fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged in paulis/processmaker/PM-VERACODE-7 (pull request #1694)

Browse Source 
I completed the SQL Injection Hight and I reviewed the XSS - MEDIUM in files
This commit is contained in:
Julio Cesar Laura Avendaño
2015-03-19 00:19:18 -04:00
parent fbd49ac341 ded144d932
commit 74605790a9
17 changed files with 120 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
workflow/engine/methods/appFolder/appFolderAjax.php
View File

@@ -1,4 +1,9 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset ($_SESSION ['USER_LOGGED'])) {
$res ['success'] = false;
$res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');

8
workflow/engine/methods/cases/caseMessageHistory_Ajax.php
View File

@@ -21,6 +21,10 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$arrayToTranslation = array(
"TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == 'messageHistoryGridList_JXP') {
if (!isset($_REQUEST['start'])) {
if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
$_REQUEST['start'] = 0;
}
if (!isset($_REQUEST['limit'])) {
if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
$_REQUEST['limit'] = 20;
}

6
workflow/engine/methods/cases/cases_StepToRevise.php
View File

@@ -23,6 +23,9 @@
*/
// die("first");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();

6
workflow/engine/methods/cases/cases_StepToReviseInputs.php
View File

@@ -23,6 +23,9 @@
*/
//die("second");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();

5
workflow/engine/methods/cases/cases_StepToReviseOutputs.php
View File

@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );

5
workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
View File

@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );

3
workflow/engine/methods/cases/cases_generatePMTable.php
View File

@@ -4,6 +4,9 @@
* and open the template in the editor.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/Fields.php");
// passing the parameters

5
workflow/engine/methods/setup/appCacheViewAjax.php
View File

@@ -1,6 +1,9 @@
<?php
require_once ('classes/model/AppCacheView.php');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")