validaciones veracode del reporte del 11-05-15

This commit is contained in:
marcelo.cuiza
2015-05-11 16:36:07 -04:00
parent 94b98fe61f
commit 3a06caf555
4 changed files with 44 additions and 9 deletions


@@ -902,16 +902,21 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
$dir = dirname($path) . "/";
$base = basename($path);
G::LoadSystem('inputfilter');
$filter = new InputFilter();
foreach ($options["props"] as $key => $prop) {
if ($prop["ns"] == "DAV:") {
$options["props"][$key]['status'] = "403 Forbidden";
} else {
if (isset($prop["val"])) {
$query = "REPLACE INTO properties SET path = '$options[path]', name = '$prop[name]', ns= '$prop[ns]', value = '$prop[val]'";
$query = "REPLACE INTO properties SET path = '%s', name = '%s', ns= '%s', value = '%s'";
$query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns'],$prop['val']));
error_log($query);
} else {
$query = "DELETE FROM properties WHERE path = '$options[path]' AND name = '$prop[name]' AND ns = '$prop[ns]'";
$query = "DELETE FROM properties WHERE path = '%s' AND name = '%s' AND ns = '%s'";
$query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns']));
}
mysql_query($query);
}
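Review bot: `error_log($query);` in the REPLACE branch looks like a debugging leftover: it writes every property-update statement, including the caller-supplied path, name, ns and value, to the server error log, and the DELETE branch has no matching line. Remove it, or at least gate it behind the project's debug setting, before merging. The new `preventSqlInjection` calls replace string interpolation with escaping, which is an improvement, but the statements still run through `mysql_query`, so there is no driver-level parameterization; if this code ever moves to mysqli or PDO, both statements are straightforward candidates for prepared statements with bound values. The enclosing method starts before this hunk and the `foreach` body continues after it.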


@@ -315,6 +315,10 @@ class Installer extends Controller
$info->success = false;
}
}
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$pathShared = $filter->validateInput($_REQUEST['pathShared'], 'path');
if ($info->pathShared->result) {
$aux = pathinfo( $_REQUEST['pathLogFile'] );
@@ -322,7 +326,7 @@ class Installer extends Controller
if (is_dir( $aux['dirname'] )) {
if (! file_exists( $_REQUEST['pathLogFile'] )) {
@file_put_contents( $_REQUEST['pathLogFile'], '' );
@chmod($_REQUEST['pathShared'], 0770);
@chmod($pathShared , 0770);
}
}
}
@@ -388,7 +392,11 @@ class Installer extends Controller
return $false;
}
}
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$logFile = $filter->validateInput($logFile, 'path');
$fpt = fopen( $logFile, 'a' );
fwrite( $fpt, sprintf( "%s %s\n", date( 'Y:m:d H:i:s' ), trim( $text ) ) );
fclose( $fpt );
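Review bot: The validation added in the `@@ -315,6 +315,10 @@` hunk covers only `pathShared`, while `$_REQUEST['pathLogFile']` is still passed raw to `pathinfo`, `file_exists` and `file_put_contents` in that hunk and the `@@ -322,7 +326,7 @@` one, so the path that is actually created on disk is the one left unvalidated. Run it through the same filter once and use the result in all three calls, e.g. `$pathLogFile = $filter->validateInput($_REQUEST['pathLogFile'], 'path');`. The `G::LoadSystem('inputfilter'); $filter = new InputFilter();` pair is now repeated in two methods of this class; a private helper or a lazily initialised property would avoid the duplication. In the last hunk `fopen( $logFile, 'a' )` remains unchecked after the new validation, so if the filter rejects the path (whatever it returns in that case) or the file is not writable, `fwrite` runs on `false`. The enclosing methods of all three hunks start outside the shown lines.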