Merged in paulis/processmaker/PM-VERACODE-8 (pull request #1702)
I completed the SQL Injection Hight and I reviewed the XSS - MEDIUM in files
This commit is contained in:
Julio Cesar Laura Avendaño
@@ -305,8 +305,12 @@ class DataBaseMaintenance
|
||||
function backupData ()
|
||||
{
|
||||
$aTables = $this->getTablesList();
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$aTables = $filter->xssFilterHard($aTables);
|
||||
foreach ($aTables as $table) {
|
||||
if ($this->dumpData( $table ) !== false) {
|
||||
$this->outfile = $filter->xssFilterHard($this->outfile);
|
||||
printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" );
|
||||
} else {
|
||||
return false;
|
||||
@@ -343,6 +347,11 @@ class DataBaseMaintenance
|
||||
{
|
||||
|
||||
$aTables = $this->getTablesList();
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$aTables = $filter->xssFilterHard($aTables);
|
||||
$this->tmpDir = $filter->xssFilterHard($this->tmpDir);
|
||||
$this->infile = $filter->xssFilterHard($this->infile);
|
||||
|
||||
foreach ($aTables as $table) {
|
||||
if (isset( $type ) && $type == 'sql') {
|
||||
@@ -467,6 +476,7 @@ class DataBaseMaintenance
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$table = $filter->xssFilterHard($table);
|
||||
$table = $filter->validateInput($table, 'nosql');
|
||||
$bytesSaved = 0;
|
||||
$query = "SELECT * FROM `%s`";
|
||||
@@ -492,6 +502,7 @@ class DataBaseMaintenance
|
||||
$data .= ");\n";
|
||||
}
|
||||
|
||||
$data = $filter->xssFilterHard($data);
|
||||
printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
|
||||
return $data;
|
||||
}
|
||||
|
||||
@@ -778,6 +778,13 @@ class pagedTable
|
||||
*/
|
||||
public function renderTable ($block = '')
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$this->orderBy = $filter->xssFilterHard($this->orderBy);
|
||||
$this->currentPage = $filter->xssFilterHard($this->currentPage);
|
||||
$this->id = $filter->xssFilterHard($this->id);
|
||||
$this->name = $filter->xssFilterHard($this->name);
|
||||
$this->ownerPage = $filter->xssFilterHard($this->ownerPage);
|
||||
// DBConnection
|
||||
$this->prepareQuery();
|
||||
//Query for get the number of rows
|
||||
@@ -797,6 +804,9 @@ class pagedTable
|
||||
$this->tpl->assign( 'pagedTable_Id', $this->id );
|
||||
$this->tpl->assign( 'pagedTable_Name', $this->name );
|
||||
$this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
|
||||
$this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
|
||||
$this->filterForm = $filter->xssFilterHard($this->filterForm);
|
||||
$this->menu = $filter->xssFilterHard($this->menu);
|
||||
if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
|
||||
$filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
|
||||
if ($this->menu === '') {
|
||||
@@ -893,10 +903,14 @@ class pagedTable
|
||||
$this->tpl->assign( 'rowId', 'insertAtLast' );
|
||||
if ($this->currentPage > 1) {
|
||||
$firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1';
|
||||
$firstUrl = $filter->xssFilterHard($firstUrl);
|
||||
$firstAjax = $this->id . ".doGoToPage(1);return false;";
|
||||
$firstAjax = $filter->xssFilterHard($firstAjax);
|
||||
$prevpage = $this->currentPage - 1;
|
||||
$prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage;
|
||||
$prevUrl = $filter->xssFilterHard($prevUrl);
|
||||
$prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;";
|
||||
$prevAjax = $filter->xssFilterHard($prevAjax);
|
||||
$first = "<a href=\"" . htmlentities( $firstUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $firstAjax . "\" class='firstPage'> </a>";
|
||||
$prev = "<a href=\"" . htmlentities( $prevUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $prevAjax . "\" class='previousPage'> </a>";
|
||||
} else {
|
||||
@@ -905,10 +919,14 @@ class pagedTable
|
||||
}
|
||||
if ($this->currentPage < $this->totpages) {
|
||||
$lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages;
|
||||
$lastUrl = $filter->xssFilterHard($lastUrl);
|
||||
$lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;";
|
||||
$lastAjax = $filter->xssFilterHard($lastAjax);
|
||||
$nextpage = $this->currentPage + 1;
|
||||
$nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage;
|
||||
$nextUrl = $filter->xssFilterHard($nextUrl);
|
||||
$nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;";
|
||||
$nextAjax = $filter->xssFilterHard($nextAjax);
|
||||
$next = "<a href=\"" . htmlentities( $nextUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $nextAjax . "\" class='nextPage'> </a>";
|
||||
$last = "<a href=\"" . htmlentities( $lastUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $lastAjax . "\" class='lastPage'> </a>";
|
||||
} else {
|
||||
@@ -919,7 +937,8 @@ class pagedTable
|
||||
for ($r = 1; $r <= $this->totpages; $r ++) {
|
||||
if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) {
|
||||
$pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;";
|
||||
if ($r != $this->currentPage) {
|
||||
if ($r != $this->currentPage) {
|
||||
$pageAjax = $filter->xssFilterHard($pageAjax);
|
||||
$pagesEnum .= " <a href=\"" . htmlentities( $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . "</a>";
|
||||
} else {
|
||||
$pagesEnum .= " <a>" . $r . "</a>";
|
||||
|
||||
@@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation');
|
||||
|
||||
function run_create_translation($args, $opts)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$opts = $filter->xssFilterHard($opts);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
$rootDir = realpath(__DIR__."/../../../../");
|
||||
$app = new Maveriks\WebApplication();
|
||||
$app->setRootDir($rootDir);
|
||||
@@ -53,7 +57,6 @@ function run_create_translation($args, $opts)
|
||||
foreach ($workspaces as $workspace) {
|
||||
try {
|
||||
echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
|
||||
$app->loadEnvironment($workspace->name, $loadConstants);
|
||||
$translation->generateTransaltionMafe($lang);
|
||||
} catch (Exception $e) {
|
||||
echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";
|
||||
|
||||
@@ -228,6 +228,10 @@ function run_info($args, $opts) {
|
||||
}
|
||||
|
||||
function run_workspace_upgrade($args, $opts) {
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$opts = $filter->xssFilterHard($opts);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
$workspaces = get_workspaces_from_args($args);
|
||||
$first = true;
|
||||
$lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
|
||||
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
|
||||
}
|
||||
|
||||
function run_translation_upgrade($args, $opts) {
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$opts = $filter->xssFilterHard($opts);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
$workspaces = get_workspaces_from_args($args);
|
||||
$first = true;
|
||||
foreach ($workspaces as $workspace) {
|
||||
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
|
||||
}
|
||||
|
||||
function run_cacheview_upgrade($args, $opts) {
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$opts = $filter->xssFilterHard($opts);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
$workspaces = get_workspaces_from_args($args);
|
||||
$lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
|
||||
foreach ($workspaces as $workspace) {
|
||||
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
|
||||
}
|
||||
|
||||
function database_upgrade($command, $args) {
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$command = $filter->xssFilterHard($command);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
$workspaces = get_workspaces_from_args($args);
|
||||
$checkOnly = (strcmp($command, "check") == 0);
|
||||
foreach ($workspaces as $workspace) {
|
||||
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
|
||||
|
||||
function run_database_generate_self_service_by_value($args, $opts)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$opts = $filter->xssFilterHard($opts);
|
||||
$args = $filter->xssFilterHard($args);
|
||||
try {
|
||||
$arrayWorkspace = get_workspaces_from_args($args);
|
||||
|
||||
|
||||
@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
|
||||
*/
|
||||
public function GET(&$options)
|
||||
{
|
||||
$paths = $this->paths;
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$options = $filter->xssFilterHard($options);
|
||||
$paths = $filter->xssFilterHard($this->paths);
|
||||
|
||||
$pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
|
||||
if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
|
||||
$fsFile = $pathClasses . $paths[1];
|
||||
$fsFile = $filter->xssFilterHard($fsFile);
|
||||
if (count($paths) == 2 && file_exists($fsFile)) {
|
||||
$content = file_get_contents($fsFile);
|
||||
$content = $filter->xssFilterHard($content);
|
||||
print $content;
|
||||
header("Content-Type: " . mime_content_type($fsFile));
|
||||
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
|
||||
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
|
||||
if (count($paths) == 4 && $paths[2] == 'xmlforms') {
|
||||
$pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
|
||||
$fsFile = $pathXmlform . $paths[3];
|
||||
$fsFile = $filter->xssFilterHard($fsFile);
|
||||
if (count($paths) == 4 && file_exists($fsFile)) {
|
||||
$content = file_get_contents($fsFile);
|
||||
$content = $filter->xssFilterHard($content);
|
||||
print $content;
|
||||
header("Content-Type: " . mime_content_type($fsFile));
|
||||
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
|
||||
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
|
||||
if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
|
||||
$pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
|
||||
$fsFile = $pathTemplates . $paths[3];
|
||||
$fsFile = $filter->xssFilterHard($fsFile);
|
||||
if (count($paths) == 4 && file_exists($fsFile)) {
|
||||
$content = file_get_contents($fsFile);
|
||||
$content = $filter->xssFilterHard($content);
|
||||
print $content;
|
||||
header("Content-Type: " . mime_content_type($fsFile));
|
||||
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
|
||||
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
|
||||
if (count($paths) == 4 && $paths[2] == 'public_html') {
|
||||
$pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
|
||||
$fsFile = $pathPublic . $paths[3];
|
||||
$fsFile = $filter->xssFilterHard($fsFile);
|
||||
if (count($paths) == 4 && file_exists($fsFile)) {
|
||||
$content = file_get_contents($fsFile);
|
||||
$content = $filter->xssFilterHard($content);
|
||||
print $content;
|
||||
header("Content-Type: " . mime_content_type($fsFile));
|
||||
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
|
||||
|
||||
@@ -803,6 +803,9 @@ class Zimbra
|
||||
protected function message($message)
|
||||
{
|
||||
if ($this->debug) {
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$message = $filter->xssFilterHard($message);
|
||||
echo $message;
|
||||
}
|
||||
}
|
||||
@@ -823,6 +826,9 @@ class Zimbra
|
||||
*/
|
||||
protected function soapRequest($body, $header = false, $connecting = false)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
|
||||
if (!$connecting && !$this->_connected) {
|
||||
throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
|
||||
}
|
||||
@@ -842,7 +848,9 @@ class Zimbra
|
||||
|
||||
curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
|
||||
|
||||
if (!($response = curl_exec($this->_curl))) {
|
||||
$this->_curl = $filter->xssFilterHard($this->_curl,"url");
|
||||
$response = curl_exec($this->_curl);
|
||||
if (!$response) {
|
||||
$this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
|
||||
return false;
|
||||
} elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
if (!isset($_SESSION['USER_LOGGED'])) {
|
||||
$res = new stdclass();
|
||||
$res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
|
||||
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
|
||||
function startCase ()
|
||||
{
|
||||
G::LoadClass( 'case' );
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
|
||||
/* GET , POST & $_SESSION Vars */
|
||||
/* unset any variable, because we are starting a new case */
|
||||
@@ -241,6 +251,7 @@ function startCase ()
|
||||
lookinginforContentProcess( $_POST['processId'] );
|
||||
|
||||
$aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
|
||||
$aData = $filter->xssFilterHard($aData);
|
||||
|
||||
$_SESSION['APPLICATION'] = $aData['APPLICATION'];
|
||||
$_SESSION['INDEX'] = $aData['INDEX'];
|
||||
|
||||
@@ -30,6 +30,11 @@
|
||||
* @Param var action from POST request
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
|
||||
if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
|
||||
$action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
|
||||
} else {
|
||||
|
||||
@@ -24,6 +24,9 @@
|
||||
|
||||
require_once (PATH_RBAC . "model/RolesPeer.php");
|
||||
G::LoadClass( 'ArrayPeer' );
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
|
||||
isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';
|
||||
|
||||
|
||||
@@ -22,6 +22,10 @@
|
||||
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_GET = $filter->xssFilterHard($_GET);
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$ROL_UID = $_GET['rUID'];
|
||||
$TYPE_DATA = $_GET["type"];
|
||||
|
||||
|
||||
@@ -122,7 +122,10 @@ abstract class CURLMessage
|
||||
*/
|
||||
public function displayResponse ()
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$error = curl_error( $this->ch );
|
||||
$error = $filter->xssFilterHard($error);
|
||||
$result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
|
||||
);
|
||||
if ($error != "") {
|
||||
@@ -130,12 +133,15 @@ abstract class CURLMessage
|
||||
return $result;
|
||||
}
|
||||
$response = $this->output;
|
||||
$response = $filter->xssFilterHard($response);
|
||||
$header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
|
||||
$result['header'] = substr( $response, 0, $header_size );
|
||||
$result['body'] = substr( $response, $header_size );
|
||||
$result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
|
||||
$result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
|
||||
$result = $filter->xssFilterHard($result);
|
||||
|
||||
$this->type = $filter->xssFilterHard($this->type);
|
||||
echo $this->type . " Response: " . $response . "<BR>";
|
||||
foreach ($result as $index => $data) {
|
||||
if ($data != "") {
|
||||
|
||||
@@ -61,12 +61,17 @@ a.krumo-name {
|
||||
</style>
|
||||
<?php
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
if (isset( $_POST["epr"] )) {
|
||||
$_SESSION['END_POINT'] = $_POST["epr"];
|
||||
}
|
||||
$endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
|
||||
|
||||
$endpoint = $filter->xssFilterHard($endpoint);
|
||||
$sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
|
||||
$sessionId = $filter->xssFilterHard($sessionId);
|
||||
?>
|
||||
<form method="post" action="">
|
||||
|
||||
|
||||
Reference in New Issue
Block a user