[Noalyss-commit] [noalyss] 57/218: Security : direct injection
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 57/218: Security : direct injection |
Date: |
Thu, 12 Sep 2019 15:58:40 -0400 (EDT) |
sparkyx pushed a commit to branch entreprise
in repository noalyss.
commit fd6886835ce58da71fe62275dc2e7cde90181702
Author: Dany De Bontridder <address@hidden>
Date: Thu May 31 23:04:59 2018 +0200
Security : direct injection
---
html/do.php | 2 +-
html/popup.php | 20 +++++++++------
html/recherche.php | 7 ++++--
include/class/acc_ledger_search.class.php | 41 +++++++++++--------------------
include/lib/html_input.class.php | 2 +-
include/lib/http_input.class.php | 4 +--
6 files changed, 35 insertions(+), 41 deletions(-)
diff --git a/html/do.php b/html/do.php
index 2635141..73669e6 100644
--- a/html/do.php
+++ b/html/do.php
@@ -263,7 +263,7 @@ if (isset($_REQUEST['ac']))
}
$_REQUEST['ac']= trim(strtoupper($_REQUEST['ac']));
- $AC=$_REQUEST['ac'];
+ $AC=$http->request('ac');
$user_profile=$g_user->get_profile();
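Review bot: The normalisation on the line above (`$_REQUEST['ac']= trim(strtoupper($_REQUEST['ac']))`) is applied to the superglobal, but the new line reads the value through `$http->request('ac')`; if HttpInput copies the request array when it is constructed, `$AC` will no longer be trimmed or upper-cased, which silently changes every comparison done on it afterwards. Applying the normalisation to the value actually used, `$AC=trim(strtoupper($http->request('ac')));`, keeps the two in step regardless of how HttpInput is implemented. The call also passes no type, so whatever default type `request()` applies is what protects `ac` here; naming the type explicitly would make the intended validation visible. The surrounding `if (isset($_REQUEST['ac']))` block starts outside the hunk, and `$http` is not created within it.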
diff --git a/html/popup.php b/html/popup.php
index 8118411..f1a3c8a 100644
--- a/html/popup.php
+++ b/html/popup.php
@@ -83,14 +83,15 @@ if ( basename($_GET['op']) == 'history' )
$to_periode='to_periode='.format_date($limit[1]->p_end);
if (isset($_GET['ex']))
{
- if ( $exercice > $_GET['ex'])
+ $ex=$http->get("ex","number");
+ if ( $exercice > $ex)
{
- $limit_periode=$periode->get_limit($_GET['ex']);
+ $limit_periode=$periode->get_limit($ex);
$from_periode='from_periode='.format_date($limit_periode[0]->p_start);
}
else
{
- $limit_periode=$periode->get_limit($_GET['ex']);
+ $limit_periode=$periode->get_limit($ex);
$to_periode='to_periode='.format_date($limit_periode[1]->p_end);
}
@@ -98,13 +99,15 @@ if ( basename($_GET['op']) == 'history' )
if (isset($_GET['pcm_val']) )
{
-
$href_csv="export.php?".$href.'&poste_id='.$_GET['pcm_val'].'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=CSV:postedetail";
-
$href_pdf="export.php?".$href.'&poste_id='.$_GET['pcm_val'].'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=PDF:postedetail";;
+ $pcm_val=$http->get("pcm_val");
+
$href_csv="export.php?".$href.'&poste_id='.$pcm_val.'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=CSV:postedetail";
+
$href_pdf="export.php?".$href.'&poste_id='.$pcm_val.'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=PDF:postedetail";;
}
else
{
-
$href_csv="export.php?".$href.'&f_id='.$_GET['f_id'].'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=CSV:fichedetail";
-
$href_pdf="export.php?".$href.'&f_id='.$_GET['f_id'].'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=PDF:fichedetail";
+ $f_id=$http->get("f_id","number");
+
$href_csv="export.php?".$href.'&f_id='.$f_id.'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=CSV:fichedetail";
+
$href_pdf="export.php?".$href.'&f_id='.$f_id.'&ople=0&type=poste&'.$from_periode.'&'.$to_periode."&act=PDF:fichedetail";
}
echo HtmlInput::print_window();
echo '<a class="smallbutton" href="'.$href_csv.'">'._("Export
CSV").'</a>';
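Review bot: `$pcm_val` on the first added line is read without a type and then concatenated into `$href_csv`/`$href_pdf`, which the last lines of the hunk print raw inside `href="…"`; strip_tags removes tags but leaves `"`, `'` and `&` in place, so neither the query-string context nor the attribute context is actually protected by this change. The `else` branch types `f_id` as a number, so the asymmetry with `pcm_val` looks unintended. I would build the link with `'&poste_id='.urlencode($pcm_val)` and print it as `htmlspecialchars($href_csv, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (same for `$href_pdf`), which also covers the pre-existing `$from_periode`/`$to_periode` parts. The enclosing `if ( basename($_GET['op']) == 'history' )` block starts outside the hunk.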
@@ -118,8 +121,9 @@ echo HtmlInput::hidden('inpopup',1);
load_all_script();
$str=$_SERVER['QUERY_STRING']."&div=popup";
+$ajax=$http->get("ajax");
$script="
- var
obj={id:'popup',fixed:1,cssclass:'content',style:'width:auto',html:loading(),qs:'$str',js_success:'success_box',js_error:null,callback:'".$_GET['ajax']."'};
+ var
obj={id:'popup',fixed:1,cssclass:'content',style:'width:auto',html:loading(),qs:'$str',js_success:'success_box',js_error:null,callback:'".$ajax."'};
show_box(obj);
";
echo create_script($script);
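Review bot: `$ajax` is spliced into a single-quoted JavaScript string literal (`callback:'".$ajax."'`) in an inline script, and strip_tags does not touch quotes or backslashes, so a value containing `'` still terminates the literal; tag stripping is the wrong encoding for a JS context. Since `callback` is used as a function name, the safest form is to validate it as an identifier before use, e.g. `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ajax)) { $ajax=''; }`, or otherwise emit it with `json_encode($ajax)` instead of hand-quoting. The same concern applies to `qs:'$str'` on the context line, which embeds `$_SERVER['QUERY_STRING']` unescaped and is not addressed by this commit.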
diff --git a/html/recherche.php b/html/recherche.php
index 460a674..03f35e2 100644
--- a/html/recherche.php
+++ b/html/recherche.php
@@ -27,11 +27,13 @@ include_once NOALYSS_INCLUDE.'/lib/ac_common.php';
require_once NOALYSS_INCLUDE.'/class/acc_ledger.class.php';
require_once NOALYSS_INCLUDE.'/class/acc_ledger_search.class.php';
require_once NOALYSS_INCLUDE.'/lib/icon_action.class.php';
+require_once NOALYSS_INCLUDE.'/lib/http_input.class.php';
html_page_start($_SESSION['g_theme']);
load_all_script();
+$http=new HttpInput();
$gDossier=dossier::id();
@@ -95,8 +97,9 @@ if ( isset ($_GET['viewsearch']))
// Navigation bar
$step=$_SESSION['g_pagesize'];
- $page=(isset($_GET['offset']))?$_GET['page']:1;
- $offset=(isset($_GET['offset']))?$_GET['offset']:0;
+ $page=$http->get("page","number",1);
+ $offset=$http->get("offset","number",0);
+
if (count ($_GET) == 0)
$array=null;
else
diff --git a/include/class/acc_ledger_search.class.php
b/include/class/acc_ledger_search.class.php
index 464f51b..15fa171 100644
--- a/include/class/acc_ledger_search.class.php
+++ b/include/class/acc_ledger_search.class.php
@@ -98,6 +98,7 @@ class Acc_Ledger_Search
function search_form()
{
global $g_user;
+ $http=new HttpInput();
$r="";
$bledger_param=json_encode(array(
'dossier'=>Dossier::id(),
@@ -138,49 +139,35 @@ class Acc_Ledger_Search
$date_end_hidden=HtmlInput::hidden("{$this->div}date_end_hidden",
$date_end);
/* widget for date_start */
$f_date_start=new IDate('date_start', '', $this->div."date_start");
- /* all periode or only the selected one */
- if (isset($_REQUEST['date_start']))
- {
- $f_date_start->value=$_REQUEST['date_start'];
- }
- else
- {
- $f_date_start->value=$date_start;
- }
+ /* all periode or only the selected one */
+ $f_date_start->value=$http->request("date_start","string",$date_start);
+
/* widget for date_end */
$f_date_end=new IDate('date_end', '', $this->div."date_end");
+
/* all date or only the selected one */
- if (isset($_REQUEST['date_end']))
- {
- $f_date_end->value=$_REQUEST['date_end'];
- }
- else
- {
- $f_date_end->value=$date_end;
- }
+ $f_date_end->value=$http->request("date_end","string",$date_end);
+
/* widget for date term */
$f_date_paid_start=new IDate('date_paid_start', '',
$this->div."date_paid_start");
$f_date_paid_end=new IDate('date_paid_end', '',
$this->div."date_paid_end");
-
$f_date_paid_start->value=(isset($_REQUEST['date_paid_start']))?$_REQUEST['date_paid_start']:'';
-
$f_date_paid_end->value=(isset($_REQUEST['date_paid_end']))?$_REQUEST['date_paid_end']:'';
+
$f_date_paid_start->value=$http->request("date_paid_start","string","");
+ $f_date_paid_end->value=$http->request("date_paid_end","string","");
/* widget for desc */
$f_descript=new IText('desc', "", $this->div."desc");
$f_descript->size=40;
- if (isset($_REQUEST['desc']))
- {
- $f_descript->value=$_REQUEST['desc'];
- }
+ $f_descript->value=$http->request('desc',"string","");
/* widget for amount */
$f_amount_min=new INum('amount_min', '0', $this->div."amount_min");
-
$f_amount_min->value=(isset($_REQUEST['amount_min']))?abs($_REQUEST['amount_min']):0;
+ $f_amount_min->value=$http->request("amount_min","string",0);
$f_amount_max=new INum('amount_max', '0', $this->div."amount_max");
-
$f_amount_max->value=(isset($_REQUEST['amount_max']))?abs($_REQUEST['amount_max']):0;
+ $f_amount_max->value=$http->request("amount_max","string",0);
/* input quick code */
$f_qcode=new ICard($this->div.'qcode');
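Review bot: The replacement for `amount_min`/`amount_max` near the end of the hunk drops the `abs()` the old code applied and declares the parameters as `"string"`, so negative or non-numeric amounts now pass into `INum` widgets untouched; this is a validation regression rather than a pure refactor. Keeping the old semantics would be `$f_amount_min->value=abs($http->request("amount_min","number",0));` and the same for `amount_max`, assuming `check_type` accepts `"number"` for an absent value with a default. The date fields are likewise typed `"string"`; if HttpInput has a date type it would be the better choice for `date_start`, `date_end`, `date_paid_start` and `date_paid_end`. Also worth noting that strip_tags inside `request()` does not escape attribute quotes, so the widgets' own rendering still has to escape `->value`. `search_form()` begins in the previous hunk and continues past this one.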
@@ -196,7 +183,7 @@ class Acc_Ledger_Search
$f_qcode->set_function('fill_data');
$f_qcode->javascript=sprintf(' onchange="fill_data_onchange(%s);" ',
$f_qcode->name);
-
$f_qcode->value=(isset($_REQUEST[$this->div.'qcode']))?$_REQUEST[$this->div.'qcode']:'';
+ $f_qcode->value=$http->request($this->div.'qcode',"string","");
/* $f_txt_qcode=new IText('qcode');
$f_txt_qcode->value=(isset($_REQUEST['qcode']))?$_REQUEST['qcode']:'';
@@ -204,7 +191,7 @@ class Acc_Ledger_Search
/* input poste comptable */
$f_accounting=new IPoste('accounting', "", $this->div."accounting");
-
$f_accounting->value=(isset($_REQUEST['accounting']))?$_REQUEST['accounting']:'';
+ $f_accounting->value=$http->request('accounting',"string","");
/*
* utile ??? Filtre les postes comptables en fonction du journal
* if ($this->id==-1)
diff --git a/include/lib/html_input.class.php b/include/lib/html_input.class.php
index cfabb49..0892966 100755
--- a/include/lib/html_input.class.php
+++ b/include/lib/html_input.class.php
@@ -221,7 +221,7 @@ class HtmlInput
{
if ($p_id=="")
$p_id=$p_name;
- return '<INPUT TYPE="hidden" id="'.$p_id.'" NAME="'.$p_name.'"
VALUE="'.$p_value.'">';
+ return '<INPUT TYPE="hidden" id="'.strip_tags($p_id).'"
NAME="'.$p_name.'" VALUE="'.strip_tags($p_value).'">';
}
static function extension()
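Review bot: The rewritten `return` strips tags from `$p_id` and `$p_value` but both land inside double-quoted HTML attributes, where the character that matters is `"`; strip_tags leaves it untouched, so a value containing a double quote still closes the attribute, and `$p_name` is not treated at all. strip_tags also destroys legitimate data (a hidden field carrying a description such as `a <b`), so it is the wrong transformation for this context. Escaping for the attribute context handles both: `return '<INPUT TYPE="hidden" id="'.htmlspecialchars($p_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'" NAME="'.htmlspecialchars($p_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'" VALUE="'.htmlspecialchars($p_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'">';`. The function signature is outside the hunk.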
diff --git a/include/lib/http_input.class.php b/include/lib/http_input.class.php
index 6772c0e..5dd1a33 100644
--- a/include/lib/http_input.class.php
+++ b/include/lib/http_input.class.php
@@ -108,7 +108,7 @@ class HttpInput
if (array_key_exists($p_name,$this->array) )
{
$this->check_type($p_name, $p_type);
- return $this->array[$p_name];
+ return strip_tags($this->array[$p_name]);
}
else
{
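Review bot: `strip_tags($this->array[$p_name])` assumes the parameter is a scalar, but request arrays can carry array values (multi-select or `name[]` fields); on those strip_tags emits a warning and returns null on PHP 7 and throws a TypeError on PHP 8, so a previously working form would now break, and `check_type` a line earlier is presumably what already validates the non-string types. The same pattern appears in the second hunk of this file (the `return` before `catch (Exception $e)`). Guarding the stripping, `$v=$this->array[$p_name]; return is_string($v) ? strip_tags($v) : $v;`, avoids the crash; more generally strip_tags at input time mutates data (legitimate `<` in free text is lost) without protecting attribute, JavaScript or URL contexts, so callers still need context-specific escaping on output, which would be worth a one-line comment above these returns. Both enclosing methods start outside their hunks.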
@@ -121,7 +121,7 @@ class HttpInput
EXC_PARAM_VALUE);
}
$this->check_type($p_name, $p_type);
- return $this->array[$p_name];
+ return strip_tags($this->array[$p_name]);
}
catch (Exception $e)
{