correcciones

marcelo.cuiza
2015-05-05 09:55:39 -04:00
parent 8a576e4e28
commit 63cba2c262
6 changed files with 64 additions and 45 deletions


@@ -450,7 +450,7 @@ class DataBaseMaintenance
} }
} }
$sQuery = "LOCK TABLES " . implode( " READ, ", $aTables ) . " READ; "; $sQuery = 'LOCK TABLES ' . implode( ' READ, ', $aTables ) . ' READ; ';
$sQuery = $filter->preventSqlInjection($sQuery); $sQuery = $filter->preventSqlInjection($sQuery);
if (@mysql_query( $sQuery )) { if (@mysql_query( $sQuery )) {
@@ -664,7 +664,7 @@ class DataBaseMaintenance
$filter = new InputFilter(); $filter = new InputFilter();
$tablename = $filter->validateInput($tablename, 'nosql'); $tablename = $filter->validateInput($tablename, 'nosql');
$tableSchema = ""; $tableSchema = "";
$sql = "show create table `%s`; "; $sql = 'show create table `%s`; ';
$sql = $filter->preventSqlInjection($sql, array($tablename)); $sql = $filter->preventSqlInjection($sql, array($tablename));
$result = @mysql_query( $sql ); $result = @mysql_query( $sql );
if ($result) { if ($result) {
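Review bot: In the second hunk (`@@ -664`) `$tablename` is substituted into an identifier position wrapped in backticks (`show create table \`%s\``), and `preventSqlInjection` reads as a value escaper from its other call sites; value escaping does not neutralise a backtick inside an identifier, so the earlier `validateInput($tablename, 'nosql')` is the only guard on that name, and what its 'nosql' mode strips is not visible here. Unless that mode is known to reject backticks, add an explicit identifier check before the substitution, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $tablename)) { return $tableSchema; }`, or an equivalent early exit matching the method's error convention. In the first hunk the `LOCK TABLES` statement is built with `implode` and then passed to `preventSqlInjection($sQuery)` with no parameter array, so that call can only be a no-op on the already-inlined table list; where `$aTables` comes from is above the hunk. The quote-style change itself is fine; both enclosing methods start outside the hunks.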


@@ -311,7 +311,11 @@ class G
array_push( $folder_path, dirname( end( $folder_path ) ) ); //var_dump($folder_path); die; array_push( $folder_path, dirname( end( $folder_path ) ) ); //var_dump($folder_path); die;
} }
G::LoadSystem('inputfilter');
$filter = new InputFilter();
while ($parent_folder_path = array_pop( $folder_path )) { while ($parent_folder_path = array_pop( $folder_path )) {
$parent_folder_path = $filter->validateInput($parent_folder_path,"path");
if (! @is_dir( $parent_folder_path )) { if (! @is_dir( $parent_folder_path )) {
if (! @mkdir( $parent_folder_path, $rights)) { if (! @mkdir( $parent_folder_path, $rights)) {
error_log( "Can't create folder \"$parent_folder_path\""); error_log( "Can't create folder \"$parent_folder_path\"");
@@ -2719,6 +2723,12 @@ class G
imagecopyresampled( $image_p, $image, 0, 0, 0, 0, $resWidth, $resHeight, $width, $height ); imagecopyresampled( $image_p, $image, 0, 0, 0, 0, $resWidth, $resHeight, $width, $height );
$outputFn( $image_p, $saveTo ); $outputFn( $image_p, $saveTo );
if(!is_null($saveTo)) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$saveTo = $filter->validateInput($saveTo, "path");
}
@chmod( $saveTo, 0666 ); @chmod( $saveTo, 0666 );
} }
@@ -2792,7 +2802,7 @@ class G
/** /**
* Generate a numeric or alphanumeric code * Generate a numeric or alphanumeric code
* *
* @author Julio Cesar Laura Avendajuliocesar@colosa.com> * @author Julio Cesar Laura Avenda?juliocesar@colosa.com>
* @access public * @access public
* @return string * @return string
*/ */
@@ -3137,7 +3147,7 @@ class G
/*G::LoadSystem('inputfilter'); /*G::LoadSystem('inputfilter');
$filter = new InputFilter(); $filter = new InputFilter();
$c = $filter->xssFilterHard($c);*/ $c = $filter->xssFilterHard($c);*/
print ("<script language=\"javascript\">{$c}</script>") ; print ('<script language="javascript">'.$c.'</script>') ;
} }
/** /**
@@ -3158,7 +3168,7 @@ class G
$quotedReplacement = preg_quote( $replacement, '/' ); $quotedReplacement = preg_quote( $replacement, '/' );
$default = array ('/à|á|å|â/' => 'a','/è|é|ê||ë/' => 'e','/ì|í|î/' => 'i','/ò|ó|ô|ø/' => 'o','/ù|ú|ů|û/' => 'u','/ç/' => 'c','/ñ/' => 'n','/ä|æ/' => 'ae','/ö/' => 'oe','/ü/' => 'ue','/Ä/' => 'Ae','/Ü/' => 'Ue','/Ö/' => 'Oe','/ß/' => 'ss','/\.|\,|\:|\-|\\|\//' => " ",'/\\s+/' => $replacement $default = array ('/à|á|å|â/' => 'a','/è|é|ê|?|ë/' => 'e','/ì|í|î/' => 'i','/ò|ó|ô|ø/' => 'o','/ù|ú|u|û/' => 'u','/ç/' => 'c','/ñ/' => 'n','/ä|æ/' => 'ae','/ö/' => 'oe','/ü/' => 'ue','/Ä/' => 'Ae','/Ü/' => 'Ue','/Ö/' => 'Oe','/ß/' => 'ss','/\.|\,|\:|\-|\\|\//' => " ",'/\\s+/' => $replacement
); );
$map = array_merge( $default, $map ); $map = array_merge( $default, $map );
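Review bot: In hunk `@@ -2719` the new `validateInput($saveTo, "path")` block runs after `$outputFn( $image_p, $saveTo )` has already written the image to the unvalidated path; only the trailing `@chmod` sees the filtered value, so the check protects nothing that matters. Move the block above the `$outputFn` call, as below; the enclosing method starts outside the hunk, so confirm `$saveTo` is not already filtered earlier in it. Separately, hunk `@@ -3137` still prints `$c` into a `<script>` element with the `xssFilterHard` call left commented out; the quoting change does not alter that, and a comment stating where `$c` is expected to originate (server-side code only, or request data) would tell the next reader whether that filter should be restored.
```php
// … unchanged: image resampling …
if (!is_null($saveTo)) {
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $saveTo = $filter->validateInput($saveTo, "path");
}
$outputFn( $image_p, $saveTo );
@chmod( $saveTo, 0666 );
```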


@@ -465,7 +465,7 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm
} }
} }
$plist = implode(" ", $params); $plist = implode(" ", $params);
$cmd = "$php -C -d include_path=$cwd$ps$ip -f $run_tests -- $plist"; $cmd = $php.' -C -d include_path='.$cwd.$ps.$ip.' -f '.$run_tests.' -- '.$plist;
if (!class_exists('G')) { if (!class_exists('G')) {
$realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] );
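Review bot: `$cmd` on the new side is still a shell command assembled by concatenating `$php`, `$cwd`, `$ps`, `$ip`, `$run_tests` and `$plist` without `escapeshellarg()`, so the switch from interpolation to concatenation is cosmetic; any whitespace or shell metacharacter in those values (a workspace path with a space, for instance) breaks the command or is interpreted by the shell. Where `$params` and the path variables come from is above the hunk, so whether they can carry untrusted content cannot be seen here, but `$plist = implode(' ', array_map('escapeshellarg', $params));` together with `escapeshellarg($cwd . $ps . $ip)` and `escapeshellarg($run_tests)` would make the command robust either way. The surrounding function starts before the hunk.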


@@ -321,8 +321,13 @@ class Installer extends Controller
G::verifyPath( $aux['dirname'], true ); G::verifyPath( $aux['dirname'], true );
if (is_dir( $aux['dirname'] )) { if (is_dir( $aux['dirname'] )) {
if (! file_exists( $_REQUEST['pathLogFile'] )) { if (! file_exists( $_REQUEST['pathLogFile'] )) {
@file_put_contents( $_REQUEST['pathLogFile'], '' ); G::LoadSystem('inputfilter');
@chmod($_REQUEST['pathShared'], 0770); $filter = new InputFilter();
$pathLogFile = $filter->validateInput($_REQUEST['pathLogFile'], "path");
$pathShared = $filter->validateInput($_REQUEST['pathShared'], "path");
@file_put_contents( $pathLogFile, '' );
@chmod($pathShared, 0770);
} }
} }
} }
@@ -843,10 +848,10 @@ class Installer extends Controller
$query = sprintf( "USE %s;", $wf_workpace ); $query = sprintf( "USE %s;", $wf_workpace );
$this->mysqlQuery( $query ); $this->mysqlQuery( $query );
$query = sprintf( "UPDATE USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, md5( $adminPassword ) ); $query = sprintf( "UPDATE USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, G::encryptOld( $adminPassword ) );
$this->mysqlQuery( $query ); $this->mysqlQuery( $query );
$query = sprintf( "UPDATE RBAC_USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, md5( $adminPassword ) ); $query = sprintf( "UPDATE RBAC_USERS SET USR_USERNAME = '%s', USR_LASTNAME = '%s', USR_PASSWORD = '%s' WHERE USR_UID = '00000000000000000000000000000001' ", $adminUsername, $adminUsername, G::encryptOld( $adminPassword ) );
$this->mysqlQuery( $query ); $this->mysqlQuery( $query );
// Write the paths_installed.php file (contains all the information configured so far) // Write the paths_installed.php file (contains all the information configured so far)
@@ -1091,6 +1096,8 @@ class Installer extends Controller
} }
$this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($db_file) )); $this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($db_file) ));
$db_file = $filter->validateInput($db_file, "path");
file_put_contents( $db_file, $dbText ); file_put_contents( $db_file, $dbText );
// Generate the databases.php file // Generate the databases.php file
@@ -1111,6 +1118,8 @@ class Installer extends Controller
$databasesText = str_replace( '{dbData}', $dbData, @file_get_contents( PATH_HOME . 'engine/templates/installer/databases.tpl' ) ); $databasesText = str_replace( '{dbData}', $dbData, @file_get_contents( PATH_HOME . 'engine/templates/installer/databases.tpl' ) );
$this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($databases_file) )); $this->installLog( G::LoadTranslation('ID_CREATING', SYS_LANG, Array($databases_file) ));
$databases_file = $filter->validateInput($databases_file, "path");
file_put_contents( $databases_file, $databasesText ); file_put_contents( $databases_file, $databasesText );
//execute scripts to create and populates databases //execute scripts to create and populates databases
@@ -1237,35 +1246,35 @@ class Installer extends Controller
$info = new stdclass(); $info = new stdclass();
if ($_REQUEST['db_engine'] == 'mysql') { if ($_REQUEST['db_engine'] == 'mysql') {
$_REQUEST['db_hostname'] = $filter->validateInput($_REQUEST['db_hostname']); $db_hostname = $filter->validateInput($_REQUEST['db_hostname']);
$_REQUEST['db_username'] = $filter->validateInput($_REQUEST['db_username']); $db_username = $filter->validateInput($_REQUEST['db_username']);
$_REQUEST['db_password'] = $filter->validateInput($_REQUEST['db_password']); $db_password = $filter->validateInput($_REQUEST['db_password']);
$link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mysql_connect( $db_hostname, $db_username, $db_password );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "show databases like '%s' "; $query = "show databases like '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); $query = $filter->preventSqlInjection( $query, array($wfDatabase) );
$dataset = @mysql_query( $query, $link ); $dataset = @mysql_query( $query, $link );
$info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'mssql') { } else if ($_REQUEST['db_engine'] == 'mssql') {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mssql_connect( $db_hostname, $db_username, $db_password );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' "; $query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); $query = $filter->preventSqlInjection( $query, array($wfDatabase) );
$dataset = @mssql_query( $query , $link ); $dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'sqlsrv') { } else if ($_REQUEST['db_engine'] == 'sqlsrv') {
$arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']); $arguments = array("UID" => $db_username, "PWD" => $db_password);
$link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments); $link = @sqlsrv_connect( $db_hostname, $arguments);
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' "; $query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); $query = $filter->preventSqlInjection( $query, array($wfDatabase) );
$dataset = @sqlsrv_query( $link, $query ); $dataset = @sqlsrv_query( $link, $query );
$info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0);
} else { } else {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mssql_connect( $db_hostname, $db_username, $db_password );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql'); $wfDatabase = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' "; $query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) ); $query = $filter->preventSqlInjection( $query, array($wfDatabase) );
$dataset = @mssql_query( $query , $link ); $dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
} }
@@ -1670,6 +1679,7 @@ class Installer extends Controller
$db_password = trim( $_REQUEST['db_password'] ); $db_password = trim( $_REQUEST['db_password'] );
$db_password = $filter->validateInput($db_password); $db_password = $filter->validateInput($db_password);
$wf = trim( $_REQUEST['wfDatabase'] ); $wf = trim( $_REQUEST['wfDatabase'] );
$wf = $filter->validateInput($wf);
$db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname; $db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname;
@@ -1701,4 +1711,3 @@ class Installer extends Controller
} }
} }
} }
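Review bot: In hunk `@@ -1237` the new side replaces `$_REQUEST['db_hostname']`, `db_username` and `db_password` with the locals `$db_hostname`, `$db_username`, `$db_password`, but those locals are only assigned inside the `mysql` branch; the `mssql`, `sqlsrv` and default branches now call `mssql_connect`/`sqlsrv_connect` with undefined variables (null after a notice), unless they are assigned above the hunk, which is not visible. Hoist the three `validateInput` assignments above `if ($_REQUEST['db_engine'] == 'mysql')` so every branch uses the validated values. In hunk `@@ -321` the `file_exists` guard is still evaluated on the raw `$_REQUEST['pathLogFile']` while the write goes to the filtered `$pathLogFile`; compute `$pathLogFile` before the `file_exists` check and test the same value that is written. Both enclosing methods start outside their hunks.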


@@ -254,13 +254,13 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
switch ($_POST['TAS_ASSIGN_TYPE']) { switch ($_POST['TAS_ASSIGN_TYPE']) {
// switch verify $_POST['TAS_ASSIGN_TYPE'] // switch verify $_POST['TAS_ASSIGN_TYPE']
case 'BALANCED': case 'BALANCED':
$_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']); $USR_UID = $filter->xssFilterHard($_POST['USR_UID']);
G::LoadClass( 'user' ); G::LoadClass( 'user' );
$oUser = new User( new DBConnection() ); $oUser = new User( new DBConnection() );
$oUser->load( $_POST['USR_UID'] ); $oUser->load( $USR_UID );
$oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']); $oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
$oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']); $oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">'; echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="'.$USR_UID.'">';
break; break;
case 'MANUAL': case 'MANUAL':
$sAux = '<select name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]">'; $sAux = '<select name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]">';
@@ -311,15 +311,15 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
echo $sAux; echo $sAux;
break; break;
case 'EVALUATE': case 'EVALUATE':
$_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']); $TAS_ASSIGN_VARIABLE = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
$_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']); $APPLICATION = $filter->xssFilterHard($_SESSION['APPLICATION']);
G::LoadClass( 'application' ); G::LoadClass( 'application' );
$oApplication = new Application( new DBConnection() ); $oApplication = new Application( new DBConnection() );
$oApplication->load( $_SESSION['APPLICATION'] ); $oApplication->load( $APPLICATION );
$sUser = ''; $sUser = '';
if ($_POST['TAS_ASSIGN_VARIABLE'] != '') { if ($TAS_ASSIGN_VARIABLE != '') {
if (isset( $oApplication->Fields['APP_DATA'][str_replace( '@@', '', $_POST['TAS_ASSIGN_VARIABLE'] )] )) { if (isset( $oApplication->Fields['APP_DATA'][str_replace( '@@', '', $TAS_ASSIGN_VARIABLE )] )) {
$sUser = $oApplication->Fields['APP_DATA'][str_replace( '@@', '', $_POST['TAS_ASSIGN_VARIABLE'] )]; $sUser = $oApplication->Fields['APP_DATA'][str_replace( '@@', '', $TAS_ASSIGN_VARIABLE )];
} }
} }
if ($sUser != '') { if ($sUser != '') {
@@ -329,7 +329,7 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">'; echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
} else { } else {
$ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' )); $ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY; echo '<strong>Error: </strong>' . $TAS_ASSIGN_VARIABLE . ' ' . $ID_EMPTY;
echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">'; echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
} }
break; break;
@@ -461,14 +461,15 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] ); $cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
break; break;
case 'toRevisePanel': case 'toRevisePanel':
$_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']); $APP_UID = $filter->xssFilterHard($_POST['APP_UID']);
$_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']); $DEL_INDEX = $filter->xssFilterHard($_POST['DEL_INDEX']);
$_GET['APP_UID'] = $_POST['APP_UID']; $_GET['APP_UID'] = $APP_UID
$_GET['DEL_INDEX'] = $_POST['DEL_INDEX']; $_GET['DEL_INDEX'] = $DEL_INDEX;
$G_PUBLISH = new Publisher(); $G_PUBLISH = new Publisher();
echo '<iframe scrolling="no" style="border:none;height=300px;width:240px;"' . ' src="casesToRevisePanelExtJs?APP_UID='.$_GET['APP_UID'].'&DEL_INDEX='.$_GET['DEL_INDEX'].'"></iframe>';
echo "<iframe scrolling='no' style='border:none;height=300px;width:240px;'" . " src='casesToRevisePanelExtJs?APP_UID=$APP_UID&DEL_INDEX=$DEL_INDEX'></iframe>";
// $G_PUBLISH->AddContent( 'smarty', 'cases/cases_toRevise' ); // $G_PUBLISH->AddContent( 'smarty', 'cases/cases_toRevise' );
// $G_PUBLISH->AddContent('smarty', 'cases/cases_toReviseIn', '', '', array()); // $G_PUBLISH->AddContent('smarty', 'cases/cases_toReviseIn', '', '', array());
G::RenderPage( 'publish', 'raw' ); G::RenderPage( 'publish', 'raw' );
@@ -1025,4 +1026,3 @@ function getCasesTypeIds ()
$aTypes = Array ('to_do','draft','cancelled','sent','paused','completed','selfservice','to_revise','to_reassign'); $aTypes = Array ('to_do','draft','cancelled','sent','paused','completed','selfservice','to_revise','to_reassign');
return $aTypesID; return $aTypesID;
} }
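Review bot: The new side of hunk `@@ -461` drops the statement terminator on `$_GET['APP_UID'] = $APP_UID`, a parse error that takes the whole file down; it should read `$_GET['APP_UID'] = $APP_UID;`. In the same hunk the new `echo` interpolates `$APP_UID` and `$DEL_INDEX` straight into a single-quoted `src` attribute; `xssFilterHard` is an HTML filter whose exact behaviour is not visible here, and a query-string value belongs URL-encoded, e.g. `'?APP_UID=' . rawurlencode($APP_UID) . '&DEL_INDEX=' . rawurlencode($DEL_INDEX)`, which also keeps the attribute well-formed. The `switch` enclosing these cases begins and ends outside the hunk.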


@@ -334,9 +334,9 @@ class Consolidated
$sort = $filter->validateInput($sort); $sort = $filter->validateInput($sort);
if (in_array($sort, $arrayReportTableVar)) { if (in_array($sort, $arrayReportTableVar)) {
$sort = strtoupper($sort); $sort = strtoupper($sort);
eval("\$field = " . $tableName . "Peer::" . $sort . ";"); eval('$field = ' . $tableName . 'Peer::' . $sort . ';');
} else { } else {
eval("\$field = AppCacheViewPeer::" . $sort . ";"); eval('$field = AppCacheViewPeer::' . $sort . ';');
} }
if ($dir == "ASC") { if ($dir == "ASC") {