From 194b02208b5e1548ce31fdedd7185b0a7773beea Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Wed, 4 May 2005 23:09:51 +0000 Subject: [PATCH] r74: Updated input sanitization for: - showreport.php - register.php - newreport.php - search.php
---
newreport.php | 56 +++++++++++++++++++++----------------------------- register.php | 32 ++++++++++++++--------------- search.php | 48 +++++++++++++++++++++---------------------- showreport.php | 8 +++----- 4 files changed, 65 insertions(+), 79 deletions(-)
diff --git a/newreport.php b/newreport.php
index 4b7fca8..977c100 100755
--- a/newreport.php
+++ b/newreport.php
@@ -34,72 +34,61 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'insert') { - sanitize(array( - 'pcv_select' => STR, - 'summary' => STR_NOHTML, - 'severity' => INT, - 'priority' => INT, - 'status' => INT, - 'resolution' => INT, - 'assignedto' => INT, - 'comment' => STR) - ); - // ------------------------------------------------------------------- // check permissions on various input values if (!can_perform('canchangestatus')) { - $vars['priority'] = $bugsys->options['defaultpriority']; - $vars['status'] = $bugsys->options['defaultstatus']; - $vars['resolution'] = $bugsys->options['defaultresolve']; + $bugsys->in['priority'] = $bugsys->options['defaultpriority']; + $bugsys->in['status'] = $bugsys->options['defaultstatus']; + $bugsys->['resolution'] = $bugsys->options['defaultresolve']; } else { - if (!$bugsys->datastore['priority']["$vars[priority]"]) + if (!$bugsys->datastore['priority'][ $bugsys->in['priority'] ]) { - $vars['priority'] = $bugsys->options['defaultpriority']; + $bugsys->in['priority'] = $bugsys->options['defaultpriority']; } - if (!$bugsys->datastore['status']["$vars[status]"]) + if (!$bugsys->datastore['status'][ $bugsys->in['status'] ]) { - $vars['status'] = $bugsys->options['defaultstatus']; + $bugsys->in['status'] = $bugsys->options['defaultstatus']; } - if (!$bugsys->datastore['resolution']["$vars[resolution]"]) + if (!$bugsys->datastore['resolution'][ $bugsys->in['resolution'] ]) { - $vars['resolution'] = $bugsys->options['defaultresolve']; + $bugsys->in['resolution'] = $bugsys->options['defaultresolve']; } } if (!can_perform('canassign')) { - $vars['assignedto'] = $bugsys->options['defaultassign']; + $bugsys->in['assignedto'] = $bugsys->options['defaultassign']; } else { // assigned person is not a dev or a valid user - if (!$bugsys->datastore['assignto']["$vars[assignedto]"]['userid']) + if (!$bugsys->datastore['assignto'][ $bugsys->in['assignedto'] ]['userid']) { - $vars['assignedto'] = $bugsys->options['defaultassign']; + 
$bugsys->in['assignedto'] = $bugsys->options['defaultassign']; } } // ------------------------------------------------------------------- // product/component/version stuff - $vars['pcv'] = parse_pcv_select($vars['pcv_select'], true); + $pcv = parse_pcv_select($bugsys->in['pcv_select'], true); print_r($vars); // ------------------------------------------------------------------- // sanity checks - if (!$vars['pcv']) + if (!$bugsys->in['pcv']) { echo 'there was a problem selecting the product, component, or version'; exit; } - if (!$vars['summary']) + if (!$bugsys->in['summary']) { echo 'please enter a bug title'; exit; } - if (!$vars['comment']) + if (!$bugsys->in['comment']) { echo 'please enter a bug description'; exit;
@@ -107,11 +96,11 @@ if ($_POST['do'] == 'insert') // ------------------------------------------------------------------- // data clean and insert - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $bugsys->in['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } // create the bug report
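Review bot: The new defaults branch contains `$bugsys->['resolution'] = $bugsys->options['defaultresolve'];`, which is not valid PHP (no property name after `->`), so the file will fail to parse; it should read `$bugsys->in['resolution'] = $bugsys->options['defaultresolve'];`. Further down, the product/component/version result is now stored in `$pcv`, but the sanity check still tests `$bugsys->in['pcv']`, a key nothing in the hunk sets — it should be `if (!$pcv)`, otherwise the report is either always rejected or, if `$bugsys->in` is filled from the request, the check can be satisfied by a client-supplied `pcv` while `$pcv` itself is false. The `print_r($vars);` debug line should also go: `$vars` is no longer assigned here, and dumping request data into the response is not something to ship. The enclosing `if ($_POST['do'] == 'insert')` block continues past the hunk.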
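Review bot: The display copy of the comment is neutralised only by `$bugsys->sanitize($bugsys->in['comment_parsed'])`, and the hunk does not show what that method does; it replaces `htmlspecialcharslike()`, so it must HTML-escape, and if it instead (or also) SQL-escapes, raw markup reaches the page whenever `allowhtml` is off. Suggest pinning the contract with a comment on that line, `// $bugsys->sanitize() must HTML-escape here (replaces htmlspecialcharslike); comment_parsed is rendered verbatim`, and noting in the same place that with `allowhtml` on the submitted HTML is stored and displayed unescaped by design. The enclosing insert handler continues past the hunk.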
@@ -119,8 +108,9 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "bug (userid, productid, componentid, versionid, summary, severity, priority, status, assignedto, resolution) VALUES - (" . $bugsys->userinfo['userid'] . ", " . $vars['pcv']['product'] . ", " . $vars['pcv']['component'] . ", " . $vars['pcv']['version'] . ", - '" . addslasheslike($vars['summary']) . "', $vars[severity], $vars[priority], $vars[status], $vars[assignedto], $vars[resolution] + (" . $bugsys->userinfo['userid'] . ", " . $pcv['product'] . ", " . $pcv['component'] . ", " . $pcv['version'] . ", + '" . $bugsys->in['summary'] . "', " . intval($bugsys->in['severity']) . ", " . intval($bugsys->in['priority']) . ", + " . intval($bugsys->in['status']) . ", " . intval($bugsys->in['assignedto']) . ", " . intval($bugsys->in['resolution']) . " )" );
@@ -134,8 +124,8 @@ if ($_POST['do'] == 'insert') (bugid, userid, dateline, comment, comment_parsed) VALUES ($bugid, " . $bugsys->userinfo['userid'] . ", - $time, '" . addslasheslike($vars['comment']) . "', - '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + $time, '" . $bugsys->in['comment'] . "', + '" . nl2br($bugsys->in['comment_parsed']) . "' )" );
diff --git a/register.php b/register.php
index 411c88f..863cdc2 100755
--- a/register.php
+++ b/register.php
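Review bot: `$pcv['product']`, `$pcv['component']` and `$pcv['version']` are spliced into the INSERT unquoted and without the `intval()` that the other id columns on the same statement now get; nothing in the hunk shows `parse_pcv_select()` returning integers, so wrap them too: `" . intval($pcv['product']) . ", " . intval($pcv['component']) . ", " . intval($pcv['version']) . ",`. `summary` goes into a quoted literal with the `addslasheslike()` call removed, which is correct only if strings in `$bugsys->in` are SQL-escaped centrally; a one-line comment stating that assumption next to the query would spare the next reader the search. The `$db->query(` call this VALUES clause belongs to opens before the hunk.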
@@ -49,27 +49,27 @@ if ($_POST['do'] == 'insert') { sanitize(array('email' => STR_NOHTML, 'confirmemail' => STR_NOHTML, 'displayname' => STR_NOHTML, 'password' => STR, 'confirmpassword' => STR, 'showemail' => INT, 'languageid' => INT)); - if ($vars['email'] != $vars['confirmemail']) + if ($bugsys->in['email'] != $bugsys->in['confirmemail']) { $errors[] = 'The emails you entered do not match.'; } - if (!$vars['email']) + if (!$bugsys->in['email']) { $errors[] = 'The password you specified was blank.'; } - if ($vars['password'] != $vars['confirmpassword']) + if ($bugsys->in['password'] != $bugsys->in['confirmpassword']) { $errors[] = 'The passwords you entered did not match.'; } - if (!$vars['password']) + if (!$bugsys->in['password']) { $errors[] = 'The password you specified was blank.'; } - if (is_array($db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email = '" . addslasheslike($vars['email']) . "'"))) + if (is_array($db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email = '" . $bugsys->in['email'] . "'"))) { $errors[] = 'The specified email is already in use.'; }
@@ -102,13 +102,13 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "user (email, displayname, password, salt, authkey, showemail, languageid, usergroupid) VALUES - ('" . addslasheslike($vars['email']) . "', - '" . addslasheslike($vars['displayname']) . "', - '" . md5(md5($vars['password']) . md5($salt)) . "', + ('" . $bugsys->in['email'] . "', + '" . $bugsys->in['displayname'] . "', + '" . md5(md5($bugsys->in['password']) . md5($salt)) . "', '$salt', '" . fetch_random_chars() . "', - $vars[showemail], - $vars[languageid], + " . intval($bugsys->in['showemail']) . ", + " . intval($bugsys->in['languageid']) . ", $usergroupid )" );
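Review bot: The `sanitize(array('email' => STR_NOHTML, ... 'languageid' => INT))` call at the top of the hunk is kept while every read below it switches from `$vars` to `$bugsys->in`, and the same commit deletes the equivalent calls in newreport.php and showreport.php; unless `sanitize()` now writes into `$bugsys->in`, the STR_NOHTML/INT typing declared here no longer applies to the values actually used, so either confirm that or drop the call for consistency. The blank-email check reports the wrong field and should read `$errors[] = 'The email you specified was blank.';`, and nothing checks that the value looks like an address before it is stored and mailed to. The duplicate-email lookup interpolates `$bugsys->in['email']` into a quoted literal with `addslasheslike()` removed, which is fine only if `$bugsys->in` is SQL-escaped centrally; a comment at the head of this block stating that assumption would help.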
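Review bot: `md5(md5($bugsys->in['password']) . md5($salt))` now hashes the value as it sits in `$bugsys->in`; if that array is SQL-escaped centrally (which is what dropping `addslasheslike()` on the neighbouring columns implies), a password containing `'` or `\` is hashed in its escaped form, and the login path must apply exactly the same transformation or those users cannot authenticate. Either hash the raw submitted password or document the requirement on this line, e.g. `// password is hashed post-sanitize; login must hash the same way`. The salted double-MD5 scheme itself is untouched by this commit but is not a suitable password hash; that is a separate issue from the sanitization rework.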
@@ -122,7 +122,7 @@ if ($_POST['do'] == 'insert') $db->query("INSERT INTO " . TABLE_PREFIX . "useractivation (userid, activator, dateline, usergroupid) VALUES ($userid, '$activationid', " . NOW . ", 2)"); - mymail(addslasheslike($vars['email']), 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . addslasheslike($vars['displayname']) . " you need to activate your account: http://devbox/bugtraq/register.php?do=activate&userid=" . $userid . "&activator=" . $activationid); + mymail($bugsys->in['email'], 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . $bugsys->in['displayname'] . " you need to activate your account: http://devbox/bugtraq/register.php?do=activate&userid=" . $userid . "&activator=" . $activationid); echo 'You now need to activate your account via email.'; }
@@ -130,7 +130,7 @@ if ($_POST['do'] == 'insert') { if ($bugsys->options['sendwelcomemail']) { - mymail(addslasheslike($vars['email']), 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . addslasheslike($vars['displayname']) . " and welcome to the " . $bugsys->options['trackertitle'] . " bug tracker! Thanks for registering."); + mymail($bugsys->in['email'], 'Welcome to ' . $bugsys->options['trackertitle'], "Hi " . $bugsys->in['displayname'] . " and welcome to the " . $bugsys->options['trackertitle'] . " bug tracker! Thanks for registering."); } if ($usergroupid == 4)
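Review bot: The activation link is hard-coded to `http://devbox/bugtraq/register.php?do=activate&...`, a development hostname, so the mail a user receives points at a box they cannot reach; build it from a configured tracker URL instead (the `$bugsys->options` array used on the same line looks like the natural home for one, though no such option is visible here). `mymail()` also receives `$bugsys->in['email']` without any visible format check; if `mymail()` passes it to `mail()` as the recipient, a CR/LF in the address is header injection, so reject addresses containing control characters in the validation block earlier in the file, e.g. `if (preg_match('/[\r\n]/', $bugsys->in['email'])) { $errors[] = 'Invalid email.'; }`. The surrounding `if`/`else` on the activation setting starts and ends outside the hunk.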
@@ -148,12 +148,10 @@ if ($_POST['do'] == 'insert') if ($_REQUEST['do'] == 'activate') { - sanitize(array('userid' => INT, 'activator' => STR)); - - if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = $vars[userid] AND activator = '" . addslasheslike($vars['activator']) . "'")) + if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . intval($bugsys->in['userid']) . " AND activator = '" . $bugsys->in['activator'] . "'")) { - $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = $useractivation[usergroupid] WHERE userid = $vars[userid]"); - $db->query("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = $vars[userid]"); + $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = $useractivation[usergroupid] WHERE userid = " . intval($bugsys->in['userid'])); + $db->query("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . intval($bugsys->in['userid'])); echo 'your account is now activated and you can now login'; } else
diff --git a/search.php b/search.php
index f0f7da3..2763454 100644
--- a/search.php
+++ b/search.php
@@ -24,7 +24,7 @@ if (!can_perform('cansearch')) exit; } -define('MODE', intval($_POST['mode'])); +define('MODE', intval($bugsys->in['mode'])); define('MODE_ANY', ((MODE == 1) ? 1 : 0)); define('MODE_ALL', ((MODE == 2) ? 1 : 0)); define('MODE_RAW', ((MODE == 3) ? 1 : 0));
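Review bot: `intval($bugsys->in['userid'])` is recomputed in all three queries of the activate branch; read it once, `$userid = intval($bugsys->in['userid']);`, and use `$userid` in the SELECT, UPDATE and DELETE so the three statements cannot drift apart. The activator is quoted into SQL as `'" . $bugsys->in['activator'] . "'` with no escaping call in sight, so this is only safe if whatever fills `$bugsys->in` already SQL-escapes strings; a one-line comment stating that assumption next to the query would make the dependency visible. The `else` branch that follows starts outside the hunk.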
@@ -58,13 +58,13 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // parse out our product/component/version - $vars['pcv'] = parse_pcv_select($vars['pcv_select']); + $pcv = parse_pcv_select($bugsys->in['pcv_select']); // ------------------------------------------------------------------- // handle keywords - if ($vars['summary']) + if ($bugsys->in['summary']) { - $keywords = preg_split('#\s+#', $vars['summary']); + $keywords = preg_split('#\s+#', $bugsys->in['summary']); // #*# need to have some str to bool conversions
@@ -106,11 +106,11 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // reporter - if ($vars['reporter']) + if ($bugsys->in['reporter']) { // force email or name?? make a distinction? // more elegant way to do this? probably - $user = $db->query_first("SELECT * FROM user WHERE email = '" . $bugsys->in['reporter'] . "' OR MATCH (displayname) AGAINST ('" . $bugsys->in['reporter'] . "')"); + $user = $db->query_first("SELECT * FROM user WHERE email = '" . $bugsys->in['reporter'] . "' OR MATCH (displayname) AGAINST ('" . $bugsys->in['reporter'] . "')"); if ($user['userid']) { $querybuild['reporter'] = "AND bug.userid = $user[userid] OR comment.userid = $user[userid]";
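Review bot: The reporter lookup queries `FROM user` without the `TABLE_PREFIX` every other query in this patch uses, so it breaks on any install with a prefix; it should be `FROM " . TABLE_PREFIX . "user`. The reporter string is also interpolated into two SQL literals with no escaping call (the removed line had none either), which is safe only if `$bugsys->in` is SQL-escaped centrally — worth a comment saying so. In the unchanged line below, `"AND bug.userid = $user[userid] OR comment.userid = $user[userid]"` has an unparenthesised OR, so once it is appended to the WHERE every other filter is bypassed for rows matching the comment author; it should be `"AND (bug.userid = $user[userid] OR comment.userid = $user[userid])"`. The enclosing results block continues past the hunk.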
@@ -119,50 +119,50 @@ if ($_REQUEST['do'] == 'results') // ------------------------------------------------------------------- // product/component/version stuff - if (is_array($vars['pcv'])) + if (is_array($bugsys->in['pcv'])) { - $querybuild['pcv'] = "AND bug.productid = {$vars['pcv']['product']} AND bug.componentid = {$vars['pcv']['component']} AND bug.versionid = {$vars['pcv']['version']}"; + $querybuild['pcv'] = "AND bug.productid = $pcv['product'] AND bug.componentid = $pcv['component'] AND bug.versionid = $pcv['version']"; } // ------------------------------------------------------------------- // severity, priority, status, resolution, assignedto // severity - if ($vars['severity']) + if ($bugsys->in['severity']) { - $querybuild['severity'] = "AND bug.severity = $vars[severity]"; + $querybuild['severity'] = "AND bug.severity = " . intval($bugsys->in['severity']); } // priority - if ($vars['priority']) + if ($bugsys->in['priority']) { - $querybuild['priority'] = "AND bug.priority = $vars[priority]"; + $querybuild['priority'] = "AND bug.priority = " . intval($bugsys->in['priority']); } // status - if ($vars['status']) + if ($bugsys->in['status']) { - $querybuild['status'] = "AND bug.status = $vars[status]"; + $querybuild['status'] = "AND bug.status = " . intval($bugsys->in['status']); } // resolution - if ($vars['resolution']) + if ($bugsys->in['resolution']) { - $querybuild['resolution'] = "AND bug.resolution = $vars[resolution]"; + $querybuild['resolution'] = "AND bug.resolution = " . intval($bugsys->in['resolution']); } // assignment - if ($vars['assignedto']) + if ($bugsys->in['assignedto']) { - $querybuild['assignedto'] = "AND bug.assignedto = $vars[assignedto]"; + $querybuild['assignedto'] = "AND bug.assignedto = " . 
intval($bugsys->in['assignedto']); } // ------------------------------------------------------------------- // date - if ($vars['date']) + if ($bugsys->in['date']) { // now - (seconds/day * number of days) - $dateline = time() - ($vars['date'] * 3600); + $dateline = time() - (intval($bugsys->in['date']) * 3600); $querybuild['date'] = "AND bug.dateline >= $dateline"; }
@@ -170,12 +170,12 @@ if ($_REQUEST['do'] == 'results') // sort by $sortby = array('bugid', 'severity', 'priority', 'status', 'resolution', 'dateline'); $orderby = array('ASC', 'DESC'); - $vars['orderby'] = strtoupper($vars['orderby']); - if (in_array($vars['sortby'], $sortby) AND in_array($vars['orderby'], $orderby)) + $bugsys->in['orderby'] = strtoupper($bugsys->in['orderby']); + if (in_array($bugsys->in['sortby'], $sortby) AND in_array($bugsys->in['orderby'], $orderby)) { - $sortclause = "ORDER BY $vars[sortby] $vars[orderby]"; + $sortclause = "ORDER BY " . $bugsys->in['sortby'] . ' ' . $bugsys->in['orderby']; } - else if ($vars['sortby'] == 'relevance') + else if ($bugsys->in['sortby'] == 'relevance') { $sortclause = ''; }
diff --git a/showreport.php b/showreport.php
index 38d9904..28db721 100644
--- a/showreport.php
+++ b/showreport.php
@@ -27,14 +27,12 @@ if (!can_perform('canviewbugs')) // ------------------------------------------------------------------- // get the report -sanitize(array('bugid' => INT, 'hilight' => STR)); - $bug = $db->query_first(" SELECT bug.*, user.displayname, user.email, user.showemail FROM " . TABLE_PREFIX . "bug AS bug LEFT JOIN " . TABLE_PREFIX . "user AS user ON (bug.userid = user.userid) - WHERE bug.bugid = $vars[bugid]" + WHERE bug.bugid = " . intval($bugsys->in['bugid']) ); if (!is_array($bug))
@@ -68,7 +66,7 @@ else // ------------------------------------------------------------------- // hilight -$words = explode(' ', $vars['hilight']); +$words = explode(' ', $bugsys->in['hilight']); foreach ($words AS $word) { if (trim($word))
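Review bot: `$querybuild['pcv'] = "AND bug.productid = $pcv['product'] AND ..."` is a PHP parse error — a quoted array key inside a double-quoted string needs braces (the removed line had `{$vars['pcv']['product']}`), so search.php no longer compiles. Since nothing shows `parse_pcv_select()` returning integers, concatenate `intval()`ed values instead: `$querybuild['pcv'] = "AND bug.productid = " . intval($pcv['product']) . " AND bug.componentid = " . intval($pcv['component']) . " AND bug.versionid = " . intval($pcv['version']);`. The guard above it, `is_array($bugsys->in['pcv'])`, tests request data rather than the `$pcv` computed earlier in the file and should be `if (is_array($pcv))`, otherwise the clause can be built from a parse that failed. In the unchanged date block the comment says "seconds/day" while the multiplier is 3600 (seconds per hour), so either the constant or the comment is wrong. The surrounding results block starts and ends outside the hunk.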
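Review bot: With `sanitize(array('bugid' => INT, 'hilight' => STR))` removed in the previous hunk, `hilight` — which was typed plain `STR`, not `STR_NOHTML` — now comes straight from `$bugsys->in`, and the words split here are presumably reflected into the rendered report; the hunk does not show them being HTML-escaped. Unless `$bugsys->in` is already escaped for output, each word should go through `htmlspecialchars()` before it is used for highlighting, and a comment such as `// hilight words are reflected into the page; escape before use` would make that expectation explicit. The `foreach` that consumes `$words` continues past the hunk.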
@@ -87,7 +85,7 @@ $comments_fetch = $db->query(" FROM " . TABLE_PREFIX . "comment AS comment LEFT JOIN " . TABLE_PREFIX . "user AS user ON (comment.userid = user.userid) - WHERE comment.bugid = $vars[bugid] + WHERE comment.bugid = $bug[bugid] ORDER BY comment.dateline ASC" ); while ($comment = $db->fetch_array($comments_fetch))
-- 2.22.5