summaryrefslogtreecommitdiff
path: root/pages
AgeCommit message (Collapse)Author
2014-06-15bug 1273: replace backtick operators with shell_execFelix Dörre
+ fix 1 missing escapeshellarg Commands used to locate: 1. find includes -type f -name '*.php' -exec cat {} \; \ | tr '\n' '?' | sed 's/\(\$query .\?= \|\ mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\ (\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\ \|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\ | tr '?' '\n' | grep --color=always "\`"|less -r and reviewing the queries by hand. This command replaces out strings obviously looking like sql_queries and then outputting al remaining backticks: starting with "$query = ,mysql_query, ..." and are only interrupted by "safe" calls: - mysql_real_escape_string - intval - pre_escaped session variables (This command may also be used for locating bad escaped sql_queries) 2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \ | grep -v '\(from\|update\|into\) `gpg'
2014-06-13Merge branch 'release' into bug-807Benny Baumann
Conflicts: includes/account.php includes/lib/account.php pages/account/16.php
2014-06-06Merge branch 'bug-413' into bug-1138bug-1138Benny Baumann
Conflicts: pages/account/12.php pages/account/5.php
2014-05-27bug 413: Port same change as for 5.php over to 12.phpbug-413Benny Baumann
2014-05-27bug 413: Backport changes from 7aced740 by Michael Tänzer to avoid ↵Benny Baumann
conflicts when integrating both together
2014-05-20bug 1138: fix double-escaping in wot/10Benny Baumann
2014-05-01bug 1138: $verified is a string that is directly filled with data from theMichael Tänzer
translation system => do not intval() Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01bug 1138: This is an int, no need to mysql_real_escape()Michael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-05-01bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSSMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-30bug 1138: Whitespace changes and code formattingBenny Baumann
2014-04-30bug 1138: And yet another bunch of escapingBenny Baumann
2014-04-30bug 1138: Some escaping for the GnuPG codeBenny Baumann
2014-04-30bug 1138: And yet another bunch of missing escapesBenny Baumann
2014-04-30bug 1138: Add some more mising escaping for values from the databaseBenny Baumann
2014-04-30bug 1138: Add some more mising escaping for values from the databaseBenny Baumann
2014-04-30bug 1138: Add some mising escaping for values from the databaseBenny Baumann
2014-04-29bug 1138: Implement log parameter for output_assurances*() and use it forMichael Tänzer
data summary Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-29bug 1138: Only revoke assurance if we actually found oneMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-29Merge branch 'bug-1221' into bug-1138Michael Tänzer
Conflicts: includes/account.php includes/general.php includes/loggedin.php includes/notary.inc.php pages/account/43.php pages/account/55.php pages/wot/10.php www/index.php www/wot.php Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Set $oldidMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Always provide a back linkMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: correct colspan for cert tablesMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Only use support engineer mode if not viewing own historyMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Code styleMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: TypoMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Properly call output_log_domains()Michael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Properly display domain tableMichael Tänzer
- Wrong call to get_domains() => deleted domains weren't included - <td> needs to be wrapped in a <tr> Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Always show email address tableMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: more intuitive variable namingMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Inline $colspandefault because it make the code more complex andMichael Tänzer
isn't very useful Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: properly display announcement settings on account historyMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Make testing for support access to account details page moreMichael Tänzer
robust and possibly fix some issues - should check for same userid not whether we come from the SE page - always use the already validated values (not $_REQUEST) - make if clause logic more readable Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: make string more readable for translatorsMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Use CSS styling instead of deprecated attributesMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Source code layoutMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Sanitize ticket number against XSSMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Unused variableMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Don't double escapeMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-11bug 1138: Correct spelling / meaningMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-07bug 1138: Adjust the rest of the output_*_certs() functionsMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-07bug 1138: rename interface to better describe what these functions doMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-07bug 1138: don't alias columns that could cause ambiguitiesMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-02bug 1138: Error handling when inserting to the admin logMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-04-01bug 1138: Common argument ordering for user_agreement gettersMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-31bug 1138: Documentation and minor fixesMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24bug 1138: Move back link out of the translation stringMichael Tänzer
Signed-off-by: Michael Tänzer <neo@nhng.de>
2014-03-24Merge branch 'release' into bug-1138Michael Tänzer
2014-03-21Merge remote-tracking branch 'origin/bug-1257' into releaseMichael Tänzer
2014-03-21Merge remote-tracking branch 'origin/bug-1239' into releaseMichael Tänzer
2014-03-21Merge branch 'release' into bug-1221Michael Tänzer