
[Phpgroupware-cvs] phpgwapi/inc functions.inc.php class.data_clean...


From: Dave Hall
Subject: [Phpgroupware-cvs] phpgwapi/inc functions.inc.php class.data_clean...
Date: Mon, 15 May 2006 07:22:18 +0000

CVSROOT:        /cvsroot/phpgwapi
Module name:    phpgwapi
Branch:         
Changes by:     Dave Hall <address@hidden>      06/05/15 07:22:18

Modified files:
        inc            : functions.inc.php 
Added files:
        inc            : class.data_cleaner.inc.php 

Log message:
        merging data cleaner (antiXSS code) from 16

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/phpgwapi/phpgwapi/inc/class.data_cleaner.inc.php.diff?tr1=1.1&tr2=1.2&r1=text&r2=text
http://cvs.savannah.gnu.org/viewcvs/phpgwapi/phpgwapi/inc/functions.inc.php.diff?tr1=1.186&tr2=1.187&r1=text&r2=text

Patches:
Index: phpgwapi/inc/functions.inc.php
diff -u phpgwapi/inc/functions.inc.php:1.186 
phpgwapi/inc/functions.inc.php:1.187
--- phpgwapi/inc/functions.inc.php:1.186        Mon Apr 10 12:45:17 2006
+++ phpgwapi/inc/functions.inc.php      Mon May 15 07:22:18 2006
@@ -7,7 +7,7 @@
        * @license http://www.fsf.org/licenses/lgpl.html GNU Lesser General 
Public License
        * @package phpgwapi
        * @subpackage utilities
-       * @version $Id: functions.inc.php,v 1.186 2006/04/10 12:45:17 skwashd 
Exp $
+       * @version $Id: functions.inc.php,v 1.187 2006/05/15 07:22:18 skwashd 
Exp $
        */
        
        
@@ -59,6 +59,20 @@
                return $value;
        }
 
+       function clean_vars($vars, $safe_redirect = True)
+       {
+               if ( !is_array($vars) )
+               {
+                       return $GLOBALS['data_cleaner']->clean($vars, 
$safe_redirect);
+               }
+               
+               foreach ( $vars as $key => $val )
+               {
+                       $vars[$key] = clean_vars($val, $safe_redirect);
+               }
+               return $vars;
+       }
+
        /* Make sure the header.inc.php is current. */
        if ($GLOBALS['phpgw_info']['server']['versions']['header'] < 
$GLOBALS['phpgw_info']['server']['versions']['current_header'])
        {
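Review bot: clean_vars() rewrites only the values of $vars — the `$key` from the foreach is reused unchanged as the index — so array keys that originate from the request pass through uncleaned, which matters if any consumer ever echoes a key; either clean keys as well or state the limitation. The helper also assumes $GLOBALS['data_cleaner'] is already populated, yet that object is only created further down in this same file (the last hunk of this patch), so a call made before that point fails on a non-object; a guard such as `if ( !isset($GLOBALS['data_cleaner']) ) { $GLOBALS['data_cleaner'] = createObject('phpgwapi.data_cleaner'); }` at the top would make it self-contained. The function has no docblock; something like `/** Recursively pass every leaf value of $vars through $GLOBALS['data_cleaner']->clean(); keys are left untouched, $safe_redirect is forwarded unchanged. */` would document the contract.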
@@ -180,28 +194,21 @@
                $GLOBALS['phpgw_info']['server']['cache_phpgw_info'] = 
stripslashes($GLOBALS['phpgw']->db->f('config_value'));
        }
 
-       $cache_query = "select content from phpgw_app_sessions where"
-               ." sessionid = '0' and loginid = '0' and app = 'phpgwapi' and 
location = 'config'";
+       $cache_query = "SELECT content from phpgw_app_sessions WHERE"
+               ." sessionid = '0' AND loginid = '0' and app = 'phpgwapi' AND 
location = 'config'";
 
        $GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);
        $server_info_cache = $GLOBALS['phpgw']->db->num_rows();
 
-       if(@$GLOBALS['phpgw_info']['server']['cache_phpgw_info'] && 
$server_info_cache)
+       if(isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
+                       && $GLOBALS['phpgw_info']['server']['cache_phpgw_info']
+                       && $server_info_cache > 0)
        {
                $GLOBALS['phpgw']->db->next_record();
                $GLOBALS['phpgw_info']['server'] = 
unserialize(stripslashes($GLOBALS['phpgw']->db->f('content')));
        }
        else
        {
-/*
-This code doesn't unserialize the variables like the code in config does.  
This was causing problems with
-my new logging stuff.  So I changed it. 
-               $GLOBALS['phpgw']->db->query("select * from phpgw_config WHERE 
config_app='phpgwapi'",__LINE__,__FILE__);
-               while ($GLOBALS['phpgw']->db->next_record())
-               {
-                       
$GLOBALS['phpgw_info']['server'][$GLOBALS['phpgw']->db->f('config_name')] = 
stripslashes($GLOBALS['phpgw']->db->f('config_value'));
-               }
-*/
                $c = CreateObject('phpgwapi.config','phpgwapi');
                $c->read_repository();
                foreach ($c->config_data as $k => $v)
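Review bot: The rewritten $cache_query mixes keyword cases — `SELECT`, `WHERE` and two `AND`s are upper-case while `from` and the remaining `and` are not — so the tidy-up is only half done; `$cache_query = "SELECT content FROM phpgw_app_sessions WHERE" . " sessionid = '0' AND loginid = '0' AND app = 'phpgwapi' AND location = 'config'";` finishes it. The new `isset(...) && ...` guard is fine, but the branch it selects still feeds the content column straight into unserialize() (unchanged context here); that is only acceptable as long as the sessionid '0' rows of phpgw_app_sessions are written by this file alone, and a one-line comment next to the call recording that assumption would help the next reader. The if/else this guard belongs to continues past the end of the hunk.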
@@ -210,13 +217,9 @@
                }
 
 
-               if(@isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info']))
+               if(isset($GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
+                       && $GLOBALS['phpgw_info']['server']['cache_phpgw_info'])
                {
-                       if($server_info_cache)
-                       {
-                               $cache_query = "DELETE FROM phpgw_app_sessions 
WHERE sessionid='0' and loginid='0' and app='phpgwapi' and location='config'";
-                               
$GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);                   
        
-                       }
                        $cache_query = 'INSERT INTO 
phpgw_app_sessions(sessionid,loginid,app,location,content) VALUES('
                                . 
"'0','0','phpgwapi','config','".$GLOBALS['phpgw']->db->db_addslashes(serialize($GLOBALS['phpgw_info']['server']))."')";
                        
$GLOBALS['phpgw']->db->query($cache_query,__LINE__,__FILE__);
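Review bot: Dropping the DELETE before the INSERT is only correct because this else branch is reached when caching is disabled or the `$server_info_cache > 0` test failed, i.e. no 'config' row for sessionid '0' exists — that invariant lives in the condition of the enclosing if/else, which starts outside this hunk, so record it next to the INSERT: `// No DELETE needed: this branch only runs when no cached row exists ($server_info_cache <= 0) or caching is off`. If num_rows() can return a negative sentinel on some database backend, the new `> 0` comparison would send that case into this branch and the INSERT would run with rows present; I cannot confirm that from this file, which is another reason to make the assumption visible.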
@@ -224,7 +227,20 @@
        }
        unset($cache_query);
        unset($server_info_cache);
-       if(@isset($GLOBALS['phpgw_info']['server']['enforce_ssl']) && !$HTTPS)
+
+       // Remove this and I will make sure that you lose important parts of 
your anatomy - skwashd
+       $GLOBALS['RAW_REQUEST'] = $_REQUEST; // if you really need the raw value
+       $to_cleans = array('_GET', '_POST', '_COOKIE', '_REQUEST');
+       $GLOBALS['data_cleaner'] = createObject('phpgwapi.data_cleaner'); // We 
create it for the whole call ...
+       foreach ( $to_cleans as $to_clean )
+       {
+               if ( isset($GLOBALS[$to_clean]) && 
is_array($GLOBALS[$to_clean]) && count($GLOBALS[$to_clean]) )
+               {
+                       $GLOBALS[$to_clean] = clean_vars($GLOBALS[$to_clean]);
+               }
+       }
+
+       if(isset($GLOBALS['phpgw_info']['server']['enforce_ssl']) && 
!(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) )
        {
                Header('Location: https://' . 
$GLOBALS['phpgw_info']['server']['hostname'] . 
$GLOBALS['phpgw_info']['server']['webserver_url'] . $_SERVER['REQUEST_URI']);
                exit;
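Review bot: The new HTTPS detection `isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']` treats any non-empty value as "on", but some web servers (IIS via ISAPI is the documented case) set HTTPS to the string 'off' on plain-HTTP requests, so on those hosts enforce_ssl would never redirect; compare the value instead: `!(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] && strtolower($_SERVER['HTTPS']) != 'off')`. The cleaning loop runs only after the config/cache code above it, so anything earlier in this file, or included before this point, still sees the raw superglobals — presumably intended, but a comment on the `$to_cleans` line saying so would prevent someone moving it. `createObject('phpgwapi.data_cleaner')` is spelled `CreateObject(...)` where the config object is built a few hunks up; pick one spelling. The enforce_ssl block continues past the end of the hunk.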



