Author: jfthomps
Date: Wed Jun 17 15:59:23 2009
New Revision: 785694
URL: http://svn.apache.org/viewvc?rev=785694&view=rev
Log:
VCL-151
modified code to ensure apostrophes in names are appropriately escaped; also
added some checks for anything that gets inserted/updated in the user table
itecsauth.php:
-modified addITECSUser and updateITECSUser to call mysql_escape_string to
escape data before it gets inserted into the user table
ldapauth.php:
-modified updateLDAPUser - added check that numericid is actually numeric
before using it for anything
-modified getLDAPUserData to use mysql_escape_string instead of ereg_replace to
replace apostrophes; also added check for numericid being numeric
shibauth.php:
-modified updateShibUser and addShibUser to escape things with
mysql_escape_string before inserting or updating things in the user table
userpreferences.php:
-modified submitUserPrefs to check for $width and $height being numeric before
calling updateUserPrefs
utils.php:
-modified updateUserPrefs to call mysql_escape_string on $preferredname and
$audio before updating the user table
Modified:
incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
incubator/vcl/trunk/web/.ht-inc/userpreferences.php
incubator/vcl/trunk/web/.ht-inc/utils.php
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php Wed Jun 17
15:59:23 2009
@@ -36,6 +36,7 @@
global $mysql_link_vcl, $ENABLE_ITECSAUTH;
if(! $ENABLE_ITECSAUTH)
return NULL;
+ $esc_loginid = mysql_escape_string($loginid);
$query = "SELECT id AS uid, "
. "first, "
. "last, "
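Review bot: `$esc_loginid = mysql_escape_string($loginid);` escapes without reference to the connection's character set; `mysql_real_escape_string($loginid, $mysql_link_vcl)` — the link this function already pulls in via `global` — escapes according to the charset of that connection and is the function the PHP manual recommends in place of mysql_escape_string. The same substitution applies to every new escaping line in this commit: the later hunks of this file and the hunks in ldapauth.php, shibauth.php and utils.php. One caveat: this query runs on the "accounts" database (`doQuery($query, 101, "accounts")`), so the link passed should be the one doQuery uses for that database if it is not `$mysql_link_vcl`. The enclosing function begins before this hunk.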
@@ -44,14 +45,15 @@
. "active, "
. "lockedout "
. "FROM user "
- . "WHERE email = '$loginid'";
+ . "WHERE email = '$esc_loginid'";
$qh = doQuery($query, 101, "accounts");
if($row = mysql_fetch_assoc($qh)) {
// FIXME test replacing ''s
// FIXME do we care if the account is active?
- $first = ereg_replace("'", "\'", $row['first']);
- $last = ereg_replace("'", "\'", $row['last']);
- $loweruser = strtolower($row['email']);
+ $first = mysql_escape_string($row['first']);
+ $last = mysql_escape_string($row['last']);
+ $loweruser = mysql_escape_string(strtolower($row['email']));
+ $email = mysql_escape_string($row['email']);
$query = "INSERT INTO user ("
. "uid, "
. "unityid, "
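Review bot: The `// FIXME test replacing ''s` comment above the rewritten lines refers to the ereg_replace workaround this hunk removes, so it is now stale; delete it or reword it to what is left to verify, e.g. `// first/last/email are escaped with mysql_escape_string before the INSERT`. A short comment that `$loweruser` and `$email` are escaped separately because they feed different columns would also help, as the column list and most of the VALUES list lie outside this hunk and a reader cannot see where each is used.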
@@ -67,7 +69,7 @@
. "2, "
. "'$first', "
. "'$last', "
- . "'{$row['email']}', "
+ . "'$email', "
. "0, "
. "NOW())";
// FIXME might want this logged
@@ -190,6 +192,10 @@
// if get a row
// update db
// update results from select
+ $esc_userid = mysql_escape_string($userid);
+ $first = mysql_escape_string($userData['first']);
+ $last = mysql_escape_string($userData['last']);
+ $email = mysql_escape_string($userData['email']);
if($user = mysql_fetch_assoc($qh)) {
$user["unityid"] = $userid;
$user["firstname"] = $userData['first'];
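Review bot: `$first = mysql_escape_string($userData['first']);` assumes `$userData` holds raw values; if it is produced by a getter that already escapes (which is what getLDAPUserData in ldapauth.php does after this commit), names containing an apostrophe or backslash would be escaped twice and stored with extra backslashes. Confirm where `$userData` comes from — the function's head is outside this hunk — and keep escaping in exactly one layer. A one-line comment pinning the contract, e.g. `// $userData is unescaped; escaping happens here, where the query is built`, would stop the two layers drifting apart.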
@@ -197,10 +203,10 @@
$user["email"] = $userData["email"];
$user["lastupdated"] = $now;
$query = "UPDATE user "
- . "SET unityid = '$userid', "
- . "firstname = '{$userData['first']}', "
- . "lastname = '{$userData['last']}', "
- . "email = '{$userData['email']}', "
+ . "SET unityid = '$esc_userid', "
+ . "firstname = '$first', "
+ . "lastname = '$last', "
+ . "email = '$email', "
. "lastupdated = '$now' "
. "WHERE uid = " . $userData["uid"];
doQuery($query, 256, 'vcl', 1);
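Review bot: `. "WHERE uid = " . $userData["uid"];` still interpolates the id bare and unchecked while the rest of the statement is now escaped, and the equivalent `numericid` in ldapauth.php gains an is_numeric guard in this same commit. `uid` appears to originate from the `id AS uid` SELECT in the first hunk of this file, so it is presumably database-sourced, but making that explicit costs one line: `. "WHERE uid = " . (int)$userData["uid"];`.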
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php Wed Jun 17
15:59:23 2009
@@ -197,7 +197,8 @@
. "WHERE u.IMtypeid = i.id AND "
. "u.adminlevelid = a.id AND "
. "af.id = $affilid AND ";
- if(array_key_exists('numericid', $userData))
+ if(array_key_exists('numericid', $userData) &&
+ is_numeric($userData['numericid']))
$query .= "u.uid = " . $userData["numericid"];
else {
$query .= "u.unityid = '$userid' AND "
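Review bot: `$query .= "u.unityid = '$userid' AND "` in the else branch still interpolates `$userid` unescaped, although this commit escapes the same value in updateITECSUser (`$esc_userid`); unless `$userid` is validated before it reaches updateLDAPUser (whose start is outside the hunk), add `$esc_userid = mysql_escape_string($userid);` and use it here and in the next hunk of this file (`WHERE unityid = '$userid'`). Separately, `is_numeric` accepts floats, exponents, leading whitespace and, on PHP releases before 7.0, hex strings such as `0x1A`; since `uid` is an integer key, `ctype_digit((string)$userData['numericid'])` or an `(int)` cast at the point of use is the tighter check, again for both hunks.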
@@ -219,7 +220,8 @@
. "lastname = '{$userData['last']}', "
. "email = '{$userData['email']}', "
. "lastupdated = '$now' ";
- if(array_key_exists('numericid', $userData))
+ if(array_key_exists('numericid', $userData) &&
+ is_numeric($userData['numericid']))
$query .= "WHERE uid = " . $userData["numericid"];
else
$query .= "WHERE unityid = '$userid' AND "
@@ -285,7 +287,11 @@
/// \param $authtype - an array from the $authMechs table
/// \param $userid - a userid without the affiliation part
///
-/// \return an array of user information
+/// \return an array of user information with the following keys:\n
+/// \b first - first name of user (escaped with mysql_escape_string)\n
+/// \b last - last name of user (escaped with mysql_escape_string)\n
+/// \b email - email address of user (escaped with mysql_escape_string)\n
+/// \b numericid - numeric id of user if $authtype is configured to include it
///
/// \brief gets user information from ldap
///
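Review bot: The new `\return` list omits `emailnotices`, which the function also sets (`$return['emailnotices'] = 1;` in the last hunk of this file), and the `numericid` entry does not mention that the code now requires the LDAP value to pass is_numeric before the key is set. Suggested lines: `/// \b numericid - numeric id of user if $authtype is configured to include it and the LDAP value is numeric\n` and `/// \b emailnotices - always 1\n`.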
@@ -362,11 +368,11 @@
$data[strtolower($auth['email'])] = $userid .
$auth['defaultemail'];
}
- $return['first'] = ereg_replace("'", "\'",
$data[strtolower($auth['firstname'])]);
- $return['last'] = ereg_replace("'", "\'",
$data[strtolower($auth['lastname'])]);
- if($donumericid)
+ $return['first'] =
mysql_escape_string($data[strtolower($auth['firstname'])]);
+ $return['last'] =
mysql_escape_string($data[strtolower($auth['lastname'])]);
+ if($donumericid &&
is_numeric($data[strtolower($auth['numericid'])]))
$return['numericid'] =
$data[strtolower($auth['numericid'])];
- $return['email'] = $data[strtolower($auth['email'])];
+ $return['email'] =
mysql_escape_string($data[strtolower($auth['email'])]);
$return['emailnotices'] = 1;
return $return;
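Review bot: Escaping inside getLDAPUserData ties the returned `first`, `last` and `email` values to a single use — SQL string literals — so any consumer that displays them, compares them, or escapes them again before its own INSERT will see stray backslashes for names containing an apostrophe; which consumers exist is not visible here. The division used by the other files in this commit, raw values from the getter and escaping where the query is built, is the safer one. If the contract is kept, the doc block already states it; a note at the assignments, e.g. `// values below are SQL-escaped; do not escape again before inserting`, would make it visible to the next reader of this code. The function starts outside this hunk.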
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Wed Jun 17
15:59:23 2009
@@ -64,11 +64,15 @@
# update user's data in db
$user['id'] = $row['id'];
+ $first = mysql_escape_string($user['firstname']);
+ $last = mysql_escape_string($user['lastname']);
$query = "UPDATE user "
- . "SET firstname = '{$user['firstname']}', "
- . "lastname = '{$user['lastname']}', ";
- if(array_key_exists('email', $user))
- $query .= "email = '{$user['email']}', ";
+ . "SET firstname = '$first', "
+ . "lastname = '$last', ";
+ if(array_key_exists('email', $user)) {
+ $email = mysql_escape_string($user['email']);
+ $query .= "email = '$email', ";
+ }
$query .= "emailnotices = 0, "
. "lastupdated = NOW() "
. "WHERE uid = {$user['id']}";
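Review bot: `. "WHERE uid = {$user['id']}";` interpolates the id bare; `$user['id']` is assigned from `$row['id']` at the top of the hunk, so it is database-sourced, but an explicit cast, `. "WHERE uid = " . (int)$user['id'];`, records that assumption and matches the numeric checks this commit adds in ldapauth.php. updateShibUser's head lies outside the hunk.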
@@ -95,6 +99,9 @@
////////////////////////////////////////////////////////////////////////////////
function addShibUser($user) {
global $mysql_link_vcl;
+ $unityid = mysql_escape_string($user['unityid']);
+ $first = mysql_escape_string($user['firstname']);
+ $last = mysql_escape_string($user['lastname']);
$query = "INSERT INTO user "
. "(unityid, "
. "affiliationid, "
@@ -105,12 +112,14 @@
$query .= "emailnotices, "
. "lastupdated) "
. "VALUES ("
- . "'{$user['unityid']}', "
+ . "'$unityid', "
. "{$user['affilid']}, "
- . "'{$user['firstname']}', "
- . "'{$user['lastname']}', ";
- if(array_key_exists('email', $user))
- $query .= "'{$user['email']}', ";
+ . "'$first', "
+ . "'$last', ";
+ if(array_key_exists('email', $user)) {
+ $email = mysql_escape_string($user['email']);
+ $query .= "'$email', ";
+ }
$query .= "0, "
. "NOW())";
doQuery($query, 101, 'vcl', 1);
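Review bot: `. "{$user['affilid']}, "` is interpolated into the VALUES list bare and without the numeric check the commit adds elsewhere; where `affilid` comes from is not visible (the caller builds `$user`), so either validate it here, `. (int)$user['affilid'] . ", "`, or document at the top of addShibUser that `affilid` must already be an integer affiliation id. As written, the new escaping protects the string columns while leaving this integer column dependent on the caller.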
Modified: incubator/vcl/trunk/web/.ht-inc/userpreferences.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/userpreferences.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/userpreferences.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/userpreferences.php Wed Jun 17 15:59:23 2009
@@ -454,8 +454,13 @@
$width = 0;
$height = 0;
}
- else
+ else {
list($width, $height) = explode('x', $data["resolution"]);
+ if(! is_numeric($width) || ! is_numeric($height)) {
+ $width = 0;
+ $height = 0;
+ }
+ }
if(updateUserPrefs($user['id'], $data["preferredname"], $width,
$height,
$data["bpp"], $data["audiomode"], $data["mapdrives"],
$data["mapprinters"], $data["mapserial"])) {
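Review bot: `if(! is_numeric($width) || ! is_numeric($height))` lets through `'1.5'`, `' 800'`, `'1e3'` and, on PHP before 7.0, hex strings, so the guard accepts resolutions that are not integer pixel sizes; `ctype_digit($width) && ctype_digit($height)` — both are strings from `explode` — is the check that matches the column semantics. When `$data["resolution"]` contains no `x`, `list()` assigns only `$width` and leaves `$height` null with a notice, which the new check then catches; setting `$height = null;` before the `list()` or checking the element count avoids the notice. submitUserPrefs continues outside the hunk on both sides.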
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=785694&r1=785693&r2=785694&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Jun 17 15:59:23 2009
@@ -3015,6 +3015,8 @@
function updateUserPrefs($userid, $preferredname, $width, $height,
$bpp, $audio, $mapdrives, $mapprinters, $mapserial) {
global $mysql_link_vcl;
+ $preferredname = mysql_escape_string($preferredname);
+ $audio = mysql_escape_string($audio);
$query = "UPDATE user SET "
. "preferredname = '$preferredname', "
. "width = '$width', "
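Review bot: updateUserPrefs now normalises `$preferredname` and `$audio` itself but still relies on its caller for `$width` and `$height` (interpolated as `width = '$width'`), so the is_numeric check added in submitUserPrefs is the only thing between a non-numeric value and the statement; since the function already sanitises on the two new lines, add `$width = (int)$width; $height = (int)$height;` beside them so the guarantee holds for every caller. The remaining parameters (`$bpp`, `$mapdrives`, `$mapprinters`, `$mapserial`, `$userid`) are used past the end of the hunk and are not visible here. A short comment above the function stating which arguments are escaped or cast inside it would make the contract explicit.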