From: <rgr...@us...> - 2013-09-22 21:44:53
Revision: 12083
http://sourceforge.net/p/xoops/svn/12083
Author: rgriffith
Date: 2013-09-22 21:44:50 +0000 (Sun, 22 Sep 2013)
Log Message:
-----------
Fixes for security issues reported by Mehdi Dadkhah
see: http://packetstormsecurity.com/files/123148
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.7/htdocs/banners.php
XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsload.php
XoopsCore/branches/2.5.x/2.5.7/htdocs/include/checklogin.php
XoopsCore/branches/2.5.x/2.5.7/htdocs/register.php
XoopsCore/branches/2.5.x/2.5.7/htdocs/user.php
Added Paths:
-----------
XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsfilterinput.php
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/banners.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/banners.php 2013-09-22 15:55:58 UTC (rev 12082)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/banners.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -325,20 +325,59 @@
exit();
}
+XoopsLoad::load('XoopsFilterInput');
+$myts =& MyTextSanitizer::getInstance();
+
$op = '';
if (!empty($_POST['op'])) {
- $op = $_POST['op'];
-} else if (!empty($_GET['op'])) {
- $op = $_GET['op'];
+ // from $_POST we use keys: op, login, pass, url, pass, bid, cid
+ $op = trim(XoopsFilterInput::clean($_POST['op'], 'STRING'));
+
+ $clean_login='';
+ if (isset($_POST['login'])) {
+ $clean_login = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['login']), 'STRING'));
+ }
+
+ $clean_pass='';
+ if (isset($_POST['pass'])) {
+ $clean_pass = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['pass']), 'STRING'));
+ }
+
+ $clean_url='';
+ if (isset($_POST['url'])) {
+ $clean_url = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['url']), 'WEBURL'));
+ }
+
+ $clean_bid=0;
+ if (isset($_POST['bid'])) {
+ $clean_bid = XoopsFilterInput::clean($_POST['bid'], 'INT');
+ }
+
+ $clean_cid=0;
+ if (isset($_POST['cid'])) {
+ $clean_cid = XoopsFilterInput::clean($_POST['cid'], 'INT');
+ }
+
+} elseif (!empty($_GET['op'])) {
+ // from $_POST we use keys: op, bid, cid
+ $op = trim(XoopsFilterInput::clean($_GET['op'], 'STRING'));
+
+ $clean_bid=0;
+ if (isset($_GET['bid'])) {
+ $clean_bid = XoopsFilterInput::clean($_GET['bid'], 'INT');
+ }
+
+ $clean_cid=0;
+ if (isset($_GET['cid'])) {
+ $clean_cid = XoopsFilterInput::clean($_GET['cid'], 'INT');
+ }
+
}
$myts =& MyTextSanitizer::getInstance();
switch ($op) {
case "click":
- $bid = 0;
- if (!empty($_GET['bid'])) {
- $bid = intval($_GET['bid']);
- }
+ $bid = $clean_bid;
clickbanner($bid);
break;
case "Ok":
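Review bot: `$clean_login`, `$clean_pass` and `$clean_url` are assigned only inside the `$_POST['op']` branch, and `$clean_bid`/`$clean_cid` in neither branch when no `op` is supplied, yet the `switch` reads them unconditionally (`$bid = $clean_bid;` here and the assignments in the two later hunks of this file), so an `op` that arrives via `$_GET` reaches the `Ok` and `Change` cases with undefined variables. Initialising them once before the `if`, `$clean_login = $clean_pass = $clean_url = ''; $clean_bid = $clean_cid = 0;`, removes the notice and makes the fallback values explicit. The comment on the `$_GET` branch copies the POST wording and should read `// from $_GET we use keys: op, bid, cid`. `$myts` is also obtained twice, at the top of the hunk and again just before the `switch`; one of the two assignments can go.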
@@ -348,8 +387,8 @@
exit();
}
- $_SESSION['banner_login'] = $myts->stripslashesGPC(trim($_POST['login']));
- $_SESSION['banner_pass'] = $myts->stripslashesGPC(trim($_POST['pass']));
+ $_SESSION['banner_login'] = $clean_login;
+ $_SESSION['banner_pass'] = $clean_pass;
}
bannerstats();
break;
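Review bot: The banner password stored here has been passed through `XoopsFilterInput::clean(..., 'STRING')`, which runs `html_entity_decode` and the tag/attribute stripper over it, so a password containing `&amp;`, `<` or a numeric entity is rewritten before it is compared with the stored credential and such clients can no longer log in. A password is never rendered, so it needs no XSS filtering; keeping the old `$myts->stripSlashesGPC(trim($_POST['pass']))` and reserving `clean()` for values that are output is the safer choice. The same applies to `pass` in `include/checklogin.php` and to `pass`/`vpass` in `register.php` in this commit, where at minimum the transformation must be identical on the registration and login paths or the stored hash will never verify. The enclosing `switch` starts outside this hunk.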
@@ -358,26 +397,14 @@
redirect_header("banners.php", 3, implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
exit();
}
- $bid = $cid = 0;
- if (!empty($_POST['url'])) {
- $url = $myts->stripslashesGPC(trim($_POST['url']));
- }
- if (!empty($_POST['bid'])) {
- $bid = intval($_POST['bid']);
- }
- if (!empty($_POST['cid'])) {
- $cid = intval($_POST['cid']);
- }
+ $url = $clean_url;
+ $bid = $clean_bid;
+ $cid = $clean_cid;
change_banner_url_by_client($cid, $bid, $url);
break;
case "EmailStats":
- $bid = $cid = 0;
- if (!empty($_GET['bid'])) {
- $bid = intval($_GET['bid']);
- }
- if (!empty($_GET['cid'])) {
- $cid = intval($_GET['cid']);
- }
+ $bid = $clean_bid;
+ $cid = $clean_cid;
EmailStats($cid, $bid);
break;
case "login":
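Review bot: `$clean_url` is `''` both when the form field was empty and when `clean(..., 'WEBURL')` rejected the value (a non-http(s) scheme, or a quote or angle bracket), and `change_banner_url_by_client($cid, $bid, $url)` is called either way, so a rejected URL is presumably written as an empty banner URL with no message to the client; worth confirming against that function, which is defined outside this hunk. A check before the call, `if ($url === '') { redirect_header('banners.php', 3, $msg /* placeholder: language constant */); exit(); }`, would surface the rejection instead of silently storing nothing. The same silent-empty behaviour applies to `$clean_redirect` in `include/checklogin.php` and `user.php`, where it is at least harmless because an empty redirect falls back to the default page.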
Added: XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsfilterinput.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsfilterinput.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsfilterinput.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -0,0 +1,433 @@
+<?php
+/*
+ You may not change or alter any portion of this comment or credits
+ of supporting developers from this source code or any supporting source code
+ which is considered copyrighted (c) material of the original comment or credit authors.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/**
+ * Backport of Xmf\FilterInput, using Daniel Morris's original
+ * PHP INPUT FILTER for php4
+ *
+ * @class: XoopsFilterInput (PHP4 & PHP5, with comments)
+ * @project: PHP Input Filter
+ * @date: 10-05-2005
+ * @version: 1.2.2_php4/php5
+ * @author: Daniel Morris
+ * @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
+ * @author Louis Landry <lou...@jo...>
+ * @author Grégory Mage (Aka Mage)
+ * @author trabis <lus...@gm...>
+ * @author Richard Griffith <ri...@ge...>
+ * @copyright: Daniel Morris
+ * @email: da...@ro...
+ * @license: GNU General Public License (GPL)
+ */
+class XoopsFilterInput {
+ var $tagsArray; // default = empty array
+ var $attrArray; // default = empty array
+
+ var $tagsMethod; // default = 0
+ var $attrMethod; // default = 0
+
+ var $xssAuto; // default = 1
+ var $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
+ var $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers
+
+ /**
+ * Constructor for XoopsFilterInput class. Only first parameter is required.
+ * @access constructor
+ * @param Array $tagsArray - list of user-defined tags
+ * @param Array $attrArray - list of user-defined attributes
+ * @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
+ * @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
+ * @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
+ */
+ function XoopsFilterInput($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1) {
+ // make sure user defined arrays are in lowercase
+ for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
+ for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
+ // assign to member vars
+ $this->tagsArray = (array) $tagsArray;
+ $this->attrArray = (array) $attrArray;
+ $this->tagsMethod = $tagsMethod;
+ $this->attrMethod = $attrMethod;
+ $this->xssAuto = $xssAuto;
+ }
+
+ /**
+ * Returns a reference to an input filter object, only creating it if it doesn't already exist.
+ *
+ * This method must be invoked as:
+ * <pre> $filter = & XoopsFilterInput::getInstance();</pre>
+ *
+ * @param array $tagsArray list of user-defined tags
+ * @param array $attrArray list of user-defined attributes
+ * @param int $tagsMethod WhiteList method = 0, BlackList method = 1
+ * @param int $attrMethod WhiteList method = 0, BlackList method = 1
+ * @param int $xssAuto Only auto clean essentials = 0,
+ * Allow clean blacklisted tags/attr = 1
+ *
+ * @return XoopsFilterInput object.
+ * @since 1.5
+ * @static
+ */
+ static function getInstance(
+ $tagsArray = array(),
+ $attrArray = array(),
+ $tagsMethod = 0,
+ $attrMethod = 0,
+ $xssAuto = 1
+ ) {
+ static $instances;
+
+ $sig = md5(serialize(array($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto)));
+
+ if (!isset ($instances)) {
+ $instances = array();
+ }
+
+ if (empty ($instances[$sig])) {
+ $instances[$sig] = new XoopsFilterInput($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
+ }
+
+ return $instances[$sig];
+ }
+
+ /**
+ * Method to be called by another php script. Processes for XSS and specified bad code.
+ * @access public
+ * @param Mixed $source - input string/array-of-string to be 'cleaned'
+ * @return String $source - 'cleaned' version of input parameter
+ */
+ function process($source) {
+ // clean all elements in this array
+ if (is_array($source)) {
+ foreach($source as $key => $value)
+ // filter element for XSS and other 'bad' code etc.
+ if (is_string($value)) $source[$key] = $this->remove($this->decode($value));
+ return $source;
+ // clean this string
+ } else if (is_string($source)) {
+ // filter source for XSS and other 'bad' code etc.
+ return $this->remove($this->decode($source));
+ // return parameter as given
+ } else return $source;
+ }
+
+ /**
+ * Method to be called by another php script. Processes for XSS and
+ * specified bad code.
+ *
+ * @param mixed $source Input string/array-of-string to be 'cleaned'
+ * @param string $type Return type for the variable (INT, FLOAT,
+ * BOOLEAN, WORD, ALNUM, CMD, BASE64, STRING,
+ * ARRAY, PATH, NONE)
+ *
+ * @return mixed 'Cleaned' version of input parameter
+ * @static
+ */
+ static function clean($source, $type = 'string')
+ {
+ // Handle the type constraint
+ switch (strtoupper($type)) {
+ case 'INT':
+ case 'INTEGER':
+ // Only use the first integer value
+ preg_match('/-?[0-9]+/', (string) $source, $matches);
+ $result = @ (int) $matches[0];
+ break;
+
+ case 'FLOAT':
+ case 'DOUBLE':
+ // Only use the first floating point value
+ preg_match('/-?[0-9]+(\.[0-9]+)?/', (string) $source, $matches);
+ $result = @ (float) $matches[0];
+ break;
+
+ case 'BOOL':
+ case 'BOOLEAN':
+ $result = (bool) $source;
+ break;
+
+ case 'WORD':
+ $result = (string) preg_replace('/[^A-Z_]/i', '', $source);
+ break;
+
+ case 'ALNUM':
+ $result = (string) preg_replace('/[^A-Z0-9]/i', '', $source);
+ break;
+
+ case 'CMD':
+ $result = (string) preg_replace('/[^A-Z0-9_\.-]/i', '', $source);
+ $result = ltrim($result, '.');
+ break;
+
+ case 'BASE64':
+ $result = (string) preg_replace('/[^A-Z0-9\/+=]/i', '', $source);
+ break;
+
+ case 'STRING':
+ // Check for static usage and assign $filter the proper variable
+ if (isset($this) && is_a($this, 'XoopsFilterInput')) {
+ $filter =& $this;
+ } else {
+ $filter = XoopsFilterInput::getInstance();
+ }
+ $result = (string) $filter->process($source);
+ break;
+
+ case 'ARRAY':
+ // Check for static usage and assign $filter the proper variable
+ if (isset($this) && is_a($this, 'XoopsFilterInput')) {
+ $filter =& $this;
+ } else {
+ $filter = XoopsFilterInput::getInstance();
+ }
+ $result = (array) $filter->process($source);
+ break;
+
+ case 'PATH':
+ $pattern = '/^[A-Za-z0-9_-]+[A-Za-z0-9_\.-]*([\\\\\/][A-Za-z0-9_-]+[A-Za-z0-9_\.-]*)*$/';
+ preg_match($pattern, (string) $source, $matches);
+ $result = @ (string) $matches[0];
+ break;
+
+ case 'USERNAME':
+ $result = (string) preg_replace('/[\x00-\x1F\x7F<>"\'%&]/', '', $source);
+ break;
+
+ case 'WEBURL':
+ // Check for static usage and assign $filter the proper variable
+ if (isset($this) && is_a($this, 'XoopsFilterInput')) {
+ $filter =& $this;
+ } else {
+ $filter = XoopsFilterInput::getInstance();
+ }
+ $result = (string) $filter->process($source);
+ // allow only relative, http or https
+ $urlparts=parse_url($result);
+ if (!empty($urlparts['scheme'])
+ && !($urlparts['scheme']=='http' || $urlparts['scheme']=='https')
+ ) {
+ $result='';
+ }
+ // do not allow quotes or tag brackets
+ if (!preg_match('#^[^"<>]+$#', $result)) {
+ $result='';
+ }
+ break;
+
+ default:
+ // Check for static usage and assign $filter the proper variable
+ if (isset($this) && is_a($this, 'XoopsFilterInput')) {
+ $filter =& $this;
+ } else {
+ $filter = XoopsFilterInput::getInstance();
+ }
+ $result = $filter->process($source);
+ break;
+ }
+
+ return $result;
+ }
+
+
+ /**
+ * Internal method to iteratively remove all unwanted tags and attributes
+ * @access protected
+ * @param String $source - input string to be 'cleaned'
+ * @return String $source - 'cleaned' version of input parameter
+ */
+ function remove($source) {
+ $loopCounter=0;
+ // provides nested-tag protection
+ while($source != $this->filterTags($source)) {
+ $source = $this->filterTags($source);
+ $loopCounter++;
+ }
+ return $source;
+ }
+
+ /**
+ * Internal method to strip a string of certain tags
+ * @access protected
+ * @param String $source - input string to be 'cleaned'
+ * @return String $source - 'cleaned' version of input parameter
+ */
+ function filterTags($source) {
+ // filter pass setup
+ $preTag = NULL;
+ $postTag = $source;
+ // find initial tag's position
+ $tagOpen_start = strpos($source, '<');
+ // interate through string until no tags left
+ while($tagOpen_start !== FALSE) {
+ // process tag interatively
+ $preTag .= substr($postTag, 0, $tagOpen_start);
+ $postTag = substr($postTag, $tagOpen_start);
+ $fromTagOpen = substr($postTag, 1);
+ // end of tag
+ $tagOpen_end = strpos($fromTagOpen, '>');
+ if ($tagOpen_end === false) break;
+ // next start of tag (for nested tag assessment)
+ $tagOpen_nested = strpos($fromTagOpen, '<');
+ if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
+ $preTag .= substr($postTag, 0, ($tagOpen_nested+1));
+ $postTag = substr($postTag, ($tagOpen_nested+1));
+ $tagOpen_start = strpos($postTag, '<');
+ continue;
+ }
+ $tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
+ $currentTag = substr($fromTagOpen, 0, $tagOpen_end);
+ $tagLength = strlen($currentTag);
+ if (!$tagOpen_end) {
+ $preTag .= $postTag;
+ $tagOpen_start = strpos($postTag, '<');
+ }
+ // iterate through tag finding attribute pairs - setup
+ $tagLeft = $currentTag;
+ $attrSet = array();
+ $currentSpace = strpos($tagLeft, ' ');
+ // is end tag
+ if (substr($currentTag, 0, 1) == "/") {
+ $isCloseTag = TRUE;
+ list($tagName) = explode(' ', $currentTag);
+ $tagName = substr($tagName, 1);
+ // is start tag
+ } else {
+ $isCloseTag = FALSE;
+ list($tagName) = explode(' ', $currentTag);
+ }
+ // excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted
+ if ((!preg_match("/^[a-z][a-z0-9]*$/i",$tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) {
+ $postTag = substr($postTag, ($tagLength + 2));
+ $tagOpen_start = strpos($postTag, '<');
+ // don't append this tag
+ continue;
+ }
+ // this while is needed to support attribute values with spaces in!
+ while ($currentSpace !== FALSE) {
+ $fromSpace = substr($tagLeft, ($currentSpace+1));
+ $nextSpace = strpos($fromSpace, ' ');
+ $openQuotes = strpos($fromSpace, '"');
+ $closeQuotes = strpos(substr($fromSpace, ($openQuotes+1)), '"') + $openQuotes + 1;
+ // another equals exists
+ if (strpos($fromSpace, '=') !== FALSE) {
+ // opening and closing quotes exists
+ if (($openQuotes !== FALSE) && (strpos(substr($fromSpace, ($openQuotes+1)), '"') !== FALSE))
+ $attr = substr($fromSpace, 0, ($closeQuotes+1));
+ // one or neither exist
+ else $attr = substr($fromSpace, 0, $nextSpace);
+ // no more equals exist
+ } else $attr = substr($fromSpace, 0, $nextSpace);
+ // last attr pair
+ if (!$attr) $attr = $fromSpace;
+ // add to attribute pairs array
+ $attrSet[] = $attr;
+ // next inc
+ $tagLeft = substr($fromSpace, strlen($attr));
+ $currentSpace = strpos($tagLeft, ' ');
+ }
+ // appears in array specified by user
+ $tagFound = in_array(strtolower($tagName), $this->tagsArray);
+ // remove this tag on condition
+ if ((!$tagFound && $this->tagsMethod) || ($tagFound && !$this->tagsMethod)) {
+ // reconstruct tag with allowed attributes
+ if (!$isCloseTag) {
+ $attrSet = $this->filterAttr($attrSet);
+ $preTag .= '<' . $tagName;
+ for ($i = 0; $i < count($attrSet); $i++)
+ $preTag .= ' ' . $attrSet[$i];
+ // reformat single tags to XHTML
+ if (strpos($fromTagOpen, "</" . $tagName)) $preTag .= '>';
+ else $preTag .= ' />';
+ // just the tagname
+ } else $preTag .= '</' . $tagName . '>';
+ }
+ // find next tag's start
+ $postTag = substr($postTag, ($tagLength + 2));
+ $tagOpen_start = strpos($postTag, '<');
+ }
+ // append any code after end of tags
+ $preTag .= $postTag;
+ return $preTag;
+ }
+
+ /**
+ * Internal method to strip a tag of certain attributes
+ * @access protected
+ * @param Array $attrSet
+ * @return Array $newSet
+ */
+ function filterAttr($attrSet) {
+ $newSet = array();
+ // process attributes
+ for ($i = 0; $i <count($attrSet); $i++) {
+ // skip blank spaces in tag
+ if (!$attrSet[$i]) continue;
+ // split into attr name and value
+ $attrSubSet = explode('=', trim($attrSet[$i]));
+ list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
+ // removes all "non-regular" attr names AND also attr blacklisted
+ if ((!eregi("^[a-z]*$",$attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on'))))
+ continue;
+ // xss attr value filtering
+ if ($attrSubSet[1]) {
+ // strips unicode, hex, etc
+ $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
+ // strip normal newline within attr value
+ $attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
+ // strip double quotes
+ $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
+ // [requested feature] convert single quotes from either side to doubles (Single quotes shouldn't be used to pad attr value)
+ if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'"))
+ $attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
+ // strip slashes
+ $attrSubSet[1] = stripslashes($attrSubSet[1]);
+ }
+ // auto strip attr's with "javascript:
+ if ( ((strpos(strtolower($attrSubSet[1]), 'expression') !== false) && (strtolower($attrSubSet[0]) == 'style')) ||
+ (strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
+ (strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
+ (strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
+ (strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
+ (strpos(strtolower($attrSubSet[1]), 'livescript:') !== false)
+ ) continue;
+
+ // if matches user defined array
+ $attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray);
+ // keep this attr on condition
+ if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
+ // attr has value
+ if ($attrSubSet[1]) $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
+ // attr has decimal zero as value
+ else if ($attrSubSet[1] == "0") $newSet[] = $attrSubSet[0] . '="0"';
+ // reformat single attributes to XHTML
+ else $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
+ }
+ }
+ return $newSet;
+ }
+
+ /**
+ * Try to convert to plaintext
+ * @access protected
+ * @param String $source
+ * @return String $source
+ */
+ function decode($source) {
+ // url decode
+ $charset = defined('_CHARSET') ? constant('_CHARSET') : 'utf-8';
+ $source = html_entity_decode($source, ENT_QUOTES, $charset);
+ // convert decimal
+ $source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source); // decimal notation
+ // convert hex
+ $source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source); // hex notation
+ return $source;
+ }
+}
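Review bot: `decode()` uses the PCRE `/e` modifier in both `preg_replace` calls, which evaluates the replacement string as PHP code; `/e` is deprecated since PHP 5.5 and removed in 7.0, and in a filter whose whole purpose is handling untrusted text it should not be used at all, so `preg_replace_callback` with plain array callables (no closures needed) is the replacement shown below. `filterAttr()` likewise depends on `eregi()`, also removed in 7.0; `preg_match('/^[a-z]*$/i', $attrSubSet[0])` is the drop-in form. In `remove()`, `$loopCounter` is incremented but never read, and `filterTags()` runs twice per iteration; computing it once per pass reads more clearly. `clean()` is declared `static`, so `$this` is never defined inside it and the `isset($this) && is_a($this, ...)` branches in the `STRING`, `ARRAY`, `WEBURL` and default cases are dead code that can be reduced to `$filter = XoopsFilterInput::getInstance();`.
```php
    function decode($source) {
        // url decode
        $charset = defined('_CHARSET') ? constant('_CHARSET') : 'utf-8';
        $source = html_entity_decode($source, ENT_QUOTES, $charset);
        // convert decimal and hex numeric references through callbacks (no /e modifier)
        $source = preg_replace_callback('/&#(\d+);/m', array('XoopsFilterInput', 'chrFromDecimal'), $source);
        $source = preg_replace_callback('/&#x([a-f0-9]+);/mi', array('XoopsFilterInput', 'chrFromHex'), $source);
        return $source;
    }

    /**
     * preg_replace_callback helper: decimal numeric reference to a single byte
     * @param array $matches
     * @return string
     */
    static function chrFromDecimal($matches) {
        return chr((int) $matches[1]);
    }

    /**
     * preg_replace_callback helper: hex numeric reference to a single byte
     * @param array $matches
     * @return string
     */
    static function chrFromHex($matches) {
        return chr(hexdec($matches[1]));
    }
    // … unchanged: rest of the class …
```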
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsload.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsload.php 2013-09-22 15:55:58 UTC (rev 12082)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/class/xoopsload.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -204,6 +204,7 @@
'xoopsformeditor' => XOOPS_ROOT_PATH . '/class/xoopsform/formeditor.php',
'xoopsformselecteditor' => XOOPS_ROOT_PATH . '/class/xoopsform/formselecteditor.php',
'xoopsformcalendar' => XOOPS_ROOT_PATH . '/class/xoopsform/formcalendar.php',
+ 'xoopsfilterinput' => XOOPS_ROOT_PATH . '/class/xoopsfilterinput.php',
);
}
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/include/checklogin.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/include/checklogin.php 2013-09-22 15:55:58 UTC (rev 12082)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/include/checklogin.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -20,8 +20,27 @@
xoops_loadLanguage('user');
-$uname = !isset($_POST['uname']) ? '' : trim($_POST['uname']);
-$pass = !isset($_POST['pass']) ? '' : trim($_POST['pass']);
+// from $_POST we use keys: uname, pass, rememberme, xoops_redirect
+XoopsLoad::load('XoopsFilterInput');
+$clean_uname = '';
+if (isset($_POST['uname'])) {
+ $clean_uname = trim(XoopsFilterInput::clean($_POST['uname'], 'STRING'));
+}
+$clean_pass = '';
+if (isset($_POST['pass'])) {
+ $clean_pass = trim(XoopsFilterInput::clean($_POST['pass'], 'STRING'));
+}
+$clean_rememberme = '';
+if (isset($_POST['rememberme'])) {
+ $clean_rememberme = trim(XoopsFilterInput::clean($_POST['rememberme'], 'STRING'));
+}
+$clean_redirect = '';
+if (isset($_POST['xoops_redirect'])) {
+ $clean_redirect = trim(XoopsFilterInput::clean($_POST['xoops_redirect'], 'WEBURL'));
+}
+
+$uname = $clean_uname;
+$pass = $clean_pass;
if ($uname == '' || $pass == '') {
redirect_header(XOOPS_URL.'/user.php', 1, _US_INCORRECTLOGIN);
exit();
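Review bot: `$_POST['xoops_redirect']` is validated with `clean(..., 'WEBURL')` here but only `rawurldecode`d afterwards (next hunk, `$xoops_redirect = rawurldecode($clean_redirect);`), so the scheme check and the `"<>` check inside the filter run on the encoded form rather than on the value that is actually used, and percent-encoded characters that the filter would reject reappear after decoding. The final URL is assembled from `XOOPS_URL` plus this value later in the file, so the practical impact depends on that code, but the check should still apply to the decoded value: `$clean_redirect = trim(XoopsFilterInput::clean(rawurldecode($_POST['xoops_redirect']), 'WEBURL'));` here, with the later `rawurldecode` dropped. The `$uname = $clean_uname; $pass = $clean_pass;` aliases add nothing; assigning `$uname`/`$pass` directly inside the `isset` blocks keeps one name per value.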
@@ -70,15 +89,15 @@
// Set cookie for rememberme
if (!empty($xoopsConfig['usercookie'])) {
- if (!empty($_POST["rememberme"])) {
+ if (!empty($clean_rememberme)) {
setcookie($xoopsConfig['usercookie'], $_SESSION['xoopsUserId'] . '{-}' . md5($user->getVar('pass') . XOOPS_DB_NAME . XOOPS_DB_PASS . XOOPS_DB_PREFIX), time() + 31536000, '/', XOOPS_COOKIE_DOMAIN, 0);
} else {
setcookie($xoopsConfig['usercookie'], 0, -1, '/', XOOPS_COOKIE_DOMAIN, 0);
}
}
- if (!empty($_POST['xoops_redirect']) && !strpos($_POST['xoops_redirect'], 'register')) {
- $xoops_redirect = trim(rawurldecode($_POST['xoops_redirect']));
+ if (!empty($clean_redirect) && !strpos($clean_redirect, 'register')) {
+ $xoops_redirect = rawurldecode($clean_redirect);
$parsed = parse_url(XOOPS_URL);
$url = isset($parsed['scheme']) ? $parsed['scheme'].'://' : 'http://';
if (isset( $parsed['host'])) {
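Review bot: `!strpos($clean_redirect, 'register')` treats a match at offset 0 like no match, because `strpos` returns `0` there and `!0` is true, so a relative value such as `register.php` passes the exclusion that the leading-slash form does not. `strpos($clean_redirect, 'register') === false` is the intended test; the old line had the same flaw, but this line is rewritten in the commit. The `if` block continues past the end of the hunk.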
@@ -90,7 +109,7 @@
$url .= $_SERVER['HTTP_HOST'];
}
if (@$parsed['path']) {
- if (strncmp($parsed['path'], $xoops_redirect, strlen( $parsed['path']))) {
+ if (strncmp($parsed['path'], $xoops_redirect, strlen($parsed['path']))) {
$url .= $parsed['path'];
}
}
@@ -105,9 +124,9 @@
$notification_handler->doLoginMaintenance($user->getVar('uid'));
redirect_header($url, 1, sprintf(_US_LOGGINGU, $user->getVar('uname')), false);
-} else if (empty($_POST['xoops_redirect'])) {
+} else if (empty($clean_redirect)) {
redirect_header(XOOPS_URL . '/user.php', 5, $xoopsAuth->getHtmlErrors());
} else {
- redirect_header(XOOPS_URL . '/user.php?xoops_redirect=' . urlencode(trim($_POST['xoops_redirect'])), 5, $xoopsAuth->getHtmlErrors(), false);
+ redirect_header(XOOPS_URL . '/user.php?xoops_redirect=' . urlencode($clean_redirect), 5, $xoopsAuth->getHtmlErrors(), false);
}
exit();
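Review bot: The rewritten branch uses `} else if (empty($clean_redirect)) {` while the `banners.php` change in this commit uses `elseif`; the single-keyword form, `} elseif (empty($clean_redirect)) {`, is the PSR style and keeps the two files consistent. The enclosing `if`/`else` chain starts outside this hunk.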
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/register.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/register.php 2013-09-22 15:55:58 UTC (rev 12082)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/register.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -45,17 +45,72 @@
return XoopsUserUtility::validate($uname, $email, $pass, $vpass);
}
-$op = isset($_POST['op']) ? $_POST['op'] : (isset($_GET["op"]) ? $_GET["op"] : 'register');
-$uname = isset($_POST['uname']) ? $myts->stripSlashesGPC($_POST['uname']) : '';
-$email = isset($_POST['email']) ? trim($myts->stripSlashesGPC($_POST['email'])) : '';
-$url = isset($_POST['url']) ? trim($myts->stripSlashesGPC($_POST['url'])) : '';
-$pass = isset($_POST['pass']) ? $myts->stripSlashesGPC($_POST['pass']) : '';
-$vpass = isset($_POST['vpass']) ? $myts->stripSlashesGPC($_POST['vpass']) : '';
-$timezone_offset = isset($_POST['timezone_offset']) ? (float) $_POST['timezone_offset'] : $xoopsConfig['default_TZ'];
-$user_viewemail = (isset($_POST['user_viewemail']) && intval($_POST['user_viewemail'])) ? 1 : 0;
-$user_mailok = (isset($_POST['user_mailok']) && intval($_POST['user_mailok'])) ? 1 : 0;
-$agree_disc = (isset($_POST['agree_disc']) && intval($_POST['agree_disc'])) ? 1 : 0;
+XoopsLoad::load('XoopsFilterInput');
+// from $_POST we use keys: op, uname, email, url, pass, vpass, timezone_offset,
+// user_viewemail, user_mailok, agree_disc
+$op='register';
+if (isset($_POST['op'])) {
+ $op = trim(XoopsFilterInput::clean($_POST['op'], 'STRING'));
+}
+$uname='';
+if (isset($_POST['uname'])) {
+ $uname = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['uname']), 'STRING'));
+}
+
+$email='';
+if (isset($_POST['email'])) {
+ $email = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['email']), 'STRING'));
+}
+
+$url='';
+if (isset($_POST['url'])) {
+ $url = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['url']), 'WEBURL'));
+}
+
+$pass='';
+if (isset($_POST['pass'])) {
+ $pass = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['pass']), 'STRING'));
+}
+
+$vpass='';
+if (isset($_POST['vpass'])) {
+ $vpass = trim(XoopsFilterInput::clean($myts->stripSlashesGPC($_POST['vpass']), 'STRING'));
+}
+
+$timezone_offset=$xoopsConfig['default_TZ'];
+if (isset($_POST['timezone_offset'])) {
+ $timezone_offset = XoopsFilterInput::clean($_POST['timezone_offset'], 'FLOAT');
+}
+
+$user_viewemail=false;
+if (isset($_POST['user_viewemail'])) {
+ $user_viewemail = XoopsFilterInput::clean($_POST['user_viewemail'], 'BOOL');
+}
+
+$user_mailok=false;
+if (isset($_POST['user_mailok'])) {
+ $user_mailok = XoopsFilterInput::clean($_POST['user_mailok'], 'BOOL');
+}
+
+$agree_disc=false;
+if (isset($_POST['agree_disc'])) {
+ $agree_disc = XoopsFilterInput::clean($_POST['agree_disc'], 'BOOL');
+}
+
+// from $_GET we may use keys: op, id, actkey
+$clean_id='';
+$clean_actkey='';
+if (!isset($_POST['op']) && isset($_GET['op'])) {
+ $op = XoopsFilterInput::clean($_GET['op'], 'STRING');
+ if (isset($_GET['id'])) {
+ $clean_id = XoopsFilterInput::clean($_GET['id'], 'INT');
+ }
+ if (isset($_GET['actkey'])) {
+ $clean_actkey = XoopsFilterInput::clean($_GET['actkey'], 'STRING');
+ }
+}
+
switch ($op) {
case 'newuser':
$xoopsOption['xoops_pagetitle'] = _US_USERREG;
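Review bot: `$user_viewemail`, `$user_mailok` and `$agree_disc` change type here from `0`/`1` ints to booleans via `clean(..., 'BOOL')`, and `(bool)` accepts any non-empty string other than `'0'` where the old `intval(...)` required a non-zero number; if these flags are later stored or compared as integers (the rest of the script is outside this hunk), a `false` concatenated into a query becomes an empty string. Keeping the old normalisation on top of the filter, `$user_viewemail = XoopsFilterInput::clean($_POST['user_viewemail'], 'INT') ? 1 : 0;` (and likewise for the other two), preserves the stored representation. `$clean_id` is initialised to `''` although it holds an `INT`; `$clean_id = 0;` keeps its type stable for the `empty($id)` check in the `activate` case. `$op` taken from `$_GET` is not `trim`med, unlike the `$_POST` path at the top of the hunk.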
@@ -214,8 +269,8 @@
case 'actv':
case 'activate':
- $id = intval($_GET['id']);
- $actkey = trim($_GET['actkey']);
+ $id = $clean_id;
+ $actkey = $clean_actkey;
if (empty($id)) {
redirect_header('index.php', 1, '');
exit();
Modified: XoopsCore/branches/2.5.x/2.5.7/htdocs/user.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7/htdocs/user.php 2013-09-22 15:55:58 UTC (rev 12082)
+++ XoopsCore/branches/2.5.x/2.5.7/htdocs/user.php 2013-09-22 21:44:50 UTC (rev 12083)
@@ -28,13 +28,32 @@
xoops_loadLanguage('user');
+XoopsLoad::load('XoopsFilterInput');
$op = 'main';
if (isset($_POST['op'])) {
- $op = trim($_POST['op']);
+ // from $_POST we use keys: op, ok
+ $op = trim(XoopsFilterInput::clean($_POST['op']));
+ $clean_ok=false;
+ if (isset($_POST['ok'])) {
+ $clean_ok = XoopsFilterInput::clean($_POST['ok'], 'BOOLEAN');
+ }
} elseif (isset($_GET['op'])) {
- $op = trim($_GET['op']);
+ // from $_GET we may use keys: op, xoops_redirect, id, actkey
+ $op = trim(XoopsFilterInput::clean($_GET['op']));
+ $clean_redirect = '';
+ if (isset($_GET['xoops_redirect'])) {
+ $clean_redirect = XoopsFilterInput::clean($_GET['xoops_redirect'], 'WEBURL');
+ }
+ if (isset($_GET['id'])) {
+ $clean_id = XoopsFilterInput::clean($_GET['id'], 'INT');
+ }
+ if (isset($_GET['actkey'])) {
+ $clean_actkey = XoopsFilterInput::clean($_GET['actkey'], 'STRING');
+ }
}
+
+
if ($op == 'login') {
include_once $GLOBALS['xoops']->path('include/checklogin.php');
exit();
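Review bot: `$clean_ok` is assigned only in the `$_POST['op']` branch and `$clean_redirect`, `$clean_id`, `$clean_actkey` only in the `$_GET['op']` branch, yet the `delete` case in the last hunk of this file reads `!$clean_ok` unconditionally, so a `delete` reached via `$_GET` evaluates an undefined variable, and the `actv` case has to guard with `isset($clean_id)`. Declaring defaults once before the `if`, `$clean_ok = false; $clean_redirect = ''; $clean_id = 0; $clean_actkey = '';`, removes both the notice and the `isset` workaround. The two `clean($_...['op'])` calls rely on the `'string'` default while every other call site in this commit passes `'STRING'` explicitly; passing it here too keeps the intent visible.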
@@ -49,8 +68,8 @@
$xoTheme->addMeta('meta', 'description', _US_LOSTPASSWORD . " " . _US_NOPROBLEM);
$xoopsTpl->assign('lang_login', _LOGIN);
$xoopsTpl->assign('lang_username', _USERNAME);
- if (isset($_GET['xoops_redirect'])) {
- $xoopsTpl->assign('redirect_page', htmlspecialchars(trim($_GET['xoops_redirect']), ENT_QUOTES));
+ if (!empty($clean_redirect)) {
+ $xoopsTpl->assign('redirect_page', htmlspecialchars(trim($clean_redirect), ENT_QUOTES));
}
if ($xoopsConfig['usercookie']) {
$xoopsTpl->assign('lang_rememberme', _US_REMEMBERME);
@@ -65,8 +84,8 @@
include $GLOBALS['xoops']->path('footer.php');
exit();
}
- if (!empty($_GET['xoops_redirect'])) {
- $redirect = trim($_GET['xoops_redirect']);
+ if (!empty($clean_redirect)) {
+ $redirect = trim($clean_redirect);
$isExternal = false;
if ($pos = strpos($redirect, '://')) {
$xoopsLocation = substr(XOOPS_URL, strpos(XOOPS_URL, '://') + 3);
@@ -102,58 +121,10 @@
if ($op == 'actv') {
$GLOBALS['xoopsLogger']->addDeprecated("Deprecated code. The activation is now handled by register.php");
- $id = intval($_GET['id']);
- $actkey = trim($_GET['actkey']);
+ $id = isset($clean_id) ? $clean_id : 0;
+ $actkey = isset($clean_actkey) ? $clean_actkey : '';
redirect_header("register.php?id={$id}&actkey={$actkey}", 1, '');
exit();
-
- if (empty($id)) {
- redirect_header('index.php', 1, '');
-// exit();
- }
- $member_handler =& xoops_gethandler('member');
- $thisuser =& $member_handler->getUser($id);
- if (!is_object($thisuser)) {
- exit();
- }
- if ($thisuser->getVar('actkey') != $actkey) {
- redirect_header('index.php', 5, _US_ACTKEYNOT);
- } else {
- if ($thisuser->getVar('level') > 0) {
- redirect_header('user.php', 5, _US_ACONTACT, false);
- } else {
- if (false != $member_handler->activateUser($thisuser)) {
- $config_handler =& xoops_gethandler('config');
- $xoopsConfigUser = $config_handler->getConfigsByCat(XOOPS_CONF_USER);
- if ($xoopsConfigUser['activation_type'] == 2) {
- $myts =& MyTextSanitizer::getInstance();
- $xoopsMailer =& xoops_getMailer();
- $xoopsMailer->useMail();
- $xoopsMailer->setTemplate('activated.tpl');
- $xoopsMailer->assign('SITENAME', $xoopsConfig['sitename']);
- $xoopsMailer->assign('ADMINMAIL', $xoopsConfig['adminmail']);
- $xoopsMailer->assign('SITEURL', XOOPS_URL . "/");
- $xoopsMailer->setToUsers($thisuser);
- $xoopsMailer->setFromEmail($xoopsConfig['adminmail']);
- $xoopsMailer->setFromName($xoopsConfig['sitename']);
- $xoopsMailer->setSubject(sprintf(_US_YOURACCOUNT, $xoopsConfig['sitename']));
- include $GLOBALS['xoops']->path('header.php');
- if (!$xoopsMailer->send()) {
- printf(_US_ACTVMAILNG, $thisuser->getVar('uname'));
- } else {
- printf(_US_ACTVMAILOK, $thisuser->getVar('uname'));
- }
- include $GLOBALS['xoops']->path('footer.php');
- } else {
- redirect_header('user.php', 5, _US_ACTLOGIN, false);
- }
- } else {
- //TODO remove hardcoded string
- redirect_header('index.php', 5, 'Activation failed!');
- }
- }
- }
- exit();
}
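Review bot: `$actkey` is interpolated into the `register.php?id={$id}&actkey={$actkey}` query string without URL encoding, and a value containing `&`, `=`, `#` or spaces survives the `STRING` filter, so such input produces a malformed redirect and the activation request that follows fails. Encoding it in the interpolation, `redirect_header("register.php?id={$id}&actkey=" . urlencode($actkey), 1, '');`, keeps the key intact; `$id` is an integer by the `INT` filter and needs no encoding. The `isset($clean_id)` / `isset($clean_actkey)` guards exist only because the variables are set in one branch of the `op` dispatch at the top of the file; initialising them there would let these lines read `$id = $clean_id;` and `$actkey = $clean_actkey;`.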
if ($op == 'delete') {
@@ -169,13 +140,13 @@
redirect_header('user.php', 5, _US_ADMINNO);
exit();
}
- $ok = !isset($_POST['ok']) ? 0 : intval($_POST['ok']);
- if ($ok != 1) {
+ if (!$clean_ok) {
include $GLOBALS['xoops']->path('header.php');
xoops_confirm(
array('op' => 'delete', 'ok' => 1),
'user.php',
- _US_SURETODEL . '<br/>' . _US_REMOVEINFO);
+ _US_SURETODEL . '<br/>' . _US_REMOVEINFO
+ );
include $GLOBALS['xoops']->path('footer.php');
} else {
$del_uid = $xoopsUser->getVar("uid");