I reviewed the XSS - MEDIUM in files

This commit is contained in:
Paula V. Quispe
2015-03-17 15:25:49 -04:00
parent ded144d932
commit cb1463a775
6 changed files with 83 additions and 3 deletions


@@ -228,6 +228,10 @@ function run_info($args, $opts) {
}
function run_workspace_upgrade($args, $opts) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$opts = $filter->xssFilterHard($opts);
$args = $filter->xssFilterHard($args);
$workspaces = get_workspaces_from_args($args);
$first = true;
$lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
}
function run_translation_upgrade($args, $opts) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$opts = $filter->xssFilterHard($opts);
$args = $filter->xssFilterHard($args);
$workspaces = get_workspaces_from_args($args);
$first = true;
foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
}
function run_cacheview_upgrade($args, $opts) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$opts = $filter->xssFilterHard($opts);
$args = $filter->xssFilterHard($args);
$workspaces = get_workspaces_from_args($args);
$lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
}
function database_upgrade($command, $args) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$command = $filter->xssFilterHard($command);
$args = $filter->xssFilterHard($args);
$workspaces = get_workspaces_from_args($args);
$checkOnly = (strcmp($command, "check") == 0);
foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
function run_database_generate_self_service_by_value($args, $opts)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$opts = $filter->xssFilterHard($opts);
$args = $filter->xssFilterHard($args);
try {
$arrayWorkspace = get_workspaces_from_args($args);
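Review bot: The filter block added to each function (L15-18, L25-28, L35-38, L45-48, L55-58) runs an HTML-output filter over CLI `$args`/`$opts` whose only sinks in view are `get_workspaces_from_args($args)` and a `strcmp` against `"check"` (L50); nothing in these hunks is rendered as HTML, so the filter adds no XSS protection at this layer and may silently alter a workspace name or option value before it is looked up. If the block is kept, the five copies should collapse into one helper, e.g. `list($args, $opts) = filter_cli_input($args, $opts);`, with a comment stating why CLI input is being HTML-filtered. Escaping belongs at the output sink in whichever function prints; those call sites are outside these hunks. run_database_generate_self_service_by_value continues past the last visible line.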


@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
*/
public function GET(&$options)
{
$paths = $this->paths;
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$options = $filter->xssFilterHard($options);
$paths = $filter->xssFilterHard($this->paths);
$pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
$fsFile = $pathClasses . $paths[1];
$fsFile = $filter->xssFilterHard($fsFile);
if (count($paths) == 2 && file_exists($fsFile)) {
$content = file_get_contents($fsFile);
$content = $filter->xssFilterHard($content);
print $content;
header("Content-Type: " . mime_content_type($fsFile));
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
if (count($paths) == 4 && $paths[2] == 'xmlforms') {
$pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
$fsFile = $pathXmlform . $paths[3];
$fsFile = $filter->xssFilterHard($fsFile);
if (count($paths) == 4 && file_exists($fsFile)) {
$content = file_get_contents($fsFile);
$content = $filter->xssFilterHard($content);
print $content;
header("Content-Type: " . mime_content_type($fsFile));
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
$pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
$fsFile = $pathTemplates . $paths[3];
$fsFile = $filter->xssFilterHard($fsFile);
if (count($paths) == 4 && file_exists($fsFile)) {
$content = file_get_contents($fsFile);
$content = $filter->xssFilterHard($content);
print $content;
header("Content-Type: " . mime_content_type($fsFile));
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
if (count($paths) == 4 && $paths[2] == 'public_html') {
$pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
$fsFile = $pathPublic . $paths[3];
$fsFile = $filter->xssFilterHard($fsFile);
if (count($paths) == 4 && file_exists($fsFile)) {
$content = file_get_contents($fsFile);
$content = $filter->xssFilterHard($content);
print $content;
header("Content-Type: " . mime_content_type($fsFile));
header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
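Review bot: The `xssFilterHard` call on `$fsFile` (L76, repeated at L87, L98 and L109) is an HTML-output filter, so it does not confine the request-derived `$paths[1]`/`$paths[3]` segments to `$pathClasses`, `$pathXmlform`, `$pathTemplates` or `$pathPublic`; the missing check is a containment test before `file_exists`, e.g. `$real = realpath($fsFile);` followed by `if ($real === false || strpos($real, realpath($pathClasses) . PATH_SEP) !== 0)` taking the same branch as a missing file. Filtering `$content` before `print` (L79, L90, L101, L112) rewrites the served bytes while `Content-Type` is still derived from the unmodified file on disk, which presumably breaks xmlForms and mailTemplates that legitimately contain markup; for a file download the defensible control is the response headers, e.g. adding `header('X-Content-Type-Options: nosniff');` next to the existing `Content-Type`, not mutating the body. Since `print $content` precedes the `header()` calls, those headers only take effect if output buffering is enabled, which these hunks do not show. GET() continues outside the last hunk.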


@@ -803,6 +803,9 @@ class Zimbra
protected function message($message)
{
if ($this->debug) {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$message = $filter->xssFilterHard($message);
echo $message;
}
}
@@ -823,6 +826,9 @@ class Zimbra
*/
protected function soapRequest($body, $header = false, $connecting = false)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
if (!$connecting && !$this->_connected) {
throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
}
@@ -842,7 +848,9 @@ class Zimbra
curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
if (!($response = curl_exec($this->_curl))) {
$this->_curl = $filter->xssFilterHard($this->_curl,"url");
$response = curl_exec($this->_curl);
if (!$response) {
$this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
return false;
} elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {
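Review bot: `$this->_curl = $filter->xssFilterHard($this->_curl,"url");` (L141) passes the cURL handle to the filter and overwrites the handle with whatever it returns; the surrounding `curl_setopt`/`curl_exec` calls (L139, L140, L142) show `$this->_curl` is a resource rather than a URL string, so the retry on L142 most likely runs against a broken handle and the error text built on L144 then describes that, not the original failure. If the intent is to sanitize the endpoint, the filter belongs on the string passed to `CURLOPT_URL` where the handle is configured (outside this hunk), and the retry should go: keep `if (!($response = curl_exec($this->_curl))) {` and fall straight through to the existing `$this->error` assignment. In message() (L125) the filter runs only on the debug `echo`, so a comment stating the intended output context would help the next reader, e.g. `// debug text is echoed raw; filtered in case it is viewed in a browser`. soapRequest continues outside the hunk.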


@@ -1,4 +1,9 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (!isset($_SESSION['USER_LOGGED'])) {
$res = new stdclass();
$res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
function startCase ()
{
G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
/* GET , POST & $_SESSION Vars */
/* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
lookinginforContentProcess( $_POST['processId'] );
$aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
$aData = $filter->xssFilterHard($aData);
$_SESSION['APPLICATION'] = $aData['APPLICATION'];
$_SESSION['INDEX'] = $aData['INDEX'];