
[Fmsystem-commits] [14870] Merge 14867:14869 from trunk


From: Sigurd Nes
Subject: [Fmsystem-commits] [14870] Merge 14867:14869 from trunk
Date: Tue, 29 Mar 2016 08:21:35 +0000

Revision: 14870
          http://svn.sv.gnu.org/viewvc/?view=rev&root=fmsystem&revision=14870
Author:   sigurdne
Date:     2016-03-29 08:21:34 +0000 (Tue, 29 Mar 2016)
Log Message:
-----------
Merge 14867:14869 from trunk

Modified Paths:
--------------
    branches/Version-2_0-branch/catch/templates/base/cat_filter.xsl
    branches/Version-2_0-branch/catch/templates/base/cat_select.xsl
    branches/Version-2_0-branch/hrm/templates/base/admin.xsl
    branches/Version-2_0-branch/hrm/templates/base/cat_filter.xsl
    branches/Version-2_0-branch/hrm/templates/base/cat_select.xsl
    branches/Version-2_0-branch/phpgwapi/inc/class.db.inc.php
    branches/Version-2_0-branch/phpgwapi/inc/class.phpgw.inc.php
    branches/Version-2_0-branch/phpgwapi/inc/class.xslttemplates.inc.php
    branches/Version-2_0-branch/preferences/templates/base/admin_acl.xsl
    branches/Version-2_0-branch/preferences/templates/base/cat_filter.xsl
    branches/Version-2_0-branch/sms/templates/base/cat_filter.xsl
    branches/Version-2_0-branch/sms/templates/base/cat_select.xsl

Property Changed:
----------------
    branches/Version-2_0-branch/


Property changes on: branches/Version-2_0-branch
___________________________________________________________________
Modified: svn:mergeinfo
   - /branches/dev-syncromind:13653
/branches/stavangerkommune:12743-12875,12986
/trunk:14721-14732,14734-14735,14737,14739,14741,14743-14744,14746-14749,14751,14753,14755-14757,14759,14761-14764,14766-14768,14770-14783,14785-14792,14794-14813,14815-14816,14818,14820-14822,14824-14825,14827-14829,14831-14834,14836,14838,14840-14842,14844-14845,14847,14849-14866
   + /branches/dev-syncromind:13653
/branches/stavangerkommune:12743-12875,12986
/trunk:14721-14732,14734-14735,14737,14739,14741,14743-14744,14746-14749,14751,14753,14755-14757,14759,14761-14764,14766-14768,14770-14783,14785-14792,14794-14813,14815-14816,14818,14820-14822,14824-14825,14827-14829,14831-14834,14836,14838,14840-14842,14844-14845,14847,14849-14866,14868-14869

Modified: branches/Version-2_0-branch/catch/templates/base/cat_filter.xsl
===================================================================
--- branches/Version-2_0-branch/catch/templates/base/cat_filter.xsl     
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/catch/templates/base/cat_filter.xsl     
2016-03-29 08:21:34 UTC (rev 14870)
@@ -24,7 +24,7 @@
        <xsl:template match="cat_list">
        <xsl:variable name="id"><xsl:value-of select="id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>
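Review bot: The condition `selected='selected' or selected = 1` is now duplicated verbatim across the nine templates in this commit (this file, `catch/.../cat_select.xsl`, `hrm/.../admin.xsl`, `hrm/.../cat_filter.xsl`, `hrm/.../cat_select.xsl`, `preferences/.../admin_acl.xsl`, `preferences/.../cat_filter.xsl`, `sms/.../cat_filter.xsl`, `sms/.../cat_select.xsl`), so the next change to how `selected` is represented has to be repeated nine times; a one-line comment next to each, `<!-- selected arrives either as the string 'selected' or as the flag 1 -->`, would at least record why both forms are accepted. The `<option>` kept in context still writes `name` with `disable-output-escaping="yes"`, so whatever builds the category list on the PHP side remains responsible for HTML-escaping it; that is pre-existing rather than introduced here. The `cat_list` template's `xsl:otherwise` branch continues past the hunk.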

Modified: branches/Version-2_0-branch/catch/templates/base/cat_select.xsl
===================================================================
--- branches/Version-2_0-branch/catch/templates/base/cat_select.xsl     
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/catch/templates/base/cat_select.xsl     
2016-03-29 08:21:34 UTC (rev 14870)
@@ -12,7 +12,7 @@
        <xsl:template match="cat_list">
        <xsl:variable name="cat_id"><xsl:value-of 
select="cat_id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$cat_id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>

Modified: branches/Version-2_0-branch/hrm/templates/base/admin.xsl
===================================================================
--- branches/Version-2_0-branch/hrm/templates/base/admin.xsl    2016-03-29 
08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/hrm/templates/base/admin.xsl    2016-03-29 
08:21:34 UTC (rev 14870)
@@ -852,7 +852,7 @@
        <xsl:template match="vendor_category">
        <xsl:variable name="cat_id"><xsl:value-of 
select="cat_id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$cat_id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>

Modified: branches/Version-2_0-branch/hrm/templates/base/cat_filter.xsl
===================================================================
--- branches/Version-2_0-branch/hrm/templates/base/cat_filter.xsl       
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/hrm/templates/base/cat_filter.xsl       
2016-03-29 08:21:34 UTC (rev 14870)
@@ -24,7 +24,7 @@
        <xsl:template match="cat_list">
        <xsl:variable name="cat_id"><xsl:value-of 
select="cat_id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$cat_id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>

Modified: branches/Version-2_0-branch/hrm/templates/base/cat_select.xsl
===================================================================
--- branches/Version-2_0-branch/hrm/templates/base/cat_select.xsl       
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/hrm/templates/base/cat_select.xsl       
2016-03-29 08:21:34 UTC (rev 14870)
@@ -12,7 +12,7 @@
        <xsl:template match="cat_list">
        <xsl:variable name="cat_id"><xsl:value-of 
select="cat_id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$cat_id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>

Modified: branches/Version-2_0-branch/phpgwapi/inc/class.db.inc.php
===================================================================
--- branches/Version-2_0-branch/phpgwapi/inc/class.db.inc.php   2016-03-29 
08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/phpgwapi/inc/class.db.inc.php   2016-03-29 
08:21:34 UTC (rev 14870)
@@ -742,8 +742,17 @@
                {
 //                     return;
                        $sql_parts = preg_split('/where/i', $sql);
-                       if (is_array($sql_parts) && count($sql_parts) >1 )
+                       if (is_array($sql_parts) && count($sql_parts) > 1 )
                        {
+                               switch ( $this->Type )
+                               {
+                                       case 'postgres':
+                                               $pattern = 
"/((?=.*\bUNION\b)(?=.*\bALL\b)|\bPG_SLEEP\b|\bCHR\b|\bGENERATE_SERIES\b)/i";
+                                               break;
+                                       default:
+                                               $pattern = 
"/((?=.*\bUNION\b)(?=.*\bALL\b)|\bCHR\b)/i";
+                               }
+
                                $first_element = true;
                                foreach ($sql_parts as $sql_part)
                                {
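Review bot: The `default` arm of the new `switch ( $this->Type )` silently applies the shorter pattern to every driver name other than the literal `'postgres'`, so if the PostgreSQL driver is ever identified by another spelling the `PG_SLEEP` and `GENERATE_SERIES` terms are dropped with no signal. A comment above the switch stating which values `$this->Type` can carry here, such as `// $this->Type is the configured driver name; only the spelling 'postgres' selects the PostgreSQL-specific terms`, would make that assumption visible. The keyword list is a heuristic detector for a few known markers, not an input-validation layer, and a second comment, `// detection aid only; parameterised queries remain the actual defence`, would keep a later maintainer from treating it as the primary control. The enclosing method starts before the hunk.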
@@ -752,7 +761,7 @@
                                                $first_element = false;
                                                continue;
                                        }
-                                       
if(preg_match("/((?=.*\bUNION\b)(?=.*\bALL\b)|\bPG_SLEEP\b|\bCHR\b|\bGENERATE_SERIES\b)/i",
 $sql))
+                                       if(preg_match($pattern, $sql))
                                        {
                                                $this->transaction_abort();
                                                trigger_error('Attempt on 
SQL-injection', E_USER_ERROR);
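Review bot: `if(preg_match($pattern, $sql))` on the replaced line still tests the whole statement rather than the current `$sql_part`, so the `foreach ($sql_parts as $sql_part)` loop and the skip of its first element have no effect on what is matched: the same test runs once per part against the full `$sql`, and a keyword before the first `where` is flagged exactly like one after it. The `preg_split('/where/i', $sql)` and the first-element skip suggest the intent was to inspect only the text after WHERE; if so the line should read `if(preg_match($pattern, $sql_part))`, and if the whole statement is meant the loop can be removed. Note too that `/where/i` splits on the substring anywhere, including inside an identifier, which the comment above the split could acknowledge. The enclosing method continues past the hunk.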

Modified: branches/Version-2_0-branch/phpgwapi/inc/class.phpgw.inc.php
===================================================================
--- branches/Version-2_0-branch/phpgwapi/inc/class.phpgw.inc.php        
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/phpgwapi/inc/class.phpgw.inc.php        
2016-03-29 08:21:34 UTC (rev 14870)
@@ -367,8 +367,41 @@
 
                                return self::clean_value($value, $value_type, 
$default);
                        }
-                       
+
+                       public static function get_ip_address() {
+                               $ip_keys = array('HTTP_CLIENT_IP', 
'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 
'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR');
+                               foreach ($ip_keys as $key)
+                               {
+                                       if (array_key_exists($key, $_SERVER) 
=== true)
+                                       {
+                                               foreach (explode(',', 
$_SERVER[$key]) as $ip)
+                                               {
+                                                       // trim for safety 
measures
+                                                       $ip = trim($ip);
+                                                       // attempt to validate 
IP
+                                                       if 
(self::validate_ip($ip))
+                                                       {
+                                                               return $ip;
+                                                       }
+                                               }
+                                       }
+                               }
+                               return isset($_SERVER['REMOTE_ADDR']) ? 
$_SERVER['REMOTE_ADDR'] : false;
+                       }
+
                        /**
+                        * Ensures an ip address is both a valid IP and does 
not fall within
+                        * a private network range.
+                        */
+                       public static function validate_ip($ip)
+                       {
+                               if (filter_var($ip, FILTER_VALIDATE_IP, 
FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === 
false) {
+                                       return false;
+                               }
+                               return true;
+                       }
+
+                       /**
                        * Test (and sanitise) the value of a variable
                        *
                        * @param mixed $value the value to test
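Review bot: `get_ip_address()` consults the client-supplied headers `HTTP_CLIENT_IP`, `HTTP_X_FORWARDED_FOR` and the other `HTTP_*` entries before `REMOTE_ADDR`, so the sender of a request chooses the address this function returns, and since its only consumer in this commit is the injection log entry, the recorded IP is whatever the sender puts in a header. Unless the deployment sits behind a trusted reverse proxy that overwrites those headers, the safe default for an audit record is `REMOTE_ADDR`, with forwarded headers honoured only when `REMOTE_ADDR` is a configured proxy address. `validate_ip()` passes `FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`, so an IPv6 client or a private-range `REMOTE_ADDR` behind a proxy never validates and the function falls through to the raw `$_SERVER['REMOTE_ADDR']` on the last line, which its docblock ("does not fall within a private network range") does not describe. The docblock should say `Returns true only for a public IPv4 address; IPv6, private and reserved ranges are rejected.`, and `get_ip_address()` needs a header such as `Best-effort client address for logging only; header values are attacker-controlled and must not drive access decisions.`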
@@ -395,6 +428,34 @@
                                                $value = stripslashes($value);
                                }
 
+                               if(preg_match('/\'$/', $value))
+                               {
+                                       $error =  'SQL-injection spottet.';
+                                       $error .= " <br/> Your IP is logged";
+                                       $ip_address = self::get_ip_address();
+                                       if($_POST) //$_POST: it "could" be a 
valid userinput...
+                                       {
+                                               /*
+                                                * Log entry - just in case..
+                                                */
+                                                       
$GLOBALS['phpgw']->log->error(array(
+                                                       'text'  => 'Possible 
SQL-injection spottet from IP: %1. Error: %2',
+                                                       'p1'    => $ip_address,
+                                                       'p2'    => 'input value 
ending with apos',
+                                                       'line'  => __LINE__,
+                                                       'file'  => __FILE__
+                                               ));
+
+                                       }
+                                       else
+                                       {
+                                               echo $error;
+                                               
$GLOBALS['phpgw_info']['flags']['xslt_app'] = false;
+                                               trigger_error("$error: 
{$ip_address}", E_USER_ERROR);
+                                               
$GLOBALS['phpgw']->common->phpgw_exit();
+                                       }
+                               }
+
                                switch ( $value_type )
                                {
                                        case 'string':
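Review bot: The new `preg_match('/\'$/', $value)` check treats any value ending in a single quote as an injection attempt, so ordinary input such as a possessive plural or a quoted fragment in a search field trips it, and for a non-POST request the `else` branch echoes the message, raises `E_USER_ERROR` and calls `phpgw_exit()` — a hard failure on a heuristic that the parameterised query layer, not this function, should make unnecessary. The two branches are also inconsistent: POST input is only logged while everything else aborts, and `if($_POST)` tests whether any POST body exists rather than where `$value` came from. If the check stays, log in both branches and leave the decision to the caller, and correct the runtime string: `'text' => 'Possible SQL-injection spotted from IP: %1. Error: %2',`. If `$value` can still be an array here (the `stripslashes($value)` above hints at a string, but the guard is outside the hunk), `preg_match` will emit a warning, so `is_string($value) &&` should precede it. The enclosing method starts and ends outside the hunk.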

Modified: branches/Version-2_0-branch/phpgwapi/inc/class.xslttemplates.inc.php
===================================================================
--- branches/Version-2_0-branch/phpgwapi/inc/class.xslttemplates.inc.php        
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/phpgwapi/inc/class.xslttemplates.inc.php        
2016-03-29 08:21:34 UTC (rev 14870)
@@ -257,12 +257,6 @@
        <!DOCTYPE xsl:stylesheet [
                <!ENTITY nl "&#10;">
                <!ENTITY nbsp "&#160;">
-               <!ENTITY AElig "&#198;">
-               <!ENTITY aelig "&#230;">
-               <!ENTITY Oslash "&#216;">
-               <!ENTITY oslash "&#248;">
-               <!ENTITY Aring "&#197;">
-               <!ENTITY aring "&#229;">
                ]>
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; 
version="1.0"
                xmlns:phpgw="http://phpgroupware.org/functions";

Modified: branches/Version-2_0-branch/preferences/templates/base/admin_acl.xsl
===================================================================
--- branches/Version-2_0-branch/preferences/templates/base/admin_acl.xsl        
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/preferences/templates/base/admin_acl.xsl        
2016-03-29 08:21:34 UTC (rev 14870)
@@ -899,7 +899,7 @@
                <xsl:value-of select="cat_id"/>
        </xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                        <option value="{$cat_id}" selected="selected">
                                <xsl:value-of disable-output-escaping="yes" 
select="name"/>
                        </option>

Modified: branches/Version-2_0-branch/preferences/templates/base/cat_filter.xsl
===================================================================
--- branches/Version-2_0-branch/preferences/templates/base/cat_filter.xsl       
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/preferences/templates/base/cat_filter.xsl       
2016-03-29 08:21:34 UTC (rev 14870)
@@ -24,7 +24,7 @@
        <xsl:template match="cat_list">
        <xsl:variable name="cat_id"><xsl:value-of 
select="cat_id"/></xsl:variable>
                <xsl:choose>
-                       <xsl:when test="selected='selected'">
+                       <xsl:when test="selected='selected' or selected = 1">
                                <option value="{$cat_id}" 
selected="selected"><xsl:value-of disable-output-escaping="yes" 
select="name"/></option>
                        </xsl:when>
                        <xsl:otherwise>

Modified: branches/Version-2_0-branch/sms/templates/base/cat_filter.xsl
===================================================================
--- branches/Version-2_0-branch/sms/templates/base/cat_filter.xsl       
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/sms/templates/base/cat_filter.xsl       
2016-03-29 08:21:34 UTC (rev 14870)
@@ -34,7 +34,7 @@
                <xsl:value-of select="id"/>
        </xsl:variable>
        <xsl:choose>
-               <xsl:when test="selected='selected'">
+               <xsl:when test="selected='selected' or selected = 1">
                        <option value="{$id}" selected="selected">
                                <xsl:value-of disable-output-escaping="yes" 
select="name"/>
                        </option>

Modified: branches/Version-2_0-branch/sms/templates/base/cat_select.xsl
===================================================================
--- branches/Version-2_0-branch/sms/templates/base/cat_select.xsl       
2016-03-29 08:19:31 UTC (rev 14869)
+++ branches/Version-2_0-branch/sms/templates/base/cat_select.xsl       
2016-03-29 08:21:34 UTC (rev 14870)
@@ -20,7 +20,7 @@
                <xsl:value-of select="cat_id"/>
        </xsl:variable>
        <xsl:choose>
-               <xsl:when test="selected='selected'">
+               <xsl:when test="selected='selected' or selected = 1">
                        <option value="{$cat_id}" selected="selected">
                                <xsl:value-of disable-output-escaping="yes" 
select="name"/>
                        </option>



