bug 1138: And yet another bunch of missing escapes
authorBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 16:27:23 +0000 (18:27 +0200)
committerBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 18:18:56 +0000 (20:18 +0200)
pages/account/44.php
pages/account/5.php
pages/account/52.php
pages/account/55.php
pages/account/57.php
pages/account/59.php
pages/account/6.php

index d7e31c6..718f0e0 100644 (file)
@@ -54,6 +54,6 @@ if (!valid_ticket_number($ticketno)) {
   </tr>
 </table>
 <input type="hidden" name="userid" value="<?=intval($_REQUEST['userid'])?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
+<input type="hidden" name="oldid" value="<?=intval($id)?>">
 <input type="hidden" name="ticketno" value="<?=sanitizeHTML($ticketno)?>"/>
 </form>
index cca2f6f..f458114 100644 (file)
@@ -19,7 +19,7 @@
 <form method="post" action="account.php">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
   <tr>
-    <td colspan="10" class="title"><?=_("Client Certificates")?> - <a href="account.php?id=5&amp;viewall=<?=!$viewall?>"><?=$viewall?_("Hide old certificates"):_("View all certificates")?></a></td>
+    <td colspan="10" class="title"><?=_("Client Certificates")?> - <a href="account.php?id=5&amp;viewall=<?=intval(!$viewall)?>"><?=$viewall?_("Hide old certificates"):_("View all certificates")?></a></td>
   </tr>
   <tr>
     <td class="DataTD"><?=_("Renew/Revoke/Delete")?></td>
@@ -43,7 +43,7 @@
                        `emailcerts`.`disablelogin` as `disablelogin`,
                        `emailcerts`.`description`
                        from `emailcerts`
-                       where `emailcerts`.`memid`='".$_SESSION['profile']['id']."'
+                       where `emailcerts`.`memid`='".intval($_SESSION['profile']['id'])."'
                        ";
        if($viewall != 1)
                $query .= " AND `revoked`=0 AND `renewed`=0 ";
 ?>
   <tr>
 <? if($verified != _("Pending") && $verified != _("Revoked")) { ?>
-    <td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=$row['id']?>"></td>
+    <td class="DataTD"><input type="checkbox" name="revokeid[]" value="<?=intval($row['id'])?>"></td>
     <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><a href="account.php?id=6&amp;cert=<?=$row['id']?>"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></a></td>
+    <td class="DataTD"><a href="account.php?id=6&amp;cert=<?=intval($row['id'])?>"><?=(trim($row['CN'])=="" ? _("empty") : sanitizeHTML($row['CN']))?></a></td>
 <? } else if($verified != _("Revoked")) { ?>
-    <td class="DataTD"><input type="checkbox" name="delid[]" value="<?=$row['id']?>"></td>
+    <td class="DataTD"><input type="checkbox" name="delid[]" value="<?=intval($row['id'])?>"></td>
     <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+    <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : sanitizeHTML($row['CN']))?></td>
 <? } else { ?>
     <td class="DataTD">&nbsp;</td>
     <td class="DataTD"><?=$verified?></td>
-    <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+    <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : sanitizeHTML($row['CN']))?></td>
 <? } ?>
-    <td class="DataTD"><?=$row['serial']?></td>
-    <td class="DataTD"><?=$row['revoke']?></td>
-    <td class="DataTD"><?=$row['expire']?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['serial'])?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['revoke'])?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['expire'])?></td>
     <td class="DataTD">
-      <input type="checkbox" name="disablelogin_<?=$row['id']?>" value="1" <?=$row['disablelogin']?"":'checked="checked"'?>/>
-      <input type="hidden" name="cert_<?=$row['id']?>" value="1" />
+      <input type="checkbox" name="disablelogin_<?=intval($row['id'])?>" value="1" <?=$row['disablelogin']?"":'checked="checked"'?>/>
+      <input type="hidden" name="cert_<?=intval($row['id'])?>" value="1" />
     </td>
-    <td class="DataTD"><input name="comment_<?=$row['id']?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
-    <td class="DataTD"><input type="checkbox" name="check_comment_<?=$row['id']?>" /></td>
+    <td class="DataTD"><input name="comment_<?=intval($row['id'])?>" type="text" value="<?=htmlspecialchars($row['description'])?>" /></td>
+    <td class="DataTD"><input type="checkbox" name="check_comment_<?=intval($row['id'])?>" /></td>
   </tr>
     <? } ?>
   <tr>
     <td class="DataTD" colspan="9">
-      <a href="account.php?id=5&amp;viewall=<?=!$viewall?>"><b><?=$viewall?_("Hide old certificates"):_("View all certificates")?></b></a>
+      <a href="account.php?id=5&amp;viewall=<?=intval(!$viewall)?>"><b><?=$viewall?_("Hide old certificates"):_("View all certificates")?></b></a>
     </td>
   </tr>
 
   </tr>
 <? } ?>
 </table>
-<input type="hidden" name="oldid" value="<?=$id?>" />
+<input type="hidden" name="oldid" value="<?=intval($id)?>" />
 <input type="hidden" name="csrf" value="<?=make_csrf('clicerchange')?>" />
 </form>
 <p><?=_("From here you can delete pending requests, or revoke valid certificates.")?></p>
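Review bot: The description input on the new side still goes through `htmlspecialchars()` while every other cell in this block now uses `sanitizeHTML()`; for consistency the line should read `<input name="comment_<?=intval($row['id'])?>" type="text" value="<?=sanitizeHTML($row['description'])?>" />`. `$verified` is also echoed unescaped in three cells of the same block; that is only safe while it always holds one of the translated literals it is compared against, which cannot be confirmed from this section. The hunk header for this last block is not shown, so where it starts in the file is unknown.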
index ce2025f..cb35548 100644 (file)
 <? if($_SESSION['profile']['tverify'] <= 0) { echo _("You don't have access to this area."); } else { ?>
 <?
        $uid = intval($_GET['uid']);
-       $query = "select * from `tverify` where `id`='$uid' and `modified`=0";
+       $query = "select * from `tverify` where `id`='".intval($uid)."' and `modified`=0";
        $res = mysql_query($query);
        if(mysql_num_rows($res) > 0)
        {
                $row = mysql_fetch_assoc($res);
                $memid = intval($row['memid']);
 
-               $query2 = "select * from `tverify-vote` where `tverify`='$uid' and `memid`='".intval($_SESSION['profile']['id'])."'";
+               $query2 = "select * from `tverify-vote` where `tverify`='".intval($uid)."' and `memid`='".intval($_SESSION['profile']['id'])."'";
                 $rc2 = mysql_num_rows(mysql_query($query2));
                if($rc2 > 0)
                {
@@ -35,9 +35,9 @@
                        exit;
                }
 
-               $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' and `deleted` = 0";
+               $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `deleted` = 0";
                $notary = mysql_fetch_assoc(mysql_query($query));
-               $query = "select * from `users` where `id`='$memid'";
+               $query = "select * from `users` where `id`='".intval($memid)."'";
                $user = mysql_fetch_assoc(mysql_query($query));
                $tobe = 50 - $notary['points'];
                if($row['URL'] != '' && $row['photoid'] != '')
@@ -48,9 +48,9 @@
                        $tobe = 0;
 ?>
 <?=_("Request Details")?>:<br>
-<?=_("Name on file")?>: <?=$user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix']?><br>
-<?=_("Primary email address")?>: <?=$user['email']." (".$user['id'].")"?><br>
-<?=_("Certificate Subject")?>: <?=$row['CN']?><br>
+<?=_("Name on file")?>: <?=sanitizeHTML($user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])?><br>
+<?=_("Primary email address")?>: <?=sanitizeHTML($user['email'])." (".intval($user['id']).")"?><br>
+<?=_("Certificate Subject")?>: <?=sanitizeHTML($row['CN'])?><br>
 <? if($row['URL'] != '') { ?><?=_("Notary URL")?>: <a href="<?=$row['URL']?>"><?=$row['URL']?></a><br><? } ?>
 <? if($row['photoid'] != '') { ?><?=_("Photo ID URL")?>: <a href="/account.php?id=51&amp;photoid=<?=intval($row['id'])?>"><?=_("Here")?></a><br><? } ?>
 <?=_("Current Points")?>: <?=intval($notary['points'])?><br>
 <input type="submit" name="agree" value="<?=_("I agree with this Application")?>">
 <input type="submit" name="disagree" value="<?=_("I don't agree with this Application")?>">
 <input type="hidden" name="oldid" value="<?=intval($_GET['id'])?>">
-<input type="hidden" name="uid" value="<?=$uid?>">
+<input type="hidden" name="uid" value="<?=intval($uid)?>">
 </form>
 <? } else {
-       $query = "select * from `tverify` where `id`='$uid' and `modified`=1";
+       $query = "select * from `tverify` where `id`='".intval($uid)."' and `modified`=1";
        $res = mysql_query($query);
        if(mysql_num_rows($res) > 0)
        {
@@ -84,7 +84,7 @@
                while($row = mysql_fetch_assoc($res))
                {
                        $uid=intval($row['id']);
-                       $query3 = "select * from `tverify-vote` where `tverify`='$uid' and `memid`='".intval($_SESSION['profile']['id'])."'";
+                       $query3 = "select * from `tverify-vote` where `tverify`='".intval($uid)."' and `memid`='".intval($_SESSION['profile']['id'])."'";
                        $rc3 = mysql_num_rows(mysql_query($query3));
                        if($rc3 <= 0)
                        {
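Review bot: `$row['URL']` on the `Notary URL` line of the `@@ -48,9` hunk is still written raw into both the `href` attribute and the link text, even though the neighbouring `CN` and name fields were wrapped in this commit; it is a value read back from the `tverify` table and should be escaped the same way, `<a href="<?=sanitizeHTML($row['URL'])?>"><?=sanitizeHTML($row['URL'])?></a>`. Escaping does not constrain the URL scheme, so if the stored value originates from user input, checking that it starts with `http://` or `https://` before rendering it as a link is worth adding as well. The repeated `intval($uid)` inside the query strings is harmless but redundant, since `$uid` is already assigned from `intval($_GET['uid'])` directly above the first query.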
index 7e9710c..d110601 100644 (file)
@@ -58,7 +58,7 @@
 <?\r
         $query = "SELECT `CP`.`pass_date`, `CT`.`type_text`, `CV`.`test_text` ".\r
                  " FROM `cats_passed` AS CP, `cats_variant` AS CV, `cats_type` AS CT ".\r
-                 " WHERE `CP`.`variant_id`=`CV`.`id` AND `CV`.`type_id`=`CT`.`id` AND `CP`.`user_id` ='".(int)$user_id."'".\r
+                 " WHERE `CP`.`variant_id`=`CV`.`id` AND `CV`.`type_id`=`CT`.`id` AND `CP`.`user_id` ='".intval($user_id)."'".\r
                  " ORDER BY `CP`.`pass_date`";\r
 \r
         $res = mysql_query($query);\r
@@ -71,9 +71,9 @@
           }\r
 ?>\r
   <tr>\r
-    <td class="DataTD"><?=$row[0]?></td>\r
-    <td class="DataTD"><?=$row[1]?></td>\r
-    <td class="DataTD"><?=$row[2]?></td>\r
+    <td class="DataTD"><?=sanitizeHTML($row[0])?></td>\r
+    <td class="DataTD"><?=sanitizeHTML($row[1])?></td>\r
+    <td class="DataTD"><?=sanitizeHTML($row[2])?></td>\r
   </tr>\r
 <?      }\r
 ?>\r
@@ -84,7 +84,7 @@
 <?\r
       if ($_SESSION['profile']['admin'] == 1 && array_key_exists('userid',$_REQUEST) && intval($_REQUEST['userid']) > 0) {\r
 ?>\r
-    <tr><td colspan="3" class="DataTD"><a href="account.php?id=43&amp;userid=<?=$user_id ?>">back</a></td></tr>\r
+    <tr><td colspan="3" class="DataTD"><a href="account.php?id=43&amp;userid=<?=intval($user_id)?>">back</a></td></tr>\r
 <?    } else {\r
         $query = 'SELECT `u`.id, `u`.`assurer`, SUM(`points`) FROM `users` AS `u`, `notary` AS `n` '.\r
                  '  WHERE `u`.`id` = \''.(int)intval($_SESSION['profile']['id']).'\' AND `n`.`to` = `u`.`id` AND `expire` < now() and  and `n`.`deleted` = 0'.
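Review bot: The query context line closing the `@@ -84,7` hunk contains `< now() and  and` with a doubled keyword; unless that is an artefact of how the page was rendered, MySQL will reject the statement, so the code path this hunk touches cannot succeed. The same line casts twice, `(int)intval(...)`, where a single `intval(...)` matches the style applied throughout this commit. The string concatenation continues past the end of the hunk, so the rest of the statement is not visible here.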
index c6a490f..9db7ccf 100644 (file)
@@ -98,7 +98,7 @@
 <?
       if ($_SESSION['profile']['admin'] == 1 && array_key_exists('userid',$_REQUEST) && intval($_REQUEST['userid']) > 0) {
 ?>
-    <tr><td colspan="3" class="DataTD"><a href="account.php?id=43&amp;userid=<?=$user_id ?>">back</a></td></tr>
+    <tr><td colspan="3" class="DataTD"><a href="account.php?id=43&amp;userid=<?=intval($user_id)?>">back</a></td></tr>
 <?    }
 ?>  </table>
 <?
index f8bae4a..1c73ae5 100644 (file)
@@ -65,14 +65,14 @@ if ($userid != $_SESSION['profile']['id']) {
 
     if (!valid_ticket_number($ticketno)) {
         printf(_("I'm sorry, you did not enter a ticket number! %s Support is not allowed to view the account history without a ticket number."), '<br/>');
-        echo '<br/><a href="account.php?id=43&amp;userid='.$userid.'">'. _('Back to previous page.') .'</a>';
+        echo '<br/><a href="account.php?id=43&amp;userid='.intval($userid).'">'. _('Back to previous page.') .'</a>';
         showfooter();
         exit;
     }
 
     if (!write_se_log($userid, $_SESSION['profile']['id'], 'SE View account history', $ticketno)) {
         echo _("Writing to the admin log failed. Can't continue.");
-        echo '<br/><a href="account.php?id=43&amp;userid='.$userid.'">'. _('Back to previous page.') .'</a>';
+        echo '<br/><a href="account.php?id=43&amp;userid='.intval($userid).'">'. _('Back to previous page.') .'</a>';
         showfooter();
         exit;
     }
@@ -89,11 +89,11 @@ if ($userid != $_SESSION['profile']['id']) {
     </tr>
     <tr>
         <td class="DataTD"><?=_('User name')?></td>
-        <td class="DataTD"><?=$username?></td>
+        <td class="DataTD"><?=sanitizeHTML($username)?></td>
     </tr>
     <tr>
         <td class="DataTD"><?=_('Date of Birth')?></td>
-        <td class="DataTD"><?=$dob?></td>
+        <td class="DataTD"><?=sanitizeHTML($dob)?></td>
     </tr>
     <tr>
         <td class="DataTD"><?=_("Is Assurer")?>:</td>
@@ -378,7 +378,7 @@ if (mysql_num_rows($dres) > 0) {
 ?>
 <tr>
     <td colspan="<?=$colspan?>" >
-        <a href="account.php?id=<?=$oldid?intval($oldid):($support?43:13)?>&amp;userid=<?=$userid?>"><?= _('Back to previous page.')?></a>
+        <a href="account.php?id=<?=$oldid?intval($oldid):($support?43:13)?>&amp;userid=<?=intval($userid)?>"><?= _('Back to previous page.')?></a>
     </td>
 </tr>
 
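Review bot: `$colspan` on the `<td colspan=...>` line of the `@@ -378,7` hunk is still interpolated unescaped while the `userid` beside it now gets `intval()`; if it is a server-computed integer this is harmless, but `intval($colspan)` would keep the attribute safe regardless of how it is derived and matches the pattern used everywhere else in this commit. The enclosing `if (mysql_num_rows($dres) > 0)` block named in the hunk header starts outside the hunk.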
index 0803406..305fccb 100644 (file)
@@ -137,11 +137,11 @@ if (array_key_exists('format', $_REQUEST)) {
        </tr>
        <tr>
                <td class="DataTD"><?=_("Email Address")?></td>
-               <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : $row['CN'])?></td>
+               <td class="DataTD"><?=(trim($row['CN'])=="" ? _("empty") : sanitizeHTML($row['CN']))?></td>
        </tr>
        <tr>
                <td class="DataTD"><?=_("SerialNumber")?></td>
-               <td class="DataTD"><?=$row['serial']?></td>
+               <td class="DataTD"><?=sanitizeHTML($row['serial'])?></td>
        </tr>
        <tr>
                <td class="DataTD"><?=_("Revoked")?></td>