Merged in paulis/processmaker/PM-VERACODE-9 (pull request #1716)

I reviewed the XSS - MEDIUM findings in these files
Julio Cesar Laura Avendaño
2015-03-19 23:59:43 -04:00
7 changed files with 39 additions and 3 deletions


@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
* *
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
global $G_TABLE; global $G_TABLE;
global $G_CONTENT; global $G_CONTENT;
global $HTTP_SESSION_VARS; global $HTTP_SESSION_VARS;
@@ -88,7 +92,8 @@
$oResult = $oLdap->search($rootDn, $sFilter, $aParams); $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
if (PEAR::isError($oResult)) { if (PEAR::isError($oResult)) {
print ( $oLdap->message); $oLdap->message = $filter->xssFilterHard($oLdap->message);
print ( $oLdap->message);
return $oResult; return $oResult;
} }
/* /*
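Review bot: The LDAP error is still written to the response with a bare `print` on line 25, and overwriting `$oLdap->message` with `xssFilterHard` on line 24 mutates the error object instead of encoding for the HTML context; the narrower fix is to leave the message untouched and escape at the output point, `print htmlspecialchars($oLdap->message, ENT_QUOTES, 'UTF-8');`. If this `search` call sits inside a function (the hunk header carries no enclosing name and the surrounding body is outside the hunk), the file-scope `$filter` created on line 16 is not visible there without a `global $filter;`. The `$HTTP_SESSION_VARS` filtering on line 17 targets the long-superglobal alias that PHP removed in 5.4, so on a current runtime that name is undefined and the call filters nothing; if session data is the concern, `$_SESSION` is the array in use.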


@@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid)
$oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX ); $oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
$oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL ); $oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
$oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL ); $oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
$oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
$oCriteria->addDescendingOrderByColumn('FLD_INDEX'); $oCriteria->addDescendingOrderByColumn('FLD_INDEX');
$oDataset = FieldsPeer::doSelectRS($oCriteria); $oDataset = FieldsPeer::doSelectRS($oCriteria);
$oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
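Review bot: The new `addAnd` on line 36 changes which fields `xgetFieldsFromPMTable` returns by excluding `APP_NUMBER`, which is a functional change unrelated to the XSS review named in the commit message and carries no explanation; a one-line comment above it, e.g. `// APP_UID and APP_NUMBER are system columns, not user-defined PM table fields` (adjusted to the real reason), would keep the intent from being lost. Using `add` followed by `addAnd` on the same `FLD_NAME` column is the right Propel 1.x form for ANDing two conditions on one column, since a second `add` would replace the first criterion. The function continues past the hunk.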


@@ -23,6 +23,11 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
function LookForChildren ($parent, $level, $aDepUsers) function LookForChildren ($parent, $level, $aDepUsers)
{ {
G::LoadClass( 'configuration' ); G::LoadClass( 'configuration' );
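Review bot: Filtering `$_REQUEST` on line 49 does not change `$_GET` or `$_COOKIE`, because `$_REQUEST` is a separately built merged copy, so any later read of those arrays in this file (not visible in the hunk) stays unfiltered; either filter them as well or, preferably, encode each value where it is written into HTML with `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`. Hard-filtering input at file entry also silently alters values that are stored or compared rather than rendered, which is harder to reason about than output encoding and can change behaviour in paths that never emit HTML. The same file-scope pattern is used in the following section (the `subDependencies` file, `$_POST` only) and in the `$request` section after it, and this point applies there too. `LookForChildren` continues beyond the hunk.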


@@ -28,6 +28,10 @@
* also the functionality of dependent fields in grids doesn't depends in this * also the functionality of dependent fields in grids doesn't depends in this
* file so this is somewhat expendable. * file so this is somewhat expendable.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
function subDependencies ($k, &$G_FORM, &$aux, $grid = '') function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
{ {
$myDependentFields = ''; $myDependentFields = '';


@@ -25,6 +25,9 @@
* @Date Aug 26th, 2009 * @Date Aug 26th, 2009
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$request = $_POST['request']; $request = $_POST['request'];
switch ($request) { switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
if (isset( $_POST['items'] )) { if (isset( $_POST['items'] )) {
$items = $_POST['items']; $items = $_POST['items'];
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE']; $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' ); G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" ); $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
break; break;
case 'saveHidden': case 'saveHidden':
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE']; $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' ); G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" ); $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
$hidden_items = Array (); $hidden_items = Array ();
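Review bot: `$tmpfilename` is concatenated into a filesystem path on lines 83 and 90 (`PATH_DYNAFORM . "{$tmpfilename}.xml"`), and an XSS filter is the wrong control for that sink: nothing here shows `xssFilterHard` rejecting `..` or directory separators, so a traversal-shaped value would presumably pass through unchanged. The value is read from `$_SESSION`, so it is likely written by the application and low risk, but if that is relied on the filter adds nothing, and if it is not, the check should be a path one such as `if (!preg_match('/^[A-Za-z0-9_-]+$/', $tmpfilename)) { throw new Exception('Invalid dynaform file name'); }` applied once before the path is built (adjust the allowed characters to the real naming scheme), rather than duplicated in both `case` branches. Separately, `$request = $_POST['request']` on line 75 reads the key with no `isset` guard and raises a notice when it is absent. The `switch` body continues beyond both hunks.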


@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
</select> <input type="submit" value="Send" /> </select> <input type="submit" value="Send" />
</form> </form>
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$test = $_POST['form']['test']; $test = $_POST['form']['test'];
if ($test) { if ($test) {
$test = $filter->xssFilterHard($test);
foreach ($test as $t) { foreach ($test as $t) {
echo 'You selected ', $t, '<br />'; echo 'You selected ', $t, '<br />';
} }
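Review bot: The submitted values are still echoed into HTML unencoded on line 105 (`echo 'You selected ', $t, '<br />';`), and a generic input filter on line 103 is a weaker guarantee than encoding at the output point; `echo 'You selected ', htmlspecialchars($t, ENT_QUOTES, 'UTF-8'), '<br />';` makes the rendering safe regardless of what the filter keeps. `foreach ($test as $t)` also assumes `$_POST['form']['test']` is an array: a scalar submission passes the truthiness test on line 102 and then triggers a warning, and a missing key raises a notice on line 101, so `$test = isset($_POST['form']['test']) ? (array) $_POST['form']['test'] : array();` would cover both. The `for` loop named in the hunk header starts before the hunk.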


@@ -29,6 +29,8 @@
$WIDTH_PANEL = 350; $WIDTH_PANEL = 350;
G::LoadSystem('inputfilter');
$filter = new InputFilter();
G::LoadClass('groups'); G::LoadClass('groups');
$groups = new Groups(); $groups = new Groups();
@@ -47,6 +49,17 @@
$UID = htmlentities($group->getGrpUid()); $UID = htmlentities($group->getGrpUid());
//$GROUP_TITLE = htmlentities($group->getGrpTitle()); //$GROUP_TITLE = htmlentities($group->getGrpTitle());
$GROUP_TITLE = strip_tags($group->getGrpTitle()); $GROUP_TITLE = strip_tags($group->getGrpTitle());
$ID_NEW = G::LoadTranslation('ID_NEW');
$ID_GROUPS = G::loadTranslation("ID_GROUPS");
$ID_EDIT = $filter->xssFilterHard($ID_EDIT);
$ID_MEMBERS = $filter->xssFilterHard($ID_MEMBERS);
$ID_DELETE = $filter->xssFilterHard($ID_DELETE);
$UID = $filter->xssFilterHard($UID);
$GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
$ID_NEW = $filter->xssFilterHard($ID_NEW);
$ID_GROUPS = $filter->xssFilterHard($ID_GROUPS);
$htmlGroup .=" $htmlGroup .="
<tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\"> <tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\">
<td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td> <td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td>
@@ -68,13 +81,13 @@
<div class="boxContentBlue"> <div class="boxContentBlue">
<table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0"> <table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0">
<tr> <tr>
<td class="userGroupTitle">'.G::loadTranslation("ID_GROUPS").'</td> <td class="userGroupTitle">'.$ID_GROUPS.'</td>
</tr> </tr>
</table> </table>
</div> </div>
<div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div> <div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.G::LoadTranslation('ID_NEW').'</a></div> <div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.$ID_NEW.'</a></div>
<div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto"> <div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto">
<table class="pagedTableDefault"><tr><td>' <table class="pagedTableDefault"><tr><td>'
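Review bot: `$GROUP_TITLE` on line 119 is produced by `strip_tags`, which removes tags but leaves `"`, `'` and stray `<` fragments intact, and it is presumably interpolated into the double-quoted `$htmlGroup` markup below the hunk; unless `xssFilterHard` is known to encode quotes (not shown here), a title containing a quote can still terminate an attribute if it lands in one. `htmlspecialchars($group->getGrpTitle(), ENT_QUOTES, 'UTF-8')` in place of `strip_tags` matches the `htmlentities` treatment `$UID` already gets on line 117, after which the extra `xssFilterHard` passes on lines 125 and 126 are redundant and, depending on the filter, may double-encode. `$ID_EDIT`, `$ID_MEMBERS` and `$ID_DELETE` are filtered on lines 122–124 but assigned outside the hunk, so their origin cannot be checked here. `$xVar` and `$RowClass` on line 130 are placed in attributes with no treatment at all; if either derives from request or database data it needs the same encoding.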