[Phpgroupware-cvs] phpgwapi/inc functions.inc.php class.data_clean...
From: |
Dave Hall |
Subject: |
[Phpgroupware-cvs] phpgwapi/inc functions.inc.php class.data_clean... |
Date: |
Mon, 15 May 2006 07:22:18 +0000 |
CVSROOT: /cvsroot/phpgwapi
Module name: phpgwapi
Branch:
Changes by: Dave Hall <address@hidden> 06/05/15 07:22:18
Modified files:
inc : functions.inc.php
Added files:
inc : class.data_cleaner.inc.php
Log message:
merging data cleaner (antiXSS code) from 16
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/phpgwapi/phpgwapi/inc/class.data_cleaner.inc.php.diff?tr1=1.1&tr2=1.2&r1=text&r2=text
http://cvs.savannah.gnu.org/viewcvs/phpgwapi/phpgwapi/inc/functions.inc.php.diff?tr1=1.186&tr2=1.187&r1=text&r2=text
Patches:
Index: phpgwapi/inc/functions.inc.php
diff -u phpgwapi/inc/functions.inc.php:1.186
phpgwapi/inc/functions.inc.php:1.187
--- phpgwapi/inc/functions.inc.php:1.186 Mon Apr 10 12:45:17 2006
+++ phpgwapi/inc/functions.inc.php Mon May 15 07:22:18 2006
@@ -7,7 +7,7 @@
* @license http://www.fsf.org/licenses/lgpl.html GNU Lesser General
Public License
* @package phpgwapi
* @subpackage utilities
- * @version $Id: functions.inc.php,v 1.186 2006/04/10 12:45:17 skwashd
Exp $
+ * @version $Id: functions.inc.php,v 1.187 2006/05/15 07:22:18 skwashd
Exp $
*/
@@ -59,6 +59,20 @@
return $value;
}
+ function clean_vars($vars, $safe_redirect = True)
+ {
+ if ( !is_array($vars) )
+ {
+ return $GLOBALS['data_cleaner']->clean($vars,
$safe_redirect);
+ }
+
+ foreach ( $vars as $key => $val )
+ {
+ $vars[$key] = clean_vars($val, $safe_redirect);
+ }
+ return $vars;
+ }
+
/* Make sure the header.inc.php is current. */
if ($GLOBALS['phpgw_info']['server']['versions']['header'] <
$GLOBALS['phpgw_info']['server']['versions']['current_header'])
{
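Review bot: clean_vars recurses into values only, so array keys come back untouched and a hostile key in $_GET/$_POST (the `foreach ($_POST as $name => $value)` pattern that later echoes `$name`) still reaches output unescaped; that limit belongs in a header comment such as `// Recursively passes every scalar in $vars through data_cleaner->clean(); array KEYS are left as-is and must still be escaped at output`. The function also hard-depends on `$GLOBALS['data_cleaner']` already existing, which in this patch is created further down functions.inc.php, so any call made before that point fails with an undefined-object error; a guard like `if ( !isset($GLOBALS['data_cleaner']) ) { $GLOBALS['data_cleaner'] = createObject('phpgwapi.data_cleaner'); }` at the top would make it safe to call from anywhere createObject is loaded. What clean() does with its input and what `$safe_redirect` controls live in class.data_cleaner.inc.php, which this page does not show, so callers cannot tell from here how much the value is altered.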
@@ -180,28 +194,21 @@
$GLOBALS['phpgw_info']['server']['cache_phpgw_info'] =
stripslashes($GLOBALS['phpgw']->db->f('config_value'));
}
- $cache_query = "select content from phpgw_app_sessions where"
- ." sessionid = '0' and loginid = '0' and app = 'phpgwapi' and
location = 'config'";
+ $cache_query = "SELECT content from phpgw_app_sessions WHERE"
+ ." sessionid = '0' AND loginid = '0' and app = 'phpgwapi' AND
location = 'config'";
$GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);
$server_info_cache = $GLOBALS['phpgw']->db->num_rows();
- if(@$GLOBALS['phpgw_info']['server']['cache_phpgw_info'] &&
$server_info_cache)
+ if(isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
+ && $GLOBALS['phpgw_info']['server']['cache_phpgw_info']
+ && $server_info_cache > 0)
{
$GLOBALS['phpgw']->db->next_record();
$GLOBALS['phpgw_info']['server'] =
unserialize(stripslashes($GLOBALS['phpgw']->db->f('content')));
}
else
{
-/*
-This code doesn't unserialize the variables like the code in config does.
This was causing problems with
-my new logging stuff. So I changed it.
- $GLOBALS['phpgw']->db->query("select * from phpgw_config WHERE
config_app='phpgwapi'",__LINE__,__FILE__);
- while ($GLOBALS['phpgw']->db->next_record())
- {
-
$GLOBALS['phpgw_info']['server'][$GLOBALS['phpgw']->db->f('config_name')] =
stripslashes($GLOBALS['phpgw']->db->f('config_value'));
- }
-*/
$c = CreateObject('phpgwapi.config','phpgwapi');
$c->read_repository();
foreach ($c->config_data as $k => $v)
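Review bot: The rewritten `$cache_query` lines mix keyword case (`SELECT … from … WHERE … AND … and … AND`); if the intent of the change is to capitalise SQL keywords, finish the job: `"SELECT content FROM phpgw_app_sessions WHERE"` followed by `." sessionid = '0' AND loginid = '0' AND app = 'phpgwapi' AND location = 'config'"`. The new `$server_info_cache > 0` test presumably assumes num_rows() returns an integer; a driver that returns false on error still yields false for the comparison, so the fallback path is taken, which is acceptable. The unserialize() of the cached row just below is not touched by this commit, but it deserialises whatever sits in phpgw_app_sessions, so that table must remain writable only by the application itself.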
@@ -210,13 +217,9 @@
}
- if(@isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info']))
+ if(isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
+ && $GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
{
- if($server_info_cache)
- {
- $cache_query = "DELETE FROM phpgw_app_sessions
WHERE sessionid='0' and loginid='0' and app='phpgwapi' and location='config'";
-
$GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);
- }
$cache_query = 'INSERT INTO
phpgw_app_sessions(sessionid,loginid,app,location,content) VALUES('
.
"'0','0','phpgwapi','config','".$GLOBALS['phpgw']->db->db_addslashes(serialize($GLOBALS['phpgw_info']['server']))."')";
$GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);
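Review bot: Dropping the DELETE makes the INSERT rely on no `sessionid='0' … location='config'` row existing, which holds for a single request (the else branch is only reached with caching disabled or zero rows), but two requests that both miss the cache before either has inserted will each insert a row, and nothing visible here de-duplicates unless phpgw_app_sessions carries a unique key on those columns, which this page cannot show. If duplicates matter, keep a `DELETE FROM phpgw_app_sessions WHERE sessionid='0' AND loginid='0' AND app='phpgwapi' AND location='config'` immediately before the INSERT, or use a REPLACE/upsert where the backend supports one. The `if` opened on the `cache_phpgw_info` line closes outside this hunk.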
@@ -224,7 +227,20 @@
}
unset($cache_query);
unset($server_info_cache);
- if(@isset($GLOBALS['phpgw_info']['server']['enforce_ssl']) && !$HTTPS)
+
+ // Remove this and I will make sure that you lose important parts of
your anatomy - skwashd
+ $GLOBALS['RAW_REQUEST'] = $_REQUEST; // if you really need the raw value
+ $to_cleans = array('_GET', '_POST', '_COOKIE', '_REQUEST');
+ $GLOBALS['data_cleaner'] = createObject('phpgwapi.data_cleaner'); // We
create it for the whole call ...
+ foreach ( $to_cleans as $to_clean )
+ {
+ if ( isset($GLOBALS[$to_clean]) &&
is_array($GLOBALS[$to_clean]) && count($GLOBALS[$to_clean]) )
+ {
+ $GLOBALS[$to_clean] = clean_vars($GLOBALS[$to_clean]);
+ }
+ }
+
+ if(isset($GLOBALS['phpgw_info']['server']['enforce_ssl']) &&
!(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) )
{
Header('Location: https://' .
$GLOBALS['phpgw_info']['server']['hostname'] .
$GLOBALS['phpgw_info']['server']['webserver_url'] . $_SERVER['REQUEST_URI']);
exit;
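Review bot: The new HTTPS test `!(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])` treats any non-empty value as TLS, but IIS sets `$_SERVER['HTTPS']` to the string `'off'` on plain-HTTP requests, so enforce_ssl would silently stop redirecting there; compare the value instead: `!(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] && strtolower($_SERVER['HTTPS']) !== 'off')`. The scrub loop covers `_GET`, `_POST`, `_COOKIE` and `_REQUEST` only; `$_SERVER` (including the `REQUEST_URI` concatenated into the Location header just below) and `$_FILES` names stay raw, and if any code still reads the PHP4 long arrays such as `$HTTP_GET_VARS` those are not rewritten either — a comment beside `$to_cleans` stating that intended scope would save the next maintainer from assuming everything is cleaned. Input scrubbing like this is a defence-in-depth layer rather than a replacement for context-specific escaping at output, and `RAW_REQUEST` keeps only `$_REQUEST`, so pre-clean `$_POST`/`$_COOKIE` values are recoverable only insofar as `$_REQUEST` carries them. The Header/exit lines themselves are unchanged by this commit.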