From 16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Mon, 12 Mar 2018 19:48:56 +0100
Subject: [PATCH] check input

---
 lam/templates/3rdParty/pla/htdocs/add_attr_form.php      | 2 +-
 lam/templates/3rdParty/pla/htdocs/add_oclass_form.php    | 2 +-
 lam/templates/3rdParty/pla/htdocs/compare_form.php       | 4 ++--
 lam/templates/3rdParty/pla/htdocs/copy_form.php          | 4 ++--
 lam/templates/3rdParty/pla/htdocs/delete.php             | 4 ++--
 lam/templates/3rdParty/pla/htdocs/delete_form.php        | 8 ++++----
 lam/templates/3rdParty/pla/htdocs/modify_member_form.php | 2 +-
 lam/templates/3rdParty/pla/htdocs/rdelete.php            | 2 +-
 lam/templates/3rdParty/pla/htdocs/rename_form.php        | 8 ++++----
 lam/templates/3rdParty/pla/htdocs/view_jpeg_photo.php    | 2 +-
 10 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/lam/templates/3rdParty/pla/htdocs/add_attr_form.php b/lam/templates/3rdParty/pla/htdocs/add_attr_form.php
index 52c54821..d12ea187 100644
--- a/lam/templates/3rdParty/pla/htdocs/add_attr_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/add_attr_form.php
@@ -100,7 +100,7 @@ if (get_request('meth','REQUEST') != 'ajax') {
 					echo '<input type="hidden" name="cmd" value="update" />';
 
 				printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-				printf('<input type="hidden" name="dn" value="%s" />',$request['dn']);
+				printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
 				echo '<input type="hidden" name="binary" value="true" />';
 
 				echo '<select name="single_item_attr">';
diff --git a/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php b/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php
index 0d574cba..72de0ebf 100644
--- a/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php
@@ -57,7 +57,7 @@ foreach ($ldap['attrs']['need'] as $index => $values)
 	$ldap['attrs']['need'][$index]->show();
 
 if (count($ldap['attrs']['need']) > 0) {
-	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),get_rdn($request['dn'])));
+	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
 	$request['page']->drawSubTitle();
 
 	echo '<div style="text-align: center">';
diff --git a/lam/templates/3rdParty/pla/htdocs/compare_form.php b/lam/templates/3rdParty/pla/htdocs/compare_form.php
index 520b24db..53894d76 100644
--- a/lam/templates/3rdParty/pla/htdocs/compare_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/compare_form.php
@@ -25,12 +25,12 @@ $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
 echo '<div style="text-align: center;">';
-printf('%s <b>%s</b> %s<br />',_('Compare'),get_rdn($request['dn']),_('with '));
+printf('%s <b>%s</b> %s<br />',_('Compare'),htmlspecialchars(get_rdn($request['dn'])),_('with '));
 echo '</div>';
 
 echo '<form action="cmd.php" method="post" id="compare_form">';
diff --git a/lam/templates/3rdParty/pla/htdocs/copy_form.php b/lam/templates/3rdParty/pla/htdocs/copy_form.php
index ca3c04e0..cca49661 100644
--- a/lam/templates/3rdParty/pla/htdocs/copy_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/copy_form.php
@@ -24,12 +24,12 @@ $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
 echo '<div style="text-align: center;">';
-printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
+printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
 echo '</div>';
 
 echo '<form action="cmd.php" method="post" id="copy_form">';
diff --git a/lam/templates/3rdParty/pla/htdocs/delete.php b/lam/templates/3rdParty/pla/htdocs/delete.php
index ff373199..32d8ac14 100644
--- a/lam/templates/3rdParty/pla/htdocs/delete.php
+++ b/lam/templates/3rdParty/pla/htdocs/delete.php
@@ -29,12 +29,12 @@ if ($result) {
 
 	system_message(array(
 		'title'=>_('Delete DN'),
-		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',$request['dn']),
+		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',htmlspecialchars($request['dn'])),
 		'type'=>'info'),
 		sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url));
 } else
 	system_message(array(
-		'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
+		'title'=>_('Could not delete the entry.').sprintf(' (%s)',htmlspecialchars(pretty_print_dn($request['dn']))),
 		'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
 		'type'=>'error'));
 ?>
diff --git a/lam/templates/3rdParty/pla/htdocs/delete_form.php b/lam/templates/3rdParty/pla/htdocs/delete_form.php
index e3be6389..a4d17675 100644
--- a/lam/templates/3rdParty/pla/htdocs/delete_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/delete_form.php
@@ -24,15 +24,15 @@ $request['template'] = $request['page']->getTemplate();
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
 	system_message(array(
 		'title'=>_('Entry does not exist'),
-		'body'=>sprintf(_('The entry (%s) does not exist.'),$request['dn']),
+		'body'=>sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),
 		'type'=>'error'),'index.php');
 
 # We search all children, not only the visible children in the tree
 $request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER);
 
-printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));
+printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(htmlspecialchars(get_rdn($request['dn']))));
 printf('<h3 class="subtitle">%s: <b>%s</b></h3>',
-	_('DN'),$request['dn']);
+	_('DN'),htmlspecialchars($request['dn']));
 echo "\n";
 
 echo '<center>';
@@ -109,7 +109,7 @@ if (count($request['children'])) {
 
 	printf('<tr><td style="width: 10%%;">%s:</td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',_('Server'),$app['server']->getName());
 	printf('<tr><td style="width: 10%%;"><acronym title="%s">%s</acronym></td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',
-		_('DN'),_('DN'),$request['dn']);
+		_('DN'),_('DN'),htmlspecialchars($request['dn']));
 	echo '<tr><td colspan="4">&nbsp;</td></tr>';
 	echo "\n";
 
diff --git a/lam/templates/3rdParty/pla/htdocs/modify_member_form.php b/lam/templates/3rdParty/pla/htdocs/modify_member_form.php
index 213a0e78..9385cc3d 100644
--- a/lam/templates/3rdParty/pla/htdocs/modify_member_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/modify_member_form.php
@@ -54,7 +54,7 @@ foreach ($app['server']->getBaseDN() as $base) {
 
 usort($possible_values,'pla_compare_dns');
 
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf(_('There are <b>%s</b> members in group <b>%s</b>:'),
diff --git a/lam/templates/3rdParty/pla/htdocs/rdelete.php b/lam/templates/3rdParty/pla/htdocs/rdelete.php
index 5a40a5c5..0aec2ac2 100644
--- a/lam/templates/3rdParty/pla/htdocs/rdelete.php
+++ b/lam/templates/3rdParty/pla/htdocs/rdelete.php
@@ -44,7 +44,7 @@ foreach ($request['parent'] as $dn) {
 
 	} else {
 		system_message(array(
-			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
+			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn(htmlspecialchars($request['dn']))),
 			'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
 			'type'=>'error'));
 	}
diff --git a/lam/templates/3rdParty/pla/htdocs/rename_form.php b/lam/templates/3rdParty/pla/htdocs/rename_form.php
index 8ed78c11..9c8767da 100644
--- a/lam/templates/3rdParty/pla/htdocs/rename_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/rename_form.php
@@ -21,17 +21,17 @@ $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 echo '<center>';
-printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
+printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
 
 echo '<form action="cmd.php?cmd=rename" method="post" />';
 printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
 printf('<input type="hidden" name="dn" value="%s" />',rawurlencode($request['dn']));
-printf('<input type="hidden" name="template" value="%s" />',$request['template']);
-printf('<input type="text" name="new_rdn" size="30" value="%s" />',get_rdn($request['dn']));
+printf('<input type="hidden" name="template" value="%s" />',htmlspecialchars($request['template']));
+printf('<input type="text" name="new_rdn" size="30" value="%s" />',htmlspecialchars(get_rdn($request['dn'])));
 printf('<input type="submit" value="%s" />',_('Rename'));
 echo '</form>';
 
diff --git a/lam/templates/3rdParty/pla/htdocs/view_jpeg_photo.php b/lam/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
index d52501cc..372ab5b5 100644
--- a/lam/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
+++ b/lam/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
@@ -18,7 +18,7 @@ $request['dn'] = get_request('dn','GET');
 $request['attr'] = strtolower(get_request('attr','GET',false,'jpegphoto'));
 $request['index'] = get_request('index','GET',false,0);
 $request['type'] = get_request('type','GET',false,'image/jpeg');
-$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',get_rdn($request['dn'],true)));
+$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',htmlspecialchars(get_rdn($request['dn'],true))));
 $request['location'] = get_request('location','GET',false,'ldap');
 
 switch ($request['location']) {