author | Benny Baumann <BenBE@geshi.org> | 2014-04-30 20:13:28 +0200 |
---|---|---|
committer | Benny Baumann <BenBE@geshi.org> | 2014-04-30 20:18:56 +0200 |
commit | 7f02d479140d2c47e9359191ed2a7d687c6b9a33 (patch) | |
tree | fd72a22729f6fb9575396a3a4443e2c0f76c3991 | |
parent | 2801b166026e48e2133ac5e8ba68f3d699c4dbd2 (diff) | |
bug 1138: And yet another bunch of escaping
-rw-r--r-- | pages/wot/1.php | 4 | ||||
-rw-r--r-- | pages/wot/10.php | 18 | ||||
-rw-r--r-- | pages/wot/9.php | 16 | ||||
-rw-r--r-- | stamp/common.php | 4 | ||||
-rw-r--r-- | www/api/ccsr.php | 14 | ||||
-rw-r--r-- | www/api/cemails.php | 6 | ||||
-rw-r--r-- | www/index.php | 6 | ||||
-rw-r--r-- | www/wot.php | 50 |
8 files changed, 59 insertions, 59 deletions
diff --git a/pages/wot/1.php b/pages/wot/1.php index 99c2b9f..d6e298d 100644 --- a/pages/wot/1.php +++ b/pages/wot/1.php @@ -108,9 +108,9 @@ </tr> <? while($row = mysql_fetch_assoc($list)) { ?> <tr> - <td class="DataTD" width="100"><nobr><?=$row['fname']?> <?=substr($row['lname'], 0, 1)?></nobr></td> + <td class="DataTD" width="100"><nobr><?=sanitizeHTML($row['fname'])?> <?=substr($row['lname'], 0, 1)?>.</nobr></td> <td class="DataTD"><?=maxpoints($row['id'])?></td> - <td class="DataTD"><?=$row['contactinfo']?></td> + <td class="DataTD"><?=sanitizeHTML($row['contactinfo'])?></td> <td class="DataTD"><a href="wot.php?id=9&userid=<?=intval($row['id'])?>"><?=_("Email Me")?></a></td> <td class="DataTD"><?=$row['assurer']?_("Yes"):("<font color=\"#ff0000\">"._("Not yet!")."</font>")?></td> diff --git a/pages/wot/10.php b/pages/wot/10.php index c7e1ff1..b0dc739 100644 --- a/pages/wot/10.php +++ b/pages/wot/10.php @@ -71,11 +71,11 @@ $fromuser = mysql_fetch_assoc(mysql_query("select `fname`, `lname` from `users` where `id`='".intval($row['from'])."'")); ?> <tr> - <td class="DataTD"><?=$row['id']?></td> + <td class="DataTD"><?=intval($row['id'])?></td> <td class="DataTD"><?=$row['date']?></td> - <td class="DataTD"><a href="wot.php?id=9&userid=<?=intval($row['from'])?>"><?=$fromuser['fname']." ".$fromuser['lname']?></td> - <td class="DataTD"><?=$row['points']?></td> - <td class="DataTD"><?=$row['location']?></td> + <td class="DataTD"><a href="wot.php?id=9&userid=<?=intval($row['from'])?>"><?=sanitizeHTML(trim($fromuser['fname']." ".$fromuser['lname']))?></td> + <td class="DataTD"><?=intval($row['points'])?></td> + <td class="DataTD"><?=sanitizeHTML($row['location'])?></td> <td class="DataTD"><?=_(sprintf("%s", $row['method']))?></td> </tr> <? 
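Review bot: The new `fname` cell in pages/wot/1.php is escaped, but `substr($row['lname'], 0, 1)` on the same line is still written raw; a one-character slice can be `<`, `&` or `"`, and a byte-wise substr on a multi-byte name can also emit a truncated UTF-8 sequence. Wrap it the same way as its neighbour: `<?=sanitizeHTML(substr($row['lname'], 0, 1))?>`. The while loop this row belongs to is closed outside the hunk.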
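Review bot: In the pages/wot/10.php hunk, `$row['method']` is still rendered unescaped through `_(sprintf("%s", $row['method']))` in the last cell of the row; `sprintf("%s", …)` is a no-op and gettext returns its argument unchanged when no translation exists, so markup stored in `method` reaches the page, and `$row['date']` two cells up is printed raw as well. Escape the result of the lookup rather than the key so translations keep working: `<?=sanitizeHTML(_(sprintf("%s", $row['method'])))?>`. The `<a>` opened in the from-user cell is also never closed before `</td>`. The enclosing while loop starts and ends outside the hunk.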
@@ -119,25 +119,25 @@ if ($thawte) while($row = mysql_fetch_assoc($res)) { $fromuser = mysql_fetch_assoc(mysql_query("select `fname`, `lname` from `users` where `id`='".intval($row['to'])."'")); - $points += $row['points']; + $points += intval($row['points']); $name = trim($fromuser['fname']." ".$fromuser['lname']); if($name == "") $name = _("Deleted before Verification"); else - $name = "<a href='wot.php?id=9&userid=".intval($row['to'])."'>$name</a>"; + $name = "<a href='wot.php?id=9&userid=".intval($row['to'])."'>".sanitizeHTML($name)."</a>"; ?> <tr> <td class="DataTD"><?=intval($row['id'])?></td> <td class="DataTD"><?=$row['date']?></td> - <td class="DataTD"><?=$name?></td> + <td class="DataTD"><?=sanitizeHTML($name)?></td> <td class="DataTD"><?=intval($row['points'])?></td> - <td class="DataTD"><?=$row['location']?></td> + <td class="DataTD"><?=sanitizeHTML($row['location'])?></td> <td class="DataTD"><?=$row['method']==""?"":_(sprintf("%s", $row['method']))?></td> </tr> <? } ?> <tr> <td class="DataTD" colspan="3"><b><?=_("Total Points Issued")?>:</b></td> - <td class="DataTD"><?=$points?></td> + <td class="DataTD"><?=intval($points)?></td> <td class="DataTD" colspan="2"> </td> </tr> </table> diff --git a/pages/wot/9.php b/pages/wot/9.php index b492ff6..e4fff21 100644 --- a/pages/wot/9.php +++ b/pages/wot/9.php @@ -28,7 +28,7 @@ $user = mysql_fetch_array($res); $userlang = $user['language']; $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary` - where `to`='".$user['id']."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0")); + where `to`='".intval($user['id'])."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0")); if($points <= 0) { echo _("Sorry, I was unable to locate that user."); 
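Review bot: In the pages/wot/10.php hunk, `$name` is now escaped twice: the else branch builds `<a …>` around `sanitizeHTML($name)`, and the cell then prints `sanitizeHTML($name)` again, so the anchor markup itself is entity-encoded and the link is rendered as literal `&lt;a href=…` text. Escape in one place only: keep the construction as written, escape the other branch too with `$name = sanitizeHTML(_("Deleted before Verification"));`, and print the cell as `<td class="DataTD"><?=$name?></td>`. `$row['date']` and `$row['method']` in the same row remain unescaped. The `if ($thawte)` block this sits in begins outside the hunk.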
@@ -38,31 +38,31 @@ ?> <? if($_SESSION['_config']['error'] != "") { ?><font color="#ff0000" size="+1">ERROR: <?=$_SESSION['_config']['error']?></font><? unset($_SESSION['_config']['error']); } ?> <form method="post" action="wot.php"> -<input type="hidden" name="userid" value="<?=$user['id']?>"> +<input type="hidden" name="userid" value="<?=intval($user['id'])?>"> <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper"> <tr> <td colspan="2" class="title"><?=_("Contact Assurer")?></td> </tr> <tr> <td class="DataTD"><?=_("To")?>:</td> - <td class="DataTD" align="left"><?=$user['fname']?> <?=substr($user['lname'], 0, 1)?></td> + <td class="DataTD" align="left"><?=sanitizeHTML(trim($user['fname'].' '.substr($user['lname'], 0, 1)))?></td> </tr> <? if($userlang != "") { ?> <tr> <td class="DataTD"><?=_("Language")?>:</td> - <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), $user['fname'], L10n::$translations[$userlang]) ?></td> + <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), sanitizeHTML($user['fname']), L10n::$translations[$userlang]) ?></td> </tr> <? } ?> <? - $query = "select * from `addlang` where `userid`='".$user['id']."'"; + $query = "select * from `addlang` where `userid`='".intval($user['id'])."'"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) { - $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='${row['lang']}'")); + $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='".mysql_real_escape_string($row['lang'])."'")); ?> <tr> <td class="DataTD"><?=_("Additional Language")?>:</td> - <td class="DataTD" align="left"><? printf(_("%s will also accept email in %s - %s"), $user['fname'], $lang['lang'], $lang['country']) ?></td> + <td class="DataTD" align="left"><? 
printf(_("%s will also accept email in %s - %s"), sanitizeHTML($user['fname']), sanitizeHTML($lang['lang']), sanitizeHTML($lang['country'])) ?></td> </tr> <? } ?> <tr> @@ -79,7 +79,7 @@ </table> <input type="hidden" name="pageid" value="<?=$_SESSION['_config']['pagehash']?>"> <input type="hidden" name="userid" value="<?=intval($_REQUEST['userid'])?>"> -<input type="hidden" name="oldid" value="<?=$id?>"> +<input type="hidden" name="oldid" value="<?=intval($id)?>"> </form> <p>[ <a href='javascript:history.go(-1)'><?=_("Go Back")?></a> ]</p> <? } } ?> diff --git a/stamp/common.php b/stamp/common.php index d0a71f4..d99a23a 100644 --- a/stamp/common.php +++ b/stamp/common.php @@ -41,9 +41,9 @@ if($row['certid'] > 0) { if($row['org'] == 0) - $query = "select * from `domaincerts` where `id`='$row[certid]' and `expire`>NOW() and `revoked`=0"; + $query = "select * from `domaincerts` where `id`='".intval($row['certid'])."' and `expire`>NOW() and `revoked`=0"; else - $query = "select * from `orgdomaincerts` where `id`='$row[certid]' and `expire`>NOW() and `revoked`=0"; + $query = "select * from `orgdomaincerts` where `id`='".intval($row['certid'])."' and `expire`>NOW() and `revoked`=0"; if($_REQUEST['debug'] == 1) echo $query."<br>\n"; $res = mysql_query($query); diff --git a/www/api/ccsr.php b/www/api/ccsr.php index aa33baa..54d7dc9 100644 --- a/www/api/ccsr.php +++ b/www/api/ccsr.php @@ -31,7 +31,7 @@ require_once '../../includes/lib/check_weak_key.php'; foreach($_REQUEST['email'] as $email) { $email = mysql_real_escape_string(trim($email)); - $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0 and `email`='$email'"; + $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0 and `email`='$email'"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { 
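Review bot: In the pages/wot/9.php `@@ -38` hunk, the error banner at the top still echoes `$_SESSION['_config']['error']` raw inside `<font>`, while every neighbouring DB field in the hunk is now escaped; if any handler stores request-derived text there (the wot.php message path is the obvious candidate, not visible here) it is reflected unescaped. Use `<?=sanitizeHTML($_SESSION['_config']['error'])?>`. `L10n::$translations[$userlang]` is also printed raw; `$userlang` comes from the `language` column, so assuming `$translations` is a fixed table an unknown key only produces a notice and an empty string, but wrapping it in sanitizeHTML would be consistent with the rest of the change. The page code this form belongs to begins before the hunk.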
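Review bot: In the stamp/common.php hunk, the context line `if($_REQUEST['debug'] == 1) echo $query."<br>\n";` prints the assembled SQL, including table names and the certificate id, to any client that appends `?debug=1`; the intval fix on the two query lines does not change that. Remove the debug echo, or gate it on something the caller does not control such as a server-side constant. The `if($row['certid'] > 0)` block continues past the hunk.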
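Review bot: In the www/api/ccsr.php `@@ -31` hunk, `foreach($_REQUEST['email'] as $email)` assumes an array; a request with a scalar `email=` parameter raises a PHP warning (which lands in the line-oriented API output) and skips the loop entirely. Cast it at the point of use, `foreach((array)$_REQUEST['email'] as $email)`, or reject non-array input explicitly before the loop. The block that fills `$emails` continues beyond the hunk.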
@@ -42,7 +42,7 @@ require_once '../../includes/lib/check_weak_key.php'; } if(count($emails) <= 0) die("404,Wasn't able to match any emails sent against your account"); - $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' and `notary`.`deleted`=0 group by `to`"; + $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`"; $row = mysql_fetch_assoc(mysql_query($query)); $points = $row['points']; @@ -82,9 +82,9 @@ require_once '../../includes/lib/check_weak_key.php'; foreach($emails as $id => $email) $csrsubject .= "/emailAddress=".$email; - $query = "insert into `emailcerts` set `CN`='".$user['email']."', `keytype`='MS', - `memid`='".$user['id']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), - `subject`='$csrsubject', `codesign`='$codesign'"; + $query = "insert into `emailcerts` set `CN`='".mysql_real_escape_string($user['email'])."', `keytype`='MS', + `memid`='".intval($user['id'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), + `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".intval($codesign)."'"; mysql_query($query); $certid = mysql_insert_id(); $CSRname = generatecertpath("csr","client",$certid); 
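Review bot: In the `@@ -82` hunk, `$csrsubject` is built by appending `"/emailAddress=".$email` with no escaping of OpenSSL subject syntax, so an address containing `/` or `=` would introduce extra RDN components in the request handed to the signer; the new mysql_real_escape_string protects only the database copy of the subject. Whether this is reachable depends on what registration lets into the `email` table, which is not visible here — `$emails` is filled from that table in the earlier hunk. A cheap guard is to reject any address where `strpbrk($email, "/=\\") !== false` before it is appended. The surrounding code begins and ends outside the hunk.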
@@ -93,14 +93,14 @@ require_once '../../includes/lib/check_weak_key.php'; mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$certid'"); foreach($emails as $emailid => $email) - mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='$emailid'"); + mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='".intval($emailid)."'"); $do = `../../scripts/runclient`; sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''"; $res = mysql_query($query); if(mysql_num_rows($res) <= 0) - die("404,Your certificate request has failed. ID: $certid"); + die("404,Your certificate request has failed. ID: ".intval($certid)); $cert = mysql_fetch_assoc($res); echo "200,Authentication Ok\n"; readfile("../".$cert['crt_name']); diff --git a/www/api/cemails.php b/www/api/cemails.php index 260ca4f..4eb7597 100644 --- a/www/api/cemails.php +++ b/www/api/cemails.php @@ -25,7 +25,7 @@ echo "200,Authentication Ok\n"; $user = mysql_fetch_assoc($res); $memid = $user['id']; - $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' and `notary`.`deleted`=0 group by `to`"; + $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`"; $row = mysql_fetch_assoc(mysql_query($query)); $points = $row['points']; echo "CS=".intval($user['codesign'])."\n"; 
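Review bot: In the www/api/ccsr.php `@@ -93` hunk, the commit wraps `$certid` in intval for the die message but leaves it interpolated raw in the `update` and `select` queries above it (`where `id`='$certid'`), and `$CSRname` is likewise unescaped; `$certid` comes from mysql_insert_id so it is numeric in practice, but writing `where `id`='".intval($certid)."'` there too keeps the hunk consistent with the rest of this change. Separately, `readfile("../".$cert['crt_name'])` serves whatever path the row holds, and the `sleep(10)` the existing comment flags as broken is a fixed wait on an external signer. The surrounding code continues outside the hunk.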
@@ -40,8 +40,8 @@ if($user['mname'] != "" && $user['suffix'] != "") echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." ".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n"; } - $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0"; + $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0"; $res = mysql_query($query); while($row = mysql_fetch_assoc($res)) - echo "EMAIL=".$row['email']."\n"; + echo "EMAIL=".sanitizeHTML($row['email'])."\n"; ?> diff --git a/www/index.php b/www/index.php index bb71a63..40a8e86 100644 --- a/www/index.php +++ b/www/index.php @@ -307,19 +307,19 @@ require_once('../includes/lib/l10n.php'); $_SESSION['profile'] = ""; unset($_SESSION['profile']); $_SESSION['profile'] = mysql_fetch_assoc($res); - $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'"; + $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".intval($_SESSION['profile']['id'])."'"; mysql_query($query); if($_SESSION['profile']['language'] == "") { $query = "update `users` set `language`='".L10n::get_translation()."' - where `id`='".$_SESSION['profile']['id']."'"; + where `id`='".intval($_SESSION['profile']['id'])."'"; mysql_query($query); } else { L10n::set_translation($_SESSION['profile']['language']); L10n::init_gettext(); } - $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`"; + $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`"; $res = mysql_query($query); $row = mysql_fetch_assoc($res); $_SESSION['profile']['points'] = $row['total']; diff --git a/www/wot.php b/www/wot.php index dec4246..7ce757d 100644 --- a/www/wot.php +++ b/www/wot.php 
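Review bot: In the www/api/cemails.php hunk, `"EMAIL=".sanitizeHTML($row['email'])` applies HTML escaping to a line-oriented text API response, so an address containing `&` or `'` is returned mangled to the client, assuming sanitizeHTML is an htmlentities-style helper as its name suggests; the `NAME=` line above already has the same problem. The hazard in this channel is a CR/LF inside the value, which HTML escaping does not address: `echo "EMAIL=".str_replace(array("\r", "\n"), '', $row['email'])."\n";`.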
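Review bot: In the www/index.php hunk, the rewritten `update` still stores the password as `sha1('$pword')` computed by the database: unsalted SHA-1, with the plaintext travelling in the SQL text where the server's general or slow query log can capture it. Hash in PHP and pass only the digest — at minimum `` `password`='".sha1($pword)."' `` (the escaping of `$pword` itself happens outside this hunk, so I cannot confirm it), and a salted scheme such as `password_hash()` if the deployed PHP version allows it and the login comparison is migrated alongside. The login handler this belongs to begins before the hunk.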
@@ -224,8 +224,8 @@ function send_reminder() exit; } - $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' and - `to`='".$_SESSION['_config']['notarise']['id']."' and `deleted` = 0"; + $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' and + `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) { @@ -310,7 +310,7 @@ $iecho= "c"; exit; } - $query = "select * from `users` where `id`='".$_SESSION['_config']['notarise']['id']."'"; + $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'"; $res = mysql_query($query); $row = mysql_fetch_assoc($res); $name = $row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix']; @@ -332,7 +332,7 @@ $iecho= "c"; if($newpoints < 0) $newpoints = $awarded = 0; - $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['_config']['notarise']['id']."' and `deleted` = 0 group by `to`"; + $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0 group by `to`"; $res = mysql_query($query); $drow = mysql_fetch_assoc($res); 
@@ -345,14 +345,14 @@ $iecho= "c"; if($newpoints < 0) $newpoints = 0; - if(mysql_escape_string(stripslashes($_POST['date'])) == "") + if(mysql_real_escape_string(stripslashes($_POST['date'])) == "") $_POST['date'] = date("Y-m-d H:i:s"); - $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' AND - `to`='".$_SESSION['_config']['notarise']['id']."' AND - `awarded`='$awarded' AND - `location`='".mysql_escape_string(stripslashes($_POST['location']))."' AND - `date`='".mysql_escape_string(stripslashes($_POST['date']))."' AND + $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND + `to`='".intval($_SESSION['_config']['notarise']['id'])."' AND + `awarded`='".intval($awarded)."' AND + `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND + `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."' AND `deleted`=0"; $res = mysql_query($query); if(mysql_num_rows($res) > 0) @@ -364,11 +364,11 @@ $iecho= "c"; if($oldid == 6) { - $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."', - `to`='".$_SESSION['_config']['notarise']['id']."', - `points`='$newpoints', `awarded`='$awarded', - `location`='".mysql_escape_string(stripslashes($_POST['location']))."', - `date`='".mysql_escape_string(stripslashes($_POST['date']))."', + $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."', + `to`='".intval($_SESSION['_config']['notarise']['id'])."', + `points`='".intval($newpoints)."', `awarded`='".intval($awarded)."', + `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."', + `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."', `when`=NOW()"; //record active acceptance by Assurer if (check_date_format(trim($_REQUEST['date']),2010)) { 
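Review bot: In the www/wot.php `@@ -345` hunk, `if(mysql_real_escape_string(stripslashes($_POST['date'])) == "")` uses the SQL escaper as an emptiness test and, when the value is non-empty, accepts any string as `date`; nothing in this hunk validates the format before it is embedded in the select (a `check_date_format` call appears only on the insert path in the next hunk). Replace the test with `if(trim($_POST['date']) == "")` and validate the format once up front. The `stripslashes()` calls also assume magic_quotes_gpc is on; if it is not, they strip legitimate backslashes from `location` before escaping. The enclosing handler begins outside the hunk.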
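Review bot: In the `@@ -364` hunk, the escaped `location` and `date` expressions are now repeated verbatim in the preceding select, this insert, and the administrative insert that follows; each copy is a chance to miss one. Compute them once before the select — `$location = mysql_real_escape_string(stripslashes($_POST['location']));` and the same for `$date` — and use the variables in all three queries. Also, `check_date_format(trim($_REQUEST['date']),2010)` runs after `$query` is assembled; whether the insert still executes when that check fails is not visible in the hunk and is worth confirming.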
@@ -389,11 +389,11 @@ $iecho= "c"; $addpoints = 2; else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100) $addpoints = 1; - $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."', - `to`='".$_SESSION['profile']['id']."', - `points`='$addpoints', `awarded`='$addpoints', - `location`='".mysql_escape_string(stripslashes($_POST['location']))."', - `date`='".mysql_escape_string(stripslashes($_POST['date']))."', + $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."', + `to`='".intval($_SESSION['profile']['id'])."', + `points`='".intval($addpoints)."', `awarded`='".intval($addpoints)."', + `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."', + `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."', `method`='Administrative Increase', `when`=NOW()"; mysql_query($query); @@ -479,7 +479,7 @@ $iecho= "c"; { csrf_check("chgcontact"); - $info = mysql_escape_string(strip_tags(stripslashes($_POST['contactinfo']))); + $info = mysql_real_escape_string(strip_tags(stripslashes($_POST['contactinfo']))); $listme = intval($_POST['listme']); if($listme < 0 || $listme > 1) $listme = 0; @@ -487,7 +487,7 @@ $iecho= "c"; $_SESSION['profile']['listme'] = $listme; $_SESSION['profile']['contactinfo'] = $info; - $query = "update `users` set `listme`='$listme',`contactinfo`='$info' where `id`='".$_SESSION['profile']['id']."'"; + $query = "update `users` set `listme`='$listme',`contactinfo`='$info' where `id`='".intval($_SESSION['profile']['id'])."'"; mysql_query($query); showheader(_("My CAcert.org Account!")); 
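Review bot: In the `@@ -389` hunk, the context condition `$_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100` has a dead second clause: when points equal 149 the `>= 100` test is always true, so as written only exactly 149 points takes the `$addpoints = 1` branch. I cannot tell from here whether a range was intended or the `== 149` is the typo; it predates this commit but sits right above the insert being changed, so it is worth a look. The enclosing handler begins outside the hunk.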
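Review bot: In the `@@ -487` hunk, `$_SESSION['profile']['contactinfo'] = $info;` stores the SQL-escaped string — `$info` is the result of `mysql_real_escape_string(strip_tags(...))` in the previous hunk — so a value with an apostrophe is kept as `\'` in the session and shown that way wherever the session copy is rendered, while the DB and the 1.php listing hold the clean value. Keep the raw value for the session and escape only at the query: `$info = strip_tags(stripslashes($_POST['contactinfo']));` and then `` `contactinfo`='".mysql_real_escape_string($info)."' `` in the update.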
@@ -508,9 +508,9 @@ $iecho= "c"; $body = $_REQUEST['message']; $subject = $_REQUEST['subject']; $userid = intval($_REQUEST['userid']); - $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$userid' and `listme`=1")); + $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1")); $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary` - where `to`='".$user['id']."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0")); + where `to`='".intval($user['id'])."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0")); if($points > 0) { $my_translation = L10n::get_translation(); @@ -546,7 +546,7 @@ $iecho= "c"; showheader(_("My CAcert.org Account!"));?> <p> - <? printf(_("Your email has been sent to %s."), $user['fname']); ?> + <? printf(_("Your email has been sent to %s."), sanitizeHTML($user['fname'])); ?> </p> <p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p> <? |
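Review bot: In the `@@ -508` hunk, `$subject = $_REQUEST['subject'];` and `$body = $_REQUEST['message'];` are taken as-is at the top; if `$subject` is later placed in a mail header (the sending code is outside the hunk), CR/LF in it permits header injection. Strip line breaks at intake: `$subject = str_replace(array("\r", "\n"), '', $_REQUEST['subject']);`. The second `intval($userid)` is harmless but redundant, since `$userid` is already intval'd on the line above.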