From f1d7aec5fc4aaf516e1d8a6f0eb3082050553302 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Mon, 12 Mar 2018 19:08:39 +0100 Subject: [PATCH] check request values --- lam/templates/3rdParty/pla/htdocs/add_attr_form.php | 2 +- lam/templates/3rdParty/pla/htdocs/add_oclass_form.php | 2 +- lam/templates/3rdParty/pla/htdocs/add_value_form.php | 4 ++-- lam/templates/3rdParty/pla/htdocs/compare.php | 4 ++-- lam/templates/3rdParty/pla/htdocs/compare_form.php | 2 +- lam/templates/3rdParty/pla/htdocs/copy.php | 4 ++-- lam/templates/3rdParty/pla/htdocs/copy_form.php | 2 +- lam/templates/3rdParty/pla/htdocs/delete.php | 2 +- lam/templates/3rdParty/pla/htdocs/delete_attr.php | 2 +- lam/templates/3rdParty/pla/htdocs/download_binary_attr.php | 4 ++-- lam/templates/3rdParty/pla/htdocs/template_engine.php | 4 ++-- lam/templates/3rdParty/pla/htdocs/update.php | 2 +- lam/templates/3rdParty/pla/htdocs/update_confirm.php | 2 +- 13 files changed, 18 insertions(+), 18 deletions(-) diff --git a/lam/templates/3rdParty/pla/htdocs/add_attr_form.php b/lam/templates/3rdParty/pla/htdocs/add_attr_form.php index a0a2996a..52c54821 100644 --- a/lam/templates/3rdParty/pla/htdocs/add_attr_form.php +++ b/lam/templates/3rdParty/pla/htdocs/add_attr_form.php @@ -17,7 +17,7 @@ $request['dn'] = get_request('dn','GET'); # Check if the entry exists. if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null)); $request['page']->setDN($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php b/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php index 87d61c5f..0d574cba 100644 --- a/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php 
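Review bot: The added `htmlspecialchars($request['dn'])` in add_attr_form.php runs with the default flags, which on the PHP versions current for this change means ENT_COMPAT: a single quote is left alone, and a DN holding invalid UTF-8 makes the call return an empty string, so the message silently drops the offending value. Prefer the explicit form `htmlspecialchars($request['dn'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so the escape also holds inside a quoted attribute and survives bad input. This is the right escape only if error() renders its message as HTML body text; that function is not in view, so confirm it neither escapes again (double encoding) nor places the message in a JavaScript context, where this escape would be the wrong one.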
+++ b/lam/templates/3rdParty/pla/htdocs/add_oclass_form.php @@ -21,7 +21,7 @@ $request['dn'] = get_request('dn','REQUEST',true); # Check if the entry exists. if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null)); $request['page']->setDN($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/add_value_form.php b/lam/templates/3rdParty/pla/htdocs/add_value_form.php index 66d9757d..d675a6fa 100644 --- a/lam/templates/3rdParty/pla/htdocs/add_value_form.php +++ b/lam/templates/3rdParty/pla/htdocs/add_value_form.php @@ -19,7 +19,7 @@ $request['attr'] = get_request('attr','GET',true); # Check if the entry exists. if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null)); $request['page']->setDN($request['dn']); @@ -105,7 +105,7 @@ if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST' foreach ($socs as $name => $oclass) { # Exclude any structural ones, that are not in the heirachy, as they'll only generate an LDAP_OBJECT_CLASS_VIOLATION if (($oclass->getType() == 'structural') && ! $oclass->isRelated($request['attribute']->getValues())) - continue; + continue; printf('',$oclass->getName(false),$oclass->getName(false)); } diff --git a/lam/templates/3rdParty/pla/htdocs/compare.php b/lam/templates/3rdParty/pla/htdocs/compare.php index ec204e1b..dc0e53dd 100644 --- a/lam/templates/3rdParty/pla/htdocs/compare.php 
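Review bot: The `dn` in add_oclass_form.php is read with `get_request('dn','REQUEST',true)`, while add_attr_form.php, compare_form.php and copy_form.php in this same patch read it from 'GET'. If get_request maps 'REQUEST' onto PHP's `$_REQUEST`, the value can also arrive from a cookie depending on `request_order`, which widens where an attacker-controlled DN may come from; unless the form actually posts the DN, `get_request('dn','GET',true)` would be the consistent choice. The third argument presumably marks the parameter as required, yet the `! $request['dn']` test on the next line suggests it does not reject an empty string, so keeping both checks is correct.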
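Review bot: In the add_value_form.php hunk only the DN is escaped, while `$request['attr']` is read from GET on the line just above the check and is equally attacker-controlled. delete_attr.php in this same patch escapes the attribute name when echoing it, so any message or markup in add_value_form.php that prints `$request['attr']` (the rest of the page, outside this hunk, builds the form around it) needs the same `htmlspecialchars($request['attr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Worth checking while this file is open rather than in a later round.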
+++ b/lam/templates/3rdParty/pla/htdocs/compare.php @@ -21,10 +21,10 @@ $ldap['SRC'] = $_SESSION[APPCONFIG]->getServer(get_request('server_id_src')); $ldap['DST'] = $_SESSION[APPCONFIG]->getServer(get_request('server_id_dst')); if (! $ldap['SRC']->dnExists($request['dnSRC'])) - error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnSRC'])),'error','index.php'); + error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnSRC']))),'error','index.php'); if (! $ldap['DST']->dnExists($request['dnDST'])) - error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnDST'])),'error','index.php'); + error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php'); $request['pageSRC'] = new PageRender($ldap['SRC']->getIndex(),get_request('template','REQUEST',false,'none')); $request['pageSRC']->setDN($request['dnSRC']); diff --git a/lam/templates/3rdParty/pla/htdocs/compare_form.php b/lam/templates/3rdParty/pla/htdocs/compare_form.php index e519c965..520b24db 100644 --- a/lam/templates/3rdParty/pla/htdocs/compare_form.php +++ b/lam/templates/3rdParty/pla/htdocs/compare_form.php @@ -18,7 +18,7 @@ $request['dn'] = get_request('dn','GET'); # Check if the entry exists. if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none')); $request['page']->setDN($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/copy.php b/lam/templates/3rdParty/pla/htdocs/copy.php index 40c64830..74b7d88e 100644 --- a/lam/templates/3rdParty/pla/htdocs/copy.php +++ b/lam/templates/3rdParty/pla/htdocs/copy.php 
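Review bot: On both changed lines of compare.php the escape is applied to the input of `pretty_print_dn()` rather than to what it prints, so the DN parser receives entity-encoded text (`&amp;`, `&lt;`) instead of the real DN, and the `;` that every entity introduces may be taken as an RDN separator by the underlying explode. If pretty_print_dn already escapes the RDN pieces it emits, as its HTML output suggests, the displayed value is now double-encoded; if it does not, its fallback for a DN that fails to parse is the actual hole, and that is better closed once inside the helper than at each caller. I would keep `pretty_print_dn($request['dnSRC'])` here and make the helper escape both its parsed elements and its raw-string fallback; the same pattern appears in copy.php, delete.php and template_engine.php in this patch. pretty_print_dn is not visible here, so this needs confirming against its body.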
@@ -28,11 +28,11 @@ if ($ldap['DST']->isReadOnly()) error(('Destination server is currently READ-ONLY.'),'error','index.php'); if ($ldap['DST']->dnExists($request['dnDST'])) - error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn($request['dnDST'])),'error','index.php'); + error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php'); if (! $ldap['DST']->dnExists($ldap['DST']->getContainer($request['dnDST']))) error(sprintf(_('The container you specified (%s) does not exist. Please try again.'), - pretty_print_dn($ldap['DST']->getContainer($request['dnDST']))),'error','index.php'); + pretty_print_dn(htmlspecialchars($ldap['DST']->getContainer($request['dnDST'])))),'error','index.php'); if (pla_compare_dns($request['dnSRC'],$request['dnDST']) == 0 && $ldap['SRC']->getIndex() == $ldap['DST']->getIndex()) error(_('The source and destination DN are the same.'),'error','index.php'); diff --git a/lam/templates/3rdParty/pla/htdocs/copy_form.php b/lam/templates/3rdParty/pla/htdocs/copy_form.php index cc77429a..ca3c04e0 100644 --- a/lam/templates/3rdParty/pla/htdocs/copy_form.php +++ b/lam/templates/3rdParty/pla/htdocs/copy_form.php @@ -17,7 +17,7 @@ $request['dn'] = get_request('dn','GET'); # Check if the entry exists. if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none')); $request['page']->setDN($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/delete.php b/lam/templates/3rdParty/pla/htdocs/delete.php index 73d7f7fb..ff373199 100644 --- a/lam/templates/3rdParty/pla/htdocs/delete.php +++ b/lam/templates/3rdParty/pla/htdocs/delete.php 
@@ -16,7 +16,7 @@ $request = array(); $request['dn'] = get_request('dn','REQUEST',true); if (! $app['server']->dnExists($request['dn'])) - error(sprintf('%s (%s)',_('No such entry.'),''.pretty_print_dn($request['dn']).''),'error','index.php'); + error(sprintf('%s (%s)',_('No such entry.'),''.pretty_print_dn(htmlspecialchars($request['dn'])).''),'error','index.php'); # Delete the entry. $result = $app['server']->delete($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/delete_attr.php b/lam/templates/3rdParty/pla/htdocs/delete_attr.php index c33c5e7a..c6bf1592 100644 --- a/lam/templates/3rdParty/pla/htdocs/delete_attr.php +++ b/lam/templates/3rdParty/pla/htdocs/delete_attr.php @@ -17,7 +17,7 @@ $request['attr'] = get_request('attr','REQUEST',true); $request['index'] = get_request('index','REQUEST',true); if ($app['server']->isAttrReadOnly($request['attr'])) - error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),$request['attr']),'error','index.php'); + error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),htmlspecialchars($request['attr'])),'error','index.php'); $update_array = array(); $update_array[$request['attr']] = $app['server']->getDNAttrValue($request['dn'],$request['attr']); diff --git a/lam/templates/3rdParty/pla/htdocs/download_binary_attr.php b/lam/templates/3rdParty/pla/htdocs/download_binary_attr.php index 251f2deb..1338ba38 100644 --- a/lam/templates/3rdParty/pla/htdocs/download_binary_attr.php +++ b/lam/templates/3rdParty/pla/htdocs/download_binary_attr.php 
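Review bot: Apart from the escaped message, the delete.php hunk shows a destructive call, `$app['server']->delete($request['dn'])`, driven by a `dn` taken from REQUEST, with nothing in view restricting it to POST or checking an anti-CSRF token. If no such check sits above line 16 (outside the hunk), any logged-in admin who follows a crafted link deletes an entry; the existence check on its own does not prevent that. A guard like `if ($_SERVER['REQUEST_METHOD'] !== 'POST') error(_('Invalid request.'),'error','index.php');` together with a token carried by the confirmation form would close it. The script's earlier lines are outside this hunk, so the check may already exist there.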
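Review bot: In delete_attr.php, `$request['index']` is read from REQUEST on the line directly above the changed one and is never type-checked in view, although it presumably selects the value removed from `$update_array[$request['attr']]` further down, outside this hunk. A non-numeric or out-of-range index should fail the same way the read-only attribute does, e.g. `if (! ctype_digit((string) $request['index'])) error(_('Invalid attribute index.'),'error','index.php');`, rather than rely on an undefined-offset notice. The attribute name is now escaped for display but still flows unfiltered into `getDNAttrValue()` and the later modify; if `isAttrReadOnly()` compares names case-sensitively, a differently-cased spelling would sidestep the read-only flag, which is worth checking in that helper.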
@@ -21,13 +21,13 @@ $request['type'] = get_request('type','GET',false,'octet-stream'); $request['filename'] = get_request('filename','GET',false,sprintf('%s:%s.bin',get_rdn($request['dn'],true),$request['attr'])); if (! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $search = $app['server']->getDNAttrValues($request['dn'],null,LDAP_DEREF_NEVER,array($request['attr'])); # Dump the binary data to the browser $obStatus = ob_get_status(); -if (isset($obStatus['type']) && $obStatus['type'] && $obStatus['status']) +if (isset($obStatus['type']) && $obStatus['type'] && $obStatus['status']) ob_end_clean(); if (! isset($search[$request['attr']][$request['index']])) { diff --git a/lam/templates/3rdParty/pla/htdocs/template_engine.php b/lam/templates/3rdParty/pla/htdocs/template_engine.php index 1cfaba98..224a52dc 100644 --- a/lam/templates/3rdParty/pla/htdocs/template_engine.php +++ b/lam/templates/3rdParty/pla/htdocs/template_engine.php @@ -12,7 +12,7 @@ The template engine has the following responsibilities: * If we are passed a DN, then we are editing an existing entry * If we are not passed a DN, then we are passed a container (and creating a new entry in that container) -In both cases, we are optionally passed a template ID. +In both cases, we are optionally passed a template ID. * If we have a template ID, then we'll render the creation/editing using that template * If we are not passed a template ID, then we'll either: * Present a list of available templates, 
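Review bot: The context lines of download_binary_attr.php show `type` and `filename` taken straight from GET with only a default, and the patch adds no validation for either; they are presumably the Content-Type and Content-Disposition values sent after the `ob_end_clean()`, outside this hunk. A caller-chosen `type=html` would have the browser render an attacker-stored attribute value as a page, and a double quote inside `filename` can break out of the header value (PHP's header() refuses CR/LF but not quotes). Restrict the type to a short allow-list or force `application/octet-stream`, strip quotes and control characters from the filename, e.g. `$request['filename'] = preg_replace('/[\x00-\x1f"\\\\]/', '', $request['filename']);`, and send `X-Content-Type-Options: nosniff` with the download. The DN escape itself is fine; the header path is the riskier input on this page.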
@@ -42,7 +42,7 @@ $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('te # If we have a DN, then this is to edit the entry. if ($request['dn']) { $app['server']->dnExists($request['dn']) - or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn($request['dn'])),'error','index.php'); + or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn(htmlspecialchars($request['dn']))),'error','index.php'); $request['page']->setDN($request['dn']); $request['page']->accept(); diff --git a/lam/templates/3rdParty/pla/htdocs/update.php b/lam/templates/3rdParty/pla/htdocs/update.php index 5f31f28a..fafda95b 100644 --- a/lam/templates/3rdParty/pla/htdocs/update.php +++ b/lam/templates/3rdParty/pla/htdocs/update.php @@ -24,7 +24,7 @@ if (get_request('cancel','REQUEST')) { } if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none')); $request['page']->setDN($request['dn']); diff --git a/lam/templates/3rdParty/pla/htdocs/update_confirm.php b/lam/templates/3rdParty/pla/htdocs/update_confirm.php index 69735e22..6e91fa8f 100644 --- a/lam/templates/3rdParty/pla/htdocs/update_confirm.php +++ b/lam/templates/3rdParty/pla/htdocs/update_confirm.php @@ -20,7 +20,7 @@ $request = array(); $request['dn'] = get_request('dn','REQUEST',true); if (! $request['dn'] || ! $app['server']->dnExists($request['dn'])) - error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php'); + error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php'); $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none')); $request['page']->setDN($request['dn']);
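Review bot: update_confirm.php carries the seventh copy in this patch of the same existence guard with an inline-escaped message (add_attr_form.php, add_oclass_form.php, add_value_form.php, compare_form.php, copy_form.php, update.php and here), so every future adjustment to the escaping has to be repeated seven times and the next page added can easily miss it. A small shared helper, e.g. `function require_dn($server, $dn) { if (! $dn || ! $server->dnExists($dn)) error(sprintf(_('The entry (%s) does not exist.'), htmlspecialchars($dn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')),'error','index.php'); }`, would leave one place to get the flags right and one call per page. This is a point of style rather than a defect; the inline form is correct as far as the hunk shows.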