From 14c2edaaed80701cfa5f6bf3482cd575b4ab8b81 Mon Sep 17 00:00:00 2001
From: "Paula V. Quispe"
Date: Wed, 11 Mar 2015 12:07:16 -0400
Subject: [PATCH] I corrected some files
---
 gulliver/methods/genericAjax.php | 8 ++---
 gulliver/system/class.inputfilter.php | 31 ++++++++++++++-----
 rbac/engine/templates/login/showDBFiles.php | 5 ++-
 .../engine/templates/login/showDBFiles.php | 5 ++-
 4 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/gulliver/methods/genericAjax.php b/gulliver/methods/genericAjax.php
index 1a52c1087..f0f53b9f1 100755
--- a/gulliver/methods/genericAjax.php
+++ b/gulliver/methods/genericAjax.php
@@ -1,10 +1,10 @@ xssFilterHard($_GET);
-$_POST = $filter->xssFilterHard($_POST);
-$_REQUEST = $filter->xssFilterHard($_REQUEST);
-$_SESSION = $filter->xssFilterHard($_SESSION);
+$_GET = $filter->xssFilterHard($_GET,"url");
+$_POST = $filter->xssFilterHard($_POST,"url");
+$_REQUEST = $filter->xssFilterHard($_REQUEST,"url");
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 $request = isset($_POST['request'])? $_POST['request']: null;
 if( !isset($request) ){
diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php
index 138be6c11..92abbad53 100644
--- a/gulliver/system/class.inputfilter.php
+++ b/gulliver/system/class.inputfilter.php
@@ -372,7 +372,7 @@ class InputFilter
 * @param Array or String $input
 * @return Array or String $input
 */
- public function xssFilter($input)
+ public function xssFilter($input, $type = "")
 {
 if(is_array($input)) {
 if(sizeof($input)) {
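Review bot: Passing `"url"` for all four superglobals, `$_SESSION` included, drops the `addslashes(htmlspecialchars(...))` step that the inputfilter hunks below apply only in the default mode, so any of these values that is later echoed into a page now relies on HTMLPurifier's purify() alone, which sanitizes HTML fragments but does not make a string safe for an attribute, JavaScript or URL context. Output escaping belongs where the value is written, per context, e.g. `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` for HTML text and attributes, rather than being chosen once here for every request parameter. Overwriting `$_SESSION` with purified copies also rewrites server-side session state on every request; that assignment predates this commit, but the mode change now alters what gets stored. The first lines of this hunk are truncated on this page (only `xssFilterHard($_GET);` survives before `-$_POST`), so the removed `$_GET` line and the leading context could not be checked.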
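Review bot: The new `$type` parameter is not described in the docblock whose `@param Array or String $input` and `@return` lines are context here, and the same gap exists for xssFilterHard at @@ -401. Add a line such as `* @param string $type "" (default) to HTML-escape and addslash the result, or "url" to return the sanitized string without that escaping` to both docblocks, matching what the branches at @@ -380 and @@ -389 actually do. Since only two values are distinguished, a class constant, e.g. `const TYPE_URL = 'url';` compared with `===`, would name the mode and stop a typo from silently selecting the default branch. The method body continues below this hunk.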
@@ -380,7 +380,16 @@ class InputFilter
 if(is_array($val) && sizeof($val)) {
 $input[$i] = $this->xssFilter($val);
 } else {
- $input[$i] = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
+ if(!empty($val)) {
+ if($type != "url") {
+ $inputFiltered = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
+ } else {
+ $inputFiltered = filter_var($val, FILTER_SANITIZE_STRING);
+ }
+ } else {
+ $inputFiltered = "";
+ }
+ $input[$i] = $inputFiltered;
 }
 }
 }
@@ -389,7 +398,11 @@ class InputFilter
 if(!isset($input) || trim($input) === '' || $input === NULL ) {
 return '';
 } else {
- return addslashes(htmlspecialchars(filter_var($input, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
+ if($type != "url") {
+ return addslashes(htmlspecialchars(filter_var($input, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
+ } else {
+ return filter_var($input, FILTER_SANITIZE_STRING);
+ }
 }
 }
 }
@@ -401,10 +414,9 @@ class InputFilter
 * @param Array or String $input
 * @return Array or String $input
 */
- function xssFilterHard($input)
+ function xssFilterHard($input, $type = "")
 {
 require_once (PATH_THIRDPARTY . 'HTMLPurifier/HTMLPurifier.auto.php');
- //G::LoadThirdParty ('HTMLPurifier', 'HTMLPurifier.auto.php');
 $config = HTMLPurifier_Config::createDefault();
 $purifier = new HTMLPurifier($config);
 if(is_array($input)) {
@@ -415,7 +427,9 @@ class InputFilter
 } else {
 if(!empty($val)) {
 $inputFiltered = $purifier->purify($val);
- $inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8'));
+ if($type != "url") {
+ $inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8'));
+ }
 } else {
 $inputFiltered = "";
 }
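Review bot: The new `if(!empty($val))` guard in the array branch turns the string `"0"` (and integer `0`) into `""`, because `empty("0")` is true in PHP, so a legitimate zero value is silently erased; test emptiness explicitly, e.g. `if($val !== '' && $val !== null) {`. The context line `$input[$i] = $this->xssFilter($val);` still recurses without `$type`, so nested arrays are always escaped even when the caller asked for `"url"`; it should read `$input[$i] = $this->xssFilter($val, $type);`. `$type != "url"` is a loose comparison; `!==` is the safer form here and in the same checks at @@ -389, @@ -415 and @@ -429. The nested-array recursion of xssFilterHard lies above @@ -415 and is not visible on this page, so whether it forwards `$type` should be checked as well. The enclosing foreach and the method signature are outside this hunk.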
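Review bot: `function xssFilterHard($input, $type = "")` still declares no visibility, while its sibling at @@ -372 is `public function xssFilter(...)`; write `public function xssFilterHard($input, $type = "")` for consistency. `$type` is also accepted without validation: every later check is `$type != "url"`, so an unrecognised value such as `"URL"` silently falls back to the escaping mode instead of failing. A guard right after the signature, `if ($type !== '' && $type !== 'url') { throw new InvalidArgumentException('unknown filter type'); }`, would make that mistake visible at the call site. The method body continues past this hunk.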
@@ -429,7 +443,10 @@ class InputFilter
 return '';
 } else {
 $input = $purifier->purify($input);
- return addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
+ if($type != "url") {
+ $input = addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
+ }
+ return $input;
 }
 }
 }
diff --git a/rbac/engine/templates/login/showDBFiles.php b/rbac/engine/templates/login/showDBFiles.php
index 31682bdd9..89cab1860 100755
--- a/rbac/engine/templates/login/showDBFiles.php
+++ b/rbac/engine/templates/login/showDBFiles.php
@@ -30,11 +30,14 @@ die; } - + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + echo ""; echo ""; echo ""; $curPage = getenv( "REQUEST_URI" ); + $curPage = $filter->xssFilterHard($curPage,"url"); //running the while loop $first = 0; while ($file = readdir($dir_handle))
diff --git a/workflow/engine/templates/login/showDBFiles.php b/workflow/engine/templates/login/showDBFiles.php
index 31682bdd9..89cab1860 100755
--- a/workflow/engine/templates/login/showDBFiles.php
+++ b/workflow/engine/templates/login/showDBFiles.php
@@ -30,11 +30,14 @@ die; } - + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + echo "
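Review bot: In `"url"` mode the string branch now returns `$purifier->purify($input)` untouched; purify() produces an HTML fragment, so for a non-HTML value such as a request path, characters like `&` will presumably come back entity-encoded (`&amp;`) — verify against the bundled HTMLPurifier, because a caller that reuses the result as a URL would then get a mangled query string. The mode name suggests URL handling, yet no URL-specific validation happens in either branch; if the intent is a URL-safe value, `filter_var($input, FILTER_SANITIZE_URL)` or escaping at the output site is the fitting tool. `$type !== "url"` would at least avoid the loose comparison. The enclosing if/else and the start of the method are above this hunk.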
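Review bot: `$curPage = $filter->xssFilterHard($curPage,"url");` runs HTMLPurifier over `REQUEST_URI` and writes the result back, but how `$curPage` is used is outside this hunk; if it is echoed into an `href` or form `action`, the correct defence is `htmlspecialchars($curPage, ENT_QUOTES, 'UTF-8')` at that echo, since purify() sanitizes HTML fragments and may rewrite `&` in the query string. `G::LoadSystem('inputfilter')` and `new InputFilter()` are now executed in the middle of the output code, after the `die;` path shown as context; hoisting them above the output would keep loading and filtering separate from rendering. The workflow/engine copy in the next file section is byte-identical (same index hashes), so the same applies there. The body of this hunk is partly collapsed on this page (the `echo` lines and a blank line could not be separated), so its line counts could not be fully verified.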
Please select a valid workspace to continue
"; echo ""; echo ""; $curPage = getenv( "REQUEST_URI" ); + $curPage = $filter->xssFilterHard($curPage,"url"); //running the while loop $first = 0; while ($file = readdir($dir_handle))
Please select a valid workspace to continue