diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php index 1e6022198..bd55d0595 100755 --- a/gulliver/system/class.dbMaintenance.php +++ b/gulliver/system/class.dbMaintenance.php @@ -451,9 +451,8 @@ class DataBaseMaintenance } $sQuery = "LOCK TABLES " . implode( " READ, ", $aTables ) . " READ; "; - $sQuery = $filter->preventSqlInjection($sQuery); - if (@mysql_query( $sQuery )) { + if (@mysql_query( $filter->preventSqlInjection($sQuery) )) { echo " [OK]\n"; return true; } else { @@ -664,7 +663,7 @@ class DataBaseMaintenance $filter = new InputFilter(); $tablename = $filter->validateInput($tablename, 'nosql'); $tableSchema = ""; - $sql = "show create table `%s`; "; + $sql = 'show create table `%s`; '; $sql = $filter->preventSqlInjection($sql, array($tablename)); $result = @mysql_query( $sql ); if ($result) { @@ -713,4 +712,3 @@ $o2->connect(); $o2->restoreFromSql('/home/erik/backs/schema_os.sql'); $o2->restoreAllData('sql'); */ - diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index 3c3277435..73811e1ba 100644 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php @@ -310,8 +310,12 @@ class G while (! @is_dir( dirname( end( $folder_path ) ) ) && dirname( end( $folder_path ) ) != '/' && dirname( end( $folder_path ) ) != '.' && dirname( end( $folder_path ) ) != '') { array_push( $folder_path, dirname( end( $folder_path ) ) ); //var_dump($folder_path); die; } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); while ($parent_folder_path = array_pop( $folder_path )) { + $parent_folder_path = $filter->validateInput($parent_folder_path,"path"); if (! @is_dir( $parent_folder_path )) { if (! @mkdir( $parent_folder_path, $rights)) { error_log( "Can't create folder \"$parent_folder_path\""); 
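Review bot: `preventSqlInjection` is still handed the fully assembled `LOCK TABLES` statement with the table names already interpolated, so moving the call inline changes nothing about what it can check — the filter cannot separate the names from the SQL around them. `LOCK TABLES` cannot take bound parameters, so each element of `$aTables` should be validated before the `implode`, the way the @@ -664 hunk in this same file treats a single name: `$aTables = array_map(function ($t) use ($filter) { return $filter->validateInput($t, 'nosql'); }, $aTables);` placed just above the `$sQuery = "LOCK TABLES " ...` line. Where `$aTables` is populated is outside the hunk; if it comes from the catalog rather than from a request the exposure is lower, but the check is cheap either way. The enclosing method starts and ends outside the hunk.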
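Review bot: In the class.g.php @@ -310 hunk, `validateInput($parent_folder_path,"path")` is applied to each parent directory only after the `while` loop above has already derived those parents from the unfiltered path, so if the filter rewrites a component the directory passed to `mkdir` is neither the one the loop tested with `is_dir` nor the one the caller asked for. Validating the incoming path once, before the parent-derivation loop, keeps derivation and creation working on the same value. Whether `InputFilter::validateInput` can actually modify a path (rather than only reject it) is not visible here; if it can, the current ordering can silently create a different tree than the caller later uses. The enclosing method starts and ends outside the hunk.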
@@ -2718,6 +2722,12 @@ class G $image = $inputFn( $path ); imagecopyresampled( $image_p, $image, 0, 0, 0, 0, $resWidth, $resHeight, $width, $height ); $outputFn( $image_p, $saveTo ); + + if(!is_null($saveTo)) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $saveTo = $filter->validateInput($saveTo, "path"); + } @chmod( $saveTo, 0666 ); } @@ -3137,7 +3147,7 @@ class G /*G::LoadSystem('inputfilter'); $filter = new InputFilter(); $c = $filter->xssFilterHard($c);*/ - print ("") ; + print ('') ; } /** diff --git a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php index e1f40e701..bd4c21d17 100644 --- a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php +++ b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php @@ -96,7 +96,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac G::LoadSystem('inputfilter'); $filter = new InputFilter(); - $file = $filter->validateInput($file,"path"); + $file = $filter->validateInput($file,'path'); return unlink($file); } @@ -209,7 +209,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac G::LoadSystem('inputfilter'); $filter = new InputFilter(); - $file = $filter->validateInput($file,"path"); + $file = $filter->validateInput($file,'path'); if(is_file($file)) { $result = file_put_contents($file, $data); diff --git a/gulliver/thirdparty/creole/drivers/pgsql/metadata/PgSQLTableInfo.php b/gulliver/thirdparty/creole/drivers/pgsql/metadata/PgSQLTableInfo.php index 4e9febde8..5226cf6dd 100755 --- a/gulliver/thirdparty/creole/drivers/pgsql/metadata/PgSQLTableInfo.php +++ b/gulliver/thirdparty/creole/drivers/pgsql/metadata/PgSQLTableInfo.php 
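Review bot: The new validation of `$saveTo` runs after `$outputFn( $image_p, $saveTo );` has already written the image, so the file is written to the unvalidated path and only the trailing `@chmod` sees the filtered value; if the filter changes the string, the write and the chmod target different files and the chmod quietly fails under `@`. Move the whole `if(!is_null($saveTo)) { ... }` block above the `$outputFn( $image_p, $saveTo );` line so both operations use the same validated path. Constructing `InputFilter` is also a fixed cost that could happen once at the top of the method instead of per save, but the ordering is the real point. The enclosing method starts outside the hunk.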
@@ -102,8 +102,7 @@ class PgSQLTableInfo extends TableInfo { WHERE att.attrelid = %d AND att.attnum > 0 AND att.attisdropped IS FALSE ORDER BY att.attnum"; - $query = $filter->preventSqlInjection($query); - $result = pg_query ($this->conn->getResource(), sprintf ($query, $this->oid)); + $result = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid)); if (!$result) { throw new SQLException("Could not list fields for table: " . $this->name, pg_last_error($this->conn->getResource())); @@ -238,8 +237,7 @@ class PgSQLTableInfo extends TableInfo { d.typtype = 'd' AND d.typname = '%s' ORDER BY d.typname"; - $query = $filter->preventSqlInjection($query); - $result = pg_query ($this->conn->getResource(), sprintf ($query, $strDomain)); + $result = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $strDomain)); if (!$result) { throw new SQLException("Query for domain [" . $strDomain . "] failed.", pg_last_error($this->conn->getResource())); @@ -297,8 +295,7 @@ class PgSQLTableInfo extends TableInfo { AND a2.attnum = ct.conkey[1] AND a1.attnum = ct.confkey[1] ORDER BY conname"; - $query = $filter->preventSqlInjection($query); - $result = pg_query ($this->conn->getResource(), sprintf ($query, $this->oid)); + $result = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid)); if (!$result) { throw new SQLException("Could not list foreign keys for table: " . $this->name, pg_last_error($this->conn->getResource())); } @@ -384,8 +381,7 @@ class PgSQLTableInfo extends TableInfo { JOIN pg_class cls ON cls.oid=indexrelid WHERE indrelid = %d AND NOT indisprimary ORDER BY cls.relname"; - $query = $filter->preventSqlInjection($query); - $result = pg_query ($this->conn->getResource(), sprintf ($query, $this->oid)); + $result = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid)); if (!$result) { 
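Review bot: `preventSqlInjection` is applied to the `%s`/`%d` template before `sprintf` substitutes the values, so the substituted values are never seen by the filter; this matters most in the @@ -238 hunk, where `$strDomain` lands inside `'%s'` untouched, whereas in the `%d` cases it is the integer conversion, not the filter, that protects the query. The same ordering is repeated in @@ -297, @@ -384, @@ -417, @@ -461 and @@ -491 of this file, and in SQLiteTableInfo.php @@ -124, where `$name` is interpolated into `PRAGMA index_info('$name')` before the filter runs, so it reaches the filter already mixed with SQL. This codebase already uses a two-argument form, `$filter->preventSqlInjection($sql, array($value))`, in class.dbMaintenance.php, which presumably substitutes the values itself; for the domain query that would be `$result = pg_query ($this->conn->getResource(), $filter->preventSqlInjection($query, array($strDomain)));`, or `pg_escape_string()` on `$strDomain` before the `sprintf`. Where `$this->oid` and `$intColNum` are validated is outside these hunks.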
@@ -417,8 +413,7 @@ class PgSQLTableInfo extends TableInfo { FROM pg_catalog.pg_class c JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid WHERE c.oid = '%s' AND a.attnum = %d AND NOT a.attisdropped ORDER BY a.attnum"; - $query = $filter->preventSqlInjection($query); - $result2 = pg_query ($this->conn->getResource(), sprintf ($query, $this->oid, $intColNum)); + $result2 = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid, $intColNum)); if (!$result2) { throw new SQLException("Could not list indexes keys for table: " . $this->name, pg_last_error($this->conn->getResource())); @@ -461,8 +456,7 @@ class PgSQLTableInfo extends TableInfo { JOIN pg_class cls ON cls.oid=indexrelid WHERE indrelid = %s AND indisprimary ORDER BY cls.relname"; - $query = $filter->preventSqlInjection($query); - $result = pg_query($this->conn->getResource(), sprintf ($query, $this->oid)); + $result = pg_query($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid)); if (!$result) { throw new SQLException("Could not list primary keys for table: " . $this->name, pg_last_error($this->conn->getResource())); } @@ -491,8 +485,7 @@ class PgSQLTableInfo extends TableInfo { FROM pg_catalog.pg_class c JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid WHERE c.oid = '%s' AND a.attnum = %d AND NOT a.attisdropped ORDER BY a.attnum"; - $query = $filter->preventSqlInjection($query); - $result2 = pg_query ($this->conn->getResource(), sprintf ($query, $this->oid, $intColNum)); + $result2 = pg_query ($this->conn->getResource(), sprintf ($filter->preventSqlInjection($query), $this->oid, $intColNum)); if (!$result2) { throw new SQLException("Could not list indexes keys for table: " . $this->name, pg_last_error($this->conn->getResource())); diff --git a/gulliver/thirdparty/creole/drivers/sqlite/metadata/SQLiteTableInfo.php b/gulliver/thirdparty/creole/drivers/sqlite/metadata/SQLiteTableInfo.php index 98e9c32ff..ce38831d0 100755 
--- a/gulliver/thirdparty/creole/drivers/sqlite/metadata/SQLiteTableInfo.php +++ b/gulliver/thirdparty/creole/drivers/sqlite/metadata/SQLiteTableInfo.php @@ -124,8 +124,7 @@ class SQLiteTableInfo extends TableInfo { // get columns for that index $query = "PRAGMA index_info('$name')"; - $query = $filter->preventSqlInjection($query); - $res2 = sqlite_query($this->conn->getResource(), $query); + $res2 = sqlite_query($this->conn->getResource(), $filter->preventSqlInjection($query)); while($row2 = sqlite_fetch_array($res2, SQLITE_ASSOC)) { $colname = $row2['name']; $this->indexes[$name]->addColumn($this->columns[ $colname ]); diff --git a/gulliver/thirdparty/pear/PEAR/Command/Package.php b/gulliver/thirdparty/pear/PEAR/Command/Package.php index 2db434e3f..9dec74734 100755 --- a/gulliver/thirdparty/pear/PEAR/Command/Package.php +++ b/gulliver/thirdparty/pear/PEAR/Command/Package.php @@ -465,7 +465,7 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm } } $plist = implode(" ", $params); - $cmd = "$php -C -d include_path=$cwd$ps$ip -f $run_tests -- $plist"; + $cmd = $php.' -C -d include_path='.$cwd.$ps.$ip.' -f '.$run_tests.' -- '.$plist; if (!class_exists('G')) { $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); diff --git a/workflow/engine/classes/model/ListCanceled.php b/workflow/engine/classes/model/ListCanceled.php index f5d740bc4..c40589387 100644 --- a/workflow/engine/classes/model/ListCanceled.php +++ b/workflow/engine/classes/model/ListCanceled.php @@ -261,7 +261,7 @@ class ListCanceled extends BaseListCanceled { return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $resp = array(); $criteria = new Criteria(); 
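Review bot: In the PEAR/Command/Package.php @@ -465 hunk, switching `$cmd` from interpolation to concatenation leaves the command assembled from `$cwd`, `$ip`, `$run_tests` and `$plist` with no shell quoting, so a path containing spaces or shell metacharacters still breaks or alters the command exactly as before. Each piece should go through `escapeshellarg()`, e.g. `$cmd = escapeshellarg($php) . ' -C -d include_path=' . escapeshellarg($cwd . $ps . $ip) . ' -f ' . escapeshellarg($run_tests) . ' -- ' . $plist;` with `$plist` built as `implode(' ', array_map('escapeshellarg', $params))`. This is a vendored PEAR file, so the change is worth recording as a local patch so it survives an upgrade. The enclosing method starts and ends outside the hunk.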
@@ -308,7 +308,8 @@ class ListCanceled extends BaseListCanceled { $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $data = array(); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListCompleted.php b/workflow/engine/classes/model/ListCompleted.php index 5b5925fa1..876302b28 100644 --- a/workflow/engine/classes/model/ListCompleted.php +++ b/workflow/engine/classes/model/ListCompleted.php @@ -271,7 +271,7 @@ class ListCompleted extends BaseListCompleted return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $resp = array(); $criteria = new Criteria(); @@ -315,7 +315,8 @@ class ListCompleted extends BaseListCompleted $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $data = array(); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListInbox.php b/workflow/engine/classes/model/ListInbox.php index 11d64a087..7cb10180a 100644 --- a/workflow/engine/classes/model/ListInbox.php +++ b/workflow/engine/classes/model/ListInbox.php @@ -13,7 +13,7 @@ require_once 'classes/model/om/BaseListInbox.php'; * * @package classes.model */ - + class ListInbox extends BaseListInbox { /** @@ -131,7 +131,7 @@ class ListInbox extends BaseListInbox // update participated history $listParticipatedHistory = new ListParticipatedHistory(); - $listParticipatedHistory->update($data); + $listParticipatedHistory->update($data); return $result; } else { $con->rollback(); 
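Review bot: `$callbackRecord($dataset->getRow())` invokes the new parameter without checking that it is callable, so anything other than `null` or a closure fails with a fatal error at the first row instead of a clear exception, and nothing documents that the callback must return the (possibly modified) row array. A guard at the top of `loadList`, `if ($callbackRecord !== null && !is_callable($callbackRecord)) { throw new InvalidArgumentException('callbackRecord must be callable'); }`, plus a `@param callable|null $callbackRecord` line in the method's docblock, would make the contract explicit; in the lists that go on to index `$aRow['DEL_PRIORITY']`, a non-array return would also fail. The same pattern is added in ListCompleted @@ -315, ListInbox @@ -449, ListMyInbox @@ -264, ListParticipatedHistory @@ -219, ListParticipatedLast @@ -290, ListPaused @@ -332 and ListUnassigned @@ -298, together with their signature hunks. `loadList` starts and ends outside this hunk.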
@@ -395,7 +395,7 @@ class ListInbox extends BaseListInbox return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $criteria = new Criteria(); @@ -429,7 +429,7 @@ class ListInbox extends BaseListInbox if ($filters['action'] == 'draft') { $criteria->add( ListInboxPeer::APP_STATUS, 'DRAFT', Criteria::EQUAL ); - } else { + } else { $criteria->add( ListInboxPeer::APP_STATUS, 'TO_DO', Criteria::EQUAL ); } @@ -449,7 +449,8 @@ class ListInbox extends BaseListInbox $data = array(); $aPriorities = array ('1' => 'VL','2' => 'L','3' => 'N','4' => 'H','5' => 'VH'); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $aRow['DEL_PRIORITY'] = G::LoadTranslation( "ID_PRIORITY_{$aPriorities[$aRow['DEL_PRIORITY']]}" ); $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListMyInbox.php b/workflow/engine/classes/model/ListMyInbox.php index 36fb6a8ca..337d3164f 100644 --- a/workflow/engine/classes/model/ListMyInbox.php +++ b/workflow/engine/classes/model/ListMyInbox.php @@ -210,7 +210,7 @@ class ListMyInbox extends BaseListMyInbox return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $criteria = new Criteria(); @@ -264,7 +264,8 @@ class ListMyInbox extends BaseListMyInbox $data = array(); $aPriorities = array ('1' => 'VL','2' => 'L','3' => 'N','4' => 'H','5' => 'VH'); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $aRow['DEL_PRIORITY'] = G::LoadTranslation( "ID_PRIORITY_{$aPriorities[$aRow['DEL_PRIORITY']]}" ); $data[] = $aRow; } 
diff --git a/workflow/engine/classes/model/ListParticipatedHistory.php b/workflow/engine/classes/model/ListParticipatedHistory.php index a1adddc3b..4836e8e4a 100644 --- a/workflow/engine/classes/model/ListParticipatedHistory.php +++ b/workflow/engine/classes/model/ListParticipatedHistory.php @@ -169,7 +169,7 @@ class ListParticipatedHistory extends BaseListParticipatedHistory return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $criteria = new Criteria(); @@ -219,7 +219,8 @@ class ListParticipatedHistory extends BaseListParticipatedHistory $data = array(); $aPriorities = array ('1' => 'VL','2' => 'L','3' => 'N','4' => 'H','5' => 'VH'); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $aRow['DEL_PRIORITY'] = G::LoadTranslation( "ID_PRIORITY_{$aPriorities[$aRow['DEL_PRIORITY']]}" ); $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListParticipatedLast.php b/workflow/engine/classes/model/ListParticipatedLast.php index 90b13e72e..bc008a208 100644 --- a/workflow/engine/classes/model/ListParticipatedLast.php +++ b/workflow/engine/classes/model/ListParticipatedLast.php @@ -25,7 +25,7 @@ class ListParticipatedLast extends BaseListParticipatedLast * */ public function create($data) - { + { $criteria = new Criteria(); $criteria->addSelectColumn(ApplicationPeer::APP_STATUS); $criteria->add( ApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL ); @@ -108,7 +108,7 @@ class ListParticipatedLast extends BaseListParticipatedLast * */ public function refresh ($data, $isSelfService = false) - { + { $data['APP_STATUS'] = (empty($data['APP_STATUS'])) ? 'TO_DO' : $data['APP_STATUS']; if (!$isSelfService) { $criteria = new Criteria(); 
@@ -133,7 +133,7 @@ class ListParticipatedLast extends BaseListParticipatedLast } $this->update($data); - + } /** * Remove List Participated History @@ -239,7 +239,7 @@ class ListParticipatedLast extends BaseListParticipatedLast return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $criteria = new Criteria(); @@ -252,7 +252,7 @@ class ListParticipatedLast extends BaseListParticipatedLast $criteria->addSelectColumn(ListParticipatedLastPeer::APP_TITLE); $criteria->addSelectColumn(ListParticipatedLastPeer::APP_PRO_TITLE); $criteria->addSelectColumn(ListParticipatedLastPeer::APP_TAS_TITLE); - $criteria->addSelectColumn(ListParticipatedLastPeer::APP_STATUS); + $criteria->addSelectColumn(ListParticipatedLastPeer::APP_STATUS); $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_PREVIOUS_USR_UID); $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_PREVIOUS_USR_USERNAME); $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_PREVIOUS_USR_FIRSTNAME); @@ -290,7 +290,8 @@ class ListParticipatedLast extends BaseListParticipatedLast $data = array(); $aPriorities = array ('1' => 'VL','2' => 'L','3' => 'N','4' => 'H','5' => 'VH'); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $aRow['DEL_PRIORITY'] = G::LoadTranslation( "ID_PRIORITY_{$aPriorities[$aRow['DEL_PRIORITY']]}" ); $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListPaused.php b/workflow/engine/classes/model/ListPaused.php index fb08cb7db..fb2ddc41f 100644 --- a/workflow/engine/classes/model/ListPaused.php +++ b/workflow/engine/classes/model/ListPaused.php 
@@ -281,7 +281,7 @@ class ListPaused extends BaseListPaused { return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $resp = array(); $criteria = new Criteria(); @@ -332,7 +332,8 @@ class ListPaused extends BaseListPaused { $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $data = array(); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $data[] = $aRow; } diff --git a/workflow/engine/classes/model/ListUnassigned.php b/workflow/engine/classes/model/ListUnassigned.php index 32411825b..0fc92cf71 100644 --- a/workflow/engine/classes/model/ListUnassigned.php +++ b/workflow/engine/classes/model/ListUnassigned.php @@ -243,7 +243,7 @@ class ListUnassigned extends BaseListUnassigned return (int)$total; } - public function loadList ($usr_uid, $filters = array()) + public function loadList($usr_uid, $filters = array(), $callbackRecord = null) { $resp = array(); $criteria = new Criteria(); @@ -298,7 +298,8 @@ class ListUnassigned extends BaseListUnassigned $data = array(); $aPriorities = array ('1' => 'VL','2' => 'L','3' => 'N','4' => 'H','5' => 'VH'); while ($dataset->next()) { - $aRow = $dataset->getRow(); + $aRow = (is_null($callbackRecord))? $dataset->getRow() : $callbackRecord($dataset->getRow()); + $aRow['DEL_PRIORITY'] = G::LoadTranslation( "ID_PRIORITY_{$aPriorities[$aRow['DEL_PRIORITY']]}" ); $data[] = $aRow; } @@ -313,7 +314,7 @@ class ListUnassigned extends BaseListUnassigned /** * Generate Data * - * @return object criteria + * @return object criteria */ public function generateData($appUid,$delPreviusUsrUid){ try { 
@@ -348,7 +349,7 @@ class ListUnassigned extends BaseListUnassigned $taskGroupVariable = trim($row["TAS_GROUP_VARIABLE"], " @#"); $delPreviusUsrUid = ''; $unaUid = $this->newRow($row,$delPreviusUsrUid); - //Selfservice by group + //Selfservice by group if ($taskGroupVariable != "" && isset($applicationData[$taskGroupVariable]) && trim($applicationData[$taskGroupVariable]) != "") { $gprUid = trim($applicationData[$taskGroupVariable]); //Define Users by Group @@ -362,13 +363,13 @@ class ListUnassigned extends BaseListUnassigned } else { //Define all users assigned to Task $task = new TaskUser(); - $arrayUsers = $task->getAllUsersTask($row["TAS_UID"]); + $arrayUsers = $task->getAllUsersTask($row["TAS_UID"]); foreach($arrayUsers as $urow){ $newRow["USR_UID"] = $urow["USR_UID"]; $listUnassignedGpr = new ListUnassignedGroup(); $listUnassignedGpr->newRow($unaUid,$urow["USR_UID"],"USER",""); } - } + } } } catch (Exception $e) { throw $e; diff --git a/workflow/engine/controllers/installer.php b/workflow/engine/controllers/installer.php index e0248996e..3ea60b913 100644 --- a/workflow/engine/controllers/installer.php +++ b/workflow/engine/controllers/installer.php @@ -321,8 +321,13 @@ class Installer extends Controller G::verifyPath( $aux['dirname'], true ); if (is_dir( $aux['dirname'] )) { if (! file_exists( $_REQUEST['pathLogFile'] )) { - @file_put_contents( $_REQUEST['pathLogFile'], '' ); - @chmod($_REQUEST['pathShared'], 0770); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $pathLogFile = $filter->validateInput($_REQUEST['pathLogFile'], "path"); + $pathShared = $filter->validateInput($_REQUEST['pathShared'], "path"); + + @file_put_contents( $pathLogFile, '' ); + @chmod($pathShared, 0770); } } } 
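Review bot: In the installer.php @@ -321 hunk, the validated `$pathLogFile` and `$pathShared` are used only for the write and the chmod, while the `file_exists( $_REQUEST['pathLogFile'] )` test directly above and the `G::verifyPath( $aux['dirname'], true )` directory creation before it still operate on the raw request values, so if the filter alters the string the existence check, the created directory and the written file can all refer to different paths. Validate both request values once, before the `is_dir`/`file_exists` checks, and derive `$aux` from the validated value so every step agrees. The enclosing method starts outside the hunk.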
@@ -843,10 +848,10 @@ class Installer extends Controller $query = sprintf( "USE %s;", $wf_workpace ); $this->mysqlQuery( $query ); - $query = sprintf( "UPDATE USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, md5( $adminPassword ) ); + $query = sprintf( "UPDATE USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, G::encryptOld( $adminPassword ) ); $this->mysqlQuery( $query ); - $query = sprintf( "UPDATE RBAC_USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, md5( $adminPassword ) ); + $query = sprintf( "UPDATE RBAC_USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, G::encryptOld( $adminPassword ) ); $this->mysqlQuery( $query ); // Write the paths_installed.php file (contains all the information configured so far) @@ -1091,6 +1096,8 @@ class Installer extends Controller } $this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($db_file) )); + + $db_file = $filter->validateInput($db_file, "path"); file_put_contents( $db_file, $dbText ); // Generate the databases.php file @@ -1111,6 +1118,8 @@ class Installer extends Controller $databasesText = str_replace( '{dbData}', $dbData, @file_get_contents( PATH_HOME . 'engine/templates/installer/databases.tpl' ) ); $this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($databases_file) )); + + $databases_file = $filter->validateInput($databases_file, "path"); file_put_contents( $databases_file, $databasesText ); //execute scripts to create and populates databases 
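Review bot: Replacing `md5()` with `G::encryptOld()` only changes which digest is stored; what `G::encryptOld` does is not visible here, and its name suggests a legacy scheme rather than a salted password hash such as `password_hash()`, so the storage property of the admin password is unchanged unless that function does more than hash. Independently, `$adminUsername` is still spliced into both `UPDATE` statements through `sprintf` with no escaping visible in the hunk, while the rest of this file uses `$filter->preventSqlInjection($query, array(...))` for the same job; if `$adminUsername` is validated earlier, that is outside the hunk. The same `md5` → `G::encryptOld` swap appears in usersAjax.php @@ -200. The enclosing method starts and ends outside the hunk.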
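Review bot: In the @@ -1091 hunk, `$db_file` is validated one line after `installLog` has already reported the unvalidated value, so the log entry and the file actually written can disagree when the filter changes the path; the @@ -1118 hunk has the same ordering for `$databases_file`. Moving `$db_file = $filter->validateInput($db_file, "path");` above the `$this->installLog( ... )` line fixes it, and likewise for `$databases_file`. `$filter` is not instantiated in either hunk, so its scope should be confirmed in the surrounding method, which starts and ends outside both hunks.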
@@ -1237,35 +1246,35 @@ class Installer extends Controller $info = new stdclass(); if ($_REQUEST['db_engine'] == 'mysql') { - $_REQUEST['db_hostname'] = $filter->validateInput($_REQUEST['db_hostname']); - $_REQUEST['db_username'] = $filter->validateInput($_REQUEST['db_username']); - $_REQUEST['db_password'] = $filter->validateInput($_REQUEST['db_password']); - $link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); - $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); + $db_hostname = $filter->validateInput($_REQUEST['db_hostname']); + $db_username = $filter->validateInput($_REQUEST['db_username']); + $db_password = $filter->validateInput($_REQUEST['db_password']); + $link = @mysql_connect( $db_hostname, $db_username, $db_password ); + $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $query = "show databases like '%s' "; - $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); + $query = $filter->preventSqlInjection( $query, array($wfDatabase) ); $dataset = @mysql_query( $query, $link ); $info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0); } else if ($_REQUEST['db_engine'] == 'mssql') { - $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); - $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); + $link = @mssql_connect( $db_hostname, $db_username, $db_password ); + $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $query = "select * from sys.databases where name = '%s' "; - $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); + $query = $filter->preventSqlInjection( $query, array($wfDatabase) ); $dataset = @mssql_query( $query , $link ); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); } else if ($_REQUEST['db_engine'] == 'sqlsrv') { - $arguments = array("UID" => $_REQUEST['db_username'], 
"PWD" => $_REQUEST['db_password']); - $link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments); - $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); + $arguments = array("UID" => $db_username, "PWD" => $db_password); + $link = @sqlsrv_connect( $db_hostname, $arguments); + $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $query = "select * from sys.databases where name = '%s' "; - $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); + $query = $filter->preventSqlInjection( $query, array($wfDatabase) ); $dataset = @sqlsrv_query( $link, $query ); $info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0); } else { - $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); - $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); + $link = @mssql_connect( $db_hostname, $db_username, $db_password ); + $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $query = "select * from sys.databases where name = '%s' "; - $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); + $query = $filter->preventSqlInjection( $query, array($wfDatabase) ); $dataset = @mssql_query( $query , $link ); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); } @@ -1670,6 +1679,7 @@ class Installer extends Controller $db_password = trim( $_REQUEST['db_password'] ); $db_password = $filter->validateInput($db_password); $wf = trim( $_REQUEST['wfDatabase'] ); + $wf = $filter->validateInput($wf); $db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname; @@ -1701,4 +1711,3 @@ class Installer extends Controller } } } - diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php index 2f8350207..03700369e 100755 --- a/workflow/engine/controllers/pmTablesProxy.php 
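Review bot: `$db_hostname`, `$db_username` and `$db_password` are assigned only inside the `if ($_REQUEST['db_engine'] == 'mysql')` branch, yet the `mssql`, `sqlsrv` and final `else` branches now connect with them, so unless these variables are set earlier in the method (not visible in the hunk) those branches connect with undefined values where the removed code read `$_REQUEST` directly. Hoist the three assignments above the `if`: `$db_hostname = $filter->validateInput($_REQUEST['db_hostname']);`, `$db_username = $filter->validateInput($_REQUEST['db_username']);`, `$db_password = $filter->validateInput($_REQUEST['db_password']);`, and delete them from the mysql branch. The `$wfDatabase = $filter->validateInput(...)` line is repeated in all four branches and can move up with them. The enclosing method starts and ends outside the hunk.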
+++ b/workflow/engine/controllers/pmTablesProxy.php @@ -671,11 +671,11 @@ class pmTablesProxy extends HttpProxyController $filter = new InputFilter(); $countRow = 250; $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE']; - $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path'); + //$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path'); if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) { $filename = $_FILES['form']['name']['CSV_FILE']; - $filename = $filter->xssFilterHard($filename, 'path'); - if ($oFile = fopen( $tmpfilename, 'r' )) { + //$filename = $filter->xssFilterHard($filename, 'path'); + if ($oFile = fopen( $filter->xssFilterHard($tmpfilename, 'path'), 'r' )) { require_once 'classes/model/AdditionalTables.php'; $oAdditionalTables = new AdditionalTables(); $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true ); @@ -771,11 +771,11 @@ class pmTablesProxy extends HttpProxyController G::LoadSystem('inputfilter'); $filter = new InputFilter(); $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE']; - $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path'); + //$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path'); if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) { $filename = $_FILES['form']['name']['CSV_FILE']; $filename = $filter->xssFilterHard($filename, 'path'); - if ($oFile = fopen( $tmpfilename, 'r' )) { + if ($oFile = fopen( $filter->xssFilterHard($tmpfilename, 'path'), 'r' )) { require_once 'classes/model/AdditionalTables.php'; $oAdditionalTables = new AdditionalTables(); $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true ); diff --git a/workflow/engine/methods/cases/cases_Ajax.php b/workflow/engine/methods/cases/cases_Ajax.php index 9dfa86859..aa4c46c30 100644 --- a/workflow/engine/methods/cases/cases_Ajax.php +++ b/workflow/engine/methods/cases/cases_Ajax.php 
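Review bot: Commenting out `$filename = $filter->xssFilterHard($filename, 'path');` in the @@ -671 hunk drops the only treatment of `$_FILES['form']['name']['CSV_FILE']`, which is the client-supplied upload name, while the @@ -771 hunk keeps that line, so the two upload paths now handle the same input differently; whatever later consumes `$filename` is outside the hunk. By contrast `tmp_name` is generated by PHP, so filtering it inside `fopen` while reading it unfiltered in `file_get_contents` two lines earlier gains nothing and is inconsistent. Restore the `$filename` line at @@ -671 (or note why it was removed) and delete the commented-out lines rather than leaving them in. The enclosing method starts and ends outside both hunks.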
@@ -254,13 +254,13 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) { switch ($_POST['TAS_ASSIGN_TYPE']) { // switch verify $_POST['TAS_ASSIGN_TYPE'] case 'BALANCED': - $_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']); + $USR_UID = $filter->xssFilterHard($_POST['USR_UID']); G::LoadClass( 'user' ); $oUser = new User( new DBConnection() ); - $oUser->load( $_POST['USR_UID'] ); + $oUser->load( $USR_UID ); $oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']); $oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']); - echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . ''; + echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . ''; break; case 'MANUAL': $sAux = ''; } else { $ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' )); - echo 'Error: ' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY; + echo 'Error: ' . $TAS_ASSIGN_VARIABLE . ' ' . $ID_EMPTY; echo ''; } break; @@ -461,14 +461,15 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) { $cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] ); break; case 'toRevisePanel': - $_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']); - $_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']); + $APP_UID = $filter->xssFilterHard($_POST['APP_UID']); + $DEL_INDEX = $filter->xssFilterHard($_POST['DEL_INDEX']); - $_GET['APP_UID'] = $_POST['APP_UID']; - $_GET['DEL_INDEX'] = $_POST['DEL_INDEX']; + $_GET['APP_UID'] = $APP_UID + $_GET['DEL_INDEX'] = $DEL_INDEX; $G_PUBLISH = new Publisher(); - echo ''; + + echo ""; // $G_PUBLISH->AddContent( 'smarty', 'cases/cases_toRevise' ); // $G_PUBLISH->AddContent('smarty', 'cases/cases_toReviseIn', '', '', array()); G::RenderPage( 'publish', 'raw' ); 
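Review bot: In the @@ -461 hunk, the added line `$_GET['APP_UID'] = $APP_UID` has no terminating semicolon, so the following `$_GET['DEL_INDEX'] = $DEL_INDEX;` is parsed as part of the same expression and the file fails with a parse error, taking every action in this `switch` down with it. The line should read `$_GET['APP_UID'] = $APP_UID;`. The `switch` starts and ends outside the hunk.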
@@ -1025,4 +1026,3 @@ function getCasesTypeIds () $aTypes = Array ('to_do','draft','cancelled','sent','paused','completed','selfservice','to_revise','to_reassign'); return $aTypesID; } - diff --git a/workflow/engine/methods/cases/proxyNewCasesList.php b/workflow/engine/methods/cases/proxyNewCasesList.php index 2d05166a9..7e1a3f394 100644 --- a/workflow/engine/methods/cases/proxyNewCasesList.php +++ b/workflow/engine/methods/cases/proxyNewCasesList.php 
@@ -104,34 +104,45 @@ try { $filters['dir'] = 'DESC'; } - $result = $list->loadList($userUid, $filters); - if (!empty($result)) { - foreach ($result as &$value) { - if (isset($value['DEL_PREVIOUS_USR_UID'])) { - $value['PREVIOUS_USR_UID'] = $value['DEL_PREVIOUS_USR_UID']; - $value['PREVIOUS_USR_USERNAME'] = $value['DEL_PREVIOUS_USR_USERNAME']; - $value['PREVIOUS_USR_FIRSTNAME'] = $value['DEL_PREVIOUS_USR_FIRSTNAME']; - $value['PREVIOUS_USR_LASTNAME'] = $value['DEL_PREVIOUS_USR_LASTNAME']; - } - if (isset($value['DEL_DUE_DATE'])) { - $value['DEL_TASK_DUE_DATE'] = $value['DEL_DUE_DATE']; - } - if (isset($value['APP_PAUSED_DATE'])) { - $value['APP_UPDATE_DATE'] = $value['APP_PAUSED_DATE']; - } - if (isset($value['DEL_CURRENT_USR_USERNAME'])) { - $value['USR_USERNAME'] = $value['DEL_CURRENT_USR_USERNAME']; - $value['USR_FIRSTNAME'] = $value['DEL_CURRENT_USR_FIRSTNAME']; - $value['USR_LASTNAME'] = $value['DEL_CURRENT_USR_LASTNAME']; - $value['APP_UPDATE_DATE'] = $value['DEL_DELEGATE_DATE']; - } - if (isset($value['APP_STATUS'])) { - $value['APP_STATUS_LABEL'] = G::LoadTranslation( "ID_{$value['APP_STATUS']}" ); - } + $result = $list->loadList( + $userUid, + $filters, + function (array $record) + { + try { + if (isset($record["DEL_PREVIOUS_USR_UID"])) { + $record["PREVIOUS_USR_UID"] = $record["DEL_PREVIOUS_USR_UID"]; + $record["PREVIOUS_USR_USERNAME"] = $record["DEL_PREVIOUS_USR_USERNAME"]; + $record["PREVIOUS_USR_FIRSTNAME"] = $record["DEL_PREVIOUS_USR_FIRSTNAME"]; + $record["PREVIOUS_USR_LASTNAME"] = $record["DEL_PREVIOUS_USR_LASTNAME"]; + } - //$value = array_change_key_case($value, CASE_LOWER); + if (isset($record["DEL_DUE_DATE"])) { + $record["DEL_TASK_DUE_DATE"] = $record["DEL_DUE_DATE"]; + } + + if (isset($record["APP_PAUSED_DATE"])) { + $record["APP_UPDATE_DATE"] = $record["APP_PAUSED_DATE"]; + } + + if (isset($record["DEL_CURRENT_USR_USERNAME"])) { + $record["USR_USERNAME"] = $record["DEL_CURRENT_USR_USERNAME"]; + $record["USR_FIRSTNAME"] = 
$record["DEL_CURRENT_USR_FIRSTNAME"]; + $record["USR_LASTNAME"] = $record["DEL_CURRENT_USR_LASTNAME"]; + $record["APP_UPDATE_DATE"] = $record["DEL_DELEGATE_DATE"]; + } + + if (isset($record["APP_STATUS"])) { + $record["APP_STATUS_LABEL"] = G::LoadTranslation("ID_" . $record["APP_STATUS"]); + } + + //Return + return $record; + } catch (Exception $e) { + throw $e; + } } - } + ); $filtersData = array(); $filtersData['start'] = $filters['start']; @@ -143,12 +154,16 @@ try { $filtersData['search'] = $filters['search']; $filtersData['date_from'] = $filters['dateFrom']; $filtersData['date_to'] = $filters['dateTo']; + $filtersData["action"] = $filters["action"]; + + $response = array(); $response['filters'] = $filtersData; - $response['data'] = $result; - $filtersData['action'] = $filters['action']; $response['totalCount'] = $list->countTotal($userUid, $filtersData); - + $response = $filter->xssFilterHard($response); + + $response["data"] = $result; + echo G::json_encode($response); } catch (Exception $e) { $msg = array("error" => $e->getMessage()); diff --git a/workflow/engine/methods/users/usersAjax.php b/workflow/engine/methods/users/usersAjax.php index 051d9bb8a..50f780946 100755 --- a/workflow/engine/methods/users/usersAjax.php +++ b/workflow/engine/methods/users/usersAjax.php @@ -200,7 +200,7 @@ switch ($_POST['action']) { } $aData['USR_STATUS'] = $statusWF; $aData['USR_UID'] = $sUserUID; - $aData['USR_PASSWORD'] = md5($sUserUID); //fake :p + $aData['USR_PASSWORD'] = G::encryptOld($sUserUID); //fake :p $aData['USR_COUNTRY'] = $form['USR_COUNTRY']; $aData['USR_CITY'] = $form['USR_CITY']; $aData['USR_LOCATION'] = $form['USR_LOCATION']; diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php b/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php index 89bd6ea95..8e590b361 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php 
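Review bot: The `try { … } catch (Exception $e) { throw $e; }` wrapped around the callback body rethrows the same exception unchanged, so it only adds two levels of indentation; the callback should be the bare `if` chain ending in `return $record;`. A one-line comment above the closure would also help, e.g. `// Map DEL_*/APP_* columns onto the PREVIOUS_USR_*, USR_* and *_DATE keys the caller reads, and attach a translated APP_STATUS_LABEL`. The enclosing `try` block opens before this hunk; the third `loadList` argument is presumably added in a change to that method outside this diff, so its other callers should be checked against the new parameter.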
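Review bot: `$response["data"] = $result` is assigned after `$response = $filter->xssFilterHard($response)`, so the case records — which carry user names and other database values, as the previous hunk shows — reach `G::json_encode` unfiltered while the `filters` block is filtered. If that ordering is deliberate (to avoid double-encoding values the client escapes), say so on the line, e.g. `// data is attached after xssFilterHard on purpose: records are escaped client-side — confirm`; otherwise move the assignment above the filter call. Note also that `$filtersData["action"]` is now set before `countTotal` is called, whereas the old code set it only afterwards, so the count now sees the action; that reads as an intended fix but deserves a line in the commit message. The enclosing `try` block opens before this hunk.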
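Review bot: The placeholder password is still derived from the public `USR_UID`, so if `G::encryptOld` is a deterministic unsalted digest (its name suggests a legacy hash, like the `md5` it replaces), anyone who knows a user's UID can reproduce the stored credential; the hunk swaps the algorithm without removing the weakness the `//fake :p` comment hints at. Use an unguessable input for the placeholder instead, e.g. `$aData['USR_PASSWORD'] = G::encryptOld(bin2hex(openssl_random_pseudo_bytes(16)));` (or `random_bytes(16)` where PHP 7+ is guaranteed). Replace the `//fake :p` comment with one that states why this account receives a password nobody knows — I cannot tell from this hunk whether these are externally authenticated users. The enclosing `switch` case starts before the hunk.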
@@ -334,9 +334,9 @@ class Consolidated $sort = $filter->validateInput($sort); if (in_array($sort, $arrayReportTableVar)) { $sort = strtoupper($sort); - eval("\$field = " . $tableName . "Peer::" . $sort . ";"); + eval('$field = ' . $tableName . 'Peer::' . $sort . ';'); } else { - eval("\$field = AppCacheViewPeer::" . $sort . ";"); + eval('$field = AppCacheViewPeer::' . $sort . ';'); } if ($dir == "ASC") { diff --git a/workflow/public_html/bootstrap.php b/workflow/public_html/bootstrap.php index b9f385999..50a532307 100755 --- a/workflow/public_html/bootstrap.php +++ b/workflow/public_html/bootstrap.php @@ -77,13 +77,13 @@ $config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); $config['time_zone'] = $filter->validateInput($config['time_zone']); // Do not change any of these settings directly, use env.ini instead - ini_set( 'display_errors', $config['display_errors']); - ini_set( 'error_reporting', $config['error_reporting']); + ini_set( 'display_errors', $filter->validateInput($config['display_errors']) ); + ini_set( 'error_reporting', $filter->validateInput($config['error_reporting']) ); ini_set('short_open_tag', 'On'); ini_set('default_charset', "UTF-8"); - ini_set('memory_limit', $config['memory_limit']); + ini_set('memory_limit', $filter->validateInput($config['memory_limit']) ); ini_set('soap.wsdl_cache_enabled', $config['wsdl_cache']); - ini_set('date.timezone', $config['time_zone']); + ini_set('date.timezone', $filter->validateInput($config['time_zone']) ); define ('DEBUG_SQL_LOG', $config['debug_sql']); define ('DEBUG_TIME_LOG', $config['debug_time']); @@ -713,7 +713,7 @@ } elseif ($isRestRequest) { G::dispatchRestService(SYS_TARGET, $restConfig, $restApiClassPath); } else { - require_once $phpFile; + require_once $filter->validateInput($phpFile,'path'); } if (defined('SKIP_HEADERS')){
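Review bot: Both `eval` calls still execute a string built from `$sort`, and the `else` branch feeds it a value that only went through `validateInput($sort)` with no allow-list, so an unexpected `$sort` becomes code rather than an invalid column; the quote change in this hunk does not alter that. Resolve the class constant without executing code: `$field = constant($tableName . 'Peer::' . $sort);` and `$field = constant('AppCacheViewPeer::' . $sort);`, and guard the `else` branch with `defined('AppCacheViewPeer::' . $sort)` (or an explicit list of AppCacheView columns) before using it. `$tableName` and the origin of `$sort` are set outside the hunk, so the same confinement applies to `$tableName` wherever it is derived from the request. The enclosing method starts and ends outside this hunk.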
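Review bot: `$config['time_zone']` is already passed through `$filter->validateInput` on the context line just above the `ini_set` block, so wrapping it again inside `ini_set('date.timezone', …)` filters the same value twice. The up-front assignment lines are the natural place to validate `display_errors`, `error_reporting` and `memory_limit` as well, keeping the `ini_set` calls plain, e.g. `$config['memory_limit'] = $filter->validateInput($config['memory_limit']);`. The `define('DEBUG_SQL_LOG', …)` and `DEBUG_TIME_LOG` lines still take their env.ini values raw, so if the aim is to sanitise everything read from env.ini the treatment is inconsistent. These values come from a configuration file rather than the request, so a short comment stating what `validateInput` with no mode argument removes would make clear which risk is being addressed.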
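Review bot: `validateInput($phpFile, 'path')` in front of `require_once` is a sanitiser, not a containment check: it cannot tell whether the resulting path is still inside the directory the dispatcher intended, and `$phpFile` is built before this hunk, presumably from the request target (SYS_TARGET appears on the line above). Resolve and confine the path instead: `$realFile = realpath($phpFile);` `if ($realFile === false || strpos($realFile, realpath($methodsDir)) !== 0) { throw new Exception('Invalid method path'); }` `require_once $realFile;`, where `$methodsDir` is the base directory `$phpFile` is assembled from (not visible here). Keeping the existing filter is harmless, but it should not be the only control between the URL and `require_once`. The enclosing `if`/`elseif` chain opens before this hunk.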