From 3bf0519874ff3e358c0da9fb057ca69d0dde42e1 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Wed, 4 May 2005 22:28:33 +0000 Subject: [PATCH] r73: Updated input sanitization for: - newcomment.php - editreport.php - admin/usergroup.php - admin/status.php - docs/phrasetools.php - editcomment.php - login.php --- admin/status.php | 16 +++++----------- admin/usergroup.php | 44 +++++++++++++++++--------------------------- docs/phrasetools.php | 8 +++++++- editcomment.php | 18 +++++++----------- editreport.php | 34 ++++++++++++---------------------- login.php | 13 ++++++------- newcomment.php | 18 +++++++----------- 7 files changed, 61 insertions(+), 90 deletions(-) diff --git a/admin/status.php b/admin/status.php index c7f6cf2..99bb5ad 100755 --- a/admin/status.php +++ b/admin/status.php @@ -29,8 +29,7 @@ if (empty($_REQUEST['do'])) if ($_REQUEST['do'] == 'kill') { - sanitize(array('statusid' => INT)); - $db->query("DELETE FROM " . TABLE_PREFIX . "status WHERE statusid = $vars[statusid]"); + $db->query("DELETE FROM " . TABLE_PREFIX . "status WHERE statusid = " . intval($bugsys->in['statusid'])); build_statuses(); $admin->redirect('status.php?do=modify'); } @@ -39,16 +38,14 @@ if ($_REQUEST['do'] == 'kill') if ($_REQUEST['do'] == 'delete') { - sanitize(array('statusid' => INT)); - $admin->page_confirm(phrase('confirm_delete_status'), 'status.php?do=kill&statusid=' . $vars['statusid']); + $admin->page_confirm(phrase('confirm_delete_status'), 'status.php?do=kill&statusid=' . intval($bugsys->in['statusid'])); } // ################################################################### if ($_POST['do'] == 'insert') { - sanitize(array('status' => STR, 'displayorder' => INT)); - $db->query("INSERT INTO " . TABLE_PREFIX . "status (status, displayorder) VALUES ('" . addslasheslike($vars['status']) . "', $vars[displayorder])"); + $db->query("INSERT INTO " . TABLE_PREFIX . "status (status, displayorder) VALUES ('" . $bugsys->in['status'] . "', " . intval($bugsys->in['displayorder']) . ")"); build_statuses(); $admin->redirect('status.php?do=modify'); } @@ -75,8 +72,7 @@ if ($_REQUEST['do'] == 'add') if ($_POST['do'] == 'update') { - sanitize(array('statusid' => INT, 'status' => STR, 'displayorder' => INT)); - $db->query("UPDATE " . TABLE_PREFIX . "status SET status = '" . addslasheslike($vars['status']) . "', displayorder = $vars[displayorder] WHERE statusid = $vars[statusid]"); + $db->query("UPDATE " . TABLE_PREFIX . "status SET status = '" . $bugsys->in['status'] . "', displayorder = " . intval($bugsys->in['displayorder']) . " WHERE statusid = " . intval($bugsys->in['statusid'])); build_statuses(); $admin->redirect('status.php?do=modify'); } @@ -85,9 +81,7 @@ if ($_POST['do'] == 'update') if ($_REQUEST['do'] == 'edit') { - sanitize(array('statusid' => INT)); - - $status = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "status WHERE statusid = $vars[statusid]"); + $status = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "status WHERE statusid = " . intval($bugsys->in['statusid'])); if (!is_array($status)) { $admin->error('-1'); diff --git a/admin/usergroup.php b/admin/usergroup.php index 6814661..4dd177a 100755 --- a/admin/usergroup.php +++ b/admin/usergroup.php @@ -29,15 +29,13 @@ if (empty($_REQUEST['do'])) if ($_REQUEST['do'] == 'kill') { - sanitize(array('usergroupid' => INT)); - - if ($vars['usergroupid'] < 7) + if ($bugsys->in['usergroupid'] < 7) { $admin->error(phrase('cant_delete_default_usergroup')); } - $db->query("DELETE FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = $vars[usergroupid]"); - $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = 2 WHERE usergroupid = $vars[usergroupid]"); + $db->query("DELETE FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); + $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = 2 WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); build_usergroups(); build_assignedto(); @@ -49,14 +47,12 @@ if ($_REQUEST['do'] == 'kill') if ($_REQUEST['do'] == 'delete') { - sanitize(array('usergroupid' => INT)); - - if ($vars['usergroupid'] < 7) + if ($bugsys->in['usergroupid'] < 7) { $admin->error(phrase('cant_delete_default_usergroup')); } - $admin->page_confirm(phrase('confirm_delete_usergroup'), 'usergroup.php?do=kill&usergroupid=' . $vars['usergroupid']); + $admin->page_confirm(phrase('confirm_delete_usergroup'), 'usergroup.php?do=kill&usergroupid=' . intval($bugsys->in['usergroupid'])); } // ################################################################### @@ -66,15 +62,13 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') $add = (($_REQUEST['do'] == 'add') ? true : false); $edit = (($_REQUEST['do'] == 'edit') ? true : false); - sanitize(array('usergroupid' => INT)); - $admin->page_start((($add, phrase('new_usergroup') ? phrase('edit_usergroup') : '')); $admin->form_start('usergroup.php', (($add) ? 'insert' : 'update')); if ($edit) { - $usergroup = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = $vars[usergroupid]"); + $usergroup = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); if (!is_array($usergroup)) { $admin->error('-1'); @@ -90,10 +84,10 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') // Details $admin->table_start(); $admin->table_head(phrase('usergroup_details')); - $admin->row_input(phrase('usergroup_title'), 'title', htmlspecialcharslike($usergroup['title'])); - $admin->row_input(phrase('usergroup_display_title'), 'displaytitle', htmlspecialcharslike($usergroup['displaytitle'])); - $admin->row_input(phrase('usergroup_open_markup'), 'opentag', htmlspecialcharslike($usergroup['opentag'])); - $admin->row_input(phrase('usergroup_close_markup'), 'closetag', htmlspecialcharslike($usergroup['closetag'])); + $admin->row_input(phrase('usergroup_title'), 'title', $bugsys->sanitize($usergroup['title'])); + $admin->row_input(phrase('usergroup_display_title'), 'displaytitle', $bugsys->sanitize($usergroup['displaytitle'])); + $admin->row_input(phrase('usergroup_open_markup'), 'opentag', $bugsys->sanitize($usergroup['opentag'])); + $admin->row_input(phrase('usergroup_close_markup'), 'closetag', $bugsys->sanitize($usergroup['closetag'])); $admin->table_end(); // Permission @@ -154,8 +148,6 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') if ($_POST['do'] == 'insert') { - sanitize(array('title' => STR, 'displaytitle' => STR, 'opentag' => STR, 'closetag' => STR)); - foreach ($_POST['perm'] AS $permtitle => $binaryswitch) { $permissionvalue += $_PERMISSION["$permtitle"] * $binaryswitch; @@ -165,10 +157,8 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "usergroup (title, displaytitle, opentag, closetag, permissions) VALUES - ('" . addslasheslike($vars['title']) . "', - '" . addslasheslike($vars['displaytitle']) . "', - '" . addslasheslike($vars['opentag']) . "', - '" . addslasheslike($vars['closetag']) . "', + ('" . $bugsys->in['title'] . "', '" . $bugsys->in['displaytitle'] . "', + '" . $bugsys->in['opentag'] . "', '" . $bugsys->in['closetag'] . "', $permissionvalue )" ); @@ -191,12 +181,12 @@ if ($_POST['do'] == 'update') $db->query(" UPDATE " . TABLE_PREFIX . "usergroup - SET title = '" . addslasheslike($vars['title']) . "', - displaytitle = '" . addslasheslike($vars['displaytitle']) . "', - opentag = '" . addslasheslike(unhtmlspecialchars($vars['opentag'])) . "', - closetag = '" . addslasheslike(unhtmlspecialchars($vars['closetag'])) . "', + SET title = '" . $bugsys->in['title'] . "', + displaytitle = '" . $bugsys->in['displaytitle'] . "', + opentag = '" . $bugsys->unsanitize($bugsys->in['opentag']) . "', + closetag = '" . $bugsys->unsanitize($bugsys->in['closetag']) . "', permissions = $permissionvalue - WHERE usergroupid = $vars[usergroupid]" + WHERE usergroupid = " . intval($bugsys->in['usergroupid']) ); build_usergroups(); diff --git a/docs/phrasetools.php b/docs/phrasetools.php index 3793c61..ac00cd6 100644 --- a/docs/phrasetools.php +++ b/docs/phrasetools.php @@ -20,7 +20,13 @@ require_once('./global.php'); define('SELECTED', ' selected="selected"'); define('CHECKED', ' checked="checked"'); -sanitize(array('varname' => STR, 'phrasetext' => STR, 'matchmethod' => STR, 'do' => STR, 'doneinsert' => INT, 'oldvarname' => STR)); + +$vars['varname'] = $bugsys->in['varname']; +$vars['phrasetext'] = $bugsys->in['phrasetext']; +$vars['matchmethod'] = $bugsys->in['matchmethod']; +$vars['do'] = $bugsys->in['do']; +$vars['doneinsert'] = intval($bugsys->in['doneinsert']); +$vars['oldvarname'] = $bugsys->in['oldvarname']; $use['varname'] = (bool)$_REQUEST['use']['varname']; $use['phrasetext'] = (bool)$_REQUEST['use']['phrasetext']; $use['and'] = (($vars['matchmethod'] == 'and') ? true : false); diff --git a/editcomment.php b/editcomment.php index f15f697..f06c9fb 100644 --- a/editcomment.php +++ b/editcomment.php @@ -16,14 +16,12 @@ $fetchtemplates = array( require_once('./global.php'); -sanitize(array('commentid' => INT)); - $comment = $db->query_first(" SELECT comment.*, user.email, user.showemail, user.displayname FROM " . TABLE_PREFIX . "comment AS comment LEFT JOIN " . TABLE_PREFIX . "user AS user ON (comment.userid = user.userid) - WHERE comment.commentid = $vars[commentid]" + WHERE comment.commentid = " . intval($bugsys->in['commentid']) ); if (!$comment) @@ -66,25 +64,23 @@ if ($_REQUEST['do'] == 'delete') if ($_POST['do'] == 'update') { - sanitize(array('comment' => STR)); - - if (!$vars['comment']) + if (!$bugsys->in['comment']) { echo 'you need to enter some text'; exit; } - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $vars['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } $db->query(" UPDATE " . TABLE_PREFIX . "comment - SET comment = '" . addslasheslike($vars['comment']) . "', - comment_parsed = '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + SET comment = '" . $bugsys->in['comment'] . "', + comment_parsed = '" . nl2br($bugsys->in['comment_parsed']) . "' WHERE commentid = $vars[commentid]" ); @@ -97,7 +93,7 @@ if ($_REQUEST['do'] == 'edit') { $comment['posttime'] = datelike('standard', $comment['dateline']); $comment['postby'] = construct_user_display($comment); - $comment['comment'] = htmlspecialcharslike($comment['comment']); + $comment['comment'] = $bugsys->sanitize($comment['comment']); eval('$template->flush("' . $template->fetch('editcomment') . '");'); } diff --git a/editreport.php b/editreport.php index 2782d12..1c2f5ec 100644 --- a/editreport.php +++ b/editreport.php @@ -17,14 +17,12 @@ $fetchtemplates = array( require_once('./global.php'); -sanitize(array('bugid' => INT)); - $bug = $db->query_first(" SELECT bug.*, user.email, user.displayname, user.showemail FROM " . TABLE_PREFIX . "bug AS bug LEFT JOIN " . TABLE_PREFIX . "user AS user ON (bug.userid = user.userid) - WHERE bug.bugid = $vars[bugid]" + WHERE bug.bugid = " . intval($bugsys->in['bugid']) ); if (!$bug) @@ -65,23 +63,14 @@ if ($_REQUEST['do'] == 'delete') if ($_POST['do'] == 'update') { - sanitize(array( - 'summary' => STR_NOHTML, - 'priority' => INT, - 'status' => INT, - 'resolution' => INT, - 'assignedto' => INT, - 'pcv_select' => STR) - ); - - $vars['pcv'] = parse_pcv_select($vars['pcv_select'], true); + $pcv = parse_pcv_select($bugsys->in['pcv_select'], true); - if (!$vars['summary']) + if (!$bugsys->in['summary']) { echo 'you need to enter a summary'; exit; } - if (!$vars['pcv']) + if (!$bugsys->in['pcv']) { echo 'invalid product/component/version'; exit; @@ -89,13 +78,14 @@ if ($_POST['do'] == 'update') $db->query(" UPDATE " . TABLE_PREFIX . "bug - SET summary = '" . addslasheslike($vars['summary']) . "', - priority = $vars[priority], status = $vars[status], - resolution = $vars[resolution], - assignedto = $vars[assignedto], - productid = " . $vars['pcv']['product'] . ", - componentid = " . $vars['pcv']['component'] . ", - versionid = " . $vars['pcv']['version'] . " + SET summary = '" . $bugsys->in['summary'] . "', + priority = " . intval($bugsys->in['priority']) . ", + status = " . intval($bugsys->in['status']) . ", + resolution = " . intval($bugsys->in['resolution']) . ", + assignedto = " . intval($bugsys->in['assignedto']) . ", + productid = " . $pcv['product'] . ", + componentid = " . $pcv['component'] . ", + versionid = " . $pcv['version'] . " WHERE bugid = $bug[bugid]" ); diff --git a/login.php b/login.php index a618faa..34b9d19 100755 --- a/login.php +++ b/login.php @@ -35,11 +35,10 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'login' OR $_POST['do'] == 'cplogin') { - sanitize(array('email' => STR_NOHTML, 'password' => STR, 'rememberme' => INT)); - + $rememberme = intval($bugsys->in['rememberme']); if ($_POST['cplogin']) { - $vars['rememberme'] = 0; + $rememberme = 0; } if ($_SERVER['HTTP_REFERER'] AND !$_POST['goindex']) @@ -51,11 +50,11 @@ if ($_POST['do'] == 'login' OR $_POST['do'] == 'cplogin') $url = 'index.php'; } - $userinfo = $db->query_first("SELECT * FROM user WHERE email = '" . addslasheslike($vars['email']) . "'"); - if (md5(md5($vars['password']) . md5($userinfo['salt'])) == $userinfo['password']) + $userinfo = $db->query_first("SELECT * FROM user WHERE email = '" . $bugsys->in['email'] . "'"); + if (md5(md5($bugsys->in['password']) . md5($userinfo['salt'])) == $userinfo['password']) { - mysetcookie(COOKIE_PREFIX . 'userid', $userinfo['userid'], $vars['rememberme']); - mysetcookie(COOKIE_PREFIX . 'authkey', $userinfo['authkey'], $vars['rememberme']); + mysetcookie(COOKIE_PREFIX . 'userid', $userinfo['userid'], $rememberme); + mysetcookie(COOKIE_PREFIX . 'authkey', $userinfo['authkey'], $rememberme); } else { diff --git a/newcomment.php b/newcomment.php index 1ad78f7..9f3e4ea 100644 --- a/newcomment.php +++ b/newcomment.php @@ -33,13 +33,11 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'insert') { - sanitize(array('bugid' => INT, 'comment' => STR)); - - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $vars['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } $time = time(); @@ -49,23 +47,21 @@ if ($_POST['do'] == 'insert') (bugid, userid, dateline, comment, comment_parsed) VALUES ($vars[bugid], " . $bugsys->userinfo['userid'] . ", - $time, '" . addslasheslike($vars['comment']) . "', - '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + $time, '" . $bugsys->in['comment'] . "', + '" . nl2br($bugsys->in['comment_parsed']) . "' )" ); - $db->query("UPDATE " . TABLE_PREFIX . "bug SET lastposttime = $time, lastpostby = " . $bugsys->userinfo['userid'] . " WHERE bugid = $vars[bugid]"); + $db->query("UPDATE " . TABLE_PREFIX . "bug SET lastposttime = $time, lastpostby = " . $bugsys->userinfo['userid'] . " WHERE bugid = " . intval($bugsys->in['bugid'])); - echo "comment inserted"; + echo "in['bugid']) . "\">comment inserted"; } // ################################################################### if ($_REQUEST['do'] == 'add') { - sanitize(array('bugid' => INT)); - - $bug = $db->query_first("SELECT bug.*, comment.comment FROM " . TABLE_PREFIX . "bug LEFT JOIN " . TABLE_PREFIX . "comment AS comment ON (bug.bugid = comment.bugid) WHERE bug.bugid = $vars[bugid]"); + $bug = $db->query_first("SELECT bug.*, comment.comment FROM " . TABLE_PREFIX . "bug LEFT JOIN " . TABLE_PREFIX . "comment AS comment ON (bug.bugid = comment.bugid) WHERE bug.bugid = " . intval($bugsys->in['bugid'])); if (!$bug) { echo 'alert: bad bug'; -- 2.43.5