
[Phpgroupware-cvs] phpgwapi/inc functions.inc.php,1.121.2.13.2.24


From: skwashd
Subject: [Phpgroupware-cvs] phpgwapi/inc functions.inc.php,1.121.2.13.2.24
Date: Fri, 26 Aug 2005 03:33:00 +0200

Update of phpgwapi/inc

Modified Files:
     Branch: Version-0_9_16-branch
            functions.inc.php lines: +41 -39

Log Message:
fix XSS problems and one admin option being broken

====================================================
Index: phpgwapi/inc/functions.inc.php
diff -u phpgwapi/inc/functions.inc.php:1.121.2.13.2.23 
phpgwapi/inc/functions.inc.php:1.121.2.13.2.24
--- phpgwapi/inc/functions.inc.php:1.121.2.13.2.23      Wed Aug 24 13:46:44 2005
+++ phpgwapi/inc/functions.inc.php      Fri Aug 26 01:33:15 2005
@@ -25,9 +25,9 @@
        include_once(PHPGW_API_INC.'/common_functions.inc.php');

        /*!
-        @function lang
-        @abstract function to handle multilanguage support
-       */
+         @function lang
+         @abstract function to handle multilanguage support
+        */
        function 
lang($key,$m1='',$m2='',$m3='',$m4='',$m5='',$m6='',$m7='',$m8='',$m9='',$m10='')
        {
                if(is_array($m1))
@@ -42,6 +42,34 @@
                return $value;
        }

+       function clean_vars($vars)
+       {
+               if ( !is_array($vars) )
+               {
+                       $data_cleaner = createObject('phpgwapi.data_cleaner', 
$vars);
+                       return $data_cleaner->clean();
+               }
+
+               foreach ( $vars as $key => $val )
+               {
+                       $vars[$key] = clean_vars($val);
+               }
+               return $vars;
+       }
+
+       // Remove this and I will make sure that you lose important parts of 
your anatomy - skwashd
+       $GLOBALS['RAW_REQUEST'] = $_REQUEST; // if you really need the raw value
+       $to_cleans = array('_GET', '_POST', '_COOKIE', '_REQUEST');
+       foreach ( $to_cleans as $to_clean )
+       {
+               if ( isset($GLOBALS[$to_clean]) && 
is_array($GLOBALS[$to_clean]) && count($GLOBALS[$to_clean]) )
+               {
+                       $GLOBALS['to_clean'] = clean_vars($GLOBALS['to_clean']);
+                       $GLOBALS["HTTP{$to_change}_VARS"] = 
$GLOBALS[$to_change];//legacy app support - will be dropped in 18
+               }
+       }
+
+
        /* Make sure the header.inc.php is current. */
        if ($GLOBALS['phpgw_info']['server']['versions']['header'] < 
$GLOBALS['phpgw_info']['server']['versions']['current_header'])
        {
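Review bot: The new cleaning loop never reaches the request arrays: `$GLOBALS['to_clean'] = clean_vars($GLOBALS['to_clean']);` indexes with the string literal `'to_clean'` instead of the loop variable, so `$_GET`, `$_POST`, `$_COOKIE` and `$_REQUEST` are left exactly as received and the XSS fix named in the log message is not actually applied. The following line uses `$to_change`, which nothing in this hunk assigns (the loop variable is `$to_clean`), so the legacy `HTTP*_VARS` copy is written under a wrong key as well; both lines should read `$GLOBALS[$to_clean] = clean_vars($GLOBALS[$to_clean]);` and `$GLOBALS["HTTP{$to_clean}_VARS"] = $GLOBALS[$to_clean];`. Because this block is the only sanitisation pass before the rest of the API loads, a smoke check that a known unsafe value in `$_GET` differs from `$GLOBALS['RAW_REQUEST']` after this point would have caught the regression. The `if` opened on the last lines of the hunk continues outside it.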
@@ -54,20 +82,20 @@
        if (!isset($GLOBALS['phpgw_info']['flags']['currentapp']))
        {
                /* This object does not exist yet. */
-       /*      $GLOBALS['phpgw']->log->write(array('text'=>'W-MissingFlags, 
currentapp flag not set'));*/
+               /*      
$GLOBALS['phpgw']->log->write(array('text'=>'W-MissingFlags, currentapp flag 
not set'));*/

                echo '<b>!!! YOU DO NOT HAVE YOUR 
$GLOBALS[\'phpgw_info\'][\'flags\'][\'currentapp\'] SET !!!';
                echo '<br />!!! PLEASE CORRECT THIS SITUATION !!!</b>';
        }

        magic_quotes_runtime(false);
-// Can't use this yet - errorlog hasn't been created.
-//     print_debug('sane environment','messageonly','api');
+       // Can't use this yet - errorlog hasn't been created.
+       //      print_debug('sane environment','messageonly','api');

        
/****************************************************************************\
-       * Multi-Domain support                                                  
     *
-       
\****************************************************************************/
-
+        * Multi-Domain support                                                 
      *
+        
\****************************************************************************/
+
        /* make them fix their header */
        if (!isset($GLOBALS['phpgw_domain']))
        {
@@ -113,34 +141,8 @@
                unset ($GLOBALS['phpgw_domain']); // we kill this for security 
reasons
        }

-// Can't use this yet - errorlog hasn't been created.
-//     print_debug('domain',@$GLOBALS['phpgw_info']['user']['domain'],'api');
-
-       // Remove this and you will loose important parts of your anatomy - 
skwashd
-       $GLOBALS['RAW_REQUEST'] = $_REQUEST; // if you really need the raw value
-       $to_cleans = array('_GET', '_POST', '_COOKIE', '_REQUEST');
-       $data_cleaner = createObject('phpgwapi.data_cleaner', '');
-       foreach ( $to_cleans as $to_clean )
-       {
-               if ( isset($GLOBALS[$to_clean]) && 
is_array($GLOBALS[$to_clean]) && count($GLOBALS[$to_clean]) )
-               {
-                       foreach ( $GLOBALS[$to_clean] as $key => $val )
-                       {
-                               if ( !is_array($val) )
-                               {
-                                       $GLOBALS[$to_clean][$key] = 
$data_cleaner->clean($val);
-                               }
-                               else
-                               {
-                                       foreach ( $val as $skey => $sval )
-                                       {
-                                               
$GLOBALS[$to_clean][$key][$skey] = $data_cleaner->clean($val);
-                                       }
-                               }
-                       }
-                       $GLOBALS["HTTP{$to_change}_VARS"] = 
$GLOBALS[$to_change];
-               }
-       }
+       // Can't use this yet - errorlog hasn't been created.
+       //      
print_debug('domain',@$GLOBALS['phpgw_info']['user']['domain'],'api');

         
/****************************************************************************\
         * These lines load up the API, fill up the $phpgw_info array, etc      
      *
@@ -481,5 +483,5 @@
                        include_once(PHPGW_APP_INC . '/header.inc.php');
                }
        }
-
+
        error_reporting(E_ERROR | E_WARNING | E_PARSE);





