This is an automated email from the ASF dual-hosted git repository.
jfthomps pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/vcl.git
The following commit(s) were added to refs/heads/develop by this push:
new 8ff93235 VCL-1138 - make PHP code compatible with PHP 8
8ff93235 is described below
commit 8ff93235d346ef44947cc7a60e1d6ce60e99d184
Author: Josh Thompson <[email protected]>
AuthorDate: Thu Jan 11 15:36:05 2024 -0500
VCL-1138 - make PHP code compatible with PHP 8
generally:
-added default values when processing POST or GET input data so NULL values
aren't assigned
-removed calls to get_magic_quotes_gpc and stripslashes
-changed how date and time values are formatted to remove calls to strftime
-added checks for variables having NULL value before using string functions
(such as strpos, strlen) on them
-for some classes, added some variable declarations to top of class
additional specifics:
help.php: changed calls to mysql_fetch_assoc to call mysqli_fetch_assoc
requests.php: modified printImageDescription to use new function htmlwrap
that wraps strings without counting the characters used by html tags
utils.php:
-changed __autoload to vclAutoLoader registered with spl_autoload_register
-added doPSQuery, similar to doQuery but uses prepared statements
-added minToDaysHourMin
-added htmlwrap
-modified getVariable, getVariablesRegex, and setVariable to use doPSQuery
instead of doQuery
-modified getFSlocales to use fgets and strip_tags instead of fgetss
---
web/.ht-inc/addomain.php | 12 +-
web/.ht-inc/authentication.php | 24 +---
web/.ht-inc/blockallocations.php | 12 +-
web/.ht-inc/computer.php | 34 +++--
web/.ht-inc/groups.php | 10 +-
web/.ht-inc/help.php | 27 ++--
web/.ht-inc/image.php | 59 ++++----
web/.ht-inc/managementnode.php | 53 ++++----
web/.ht-inc/oneclick.php | 8 +-
web/.ht-inc/privileges.php | 65 ++++++---
web/.ht-inc/requests.php | 30 +++--
web/.ht-inc/resource.php | 12 +-
web/.ht-inc/schedule.php | 4 +-
web/.ht-inc/serverprofiles.php | 32 ++---
web/.ht-inc/siteconfig.php | 52 ++++---
web/.ht-inc/sitemaintenance.php | 32 +++--
web/.ht-inc/statistics.php | 23 ++--
web/.ht-inc/userpreferences.php | 8 +-
web/.ht-inc/utils.php | 285 ++++++++++++++++++++++++++++++++-------
web/.ht-inc/vm.php | 62 ++++++---
web/.ht-inc/xmlrpcWrappers.php | 56 +++-----
21 files changed, 565 insertions(+), 335 deletions(-)
diff --git a/web/.ht-inc/addomain.php b/web/.ht-inc/addomain.php
index f86ebf77..ec1e2536 100644
--- a/web/.ht-inc/addomain.php
+++ b/web/.ht-inc/addomain.php
@@ -513,13 +513,13 @@ class ADdomain extends Resource {
$errormsg = array();
$return['rscid'] = getContinuationVar('rscid', 0);
- $return["name"] = processInputVar("name", ARG_STRING);
+ $return["name"] = processInputVar("name", ARG_STRING, '');
$return["owner"] = processInputVar("owner", ARG_STRING,
"{$user["unityid"]}@{$user['affiliation']}");
- $return["domaindnsname"] = processInputVar("domaindnsname",
ARG_STRING);
- $return["username"] = processInputVar("username", ARG_STRING);
- $return["password"] = $_POST['password'];
- $return["password2"] = $_POST['password2'];
- $return["dnsservers"] = processInputVar("dnsservers",
ARG_STRING);
+ $return["domaindnsname"] = processInputVar("domaindnsname",
ARG_STRING, '');
+ $return["username"] = processInputVar("username", ARG_STRING,
'');
+ $return["password"] = $_POST['password'] ? $_POST['password'] :
'';
+ $return["password2"] = $_POST['password2'] ?
$_POST['password2'] : '';
+ $return["dnsservers"] = processInputVar("dnsservers",
ARG_STRING, '');
$return["usedbhostnames"] = processInputVar('usedbhostnames',
ARG_NUMERIC, 0);
if(!
preg_match("/^([A-Za-z0-9-!@#$%^&\*\(\)_=\+\[\]{}\\\|:;,\.\/\?~` ]){2,30}$/",
$return['name'])) {
diff --git a/web/.ht-inc/authentication.php b/web/.ht-inc/authentication.php
index cb725346..f908fb87 100644
--- a/web/.ht-inc/authentication.php
+++ b/web/.ht-inc/authentication.php
@@ -78,10 +78,7 @@ function getAuthCookieData($loginid, $authtype, $valid=600,
$shibauthid=0) {
////////////////////////////////////////////////////////////////////////////////
function readAuthCookie() {
global $keys, $AUTHERROR, $shibauthed;
- if(get_magic_quotes_gpc())
- $cookie = stripslashes($_COOKIE["VCLAUTH"]);
- else
- $cookie = $_COOKIE["VCLAUTH"];
+ $cookie = $_COOKIE["VCLAUTH"];
$cookie = base64_decode($cookie);
if(! openssl_public_decrypt($cookie, $tmp, $keys['public'])) {
# cookie is invalid; clear it and return NULL so will get
redirected to log in again
@@ -157,10 +154,7 @@ function getAuthTypeFromAuthCookie() {
global $keys, $AUTHERROR;
if(! array_key_exists('VCLAUTH', $_COOKIE))
return NULL;
- if(get_magic_quotes_gpc())
- $cookie = stripslashes($_COOKIE["VCLAUTH"]);
- else
- $cookie = $_COOKIE["VCLAUTH"];
+ $cookie = $_COOKIE["VCLAUTH"];
$cookie = base64_decode($cookie);
if(! openssl_public_decrypt($cookie, $tmp, $keys['public'])) {
$AUTHERROR["code"] = 3;
@@ -192,7 +186,7 @@ function getAuthTypeFromAuthCookie() {
////////////////////////////////////////////////////////////////////////////////
function selectAuth() {
global $HTMLheader, $printedHTMLheader, $authMechs, $skin;
- $authtype = getContinuationVar('authtype', processInputVar("authtype",
ARG_STRING));
+ $authtype = getContinuationVar('authtype', processInputVar("authtype",
ARG_STRING, ''));
if($authtype == '' && array_key_exists('VCLAUTHSEL', $_COOKIE))
$authtype = $_COOKIE['VCLAUTHSEL'];
if(array_key_exists('clearselection', $_GET) && $_GET['clearselection']
== 1) {
@@ -285,7 +279,7 @@ function printLoginPageWithSkin($authtype,
$servertimeout=0) {
function printLoginPage($servertimeout=0) {
global $authMechs, $skin, $user;
$user['id'] = 0;
- $authtype = getContinuationVar("authtype", processInputVar("authtype",
ARG_STRING));
+ $authtype = getContinuationVar("authtype", processInputVar("authtype",
ARG_STRING, ''));
if($authtype == '' && array_key_exists('VCLAUTHSEL', $_COOKIE))
$authtype = $_COOKIE['VCLAUTHSEL'];
if(isset($_GET['userid']))
@@ -298,8 +292,6 @@ function printLoginPage($servertimeout=0) {
dbDisconnect();
exit;
}
- if(get_magic_quotes_gpc())
- $userid = stripslashes($userid);
$userid = htmlspecialchars($userid);
$extrafailedmsg = '';
if($servertimeout)
@@ -386,7 +378,7 @@ function printLoginPage($servertimeout=0) {
////////////////////////////////////////////////////////////////////////////////
function submitLogin() {
global $authMechs;
- $authtype = getContinuationVar("authtype", processInputVar('authtype',
ARG_STRING));
+ $authtype = getContinuationVar("authtype", processInputVar('authtype',
ARG_STRING, ''));
if(! array_key_exists($authtype, $authMechs)) {
// FIXME - hackerish
dbDisconnect();
@@ -400,10 +392,6 @@ function submitLogin() {
selectAuth();
return;
}
- if(get_magic_quotes_gpc()) {
- $userid = stripslashes($userid);
- $passwd = stripslashes($passwd);
- }
if($authMechs[$authtype]['type'] == 'ldap')
ldapLogin($authtype, $userid, $passwd);
elseif($authMechs[$authtype]['type'] == 'local')
@@ -631,6 +619,8 @@ function checkExpiredDemoUser($userid, $groups=0) {
///
////////////////////////////////////////////////////////////////////////////////
function testGeneralAffiliation(&$login, &$affilid) {
+ if(is_null($login))
+ return 0;
if(preg_match('/^([^@]+)@([^@\.]*)$/', $login, $matches)) {
$login = $matches[1];
$affilid = getAffiliationID($matches[2]);
diff --git a/web/.ht-inc/blockallocations.php b/web/.ht-inc/blockallocations.php
index ed0fffa4..3bf357c4 100644
--- a/web/.ht-inc/blockallocations.php
+++ b/web/.ht-inc/blockallocations.php
@@ -2486,8 +2486,6 @@ function AJacceptBlockAllocationSubmit() {
$err = 1;
}
if($validemail) {
- if(get_magic_quotes_gpc())
- $emailtext = stripslashes($emailtext);
if(! $err && preg_match('/[<>|]/', $emailtext)) {
$errmsg = i("<>\'s and pipes (|) are not allowed in the
email text.");
$err = 1;
@@ -2707,8 +2705,6 @@ function AJrejectBlockAllocationSubmit() {
$errmsg = i("Please include a reason for rejecting the block
allocation in the email.");
$err = 1;
}
- if(get_magic_quotes_gpc())
- $emailtext = stripslashes($emailtext);
if(! $err && preg_match('/[<>|]/', $emailtext)) {
if($validemail)
$errmsg = i("<>\'s and pipes (|) are not allowed in the
email text.");
@@ -2860,10 +2856,8 @@ function viewBlockStatus() {
print i("The selected Block Allocation no longer exists.");
return;
}
- $startunix = datetimeToUnix($data['start']);
- $endunix = datetimeToUnix($data['end']);
- $start = strftime('%x %l:%M %P %Z', $startunix);
- $end = strftime('%x %l:%M %P %Z', $endunix);
+ $start = prettyDatetime($data['start'], 1, 0, 0, 1);
+ $end = prettyDatetime($data['end'], 1, 0, 0, 1);
print "<div id=statusdiv>\n";
print "<table class=blockStatusData summary=\"lists attributes of block
allocation\">\n";
print " <tr>\n";
@@ -3267,8 +3261,6 @@ function processBlockAllocationInput() {
}
if($method == 'request') {
$return['comments'] = processInputVar('comments', ARG_STRING);
- if(get_magic_quotes_gpc())
- $return['comments'] = stripslashes($return['comments']);
if(! $err && preg_match('/[<>]/', $return['comments'])) {
$errmsg = i("<>\'s are not allowed in the comments.");
$err = 1;
diff --git a/web/.ht-inc/computer.php b/web/.ht-inc/computer.php
index d1f6ca6b..00714f9b 100644
--- a/web/.ht-inc/computer.php
+++ b/web/.ht-inc/computer.php
@@ -1540,7 +1540,7 @@ class Computer extends Resource {
if($olddata['stateid'] == 10 && $data['stateid'] == 10)
{
$testnotes = $olddata['notes'];
# check for notes being changed
- if(strpos($testnotes, '@') === true) {
+ if(! is_null($testnotes) && strpos($testnotes,
'@') === true) {
$tmp = explode('@', $olddata['notes']);
$testnotes = $tmp[1];
}
@@ -1695,23 +1695,23 @@ class Computer extends Resource {
$return = array('error' => 0);
$return['rscid'] = getContinuationVar('rscid', 0);
- $return['name'] = processInputVar('name', ARG_STRING);
+ $return['name'] = processInputVar('name', ARG_STRING, '');
$return['startnum'] = processInputVar('startnum', ARG_NUMERIC);
$return['endnum'] = processInputVar('endnum', ARG_NUMERIC);
$return['owner'] = processInputVar('owner', ARG_STRING,
"{$user['unityid']}@{$user['affiliation']}");
- $return['type'] = processInputVar('type', ARG_STRING);
- $return['IPaddress'] = processInputVar('ipaddress', ARG_STRING);
- $return['privateIPaddress'] =
processInputVar('privateipaddress', ARG_STRING);
- $return['eth0macaddress'] = processInputVar('privatemac',
ARG_STRING);
- $return['eth1macaddress'] = processInputVar('publicmac',
ARG_STRING);
- $return['startpubipaddress'] =
processInputVar('startpubipaddress', ARG_STRING);
- $return['endpubipaddress'] = processInputVar('endpubipaddress',
ARG_STRING);
- $return['startprivipaddress'] =
processInputVar('startprivipaddress', ARG_STRING);
- $return['endprivipaddress'] =
processInputVar('endprivipaddress', ARG_STRING);
- $return['startmac'] = processInputVar('startmac', ARG_STRING);
+ $return['type'] = processInputVar('type', ARG_STRING, '');
+ $return['IPaddress'] = processInputVar('ipaddress', ARG_STRING,
'');
+ $return['privateIPaddress'] =
processInputVar('privateipaddress', ARG_STRING, '');
+ $return['eth0macaddress'] = processInputVar('privatemac',
ARG_STRING, '');
+ $return['eth1macaddress'] = processInputVar('publicmac',
ARG_STRING, '');
+ $return['startpubipaddress'] =
processInputVar('startpubipaddress', ARG_STRING, '');
+ $return['endpubipaddress'] = processInputVar('endpubipaddress',
ARG_STRING, '');
+ $return['startprivipaddress'] =
processInputVar('startprivipaddress', ARG_STRING, '');
+ $return['endprivipaddress'] =
processInputVar('endprivipaddress', ARG_STRING, '');
+ $return['startmac'] = processInputVar('startmac', ARG_STRING,
'');
$return['provisioningid'] = processInputVar('provisioningid',
ARG_NUMERIC);
$return['stateid'] = processInputVar('stateid', ARG_NUMERIC);
- $return['notes'] = processInputVar('notes', ARG_STRING);
+ $return['notes'] = processInputVar('notes', ARG_STRING, '');
$return['vmprofileid'] = processInputVar('vmprofileid',
ARG_NUMERIC);
$return['platformid'] = processInputVar('platformid',
ARG_NUMERIC);
$return['scheduleid'] = processInputVar('scheduleid',
ARG_NUMERIC);
@@ -1723,9 +1723,9 @@ class Computer extends Resource {
$return['natenabled'] = processInputVar('natenabled',
ARG_NUMERIC);
$return['nathostid'] = processInputVar('nathostid',
ARG_NUMERIC);
$return['nathostenabled'] = processInputVar('nathostenabled',
ARG_NUMERIC);
- $return['natpublicIPaddress'] =
processInputVar('natpublicipaddress', ARG_STRING);
- $return['natinternalIPaddress'] =
processInputVar('natinternalipaddress', ARG_STRING);
- $return['location'] = processInputVar('location', ARG_STRING);
+ $return['natpublicIPaddress'] =
processInputVar('natpublicipaddress', ARG_STRING, '');
+ $return['natinternalIPaddress'] =
processInputVar('natinternalipaddress', ARG_STRING, '');
+ $return['location'] = processInputVar('location', ARG_STRING,
'');
$addmode = processInputVar('addmode', ARG_STRING);
if(! is_null($addmode) && $addmode != 'single' && $addmode !=
'multiple') {
@@ -3581,8 +3581,6 @@ class Computer extends Resource {
elseif($newstateid == 10 || $newstateid == 23) {
if($newstateid == 10) {
$notes = processInputVar('notes', ARG_STRING);
- if(get_magic_quotes_gpc())
- $notes = stripslashes($notes);
$notes = vcl_mysql_escape_string($notes);
$notes = $user["unityid"] . " " .
unixToDatetime(time()) . "@"
. $notes;
diff --git a/web/.ht-inc/groups.php b/web/.ht-inc/groups.php
index 306395e1..30315b4f 100644
--- a/web/.ht-inc/groups.php
+++ b/web/.ht-inc/groups.php
@@ -993,7 +993,7 @@ function processGroupInput($checks=1) {
$return["type"] = getContinuationVar("type");
$return["custom"] = getContinuationVar("custom", 1);
$return["courseroll"] = getContinuationVar("courseroll", 0);
- $return["name"] = getContinuationVar('name', processInputVar("name",
ARG_STRING));
+ $return["name"] = getContinuationVar('name', processInputVar("name",
ARG_STRING, ''));
$return["affiliationid"] = getContinuationVar('affiliationid',
processInputVar("affiliationid", ARG_NUMERIC, $user['affiliationid']));
$return["resourcetypeid"] = getContinuationVar('resourcetypeid',
processInputVar("resourcetypeid", ARG_NUMERIC));
$return["owner"] = getContinuationVar('owner', processInputVar("owner",
ARG_STRING));
@@ -1004,10 +1004,12 @@ function processGroupInput($checks=1) {
$return["totalmax"] = getContinuationVar('totalmax',
processInputVar("totalmax", ARG_NUMERIC));
$return["maxextend"] = getContinuationVar('maxextend',
processInputVar("maxextend", ARG_NUMERIC));
$return["overlap"] = getContinuationVar('overlap',
processInputVar("overlap", ARG_NUMERIC, 0));
- $return['editgroupids'] = getContinuationVar('editgroupids');
+ $return['editgroupids'] = getContinuationVar('editgroupids', '');
$editgroupids = explode(',', $return['editgroupids']);
- $return['ownergroupids'] = getContinuationVar('ownergroupids');
- $ownergroupids = explode(',', $return['ownergroupids']);
+ if($return['type'] == 'resource') {
+ $return['ownergroupids'] = getContinuationVar('ownergroupids');
+ $ownergroupids = explode(',', $return['ownergroupids']);
+ }
$groupwasnone = getContinuationVar('groupwasnone');
$editname = getContinuationVar('editname', 1);
diff --git a/web/.ht-inc/help.php b/web/.ht-inc/help.php
index b038d973..b19e3ab6 100644
--- a/web/.ht-inc/help.php
+++ b/web/.ht-inc/help.php
@@ -39,15 +39,10 @@ define("SUMMARYERR", 1 << 3);
function printHelpForm() {
global $user, $submitErr, $noHTMLwrappers;
if($submitErr) {
- $name = processInputVar("name", ARG_STRING);
- $email = processInputVar("email", ARG_STRING);
+ $name = processInputVar("name", ARG_STRING, '');
+ $email = processInputVar("email", ARG_STRING, '');
$summary = processInputVar("summary", ARG_STRING);
$text = processInputVar("comments", ARG_STRING);
- if(get_magic_quotes_gpc()) {
- $name = stripslashes($name);
- $summary = stripslashes($summary);
- $text = stripslashes($text);
- }
$name = preg_replace(array('/"/', '/>/'), array('"',
'>'), $name);
$summary = preg_replace(array('/"/', '/>/'), array('"',
'>'), $summary);
}
@@ -126,16 +121,14 @@ function submitHelpForm() {
$text = processInputVar("comments", ARG_STRING);
$testname = $name;
- if(get_magic_quotes_gpc())
- $testname = stripslashes($name);
- if(! preg_match('/^([-A-Za-z \']{1,} [-A-Za-z \']{2,})*$/', $testname))
{
+ if(is_null($testname) || ! preg_match('/^([-A-Za-z \']{1,} [-A-Za-z
\']{2,})*$/', $testname)) {
$submitErr |= NAMEERR;
$submitErrMsg[NAMEERR] = "Name can only contain letters,
spaces, apostrophes ('), and dashes (-). Both first and last name must be
specified.";
}
- if(!
preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i',
- $email)) {
+ if(is_null($email) || ! filter_var($email, FILTER_VALIDATE_EMAIL)) {
$submitErr |= EMAILERR;
- $submitErrMsg[EMAILERR] = "Invalid email address, please
correct";
+ $submitErrMsg[EMAILERR] = "Invalid email address specified";
+ $_POST['email'] = $user['email'];
}
if(empty($summary)) {
$submitErr |= SUMMARYERR;
@@ -176,8 +169,6 @@ function submitHelpForm() {
}
$from = $user["email"];
- if(get_magic_quotes_gpc())
- $text = stripslashes($text);
$message = "Problem report submitted from VCL web form:\n\n"
. "User: " . $user["unityid"] . "\n"
. "Name: " . $testname . "\n"
@@ -225,7 +216,7 @@ function submitHelpForm() {
$resultlen = strlen(i('Fail'));
$qh = doQuery($query);
$logins = array();
- while($row = mysql_fetch_assoc($qh)) {
+ while($row = mysqli_fetch_assoc($qh)) {
$tmp = prettyDatetime($row['timestamp'], 1, 1);
$row['timestamp'] = str_replace(' ', ' ', $tmp);
if($row['passfail'])
@@ -268,8 +259,6 @@ function submitHelpForm() {
if(! $indrupal)
print "<H2>VCL Help</H2>\n";
$mailParams = "-f" . ENVELOPESENDER;
- if(get_magic_quotes_gpc())
- $summary = stripslashes($summary);
$helpemail = getHelpEmail($user['affiliationid']);
if(! mail($helpemail, "$summary", $message,
"From: $from\r\nReply-To: $email\r\n", $mailParams)){
@@ -302,7 +291,7 @@ function getHelpEmail($affil) {
$field = 'name';
$query = "SELECT helpaddress FROM affiliation WHERE $field = '$affil'";
$qh = doQuery($query);
- if($row = mysql_fetch_assoc($qh))
+ if($row = mysqli_fetch_assoc($qh))
if($row['helpaddress'] != '')
return $row['helpaddress'];
return HELPEMAIL;
diff --git a/web/.ht-inc/image.php b/web/.ht-inc/image.php
index 329cec83..947a49d1 100644
--- a/web/.ht-inc/image.php
+++ b/web/.ht-inc/image.php
@@ -25,6 +25,7 @@
///
////////////////////////////////////////////////////////////////////////////////
class Image extends Resource {
+ var $imagerevisionid;
/////////////////////////////////////////////////////////////////////////////
///
/// \fn __construct()
@@ -1045,8 +1046,6 @@ class Image extends Resource {
elseif(! $autocaptured) {
$comments = processInputVar('comments', ARG_STRING, '');
$comments = htmlspecialchars($comments);
- if(get_magic_quotes_gpc())
- $comments = stripslashes($comments);
}
if(! $autocaptured)
@@ -1252,7 +1251,13 @@ class Image extends Resource {
# ad authentication
if($data['adauthenabled']) {
- $esc_baseou = vcl_mysql_escape_string($data['baseou']);
+ if(is_null($data['baseou'])) {
+ $esc_baseou = 'NULL';
+ }
+ else {
+ $esc_baseou =
vcl_mysql_escape_string($data['baseou']);
+ $esc_baseou = "'$esc_baseou'";
+ }
$query = "INSERT INTO imageaddomain "
. "(imageid, "
. "addomainid, "
@@ -1260,7 +1265,7 @@ class Image extends Resource {
. "VALUES "
. "($imageid, "
. "{$data['addomainid']}, "
- . "'$esc_baseou')";
+ . "$esc_baseou)";
doQuery($query);
}
@@ -1534,7 +1539,7 @@ class Image extends Resource {
sendJSON($arr);
return;
}
- $remids = processInputVar('imageids', ARG_STRING);
+ $remids = processInputVar('imageids', ARG_STRING, '');
$remids = explode(',', $remids);
foreach($remids as $id) {
if(! is_numeric($id)) {
@@ -1632,48 +1637,42 @@ class Image extends Resource {
$return = array('error' => 0);
- $return["name"] = processInputVar("name", ARG_STRING);
+ $return["name"] = processInputVar("name", ARG_STRING, '');
$return["owner"] = processInputVar("owner", ARG_STRING,
"{$user["unityid"]}@{$user['affiliation']}");
$return["ram"] = processInputVar("ram", ARG_NUMERIC, 512);
- $return["cores"] = processInputVar("cores", ARG_NUMERIC);
- $return["cpuspeed"] = processInputVar("cpuspeed", ARG_NUMERIC);
+ $return["cores"] = processInputVar("cores", ARG_NUMERIC, 4);
+ $return["cpuspeed"] = processInputVar("cpuspeed", ARG_NUMERIC,
2000);
$return["networkspeed"] = (int)processInputVar("networkspeed",
ARG_NUMERIC);
$return["concurrent"] = processInputVar("concurrent",
ARG_NUMERIC, 0);
- $return["reload"] = processInputVar("reload", ARG_NUMERIC); #
not in add
+ $return["reload"] = processInputVar("reload", ARG_NUMERIC, 0);
# not in add
$return["checkout"] = processInputVar("checkout", ARG_NUMERIC);
$return["checkuser"] = processInputVar("checkuser",
ARG_NUMERIC);
$return["rootaccess"] = processInputVar("rootaccess",
ARG_NUMERIC);
$return["sethostname"] = processInputVar("sethostname",
ARG_NUMERIC);
$return["maxinitialtime"] = processInputVar("maxinitialtime",
ARG_NUMERIC, 0);
$return["sysprep"] = processInputVar("sysprep", ARG_NUMERIC); #
only in add
- $return["connectmethodids"] =
processInputVar("connectmethodids", ARG_STRING); # only in add
- $return["adauthenabled"] = processInputVar("adauthenabled",
ARG_NUMERIC);
+ $return["connectmethodids"] =
processInputVar("connectmethodids", ARG_STRING, ''); # only in add
+ $return["adauthenabled"] = processInputVar("adauthenabled",
ARG_NUMERIC, 0);
$return["addomainid"] = processInputVar("addomainid",
ARG_NUMERIC);
- $return["baseou"] = processInputVar("baseou", ARG_STRING);
+ $return["baseou"] = processInputVar("baseou", ARG_STRING, '');
$return['requestid'] = getContinuationVar('requestid'); # only
in add
$return["imageid"] = getContinuationVar('imageid');
$return['baserevisionid'] =
getContinuationVar('baserevisionid');
- $return["desc"] = processInputVar("desc", ARG_STRING);
- if(get_magic_quotes_gpc())
- $return["desc"] = stripslashes($return['desc']);
+ $return["desc"] = processInputVar("desc", ARG_STRING, '');
$return['desc'] = preg_replace("/[\n\s]*$/", '',
$return['desc']);
$return['desc'] = preg_replace("/\r/", '', $return['desc']);
$return['desc'] = htmlspecialchars($return['desc']);
$return['desc'] = preg_replace("/\n/", '<br>', $return['desc']);
- $return["usage"] = processInputVar("usage", ARG_STRING);
- if(get_magic_quotes_gpc())
- $return["usage"] = stripslashes($return['usage']);
+ $return["usage"] = processInputVar("usage", ARG_STRING, '');
$return['usage'] = preg_replace("/[\n\s]*$/", '',
$return['usage']);
$return['usage'] = preg_replace("/\r/", '', $return['usage']);
$return['usage'] = htmlspecialchars($return['usage']);
$return['usage'] = preg_replace("/\n/", '<br>',
$return['usage']);
- $return["comments"] = processInputVar("imgcomments",
ARG_STRING);
- if(get_magic_quotes_gpc())
- $return["comments"] = stripslashes($return['comments']);
+ $return["comments"] = processInputVar("imgcomments",
ARG_STRING, '');
$return['comments'] = preg_replace("/[\n\s]*$/", '',
$return['comments']);
$return['comments'] = preg_replace("/\r/", '',
$return['comments']);
$return['comments'] = htmlspecialchars($return['comments']);
@@ -1735,19 +1734,23 @@ class Image extends Resource {
$return['error'] = 1;
$errormsg[] = i("Submitted ID is not valid");
}
- if($return['checkout'] != 0 && $return['checkout'] != 1) {
+ if(is_null($return['checkout']) ||
+ ($return['checkout'] != 0 && $return['checkout'] != 1)) {
$return['error'] = 1;
$errormsg[] = i("Available for Checkout must be Yes or
No");
}
- if($return['checkuser'] != 0 && $return['checkuser'] != 1) {
+ if(is_null($return['checkuser']) ||
+ ($return['checkuser'] != 0 && $return['checkuser'] != 1)) {
$return['error'] = 1;
$errormsg[] = i("Check for Logged in User must be Yes
or No");
}
- if($return['rootaccess'] != 0 && $return['rootaccess'] != 1) {
+ if(is_null($return['rootaccess']) ||
+ ($return['rootaccess'] != 0 && $return['rootaccess'] != 1)) {
$return['error'] = 1;
$errormsg[] = i("Users Have Administrative Access must
be Yes or No");
}
- if($return['sethostname'] != 0 && $return['sethostname'] != 1) {
+ if(is_null($return['sethostname']) ||
+ ($return['sethostname'] != 0 && $return['sethostname'] !=
1)) {
$return['error'] = 1;
$errormsg[] = i("Set Computer Hostname must be Yes or
No");
}
@@ -2256,10 +2259,8 @@ class Image extends Resource {
function AJupdateRevisionComments() {
$imageid = getContinuationVar('imageid');
$revisionid = getContinuationVar('revisionid');
- $comments = processInputVar('comments', ARG_STRING);
+ $comments = processInputVar('comments', ARG_STRING, '');
$comments = htmlspecialchars($comments);
- if(get_magic_quotes_gpc())
- $comments = stripslashes($comments);
$comments = vcl_mysql_escape_string($comments);
$query = "UPDATE imagerevision "
. "SET comments = '$comments' "
@@ -2299,7 +2300,7 @@ class Image extends Resource {
function AJdeleteRevisions() {
$revids = getContinuationVar('revids');
$imageid = getContinuationVar('imageid');
- $checkedids = processInputVar('checkedids', ARG_STRING);
+ $checkedids = processInputVar('checkedids', ARG_STRING, '');
$ids = explode(',', $checkedids);
if(empty($ids)) {
sendJSON(array());
diff --git a/web/.ht-inc/managementnode.php b/web/.ht-inc/managementnode.php
index dd49e2c9..6fb90284 100644
--- a/web/.ht-inc/managementnode.php
+++ b/web/.ht-inc/managementnode.php
@@ -712,35 +712,30 @@ class ManagementNode extends Resource {
$return = array('error' => 0);
$return['rscid'] = getContinuationVar('rscid', 0);
- $return['name'] = processInputVar('name', ARG_STRING);
+ $return['name'] = processInputVar('name', ARG_STRING, '');
$return['owner'] = processInputVar('owner', ARG_STRING,
"{$user['unityid']}@{$user['affiliation']}");
- $return['ipaddress'] = processInputVar('ipaddress', ARG_STRING);
- $return['stateid'] = processInputVar('stateid', ARG_NUMERIC);
- $return['sysadminemail'] = processInputVar('sysadminemail',
ARG_STRING);
- $return['sharedmailbox'] = processInputVar('sharedmailbox',
ARG_STRING);
- $return['installpath'] = processInputVar('installpath',
ARG_STRING);
- $return['timeservers'] = processInputVar('timeservers',
ARG_STRING);
- $return['keys'] = processInputVar('keys', ARG_STRING);
+ $return['ipaddress'] = processInputVar('ipaddress', ARG_STRING,
'');
+ $return['stateid'] = processInputVar('stateid', ARG_NUMERIC, 0);
+ $return['sysadminemail'] = processInputVar('sysadminemail',
ARG_STRING, '');
+ $return['sharedmailbox'] = processInputVar('sharedmailbox',
ARG_STRING, '');
+ $return['installpath'] = processInputVar('installpath',
ARG_STRING, '');
+ $return['timeservers'] = processInputVar('timeservers',
ARG_STRING, '');
+ $return['keys'] = processInputVar('keys', ARG_STRING, '');
$return['sshport'] = processInputVar('sshport', ARG_NUMERIC);
$return['imagelibenable'] = processInputVar('imagelibenable',
ARG_NUMERIC);
$return['imagelibgroupid'] = processInputVar('imagelibgroupid',
ARG_NUMERIC);
- $return['imagelibuser'] = processInputVar('imagelibuser',
ARG_STRING);
- $return['imagelibkey'] = processInputVar('imagelibkey',
ARG_STRING);
- $return['publicIPconfig'] = processInputVar('publicIPconfig',
ARG_STRING);
- $return['publicnetmask'] = processInputVar('publicnetmask',
ARG_STRING);
- $return['publicgateway'] = processInputVar('publicgateway',
ARG_STRING);
- $return['publicdnsserver'] = processInputVar('publicdnsserver',
ARG_STRING);
+ $return['imagelibuser'] = processInputVar('imagelibuser',
ARG_STRING, '');
+ $return['imagelibkey'] = processInputVar('imagelibkey',
ARG_STRING, '');
+ $return['publicIPconfig'] = processInputVar('publicIPconfig',
ARG_STRING, '');
+ $return['publicnetmask'] = processInputVar('publicnetmask',
ARG_STRING, '');
+ $return['publicgateway'] = processInputVar('publicgateway',
ARG_STRING, '');
+ $return['publicdnsserver'] = processInputVar('publicdnsserver',
ARG_STRING, '');
$return['checkininterval'] = processInputVar('checkininterval',
ARG_NUMERIC);
- $return['availablenetworks'] =
processInputVar('availablenetworks', ARG_STRING);
- $return['federatedauth'] = processInputVar('federatedauth',
ARG_STRING);
- $return['nathostenabled'] = processInputVar('nathostenabled',
ARG_NUMERIC);
- $return['natpublicIPaddress'] =
processInputVar('natpublicipaddress', ARG_STRING);
- $return['natinternalIPaddress'] =
processInputVar('natinternalipaddress', ARG_STRING);
-
- if(get_magic_quotes_gpc()) {
- $return['sysadminemail'] =
stripslashes($return['sysadminemail']);
- $return['sharedmailbox'] =
stripslashes($return['sharedmailbox']);
- }
+ $return['availablenetworks'] =
processInputVar('availablenetworks', ARG_STRING, '');
+ $return['federatedauth'] = processInputVar('federatedauth',
ARG_STRING, '');
+ $return['nathostenabled'] = processInputVar('nathostenabled',
ARG_NUMERIC, 2);
+ $return['natpublicIPaddress'] =
processInputVar('natpublicipaddress', ARG_STRING, '');
+ $return['natinternalIPaddress'] =
processInputVar('natinternalipaddress', ARG_STRING, '');
$olddata = getContinuationVar('olddata');
@@ -889,8 +884,14 @@ class ManagementNode extends Resource {
}
}
else {
- $return['publicnetmask'] = $olddata['publicnetmask'];
- $return['publicgateway'] = $olddata['publicgateway'];
+ if($return['mode'] == 'edit') {
+ $return['publicnetmask'] =
$olddata['publicnetmask'];
+ $return['publicgateway'] =
$olddata['publicgateway'];
+ }
+ else {
+ $return['publicnetmask'] = '';
+ $return['publicgateway'] = '';
+ }
}
# stateid 2 - available, 5 - failed, 10 - maintenance
if(! preg_match('/^(2|5|10)$/', $return['stateid'])) {
diff --git a/web/.ht-inc/oneclick.php b/web/.ht-inc/oneclick.php
index d8b62c9d..0f8f0233 100755
--- a/web/.ht-inc/oneclick.php
+++ b/web/.ht-inc/oneclick.php
@@ -232,8 +232,8 @@ function submitOneClick() {
global $user, $submitErr, $submitErrMsg;
$maxlength = getContinuationVar('maxlength');
$imageid = processInputVar("imageid", ARG_NUMERIC);
- $name = processInputVar("newOneClickName", ARG_STRING);
- $duration = processInputVar("length", ARG_NUMERIC);
+ $name = processInputVar("newOneClickName", ARG_STRING, '');
+ $duration = processInputVar("length", ARG_NUMERIC, 120);
$autologin = processInputVar("autologin", ARG_NUMERIC) == 1 ? 1 : 0;
# validate access to $imageid
@@ -410,8 +410,8 @@ function submitEditOneClick() {
global $submitErr, $submitErrMsg;
$oneclickid = getContinuationVar('oneclickid');
$maxlength = getContinuationVar('maxlength');
- $name = processInputVar('name', ARG_STRING);
- $duration = processInputVar("duration", ARG_NUMERIC);
+ $name = processInputVar('name', ARG_STRING, '');
+ $duration = processInputVar("duration", ARG_NUMERIC, 120);
$autologin = processInputVar("autologin", ARG_NUMERIC) == 1 ? 1 : 0;
# validate $name
diff --git a/web/.ht-inc/privileges.php b/web/.ht-inc/privileges.php
index 714b910d..cb90926e 100644
--- a/web/.ht-inc/privileges.php
+++ b/web/.ht-inc/privileges.php
@@ -1164,6 +1164,13 @@ function AJrefreshNodeDropData() {
function AJsubmitAddChildNode() {
global $user;
$parent = processInputVar("activeNode", ARG_NUMERIC);
+ if(is_null($parent)) {
+ $text = "Invalid parent node submitted.";
+ print "dojo.byId('childNodeName').value = ''; ";
+ print "dijit.byId('addNodePane').hide(); ";
+ print "alert('$text');";
+ return;
+ }
if(! checkUserHasPriv("nodeAdmin", $user["id"], $parent)) {
$text = "You do not have rights to add children to this node.";
print "dojo.byId('childNodeName').value = ''; ";
@@ -1171,7 +1178,7 @@ function AJsubmitAddChildNode() {
print "alert('$text');";
return;
}
- $newnode = processInputVar("newnode", ARG_STRING);
+ $newnode = processInputVar("newnode", ARG_STRING, '');
$errmsg = '';
if(! validateNodeName($newnode, $errmsg)) {
print "dojo.byId('addChildNodeStatus').innerHTML = '$errmsg';";
@@ -1308,7 +1315,7 @@ function AJsubmitRenameNode() {
sendJSON($arr);
return;
}
- $newname = processInputVar('newname', ARG_STRING);
+ $newname = processInputVar('newname', ARG_STRING, '');
$errmsg = '';
if(! validateNodeName($newname, $errmsg)) {
$arr = array('error' => 2, 'message' => $errmsg);
@@ -1350,6 +1357,12 @@ function AJmoveNode() {
$oldparentid = processInputVar('oldparentid', ARG_NUMERIC);
$newparentid = processInputVar('newparentid', ARG_NUMERIC);
+ if(is_null($moveid) || is_null($oldparentid) || is_null($newparentid)) {
+ $arr = array('status' => 'invalidreload');
+ sendJSON($arr);
+ return;
+ }
+
if(! checkUserHasPriv("nodeAdmin", $user["id"], $moveid) ||
! checkUserHasPriv("nodeAdmin", $user["id"], $newparentid) ||
! checkUserHasPriv("nodeAdmin", $user["id"], $oldparentid)) {
@@ -1463,9 +1476,7 @@ function AJrevertMoveNode() {
////////////////////////////////////////////////////////////////////////////////
function userLookup() {
global $user;
- $userid = processInputVar("userid", ARG_STRING);
- if(get_magic_quotes_gpc())
- $userid = stripslashes($userid);
+ $userid = processInputVar("userid", ARG_STRING, '');
$affilid = processInputVar('affiliationid', ARG_NUMERIC,
$user['affiliationid']);
$force = processInputVar('force', ARG_NUMERIC, 0);
print "<div align=center>\n";
@@ -2465,8 +2476,8 @@ function getUserPrivRowHTML($privname, $rownum, $privs,
$types,
////////////////////////////////////////////////////////////////////////////////
function jsonGetUserGroupMembers() {
global $user;
- $usergrpid = processInputVar('groupid', ARG_NUMERIC);
- $domid = processInputVar('domid', ARG_STRING);
+ $usergrpid = processInputVar('groupid', ARG_NUMERIC, 0);
+ $domid = processInputVar('domid', ARG_STRING, '');
$query = "SELECT g.ownerid, "
. "g.affiliationid, "
. "g.custom, "
@@ -2645,8 +2656,8 @@ function getResourcePrivRowHTML($privname, $rownum,
$privs, $types,
///
////////////////////////////////////////////////////////////////////////////////
function jsonGetResourceGroupMembers() {
- $resgrpid = processInputVar('groupid', ARG_NUMERIC);
- $domid = processInputVar('domid', ARG_STRING);
+ $resgrpid = processInputVar('groupid', ARG_NUMERIC, 0);
+ $domid = processInputVar('domid', ARG_STRING, '');
$query = "SELECT rt.name "
. "FROM resourcegroup rg, "
. "resourcetype rt "
@@ -3116,7 +3127,7 @@ function getNodeCascadePrivileges($node, $type="all",
$privs=0) {
function AJchangeUserPrivs() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("userGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("userGrant", $user["id"],
$node)) {
$text = "You do not have rights to modify user privileges at
this node.";
print "alert('$text');";
return;
@@ -3125,6 +3136,12 @@ function AJchangeUserPrivs() {
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
+ if(is_null($newpriv) || ! preg_match('/^[- a-zA-Z0-9]+$/', $newpriv)) {
+ $text = "Invalid user privilege submitted.";
+ print "alert('$text');";
+ return;
+ }
+
if(! validateUserid($newuser)) {
$text = "Invalid user submitted.";
print "alert('$text');";
@@ -3172,7 +3189,7 @@ function AJchangeUserPrivs() {
function AJchangeUserGroupPrivs() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("userGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("userGrant", $user["id"],
$node)) {
$text = "You do not have rights to modify user privileges at
this node.";
print "alert('$text');";
return;
@@ -3181,6 +3198,12 @@ function AJchangeUserGroupPrivs() {
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
+ if(is_null($newpriv) || ! preg_match('/^[- a-zA-Z0-9]+$/', $newpriv)) {
+ $text = "Invalid user privilege submitted.";
+ print "alert('$text');";
+ return;
+ }
+
$newusergrp = getUserGroupName($newusergrpid);
if($newusergrp === 0) {
$text = "Invalid user group submitted.";
@@ -3229,12 +3252,12 @@ function AJchangeUserGroupPrivs() {
function AJchangeResourcePrivs() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("resourceGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("resourceGrant", $user["id"],
$node)) {
$text = "You do not have rights to modify resource privileges
at this node.";
print "alert('$text');";
return;
}
- $resourcegrp = processInputVar("item", ARG_STRING);
+ $resourcegrp = processInputVar("item", ARG_STRING, '');
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
@@ -3307,7 +3330,7 @@ function AJchangeResourcePrivs() {
function AJsubmitAddUserPriv() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("userGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("userGrant", $user["id"],
$node)) {
$text = "You do not have rights to add new users at this node.";
print "addUserPaneHide(); ";
print "alert('$text');";
@@ -3320,7 +3343,7 @@ function AJsubmitAddUserPriv() {
return;
}
- $perms = explode(':', processInputVar('perms', ARG_STRING));
+ $perms = explode(':', processInputVar('perms', ARG_STRING, ''));
$usertypes = getTypes("users");
array_push($usertypes["users"], "block");
array_push($usertypes["users"], "cascade");
@@ -3359,7 +3382,7 @@ function AJsubmitAddUserPriv() {
function AJsubmitAddUserGroupPriv() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("userGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("userGrant", $user["id"],
$node)) {
$text = "You do not have rights to add new user groups at this
node.";
print "addUserGroupPaneHide(); ";
print "alert('$text');";
@@ -3374,7 +3397,7 @@ function AJsubmitAddUserGroupPriv() {
return;
}
- $perms = explode(':', processInputVar('perms', ARG_STRING));
+ $perms = explode(':', processInputVar('perms', ARG_STRING, ''));
$usertypes = getTypes("users");
array_push($usertypes["users"], "block");
@@ -3413,13 +3436,13 @@ function AJsubmitAddUserGroupPriv() {
function AJsubmitAddResourcePriv() {
global $user;
$node = processInputVar("activeNode", ARG_NUMERIC);
- if(! checkUserHasPriv("resourceGrant", $user["id"], $node)) {
+ if(is_null($node) || ! checkUserHasPriv("resourceGrant", $user["id"],
$node)) {
$text = "You do not have rights to add new resource groups at
this node.";
print "addResourceGroupPaneHide(); ";
print "alert('$text');";
return;
}
- $newgroupid = processInputVar("newgroupid", ARG_NUMERIC);
+ $newgroupid = processInputVar("newgroupid", ARG_NUMERIC, -1);
$privs = array("computerAdmin", "mgmtNodeAdmin", "imageAdmin",
"scheduleAdmin", "serverProfileAdmin");
$resourcegroups = getUserResources($privs, array("manageGroup"), 1);
@@ -3441,7 +3464,7 @@ function AJsubmitAddResourcePriv() {
return;
}
- $perms = explode(':', processInputVar('perms', ARG_STRING));
+ $perms = explode(':', processInputVar('perms', ARG_STRING, ''));
$privtypes = getResourcePrivs();
$newgroupprivs = array();
foreach($privtypes as $type) {
@@ -3564,7 +3587,7 @@ function AJsaveUserGroupPrivs() {
sendJSON(array('failed' => 'noaccess'));
return;
}
- $permids = processInputVar('permids', ARG_STRING);
+ $permids = processInputVar('permids', ARG_STRING, '');
if(! preg_match('/^[0-9,]*$/', $permids)) {
sendJSON(array('failed' => 'invalid input'));
return;
diff --git a/web/.ht-inc/requests.php b/web/.ht-inc/requests.php
index 72c9b365..14b37cc3 100644
--- a/web/.ht-inc/requests.php
+++ b/web/.ht-inc/requests.php
@@ -2097,13 +2097,12 @@ function AJupdateWaitTime() {
function printImageDescription($imageid) {
$imagenotes = getImageNotes($imageid);
if(! preg_match('/^\s*$/', $imagenotes['description'])) {
- $desc = preg_replace("/\n/", '<br>',
$imagenotes['description']);
- $desc = preg_replace("/\r/", '', $desc);
+ $desc = preg_replace("/\r/", '', $imagenotes['description']);
$desc = preg_replace("/'/", ''', $desc);
- $desc = preg_replace("/(.{1,60}([ \n]|$))/", '\1<br>', $desc);
+ $desc = htmlwrap($desc, 80);
print "dojo.byId('imgdesc').innerHTML = '<b>";
print i("Image Description") . "</b>:<br>";
- print "$desc<br>'; ";
+ print "$desc<br><br>'; ";
}
}
@@ -2218,7 +2217,7 @@ function AJshowRequestSuggestedTimes() {
for($cnt = 0, $amount = 900, $e =
datetimeToUnix($reqdata['end']) + 900;
$cnt < 15 && $amount <= $maxextend && $amount < 7200;
$cnt++, $amount += 900, $e += 900) {
- $end = strftime('%x %l:%M %P', $e);
+ $end = prettyDatetime($e, 1, 0, 1, 1);
$extenstion = getReservationExtenstion($amount / 60);
if($cnt % 2)
$html .= "<tr class=\"tablerow0\">";
@@ -2234,7 +2233,7 @@ function AJshowRequestSuggestedTimes() {
}
for(; $cnt < 15 && $amount <= $maxextend;
$cnt++, $amount += 3600, $e += 3600) {
- $end = strftime('%x %l:%M %P', $e);
+ $end = prettyDatetime($e, 1, 0, 1, 1);
$extenstion = getReservationExtenstion($amount / 60);
if($cnt % 2)
$html .= "<tr class=\"tablerow0\">";
@@ -2262,7 +2261,7 @@ function AJshowRequestSuggestedTimes() {
foreach($slots as $key => $slot) {
$cnt++;
$slot['startts'] +=
$_SESSION['persistdata']['tzoffset'] * 60;
- $start = strftime('%x %l:%M %P', $slot['startts']);
+ $start = prettyDatetime($slot['startts'], 1, 0, 1, 1);
if(($slot['startts'] - time()) + $slot['startts'] +
$slot['duration'] >= 2114402400)
# end time >= 2037-01-01 00:00:00
$duration = 'indefinite';
@@ -3418,7 +3417,7 @@ function AJeditRequest() {
else
$maxcheck = $maxtimes['total'];
if(! $openend && ($reslen >= $maxcheck)) {
- $h = sprintf(i("You are only allowed to extend your
reservation such that it has a total length of %s. "), minToHourMin($maxcheck));
+ $h = sprintf(i("You are only allowed to extend your
reservation such that it has a total length of %s. "),
minToDaysHourMin($maxcheck));
$h .= i("This reservation already meets that length. Therefore,
you are not allowed to extend your reservation any further.");
$h = preg_replace("/(.{1,60}([ \n]|$))/", '\1<br>', $h) .
"<br>";
sendJSON(array('status' => 'nomodify', 'html' => $h));
@@ -3528,7 +3527,7 @@ function AJeditRequest() {
else
$maxcheck = $maxtimes['total'];
$m = sprintf(i("You can extend this reservation by up
to %s but not exceeding %s for your total reservation time."),
- minToHourMin($maxtimes['extend']),
minToHourMin($maxcheck));
+ minToDaysHourMin($maxtimes['extend']),
minToDaysHourMin($maxcheck));
$h .= preg_replace("/(.{1,60}([ \n]|$))/", '\1<br>',
$m) . "<br>";
}
}
@@ -4402,7 +4401,7 @@ function AJconnectRequest() {
$h .= "</big></font><br><br>\n";
}
$imagenotes = getImageNotes($requestData['reservations'][0]['imageid']);
- if(! preg_match('/^\s*$/', $imagenotes['usage'])) {
+ if(! is_null($imagenotes['usage']) && ! preg_match('/^\s*$/',
$imagenotes['usage'])) {
$h .= "<h3>" . i("Notes on using this environment:") .
"</h3>\n";
$h .= "{$imagenotes['usage']}<br><br><br>\n";
}
@@ -4531,6 +4530,11 @@ function AJconnectRequest() {
function AJcheckConnectTimeout() {
$requestid = getContinuationVar('requestid');
$reqdata = getRequestInfo($requestid, 1);
+ if(is_null($reqdata)) {
+ $data['status'] = 'timeout';
+ sendJSON($data);
+ return;
+ }
$stateid = $reqdata['stateid'];
if($stateid == 14)
$stateid = $reqdata['laststateid'];
@@ -4714,7 +4718,7 @@ function processRequestInput() {
$return['nousercheck'] = 0;
# revisionid
- $revids = processInputVar("revisionid", ARG_STRING);
+ $revids = processInputVar("revisionid", ARG_STRING, '');
$revids = explode(':', $revids);
$images = getImages(0, $return['imageid']);
$return['revisionids'] = array();
@@ -4777,7 +4781,7 @@ function processRequestInput() {
# server specific input
if($return['type'] == 'server') {
# name
- $return['name'] = processInputVar('name', ARG_STRING);
+ $return['name'] = processInputVar('name', ARG_STRING, '');
if(! preg_match('/^([-a-zA-Z0-9_\. ]){0,255}$/',
$return['name'])) {
$return['err'] = 1;
$return['errmsg'] = i('The reservation name can only
contain letters, numbers, spaces, dashes(-), underscores(_), and periods(.) and
can be up to 255 characters long');
@@ -4899,8 +4903,6 @@ function processRequestInput() {
$userconfigs = $tmp['config'];
$initconfigs = getMappedConfigs($return['imageid']);
if(array_key_exists('configdata', $_POST)) {
- if(get_magic_quotes_gpc())
- $_POST['configdata'] =
stripslashes($_POST['configdata']);
$configdata = json_decode($_POST['configdata']);
}
if(array_key_exists('configdata', $_POST) &&
diff --git a/web/.ht-inc/resource.php b/web/.ht-inc/resource.php
index 04a5e106..f6ea570c 100644
--- a/web/.ht-inc/resource.php
+++ b/web/.ht-inc/resource.php
@@ -894,7 +894,12 @@ class Resource {
}
$groups = getUserResources(array($this->restype . "Admin"),
array("manageGroup"), 1);
- $tmp = processInputVar('listids', ARG_STRING);
+ $tmp = processInputVar('listids', ARG_STRING, '');
+ if($tmp == '') {
+ $arr = array('status' => 'invalid');
+ sendJSON($arr);
+ return;
+ }
$tmp = explode(',', $tmp);
$groupids = array();
foreach($tmp as $id) {
@@ -1075,6 +1080,11 @@ class Resource {
$resources = getUserResources(array($this->restype . "Admin"),
array("manageGroup"));
$tmp = processInputVar('listids', ARG_STRING);
+ if($tmp == '') {
+ $arr = array('status' => 'invalid');
+ sendJSON($arr);
+ return;
+ }
$tmp = explode(',', $tmp);
$rscids = array();
foreach($tmp as $id) {
diff --git a/web/.ht-inc/schedule.php b/web/.ht-inc/schedule.php
index d0760e8d..7b0bca79 100644
--- a/web/.ht-inc/schedule.php
+++ b/web/.ht-inc/schedule.php
@@ -331,9 +331,9 @@ class Schedule extends Resource {
$errormsg = array();
$return['rscid'] = getContinuationVar('rscid', 0);
- $return["name"] = processInputVar("name", ARG_STRING);
+ $return["name"] = processInputVar("name", ARG_STRING, '');
$return["owner"] = processInputVar("owner", ARG_STRING,
"{$user["unityid"]}@{$user['affiliation']}");
- $times = processInputVar('times', ARG_STRING);
+ $times = processInputVar('times', ARG_STRING, '');
if(!
preg_match("/^([A-Za-z0-9-!@#$%^&\*\(\)_=\+\[\]{}\\\|:;,\.\/\?~` ]){2,30}$/",
$return['name'])) {
$return['error'] = 1;
diff --git a/web/.ht-inc/serverprofiles.php b/web/.ht-inc/serverprofiles.php
index 9d9ad379..3bcace5e 100644
--- a/web/.ht-inc/serverprofiles.php
+++ b/web/.ht-inc/serverprofiles.php
@@ -662,17 +662,17 @@ function processProfileInput() {
global $user;
$ret = array();
$ret['profileid'] = processInputVar('id', ARG_NUMERIC);
- $ret['name'] = processInputVar('name', ARG_STRING);
- $ret['desc'] = processInputVar('desc', ARG_STRING);
+ $ret['name'] = processInputVar('name', ARG_STRING, '');
+ $ret['desc'] = processInputVar('desc', ARG_STRING, '');
$ret['imageid'] = processInputVar('imageid', ARG_NUMERIC);
- $ret['fixedMAC'] = processInputVar('fixedMAC', ARG_STRING);
- $ret['admingroupid'] = processInputVar('admingroupid', ARG_NUMERIC);
- $ret['logingroupid'] = processInputVar('logingroupid', ARG_NUMERIC);
- $monitored = processInputVar('monitored', ARG_STRING);
- $ret['fixedIP'] = processInputVar('fixedIP', ARG_STRING);
- $ret['netmask'] = processInputVar('netmask', ARG_STRING);
- $ret['router'] = processInputVar('router', ARG_STRING);
- $ret['dns'] = processInputVar('dns', ARG_STRING);
+ $ret['fixedMAC'] = processInputVar('fixedMAC', ARG_STRING, '');
+ $ret['admingroupid'] = processInputVar('admingroupid', ARG_NUMERIC, 0);
+ $ret['logingroupid'] = processInputVar('logingroupid', ARG_NUMERIC, 0);
+ $monitored = processInputVar('monitored', ARG_STRING, '');
+ $ret['fixedIP'] = processInputVar('fixedIP', ARG_STRING, '');
+ $ret['netmask'] = processInputVar('netmask', ARG_STRING, '');
+ $ret['router'] = processInputVar('router', ARG_STRING, '');
+ $ret['dns'] = processInputVar('dns', ARG_STRING, '');
$ret['dnsArr'] = array();
$err = array();
@@ -950,7 +950,7 @@ function jsonProfileGroupingProfiles() {
///
////////////////////////////////////////////////////////////////////////////////
function AJaddGroupToProfile() {
- $profileid = processInputVar('id', ARG_NUMERIC);
+ $profileid = processInputVar('id', ARG_NUMERIC, 0);
$resources = getUserResources(array("serverProfileAdmin"),
array("manageGroup"));
// check access to profile
if(! array_key_exists($profileid, $resources['serverprofile'])) {
@@ -961,7 +961,7 @@ function AJaddGroupToProfile() {
// check access to groups
$groups = getUserResources(array("serverProfileAdmin"),
array("manageGroup"), 1);
- $tmp = processInputVar('listids', ARG_STRING);
+ $tmp = processInputVar('listids', ARG_STRING, '');
$tmp = explode(',', $tmp);
$groupids = array();
foreach($tmp as $id) {
@@ -998,7 +998,7 @@ function AJaddGroupToProfile() {
///
////////////////////////////////////////////////////////////////////////////////
function AJremGroupFromProfile() {
- $profileid = processInputVar('id', ARG_NUMERIC);
+ $profileid = processInputVar('id', ARG_NUMERIC, 0);
$resources = getUserResources(array("serverProfileAdmin"),
array("manageGroup"));
if(! array_key_exists($profileid, $resources['serverprofile'])) {
$arr = array('groups' => array(), 'addrem' => 0);
@@ -1007,7 +1007,7 @@ function AJremGroupFromProfile() {
}
$groups = getUserResources(array("serverProfileAdmin"),
array("manageGroup"), 1);
- $tmp = processInputVar('listids', ARG_STRING);
+ $tmp = processInputVar('listids', ARG_STRING, '');
$tmp = explode(',', $tmp);
$groupids = array();
foreach($tmp as $id) {
@@ -1056,7 +1056,7 @@ function AJaddProfileToGroup() {
}
$resources = getUserResources(array("serverProfileAdmin"),
array("manageGroup"));
- $tmp = processInputVar('listids', ARG_STRING);
+ $tmp = processInputVar('listids', ARG_STRING, '');
$tmp = explode(',', $tmp);
$profileids = array();
foreach($tmp as $id) {
@@ -1102,7 +1102,7 @@ function AJremProfileFromGroup() {
}
$resources = getUserResources(array("serverProfileAdmin"),
array("manageGroup"));
- $tmp = processInputVar('listids', ARG_STRING);
+ $tmp = processInputVar('listids', ARG_STRING, '');
$tmp = explode(',', $tmp);
$profileids = array();
foreach($tmp as $id) {
diff --git a/web/.ht-inc/siteconfig.php b/web/.ht-inc/siteconfig.php
index bda65f2a..17904058 100644
--- a/web/.ht-inc/siteconfig.php
+++ b/web/.ht-inc/siteconfig.php
@@ -179,7 +179,7 @@ function AJupdateTimeSource() {
return;
}
$origval = getContinuationVar('origval');
- $val = processInputVar('timesource', ARG_STRING);
+ $val = processInputVar('timesource', ARG_STRING, '');
$val = preg_replace('/\s+/', '', $val);
if($origval != $val) {
$servers = explode(',', $val);
@@ -1075,7 +1075,7 @@ class AffilTextVariable {
return;
}
$value = processInputVar('value', ARG_STRING);
- if(! $this->validateValue($value)) {
+ if(is_null($value) || ! $this->validateValue($value)) {
$arr = array('status' => 'failed',
'msgid' => "{$this->domidbase}msg",
'errmsg' => i('Invalid value submitted.'),
@@ -1147,9 +1147,9 @@ class AffilTextVariable {
$id = "{$this->domidbase}_$affilid";
$newval = processInputVar($id, ARG_STRING);
if($newval !== NULL ||
- ! $this->allowempty ||
- ($affilid == $this->globalid && !
$this->allowglobalempty)) {
- if(! $this->validateValue($newval)) {
+ ($newval === NULL && ! $this->allowempty) ||
+ (($newval === NULL && $affilid == $this->globalid &&
! $this->allowglobalempty))) {
+ if($newval === NULL || !
$this->validateValue($newval)) {
$affil = getAffiliationName($affilid);
$arr = array('status' => 'failed',
'msgid' =>
"{$this->domidbase}msg",
@@ -2021,6 +2021,7 @@ class GlobalSingleVariable {
var $defaultval;
var $updatemsg;
var $type;
+ var $invalidvaluemsg;
/////////////////////////////////////////////////////////////////////////////
///
@@ -2127,7 +2128,7 @@ class GlobalSingleVariable {
sendJSON($arr);
return;
case 'textarea':
- $newval = processInputVar('newval',
ARG_STRING);
+ $newval = processInputVar('newval', ARG_STRING,
'');
if(! $this->validateValue($newval)) {
$arr = array('status' => 'failed',
'msgid' =>
"{$this->domidbase}msg",
@@ -2176,6 +2177,8 @@ class GlobalSingleVariable {
///
////////////////////////////////////////////////////////////////////////////////
class userPasswordLength extends GlobalSingleVariable {
+ var $minval;
+ var $maxval;
/////////////////////////////////////////////////////////////////////////////
///
/// \fn __construct()
@@ -2300,6 +2303,13 @@ class GlobalMultiVariable {
var $deleteCBextra;
var $saveCBextra;
var $allowduplicates;
+ var $savekeys;
+ var $setkeys;
+ var $addmsg;
+ var $delmsg;
+ var $constraint;
+ var $invalidmsg;
+ var $invalidvaluemsg;
/////////////////////////////////////////////////////////////////////////////
///
@@ -2481,7 +2491,7 @@ class GlobalMultiVariable {
sendJSON($arr);
return;
}
- if(! $this->validateValue($newval)) {
+ if(is_null($newval) || ! $this->validateValue($newval)) {
$arr = array('status' => 'failed',
'msgid' => "{$this->domidbase}msg",
'btn' => "{$this->domidbase}addbtn",
@@ -2617,7 +2627,7 @@ class GlobalMultiVariable {
case 'text':
case 'textarea':
$newval =
processInputVar("{$this->domidbase}|$key", ARG_STRING);
- if(! $this->validateValue($newval,
$key)) {
+ if(is_null($newval) || !
$this->validateValue($newval, $key)) {
$arr = array('status' =>
'failed',
'msgid' =>
"{$this->domidbase}msg",
'btn' =>
"{$this->domidbase}btn",
@@ -2723,6 +2733,8 @@ class GlobalMultiVariable {
///
////////////////////////////////////////////////////////////////////////////////
class NFSmounts extends GlobalMultiVariable {
+ var $invalidmsg;
+ var $invalidvaluemsg;
/////////////////////////////////////////////////////////////////////////////
///
/// \fn __construct()
@@ -2737,13 +2749,14 @@ class NFSmounts extends GlobalMultiVariable {
foreach($this->units as $key => $val) {
$this->units[$key]['name'] = $val['hostname'];
}
- $vals = getVariablesRegex('^nfsmount\\\|[0-9]+$');
+ $this->setValues();
+ /*$vals = getVariablesRegex('^nfsmount\\\|[0-9]+$');
$this->values = array();
foreach($vals as $key => $val) {
$tmp = explode('|', $key);
$id = $tmp[1];
$this->values[$id] = $val;
- }
+ }*/
$formbase = ' <hostname or IP>:<export
path>,<mount path>';
$this->desc = _("NFS Mounts are NFS exports that are to be
mounted within each reservation deployed by a given management node.<br>Values
must be like") . $formbase;
$this->domidbase = 'nfsmount';
@@ -2768,12 +2781,13 @@ class NFSmounts extends GlobalMultiVariable {
///
/////////////////////////////////////////////////////////////////////////////
function setValues() {
- $vals = getVariablesRegex('^nfsmount\\\|[0-9]+$');
+ $vals = getVariablesRegex('^nfsmount\|[0-9]+$');
$this->values = array();
foreach($vals as $key => $val) {
$tmp = explode('|', $key);
$id = $tmp[1];
- $this->values[$id] = $val;
+ if(isset($this->units[$id]))
+ $this->values[$id] = $val;
}
}
@@ -2963,7 +2977,7 @@ class Affiliations extends GlobalMultiVariable {
return;
}
$newval = processInputVar('multival', ARG_STRING);
- if(! $this->validateValue($newval)) {
+ if(is_null($newval) || ! $this->validateValue($newval)) {
$arr = array('status' => 'failed',
'msgid' => "{$this->domidbase}msg",
'btn' => "{$this->domidbase}addbtn",
@@ -3122,9 +3136,9 @@ class Messages {
$this->globalopts = $globalopts;
if($this->globalopts)
- $data =
getVariablesRegex('^(usermessage\\\||adminmessage\\\|)');
+ $data =
getVariablesRegex('^(usermessage\||adminmessage\|)');
else
- $data = getVariablesRegex('^usermessage\\\|');
+ $data = getVariablesRegex('^usermessage\|');
foreach($data as $key => $item) {
# 0 - category, 1 - type, 2 - affil
$keyparts = explode('|', $key);
@@ -3278,7 +3292,7 @@ class Messages {
////////////////////////////////////////////////////////////////////////////////
function AJdeleteMessages() {
global $user;
- $key = processInputVar('key', ARG_STRING);
+ $key = processInputVar('key', ARG_STRING, '');
$affilid = processInputVar('affilid', ARG_NUMERIC);
$keyparts = explode('|', $key);
if(! array_key_exists($key, $this->basekeys) ||
@@ -3315,7 +3329,7 @@ class Messages {
////////////////////////////////////////////////////////////////////////////////
function AJsaveMessages() {
global $user;
- $key = processInputVar('key', ARG_STRING);
+ $key = processInputVar('key', ARG_STRING, '');
$affilid = processInputVar('affilid', ARG_NUMERIC);
$subject = processInputVar('subject', ARG_STRING);
$body = processInputVar('body', ARG_STRING);
@@ -3335,7 +3349,7 @@ class Messages {
sendJSON($arr);
return;
}
- if(preg_match('/^\s*$/', $body)) {
+ if(is_null($body) || preg_match('/^\s*$/', $body)) {
$arr = array('status' => 'failed',
'msgid' => "messagesmsg",
'btn' => "messagessavebtn",
@@ -3367,7 +3381,7 @@ class Messages {
}
if($changed) {
if(preg_match('/\[.*\]/', $body) ||
- preg_match('/\[.*\]/', $shortmsg))
+ (! is_null($shortmsg) && preg_match('/\[.*\]/',
$shortmsg)))
setVariable('usermessage_needs_validating', 1,
'none');
unset($data['invalidfields']);
setVariable($savekey, $data, 'yaml');
diff --git a/web/.ht-inc/sitemaintenance.php b/web/.ht-inc/sitemaintenance.php
index fe833dc6..dd80080e 100644
--- a/web/.ht-inc/sitemaintenance.php
+++ b/web/.ht-inc/sitemaintenance.php
@@ -453,25 +453,37 @@ function AJeditSiteMaintenance() {
function processSiteMaintenanceInput() {
$start = processInputVar('start', ARG_NUMERIC);
$end = processInputVar('end', ARG_NUMERIC);
- $data['hoursahead'] = processInputVar('hoursahead', ARG_NUMERIC);
- $data['allowreservations'] = processInputVar('allowreservations',
ARG_NUMERIC);
- $data['reason'] = processInputVar('reason', ARG_STRING);
- $data['usermessage'] = processInputVar('usermessage', ARG_STRING);
+ $data['hoursahead'] = processInputVar('hoursahead', ARG_NUMERIC, 168);
+ $data['allowreservations'] = processInputVar('allowreservations',
ARG_NUMERIC, 1);
+ $data['reason'] = processInputVar('reason', ARG_STRING, '');
+ $data['usermessage'] = processInputVar('usermessage', ARG_STRING, '');
$err = 0;
$now = time();
- $data['startdt'] = numdatetimeToDatetime($start . '00');
- $data['startts'] = datetimeToUnix($data['startdt']);
- $data['enddt'] = numdatetimeToDatetime($end . '00');
- $data['endts'] = datetimeToUnix($data['enddt']);
+
+ if(is_null($start) || ! preg_match('/^[0-9]{12}$/', $start)) {
+ $errmsg = 'Invalid start time submitted.';
+ $err = 1;
+ }
+ if(! $err && (is_null($end) || ! preg_match('/^[0-9]{12}$/', $end))) {
+ $errmsg = 'Invalid end time submitted.';
+ $err = 1;
+ }
+
+ if(! $err) {
+ $data['startdt'] = numdatetimeToDatetime($start . '00');
+ $data['startts'] = datetimeToUnix($data['startdt']);
+ $data['enddt'] = numdatetimeToDatetime($end . '00');
+ $data['endts'] = datetimeToUnix($data['enddt']);
+ }
$reg = "/^[-0-9a-zA-Z\.,\?:;_@!#\(\)\n ]+$/";
- if(! preg_match($reg, $data['reason'])) {
+ if(! $err && ! preg_match($reg, $data['reason'])) {
$errmsg = "Reason can only contain letters, numbers,
spaces,\\nand these characters: . , ? : ; - _ @ ! # ( )";
$err = 1;
}
- if(! preg_match($reg, $data['usermessage'])) {
+ if(! $err && ! preg_match($reg, $data['usermessage'])) {
$errmsg = "User Message can only contain letters, numbers,
spaces,\\nand these characters: . , ? : ; - _ @ ! # ( )";
$err = 1;
}
diff --git a/web/.ht-inc/statistics.php b/web/.ht-inc/statistics.php
index 9d749fe4..c803b1c0 100644
--- a/web/.ht-inc/statistics.php
+++ b/web/.ht-inc/statistics.php
@@ -37,7 +37,7 @@ define("ORDERERR", 1 << 2);
///
////////////////////////////////////////////////////////////////////////////////
function selectStatistics() {
- global $submitErr, $user;
+ global $submitErr, $user, $locale;
list($month1, $day1, $year1) = explode(',', date('n,j,Y', time() -
(SECINDAY * 6)));
list($month2, $day2, $year2) = explode(',', date('n,j,Y', time()));
@@ -58,8 +58,10 @@ function selectStatistics() {
$affilid = $user['affiliationid'];
print i("Select a starting date:") . "<br>\n";
$months = array('');
+ $df = new IntlDateFormatter($locale, IntlDateFormatter::FULL,
IntlDateFormatter::FULL);
+ $df->setPattern('MMMM');
for($i = 2 * SECINDAY, $cnt = 1; $cnt < 13; $i += SECINMONTH, $cnt++)
- $months[$cnt] = strftime('%B', $i);
+ $months[$cnt] = $df->format($i);
unset($months[0]);
$days = array();
for($i = 0; $i < 32; $i++) {
@@ -140,12 +142,12 @@ function viewStatistics() {
define("1HOUR", 3600);
define("2HOURS", 7200);
define("4HOURS", 14400);
- $month1 = processInputVar("month1", ARG_NUMERIC);
- $day1 = processInputVar("day1", ARG_NUMERIC);
- $year1 = processInputVar("year1", ARG_NUMERIC);
- $month2 = processInputVar("month2", ARG_NUMERIC);
- $day2 = processInputVar("day2", ARG_NUMERIC);
- $year2 = processInputVar("year2", ARG_NUMERIC);
+ $month1 = (int)processInputVar("month1", ARG_NUMERIC);
+ $day1 = (int)processInputVar("day1", ARG_NUMERIC);
+ $year1 = (int)processInputVar("year1", ARG_NUMERIC);
+ $month2 = (int)processInputVar("month2", ARG_NUMERIC);
+ $day2 = (int)processInputVar("day2", ARG_NUMERIC);
+ $year2 = (int)processInputVar("year2", ARG_NUMERIC);
$affilid = processInputVar("affilid", ARG_NUMERIC,
$user['affiliationid']);
$mode2 = getContinuationVar('mode', 'default');
$provid = processInputVar('provid', ARG_NUMERIC, 0);
@@ -197,9 +199,10 @@ function viewStatistics() {
print "(Times and dates on this page are in " . date('T') . ")<br>\n";
print "<H3>";
$tmp = mktime(0, 0, 0, $month1, $day1, $year1);
- $starttime = strftime('%x', $tmp);
+ $df = new IntlDateFormatter($locale, IntlDateFormatter::SHORT,
IntlDateFormatter::NONE);
+ $starttime = $df->format($tmp);
$tmp = mktime(0, 0, 0, $month2, $day2, $year2);
- $endtime = strftime('%x', $tmp);
+ $endtime = $df->format($tmp);
printf(i("Reservation information between %s and %s:"), $starttime,
$endtime);
print "</H3>\n";
$reloadid = getUserlistID('vclreload@Local');
diff --git a/web/.ht-inc/userpreferences.php b/web/.ht-inc/userpreferences.php
index fcdc6f79..475de3ea 100644
--- a/web/.ht-inc/userpreferences.php
+++ b/web/.ht-inc/userpreferences.php
@@ -562,8 +562,6 @@ function submitGeneralPreferences() {
$user['usepublickeys'] = $newval;
}
if($pubkeyauth == 2 && preg_match('|^[-a-zA-Z0-9\+/ @=\.\n\r]*$|',
$pubkeys)) {
- if(get_magic_quotes_gpc())
- $pubkeys = stripslashes($pubkeys);
$_pubkeys = vcl_mysql_escape_string($pubkeys);
$query = "UPDATE user SET sshpublickeys = '$_pubkeys' WHERE id
= {$user['id']}";
doQuery($query);
@@ -614,6 +612,7 @@ function processUserPrefsInput($checks=1) {
$submitErrMsg[PREFNAMEERR] = i("Preferred name can only be up to 25
characters");
}
if(! preg_match('/^[a-zA-Z ]*$/', $return["preferredname"])) {
+ $_POST['preferredname'] = preg_replace('/[^a-zA-Z ]/', '',
$return['preferredname']);
$submitErr |= PREFNAMEERR;
$submitErrMsg[PREFNAMEERR] = i("Preferred name can only contain
letters and spaces");
}
@@ -621,11 +620,6 @@ function processUserPrefsInput($checks=1) {
$return['newpassword'] = $_POST['newpassword'];
$confirmpwd = $_POST['confirmpassword'];
$curr = $_POST['currentpassword'];
- if(get_magic_quotes_gpc()) {
- $return['newpassword'] =
stripslashes($return['newpassword']);
- $confirmpwd = stripslashes($confirmpwd);
- $curr = stripslashes($curr);
- }
if(! empty($return['newpassword']) && ! empty($confirmpwd) &&
! validateLocalAccount($user['unityid'], $curr)) {
$submitErr |= LOCALPASSWORDERR;
diff --git a/web/.ht-inc/utils.php b/web/.ht-inc/utils.php
index 21c33047..667673b6 100644
--- a/web/.ht-inc/utils.php
+++ b/web/.ht-inc/utils.php
@@ -48,6 +48,8 @@ $HTMLheader = "";
/// global variable to store if header has been printed
$printedHTMLheader = 0;
+spl_autoload_register('vclAutoLoader');
+
////////////////////////////////////////////////////////////////////////////////
///
/// \fn initGlobals()
@@ -142,6 +144,7 @@ function initGlobals() {
if(isset($_COOKIE['VCLAUTH']) ||
$mode == 'submitLogin' ||
$mode == 'selectauth' ||
+ $mode == 'xmlrpccall' ||
$mode == 'main') {
// open keys
$fp = fopen(".ht-inc/keys.pem", "r");
@@ -357,21 +360,21 @@ function initGlobals() {
////////////////////////////////////////////////////////////////////////////////
///
-/// \fn __autoload($class)
+/// \fn vclAutoLoader($class)
///
/// \param $class - name of a class
///
/// \brief handles loading class implementation file for a specified class
///
////////////////////////////////////////////////////////////////////////////////
-function __autoload($class) {
+function vclAutoLoader($class) {
global $actions;
$class = strtolower($class);
+ require_once(".ht-inc/resource.php");
if(array_key_exists($class, $actions['classmapping'])) {
require_once(".ht-inc/{$actions['classmapping'][$class]}.php");
return;
}
- require_once(".ht-inc/resource.php");
require_once(".ht-inc/$class.php");
}
@@ -419,8 +422,6 @@ function checkAccess() {
exit;
}
$xmlpass = $_SERVER['HTTP_X_PASS'];
- if(get_magic_quotes_gpc())
- $xmlpass = stripslashes($xmlpass);
$apiver = processInputData($_SERVER['HTTP_X_APIVERSION'],
ARG_NUMERIC, 1);
if($apiver == 1) {
addLoginLog($xmluser, 'unknown', $user['affilid'], 0);
@@ -833,7 +834,7 @@ function maintenanceCheck() {
}
else
print i("This site is currently in maintenance.") .
"<br>\n";
- $niceend = strftime('%A, %x, %l:%M %P', $end);
+ $niceend = prettyDatetime($end, 1, 0, 1);
printf(i("The maintenance is scheduled to end
<strong>%s</strong>.") . "<br><br><br>\n", $niceend);
printHTMLFooter();
exit;
@@ -863,8 +864,8 @@ function maintenanceNotice() {
$_SESSION['usersessiondata'] = array();
return;
}
- $nicestart = strftime('%A, %x, %l:%M %P', $start);
- $niceend = strftime('%A, %x, %l:%M %P',
datetimeToUnix($item['end']));
+ $nicestart = prettyDatetime($start, 1, 0, 1);
+ $niceend = prettyDatetime($item['end'], 1, 0, 1);
print "<div id=\"maintenancenotice\">\n";
print "<strong>" . i("NOTICE:") . "</strong> ";
print i("This site will be down for maintenance during
the following times:") . "<br><br>\n";
@@ -1290,8 +1291,6 @@ function doQuery($query, $errcode=101, $db="vcl",
$nolog=0) {
if(QUERYLOGGING != 0 && (! $nolog) &&
preg_match('/^(UPDATE|INSERT|DELETE)/', $query) &&
strpos($query, 'UPDATE continuations SET expiretime = ') ===
FALSE) {
- $logquery = str_replace("'", "\'", $query);
- $logquery = str_replace('"', '\"', $logquery);
if(isset($user['id']))
$id = $user['id'];
else
@@ -1302,11 +1301,13 @@ function doQuery($query, $errcode=101, $db="vcl",
$nolog=0) {
. "mode, "
. "query) "
. "VALUES "
- . "($id, "
+ . "(?, " # $id
. "NOW(), "
- . "'$mode', "
- . "'$logquery')";
- mysqli_query($mysqli_link_vcl, $q);
+ . "?, " # $mode
+ . "?)"; # $logquery
+ $s = mysqli_prepare($mysqli_link_vcl, $q);
+ mysqli_stmt_bind_param($s, 'iss', $id, $mode, $query);
+ mysqli_stmt_execute($s);
}
for($i = 0; ! ($qh = mysqli_query($mysqli_link_vcl, $query)) &&
$i < 3; $i++) {
if(mysqli_errno($mysqli_link_vcl) == '1213') #
DEADLOCK, sleep and retry
@@ -1324,6 +1325,76 @@ function doQuery($query, $errcode=101, $db="vcl",
$nolog=0) {
return $qh;
}
+////////////////////////////////////////////////////////////////////////////////
+///
+/// \fn doPSQuery($query, $paramtypes, $params, $errcode, $db, $nolog)
+///
+/// \param $query - SQL statement
+/// \param $paramtypes - string containing the types of parameters to fill in
+/// for the ?s in the query, ex: 'ssi' for string string integer
+/// \param $params - array of parameters to fill in for the ?s in the query
+/// \param $errcode - error code
+/// \param $db - (optional, defaul=vcl), database to query against
+/// \param $nolog - (optional, defaul=0), don't log to queryLog table
+///
+/// \return $qh - query handle or NULL if problem encountered
+///
+/// \brief performs the query and returns $qh or aborts on error
+///
+////////////////////////////////////////////////////////////////////////////////
+function doPSQuery($query, $paramtypes, $params, $errcode=101, $db="vcl",
+ $nolog=0) {
+ global $mysqli_link_vcl, $mysqli_link_acct, $user, $mode,
$ENABLE_ITECSAUTH;
+ global $totalQueries, $queryTimes, $totalQueryTime;
+ $totalQueries++;
+ if(strlen($paramtypes) != count($params))
+ return NULL;
+ if($db == "vcl") {
+ if(QUERYLOGGING != 0 && (! $nolog) &&
+ preg_match('/^(UPDATE|INSERT|DELETE)/', $query) &&
+ strpos($query, 'UPDATE continuations SET expiretime = ') ===
FALSE) {
+ if(isset($user['id']))
+ $id = $user['id'];
+ else
+ $id = 0;
+ $q = "INSERT INTO querylog "
+ . "(userid, "
+ . "timestamp, "
+ . "mode, "
+ . "query) "
+ . "VALUES "
+ . "(?, " # $id
+ . "NOW(), "
+ . "?, " # $mode
+ . "?)"; # $logquery
+ $s = mysqli_prepare($mysqli_link_vcl, $q);
+ mysqli_stmt_bind_param($s, 'iss', $id, $mode, $query);
+ mysqli_stmt_execute($s);
+ }
+ $stmt = mysqli_prepare($mysqli_link_vcl, $query);
+ if(strlen($paramtypes))
+ mysqli_stmt_bind_param($stmt, $paramtypes, ...$params);
+ for($i = 0; ! mysqli_stmt_execute($stmt) && $i < 3; $i++) {
+ if(mysqli_errno($mysqli_link_vcl) == '1213') #
DEADLOCK, sleep and retry
+ usleep(50);
+ else
+ abort($errcode, $query);
+ }
+ $qh = mysqli_stmt_get_result($stmt);
+ }
+ elseif($db == "accounts") {
+ if($ENABLE_ITECSAUTH) {
+ $stmt = mysqli_prepare($mysqli_link_acct, $query);
+ mysqli_stmt_bind_param($stmt, $paramtypes, ...$params);
+ mysqli_stmt_execute($stmt);
+ $qh = mysqli_stmt_get_result($stmt) or abort($errcode,
$query);
+ }
+ else
+ $qh = NULL;
+ }
+ return $qh;
+}
+
////////////////////////////////////////////////////////////////////////////////
///
/// \fn dbLastInsertID()
@@ -1352,6 +1423,8 @@ function dbLastInsertID() {
////////////////////////////////////////////////////////////////////////////////
function vcl_mysql_escape_string($string) {
global $mysqli_link_vcl;
+ if(is_null($string))
+ $string = '';
return mysqli_real_escape_string($mysqli_link_vcl, $string);
}
@@ -1753,8 +1826,8 @@ function getImageRevisions($imageid, $incdeleted=0) {
function getImageNotes($imageid) {
if(empty($imageid))
$imageid = 0;
- $query = "SELECT description, "
- . "`usage` "
+ $query = "SELECT COALESCE(description, '') as description, "
+ . "COALESCE(`usage`, '') as `usage` "
. "FROM image "
. "WHERE id = $imageid";
$qh = doQuery($query, 101);
@@ -4043,6 +4116,8 @@ function processInputVar($vartag, $type,
$defaultvalue=NULL, $stripwhitespace=0)
}
}
else {
+ if(is_null($return))
+ $return = '';
$return = strip_tags($return);
if($stripwhitespace)
$return = trim($return);
@@ -4290,6 +4365,7 @@ function getUserInfo($id, $noupdate=0, $numeric=0) {
. "u.lastupdated AS lastupdated, "
. "u.usepublickeys, "
. "u.sshpublickeys, "
+ . "COALESCE(u.sshpublickeys, '') AS sshpublickeys, "
. "af.shibonly "
. "FROM affiliation af, "
. "user u "
@@ -5529,7 +5605,7 @@ function getSemaphore($imageid, $imagerevisionid,
$mgmtnodeid, $compid, $start,
$rc = mysqli_affected_rows($mysqli_link_vcl);
# check to see if another process allocated this one
- if($rc) {
+ if($rc > 0) {
$query = "SELECT rq.id "
. "FROM request rq, "
. "reservation rs "
@@ -10054,12 +10130,17 @@ function printArray($array) {
////////////////////////////////////////////////////////////////////////////////
///
-/// \fn prettyDatetime($stamp, $showyear=0, $notzoffset=0)
+/// \fn prettyDatetime($stamp, $showyear=0, $notzoffset=0, $numericdate=0
+/// $nodayname=0)
///
/// \param $stamp - a timestamp in unix or mysql datetime format
/// \param $showyear (optional, default=0) - set to 1 to include year
/// \param $notzoffset (optional, default=0) - set to 1 to prevent timezone
/// conversion
+/// \param $numericdate (optional, default=0) - set to 1 to use a numeric date
+/// instead of a written out date
+/// \param $nodayname (optional, default=0) - set to 1 to leave off name of day
+/// of week
///
/// \return date/time in html format of [Day of week], [month] [day of month],
/// [HH:MM] [am/pm]
@@ -10067,17 +10148,28 @@ function printArray($array) {
/// \brief reformats the datetime to look better
///
////////////////////////////////////////////////////////////////////////////////
-function prettyDatetime($stamp, $showyear=0, $notzoffset=0) {
+function prettyDatetime($stamp, $showyear=0, $notzoffset=0, $numericdate=0,
+ $nodayname=0) {
global $locale;
if(! preg_match('/^[\d]+$/', $stamp))
$stamp = datetimeToUnix($stamp);
if(! $notzoffset && isset($_SESSION['persistdata']['tzoffset']))
$stamp += $_SESSION['persistdata']['tzoffset'] * 60;
+ $dateformatter = IntlDateFormatter::MEDIUM;
+ if($numericdate)
+ $dateformatter = IntlDateFormatter::SHORT;
+ $df = new IntlDateFormatter($locale, $dateformatter,
IntlDateFormatter::SHORT);
+ $ptn = $df->getPattern();
+ $dayptn = 'EEEE, ';
+ if($nodayname)
+ $dayptn = '';
if($showyear)
- $return = strftime('%A, %b %-d, %Y, %l:%M %P',
$stamp);
- else
- $return = strftime('%A, %b %-d, %l:%M %P', $stamp);
- return $return;
+ $df->setPattern("{$dayptn}$ptn z"); #Tuesday, May 2, 2023,
11:56 AM EDT
+ else {
+ $ptn = preg_replace('|[/ ]?y[,/]?|', '', $ptn);
+ $df->setPattern("{$dayptn}$ptn z"); #Tuesday, May 2, 11:56 AM
EDT
+ }
+ return $df->format($stamp);
}
////////////////////////////////////////////////////////////////////////////////
@@ -10104,6 +10196,36 @@ function minToHourMin($min) {
return sprintf("%.2f " . i("hours"), $min / 60);
}
+////////////////////////////////////////////////////////////////////////////////
+///
+/// \fn minToDaysHourMin($min)
+///
+/// \param $min - minutes
+///
+/// \return a string value
+///
+/// \brief um, I don't know how to describe this, just look at the code
+///
+////////////////////////////////////////////////////////////////////////////////
+function minToDaysHourMin($min) {
+ if($min < 60)
+ return $min . " " . i("minutes");
+ elseif($min < 2880) {
+ if($min == 60)
+ return i("1 hour");
+ elseif($min % 60 == 0)
+ return sprintf("%d " . i("hours"), $min / 60);
+ elseif($min % 30 == 0)
+ return sprintf("%.1f " . i("hours"), $min / 60);
+ else
+ return sprintf("%.2f " . i("hours"), $min / 60);
+ }
+ elseif($min < 64800)
+ return sprintf("%d " . i("days"), $min / 1440);
+ else
+ return sprintf("%d " . i("weeks"), $min / 10080);
+}
+
////////////////////////////////////////////////////////////////////////////////
///
/// \fn secToMinSec($sec)
@@ -10155,6 +10277,74 @@ function prettyLength($minutes) {
}
}
+////////////////////////////////////////////////////////////////////////////////
+///
+/// \fn htmlwrap($str, $linelen)
+///
+/// \param $str - string to be wrapped
+/// \param $linelen - max length of each line
+///
+/// \brief breaks $str up into multiple lines no longer than $linelen with each
+/// line ending with a break tag (<br/>)
+///
+////////////////////////////////////////////////////////////////////////////////
+function htmlwrap($str, $linelen) {
+ $str = str_replace('<br>', '<br/>', $str);
+ $str = str_replace('<br />', '<br/>', $str);
+ $word = '';
+ $nextstr = '';
+ $curlen = 0;
+ $strlen = strlen($str);
+ $wrapped = '';
+ $intag = 0;
+ for($i = 0; $i < $strlen; $i++) {
+ $nextstr .= $str[$i];
+ if($str[$i] == '<') {
+ $intag = 1;
+ continue;
+ }
+ elseif($str[$i] == '>') {
+ $intag = 0;
+ if($i > 4 && substr($nextstr, -5, 5) == '<br/>') {
+ if(strlen($nextstr)) {
+ if($curlen <= $linelen) {
+ $wrapped .= $nextstr;
+ }
+ else {
+ $wrapped .= "<br/>$nextstr";
+ }
+ $word = '';
+ $nextstr = '';
+ }
+ $curlen = 0;
+ }
+ continue;
+ }
+ if(! $intag) {
+ $curlen++;
+ $word .= $str[$i];
+ if($str[$i] == ' ') {
+ if($curlen <= $linelen) {
+ $wrapped .= $nextstr;
+ }
+ else {
+ $wrapped .= "<br/>$nextstr";
+ $curlen = strlen($word);
+ }
+ $word = '';
+ $nextstr = '';
+ }
+ }
+ }
+ if($curlen <= $linelen) {
+ $wrapped .= $nextstr;
+ }
+ else {
+ $wrapped .= "<br/>$nextstr";
+ }
+ return $wrapped;
+}
+
////////////////////////////////////////////////////////////////////////////////
///
/// \fn AJsetTZoffset()
@@ -10348,6 +10538,8 @@ function getUserGroupID($name,
$affilid=DEFAULT_AFFILID, $noadd=0) {
///
////////////////////////////////////////////////////////////////////////////////
function getUserGroupName($id, $incAffil=0) {
+ if(! is_numeric($id))
+ return 0;
if($incAffil) {
$query = "SELECT CONCAT(u.name, '@', a.name) as name "
. "FROM usergroup u, "
@@ -10603,7 +10795,7 @@ function sendRDPfile() {
$userid = $matches[1];
else
$userid = $user["unityid"];
- if($request['reservations'][0]['domainDNSName'] != '' && !
strlen($passwd))
+ if($request['reservations'][0]['domainDNSName'] != '' &&
(is_null($passwd) || ! strlen($passwd)) &&
$request['reservations'][0]['OStype'] == 'windows')
$userid .= "@" . $request['reservations'][0]['domainDNSName'];
elseif($request['reservations'][0]['OStype'] == 'windows')
$userid = ".\\$userid";
@@ -10958,6 +11150,8 @@ function getUserMaxTimes($uid=0) {
$allgroups = getUserGroups();
foreach($groupids as $id) {
+ if(! isset($allgroups[$id]))
+ continue;
if($return["initial"] < $allgroups[$id]["initialmaxtime"])
$return["initial"] = $allgroups[$id]["initialmaxtime"];
if($return["total"] < $allgroups[$id]["totalmaxtime"])
@@ -12015,7 +12209,7 @@ function weekOfYear($ts) {
////////////////////////////////////////////////////////////////////////////////
function cleanSemaphore() {
global $mysqli_link_vcl, $uniqid;
- if(! is_resource($mysqli_link_vcl) || !
get_resource_type($mysqli_link_vcl) == 'mysql link')
+ if(! is_object($mysqli_link_vcl) || get_class($mysqli_link_vcl) !=
'mysqli')
return;
$query = "DELETE FROM semaphore "
. "WHERE procid = '$uniqid'";
@@ -12450,8 +12644,8 @@ function getVariable($key, $default=NULL, $incparams=0)
{
. "timestamp, ";
$query .= "value ";
$query .= "FROM variable "
- . "WHERE name = '$key'";
- $qh = doQuery($query);
+ . "WHERE name = ?"; # $key
+ $qh = doPSQuery($query, 's', array($key));
if($row = mysqli_fetch_assoc($qh)) {
if($incparams) {
switch($row['serialization']) {
@@ -12500,8 +12694,8 @@ function getVariablesRegex($pattern) {
. "serialization, "
. "value "
. "FROM variable "
- . "WHERE name REGEXP '$pattern'";
- $qh = doQuery($query);
+ . "WHERE name REGEXP ?"; # $pattern
+ $qh = doPSQuery($query, 's', array($pattern));
$ret = array();
while($row = mysqli_fetch_assoc($qh)) {
switch($row['serialization']) {
@@ -12537,8 +12731,8 @@ function getVariablesRegex($pattern) {
////////////////////////////////////////////////////////////////////////////////
function setVariable($key, $data, $serialization='') {
$update = 0;
- $query = "SELECT serialization FROM variable WHERE name = '$key'";
- $qh = doQuery($query);
+ $query = "SELECT serialization FROM variable WHERE name = ?"; # $key
+ $qh = doPSQuery($query, 's', array($key));
if($row = mysqli_fetch_assoc($qh)) {
if($serialization == '')
$serialization = $row['serialization'];
@@ -12549,37 +12743,37 @@ function setVariable($key, $data, $serialization='') {
$_SESSION['variables'][$key] = $data;
switch($serialization) {
case 'none':
- $qdata = vcl_mysql_escape_string($data);
+ $qdata = $data;
break;
case 'yaml':
- $yaml = Spyc::YAMLDump($data);
- $qdata = vcl_mysql_escape_string($yaml);
+ $qdata = Spyc::YAMLDump($data);
break;
case 'phpserialize':
- $qdata = vcl_mysql_escape_string(serialize($data));
+ $qdata = serialize($data);
break;
}
if($update)
$query = "UPDATE variable "
- . "SET value = '$qdata', "
- . "serialization = '$serialization', "
+ . "SET serialization = ?, " # $serialization
+ . "value = ?, " # $qdata
. "setby = 'webcode', "
. "timestamp = NOW() "
- . "WHERE name = '$key'";
+ . "WHERE name = ?"; # $key
else
$query = "INSERT INTO variable "
- . "(name, "
- . "serialization, "
+ . "(serialization, "
. "value, "
+ . "name, "
. "setby, "
. "timestamp) "
. "VALUES "
- . "('$key', "
- . "'$serialization', "
- . "'$qdata', "
+ . "(?, " # $serialization
+ . "?, " # $qdata
+ . "?, " # $key
. "'webcode', "
. "NOW())";
- doQuery($query);
+ $params = array($serialization, $qdata, $key);
+ doPSQuery($query, 'sss', $params);
}
////////////////////////////////////////////////////////////////////////////////
@@ -14439,7 +14633,8 @@ function getFSlocales() {
if(! file_exists("{$dir}/language"))
continue;
$fh = fopen("{$dir}/language", 'r');
- while($line = fgetss($fh)) {
+ while($line = fgets($fh)) {
+ $line = strip_tags($line);
if(preg_match('/(^#)|(^\s*$)/', $line)) {
continue;
}
diff --git a/web/.ht-inc/vm.php b/web/.ht-inc/vm.php
index df10b43e..d351cf09 100644
--- a/web/.ht-inc/vm.php
+++ b/web/.ht-inc/vm.php
@@ -354,7 +354,7 @@ function vmhostdata() {
$data = getVMHostData($vmhostid);
$resources = getUserResources(array("computerAdmin"),
array("administer"));
- if(! array_key_exists($data[$vmhostid]['computerid'],
$resources['computer'])) {
+ if(is_null($vmhostid) || !
array_key_exists($data[$vmhostid]['computerid'], $resources['computer'])) {
sendJSON(array('failed' => 'noaccess'));
return;
}
@@ -505,7 +505,7 @@ function AJvmToHost() {
$hostdata = getVMHostData($hostid);
$resources = getUserResources(array("computerAdmin"),
array("administer"));
- if(! array_key_exists($hostdata[$hostid]['computerid'],
$resources['computer'])) {
+ if(is_null($hostid) || !
array_key_exists($hostdata[$hostid]['computerid'], $resources['computer'])) {
sendJSON(array('failed' => 'nohostaccess'));
return;
}
@@ -514,7 +514,7 @@ function AJvmToHost() {
$fails = array();
$vmlistids = processInputVar('listids', ARG_STRING);
- if(! preg_match('/^(\d+)(,\d+)*$/', $vmlistids)) {
+ if(is_null($vmlistids) || ! preg_match('/^(\d+)(,\d+)*$/', $vmlistids))
{
sendJSON(array('failed' => 'invaliddata'));
return;
}
@@ -578,14 +578,14 @@ function AJvmFromHost() {
$hostdata = getVMHostData($hostid);
$resources = getUserResources(array("computerAdmin"),
array("administer"));
- if(! array_key_exists($hostdata[$hostid]['computerid'],
$resources['computer'])) {
+ if(is_null($hostid) || !
array_key_exists($hostdata[$hostid]['computerid'], $resources['computer'])) {
sendJSON(array('failed' => 'nohostaccess'));
return;
}
$fails = array();
$vmlistids = processInputVar('listids', ARG_STRING);
- if(! preg_match('/^(\d+)(,\d+)*$/', $vmlistids)) {
+ if(is_null($vmlistids) || ! preg_match('/^(\d+)(,\d+)*$/', $vmlistids))
{
sendJSON(array('failed' => 'invaliddata'));
return;
}
@@ -717,14 +717,14 @@ function AJcancelVMmove() {
$hostdata = getVMHostData($hostid);
$resources = getUserResources(array("computerAdmin"),
array("administer"));
- if(! array_key_exists($hostdata[$hostid]['computerid'],
$resources['computer'])) {
+ if(is_null($hostid) || !
array_key_exists($hostdata[$hostid]['computerid'], $resources['computer'])) {
sendJSON(array('failed' => 'nohostaccess'));
return;
}
$fails = array();
$requestids = processInputVar('listids', ARG_STRING);
- if(! preg_match('/^(\d+)(,\d+)*$/', $requestids)) {
+ if(is_null($requestids) || ! preg_match('/^(\d+)(,\d+)*$/',
$requestids)) {
sendJSON(array('failed' => 'invaliddata'));
return;
}
@@ -774,11 +774,11 @@ function AJcancelVMmove() {
///
////////////////////////////////////////////////////////////////////////////////
function AJprofileData($profileid="") {
- if(! checkUserHasPerm('Manage VM Profiles')) {
+ $profileid = processInputVar('profileid', ARG_NUMERIC, $profileid);
+ if(empty($profileid) || ! checkUserHasPerm('Manage VM Profiles')) {
sendJSON(array('failed' => 'noaccess'));
return;
}
- $profileid = processInputVar('profileid', ARG_NUMERIC, $profileid);
$profiledata = getVMProfiles($profileid);
foreach($profiledata[$profileid] AS $key => $value) {
if(is_null($value))
@@ -819,7 +819,11 @@ function AJupdateVMprofileItem() {
return;
}
$profileid = processInputVar('profileid', ARG_NUMERIC);
- $item = processInputVar('item', ARG_STRING);
+ if(empty($profileid) || ! checkUserHasPerm('Manage VM Profiles')) {
+ print "alert('Invalid data submitted.');";
+ return;
+ }
+ $item = processInputVar('item', ARG_STRING, '');
if(!
preg_match('/^(profilename|imageid|resourcepath|folderpath|repositorypath|repositoryimagetypeid|datastorepath|datastoreimagetypeid|vmdisk|vmpath|virtualswitch[0-3]|username|password|eth0generated|eth1generated)$/',
$item)) {
print "alert('Invalid data submitted.');";
return;
@@ -841,15 +845,26 @@ function AJupdateVMprofileItem() {
if(! in_array($newvalue, $vmdisks))
$newvalue = $vmdisks[0];
}
- elseif($item == 'password')
- $newvalue = $_POST['newvalue'];
+ elseif($item == 'password') {
+ if(isset($_POST['newvalue']))
+ $newvalue = $_POST['newvalue'];
+ else
+ $newvalue = '';
+ }
+ elseif($item == 'profilename') {
+ $newvalue = processInputVar('newvalue', ARG_STRING);
+ if(empty($newvalue) || ! preg_match('/^[-a-zA-Z0-9
\.\(\),@#_\+:;]$/', $newvalue)) {
+ $profile = getVMProfiles($profileid);
+ print "alert('Invalid value submitted for Name');";
+ print "dijit.byId('pname').set('value',
'{$profile[$profileid]['name']}');";
+ return;
+ }
+ }
else
$newvalue = processInputVar('newvalue', ARG_STRING);
- if($newvalue == '')
+ if(empty($newvalue))
$newvalue2 = 'NULL';
else {
- if(get_magic_quotes_gpc())
- $newvalue = stripslashes($newvalue);
$newvalue2 = vcl_mysql_escape_string($newvalue);
$newvalue2 = "'$newvalue2'";
}
@@ -940,7 +955,8 @@ function AJupdateVMprofileItem() {
. "SET `$item` = $newvalue2 "
. "WHERE id = $profileid";
doQuery($query, 101);
- $newvalue = preg_replace("/'/", "\\'", $newvalue);
+ if(! is_null($newvalue))
+ $newvalue = preg_replace("/'/", "\\'", $newvalue);
print "curprofile.$item = '$newvalue';";
}
@@ -954,13 +970,17 @@ function AJupdateVMprofileItem() {
////////////////////////////////////////////////////////////////////////////////
function AJnewProfile() {
$newprofile = processInputVar('newname', ARG_STRING);
- if(get_magic_quotes_gpc())
- $newprofile = stripslashes($newprofile);
+ if(empty($newprofile) || ! preg_match('/^[-a-zA-Z0-9
\.\(\),@#_\+:;]$/', $newprofile)) {
+ sendJSON(array('failed' => 'invalid',
+ 'errmsg' => 'Invalid name submitted for new
profile.'));
+ return;
+ }
$newprofile = vcl_mysql_escape_string($newprofile);
$query = "SELECT id FROM vmprofile WHERE profilename = '$newprofile'";
$qh = doQuery($query, 101);
if($row = mysqli_fetch_assoc($qh)) {
- sendJSON(array('failed' => 'exists'));
+ sendJSON(array('failed' => 'exists',
+ 'errmsg' => 'A profile with this name already
exists.'));
return;
}
$imageid = getImageId('noimage');
@@ -992,6 +1012,10 @@ function AJdelProfile() {
return;
}
$profileid = processInputVar('profileid', ARG_NUMERIC);
+ if(empty($profileid)) {
+ sendJSON(array('failed' => 'noaccess'));
+ return;
+ }
# check to see if profile is in use
$query = "SELECT vh.computerid, "
. "s.name "
diff --git a/web/.ht-inc/xmlrpcWrappers.php b/web/.ht-inc/xmlrpcWrappers.php
index 750000e4..5a1605bd 100644
--- a/web/.ht-inc/xmlrpcWrappers.php
+++ b/web/.ht-inc/xmlrpcWrappers.php
@@ -98,7 +98,7 @@ function XMLRPCaffiliations() {
///
////////////////////////////////////////////////////////////////////////////////
function XMLRPCtest($string) {
- $string = processInputData($string, ARG_STRING);
+ $string = processInputData($string, ARG_STRING, 0, '');
return array('status' => 'success',
'message' => 'RPC call worked successfully',
'string' => $string);
@@ -168,7 +168,7 @@ function XMLRPCaddRequest($imageid, $start, $length,
$foruser='',
global $user;
$imageid = processInputData($imageid, ARG_NUMERIC);
$start = processInputData($start, ARG_STRING, 1);
- $length = processInputData($length, ARG_NUMERIC);
+ $length = processInputData($length, ARG_NUMERIC, 0, 60);
#$foruser = processInputData($foruser, ARG_STRING, 1);
// make sure user didn't submit a request for an image he
@@ -425,9 +425,7 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
'errormsg' => "access denied to $imageid");
}
if($admingroup != '') {
- $admingroup = processInputData($admingroup, ARG_STRING);
- if(get_magic_quotes_gpc())
- $admingroup = stripslashes($admingroup);
+ $admingroup = processInputData($admingroup, ARG_STRING, 0, '');
if(preg_match('/@/', $admingroup)) {
$tmp = explode('@', $admingroup);
$escadmingroup = vcl_mysql_escape_string($tmp[0]);
@@ -452,9 +450,7 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
else
$admingroupid = '';
if($logingroup != '') {
- $logingroup = processInputData($logingroup, ARG_STRING);
- if(get_magic_quotes_gpc())
- $logingroup = stripslashes($logingroup);
+ $logingroup = processInputData($logingroup, ARG_STRING, 0, '');
if(preg_match('/@/', $logingroup)) {
$tmp = explode('@', $logingroup);
$esclogingroup = vcl_mysql_escape_string($tmp[0]);
@@ -478,7 +474,7 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
}
else
$logingroupid = '';
- $ipaddr = processInputData($ipaddr, ARG_STRING);
+ $ipaddr = processInputData($ipaddr, ARG_STRING, 0, '');
$ipaddrArr = explode('.', $ipaddr);
if($ipaddr != '' && (!
preg_match('/^(([0-9]){1,3}\.){3}([0-9]){1,3}$/', $ipaddr) ||
$ipaddrArr[0] < 1 || $ipaddrArr[0] > 255 ||
@@ -490,7 +486,7 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
'errormsg' => "Invalid IP address. Must be w.x.y.z
with each of "
. "w, x, y, and z being between 1 and
255 (inclusive)");
}
- $macaddr = processInputData($macaddr, ARG_STRING);
+ $macaddr = processInputData($macaddr, ARG_STRING, 0, '');
if($macaddr != '' && !
preg_match('/^(([A-Fa-f0-9]){2}:){5}([A-Fa-f0-9]){2}$/', $macaddr)) {
return array('status' => 'error',
'errorcode' => 58,
@@ -504,9 +500,7 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
$end = processInputData($end, ARG_STRING, 1);
#$foruser = processInputData($foruser, ARG_STRING, 1);
- $name = processInputData($name, ARG_STRING);
- if(get_magic_quotes_gpc())
- $name = stripslashes($name);
+ $name = processInputData($name, ARG_STRING, 0, '');
if(! preg_match('/^([-a-zA-Z0-9_\. ]){0,255}$/', $name)) {
return array('status' => 'error',
'errorcode' => 58,
@@ -572,8 +566,6 @@ function XMLRPCdeployServer($imageid, $start, $end,
$admingroup='',
. "WHERE requestid = {$return['requestid']}";
doQuery($query);
if($userdata != '') {
- if(get_magic_quotes_gpc())
- $userdata = stripslashes($userdata);
$esc_userdata = vcl_mysql_escape_string($userdata);
$query = "INSERT INTO variable "
. "(name, "
@@ -806,7 +798,7 @@ function XMLRPCgetRequestStatus($requestid) {
function XMLRPCgetRequestConnectData($requestid, $remoteIP) {
global $user;
$requestid = processInputData($requestid, ARG_NUMERIC);
- $remoteIP = processInputData($remoteIP, ARG_STRING, 1);
+ $remoteIP = processInputData($remoteIP, ARG_STRING, 0, '');
if(!
preg_match('/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/',
$remoteIP, $matches) ||
$matches[1] < 1 || $matches[1] > 223 ||
$matches[2] > 255 ||
@@ -921,7 +913,7 @@ function XMLRPCgetRequestConnectData($requestid, $remoteIP)
{
function XMLRPCextendRequest($requestid, $extendtime) {
global $user;
$requestid = processInputData($requestid, ARG_NUMERIC);
- $extendtime = processInputData($extendtime, ARG_NUMERIC);
+ $extendtime = processInputData($extendtime, ARG_NUMERIC, 0, 0);
$userRequests = getUserRequests('all', $user['id']);
$found = 0;
@@ -1130,7 +1122,7 @@ function XMLRPCsetRequestEnding($requestid, $end) {
'errormsg' => "access denied to specify end time");
}
- $end = processInputData($end, ARG_NUMERIC);
+ $end = processInputData($end, ARG_NUMERIC, 0, 0);
$maxend = datetimeToUnix("2038-01-01 00:00:00");
if($end < 0 || $end > $maxend) {
@@ -1185,7 +1177,7 @@ function XMLRPCsetRequestEnding($requestid, $end) {
if($timeToNext > -1) {
$lockedall = 1;
if(count($request['reservations']) > 1) {
- # get semaphore on each existing node in cluster so
that nothing
+ # get semaphore on each existing node in cluster so
that nothing
# can get moved to the nodes during this process
$unixend = datetimeToUnix($request['end']);
$checkend = unixToDatetime($unixend + 900);
@@ -1770,8 +1762,6 @@ function XMLRPCnodeExists($nodeName, $parentNode) {
if(in_array("userGrant", $user["privileges"]) ||
in_array("resourceGrant", $user["privileges"]) ||
in_array("nodeAdmin", $user["privileges"])) {
- if(get_magic_quotes_gpc())
- $nodeName = stripslashes($nodeName);
$nodeName = vcl_mysql_escape_string($nodeName);
// does a node with this name already exist?
$query = "SELECT id "
@@ -2620,8 +2610,6 @@ function XMLRPCeditUserGroup($name, $affiliation,
$newName, $newAffiliation,
# are valid
$validate = array('name' => $name,
'affiliation' => $affiliation);
- if(get_magic_quotes_gpc())
- $newOwner = stripslashes($newOwner);
if(! empty($newOwner))
$validate['owner'] = $newOwner;
if(! empty($newManagingGroup))
@@ -2672,8 +2660,6 @@ function XMLRPCeditUserGroup($name, $affiliation,
$newName, $newAffiliation,
$validate = array('name' => $name,
'affiliation' => $affiliation);
if(! empty($newName)) {
- if(get_magic_quotes_gpc())
- $newName = stripslashes($newName);
$validate['name'] = $newName;
$tmp = vcl_mysql_escape_string($newName);
$updates[] = "name = '$tmp'";
@@ -2940,8 +2926,6 @@ function XMLRPCaddUsersToGroup($name, $affiliation,
$users) {
foreach($users as $_user) {
if(empty($_user))
continue;
- if(get_magic_quotes_gpc())
- $_user = stripslashes($_user);
$esc_user = vcl_mysql_escape_string($_user);
if(validateUserid($_user) == 1)
addUserGroupMember($esc_user, $rc['id']);
@@ -3022,8 +3006,6 @@ function XMLRPCremoveUsersFromGroup($name, $affiliation,
$users) {
foreach($users as $_user) {
if(empty($_user))
continue;
- if(get_magic_quotes_gpc())
- $_user = stripslashes($_user);
$esc_user = vcl_mysql_escape_string($_user);
# check that affiliation of user can be determined because
getUserlistID
# will abort if it cannot find it
@@ -3128,8 +3110,6 @@ function XMLRPCaddResourceGroup($name, $managingGroup,
$type) {
'errorcode' => 76,
'errormsg' => 'resource group already
exists');
}
- if(get_magic_quotes_gpc())
- $name = stripslashes($name);
if(! preg_match('/^[-a-zA-Z0-9_\. ]{3,30}$/', $name)) {
return array('status' => 'error',
'errorcode' => 87,
@@ -3935,7 +3915,7 @@ function XMLRPCcheckCryptSecrets($reservationid) {
////////////////////////////////////////////////////////////////////////////////
function XMLRPCgetOneClickParams($oneclickid) {
global $user;
- $oneclickid = processInputData($oneclickid, ARG_NUMERIC);
+ $oneclickid = processInputData($oneclickid, ARG_NUMERIC, 0, 0);
$query = "SELECT o.id, "
. "o.userid, "
. "o.imageid, "
@@ -4073,8 +4053,8 @@ function XMLRPCaddOneClick($name, $imageid, $duration,
$autologin) {
global $user;
$userid = $user['id'];
$imageid = processInputData($imageid, ARG_NUMERIC);
- $name = processInputData($name, ARG_STRING);
- $duration = processInputData($duration, ARG_NUMERIC);
+ $name = processInputData($name, ARG_STRING, 0, '');
+ $duration = processInputData($duration, ARG_NUMERIC, 0, 120);
$autologin = processInputData($autologin, ARG_NUMERIC) == 1 ? 1 : 0;
# validate $imageid
@@ -4163,10 +4143,10 @@ function XMLRPCaddOneClick($name, $imageid, $duration,
$autologin) {
////////////////////////////////////////////////////////////////////////////////
function XMLRPCeditOneClick($oneclickid, $name, $imageid, $duration,
$autologin) {
global $user;
- $oneclickid = processInputData($oneclickid, ARG_NUMERIC);
+ $oneclickid = processInputData($oneclickid, ARG_NUMERIC, 0, 0);
$imageid = processInputData($imageid, ARG_NUMERIC);
- $name = processInputData($name, ARG_STRING);
- $duration = processInputData($duration, ARG_NUMERIC);
+ $name = processInputData($name, ARG_STRING, 0, '');
+ $duration = processInputData($duration, ARG_NUMERIC, 0, 120);
$autologin = processInputData($autologin, ARG_NUMERIC) == 1 ? 1 : 0;
# validate $imageid
@@ -4254,7 +4234,7 @@ function XMLRPCeditOneClick($oneclickid, $name, $imageid,
$duration, $autologin)
////////////////////////////////////////////////////////////////////////////////
function XMLRPCdeleteOneClick($oneclickid) {
global $user;
- $oneclickid = processInputData($oneclickid, ARG_NUMERIC);
+ $oneclickid = processInputData($oneclickid, ARG_NUMERIC, 0, 0);
$query = "SELECT id "
. "FROM oneclick "
