fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged in mcuiza/processmaker/XSS-2 (pull request #1700)

Browse Source 
xss 2
This commit is contained in:
Julio Cesar Laura Avendaño
2015-03-19 00:20:01 -04:00
parent 74605790a9 177a85512e
commit 363ebedf2e
7 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
workflow/engine/methods/cases/casesList_Ajax.php
View File

@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/AppDelay.php");*/
G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
function filterUserListArray($users = array(), $filter = '')

10
workflow/engine/methods/setup/skin_Ajax.php
View File

@@ -1,4 +1,8 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset( $_REQUEST['action'] )) {
$res['success'] = false;
$res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -162,7 +166,7 @@ function newSkin ($baseSkin = 'classic')
$configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml';
$xmlConfiguration = file_get_contents( $configFileOriginal );
$workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS;
$xmlConfigurationObj = G::xmlParser($xmlConfiguration);
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
function deleteSkin ()
{
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
}

4
workflow/engine/methods/tracker/tracker_Ajax.php
View File

@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if (isset( $_POST['form']['action'] )) {
$_POST['action'] = $_POST['form']['action'];
}

9
workflow/engine/methods/users/usersAjax.php
View File

@@ -1,4 +1,13 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SESSION['USER_LOGGED'])) {
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
}
if(isset($_SESSION['USR_USERNAME'])) {
$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
}
global $RBAC;
$result = new StdClass();

6
workflow/engine/methods/users/users_Ajax.php
View File

@@ -23,6 +23,12 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
global $RBAC;
switch ($RBAC->userCanAccess('PM_LOGIN')) {
case - 2: