From 3dd0a86903071630802d8b185a9df6e77da150a2 Mon Sep 17 00:00:00 2001 From: "marcelo.cuiza" Date: Tue, 28 Apr 2015 15:48:30 -0400 Subject: [PATCH] correcciones incidencias veracode --- gulliver/system/class.bootstrap.php | 12 +- gulliver/system/class.g.php | 25 +-- .../DefinitionCache/Serializer.php | 29 +++ gulliver/thirdparty/pear/Archive/Zip.php | 11 +- gulliver/thirdparty/pear/Log/syslog.php | 11 +- gulliver/thirdparty/pear/Log/win.php | 11 +- gulliver/thirdparty/pear/PEAR/Builder.php | 29 ++- .../thirdparty/pear/PEAR/Command/Package.php | 15 ++ gulliver/thirdparty/pear/PEAR/Common.php | 28 +++ gulliver/thirdparty/pear/PEAR/Installer.php | 37 ++-- gulliver/thirdparty/pear/PEAR/Registry.php | 27 +++ gulliver/thirdparty/pear/SOAP/Value.php | 11 +- gulliver/thirdparty/pear/SOAP/WSDL.php | 11 +- gulliver/thirdparty/phing/lib/Capsule.php | 12 +- gulliver/thirdparty/phing/lib/Zip.php | 11 +- gulliver/thirdparty/tcpdf/tcpdf.php | 11 +- workflow/engine/bin/cron.php | 6 + workflow/engine/bin/cron_single.php | 200 +++++++++--------- workflow/engine/bin/messageeventcron.php | 6 +- .../engine/bin/messageeventcron_single.php | 5 + workflow/engine/bin/reindex_solr.php | 13 +- workflow/engine/bin/verify_solr.php | 13 +- workflow/engine/controllers/installer.php | 12 ++ workflow/engine/methods/setup/setup.php | 5 +- workflow/engine/methods/setup/skin_Ajax.php | 13 +- .../BusinessModel/Consolidated.php | 6 +- workflow/engine/test/bootstrap/unit.php | 5 +- workflow/public_html/bootstrap.php | 7 + workflow/public_html/sysGeneric.php | 22 +- 29 files changed, 442 insertions(+), 162 deletions(-) diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php index 0edcae85b..d09defa5d 100644 --- a/gulliver/system/class.bootstrap.php +++ b/gulliver/system/class.bootstrap.php 
@@ -670,10 +670,18 @@ class Bootstrap */ public static function LoadClass($strClass) { + Bootstrap::LoadSystem('inputfilter'); + $filter = new InputFilter(); + + $path = PATH_GULLIVER . 'class.' . $strClass . '.php'; + $path = $filter->validateInput($path, "path"); + $classfile = Bootstrap::ExpandPath("classes") . 'class.' . $strClass . '.php'; + $classfile = $filter->validateInput($classfile, "path"); + if (!file_exists($classfile)) { - if (file_exists(PATH_GULLIVER . 'class.' . $strClass . '.php')) { - return require_once (PATH_GULLIVER . 'class.' . $strClass . '.php'); + if (file_exists($path)) { + return require_once ($path); } else { return false; } diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index ca57a81f0..d0d63551d 100755 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php @@ -245,7 +245,7 @@ class G } $result = base64_encode( $result ); - $result = str_replace( '/', '°', $result ); + $result = str_replace( '/', '°', $result ); $result = str_replace( '=', '', $result ); return $result; } @@ -264,7 +264,7 @@ class G // if ( defined ( 'ENABLE_ENCRYPT' ) && ENABLE_ENCRYPT == 'yes' ) { //if (strpos($string, '|', 0) !== false) return $string; $result = ''; - $string = str_replace( '°', '/', $string ); + $string = str_replace( '°', '/', $string ); $string_jhl = explode( "?", $string ); $string = base64_decode( $string ); $string = base64_decode( $string_jhl[0] ); @@ -784,7 +784,7 @@ class G for ($i = 2; $i < count( $aRequestUri ); $i ++) { $decoded = G::decrypt( urldecode( $aRequestUri[$i] ), URL_KEY ); - if ($decoded == 'sWì›') { + if ($decoded == 'sWì›') { $decoded = $VARS[$i]; //this is for the string "../" } $plain .= '/' . $decoded; 
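Review bot: Running `validateInput(..., "path")` over the two assembled file names does not bound `$strClass` itself, which is the only variable part of either path; a filter that merely strips traversal sequences still lets a caller pick any `class.<name>.php` the filter tolerates, and what the `path` mode actually removes is not visible here. Checking the class name against an identifier whitelist before building the paths is simpler to reason about than post-filtering the result: `if (!preg_match('/^[A-Za-z0-9_]+$/', $strClass)) { return false; }` placed right after the `LoadSystem('inputfilter')` line (widen the class if existing callers pass dots or dashes). On the positive side, `file_exists` and `require_once` now operate on the same `$path` string, which the old code did not guarantee if the filter rewrites anything. LoadClass's closing brace lies outside the hunk.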
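Review bot: The `str_replace('/', '°', ...)` line in `encrypt` and its inverse in `decrypt` read identically on both sides of the diff, so the change is presumably a byte-encoding change of the `°` literal (e.g. Latin-1 to UTF-8) rather than a logic change, and that silently alters the token `encrypt` emits and `decrypt` expects. Any URL or cookie produced before this commit with the old single-byte `°` would then no longer round-trip, and both functions must keep exactly the same byte sequence or the `explode("?")`/`base64_decode` path in `decrypt` receives a different string. Consider writing the literal as an escape so file encoding cannot affect it, `$result = str_replace('/', "\xC2\xB0", $result);` in `encrypt` and the mirror in `decrypt`, after confirming which bytes deployed installations have been emitting. The `if ($decoded == 'sWì›')` comparison in the `@@ -784` hunk is the same kind of encoding-sensitive literal and should be changed in lockstep.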
@@ -1349,7 +1349,7 @@ class G $lang = defined( SYS_LANG ) ? SYS_LANG : 'en'; } $aux = explode( ' ', $datetime ); //para dividir la fecha del dia - $date = explode( '-', isset( $aux[0] ) ? $aux[0] : '00-00-00' ); //para obtener los dias, el mes, y el año. + $date = explode( '-', isset( $aux[0] ) ? $aux[0] : '00-00-00' ); //para obtener los dias, el mes, y el año. $time = explode( ':', isset( $aux[1] ) ? $aux[1] : '00:00:00' ); //para obtener las horas, minutos, segundos. $date[0] = (int) ((isset( $date[0] )) ? $date[0] : '0'); $date[1] = (int) ((isset( $date[1] )) ? $date[1] : '0'); @@ -1365,7 +1365,7 @@ class G ); // Spanish days - $ARR_WEEKDAYS['es'] = array ("Domingo","Lunes","Martes","Miércoles","Jueves","Viernes","Sábado" + $ARR_WEEKDAYS['es'] = array ("Domingo","Lunes","Martes","Miércoles","Jueves","Viernes","Sábado" ); // English days $ARR_WEEKDAYS['en'] = array ("Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday" @@ -1461,7 +1461,7 @@ class G } $aux = explode( ' ', $date ); //para dividir la fecha del dia - $date = explode( '-', isset( $aux[0] ) ? $aux[0] : '00-00-00' ); //para obtener los dias, el mes, y el año. + $date = explode( '-', isset( $aux[0] ) ? $aux[0] : '00-00-00' ); //para obtener los dias, el mes, y el año. $time = explode( ':', isset( $aux[1] ) ? $aux[1] : '00:00:00' ); //para obtener las horas, minutos, segundos. $year = (int) ((isset( $date[0] )) ? $date[0] : '0'); //year @@ -2438,12 +2438,12 @@ class G $loginhtml = (ENABLE_ENCRYPT == 'yes' ? G::encrypt( urldecode( $aux[1] ), URL_KEY ) : $aux[1]); //header ("location: /$sys/$lang/$skin/$login/$loginhtml"); - header( "location: /fluid/mNE/o9A/mNGm1aLiop3V4qU/dtij4J°gmaLPwKDU3qNn2qXanw" ); + header( "location: /fluid/mNE/o9A/mNGm1aLiop3V4qU/dtij4J°gmaLPwKDU3qNn2qXanw" ); die(); } if ($sw == 0) { - header( "location: /fluid/mNE/o9A/mNGm1aLiop3V4qU/dtij4J°gmaLPwKDU3qNn2qXanw" ); + header( "location: /fluid/mNE/o9A/mNGm1aLiop3V4qU/dtij4J°gmaLPwKDU3qNn2qXanw" ); die(); } } 
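Review bot: The two `header( "location: /fluid/mNE/o9A/...°..." )` lines hard-code a ciphertext that embeds the same `°` literal whose encoding this commit changes in `G::encrypt`/`G::decrypt`, so whether the redirect target still decrypts now depends on the file being saved in the encoding the router expects; old and new render identically here, so the diff cannot confirm it. The commented-out line directly above already computes `$loginhtml` with `G::encrypt`, and emitting that instead of a fixed blob, `header('location: /' . $sys . '/' . $lang . '/' . $skin . '/' . $login . '/' . $loginhtml);` (assuming those variables are in scope as the comment suggests), removes the dependency on file encoding and on a workspace literally named `fluid`. The `die()` after each redirect is correct and should stay.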
@@ -2653,6 +2653,7 @@ class G G::LoadSystem('inputfilter'); $filter = new InputFilter(); $file = $filter->validateInput($file, "path"); + $path = $filter->validateInput($path, "path"); move_uploaded_file( $file, $path . "/" . $nameToSave ); @chmod( $path . "/" . $nameToSave, $permission ); @@ -2791,7 +2792,7 @@ class G /** * Generate a numeric or alphanumeric code * - * @author Julio Cesar Laura Avendaힼjuliocesar@colosa.com> + * @author Julio Cesar Laura Avendaíž¼juliocesar@colosa.com> * @access public * @return string */ @@ -3157,7 +3158,7 @@ class G $quotedReplacement = preg_quote( $replacement, '/' ); - $default = array ('/à|á|å|â/' => 'a','/è|é|ê|ẽ|ë/' => 'e','/ì|í|î/' => 'i','/ò|ó|ô|ø/' => 'o','/ù|ú|ů|û/' => 'u','/ç/' => 'c','/ñ/' => 'n','/ä|æ/' => 'ae','/ö/' => 'oe','/ü/' => 'ue','/Ä/' => 'Ae','/Ü/' => 'Ue','/Ö/' => 'Oe','/ß/' => 'ss','/\.|\,|\:|\-|\\|\//' => " ",'/\\s+/' => $replacement + $default = array ('/à |á|Ã¥|â/' => 'a','/è|é|ê|ẽ|ë/' => 'e','/ì|í|î/' => 'i','/ò|ó|ô|ø/' => 'o','/ù|ú|ů|û/' => 'u','/ç/' => 'c','/ñ/' => 'n','/ä|æ/' => 'ae','/ö/' => 'oe','/ü/' => 'ue','/Ä/' => 'Ae','/Ü/' => 'Ue','/Ö/' => 'Oe','/ß/' => 'ss','/\.|\,|\:|\-|\\|\//' => " ",'/\\s+/' => $replacement ); $map = array_merge( $default, $map ); @@ -5584,7 +5585,7 @@ class G { $strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]", "}", "\\", "|", ";", ":", "\"", "'", "‘", "’", "“", "”", "–", "—", - "—", "–", ",", "<", ".", ">", "/", "?"); + "—", "–", ",", "<", ".", ">", "/", "?"); $clean = trim(str_replace($strip, "", strip_tags($string))); $clean = preg_replace('/\s+/', "-", $clean); $clean = ($alpha) ? preg_replace("/[^a-zA-Z0-9]/", "", $clean) : $clean ; @@ -5718,4 +5719,4 @@ function eprintln ($s = "", $c = null) function __ ($msgID, $lang = SYS_LANG, $data = null) { return G::LoadTranslation( $msgID, $lang, $data ); -} +} \ No newline at end of file 
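Review bot: In the `move_uploaded_file` hunk the new line filters `$path`, but `$nameToSave`, which is concatenated into the same destination, is still unfiltered; if a caller derives it from the uploaded file's client name, a value such as `../x.php` escapes `$path` no matter how clean `$path` is. Run it through the same filter and strip any directory component, `$nameToSave = basename($filter->validateInput($nameToSave, "path"));`, before the `move_uploaded_file` call. The `@chmod` on the following line also suppresses the only signal that the permission change failed; checking its return costs one line. The enclosing function starts and ends outside the hunk.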
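Review bot: The new side of the `@@ -3157` hunk carries mojibake in the transliteration table: `'/à |á|Ã¥|â/' => 'a'` replaced `'/à|á|å|â/' => 'a'`, so `à` is now followed by a stray byte and `å` became `Ã¥`, which means those characters are no longer mapped to `a` and the stray bytes match things they should not. The other entries on the line look intact, so this is most likely a double-encoding accident when the file was re-saved rather than an intended change. Restore the original entry, `'/à|á|å|â/' => 'a'`, and check the file is committed as UTF-8 without a second conversion pass. The quote characters in the `@@ -5584` hunk read identically on both sides, so they are probably the same re-encoding and should be verified the same way.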
diff --git a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php index 2d52acfaa..e1f40e701 100644 --- a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php +++ b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php @@ -83,6 +83,21 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac if (!file_exists($file)) { return false; } + + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file,"path"); + return unlink($file); } @@ -182,6 +197,20 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac */ private function _write($file, $data, $config) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file,"path"); + if(is_file($file)) { $result = file_put_contents($file, $data); } else { diff --git a/gulliver/thirdparty/pear/Archive/Zip.php b/gulliver/thirdparty/pear/Archive/Zip.php index 631b7d070..e96111080 100755 --- a/gulliver/thirdparty/pear/Archive/Zip.php +++ b/gulliver/thirdparty/pear/Archive/Zip.php 
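Review bot: In the `remove()` hunk the `file_exists($file)` check on the line above runs on the unfiltered path while the new `unlink($file)` runs on the filtered one, so if `validateInput` rewrites the string the two operate on different files and `unlink` can fail for a path that was just reported present. Move the filter block above the `if (!file_exists($file))` check so check and use agree; `_write` below already has the right order, filtering before `is_file($file)`. The `DOCUMENT_ROOT`-walking bootstrap pasted into a vendored HTMLPurifier file also assumes a web SAPI: under CLI `$_SERVER['DOCUMENT_ROOT']` is normally unset, the computed trunk collapses to `/`, and the `require_once` fails fatally, so the definition cache would break for any command-line purifier use. A single shared `G` loader included from one place would be easier to keep correct than this block, which this commit copies into more than a dozen files.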
@@ -3602,7 +3602,16 @@ class Archive_Zip public function encryptCrc32($string) { - return crc32($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptCrc32($string); } } diff --git a/gulliver/thirdparty/pear/Log/syslog.php b/gulliver/thirdparty/pear/Log/syslog.php index 0bc5a3466..93ce84efc 100755 --- a/gulliver/thirdparty/pear/Log/syslog.php +++ b/gulliver/thirdparty/pear/Log/syslog.php @@ -178,7 +178,16 @@ class Log_syslog extends Log public function encryptOld($string) { - return md5($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptOld($string); } } diff --git a/gulliver/thirdparty/pear/Log/win.php b/gulliver/thirdparty/pear/Log/win.php index e267d3788..1f7d1ae62 100755 --- a/gulliver/thirdparty/pear/Log/win.php +++ b/gulliver/thirdparty/pear/Log/win.php @@ -268,7 +268,16 @@ EOT; public function encryptOld($string) { - return md5($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptOld($string); } } 
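Review bot: `encryptCrc32` is presumably what this class uses for the ZIP entry CRC field, and the ZIP format fixes that value as CRC-32; routing `crc32()` through a `G::encryptCrc32` indirection does nothing cryptographic and invites someone to later "strengthen" the helper into a different hash, which would corrupt every archive written. If the wrapper must exist for the scanner, document the constraint at the call, `// ZIP format requires plain CRC-32 here; G::encryptCrc32 must stay crc32()-compatible`, and add the same comment in the identical phing copy of this class. The `DOCUMENT_ROOT` bootstrap is the wrong place to load `G` from inside a library: when `$_SERVER['DOCUMENT_ROOT']` is absent (CLI) the computed path becomes `/gulliver/system/class.g.php` and the `require_once` is fatal. The `encryptOld` wrappers around `md5()` in the two Log backends on this same line have the same shape; renaming md5 to `encryptOld` relocates the scanner finding without changing the algorithm, and where md5 only produces a non-secret identifier a comment saying so is the honest fix.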
diff --git a/gulliver/thirdparty/pear/PEAR/Builder.php b/gulliver/thirdparty/pear/PEAR/Builder.php index 9e3ab3411..cbd443d50 100755 --- a/gulliver/thirdparty/pear/PEAR/Builder.php +++ b/gulliver/thirdparty/pear/PEAR/Builder.php @@ -107,7 +107,20 @@ class PEAR_Builder extends PEAR_Common } else { return $this->raiseError("Did not understand the completion status returned from msdev.exe."); } - + + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $dsp = $filter->validateInput($dsp,"path"); // msdev doesn't tell us the output directory :/ // open the dsp, find /out and use that directory $dsptext = join(file($dsp),''); @@ -347,6 +360,20 @@ class PEAR_Builder extends PEAR_Common */ function _runCommand($command, $callback = null) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $command = $filter->validateInput($command); + $this->log(1, "running: $command"); $pp = @popen("$command 2>&1", "r"); if (!$pp) { diff --git a/gulliver/thirdparty/pear/PEAR/Command/Package.php b/gulliver/thirdparty/pear/PEAR/Command/Package.php index f7b24490f..fe1fe03ff 100755 --- a/gulliver/thirdparty/pear/PEAR/Command/Package.php +++ b/gulliver/thirdparty/pear/PEAR/Command/Package.php 
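Review bot: In `_runCommand`, passing the whole shell command through `validateInput($command)` before `popen` is not shell escaping: a generic filter cannot tell operator characters the build relies on (quotes, `|`, the `2>&1` appended on the next line) from injected ones, so depending on what it strips it either breaks legitimate commands or lets metacharacters through. Quote untrusted pieces where `$command` is assembled, one `escapeshellarg()` per argument, and treat the string here as already trusted; if the filter must remain for the scanner, log the filtered string alongside the original so a silently altered command is visible. The `@popen` on the following line also hides why a command failed to start. In the `@@ -107` hunk the same filter is applied to `$dsp` only after msdev has presumably already been run against it earlier in the method (outside the hunk), so `file($dsp)` may read a different file than the one that was built.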
@@ -358,6 +358,21 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm $this->output .= "+ $command\n"; } $this->output .= "+ $command\n"; + + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $command = $filter->validateInput($command); + if (empty($options['dry-run'])) { $fp = popen($command, "r"); while ($line = fgets($fp, 1024)) { diff --git a/gulliver/thirdparty/pear/PEAR/Common.php b/gulliver/thirdparty/pear/PEAR/Common.php index 8c49511b3..88a4f6049 100755 --- a/gulliver/thirdparty/pear/PEAR/Common.php +++ b/gulliver/thirdparty/pear/PEAR/Common.php @@ -1218,6 +1218,20 @@ class PEAR_Common extends PEAR */ function analyzeSourceCode($file) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file,"path"); + if (!function_exists("token_get_all")) { return false; } 
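Review bot: In the `@@ -358` hunk the command is filtered only after it has already been appended to `$this->output`, so the `+ $command` lines shown to the user (and in `--dry-run` mode) are not the string actually passed to `popen`. Move the `validateInput($command)` call above the two `$this->output .= "+ $command\n";` lines so what is printed is what runs; better still, build `$command` with `escapeshellarg()` around each variable part and drop the generic filter, since an input filter is not a shell escaper. `popen` on the filtered string is still followed by `fgets($fp, 1024)` with no check that `$fp` is a resource. In the `analyzeSourceCode` hunk below, the `function_exists("token_get_all")` early return should come before the `G` bootstrap so the include and filter are not paid for a call that returns `false` anyway.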
@@ -1631,6 +1645,20 @@ class PEAR_Common extends PEAR } } $dest_file = $save_dir . DIRECTORY_SEPARATOR . $save_as; + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $dest_file = $filter->validateInput($dest_file,"path"); + if (!$wp = @fopen($dest_file, 'wb')) { fclose($fp); if ($callback) { diff --git a/gulliver/thirdparty/pear/PEAR/Installer.php b/gulliver/thirdparty/pear/PEAR/Installer.php index 9c8e15c95..0e7f9d7fa 100755 --- a/gulliver/thirdparty/pear/PEAR/Installer.php +++ b/gulliver/thirdparty/pear/PEAR/Installer.php 
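Review bot: `$dest_file = $save_dir . DIRECTORY_SEPARATOR . $save_as;` is filtered as a whole path, but the component that can carry traversal is `$save_as`, which in a download helper is presumably taken from the remote response or URL; filtering the joined path makes the outcome depend on what `validateInput` happens to strip rather than on a rule you control. Constrain the file name before the join, `$save_as = basename($save_as);` and reject an empty result, so the download can never leave `$save_dir` whatever the filter does. `@fopen($dest_file, 'wb')` then keeps its existing error path unchanged. The method begins outside the hunk.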
@@ -232,23 +232,28 @@ class PEAR_Installer extends PEAR_Common $fp = fopen($orig_file, "r"); $contents = fread($fp, filesize($orig_file)); fclose($fp); - if(!class_exists('G')){ - $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); - $docuroot = explode( '/', $realdocuroot ); - array_pop( $docuroot ); - $pathhome = implode( '/', $docuroot ) . '/'; - array_pop( $docuroot ); - $pathTrunk = implode( '/', $docuroot ) . '/'; - require_once($pathTrunk.'gulliver/system/class.g.php'); + if(!class_exists('G')){ + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); } if (isset($atts['md5sum'])) { $md5sum = G::encryptOld($contents); } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $subst_from = $subst_to = array(); foreach ($atts['replacements'] as $a) { $to = ''; if ($a['type'] == 'php-const') { if (preg_match('/^[a-z0-9_]+$/i', $a['to'])) { + $a['to'] = $filter->validateInput($a['to']); eval("\$to = $a[to];"); } else { $this->log(0, "invalid php-const replacement: $a[to]"); 
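Review bot: `eval("\$to = $a[to];")` is still executed for every `php-const` replacement; the `preg_match('/^[a-z0-9_]+$/i', ...)` guard above already confines the string to an identifier, so the added `validateInput` call adds nothing the regex did not, while `eval` remains the construct a scanner will keep flagging. Replace the new filter line and the `eval` with a lookup that needs no code execution: `$to = defined($a['to']) ? constant($a['to']) : '';` (and log the undefined case the way the `else` branch logs invalid names). The `$md5sum = G::encryptOld($contents)` line presumably produces a checksum to compare with `$atts['md5sum']`, so it must stay MD5 whatever the wrapper is named; a one-line comment there would stop a future `encryptOld` change from breaking package verification. The remainder of the method lies outside the hunk.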
@@ -872,14 +877,14 @@ class PEAR_Installer extends PEAR_Common if (!function_exists("md5_file")) { function md5_file($filename) { - if(!class_exists('G')){ - $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); - $docuroot = explode( '/', $realdocuroot ); - array_pop( $docuroot ); - $pathhome = implode( '/', $docuroot ) . '/'; - array_pop( $docuroot ); - $pathTrunk = implode( '/', $docuroot ) . '/'; - require_once($pathTrunk.'gulliver/system/class.g.php'); + if(!class_exists('G')){ + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); } $fp = fopen($filename, "r"); if (!$fp) return null; diff --git a/gulliver/thirdparty/pear/PEAR/Registry.php b/gulliver/thirdparty/pear/PEAR/Registry.php index 0e7849327..84d57292c 100755 --- a/gulliver/thirdparty/pear/PEAR/Registry.php +++ b/gulliver/thirdparty/pear/PEAR/Registry.php @@ -165,6 +165,19 @@ class PEAR_Registry extends PEAR { $this->_assertStateDir(); $file = $this->_packageFileName($package); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file,"path"); + $fp = @fopen($file, $mode); if (!$fp) { return null; 
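Review bot: `_openPackageFile` filters the full path returned by `_packageFileName($package)`, but the only caller-controlled component is `$package`; validating it as a bare package name before building the path, for example `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $package)) { return null; }` ahead of the `_packageFileName` call, keeps the rule explicit and leaves the registry directory untouched by the filter. As written, a path rewritten by the filter can still pass `@fopen` and silently create a stray file in registry state. The `md5_file` hunk above is whitespace only. The rest of both methods is outside the hunk.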
@@ -425,6 +438,20 @@ class PEAR_Registry extends PEAR return $e; } $file = $this->_packageFileName($package); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file,"path"); + $ret = @unlink($file); $this->rebuildFileMap(); $this->_unlock(); diff --git a/gulliver/thirdparty/pear/SOAP/Value.php b/gulliver/thirdparty/pear/SOAP/Value.php index fd2d7b624..aafb53b7c 100755 --- a/gulliver/thirdparty/pear/SOAP/Value.php +++ b/gulliver/thirdparty/pear/SOAP/Value.php @@ -237,7 +237,16 @@ class SOAP_Attachment extends SOAP_Value public function encryptOld($string) { - return md5($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptOld($string); } } diff --git a/gulliver/thirdparty/pear/SOAP/WSDL.php b/gulliver/thirdparty/pear/SOAP/WSDL.php index e3ee87265..9e760f519 100755 --- a/gulliver/thirdparty/pear/SOAP/WSDL.php +++ b/gulliver/thirdparty/pear/SOAP/WSDL.php 
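Review bot: In the `deletePackage` hunk `$ret = @unlink($file)` runs on the filtered path and the code then calls `rebuildFileMap()` and `_unlock()` regardless of `$ret`, so if `validateInput` altered `$file` the real package file survives while the registry is rebuilt as if it were gone. Fail closed when the filter changes the string, e.g. `if ($file !== $this->_packageFileName($package)) { $this->_unlock(); return $this->raiseError('refusing to delete altered registry path'); }`, and surface an `unlink` failure instead of suppressing it with `@`. The `SOAP_Attachment::encryptOld` change on the same line merely routes `md5` through `G`, which is fine as long as `G::encryptOld` stays MD5-compatible for whatever the attachment code hashes; that expectation deserves a comment at the call.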
@@ -1106,7 +1106,16 @@ class SOAP_WSDL_Cache extends SOAP_Base public function encryptOld($string) { - return md5($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptOld($string); } } diff --git a/gulliver/thirdparty/phing/lib/Capsule.php b/gulliver/thirdparty/phing/lib/Capsule.php index be8fe46a7..693649177 100755 --- a/gulliver/thirdparty/phing/lib/Capsule.php +++ b/gulliver/thirdparty/phing/lib/Capsule.php @@ -122,8 +122,16 @@ class Capsule { // so that include "path/relative/to/templates"; can be used within templates $__old_inc_path = ini_get('include_path'); - if(is_dir($this->templatePath . PATH_SEPARATOR . $__old_inc_path)) { - ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + $path = $this->templatePath . PATH_SEPARATOR . $__old_inc_path; + if(strpos($path,":")>0){ + $firstPath = explode(":", $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + if (is_dir($firstPath[0])) { + ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + } + } else { + if(is_dir($this->templatePath . PATH_SEPARATOR . $__old_inc_path)) { + ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + } } @ini_set('track_errors', true); diff --git a/gulliver/thirdparty/phing/lib/Zip.php b/gulliver/thirdparty/phing/lib/Zip.php index 16b1222ff..40dfe5959 100755 --- a/gulliver/thirdparty/phing/lib/Zip.php +++ b/gulliver/thirdparty/phing/lib/Zip.php 
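Review bot: The new `strpos($path,":")>0` branch in `Capsule` still tests the wrong thing: it hard-codes `:` although the string was joined with `PATH_SEPARATOR` (which is `;` on Windows, where the first path itself contains a drive colon, so `explode(":")` yields `C`), and the `else` branch keeps the original `is_dir()` on a `PATH_SEPARATOR`-joined list, which can never name a directory. Both versions are really asking whether `$this->templatePath` exists, so ask that directly and drop the branching: `if (is_dir($this->templatePath)) {` / `ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path);` / `}`. The `SOAP_WSDL_Cache::encryptOld` hunk on this line is the same md5-to-`G::encryptOld` relocation as in the other libraries and changes nothing about the hash used.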
@@ -3584,7 +3584,16 @@ class Archive_Zip public function encryptCrc32($string) { - return crc32($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptCrc32($string); } } diff --git a/gulliver/thirdparty/tcpdf/tcpdf.php b/gulliver/thirdparty/tcpdf/tcpdf.php index 7a3594c2e..5e96dd903 100644 --- a/gulliver/thirdparty/tcpdf/tcpdf.php +++ b/gulliver/thirdparty/tcpdf/tcpdf.php @@ -29708,7 +29708,16 @@ Putting 1 is equivalent to putting 0 and calling Ln() just after. Default value: public function encryptOld($string) { - return md5($string); + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + return G::encryptOld($string); } } // END OF TCPDF CLASS diff --git a/workflow/engine/bin/cron.php b/workflow/engine/bin/cron.php index 9ab67a4ad..b3d4774f5 100755 --- a/workflow/engine/bin/cron.php +++ b/workflow/engine/bin/cron.php 
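Review bot: TCPDF's `encryptOld` is the one wrapper in this set where the algorithm is externally fixed: if this method feeds the standard-security-handler key derivation or object encryption (not visible in the hunk), the PDF specification mandates MD5 there, and any future change to `G::encryptOld` would produce documents readers cannot open. Add `// PDF standard security handler requires MD5; G::encryptOld must stay md5()-compatible` above the `return`, or call `md5()` directly with a scanner-suppression justification. The phing copy of `Archive_Zip::encryptCrc32` on the same line has the same constraint for the ZIP CRC field. Loading `G` via `$_SERVER['DOCUMENT_ROOT']` from inside a PDF library also fails under CLI, where that variable is normally unset and the computed path degenerates to `/gulliver/system/class.g.php`.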
@@ -33,6 +33,12 @@ $e_all = defined('E_DEPRECATED') ? E_ALL & ~E_DEPRECATED : E_ALL; $e_all = defined('E_STRICT') ? $e_all & ~E_STRICT : $e_all; $e_all = $config['debug'] ? $e_all : $e_all & ~E_NOTICE; +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$config['debug'] = $filter->validateInput($config['debug']); +$config['memory_limit'] = $filter->validateInput($config['memory_limit']); +$config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); +$config['time_zone'] = $filter->validateInput($config['time_zone']); // Do not change any of these settings directly, use env.ini instead ini_set('display_errors', $config['debug']); ini_set('error_reporting', $e_all); diff --git a/workflow/engine/bin/cron_single.php b/workflow/engine/bin/cron_single.php index 4d7b59945..205e981b3 100755 --- a/workflow/engine/bin/cron_single.php +++ b/workflow/engine/bin/cron_single.php @@ -90,6 +90,12 @@ if (!defined('PATH_HOME')) { $e_all = defined('E_STRICT') ? $e_all & ~E_STRICT : $e_all; $e_all = $config['debug'] ? $e_all : $e_all & ~E_NOTICE; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $config['debug'] = $filter->validateInput($config['debug']); + $config['memory_limit'] = $filter->validateInput($config['memory_limit']); + $config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); + $config['time_zone'] = $filter->validateInput($config['time_zone']); // Do not change any of these settings directly, use env.ini instead ini_set('display_errors', $config['debug']); ini_set('error_reporting', $e_all); 
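Review bot: In `cron.php` the new filter block sits after `$e_all = $config['debug'] ? $e_all : $e_all & ~E_NOTICE;`, so `debug` is consumed once raw and once filtered; move the `G::LoadSystem('inputfilter')` block above the three `$e_all` lines so a single sanitized value drives both the error level and `ini_set('display_errors', ...)`. The same ordering applies to the identical block in `cron_single.php`. `memory_limit` and `time_zone` go through the default filter mode while `wsdl_cache` gets `'int'`; `display_errors` is effectively boolean, so `$filter->validateInput($config['debug'], 'int')` would be the consistent choice, and `time_zone` could be checked with `in_array($config['time_zone'], DateTimeZone::listIdentifiers(), true)` instead of a generic scrub. Since `env.ini` is an administrator-owned file, this is defence in depth rather than a fix for untrusted input, and a comment saying so would stop someone later relaxing the checks as redundant.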
@@ -355,8 +361,8 @@ Bootstrap::registerClass('wsResponse', PATH_HOME . "engine/classes/clas Bootstrap::registerClass("PMLicensedFeatures", PATH_HOME . "engine" . PATH_SEP . "classes" . PATH_SEP . "class.licensedFeatures.php"); Bootstrap::registerClass("AddonsManagerPeer", PATH_HOME . "engine" . PATH_SEP . "classes" . PATH_SEP . "model" . PATH_SEP . "AddonsManagerPeer.php"); -/*----------------------------------********---------------------------------*/ -Bootstrap::registerClass('dashboards', PATH_HOME . "engine/classes/class.dashboards.php"); +/*----------------------------------********---------------------------------*/ +Bootstrap::registerClass('dashboards', PATH_HOME . "engine/classes/class.dashboards.php"); /*----------------------------------********---------------------------------*/ $arrayClass = array("Configuration", "EmailServer", "ListInbox", "ListParticipatedHistory"); @@ -371,18 +377,18 @@ foreach ($arrayClass as $value) { G::LoadClass("serverConfiguration"); G::LoadClass("dates"); //Load Criteria -/*----------------------------------********---------------------------------*/ -global $dateInit; -global $dateFinish; +/*----------------------------------********---------------------------------*/ +global $dateInit; +global $dateFinish; /*----------------------------------********---------------------------------*/ if (!defined('SYS_SYS')) { $sObject = $argv[1]; $sNow = $argv[2]; $dateSystem = $argv[3]; - /*----------------------------------********---------------------------------*/ - $dateInit = null; - $dateFinish = null; + /*----------------------------------********---------------------------------*/ + $dateInit = null; + $dateFinish = null; /*----------------------------------********---------------------------------*/ $sFilter = ''; 
@@ -527,17 +533,17 @@ function processWorkspace() resendEmails(); unpauseApplications(); calculateDuration(); - /*----------------------------------********---------------------------------*/ - calculateAppDuration(); + /*----------------------------------********---------------------------------*/ + calculateAppDuration(); /*----------------------------------********---------------------------------*/ executeEvents($sLastExecution); executeScheduledCases(); executeUpdateAppTitle(); executeCaseSelfService(); executePlugins(); - /*----------------------------------********---------------------------------*/ - fillReportByUser(); - fillReportByProcess(); + /*----------------------------------********---------------------------------*/ + fillReportByUser(); + fillReportByProcess(); /*----------------------------------********---------------------------------*/ } catch (Exception $oError) { saveLog("main", "error", "Error processing workspace : " . $oError->getMessage() . "\n"); 
@@ -728,29 +734,29 @@ function calculateDuration() } } -/*----------------------------------********---------------------------------*/ -function calculateAppDuration() -{ - global $sFilter; - - if ($sFilter != '' && strpos($sFilter, 'calculateapp') === false) { - return false; - } - - setExecutionMessage("Calculating Duration by Application"); - - try { - $oApplication = new Application(); - $oApplication->calculateAppDuration(1); - - setExecutionResultMessage('DONE'); - saveLog('calculateDurationByApp', 'action', 'Calculating Duration by Application'); - } catch (Exception $oError) { - setExecutionResultMessage('WITH ERRORS', 'error'); - eprintln(" '-".$oError->getMessage(), 'red'); - saveLog('calculateDurationByApp', 'error', 'Error Calculating Duration: ' . $oError->getMessage()); - } -} +/*----------------------------------********---------------------------------*/ +function calculateAppDuration() +{ + global $sFilter; + + if ($sFilter != '' && strpos($sFilter, 'calculateapp') === false) { + return false; + } + + setExecutionMessage("Calculating Duration by Application"); + + try { + $oApplication = new Application(); + $oApplication->calculateAppDuration(1); + + setExecutionResultMessage('DONE'); + saveLog('calculateDurationByApp', 'action', 'Calculating Duration by Application'); + } catch (Exception $oError) { + setExecutionResultMessage('WITH ERRORS', 'error'); + eprintln(" '-".$oError->getMessage(), 'red'); + saveLog('calculateDurationByApp', 'error', 'Error Calculating Duration: ' . $oError->getMessage()); + } +} /*----------------------------------********---------------------------------*/ function executeEvents($sLastExecution, $sNow=null) 
@@ -1095,66 +1101,66 @@ function setExecutionResultMessage($m, $t='') eprintln("[$m]", $c); } -/*----------------------------------********---------------------------------*/ -function fillReportByUser () -{ - try { - global $sFilter; - global $dateInit; - global $dateFinish; - - if (strpos($sFilter, 'report_by_user') === false) { - return false; - } - if ($dateInit == null) { - eprintln("You must enter the starting date.", "red"); - eprintln('Example: +init-date"YYYY-MM-DD HH:MM:SS" +finish-date"YYYY-MM-DD HH:MM:SS"', "red"); - return false; - } - - $dateFinish = ($dateFinish != null) ? $dateFinish : date("Y-m-d H:i:s"); - - $appcv = new AppCacheView(); - $appcv->setPathToAppCacheFiles( PATH_METHODS . 'setup' . PATH_SEP . 'setupSchemas' . PATH_SEP ); - setExecutionMessage("Calculating data to fill the 'User Reporting'..."); - $appcv->fillReportByUser($dateInit, $dateFinish); - setExecutionResultMessage("DONE"); - } catch (Exception $e) { - setExecutionResultMessage("WITH ERRORS", "error"); - eprintln(" '-" . $e->getMessage(), "red"); - saveLog("fillReportByUser", "error", "Error in fill report by user: " . $e->getMessage()); - } -} - -function fillReportByProcess () -{ - try { - global $sFilter; - global $dateInit; - global $dateFinish; - - if (strpos($sFilter, 'report_by_process') === false) { - return false; - } - - if ($dateInit == null) { - eprintln("You must enter the starting date.", "red"); - eprintln('Example: +init-date"YYYY-MM-DD HH:MM:SS" +finish-date"YYYY-MM-DD HH:MM:SS"', "red"); - return false; - } - - $dateFinish = ($dateFinish != null) ? $dateFinish : date("Y-m-d H:i:s"); - $appcv = new AppCacheView(); - $appcv->setPathToAppCacheFiles( PATH_METHODS . 'setup' . PATH_SEP . 'setupSchemas' . 
PATH_SEP ); - - setExecutionMessage("Calculating data to fill the 'Process Reporting'..."); - $appcv->fillReportByProcess($dateInit, $dateFinish); - setExecutionResultMessage("DONE"); - } catch (Exception $e) { - setExecutionResultMessage("WITH ERRORS", "error"); - eprintln(" '-" . $e->getMessage(), "red"); - saveLog("fillReportByProcess", "error", "Error in fill report by process: " . $e->getMessage()); - } -} +/*----------------------------------********---------------------------------*/ +function fillReportByUser () +{ + try { + global $sFilter; + global $dateInit; + global $dateFinish; + + if (strpos($sFilter, 'report_by_user') === false) { + return false; + } + if ($dateInit == null) { + eprintln("You must enter the starting date.", "red"); + eprintln('Example: +init-date"YYYY-MM-DD HH:MM:SS" +finish-date"YYYY-MM-DD HH:MM:SS"', "red"); + return false; + } + + $dateFinish = ($dateFinish != null) ? $dateFinish : date("Y-m-d H:i:s"); + + $appcv = new AppCacheView(); + $appcv->setPathToAppCacheFiles( PATH_METHODS . 'setup' . PATH_SEP . 'setupSchemas' . PATH_SEP ); + setExecutionMessage("Calculating data to fill the 'User Reporting'..."); + $appcv->fillReportByUser($dateInit, $dateFinish); + setExecutionResultMessage("DONE"); + } catch (Exception $e) { + setExecutionResultMessage("WITH ERRORS", "error"); + eprintln(" '-" . $e->getMessage(), "red"); + saveLog("fillReportByUser", "error", "Error in fill report by user: " . $e->getMessage()); + } +} + +function fillReportByProcess () +{ + try { + global $sFilter; + global $dateInit; + global $dateFinish; + + if (strpos($sFilter, 'report_by_process') === false) { + return false; + } + + if ($dateInit == null) { + eprintln("You must enter the starting date.", "red"); + eprintln('Example: +init-date"YYYY-MM-DD HH:MM:SS" +finish-date"YYYY-MM-DD HH:MM:SS"', "red"); + return false; + } + + $dateFinish = ($dateFinish != null) ? 
$dateFinish : date("Y-m-d H:i:s"); + $appcv = new AppCacheView(); + $appcv->setPathToAppCacheFiles( PATH_METHODS . 'setup' . PATH_SEP . 'setupSchemas' . PATH_SEP ); + + setExecutionMessage("Calculating data to fill the 'Process Reporting'..."); + $appcv->fillReportByProcess($dateInit, $dateFinish); + setExecutionResultMessage("DONE"); + } catch (Exception $e) { + setExecutionResultMessage("WITH ERRORS", "error"); + eprintln(" '-" . $e->getMessage(), "red"); + saveLog("fillReportByProcess", "error", "Error in fill report by process: " . $e->getMessage()); + } +} /*----------------------------------********---------------------------------*/ diff --git a/workflow/engine/bin/messageeventcron.php b/workflow/engine/bin/messageeventcron.php index 4d884768d..60d79ee13 100644 --- a/workflow/engine/bin/messageeventcron.php +++ b/workflow/engine/bin/messageeventcron.php @@ -43,7 +43,11 @@ try { G::LoadClass("system"); $config = System::getSystemConfiguration(); - + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $config['time_zone'] = $filter->validateInput($config['time_zone']); + ini_set("date.timezone", $config["time_zone"]); //CRON command options diff --git a/workflow/engine/bin/messageeventcron_single.php b/workflow/engine/bin/messageeventcron_single.php index b64d86f7c..f92ccca8e 100644 --- a/workflow/engine/bin/messageeventcron_single.php +++ b/workflow/engine/bin/messageeventcron_single.php @@ -91,6 +91,11 @@ try { $e_all = (defined("E_STRICT"))? $e_all & ~E_STRICT : $e_all; $e_all = ($config["debug"])? $e_all : $e_all & ~E_NOTICE; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $config['debug'] = $filter->validateInput($config['debug']); + $config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); + $config['time_zone'] = $filter->validateInput($config['time_zone']); //Do not change any of these settings directly, use env.ini instead ini_set("display_errors", $config["debug"]); ini_set("error_reporting", $e_all); 
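Review bot: `validateInput($config['time_zone'])` is called without a type argument, so what the default filter actually rejects is not visible in this hunk, and the value then goes straight into `ini_set("date.timezone", ...)`. Because the set of valid time zones is finite, an allow-list check is a stronger guard than a generic filter: `if (!in_array($config['time_zone'], timezone_identifiers_list(), true)) { $config['time_zone'] = 'UTC'; }` (or abort with a clear message), placed before the `ini_set`. The same unnamed-default `time_zone` filtering appears in the messageeventcron_single.php hunk below and in the bootstrap.php and sysGeneric.php hunks further down.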
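Review bot: `$config['debug']` is filtered one line after it has already been used to compute `$e_all` (`$e_all = ($config["debug"])? $e_all : $e_all & ~E_NOTICE;`), so the sanitised value never reaches the error-reporting mask; move the `G::LoadSystem`/`validateInput` block above the two `$e_all` lines. `debug` is also a boolean switch here, so a cast is a cleaner guard than a string filter: `$config['debug'] = (bool) $config['debug'];`. Note that `wsdl_cache` gets an explicit `'int'` while `debug` and `time_zone` rely on the unnamed default type, which makes it hard to tell from this hunk what is actually enforced for them.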
diff --git a/workflow/engine/bin/reindex_solr.php b/workflow/engine/bin/reindex_solr.php index 0c4795091..97206b169 100644 --- a/workflow/engine/bin/reindex_solr.php +++ b/workflow/engine/bin/reindex_solr.php @@ -207,9 +207,16 @@ if (! defined ('SYS_SYS')) { define ('TIME_ZONE', $config ['time_zone']); date_default_timezone_set (TIME_ZONE); - print "TIME_ZONE: " . TIME_ZONE . "\n"; - print "MEMCACHED_ENABLED: " . MEMCACHED_ENABLED . "\n"; - print "MEMCACHED_SERVER: " . MEMCACHED_SERVER . "\n"; + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $TIME_ZONE = $filter->xssFilterHard(TIME_ZONE); + $MEMCACHED_ENABLED = $filter->xssFilterHard(MEMCACHED_ENABLED); + $MEMCACHED_SERVER = $filter->xssFilterHard(MEMCACHED_SERVER); + + print "TIME_ZONE: " . $TIME_ZONE . "\n"; + print "MEMCACHED_ENABLED: " . $MEMCACHED_ENABLED . "\n"; + print "MEMCACHED_SERVER: " . $MEMCACHED_SERVER . "\n"; // **************************************** include_once (PATH_HOME . 'engine' . PATH_SEP . 'config' . PATH_SEP . 'paths_installed.php'); diff --git a/workflow/engine/bin/verify_solr.php b/workflow/engine/bin/verify_solr.php index 5466c7362..0139902ba 100644 --- a/workflow/engine/bin/verify_solr.php +++ b/workflow/engine/bin/verify_solr.php 
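Review bot: From its name, `xssFilterHard` looks like an HTML-output filter, but these `print` lines write to the stdout of a CLI/cron script, so the escaping does not match the sink, and `TIME_ZONE` has already been consumed by `date_default_timezone_set (TIME_ZONE)` on the line above before it is filtered. If the intent is to stop an untrusted `time_zone` from reaching PHP, validate it before the `define`: `if (!in_array($config['time_zone'], timezone_identifiers_list(), true)) { die("Invalid time_zone in configuration\n"); }`, after which the original three `print` lines can stay as they were. The verify_solr.php hunk that follows has the identical shape and the same issue.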
@@ -139,9 +139,16 @@ if (! defined ('SYS_SYS')) { define ('TIME_ZONE', $config ['time_zone']); date_default_timezone_set (TIME_ZONE); - print "TIME_ZONE: " . TIME_ZONE . "\n"; - print "MEMCACHED_ENABLED: " . MEMCACHED_ENABLED . "\n"; - print "MEMCACHED_SERVER: " . MEMCACHED_SERVER . "\n"; + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $TIME_ZONE = $filter->xssFilterHard(TIME_ZONE); + $MEMCACHED_ENABLED = $filter->xssFilterHard(MEMCACHED_ENABLED); + $MEMCACHED_SERVER = $filter->xssFilterHard(MEMCACHED_SERVER); + + print "TIME_ZONE: " . $TIME_ZONE . "\n"; + print "MEMCACHED_ENABLED: " . $MEMCACHED_ENABLED . "\n"; + print "MEMCACHED_SERVER: " . $MEMCACHED_SERVER . "\n"; // **************************************** include_once (PATH_HOME . 'engine' . PATH_SEP . 'config' . PATH_SEP . 'paths_installed.php'); diff --git a/workflow/engine/controllers/installer.php b/workflow/engine/controllers/installer.php index 737653c5a..e0248996e 100755 --- a/workflow/engine/controllers/installer.php +++ b/workflow/engine/controllers/installer.php @@ -699,6 +699,9 @@ class Installer extends Controller try { $db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname; + $db_host = $filter->validateInput($db_host); + $db_username = $filter->validateInput($db_username); + $db_password = $filter->validateInput($db_password); $this->link = @mysql_connect( $db_host, $db_username, $db_password ); $this->installLog( G::LoadTranslation('ID_CONNECT_TO_SERVER', SYS_LANG, Array($db_hostname, $db_port, $db_username ) )); 
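Review bot: Running `$db_password` through `validateInput` with the default type can silently alter a legitimate password (any character the filter strips or rewrites changes the credential), so a valid install can fail with a misleading `ID_CONNECT_TO_SERVER` log entry; the credentials are passed to `mysql_connect` as separate arguments rather than interpolated, so they gain nothing from string filtering here. `$db_host` is the value worth pinning, e.g. `if (!preg_match('/^[A-Za-z0-9.\-]+(:\d+)?$/', $db_host)) { throw new Exception('Invalid database host'); }`, extended if socket paths must be supported. `$filter` is not defined in this hunk, so it presumably comes from earlier in the method, which starts outside the hunk. The same three `validateInput` lines are added in the `@@ -1032` and `@@ -1231` hunks of this file.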
@@ -1032,6 +1035,9 @@ class Installer extends Controller try { $db_host = ($db_port != '' && $db_port != 1433) ? $db_hostname . ':' . $db_port : $db_hostname; + $db_host = $filter->validateInput($db_host); + $db_username = $filter->validateInput($db_username); + $db_password = $filter->validateInput($db_password); $this->link = @mssql_connect( $db_host, $db_username, $db_password ); $this->installLog( G::LoadTranslation('ID_CONNECT_TO_SERVER', SYS_LANG, Array( $db_hostname, $db_port, $db_username )) ); @@ -1231,6 +1237,9 @@ class Installer extends Controller $info = new stdclass(); if ($_REQUEST['db_engine'] == 'mysql') { + $_REQUEST['db_hostname'] = $filter->validateInput($_REQUEST['db_hostname']); + $_REQUEST['db_username'] = $filter->validateInput($_REQUEST['db_username']); + $_REQUEST['db_password'] = $filter->validateInput($_REQUEST['db_password']); $link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $query = "show databases like '%s' "; @@ -1296,6 +1305,7 @@ class Installer extends Controller } $db_host = ($db_port != '' && $db_port != 1433) ? $db_hostname . ':' . $db_port : $db_hostname; + $link = @mysql_connect( $db_host, $db_username, $db_password ); if (! $link) { $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG'); @@ -1348,6 +1358,7 @@ class Installer extends Controller } $db_host = ($db_port != '' && $db_port != 1433) ? $db_hostname . ':' . $db_port : $db_hostname; + $link = @mssql_connect( $db_host, $db_username, $db_password ); if (! $link) { $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG'); 
@@ -1661,6 +1672,7 @@ class Installer extends Controller $wf = trim( $_REQUEST['wfDatabase'] ); $db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname; + $link = @mysql_connect( $db_host, $db_username, $db_password ); @mysql_select_db($wf, $link); $res = mysql_query( "SELECT STORE_ID FROM ADDONS_MANAGER WHERE ADDON_NAME = '" . $namePlugin . "'", $link ); diff --git a/workflow/engine/methods/setup/setup.php b/workflow/engine/methods/setup/setup.php index 022c36cff..978cddd1c 100755 --- a/workflow/engine/methods/setup/setup.php +++ b/workflow/engine/methods/setup/setup.php @@ -33,7 +33,6 @@ G::LoadSystem('inputfilter'); $filter = new InputFilter(); $_GET['i18'] = $filter->xssFilterHard($_GET['i18']); $_GET['newSite'] = $filter->xssFilterHard($_GET['newSite']); -$_GET['module'] = $filter->xssFilterHard($_GET['module']); if (($RBAC_Response = $RBAC->userCanAccess( "PM_SETUP" )) != 1) return $RBAC_Response; @@ -78,10 +77,10 @@ foreach ($toolItems as $item) { $G_PUBLISH->AddContent( 'template', '', '', '', $template ); G::RenderPage( 'publish' ); if (isset( $_GET['module'] )) { - + $module = $filter->xssFilterHard($_GET['module']); print " "; } diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php index b6578b3e3..e81f79ccd 100755 --- a/workflow/engine/methods/setup/skin_Ajax.php +++ b/workflow/engine/methods/setup/skin_Ajax.php @@ -319,9 +319,9 @@ function importSkin () function exportSkin ($skinToExport = "") { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); try { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); if (! isset( $_REQUEST['SKIN_FOLDER_ID'] )) { throw (new Exception( G::LoadTranslation( 'ID_SKIN_NAME_REQUIRED' ) )); } 
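Review bot: The filtered value is assigned to a new `$module` variable inside the `isset( $_GET['module'] )` block, but nothing visible in the hunk reads `$module`; if the `print` that follows still emits `$_GET['module']` (its content appears garbled in this rendering), moving the `xssFilterHard` call out of the top-level filtering has removed the escaping rather than relocated it. Either make that output use `$module`, or keep the original top-level line `$_GET['module'] = $filter->xssFilterHard($_GET['module']);` that the first hunk deletes.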
@@ -356,19 +356,23 @@ function exportSkin ($skinToExport = "") $response['success'] = true; $response['message'] = $skinTar; G::auditLog("ExportSkin", "Skin Name: ".$skinName); + + $response = $filter->xssFilterHard($response); + print_r( G::json_encode( $response ) ); } catch (Exception $e) { $response['success'] = false; $response['message'] = $e->getMessage(); + $response = $filter->xssFilterHard($response); print_r( G::json_encode( $response ) ); } } function deleteSkin () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); try { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']); if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) { @@ -389,6 +393,7 @@ function deleteSkin () } catch (Exception $e) { $response['success'] = false; $response['error'] = $response['message'] = $e->getMessage(); + $response = $filter->xssFilterHard($response); print_r( G::json_encode( $response ) ); } } diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php b/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php index 981562d4e..9797e571c 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Consolidated.php @@ -323,11 +323,15 @@ class Consolidated $oCriteria->add($oCriteria->getNewCriterion(AppCacheViewPeer::APP_NUMBER, $search, Criteria::LIKE)); } } + + G::LoadSystem('inputfilter'); + $filter = new \InputFilter(); if ($sort != "") { $reportTable = new ReportTables(); $arrayReportTableVar = $reportTable->getTableVars($tableUid); - + $tableName = $filter->validateInput($tableName); + $sort = $filter->validateInput($sort); if (in_array($sort, $arrayReportTableVar)) { $sort = strtoupper($sort); eval("\$field = " . $tableName . "Peer::" . $sort . ";"); diff --git a/workflow/engine/test/bootstrap/unit.php b/workflow/engine/test/bootstrap/unit.php index bf534e841..df960121d 100755 
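Review bot: `$filter->xssFilterHard($response)` is applied to the whole `$response` array, which holds `$response['success']` as a boolean; unless the filter is array-aware and type-preserving (not visible here), the JSON produced by `G::json_encode` may change shape (for example `true` becoming a string) and break the client that reads `success`. Filtering only the user-derived string is safer and keeps the flag intact: `$response['message'] = $filter->xssFilterHard($response['message']);`. The same whole-array call is added in the `@@ -389` hunk of deleteSkin.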
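Review bot: `$tableName` still reaches `eval("\$field = " . $tableName . "Peer::" . $sort . ";")` with only the default `validateInput` applied, and what that default rejects is not visible here; `$sort` is checked against `$arrayReportTableVar`, but with a non-strict `in_array`. The eval is unnecessary for reading a class constant: `$field = constant($tableName . 'Peer::' . $sort);` gives the same result without executing generated code, and `$tableName` can be pinned to an identifier shape first, `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $tableName)) { throw new \Exception('Invalid table name'); }`, with the membership test tightened to `in_array($sort, $arrayReportTableVar, true)`. The enclosing method starts and ends outside the hunk.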
--- a/workflow/engine/test/bootstrap/unit.php +++ b/workflow/engine/test/bootstrap/unit.php @@ -61,8 +61,9 @@ //$_test_dir = realpath(dirname(__FILE__).'/..'); //require_once( 'lime/lime.php'); - - require_once (PATH_GULLIVER . "class.bootstrap.php"); + if(file_exists(PATH_GULLIVER . "class.bootstrap.php")) { + require_once (PATH_GULLIVER . "class.bootstrap.php"); + } spl_autoload_register(array('Bootstrap', 'autoloadClass')); Bootstrap::registerClass('G', PATH_GULLIVER . "class.g.php"); Bootstrap::registerClass('System', PATH_HOME . "engine/classes/class.system.php"); diff --git a/workflow/public_html/bootstrap.php b/workflow/public_html/bootstrap.php index 276713bcf..b9f385999 100755 --- a/workflow/public_html/bootstrap.php +++ b/workflow/public_html/bootstrap.php @@ -69,6 +69,13 @@ //$e_all = $config['debug'] ? $e_all : $e_all & ~E_NOTICE; //$e_all = E_ALL & ~ E_DEPRECATED & ~ E_STRICT & ~ E_NOTICE & ~E_WARNING; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $config['display_errors'] = $filter->validateInput($config['display_errors']); + $config['error_reporting'] = $filter->validateInput($config['error_reporting']); + $config['memory_limit'] = $filter->validateInput($config['memory_limit']); + $config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); + $config['time_zone'] = $filter->validateInput($config['time_zone']); // Do not change any of these settings directly, use env.ini instead ini_set( 'display_errors', $config['display_errors']); ini_set( 'error_reporting', $config['error_reporting']); diff --git a/workflow/public_html/sysGeneric.php b/workflow/public_html/sysGeneric.php index c4af872b7..d6714eec3 100755 --- a/workflow/public_html/sysGeneric.php +++ b/workflow/public_html/sysGeneric.php 
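Review bot: Guarding the `require_once` with `file_exists` turns a missing `class.bootstrap.php` into a silent skip, and the very next line, `spl_autoload_register(array('Bootstrap', 'autoloadClass'))`, will then most likely fail on the undefined class with a less useful error than the original include failure. If the guard is meant to satisfy a static-analysis finding about the include path, keep it but fail explicitly: `} else { die('class.bootstrap.php not found in ' . PATH_GULLIVER); }`.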
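Review bot: `display_errors` and `error_reporting` are filtered with the unnamed default type while `wsdl_cache` gets `'int'`; if `error_reporting` is stored as a numeric mask it should get the same treatment, e.g. `$config['error_reporting'] = $filter->validateInput($config['error_reporting'], 'int');`, and `memory_limit` (values such as `256M`) needs a shape check rather than a generic filter, e.g. `if (!preg_match('/^\d+[KMG]?$/i', $config['memory_limit'])) { $config['memory_limit'] = '-1'; }` or a hard failure. Whether the default type accepts or mangles these values cannot be told from this hunk. The same five-line block is duplicated in the sysGeneric.php `@@ -303` hunk; a single helper that validates `$config` once would keep the two copies from drifting.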
@@ -303,6 +303,20 @@ session_start(); //$e_all = $config['debug'] ? $e_all : $e_all & ~ E_NOTICE; //$e_all = E_ALL & ~ E_DEPRECATED & ~ E_STRICT & ~ E_NOTICE & ~E_WARNING; +//Call Gulliver Classes +Bootstrap::LoadThirdParty("smarty/libs", "Smarty.class"); + +//Loading the autoloader libraries feature +Bootstrap::registerSystemClasses(); + +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$config['display_errors'] = $filter->validateInput($config['display_errors']); +$config['error_reporting'] = $filter->validateInput($config['error_reporting']); +$config['memory_limit'] = $filter->validateInput($config['memory_limit']); +$config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int'); +$config['time_zone'] = $filter->validateInput($config['time_zone']); + // Do not change any of these settings directly, use env.ini instead ini_set( 'display_errors', $config['display_errors']); ini_set( 'error_reporting', $config['error_reporting']); @@ -334,15 +348,7 @@ define( 'PATH_C', (rtrim( Bootstrap::sys_get_temp_dir(), PATH_SEP ) . PATH_SEP) define( 'PATH_LANGUAGECONT', PATH_HOME . 'engine/content/languages/' ); } -//Call Gulliver Classes -Bootstrap::LoadThirdParty("smarty/libs", "Smarty.class"); - -//Loading the autoloader libraries feature -Bootstrap::registerSystemClasses(); - //Load filter class -G::LoadSystem('inputfilter'); -$filter = new InputFilter(); $skinPathErrors = G::skinGetPathToSrcByVirtualUri("errors", $config); $skinPathUpdate = G::skinGetPathToSrcByVirtualUri("update", $config);
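Review bot: The `//Load filter class` comment left in the `@@ -334` hunk now sits above `$skinPathErrors` while the lines it described were moved up into the `@@ -303` hunk; either delete it or move it along with `G::LoadSystem('inputfilter'); $filter = new InputFilter();`. Moving `Bootstrap::LoadThirdParty`/`Bootstrap::registerSystemClasses` and the filter construction above the `ini_set` calls also changes their order relative to the `define( 'PATH_C', ...)`/`PATH_LANGUAGECONT` block; if anything in `registerSystemClasses` or `InputFilter` reads those constants, the new position breaks it, which is worth confirming since those definitions are outside the hunk.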