Author: jfthomps
Date: Wed Jun 17 15:59:23 2009
New Revision: 785694

URL: http://svn.apache.org/viewvc?rev=785694&view=rev
Log:
VCL-151

modified code to ensure apostrophes in names are appropriately escaped; also 
added some checks for anything that gets inserted/updated in the user table

itecsauth.php:
-modified addITECSUser and updateITECSUser to call mysql_escape_string to 
escape data before it gets inserted into the user table

ldapauth.php:
-modified updateLDAPUser - added check that numericid is actually numeric 
before using it for anything
-modified getLDAPUserData to use mysql_escape_string instead of ereg_replace to 
replace apostrophes; also added check for numericid being numeric

shibauth.php:
-modified updateShibUser and addShibUser to escape things with 
mysql_escape_string before inserting or updating things in the user table

userpreferences.php:
-modified submitUserPrefs to check for $width and $height being numeric before 
calling updateUserPrefs

utils.php:
-modified updateUserPrefs to call mysql_escape_string on $preferredname and 
$audio before updating the user table

Modified:
    incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
    incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
    incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
    incubator/vcl/trunk/web/.ht-inc/userpreferences.php
    incubator/vcl/trunk/web/.ht-inc/utils.php

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php Wed Jun 17 
15:59:23 2009
@@ -36,6 +36,7 @@
        global $mysql_link_vcl, $ENABLE_ITECSAUTH;
        if(! $ENABLE_ITECSAUTH)
                return NULL;
+       $esc_loginid = mysql_escape_string($loginid);
        $query = "SELECT id AS uid, "
               .        "first, " 
               .        "last, "
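Review bot: `$esc_loginid = mysql_escape_string($loginid);` escapes without reference to the connection it will be used on, so it cannot account for the connection's character set; `mysql_real_escape_string($loginid, $link)` with the link of the connection the query actually runs on is the intended API (this query goes to `accounts` via `doQuery`, so the right link may not be `$mysql_link_vcl`, which is worth confirming). The same substitution applies to every `mysql_escape_string` line this commit adds in the other hunks of itecsauth.php, in getLDAPUserData in ldapauth.php, in updateShibUser and addShibUser in shibauth.php, and in updateUserPrefs in utils.php, where `$mysql_link_vcl` is already declared global in the hunk. Longer term, moving these statements to parameterised queries removes the need to hand-manage escaping at all. The enclosing function starts before this hunk.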
@@ -44,14 +45,15 @@
               .        "active, "
               .        "lockedout "
               . "FROM user "
-              . "WHERE email = '$loginid'";
+              . "WHERE email = '$esc_loginid'";
        $qh = doQuery($query, 101, "accounts");
        if($row = mysql_fetch_assoc($qh)) {
                // FIXME test replacing ''s
                // FIXME do we care if the account is active?
-               $first = ereg_replace("'", "\'", $row['first']);
-               $last = ereg_replace("'", "\'", $row['last']);
-               $loweruser = strtolower($row['email']);
+               $first = mysql_escape_string($row['first']);
+               $last = mysql_escape_string($row['last']);
+               $loweruser = mysql_escape_string(strtolower($row['email']));
+               $email = mysql_escape_string($row['email']);
                $query = "INSERT INTO user ("
                       .        "uid, "
                       .        "unityid, "
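Review bot: The comment `// FIXME test replacing ''s` now describes code this hunk removes, since the `ereg_replace` quote substitution has been replaced by `mysql_escape_string`; it should be dropped or reworded to something like `// first/last/email are SQL-escaped copies; use only in the INSERT below`. `$loweruser` is now also an escaped value, so if it is used anywhere other than SQL interpolation (the rest of the function is outside this hunk) it would carry backslashes — worth confirming it only feeds the INSERT. The enclosing function starts before this hunk.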
@@ -67,7 +69,7 @@
                       .        "2, "
                       .        "'$first', "
                       .        "'$last', "
-                      .        "'{$row['email']}', "
+                      .        "'$email', "
                       .        "0, "
                       .        "NOW())";
                // FIXME might want this logged
@@ -190,6 +192,10 @@
        // if get a row
        //    update db
        //    update results from select
+       $esc_userid = mysql_escape_string($userid);
+       $first = mysql_escape_string($userData['first']);
+       $last = mysql_escape_string($userData['last']);
+       $email = mysql_escape_string($userData['email']);
        if($user = mysql_fetch_assoc($qh)) {
                $user["unityid"] = $userid;
                $user["firstname"] = $userData['first'];
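Review bot: `$esc_userid`, `$first`, `$last` and `$email` are computed before the `if($user = mysql_fetch_assoc($qh))` test, but only the update path is visible in this and the following hunk; if the else path (outside the hunk) builds an INSERT from `$userData` directly, it needs these same escaped copies rather than the raw values, which is worth confirming. Keeping the raw values in `$user["firstname"] = $userData['first']` while interpolating only the escaped copies into SQL is the right split and should be kept that way. The enclosing function starts before this hunk.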
@@ -197,10 +203,10 @@
                $user["email"] = $userData["email"];
                $user["lastupdated"] = $now;
                $query = "UPDATE user "
-                      . "SET unityid = '$userid', "
-                      .     "firstname = '{$userData['first']}', "
-                      .     "lastname = '{$userData['last']}', "
-                      .     "email = '{$userData['email']}', "
+                      . "SET unityid = '$esc_userid', "
+                      .     "firstname = '$first', "
+                      .     "lastname = '$last', "
+                      .     "email = '$email', "
                       .     "lastupdated = '$now' "
                       . "WHERE uid = " . $userData["uid"];
                doQuery($query, 256, 'vcl', 1);
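Review bot: `. "WHERE uid = " . $userData["uid"];` still interpolates `$userData["uid"]` unquoted with no escaping or numeric check, while every other value in this UPDATE is now escaped and the ldapauth.php hunks in this same commit guard `numericid` with `is_numeric`. Guarding with `is_numeric($userData['uid'])` before the query is built, or casting with `(int)$userData['uid']`, would close that gap; `$now` is interpolated too and its origin lies outside the hunk. The enclosing function starts before this hunk.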

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php Wed Jun 17 
15:59:23 2009
@@ -197,7 +197,8 @@
               . "WHERE u.IMtypeid = i.id AND "
               .       "u.adminlevelid = a.id AND "
               .       "af.id = $affilid AND ";
-       if(array_key_exists('numericid', $userData))
+       if(array_key_exists('numericid', $userData) &&
+          is_numeric($userData['numericid']))
                $query .=   "u.uid = " . $userData["numericid"];
        else {
                $query .=   "u.unityid = '$userid' AND "
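Review bot: `$query .=   "u.unityid = '$userid' AND "` in the else branch interpolates `$userid` unescaped, whereas this commit escapes the equivalent value in itecsauth.php as `$esc_userid`; the same applies to `$query .= "WHERE unityid = '$userid' AND "` in the next hunk. Escaping it once near the top of the function and using that copy in both places keeps the two auth methods consistent. Separately, `is_numeric` accepts signed, decimal, exponent and whitespace-prefixed forms such as `"1e3"` or `" 12"`, so `ctype_digit((string)$userData['numericid'])` is the tighter check for an integer uid in both of these hunks. The enclosing function starts before this hunk.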
@@ -219,7 +220,8 @@
                       .     "lastname = '{$userData['last']}', "
                       .     "email = '{$userData['email']}', "
                       .     "lastupdated = '$now' ";
-               if(array_key_exists('numericid', $userData))
+               if(array_key_exists('numericid', $userData) &&
+                  is_numeric($userData['numericid']))
                        $query .= "WHERE uid = " . $userData["numericid"];
                else
                        $query .= "WHERE unityid = '$userid' AND "
@@ -285,7 +287,11 @@
 /// \param $authtype - an array from the $authMechs table
 /// \param $userid - a userid without the affiliation part
 ///
-/// \return an array of user information
+/// \return an array of user information with the following keys:\n
+/// \b first - first name of user (escaped with mysql_escape_string)\n
+/// \b last - last name of user (escaped with mysql_escape_string)\n
+/// \b email - email address of user (escaped with mysql_escape_string)\n
+/// \b numericid - numeric id of user if $authtype is configured to include it
 ///
 /// \brief gets user information from ldap
 ///
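Review bot: The new `\b numericid` line says the key is present whenever `$authtype` is configured to include it, but the code in the next hunk only sets it when the LDAP value also passes `is_numeric`, so callers must still test for the key; suggest `/// \b numericid - numeric id of user if $authtype is configured to include it and the value returned by ldap is numeric\n`. It is also worth adding a sentence that, because first/last/email come back already escaped, callers must not escape them again and must not use them in non-SQL contexts (display, logging) without reversing the escaping.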
@@ -362,11 +368,11 @@
                        $data[strtolower($auth['email'])] = $userid . 
$auth['defaultemail'];
                }
 
-               $return['first'] = ereg_replace("'", "\'", 
$data[strtolower($auth['firstname'])]);
-               $return['last'] = ereg_replace("'", "\'", 
$data[strtolower($auth['lastname'])]);
-               if($donumericid)
+               $return['first'] = 
mysql_escape_string($data[strtolower($auth['firstname'])]);
+               $return['last'] = 
mysql_escape_string($data[strtolower($auth['lastname'])]);
+               if($donumericid && 
is_numeric($data[strtolower($auth['numericid'])]))
                        $return['numericid'] = 
$data[strtolower($auth['numericid'])];
-               $return['email'] = $data[strtolower($auth['email'])];
+               $return['email'] = 
mysql_escape_string($data[strtolower($auth['email'])]);
                $return['emailnotices'] = 1;
 
                return $return;
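Review bot: Escaping `first`, `last` and `email` inside getLDAPUserData ties the returned data to a single use, SQL interpolation, so any caller that displays, logs or compares these values gets backslash-escaped strings, and any caller that escapes again would double-escape; the ITECS path in this same commit escapes at the point of use instead. The safer shape is to return the raw LDAP values and escape in updateLDAPUser where they are interpolated (the `lastname = '{$userData['last']}'` lines in the earlier hunk), which would also make the new doc comment simpler. `$data[strtolower($auth['numericid'])]` is read without an `isset` check, so when `$donumericid` is set but the attribute is absent this emits an undefined-index notice before `is_numeric` returns false — hedged, since how `$data` is populated is outside the hunk. The enclosing function starts before this hunk.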

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Wed Jun 17 
15:59:23 2009
@@ -64,11 +64,15 @@
 
        # update user's data in db
        $user['id'] = $row['id'];
+       $first = mysql_escape_string($user['firstname']);
+       $last = mysql_escape_string($user['lastname']);
        $query = "UPDATE user "
-              . "SET firstname = '{$user['firstname']}', "
-              .     "lastname = '{$user['lastname']}', ";
-       if(array_key_exists('email', $user))
-               $query .= "email = '{$user['email']}', ";
+              . "SET firstname = '$first', "
+              .     "lastname = '$last', ";
+       if(array_key_exists('email', $user)) {
+               $email = mysql_escape_string($user['email']);
+               $query .= "email = '$email', ";
+       }
        $query .=    "emailnotices = 0, " 
               .     "lastupdated = NOW() " 
               . "WHERE uid = {$user['id']}";
@@ -95,6 +99,9 @@
 
////////////////////////////////////////////////////////////////////////////////
 function addShibUser($user) {
        global $mysql_link_vcl;
+       $unityid = mysql_escape_string($user['unityid']);
+       $first = mysql_escape_string($user['firstname']);
+       $last = mysql_escape_string($user['lastname']);
        $query = "INSERT INTO user "
               .        "(unityid, "
               .        "affiliationid, "
@@ -105,12 +112,14 @@
        $query .=       "emailnotices, "
               .        "lastupdated) "
               . "VALUES ("
-              .        "'{$user['unityid']}', "
+              .        "'$unityid', "
               .        "{$user['affilid']}, "
-              .        "'{$user['firstname']}', "
-              .        "'{$user['lastname']}', ";
-       if(array_key_exists('email', $user))
-               $query .=    "'{$user['email']}', ";
+              .        "'$first', "
+              .        "'$last', ";
+       if(array_key_exists('email', $user)) {
+               $email = mysql_escape_string($user['email']);
+               $query .=    "'$email', ";
+       }
        $query .=       "0, "
               .        "NOW())";
        doQuery($query, 101, 'vcl', 1);
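Review bot: `.        "{$user['affilid']}, "` is interpolated unquoted and unchecked into the VALUES list while the surrounding string fields are now escaped; the other hunks of this commit guard integer ids with `is_numeric`, and the same `is_numeric($user['affilid'])` check (or an `(int)` cast) would be consistent here. Where `$user['affilid']` is set is outside this hunk, so it may already be a looked-up integer — worth confirming at the caller. addShibUser continues past the hunk.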

Modified: incubator/vcl/trunk/web/.ht-inc/userpreferences.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/userpreferences.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/userpreferences.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/userpreferences.php Wed Jun 17 15:59:23 2009
@@ -454,8 +454,13 @@
                $width = 0;
                $height = 0;
        }
-       else
+       else {
                list($width, $height) = explode('x', $data["resolution"]);
+               if(! is_numeric($width) || ! is_numeric($height)) {
+                       $width = 0;
+                       $height = 0;
+               }
+       }
        if(updateUserPrefs($user['id'], $data["preferredname"], $width, 
$height, 
                           $data["bpp"], $data["audiomode"], $data["mapdrives"],
                           $data["mapprinters"], $data["mapserial"])) {
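Review bot: `if(! is_numeric($width) || ! is_numeric($height))` still lets through values such as `"-1024"`, `"12.5"` or `"1e3"`, since `is_numeric` accepts signs, decimals and exponents; `ctype_digit` on both parts followed by `(int)` casts would restrict width and height to non-negative integers before they reach `updateUserPrefs`. When `$data["resolution"]` contains no `x`, `list()` leaves `$height` null with a notice and the new check then zeroes both values, which works but an explicit `count(explode('x', ...)) === 2` test would be quieter. `$data["bpp"]`, `$data["mapdrives"]`, `$data["mapprinters"]` and `$data["mapserial"]` are passed through this call without a visible check; whether they are validated earlier is outside this hunk. The enclosing function starts before this hunk.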

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Jun 17 15:59:23 2009
@@ -3015,6 +3015,8 @@
 function updateUserPrefs($userid, $preferredname, $width, $height,
                          $bpp, $audio, $mapdrives, $mapprinters, $mapserial) {
        global $mysql_link_vcl;
+       $preferredname = mysql_escape_string($preferredname);
+       $audio = mysql_escape_string($audio);
        $query = "UPDATE user SET "
               .        "preferredname = '$preferredname', "
               .        "width = '$width', "
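Review bot: `$width` and `$height` are interpolated at `width = '$width'` with no check inside updateUserPrefs; the commit validates them in userpreferences.php, but this function is where the SQL is built and other callers are not visible, so the guard belongs here as well, e.g. `$width = (int)$width;` and `$height = (int)$height;` next to the new escaping lines. The remainder of the query, including `$bpp`, `$mapdrives`, `$mapprinters` and `$mapserial`, lies outside this hunk and should get the same treatment if those are interpolated directly.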

