bug 1138: And yet another bunch of escaping
authorBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 18:13:28 +0000 (20:13 +0200)
committerBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 18:18:56 +0000 (20:18 +0200)
pages/wot/1.php
pages/wot/10.php
pages/wot/9.php
stamp/common.php
www/api/ccsr.php
www/api/cemails.php
www/index.php
www/wot.php

index 99c2b9f..d6e298d 100644 (file)
   </tr>
 <? while($row = mysql_fetch_assoc($list)) { ?>
   <tr>
-    <td class="DataTD" width="100"><nobr><?=$row['fname']?> <?=substr($row['lname'], 0, 1)?></nobr></td>
+    <td class="DataTD" width="100"><nobr><?=sanitizeHTML($row['fname'])?> <?=substr($row['lname'], 0, 1)?>.</nobr></td>
     <td class="DataTD"><?=maxpoints($row['id'])?></td>
-    <td class="DataTD"><?=$row['contactinfo']?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['contactinfo'])?></td>
     <td class="DataTD"><a href="wot.php?id=9&amp;userid=<?=intval($row['id'])?>"><?=_("Email Me")?></a></td>
     <td class="DataTD"><?=$row['assurer']?_("Yes"):("<font color=\"#ff0000\">"._("Not yet!")."</font>")?></td>
 
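Review bot: `substr($row['lname'], 0, 1)` on the new line is still emitted unescaped while the adjacent `fname` now goes through sanitizeHTML; a surname starting with `&` or `<` yields malformed markup, and substr is byte-wise, so a multibyte initial is cut to a lone invalid UTF-8 byte. 9.php in this same commit escapes the combined string, so do the same here: `<?=sanitizeHTML(trim($row['fname'].' '.substr($row['lname'], 0, 1)))?>.`. The surrounding `while` loop starts and ends outside the hunk.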
index c7e1ff1..b0dc739 100644 (file)
                $fromuser = mysql_fetch_assoc(mysql_query("select `fname`, `lname` from `users` where `id`='".intval($row['from'])."'"));
 ?>
   <tr>
-    <td class="DataTD"><?=$row['id']?></td>
+    <td class="DataTD"><?=intval($row['id'])?></td>
     <td class="DataTD"><?=$row['date']?></td>
-    <td class="DataTD"><a href="wot.php?id=9&amp;userid=<?=intval($row['from'])?>"><?=$fromuser['fname']." ".$fromuser['lname']?></td>
-    <td class="DataTD"><?=$row['points']?></td>
-    <td class="DataTD"><?=$row['location']?></td>
+    <td class="DataTD"><a href="wot.php?id=9&amp;userid=<?=intval($row['from'])?>"><?=sanitizeHTML(trim($fromuser['fname']." ".$fromuser['lname']))?></td>
+    <td class="DataTD"><?=intval($row['points'])?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['location'])?></td>
     <td class="DataTD"><?=_(sprintf("%s", $row['method']))?></td>
   </tr>
 <?
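Review bot: The `method` cell near the bottom of the hunk is still written raw: `_(sprintf("%s", $row['method']))` looks up a database value in gettext and echoes whatever comes back without sanitizeHTML, and the `date` cell is likewise unescaped. If `method` is only ever set from fixed server-side strings (the `'Administrative Increase'` insert later in this commit suggests so) the risk is low, but it is cheap to make the row consistent: `<td class="DataTD"><?=sanitizeHTML(_($row['method']))?></td>` — the `sprintf("%s", …)` wrapper adds nothing. The enclosing `while` loop starts before the hunk.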
@@ -119,25 +119,25 @@ if ($thawte)
        while($row = mysql_fetch_assoc($res))
        {
                $fromuser = mysql_fetch_assoc(mysql_query("select `fname`, `lname` from `users` where `id`='".intval($row['to'])."'"));
-               $points += $row['points'];
+               $points += intval($row['points']);
                $name = trim($fromuser['fname']." ".$fromuser['lname']);
                if($name == "")
                        $name = _("Deleted before Verification");
                else
-                       $name = "<a href='wot.php?id=9&amp;userid=".intval($row['to'])."'>$name</a>";
+                       $name = "<a href='wot.php?id=9&amp;userid=".intval($row['to'])."'>".sanitizeHTML($name)."</a>";
 ?>
   <tr>
     <td class="DataTD"><?=intval($row['id'])?></td>
     <td class="DataTD"><?=$row['date']?></td>
-    <td class="DataTD"><?=$name?></td>
+    <td class="DataTD"><?=sanitizeHTML($name)?></td>
     <td class="DataTD"><?=intval($row['points'])?></td>
-    <td class="DataTD"><?=$row['location']?></td>
+    <td class="DataTD"><?=sanitizeHTML($row['location'])?></td>
     <td class="DataTD"><?=$row['method']==""?"":_(sprintf("%s", $row['method']))?></td>
   </tr>
 <? } ?>
   <tr>
     <td class="DataTD" colspan="3"><b><?=_("Total Points Issued")?>:</b></td>
-    <td class="DataTD"><?=$points?></td>
+    <td class="DataTD"><?=intval($points)?></td>
     <td class="DataTD" colspan="2">&nbsp;</td>
   </tr>
 </table>
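Review bot: The name cell is now escaped twice: line 54 already wraps the link text in sanitizeHTML and builds an `<a href=…>` around it, then line 60 passes the whole `$name` through sanitizeHTML again, which (assuming sanitizeHTML is htmlspecialchars-like) turns the anchor into literal `&lt;a href=…&gt;` text and double-encodes any entity in the name. Escape once, where the untrusted part enters the markup, and emit the composed string as-is: keep line 54 and change line 60 back to `<td class="DataTD"><?=$name?></td>`. The `_("Deleted before Verification")` branch is a server-side constant, so it is safe either way.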
index b492ff6..e4fff21 100644 (file)
@@ -28,7 +28,7 @@
                $user = mysql_fetch_array($res);
                $userlang = $user['language'];
                $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
-                               where `to`='".$user['id']."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0"));
+                               where `to`='".intval($user['id'])."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0"));
                if($points <= 0)
                {
                        echo _("Sorry, I was unable to locate that user.");
 ?>
 <? if($_SESSION['_config']['error'] != "") { ?><font color="#ff0000" size="+1">ERROR: <?=$_SESSION['_config']['error']?></font><? unset($_SESSION['_config']['error']); } ?>
 <form method="post" action="wot.php">
-<input type="hidden" name="userid" value="<?=$user['id']?>">
+<input type="hidden" name="userid" value="<?=intval($user['id'])?>">
 <table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
   <tr>
     <td colspan="2" class="title"><?=_("Contact Assurer")?></td>
   </tr>
   <tr>
     <td class="DataTD"><?=_("To")?>:</td>
-    <td class="DataTD" align="left"><?=$user['fname']?> <?=substr($user['lname'], 0, 1)?></td>
+    <td class="DataTD" align="left"><?=sanitizeHTML(trim($user['fname'].' '.substr($user['lname'], 0, 1)))?></td>
   </tr>
 <? if($userlang != "") { ?>
   <tr>
     <td class="DataTD"><?=_("Language")?>:</td>
-    <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), $user['fname'], L10n::$translations[$userlang]) ?></td>
+    <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), sanitizeHTML($user['fname']), L10n::$translations[$userlang]) ?></td>
   </tr>
 <? } ?>
 <?
-       $query = "select * from `addlang` where `userid`='".$user['id']."'";
+       $query = "select * from `addlang` where `userid`='".intval($user['id'])."'";
        $res = mysql_query($query);
        while($row = mysql_fetch_assoc($res))
        {
-               $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='${row['lang']}'"));
+               $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='".mysql_real_escape_string($row['lang'])."'"));
 ?>
   <tr>
     <td class="DataTD"><?=_("Additional Language")?>:</td>
-    <td class="DataTD" align="left"><? printf(_("%s will also accept email in %s - %s"), $user['fname'], $lang['lang'], $lang['country']) ?></td>
+    <td class="DataTD" align="left"><? printf(_("%s will also accept email in %s - %s"), sanitizeHTML($user['fname']), sanitizeHTML($lang['lang']), sanitizeHTML($lang['country'])) ?></td>
   </tr>
 <? } ?>
   <tr>
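Review bot: The error banner at the top of the hunk still echoes `$_SESSION['_config']['error']` straight into the page; whether those messages ever carry request-derived text cannot be seen here, but since this commit is escaping output across the WoT pages it should read `<?=sanitizeHTML($_SESSION['_config']['error'])?>` unless the messages are known to contain intentional markup. Separately, line 117 dereferences `$lang['lang']` and `$lang['country']` without checking that the `languages` lookup returned a row; `$lang` is `false` when it does not, which is a notice rather than a security issue but worth a guard.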
@@ -79,7 +79,7 @@
 </table>
 <input type="hidden" name="pageid" value="<?=$_SESSION['_config']['pagehash']?>">
 <input type="hidden" name="userid" value="<?=intval($_REQUEST['userid'])?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
+<input type="hidden" name="oldid" value="<?=intval($id)?>">
 </form>
 <p>[ <a href='javascript:history.go(-1)'><?=_("Go Back")?></a> ]</p>
 <? } } ?>
index d0a71f4..d99a23a 100644 (file)
@@ -41,9 +41,9 @@
                                if($row['certid'] > 0)
                                {
                                        if($row['org'] == 0)
-                                               $query = "select * from `domaincerts` where `id`='$row[certid]' and `expire`>NOW() and `revoked`=0";
+                                               $query = "select * from `domaincerts` where `id`='".intval($row['certid'])."' and `expire`>NOW() and `revoked`=0";
                                        else
-                                               $query = "select * from `orgdomaincerts` where `id`='$row[certid]' and `expire`>NOW() and `revoked`=0";
+                                               $query = "select * from `orgdomaincerts` where `id`='".intval($row['certid'])."' and `expire`>NOW() and `revoked`=0";
                                        if($_REQUEST['debug'] == 1)
                                                echo $query."<br>\n";
                                        $res = mysql_query($query);
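Review bot: The `$_REQUEST['debug'] == 1` branch just below the changed lines still prints the composed SQL query into the response for anyone who appends `?debug=1`; the intval fixes are correct, but leaking table and column names on request is an information-disclosure hole in its own right. Gate it on a server-side configuration value or drop the echo, unless access to this stamp endpoint is already restricted outside this file. The enclosing function starts and ends outside the hunk.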
index aa33baa..54d7dc9 100644 (file)
@@ -31,7 +31,7 @@ require_once '../../includes/lib/check_weak_key.php';
        foreach($_REQUEST['email'] as $email)
        {
                $email = mysql_real_escape_string(trim($email));
-               $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0 and `email`='$email'";
+               $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0 and `email`='$email'";
                $res = mysql_query($query);
                if(mysql_num_rows($res) > 0)
                {
@@ -42,7 +42,7 @@ require_once '../../includes/lib/check_weak_key.php';
        }
        if(count($emails) <= 0)
                die("404,Wasn't able to match any emails sent against your account");
-       $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' and `notary`.`deleted`=0 group by `to`";
+       $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`";
        $row = mysql_fetch_assoc(mysql_query($query));
        $points = $row['points'];
 
@@ -82,9 +82,9 @@ require_once '../../includes/lib/check_weak_key.php';
        foreach($emails as $id => $email)
                $csrsubject .= "/emailAddress=".$email;
 
-       $query = "insert into `emailcerts` set `CN`='".$user['email']."', `keytype`='MS',
-                               `memid`='".$user['id']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
-                               `subject`='$csrsubject', `codesign`='$codesign'";
+       $query = "insert into `emailcerts` set `CN`='".mysql_real_escape_string($user['email'])."', `keytype`='MS',
+                               `memid`='".intval($user['id'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
+                               `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".intval($codesign)."'";
        mysql_query($query);
        $certid = mysql_insert_id();
        $CSRname = generatecertpath("csr","client",$certid);
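Review bot: `$certid = mysql_insert_id()` on line 173 is never checked; if the insert on line 172 fails (a constraint violation or connection error still returns false regardless of the new escaping), `$certid` is `0` and the code goes on to call generatecertpath and, in the next hunk, to insert `emaillink` rows pointing at id 0. Add `if(!$certid) die("404,Unable to record certificate request");` right after line 173 so a failed insert stops the request. Note also that `$csrsubject` is escaped only for SQL here; whether the addresses it embeds are checked for `/`-style subject separators before reaching the signing script is outside this hunk.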
@@ -93,14 +93,14 @@ require_once '../../includes/lib/check_weak_key.php';
        mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$certid'");
 
        foreach($emails as $emailid => $email)
-               mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='$emailid'");
+               mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='".intval($emailid)."'");
 
        $do = `../../scripts/runclient`;
        sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED
        $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''";
        $res = mysql_query($query);
        if(mysql_num_rows($res) <= 0)
-               die("404,Your certificate request has failed. ID: $certid");
+               die("404,Your certificate request has failed. ID: ".intval($certid));
        $cert = mysql_fetch_assoc($res);
        echo "200,Authentication Ok\n";
        readfile("../".$cert['crt_name']);
index 260ca4f..4eb7597 100644 (file)
@@ -25,7 +25,7 @@
        echo "200,Authentication Ok\n";
        $user = mysql_fetch_assoc($res);
        $memid = $user['id'];
-       $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' and `notary`.`deleted`=0 group by `to`";
+       $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`";
        $row = mysql_fetch_assoc(mysql_query($query));
        $points = $row['points'];
        echo "CS=".intval($user['codesign'])."\n";
@@ -40,8 +40,8 @@
                if($user['mname'] != "" && $user['suffix'] != "")
                        echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." ".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n";
        }
-       $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0";
+       $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0";
        $res = mysql_query($query);
        while($row = mysql_fetch_assoc($res))
-               echo "EMAIL=".$row['email']."\n";
+               echo "EMAIL=".sanitizeHTML($row['email'])."\n";
 ?>
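Review bot: `sanitizeHTML($row['email'])` on the new last line escapes for an HTML context, but this endpoint emits a line-oriented text protocol (`200,Authentication Ok`, `EMAIL=…`), so an address containing `&` or `'` — both legal in a local part — would reach the client as `&amp;` or `&#039;` (assuming sanitizeHTML is htmlspecialchars-like). The hazard in this format is a CR/LF that starts a bogus line, so strip those instead: `echo "EMAIL=".str_replace(array("\r", "\n"), '', $row['email'])."\n";`. The `NAME=` lines above have the same context mismatch, though that predates this commit.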
index bb71a63..40a8e86 100644 (file)
@@ -307,19 +307,19 @@ require_once('../includes/lib/l10n.php');
                        $_SESSION['profile'] = "";
                        unset($_SESSION['profile']);
                        $_SESSION['profile'] = mysql_fetch_assoc($res);
-                       $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
+                       $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".intval($_SESSION['profile']['id'])."'";
                        mysql_query($query);
 
                        if($_SESSION['profile']['language'] == "")
                        {
                                $query = "update `users` set `language`='".L10n::get_translation()."'
-                                               where `id`='".$_SESSION['profile']['id']."'";
+                                               where `id`='".intval($_SESSION['profile']['id'])."'";
                                mysql_query($query);
                        } else {
                                L10n::set_translation($_SESSION['profile']['language']);
                                L10n::init_gettext();
                        }
-                       $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
+                       $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
                        $res = mysql_query($query);
                        $row = mysql_fetch_assoc($res);
                        $_SESSION['profile']['points'] = $row['total'];
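Review bot: The new intval protects only the `id` part of the update on line 219; `$pword` is still spliced raw into `sha1('$pword')`, and whether it was escaped before this hunk cannot be seen here — either hash in PHP and interpolate only the escaped digest, or at minimum wrap it in mysql_real_escape_string. More importantly, the stored form is unsalted SHA-1, which is trivially brute-forced offline if the `users` table leaks; this looks like a rehash-on-login path, so it is the natural place to switch to `password_hash()` (PHP 5.5+) together with the comparison used elsewhere. The surrounding login function starts and ends outside the hunk.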
index dec4246..7ce757d 100644 (file)
@@ -224,8 +224,8 @@ function send_reminder()
                        exit;
                }
 
-               $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' and
-                       `to`='".$_SESSION['_config']['notarise']['id']."' and `deleted` = 0";
+               $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' and
+                       `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0";
                $res = mysql_query($query);
                if(mysql_num_rows($res) > 0)
                {
@@ -310,7 +310,7 @@ $iecho= "c";
                        exit;
                }
 
-               $query = "select * from `users` where `id`='".$_SESSION['_config']['notarise']['id']."'";
+               $query = "select * from `users` where `id`='".intval($_SESSION['_config']['notarise']['id'])."'";
                $res = mysql_query($query);
                $row = mysql_fetch_assoc($res);
                $name = $row['fname']." ".$row['mname']." ".$row['lname']." ".$row['suffix'];
@@ -332,7 +332,7 @@ $iecho= "c";
                if($newpoints < 0)
                        $newpoints = $awarded = 0;
 
-               $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['_config']['notarise']['id']."' and `deleted` = 0 group by `to`";
+               $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0 group by `to`";
                $res = mysql_query($query);
                $drow = mysql_fetch_assoc($res);
 
@@ -345,14 +345,14 @@ $iecho= "c";
                if($newpoints < 0)
                        $newpoints = 0;
 
-               if(mysql_escape_string(stripslashes($_POST['date'])) == "")
+               if(mysql_real_escape_string(stripslashes($_POST['date'])) == "")
                        $_POST['date'] = date("Y-m-d H:i:s");
 
-               $query = "select * from `notary` where `from`='".$_SESSION['profile']['id']."' AND
-                                               `to`='".$_SESSION['_config']['notarise']['id']."' AND
-                                               `awarded`='$awarded' AND
-                                               `location`='".mysql_escape_string(stripslashes($_POST['location']))."' AND
-                                               `date`='".mysql_escape_string(stripslashes($_POST['date']))."' AND
+               $query = "select * from `notary` where `from`='".intval($_SESSION['profile']['id'])."' AND
+                                               `to`='".intval($_SESSION['_config']['notarise']['id'])."' AND
+                                               `awarded`='".intval($awarded)."' AND
+                                               `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."' AND
+                                               `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."' AND
                                                `deleted`=0";
                $res = mysql_query($query);
                if(mysql_num_rows($res) > 0)
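Review bot: Line 272 calls `mysql_real_escape_string(stripslashes($_POST['date'])) == ""` merely to test for an empty value, which is an escaping call standing in for `trim($_POST['date']) == ""`, and the date then goes into the comparison on line 284 without any format check (the `check_date_format` call only appears in the next hunk, after this duplicate lookup). Validate once up front — `$date = trim(stripslashes($_POST['date'])); if($date == "") $date = date("Y-m-d H:i:s");` — and use `$date` in both this select and the later inserts. The enclosing function starts before the hunk.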
@@ -364,11 +364,11 @@ $iecho= "c";
 
        if($oldid == 6)
        {
-               $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
-                                               `to`='".$_SESSION['_config']['notarise']['id']."',
-                                               `points`='$newpoints', `awarded`='$awarded',
-                                               `location`='".mysql_escape_string(stripslashes($_POST['location']))."',
-                                               `date`='".mysql_escape_string(stripslashes($_POST['date']))."',
+               $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
+                                               `to`='".intval($_SESSION['_config']['notarise']['id'])."',
+                                               `points`='".intval($newpoints)."', `awarded`='".intval($awarded)."',
+                                               `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
+                                               `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
                                                `when`=NOW()";
                //record active acceptance by Assurer
                if (check_date_format(trim($_REQUEST['date']),2010)) {
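Review bot: The insert on line 301 stores `$_POST['date']`, but the acceptance check on line 304 validates `$_REQUEST['date']`; when the client omits the date, the previous hunk fills in `$_POST['date']` with the current time, yet `$_REQUEST['date']` keeps the original empty value, so the inserted row and the format check see different data (and, depending on request_order, a GET parameter named `date` could also diverge from the posted one). Read the value once from a single source, `$date = trim(stripslashes($_POST['date']))`, and pass that same variable both to check_date_format and into the query. Whether the query is executed before or after the check is outside this hunk.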
@@ -389,11 +389,11 @@ $iecho= "c";
                                $addpoints = 2;
                        else if($_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100)
                                $addpoints = 1;
-                       $query = "insert into `notary` set `from`='".$_SESSION['profile']['id']."',
-                                                       `to`='".$_SESSION['profile']['id']."',
-                                                       `points`='$addpoints', `awarded`='$addpoints',
-                                                       `location`='".mysql_escape_string(stripslashes($_POST['location']))."',
-                                                       `date`='".mysql_escape_string(stripslashes($_POST['date']))."',
+                       $query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
+                                                       `to`='".intval($_SESSION['profile']['id'])."',
+                                                       `points`='".intval($addpoints)."', `awarded`='".intval($addpoints)."',
+                                                       `location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
+                                                       `date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
                                                        `method`='Administrative Increase',
                                                        `when`=NOW()";
                        mysql_query($query);
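Review bot: The condition on line 307, `$_SESSION['profile']['points'] == 149 && $_SESSION['profile']['points'] >= 100`, is self-redundant — the second clause can never change the result — which suggests the first comparison was meant to be a range bound (perhaps `< 150`); it predates this commit but the intval'd `$addpoints` insert below depends on it, so it deserves a second look. Whichever bound is intended, write it as one expression, e.g. `$_SESSION['profile']['points'] >= 100 && $_SESSION['profile']['points'] < 150`, once confirmed against the assurance rules. The earlier branches of this `if` chain start outside the hunk.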
@@ -479,7 +479,7 @@ $iecho= "c";
        {
                csrf_check("chgcontact");
 
-               $info = mysql_escape_string(strip_tags(stripslashes($_POST['contactinfo'])));
+               $info = mysql_real_escape_string(strip_tags(stripslashes($_POST['contactinfo'])));
                $listme = intval($_POST['listme']);
                if($listme < 0 || $listme > 1)
                        $listme = 0;
@@ -487,7 +487,7 @@ $iecho= "c";
                $_SESSION['profile']['listme'] = $listme;
                $_SESSION['profile']['contactinfo'] = $info;
 
-               $query = "update `users` set `listme`='$listme',`contactinfo`='$info' where `id`='".$_SESSION['profile']['id']."'";
+               $query = "update `users` set `listme`='$listme',`contactinfo`='$info' where `id`='".intval($_SESSION['profile']['id'])."'";
                mysql_query($query);
 
                showheader(_("My CAcert.org Account!"));
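Review bot: `$_SESSION['profile']['contactinfo'] = $info` on line 333 caches the SQL-escaped form produced on line 327 of the previous hunk, so a value like `O'Brien` lives in the session as `O\'Brien` and is rendered with the backslash wherever the profile is shown, while the database copy is the unescaped one — session and table disagree until re-login. Keep `$info` as the cleaned plain text, `$info = strip_tags(stripslashes($_POST['contactinfo']));`, and escape only in the query: `contactinfo='".mysql_real_escape_string($info)."'`. strip_tags is not an HTML-output defense by itself; the listing page now escapes on output, which is the right place.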
@@ -508,9 +508,9 @@ $iecho= "c";
                        $body = $_REQUEST['message'];
                        $subject = $_REQUEST['subject'];
                        $userid = intval($_REQUEST['userid']);
-                       $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$userid' and `listme`=1"));
+                       $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1"));
                        $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
-                                               where `to`='".$user['id']."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0"));
+                                               where `to`='".intval($user['id'])."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0"));
                        if($points > 0)
                        {
                                $my_translation = L10n::get_translation();
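Review bot: `$subject = $_REQUEST['subject']` and `$body = $_REQUEST['message']` at the top of the hunk are taken raw and, judging by the "Your email has been sent" text in the next hunk, end up in an outgoing message; if the subject reaches a mail header unchanged, a CR/LF in it is a header-injection vector that the intval fixes here do not cover. Strip line breaks before use — `$subject = str_replace(array("\r", "\n"), ' ', $_REQUEST['subject']);` — unless the sending helper (outside the hunk) already does so. The second `intval($userid)` on line 345 is harmless but redundant, since `$userid` is already intval'd on line 343.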
@@ -546,7 +546,7 @@ $iecho= "c";
 
                                showheader(_("My CAcert.org Account!"));?>
                                <p>
-                                       <? printf(_("Your email has been sent to %s."), $user['fname']); ?>
+                                       <? printf(_("Your email has been sent to %s."), sanitizeHTML($user['fname'])); ?>
                                </p>
                                <p>[ <a href='javascript:history.go(-2)'><?= _("Go Back") ?></a> ]</p>
                                <?