Author: jfthomps
Date: Wed Sep 8 13:28:47 2010
New Revision: 995047
URL: http://svn.apache.org/viewvc?rev=995047&view=rev
Log:
VCL-274
check for SQL injection/XSS
VCL-254
block request improvements
states.php: added AJvalidateUserid (missed on last checkin)
utils.php:
-modified validateUserid - escaped $loginid before using in query - in some
cases it is possible for user supplied input to reach this function
-added AJvalidateUserid (missed on last checkin)
-modified getAffiliationID - escaped $affil before using in query - in some
cases it is possible for user supplied input to reach this function
authmethods/itecsauth.php: modified validateITECSUser - escaped $loginid before
using in query - in some cases it is possible for user supplied input to reach
this function
Modified:
incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
incubator/vcl/trunk/web/.ht-inc/states.php
incubator/vcl/trunk/web/.ht-inc/utils.php
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php Wed Sep 8
13:28:47 2010
@@ -100,6 +100,7 @@ function validateITECSUser($loginid) {
global $ENABLE_ITECSAUTH;
if(! $ENABLE_ITECSAUTH)
return 0;
+ $loginid = mysql_real_escape_string($loginid);
$query = "SELECT email "
. "FROM user "
. "WHERE email = '$loginid' AND "
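Review bot: The added `$loginid = mysql_real_escape_string($loginid);` closes the injection into the quoted `email = '$loginid'` predicate, but it ties correctness to the ext/mysql link state: the legacy API returns false when no connection is open, and false interpolates as an empty string, so the query would silently degrade to `email = ''` rather than fail loudly. A shape check on the login id before it reaches SQL (rejecting empty or over-long values and characters an email address cannot contain, then `return 0;`) makes the function fail closed regardless of connection state, with the escape kept as defence in depth. The same pattern and caveat apply to the validateUserid and getAffiliationID hunks in utils.php. validateITECSUser's body continues past the end of this hunk.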
Modified: incubator/vcl/trunk/web/.ht-inc/states.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/states.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/states.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/states.php Wed Sep 8 13:28:47 2010
@@ -141,6 +141,7 @@ $noHTMLwrappers = array('sendRDPfile',
'AJdeleteSiteMaintenance',
'AJgetScheduleTimesData',
'AJsaveScheduleTimes',
+ 'AJvalidateUserid',
);
# main
@@ -642,10 +643,12 @@ $actions['pages']['xmlrpcaffiliations']
$actions['mode']['continuationsError'] = "continuationsError";
$actions['mode']['clearCache'] = "clearPrivCache";
$actions['mode']['errorrpt'] = "errorrpt";
+$actions['mode']['AJvalidateUserid'] = "AJvalidateUserid";
$actions['pages']['continuationsError'] = "misc";
$actions['pages']['clearCache'] = "misc";
$actions['pages']['errorrpt'] = "misc";
$actions['pages']['logout'] = "misc";
$actions['pages']['shiblogout'] = "misc";
+$actions['pages']['AJvalidateUserid'] = "misc";
?>
Modified: incubator/vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/utils.php?rev=995047&r1=995046&r2=995047&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/utils.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/utils.php Wed Sep 8 13:28:47 2010
@@ -917,9 +917,10 @@ function validateUserid($loginid) {
if(empty($affilid))
return 0;
+ $escloginid = mysql_real_escape_string($loginid);
$query = "SELECT id "
. "FROM user "
- . "WHERE unityid = '$loginid' AND "
+ . "WHERE unityid = '$escloginid' AND "
. "affiliationid = $affilid";
$qh = doQuery($query, 101);
if(mysql_num_rows($qh))
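Review bot: Only the string half of the WHERE clause is escaped now; `. "affiliationid = $affilid"` on the line after the change still interpolates `$affilid` unquoted, so the new `$escloginid` gives no protection if that value is ever anything other than a database-issued integer. `$affilid` is assigned before the hunk starts, so its origin is not visible here; if it comes from getAffiliationID it is presumably numeric already, but casting at the point of use makes that explicit: `. "affiliationid = " . intval($affilid);`. The existing `empty($affilid)` guard above still returns 0 for a missing id, so the cast changes nothing for valid callers. validateUserid begins before and ends after this hunk.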
@@ -941,6 +942,21 @@ function validateUserid($loginid) {
////////////////////////////////////////////////////////////////////////////////
///
+/// \fn AJvalidateUserid()
+///
+/// \brief checks to see if submitted userid is valid
+///
+////////////////////////////////////////////////////////////////////////////////
+function AJvalidateUserid() {
+ $user = processInputVar('user', ARG_STRING);
+ if(validateUserid($user))
+ sendJSON(array('status' => 'valid'));
+ else
+ sendJSON(array('status' => 'invalid'));
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
/// \fn getAffilidAndLogin(&$login, &$affilid)
///
/// \param $login - login for user, may include \...@affiliation
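Review bot: AJvalidateUserid answers `valid`/`invalid` for whatever `user` value is submitted, which makes the endpoint an account-existence oracle; nothing in the hunk gates it on the caller being authenticated or holding the privilege of the page that uses it, and whether the dispatcher enforces that for `misc` modes is not visible here, so it is worth confirming and, if not, performing the same privilege check as the calling page before `validateUserid($user)` runs. The `ARG_STRING` value is also passed through with no length bound; a cheap upper bound before the lookup keeps oversized input out of the query path. The Doxygen block should state what the function emits, e.g. replace the `\brief` line with `/// \brief checks to see if submitted userid is valid; sends JSON with 'status' set to 'valid' or 'invalid'`.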
@@ -2667,6 +2683,7 @@ function getUserUnityID($userid) {
///
////////////////////////////////////////////////////////////////////////////////
function getAffiliationID($affil) {
+ $affil = mysql_real_escape_string($affil);
$query = "SELECT id FROM affiliation WHERE name = '$affil'";
$qh = doQuery($query, 101);
if(mysql_num_rows($qh)) {
@@ -8841,13 +8858,10 @@ function getDojoHTML($refresh) {
break;
case 'editSchedule':
case 'submitAddSchedule':
- // TODO remove any unneeded items
$dojoRequires = array('dojo.parser',
'dijit.form.TimeTextBox',
'dojox.grid.DataGrid',
'dojox.string.sprintf',
- #'dijit.form.FilteringSelect',
- #'dijit.Tooltip',
'dijit.form.Button',
'dojo.data.ItemFileWriteStore');
case 'viewImages':