From c4032c9dcb7b68902b1d685facdfd634413cc299 Mon Sep 17 00:00:00 2001
From: "Paula V. Quispe"
Date: Mon, 4 May 2015 17:26:32 -0400
Subject: [PATCH] VERACODE: I solved some issues [May 01]
---
 .../HTMLPurifier/DefinitionCache/Serializer.php | 4 ++--
 workflow/engine/controllers/pmTablesProxy.php | 10 +++++-----
 workflow/engine/methods/users/usersAjax.php | 2 +-
 workflow/public_html/bootstrap.php | 10 +++++-----
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
index e1f40e701..bd4c21d17 100644
--- a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
+++ b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
@@ -96,7 +96,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
- $file = $filter->validateInput($file,"path");
+ $file = $filter->validateInput($file,'path');
 return unlink($file);
 }
@@ -209,7 +209,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
- $file = $filter->validateInput($file,"path");
+ $file = $filter->validateInput($file,'path');
 if(is_file($file)) {
 $result = file_put_contents($file, $data);
diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php
index 2f8350207..03700369e 100755
--- a/workflow/engine/controllers/pmTablesProxy.php
+++ b/workflow/engine/controllers/pmTablesProxy.php
@@ -671,11 +671,11 @@ class pmTablesProxy extends HttpProxyController
 $filter = new InputFilter();
 $countRow = 250;
 $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
- $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+ //$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
 if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
- $filename = $filter->xssFilterHard($filename, 'path');
- if ($oFile = fopen( $tmpfilename, 'r' )) {
+ //$filename = $filter->xssFilterHard($filename, 'path');
+ if ($oFile = fopen( $filter->xssFilterHard($tmpfilename, 'path'), 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
 $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
@@ -771,11 +771,11 @@ class pmTablesProxy extends HttpProxyController
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
- $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+ //$tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
 if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
 $filename = $filter->xssFilterHard($filename, 'path');
- if ($oFile = fopen( $tmpfilename, 'r' )) {
+ if ($oFile = fopen( $filter->xssFilterHard($tmpfilename, 'path'), 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
 $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
diff --git a/workflow/engine/methods/users/usersAjax.php b/workflow/engine/methods/users/usersAjax.php
index 051d9bb8a..50f780946 100755
--- a/workflow/engine/methods/users/usersAjax.php
+++ b/workflow/engine/methods/users/usersAjax.php
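Review bot: In both the -671 and -771 hunks the filtered path now reaches only `fopen`, while `file_get_contents( $tmpfilename )` on the `preg_match` line still reads the unfiltered `$tmpfilename`, so the commit moves the sanitiser to one sink instead of sanitising the value once. The -671 hunk additionally comments out `$filename = $filter->xssFilterHard($filename, 'path');`, leaving the user-supplied upload name unfiltered for whatever consumes it further down (outside the hunk), whereas the -771 hunk keeps that line; the two code paths should agree. Keep a single filtered assignment, `$tmpfilename = $filter->xssFilterHard($_FILES['form']['tmp_name']['CSV_FILE'], 'path');`, restore the `$filename` filter in the first hunk, and delete the commented-out lines rather than leaving dead code behind. The enclosing methods start and end outside these hunks.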
@@ -200,7 +200,7 @@ switch ($_POST['action']) {
 }
 $aData['USR_STATUS'] = $statusWF;
 $aData['USR_UID'] = $sUserUID;
- $aData['USR_PASSWORD'] = md5($sUserUID); //fake :p
+ $aData['USR_PASSWORD'] = G::encryptOld($sUserUID); //fake :p
 $aData['USR_COUNTRY'] = $form['USR_COUNTRY'];
 $aData['USR_CITY'] = $form['USR_CITY'];
 $aData['USR_LOCATION'] = $form['USR_LOCATION'];
diff --git a/workflow/public_html/bootstrap.php b/workflow/public_html/bootstrap.php
index b9f385999..3de609018 100755
--- a/workflow/public_html/bootstrap.php
+++ b/workflow/public_html/bootstrap.php
@@ -77,13 +77,13 @@
 $config['wsdl_cache'] = $filter->validateInput($config['wsdl_cache'],'int');
 $config['time_zone'] = $filter->validateInput($config['time_zone']);
 // Do not change any of these settings directly, use env.ini instead
- ini_set( 'display_errors', $config['display_errors']);
- ini_set( 'error_reporting', $config['error_reporting']);
+ ini_set( 'display_errors', $filter->validateInput($config['display_errors']));
+ ini_set( 'error_reporting', $filter->validateInput($config['error_reporting']));
 ini_set('short_open_tag', 'On');
 ini_set('default_charset', "UTF-8");
- ini_set('memory_limit', $config['memory_limit']);
+ ini_set('memory_limit', $filter->validateInput($config['memory_limit']);
 ini_set('soap.wsdl_cache_enabled', $config['wsdl_cache']);
- ini_set('date.timezone', $config['time_zone']);
+ ini_set('date.timezone', $filter->validateInput($config['time_zone']);
 define ('DEBUG_SQL_LOG', $config['debug_sql']);
 define ('DEBUG_TIME_LOG', $config['debug_time']);
@@ -713,7 +713,7 @@
 } elseif ($isRestRequest) {
 G::dispatchRestService(SYS_TARGET, $restConfig, $restApiClassPath);
 } else {
- require_once $phpFile;
+ require_once $filter->validateInput($phpFile,'path');
 }
 if (defined('SKIP_HEADERS')){
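Review bot: The stored password is still derived deterministically from `$sUserUID`, so replacing `md5` with `G::encryptOld` changes only the digest, not the fact that the value is reproducible from the UID; if this account can ever authenticate through the normal password path (not visible here), that is a guessable credential. If the intent is a placeholder that must never authenticate, derive it from a random secret instead, e.g. `$aData['USR_PASSWORD'] = G::encryptOld(bin2hex(openssl_random_pseudo_bytes(16)));`, and replace `//fake :p` with a comment stating that the value is a non-usable placeholder and why one is needed here. `G::encryptOld` is not visible in this diff; its name suggests a legacy digest, so confirm it is the hash the login code actually verifies against before treating this as a fix. The enclosing `switch` case starts and ends outside the hunk.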
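Review bot: The two new `ini_set` lines for `memory_limit` and `date.timezone` are missing a closing parenthesis (`ini_set('memory_limit', $filter->validateInput($config['memory_limit']);` opens two calls and closes one), so bootstrap.php no longer parses and every request fails before dispatch. `$config['time_zone']` is already filtered two lines above by `$config['time_zone'] = $filter->validateInput($config['time_zone']);`, so wrapping it again at `ini_set` is redundant; the same would apply to `display_errors`, `error_reporting` and `memory_limit` if they are validated where `$config` is loaded, which is outside the hunk. Change the two broken lines to `ini_set('memory_limit', $filter->validateInput($config['memory_limit']));` and `ini_set('date.timezone', $config['time_zone']);`. Since the comment says these values come from env.ini, validating each key once at load time is the cleaner place than at each `ini_set` call.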
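Review bot: `require_once $filter->validateInput($phpFile,'path');` applies a generic input filter whose behaviour is not visible here to a file that is then executed, but a filter is not a substitute for confining the include target to the directory it is supposed to come from. How `$phpFile` is built is outside the hunk; if any part of it derives from the request path, the check that matters is resolving it with `realpath()` and verifying the result stays under the expected base directory, failing closed otherwise. The sketch below keeps the `else` branch shape and uses a labelled placeholder for that base directory. The `if`/`elseif` chain this `else` belongs to starts outside the hunk.
```php
} else {
    // Pin the include target to its expected directory before executing it.
    $resolved = realpath($phpFile);
    if ($resolved === false || strpos($resolved, $allowedBaseDir /* placeholder: directory $phpFile is built from */) !== 0) {
        // fail closed (e.g. 404 / error page) instead of falling through to the include
    }
    require_once $resolved;
}
```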