From 3bf0519874ff3e358c0da9fb057ca69d0dde42e1 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Wed, 4 May 2005 22:28:33 +0000 Subject: [PATCH] r73: Updated input sanitization for: - newcomment.php - editreport.php - admin/usergroup.php - admin/status.php - docs/phrasetools.php - editcomment.php - login.php --- admin/status.php | 16 +++++----------- admin/usergroup.php | 44 +++++++++++++++++--------------------------- docs/phrasetools.php | 8 +++++++- editcomment.php | 18 +++++++----------- editreport.php | 34 ++++++++++++---------------------- login.php | 13 ++++++------- newcomment.php | 18 +++++++----------- 7 files changed, 61 insertions(+), 90 deletions(-) diff --git a/admin/status.php b/admin/status.php index c7f6cf2..99bb5ad 100755 --- a/admin/status.php +++ b/admin/status.php @@ -29,8 +29,7 @@ if (empty($_REQUEST['do'])) if ($_REQUEST['do'] == 'kill') { - sanitize(array('statusid' => INT)); - $db->query("DELETE FROM " . TABLE_PREFIX . "status WHERE statusid = $vars[statusid]"); + $db->query("DELETE FROM " . TABLE_PREFIX . "status WHERE statusid = " . intval($bugsys->in['statusid'])); build_statuses(); $admin->redirect('status.php?do=modify'); } 
@@ -39,16 +38,14 @@ if ($_REQUEST['do'] == 'kill') if ($_REQUEST['do'] == 'delete') { - sanitize(array('statusid' => INT)); - $admin->page_confirm(phrase('confirm_delete_status'), 'status.php?do=kill&statusid=' . $vars['statusid']); + $admin->page_confirm(phrase('confirm_delete_status'), 'status.php?do=kill&statusid=' . intval($bugsys->in['statusid'])); } // ################################################################### if ($_POST['do'] == 'insert') { - sanitize(array('status' => STR, 'displayorder' => INT)); - $db->query("INSERT INTO " . TABLE_PREFIX . "status (status, displayorder) VALUES ('" . addslasheslike($vars['status']) . "', $vars[displayorder])"); + $db->query("INSERT INTO " . TABLE_PREFIX . "status (status, displayorder) VALUES ('" . $bugsys->in['status'] . "', " . intval($bugsys->in['displayorder']) . ")"); build_statuses(); $admin->redirect('status.php?do=modify'); } @@ -75,8 +72,7 @@ if ($_REQUEST['do'] == 'add') if ($_POST['do'] == 'update') { - sanitize(array('statusid' => INT, 'status' => STR, 'displayorder' => INT)); - $db->query("UPDATE " . TABLE_PREFIX . "status SET status = '" . addslasheslike($vars['status']) . "', displayorder = $vars[displayorder] WHERE statusid = $vars[statusid]"); + $db->query("UPDATE " . TABLE_PREFIX . "status SET status = '" . $bugsys->in['status'] . "', displayorder = " . intval($bugsys->in['displayorder']) . " WHERE statusid = " . intval($bugsys->in['statusid'])); build_statuses(); $admin->redirect('status.php?do=modify'); } @@ -85,9 +81,7 @@ if ($_POST['do'] == 'update') if ($_REQUEST['do'] == 'edit') { - sanitize(array('statusid' => INT)); - - $status = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "status WHERE statusid = $vars[statusid]"); + $status = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "status WHERE statusid = " . intval($bugsys->in['statusid'])); if (!is_array($status)) { $admin->error('-1'); diff --git a/admin/usergroup.php b/admin/usergroup.php index 6814661..4dd177a 100755 
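Review bot: In the insert hunk the status text is concatenated into a quoted SQL literal as `'" . $bugsys->in['status'] . "'` with no escaping call, whereas the removed line passed it through addslasheslike(); unless global.php already escapes every entry of $bugsys->in for SQL (not visible in this patch), this is an injection point in an admin-only but still user-controlled value. The update hunk below repeats the pattern for `status`, and the same change is made to the string fields in admin/usergroup.php (insert and update), editcomment.php (comment and comment_parsed), editreport.php (summary), login.php (the email lookup) and newcomment.php (insert), so whatever the answer is, it applies to all of them. If $bugsys->in is pre-escaped, a comment on the $bugsys->in population in global.php saying so would stop the next reader from re-adding escaping; if it is not, each string needs the escaping helper again, e.g. `'" . addslasheslike($bugsys->in['status']) . "'`. The intval()-wrapped ids in these hunks are fine either way.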
--- a/admin/usergroup.php +++ b/admin/usergroup.php @@ -29,15 +29,13 @@ if (empty($_REQUEST['do'])) if ($_REQUEST['do'] == 'kill') { - sanitize(array('usergroupid' => INT)); - - if ($vars['usergroupid'] < 7) + if ($bugsys->in['usergroupid'] < 7) { $admin->error(phrase('cant_delete_default_usergroup')); } - $db->query("DELETE FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = $vars[usergroupid]"); - $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = 2 WHERE usergroupid = $vars[usergroupid]"); + $db->query("DELETE FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); + $db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = 2 WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); build_usergroups(); build_assignedto(); @@ -49,14 +47,12 @@ if ($_REQUEST['do'] == 'kill') if ($_REQUEST['do'] == 'delete') { - sanitize(array('usergroupid' => INT)); - - if ($vars['usergroupid'] < 7) + if ($bugsys->in['usergroupid'] < 7) { $admin->error(phrase('cant_delete_default_usergroup')); } - $admin->page_confirm(phrase('confirm_delete_usergroup'), 'usergroup.php?do=kill&usergroupid=' . $vars['usergroupid']); + $admin->page_confirm(phrase('confirm_delete_usergroup'), 'usergroup.php?do=kill&usergroupid=' . intval($bugsys->in['usergroupid'])); } // ################################################################### 
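Review bot: In the kill hunk the guard `if ($bugsys->in['usergroupid'] < 7)` compares the raw request string while the two queries below use `intval($bugsys->in['usergroupid'])`, so for non-numeric or oddly formatted input the value the guard sees and the value the DELETE/UPDATE act on can differ. Convert once at the top of the branch, `$usergroupid = intval($bugsys->in['usergroupid']);`, and use `$usergroupid` in the guard and in both queries. The delete hunk has the same split between its guard and the redirect URL it builds. Whether $admin->error() terminates the request is not visible here; if it returns, the guard does not actually stop the deletion, which is worth confirming.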
@@ -66,15 +62,13 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') $add = (($_REQUEST['do'] == 'add') ? true : false); $edit = (($_REQUEST['do'] == 'edit') ? true : false); - sanitize(array('usergroupid' => INT)); - $admin->page_start((($add, phrase('new_usergroup') ? phrase('edit_usergroup') : '')); $admin->form_start('usergroup.php', (($add) ? 'insert' : 'update')); if ($edit) { - $usergroup = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = $vars[usergroupid]"); + $usergroup = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "usergroup WHERE usergroupid = " . intval($bugsys->in['usergroupid'])); if (!is_array($usergroup)) { $admin->error('-1'); @@ -90,10 +84,10 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') // Details $admin->table_start(); $admin->table_head(phrase('usergroup_details')); - $admin->row_input(phrase('usergroup_title'), 'title', htmlspecialcharslike($usergroup['title'])); - $admin->row_input(phrase('usergroup_display_title'), 'displaytitle', htmlspecialcharslike($usergroup['displaytitle'])); - $admin->row_input(phrase('usergroup_open_markup'), 'opentag', htmlspecialcharslike($usergroup['opentag'])); - $admin->row_input(phrase('usergroup_close_markup'), 'closetag', htmlspecialcharslike($usergroup['closetag'])); + $admin->row_input(phrase('usergroup_title'), 'title', $bugsys->sanitize($usergroup['title'])); + $admin->row_input(phrase('usergroup_display_title'), 'displaytitle', $bugsys->sanitize($usergroup['displaytitle'])); + $admin->row_input(phrase('usergroup_open_markup'), 'opentag', $bugsys->sanitize($usergroup['opentag'])); + $admin->row_input(phrase('usergroup_close_markup'), 'closetag', $bugsys->sanitize($usergroup['closetag'])); $admin->table_end(); // Permission 
@@ -154,8 +148,6 @@ if ($_REQUEST['do'] == 'add' OR $_REQUEST['do'] == 'edit') if ($_POST['do'] == 'insert') { - sanitize(array('title' => STR, 'displaytitle' => STR, 'opentag' => STR, 'closetag' => STR)); - foreach ($_POST['perm'] AS $permtitle => $binaryswitch) { $permissionvalue += $_PERMISSION["$permtitle"] * $binaryswitch; @@ -165,10 +157,8 @@ if ($_POST['do'] == 'insert') INSERT INTO " . TABLE_PREFIX . "usergroup (title, displaytitle, opentag, closetag, permissions) VALUES - ('" . addslasheslike($vars['title']) . "', - '" . addslasheslike($vars['displaytitle']) . "', - '" . addslasheslike($vars['opentag']) . "', - '" . addslasheslike($vars['closetag']) . "', + ('" . $bugsys->in['title'] . "', '" . $bugsys->in['displaytitle'] . "', + '" . $bugsys->in['opentag'] . "', '" . $bugsys->in['closetag'] . "', $permissionvalue )" ); @@ -191,12 +181,12 @@ if ($_POST['do'] == 'update') $db->query(" UPDATE " . TABLE_PREFIX . "usergroup - SET title = '" . addslasheslike($vars['title']) . "', - displaytitle = '" . addslasheslike($vars['displaytitle']) . "', - opentag = '" . addslasheslike(unhtmlspecialchars($vars['opentag'])) . "', - closetag = '" . addslasheslike(unhtmlspecialchars($vars['closetag'])) . "', + SET title = '" . $bugsys->in['title'] . "', + displaytitle = '" . $bugsys->in['displaytitle'] . "', + opentag = '" . $bugsys->unsanitize($bugsys->in['opentag']) . "', + closetag = '" . $bugsys->unsanitize($bugsys->in['closetag']) . "', permissions = $permissionvalue - WHERE usergroupid = $vars[usergroupid]" + WHERE usergroupid = " . intval($bugsys->in['usergroupid']) ); build_usergroups(); diff --git a/docs/phrasetools.php b/docs/phrasetools.php index 3793c61..ac00cd6 100644 --- a/docs/phrasetools.php +++ b/docs/phrasetools.php 
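Review bot: The INSERT hunk stores `opentag`/`closetag` as `$bugsys->in['opentag']` unchanged, while the UPDATE hunk stores `$bugsys->unsanitize($bugsys->in['opentag'])`, so a usergroup created through insert and one edited through update end up with differently encoded markup in the same columns; the two paths should agree, and with the central sanitization now in $bugsys->in the update form is probably the intended one. Separately, unsanitize() undoes whatever $bugsys->sanitize did to the input immediately before the value is placed in a quoted SQL literal; if that sanitization is also what keeps quotes out of the query (not visible in this patch), the UPDATE loses that protection. A one-line comment above the query stating what unsanitize() restores and why it is safe to query with would make the intent checkable, e.g. `// opentag/closetag are stored as raw markup; unsanitize() reverses the HTML-entity step only, SQL escaping is done in …`.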
@@ -20,7 +20,13 @@ require_once('./global.php'); define('SELECTED', ' selected="selected"'); define('CHECKED', ' checked="checked"'); -sanitize(array('varname' => STR, 'phrasetext' => STR, 'matchmethod' => STR, 'do' => STR, 'doneinsert' => INT, 'oldvarname' => STR)); + +$vars['varname'] = $bugsys->in['varname']; +$vars['phrasetext'] = $bugsys->in['phrasetext']; +$vars['matchmethod'] = $bugsys->in['matchmethod']; +$vars['do'] = $bugsys->in['do']; +$vars['doneinsert'] = intval($bugsys->in['doneinsert']); +$vars['oldvarname'] = $bugsys->in['oldvarname']; $use['varname'] = (bool)$_REQUEST['use']['varname']; $use['phrasetext'] = (bool)$_REQUEST['use']['phrasetext']; $use['and'] = (($vars['matchmethod'] == 'and') ? true : false); diff --git a/editcomment.php b/editcomment.php index f15f697..f06c9fb 100644 --- a/editcomment.php +++ b/editcomment.php @@ -16,14 +16,12 @@ $fetchtemplates = array( require_once('./global.php'); -sanitize(array('commentid' => INT)); - $comment = $db->query_first(" SELECT comment.*, user.email, user.showemail, user.displayname FROM " . TABLE_PREFIX . "comment AS comment LEFT JOIN " . TABLE_PREFIX . "user AS user ON (comment.userid = user.userid) - WHERE comment.commentid = $vars[commentid]" + WHERE comment.commentid = " . intval($bugsys->in['commentid']) ); if (!$comment) 
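Review bot: In editcomment.php, dropping `sanitize(array('commentid' => INT))` means `$vars['commentid']` is no longer populated, but the update branch further down the file (visible as a context line in the next hunk, `WHERE commentid = $vars[commentid]"`) still interpolates it, so that UPDATE now ends in `WHERE commentid = ` unless something in global.php still fills $vars. Define the id once above the SELECT, `$commentid = intval($bugsys->in['commentid']);`, and use `$commentid` in both the SELECT here and the UPDATE below. The file continues well beyond this hunk, so any other `$vars[...]` reference in it deserves the same check.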
@@ -66,25 +64,23 @@ if ($_REQUEST['do'] == 'delete') if ($_POST['do'] == 'update') { - sanitize(array('comment' => STR)); - - if (!$vars['comment']) + if (!$bugsys->in['comment']) { echo 'you need to enter some text'; exit; } - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $vars['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } $db->query(" UPDATE " . TABLE_PREFIX . "comment - SET comment = '" . addslasheslike($vars['comment']) . "', - comment_parsed = '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + SET comment = '" . $bugsys->in['comment'] . "', + comment_parsed = '" . nl2br($bugsys->in['comment_parsed']) . "' WHERE commentid = $vars[commentid]" ); @@ -97,7 +93,7 @@ if ($_REQUEST['do'] == 'edit') { $comment['posttime'] = datelike('standard', $comment['dateline']); $comment['postby'] = construct_user_display($comment); - $comment['comment'] = htmlspecialcharslike($comment['comment']); + $comment['comment'] = $bugsys->sanitize($comment['comment']); eval('$template->flush("' . $template->fetch('editcomment') . '");'); } diff --git a/editreport.php b/editreport.php index 2782d12..1c2f5ec 100644 --- a/editreport.php +++ b/editreport.php @@ -17,14 +17,12 @@ $fetchtemplates = array( require_once('./global.php'); -sanitize(array('bugid' => INT)); - $bug = $db->query_first(" SELECT bug.*, user.email, user.displayname, user.showemail FROM " . TABLE_PREFIX . "bug AS bug LEFT JOIN " . TABLE_PREFIX . "user AS user ON (bug.userid = user.userid) - WHERE bug.bugid = $vars[bugid]" + WHERE bug.bugid = " . intval($bugsys->in['bugid']) ); if (!$bug) 
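Review bot: When allowhtml is off, the escaped text is written to `$vars['comment_parsed']` but the UPDATE two lines later reads `nl2br($bugsys->in['comment_parsed'])`, so the escaping is computed and discarded and the unescaped comment is stored in comment_parsed, the column that is presumably rendered as HTML. The assignment should target the array the query reads: `$bugsys->in['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']);`. newcomment.php's insert hunk has the identical mismatch between `$vars['comment_parsed']` and `$bugsys->in['comment_parsed']` and needs the same one-line change.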
@@ -65,23 +63,14 @@ if ($_REQUEST['do'] == 'delete') if ($_POST['do'] == 'update') { - sanitize(array( - 'summary' => STR_NOHTML, - 'priority' => INT, - 'status' => INT, - 'resolution' => INT, - 'assignedto' => INT, - 'pcv_select' => STR) - ); - - $vars['pcv'] = parse_pcv_select($vars['pcv_select'], true); + $pcv = parse_pcv_select($bugsys->in['pcv_select'], true); - if (!$vars['summary']) + if (!$bugsys->in['summary']) { echo 'you need to enter a summary'; exit; } - if (!$vars['pcv']) + if (!$bugsys->in['pcv']) { echo 'invalid product/component/version'; exit; @@ -89,13 +78,14 @@ if ($_POST['do'] == 'update') $db->query(" UPDATE " . TABLE_PREFIX . "bug - SET summary = '" . addslasheslike($vars['summary']) . "', - priority = $vars[priority], status = $vars[status], - resolution = $vars[resolution], - assignedto = $vars[assignedto], - productid = " . $vars['pcv']['product'] . ", - componentid = " . $vars['pcv']['component'] . ", - versionid = " . $vars['pcv']['version'] . " + SET summary = '" . $bugsys->in['summary'] . "', + priority = " . intval($bugsys->in['priority']) . ", + status = " . intval($bugsys->in['status']) . ", + resolution = " . intval($bugsys->in['resolution']) . ", + assignedto = " . intval($bugsys->in['assignedto']) . ", + productid = " . $pcv['product'] . ", + componentid = " . $pcv['component'] . ", + versionid = " . $pcv['version'] . " WHERE bugid = $bug[bugid]" ); diff --git a/login.php b/login.php index a618faa..34b9d19 100755 --- a/login.php +++ b/login.php @@ -35,11 +35,10 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'login' OR $_POST['do'] == 'cplogin') { - sanitize(array('email' => STR_NOHTML, 'password' => STR, 'rememberme' => INT)); - + $rememberme = intval($bugsys->in['rememberme']); if ($_POST['cplogin']) { - $vars['rememberme'] = 0; + $rememberme = 0; } if ($_SERVER['HTTP_REFERER'] AND !$_POST['goindex']) 
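Review bot: In editreport.php's update hunk, `if (!$bugsys->in['pcv'])` tests a request key that nothing in this file sets, instead of the `$pcv` that `parse_pcv_select(...)` returned on the line above; the check should be `if (!$pcv)`. As written, the validation is decided by whether the request happens to carry a `pcv` field rather than by the parsed product/component/version, so a failed parse is not caught. In the UPDATE below, `$pcv['product']`, `$pcv['component']` and `$pcv['version']` are interpolated unquoted; whether parse_pcv_select() guarantees integers is not visible here, so either wrap them in intval() or note the guarantee in a comment at the call site.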
@@ -51,11 +50,11 @@ if ($_POST['do'] == 'login' OR $_POST['do'] == 'cplogin') $url = 'index.php'; } - $userinfo = $db->query_first("SELECT * FROM user WHERE email = '" . addslasheslike($vars['email']) . "'"); - if (md5(md5($vars['password']) . md5($userinfo['salt'])) == $userinfo['password']) + $userinfo = $db->query_first("SELECT * FROM user WHERE email = '" . $bugsys->in['email'] . "'"); + if (md5(md5($bugsys->in['password']) . md5($userinfo['salt'])) == $userinfo['password']) { - mysetcookie(COOKIE_PREFIX . 'userid', $userinfo['userid'], $vars['rememberme']); - mysetcookie(COOKIE_PREFIX . 'authkey', $userinfo['authkey'], $vars['rememberme']); + mysetcookie(COOKIE_PREFIX . 'userid', $userinfo['userid'], $rememberme); + mysetcookie(COOKIE_PREFIX . 'authkey', $userinfo['authkey'], $rememberme); } else { diff --git a/newcomment.php b/newcomment.php index 1ad78f7..9f3e4ea 100644 --- a/newcomment.php +++ b/newcomment.php @@ -33,13 +33,11 @@ if (empty($_REQUEST['do'])) if ($_POST['do'] == 'insert') { - sanitize(array('bugid' => INT, 'comment' => STR)); - - $vars['comment_parsed'] = $vars['comment']; + $bugsys->in['comment_parsed'] = $bugsys->in['comment']; if (!$bugsys->options['allowhtml']) { - $vars['comment_parsed'] = htmlspecialcharslike($vars['comment_parsed']); + $vars['comment_parsed'] = $bugsys->sanitize($bugsys->in['comment_parsed']); } $time = time(); 
@@ -49,23 +47,21 @@ if ($_POST['do'] == 'insert') (bugid, userid, dateline, comment, comment_parsed) VALUES ($vars[bugid], " . $bugsys->userinfo['userid'] . ", - $time, '" . addslasheslike($vars['comment']) . "', - '" . addslasheslike(nl2br($vars['comment_parsed'])) . "' + $time, '" . $bugsys->in['comment'] . "', + '" . nl2br($bugsys->in['comment_parsed']) . "' )" ); - $db->query("UPDATE " . TABLE_PREFIX . "bug SET lastposttime = $time, lastpostby = " . $bugsys->userinfo['userid'] . " WHERE bugid = $vars[bugid]"); + $db->query("UPDATE " . TABLE_PREFIX . "bug SET lastposttime = $time, lastpostby = " . $bugsys->userinfo['userid'] . " WHERE bugid = " . intval($bugsys->in['bugid'])); - echo "comment inserted"; + echo "in['bugid']) . "\">comment inserted"; } // ################################################################### if ($_REQUEST['do'] == 'add') { - sanitize(array('bugid' => INT)); - - $bug = $db->query_first("SELECT bug.*, comment.comment FROM " . TABLE_PREFIX . "bug LEFT JOIN " . TABLE_PREFIX . "comment AS comment ON (bug.bugid = comment.bugid) WHERE bug.bugid = $vars[bugid]"); + $bug = $db->query_first("SELECT bug.*, comment.comment FROM " . TABLE_PREFIX . "bug LEFT JOIN " . TABLE_PREFIX . "comment AS comment ON (bug.bugid = comment.bugid) WHERE bug.bugid = " . intval($bugsys->in['bugid'])); if (!$bug) { echo 'alert: bad bug'; -- 2.22.5
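Review bot: The INSERT's `VALUES ($vars[bugid], ...` still reads `$vars['bugid']`, which the preceding hunk stopped populating when it removed `sanitize(array('bugid' => INT, 'comment' => STR))`, so the comment row is written with an empty bugid while the UPDATE right after it correctly uses `intval($bugsys->in['bugid'])`; the insert branch begins outside this hunk. Define `$bugid = intval($bugsys->in['bugid']);` at the top of the branch and use `$bugid` in the INSERT, the UPDATE and the echo. The `echo "in['bugid']) . "\">comment inserted";` line appears to have lost its markup in this rendering and is worth checking against the file itself, since as shown it would not parse.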