmemail' => STR_NOHTML, 'displayname' => STR_NOHTML, 'password' => STR, 'confirmpassword' => STR, 'showemail' => INT, 'languageid' => INT)); - if ($vars['email'] != $vars['confirmemail']) + if ($bugsys->in['email'] != $bugsys->in['confirmemail']) { $errors[] = 'The emails you entered do not match.'; } - if (!$vars['email']) + if (!$bugsys->in['email']) { $errors[] = 'The password you specified was blank.'; } - if ($vars['password'] != $vars['confirmpassword']) + if ($bugsys->in['password'] != $bugsys->in['confirmpassword']) { $errors[] = 'The passwords you entered did not match.'; } - if (!$vars['password']) + if (!$bugsys->in['password']) { $errors[] = 'The password you specified was blank.'; } - if (is_array($db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email = '" . addslasheslike($vars['email']) . "'"))) + if (is_array($db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email = '" . $bugsys->in['email'] . "'"))) { $errors[] = 'The specified email is already in use.'; } @@ -102,13 +102,13 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "user (email, displayname, password, salt, authkey, showemail, languageid, usergroupid) VALUES - ('" . addslasheslike($vars['email']) . "', - '" . addslasheslike($vars['displayname']) . "', - '" . md5(md5($vars['password']) . md5($salt)) . "', + ('" . $bugsys->in['email'] . "', + '" . $bugsys->in['displayname'] . "', + '" . md5(md5($bugsys->in['password']) . md5($salt)) . "', '$salt', '" . fetch_random_chars() . "', - $vars[showemail], - $vars[languageid], + " . intval($bugsys->in['showemail']) . ", + " . intval($bugsys->in['languageid']) . ", $usergroupid )" ); @@ -122,7 +122,7 @@ if ($_POST['do'] == 'insert') $db->query("INSERT INTO " . TABLE_PREFIX . "useractivation (userid, activator, dateline, usergroupid) VALUES ($userid, '$activationid', " . NOW . ", 2)"); - mymail(addslasheslike($vars['email']), 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . addslasheslike($vars['displayname']) . " you need to activate your account: http://devbox/bugtraq/register.php?do=activate&userid=" . $userid . "&activator=" . $activationid); + mymail($bugsys->in['email'], 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . $bugsys->in['displayname'] . " you need to activate your account: http://devbox/bugtraq/register.php?do=activate&userid=" . $userid . "&activator=" . $activationid); echo 'You now need to activate your account via email.'; } @@ -130,7 +130,7 @@ if ($_POST['do'] == 'insert') { if ($bugsys->options['sendwelcomemail']) { - mymail(addslasheslike($vars['email']), 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . addslasheslike($vars['displayname']) . " and welcome to the " . $bugsys->options['trackertitle'] . " bug tracker! Thanks for registering."); + mymail($bugsys->in['email'], 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . $bugsys->in['displayname'] . " and welcome to the " . $bugsys->options['trackertitle'] . " bug tracker! Thanks for registering."); } if ($usergroupid == 4) @@ -148,12 +148,10 @@ if ($_POST['do'] == 'insert') if ($_REQUEST['do'] == 'activate') { - sanitize(array('userid' => INT, 'activator' => STR)); - - if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = $vars[userid] AND activator = '" . addslasheslike($vars['activator']) . "'")) + if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . intval($bugsys->in['userid']) . " AND activator = '" . $bugsys->in['activator'] . "'")) { - $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = $useractivation[usergroupid] WHERE userid = $vars[userid]"); - $db->query("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = $vars[userid]"); + $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = $useractivation[usergroupid] WHERE userid = " . intval($bugsys->in['userid'])); + $db->query("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . intval($bugsys->in['userid'])); echo 'your account is now activated and you can now login'; } else diff --git a/search.php b/search.php index f0f7da3..2763454 100644 --- a/search.php +++ b/search.php @@ -24,7 +24,7 @@ if (!can_perform('cansearch')) exit; } -define('MODE', intval($_POST['mode'])); +define('MODE', intval($bugsys->in['mode'])); define('MODE_ANY', ((MODE == 1) ? 1 : 0)); define('MODE_ALL', ((MODE == 2) ? 1 : 0)); define('MODE_RAW', ((MODE == 3) ? 1 : 0)); @@ -58,13 +58,13 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // parse out our product/component/version - $vars['pcv'] = parse_pcv_select($vars['pcv_select']); + $pcv = parse_pcv_select($bugsys->in['pcv_select']); // ------------------------------------------------------------------- // handle keywords - if ($vars['summary']) + if ($bugsys->in['summary']) { - $keywords = preg_split('#\s+#', $vars['summary']); + $keywords = preg_split('#\s+#', $bugsys->in['summary']); // #*# need to have some str to bool conversions @@ -106,11 +106,11 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // reporter - if ($vars['reporter']) + if ($bugsys->in['reporter']) { // force email or name?? make a distinction? // more elegant way to do this? probably - $user = $db->query_first("SELECT * FROM user WHERE email = '$vars[reporter]' OR MATCH (displayname) AGAINST ('$vars[reporter]')"); + $user = $db->query_first("SELECT * FROM user WHERE email = '" . $bugsys->in['reporter'] . "' OR MATCH (displayname) AGAINST ('" . $bugsys->in['reporter'] . "')"); if ($user['userid']) { $querybuild['reporter'] = "AND bug.userid = $user[userid] OR comment.userid = $user[userid]"; @@ -119,50 +119,50 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // product/component/version stuff - if (is_array($vars['pcv'])) + if (is_array($bugsys->in['pcv'])) { - $querybuild['pcv'] = "AND bug.productid = {$vars['pcv']['product']} AND bug.componentid = {$vars['pcv']['component']} AND bug.versionid = {$vars['pcv']['version']}"; + $querybuild['pcv'] = "AND bug.productid = $pcv['product'] AND bug.componentid = $pcv['component'] AND bug.versionid = $pcv['version']"; } // ------------------------------------------------------------------- // severity, priority, status, resolution, assignedto // severity - if ($vars['severity']) + if ($bugsys->in['severity']) { - $querybuild['severity'] = "AND bug.severity = $vars[severity]"; + $querybuild['severity'] = "AND bug.severity = " . intval($bugsys->in['severity']); } // priority - if ($vars['priority']) + if ($bugsys->in['priority']) { - $querybuild['priority'] = "AND bug.priority = $vars[priority]"; + $querybuild['priority'] = "AND bug.priority = " . intval($bugsys->in['priority']); } // status - if ($vars['status']) + if ($bugsys->in['status']) { - $querybuild['status'] = "AND bug.status = $vars[status]"; + $querybuild['status'] = "AND bug.status = " . intval($bugsys->in['status']); } // resolution - if ($vars['resolution']) + if ($bugsys->in['resolution']) { - $querybuild['resolution'] = "AND bug.resolution = $vars[resolution]"; + $querybuild['resolution'] = "AND bug.resolution = " . intval($bugsys->in['resolution']); } // assignment - if ($vars['assignedto']) + if ($bugsys->in['assignedto']) { - $querybuild['assignedto'] = "AND bug.assignedto = $vars[assignedto]"; + $querybuild['assignedto'] = "AND bug.assignedto = " . intval($bugsys->in['assignedto']); } // ------------------------------------------------------------------- // date - if ($vars['date']) + if ($bugsys->in['date']) { // now - (seconds/day * number of days) - $dateline = time() - ($vars['date'] * 3600); + $dateline = time() - (intval($bugsys->in['date']) * 3600); $querybuild['date'] = "AND bug.dateline >= $dateline"; } @@ -170,12 +170,12 @@ if ($_REQUEST['do'] == 'results') // sort by $sortby = array('bugid', 'severity', 'priority', 'status', 'resolution', 'dateline'); $orderby = array('ASC', 'DESC'); - $vars['orderby'] = strtoupper($vars['orderby']); - if (in_array($vars['sortby'], $sortby) AND in_array($vars['orderby'], $orderby)) + $bugsys->in['orderby'] = strtoupper($bugsys->in['orderby']); + if (in_array($bugsys->in['sortby'], $sortby) AND in_array($bugsys->in['orderby'], $orderby)) { - $sortclause = "ORDER BY $vars[sortby] $vars[orderby]"; + $sortclause = "ORDER BY " . $bugsys->in['sortby'] . ' ' . $bugsys->in['orderby']; } - else if ($vars['sortby'] == 'relevance') + else if ($bugsys->in['sortby'] == 'relevance') { $sortclause = ''; } diff --git a/showreport.php b/showreport.php index 38d9904..28db721 100644 --- a/showreport.php +++ b/showreport.php @@ -27,14 +27,12 @@ if (!can_perform('canviewbugs')) // ------------------------------------------------------------------- // get the report -sanitize(array('bugid' => INT, 'hilight' => STR)); - $bug = $db->query_first(" SELECT bug.*, user.displayname, user.email, user.showemail FROM " . TABLE_PREFIX . "bug AS bug LEFT JOIN " . TABLE_PREFIX . "user AS user ON (bug.userid = user.userid) - WHERE bug.bugid = $vars[bugid]" + WHERE bug.bugid = " . intval($bugsys->in['bugid']) ); if (!is_array($bug)) @@ -68,7 +66,7 @@ else // ------------------------------------------------------------------- // hilight -$words = explode(' ', $vars['hilight']); +$words = explode(' ', $bugsys->in['hilight']); foreach ($words AS $word) { if (trim($word)) @@ -87,7 +85,7 @@ $comments_fetch = $db->query(" FROM " . TABLE_PREFIX . "comment AS comment LEFT JOIN " . TABLE_PREFIX . "user AS user ON (comment.userid = user.userid) - WHERE comment.bugid = $vars[bugid] + WHERE comment.bugid = $bug[bugid] ORDER BY comment.dateline ASC" ); while ($comment = $db->fetch_array($comments_fetch)) -- 2.43.5