Author: jfthomps Date: Wed Sep 8 13:28:47 2010 New Revision: 995047 URL: http://svn.apache.org/viewvc?rev=995047&view=rev Log: VCL-274 check for SQL injection/XSS
VCL-254 block request improvements states.php: added AJvalidateUserid (missed on last checkin) utils.php: -modified validateUserid - escaped $loginid before using in query - in some cases it is possible for user supplied input to reach this function -added AJvalidateUserid (missed on last checkin) -modified getAffiliationID - escaped $affil before using in query - in some cases it is possible for user supplied input to reach this function authmethods/itecsauth.php: modified validateITECSUser - escaped $loginid before using in query - in some cases it is possible for user supplied input to reach this function
Modified:
incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
incubator/vcl/trunk/web/.ht-inc/states.php
incubator/vcl/trunk/web/.ht-inc/utils.php

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php Wed Sep 8 13:28:47 2010
@@ -100,6 +100,7 @@ function validateITECSUser($loginid) {
 global $ENABLE_ITECSAUTH;
 if(! $ENABLE_ITECSAUTH)
 return 0;
+ $loginid = mysql_real_escape_string($loginid);
 $query = "SELECT email "
 . "FROM user "
 . "WHERE email = '$loginid' AND "

Modified: incubator/vcl/trunk/web/.ht-inc/states.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/states.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/states.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/states.php Wed Sep 8 13:28:47 2010
@@ -141,6 +141,7 @@ $noHTMLwrappers = array('sendRDPfile',
 'AJdeleteSiteMaintenance',
 'AJgetScheduleTimesData',
 'AJsaveScheduleTimes',
+ 'AJvalidateUserid',
 );
 # main
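Review bot: The added escaping reassigns the `$loginid` parameter itself, so any use of `$loginid` after the query in validateITECSUser (the body continues outside the hunk) now sees the backslash-escaped form rather than the submitted value; the utils.php hunk at @@ -917 keeps the original and queries on `$escloginid` instead, while `getAffiliationID` at @@ -2667 overwrites `$affil` the same way. Using a separate variable at both sites, `$escloginid = mysql_real_escape_string($loginid);` with `. "WHERE email = '$escloginid' AND "`, keeps the three call sites consistent and avoids escaped text leaking into non-SQL uses. Note also that mysql_real_escape_string() without a link argument returns false when no connection is open, which interpolates as an empty string and silently turns the lookup into `email = ''` instead of failing; whether a connection is guaranteed before this point cannot be seen from the hunk. Longer term these lookups belong in prepared statements (mysqli/PDO) rather than string escaping, since the ext/mysql API relied on here was later deprecated and removed.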
@@ -642,10 +643,12 @@ $actions['pages']['xmlrpcaffiliations']
 $actions['mode']['continuationsError'] = "continuationsError";
 $actions['mode']['clearCache'] = "clearPrivCache";
 $actions['mode']['errorrpt'] = "errorrpt";
+$actions['mode']['AJvalidateUserid'] = "AJvalidateUserid";
 $actions['pages']['continuationsError'] = "misc";
 $actions['pages']['clearCache'] = "misc";
 $actions['pages']['errorrpt'] = "misc";
 $actions['pages']['logout'] = "misc";
 $actions['pages']['shiblogout'] = "misc";
+$actions['pages']['AJvalidateUserid'] = "misc";
 ?>

Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep 8 13:28:47 2010
@@ -917,9 +917,10 @@ function validateUserid($loginid) {
 if(empty($affilid))
 return 0;
+ $escloginid = mysql_real_escape_string($loginid);
 $query = "SELECT id "
 . "FROM user "
- . "WHERE unityid = '$loginid' AND "
+ . "WHERE unityid = '$escloginid' AND "
 . "affiliationid = $affilid";
 $qh = doQuery($query, 101);
 if(mysql_num_rows($qh))
@@ -941,6 +942,21 @@ function validateUserid($loginid) {
 ////////////////////////////////////////////////////////////////////////////////
 ///
+/// \fn AJvalidateUserid()
+///
+/// \brief checks to see if submitted userid is valid
+///
+////////////////////////////////////////////////////////////////////////////////
+function AJvalidateUserid() {
+ $user = processInputVar('user', ARG_STRING);
+ if(validateUserid($user))
+ sendJSON(array('status' => 'valid'));
+ else
+ sendJSON(array('status' => 'invalid'));
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
 /// \fn getAffilidAndLogin(&$login, &$affilid)
 ///
 /// \param $login - login for user, may include \...@affiliation
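Review bot: `$affilid` is still interpolated unquoted and uncast in `. "affiliationid = $affilid";` while only `$loginid` gained escaping in this hunk; the `empty()` guard above suggests it is a numeric id, but where it is assigned is outside the hunk, so a defensive cast is cheap insurance: `. "affiliationid = " . (int)$affilid;`. The split into `$escloginid` is the right shape, since it leaves `$loginid` untouched for any later use, and is the pattern the itecsauth.php and getAffiliationID hunks should follow rather than overwriting the parameter. validateUserid's body continues outside the hunk on both sides.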
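Review bot: AJvalidateUserid answers `valid`/`invalid` for whatever userid is submitted in `user`, which makes the new mode a user-enumeration oracle for anyone who can reach it; the states.php hunks register it under the `misc` page with no visible privilege check, so it is worth confirming that the dispatcher restricts it to users who actually need it (block-request management, per the log message) and that the lookup is logged or rate-limited the way a login attempt would be. The docblock should state that contract, e.g. `/// \brief checks whether the userid submitted as 'user' exists; sends JSON {"status": "valid"|"invalid"}`, and note that access control is the caller's responsibility if that is the intent. `processInputVar('user', ARG_STRING)` is passed straight to validateUserid, which escapes it before the query, so the SQL side is covered by the @@ -917 hunk.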
@@ -2667,6 +2683,7 @@ function getUserUnityID($userid) {
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function getAffiliationID($affil) {
+ $affil = mysql_real_escape_string($affil);
 $query = "SELECT id FROM affiliation WHERE name = '$affil'";
 $qh = doQuery($query, 101);
 if(mysql_num_rows($qh)) {
@@ -8841,13 +8858,10 @@ function getDojoHTML($refresh) {
 break;
 case 'editSchedule':
 case 'submitAddSchedule':
- // TODO remove any unneeded items
 $dojoRequires = array('dojo.parser',
 'dijit.form.TimeTextBox',
 'dojox.grid.DataGrid',
 'dojox.string.sprintf',
- #'dijit.form.FilteringSelect',
- #'dijit.Tooltip',
 'dijit.form.Button',
 'dojo.data.ItemFileWriteStore');
 case 'viewImages':