path: root/includes/account.php
Age         Commit message  [branch]  (Author)

2014-12-05  Merge remote-tracking branch 'origin/bug-790' into release  (Michael Tänzer)
2014-11-23  Merge branch 'bug-28' into release  (Benny Baumann)
            Conflicts:
                includes/account.php
                scripts/cron/warning.php
                www/disputes.php
                www/wot.php
2014-11-23  Merge branch 'bug-1273' into release  (Benny Baumann)
2014-11-15  bug-1339: remove all traces of OTP  [bug-1339]  (Felix Dörre)
2014-10-07  bug-790: change PEM-Armor-stripping code to not break correct CSRs  (Felix Dörre)
            (copied from somewhere above)
2014-09-23  bug-790: implement that thing.  (Felix Dörre)
2014-06-15  bug 1273: use runCommand where former "echo"-syntax was used  (Felix Dörre)
2014-06-15  bug 1273: replace backtick operators with shell_exec  (Felix Dörre)
            + fix 1 missing escapeshellarg

            Commands used to locate:

            1. find includes -type f -name '*.php' -exec cat {} \; \ | tr '\n' '?' | sed 's/\(\$query .\?= \|\ mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\ (\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\ \|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\ | tr '?' '\n' | grep --color=always "\`"|less -r

               and reviewing the queries by hand.

               This command replaces out strings obviously looking like sql_queries and then outputs all remaining backticks: starting with "$query = ,mysql_query, ..." and only interrupted by "safe" calls:
               - mysql_real_escape_string
               - intval
               - pre_escaped session variables
               (This command may also be used for locating badly escaped sql_queries)

            2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \ | grep -v '\(from\|update\|into\) `gpg'
2014-06-13  Merge branch 'release' into bug-807  (Benny Baumann)
            Conflicts:
                includes/account.php
                includes/lib/account.php
                pages/account/16.php
2014-06-06  Merge branch 'bug-1138' into release  (Benny Baumann)
2014-06-06  Merge branch 'bug-1275' into release  (Benny Baumann)
2014-05-01  bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSS  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01  bug 1138: Avoid double escaping.  (Michael Tänzer)
            These session variables should be local variables as they aren't needed anywhere else
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01  bug 1138: Avoid double escaping in `description` which was stored into the session mysql_real_escaped  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01  bug 1138: Avoid double escaping  (Michael Tänzer)
            Yes it's ugly but should be fixed in a separate bug
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01  Merge branch 'release' into bug-1138  (Benny Baumann)
2014-04-30  bug 1138: additional brackets for better readability  (Benny Baumann)
2014-04-30  bug 1138: Reorder fields to better show which variables belong together  (Benny Baumann)
2014-04-30  bug 1138: And yet some more sanitizing of database query arguments  (Benny Baumann)
2014-04-30  bug 1138: Properly bail out to remark on missing ticket number  (Benny Baumann)
2014-04-29  bug 372: `orgdomlink` has no `id` field  [bug-372]  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-29  bug 1275: Fix #1275  [bug-1275]  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-29  Merge branch 'bug-1221' into bug-1138  (Michael Tänzer)
            Conflicts:
                includes/account.php
                includes/general.php
                includes/loggedin.php
                includes/notary.inc.php
                pages/account/43.php
                pages/account/55.php
                pages/wot/10.php
                www/index.php
                www/wot.php
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-19  bug 1272: Fix for a typo  [bug-1272]  (Benny Baumann)
2014-04-19  bug 1272: Properly escape the filename passed to OpenSSL  (Benny Baumann)
2014-04-11  bug 1138: Remove double escaping  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-10  bug 1266: Escape data on certificate renewal  [bug-1266]  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-02  bug 1138: Error handling when inserting to the admin log  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  bug 1138: $_SESSION['support'] is not used anywhere => remove it  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  bug 1138: Removing dead code instead of only commenting it out helps healthful code growth  (Michael Tänzer)
            (Reducing lines of code is good code growth)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  bug 1138: Properly check for empty string  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  bug 1138: Always take the intval of userid  (Michael Tänzer)
            Either check for $_REQUEST['userid'] !== "" or unconditionally convert to integer. Checking for intval() != "" gives a false impression of what's happening.
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  bug 1138: Fix indentation  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24  Merge branch 'release' into bug-1138  (Michael Tänzer)
2014-03-21  Merge branch 'release' into bug-1221  (Michael Tänzer)
2014-03-20  bug 807: Doh, forgot to check in include/account.php  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-20  bug 807: Allow changing the hash algorithm used in signing  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-11  bug 448: Properly escape data that comes from the database  [bug-448]  (Benny Baumann)
2014-03-04  bug 1138: moved write_se_log from account.php to account/59.php  (INOPIAE)
2014-02-25  bug 1138: removed double intval  (INOPIAE)
2014-02-25  bug 448: Inline the static string in printf() and add a note to translators instead  (Michael Tänzer)
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-02-25  bug 1136: added intval for $_REQUEST['userid']  (INOPIAE)
2014-02-22  bug 1138: changed $_REQUEST['action'] to $actionrequest for ID 43  (mam)
2014-02-21  bug 1138: added return link to missing or wrong delete account request  (mam)
2014-02-04  Merge branch 'release' into bug-1138  (Michael Tänzer)
            Conflicts:
                includes/account.php
                includes/notary.inc.php
            Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-01-26  bug 448: changed the wording for the message after the revocation of a certificate  (INOPIAE)
2014-01-20  bug 1138: added assurances to SE log, rework of assurance delete form delete assurance to deleted=Now()  (INOPIAE)
2014-01-20  bug 1138: rework delete assurance SE log  (INOPIAE)
2014-01-20  bug 1138: changed status texts from AD to SE  (INOPIAE)
2014-01-20  bug 1138: added SE log for account delete  (INOPIAE)
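The bug 1273 and bug 1272 commits above describe the same class of fix: stop interpolating user-controlled values (such as a CSR filename handed to OpenSSL) into a backtick command, and instead pass every dynamic argument through escapeshellarg() and run the assembled string with shell_exec(). The following is an added illustration of that pattern and is not CAcert's own code; the runCommand() helper, the OpenSSL invocation and the CSR directory are assumptions chosen for the example, since the page shows none of their real definitions.

```php
<?php
// Added example, not CAcert code. Shows the before/after shape of the
// bug 1273 / bug 1272 commits: a backtick command with an interpolated
// filename, then the same command rebuilt with escapeshellarg() + shell_exec().
// runCommand() is a hypothetical stand-in for the helper the log mentions.

// Before: the filename is spliced into the shell command unescaped.
// With $csrFile = "/tmp/x.csr; id" the shell runs `id` as a second command,
// because the backtick operator hands the whole string to /bin/sh.
function csrSubjectUnsafe(string $csrFile): string
{
    return (string) `openssl req -noout -subject -in $csrFile`;
}

// Hypothetical helper: execute an already-assembled command, return stdout.
function runCommand(string $command): string
{
    $out = shell_exec($command);
    return is_string($out) ? $out : '';
}

// After: every variable part goes through escapeshellarg(), which wraps the
// value in single quotes and escapes embedded single quotes, so the shell
// sees the whole filename as one literal argument.
function buildCsrSubjectCommand(string $csrFile): string
{
    return 'openssl req -noout -subject -in ' . escapeshellarg($csrFile);
}

function csrSubjectSafe(string $csrFile): string
{
    return runCommand(buildCsrSubjectCommand($csrFile));
}

// Defence in depth: accept only a bare filename inside a fixed directory
// (assumed path), so escaping is the second line of defence, not the only one.
function csrPathFor(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || strpos($name, '..') !== false) {
        return null;
    }
    return '/var/lib/cacert/csr/' . $name;
}

// Constructed hostile input: compare the two command strings without running them.
$hostile = '/tmp/x.csr; id';
echo 'unsafe: openssl req -noout -subject -in ' . $hostile, "\n";
echo 'safe:   ', buildCsrSubjectCommand($hostile), "\n";
var_dump(csrPathFor('x.csr'), csrPathFor('../etc/passwd'));
```

The same review heuristic the bug 1273 commit body documents (grep for a backtick followed by a command name such as openssl, gpg or rm) finds the unsafe form above, because the fix replaces the backtick operator with an explicit shell_exec() call whose argument is visibly built from escapeshellarg() output.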