diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 70631457c..8f51eb10f 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -303,6 +303,9 @@ class LoginWebPage extends NiceWebPage
$sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
$sToken = utils::ReadParam('token', '', false, 'raw_data');
+ $sAuthUserForDisplay = utils::HtmlEntities($sAuthUser);
+ $sTokenForDisplay = utils::HtmlEntities($sToken);
+
UserRights::Login($sAuthUser); // Set the user's language
$oUser = UserRights::GetUserObject();
@@ -311,7 +314,7 @@ class LoginWebPage extends NiceWebPage
$this->add("
".Dict::S('UI:ResetPwd-Title')."
\n");
if ($oUser == null)
{
- $this->add("".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."
\n");
+ $this->add("".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUserForDisplay)."
\n");
}
else
{
@@ -323,7 +326,8 @@ class LoginWebPage extends NiceWebPage
}
else
{
- $this->add("".Dict::Format('UI:ResetPwd-Error-EnterPassword', $oUser->GetFriendlyName())."
\n");
+ $sUserNameForDisplay = utils::HtmlEntities($oUser->GetFriendlyName());
+ $this->add("".Dict::Format('UI:ResetPwd-Error-EnterPassword', $sUserNameForDisplay)."
\n");
$sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch');
$this->add_script(
@@ -346,8 +350,8 @@ EOF
$this->add(" |
\n");
$this->add("\n");
$this->add("\n");
- $this->add("\n");
- $this->add("\n");
+ $this->add("\n");
+ $this->add("\n");
$this->add("\n");
$this->add("GetReloadURL())
{
@@ -1426,7 +1427,7 @@ class utils
asort($aPossibleEncodings);
return $aPossibleEncodings;
}
-
+
/**
* Helper to encapsulation iTop's htmlentities
* @param string $sValue
@@ -1436,7 +1437,7 @@ class utils
{
return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
}
-
+
/**
* Convert a string containing some (valid) HTML markup to plain text
* @param string $sHtml
diff --git a/datamodels/2.x/itop-backup/check-backup.php b/datamodels/2.x/itop-backup/check-backup.php
index 2af5a7375..81ea9fe6e 100644
--- a/datamodels/2.x/itop-backup/check-backup.php
+++ b/datamodels/2.x/itop-backup/check-backup.php
@@ -212,56 +212,59 @@ catch(Exception $e)
}
$sZipArchiveFile = MakeArchiveFileName().'.tar.gz';
-echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFile\n";
+$sZipArchiveFileForDisplay = utils::HtmlEntities($sZipArchiveFile);
+echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFileForDisplay\n";
-if (file_exists($sZipArchiveFile))
+
+if (!file_exists($sZipArchiveFile))
{
- if ($aStat = stat($sZipArchiveFile))
- {
- $iSize = (int) $aStat['size'];
- $iMIN = utils::ReadParam('check_size_min', 0);
- if ($iSize > $iMIN)
- {
- echo "Found the archive\n";
- $sOldArchiveFile = MakeArchiveFileName(time() - 86400).'.tar.gz'; // yesterday's archive
- if (file_exists($sOldArchiveFile))
- {
- if ($aOldStat = stat($sOldArchiveFile))
- {
- echo "Comparing its size with older file: $sOldArchiveFile\n";
- $iOldSize = (int) $aOldStat['size'];
- $fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;
- $sVariation = round($fVariationPercent, 2)." percent(s)";
+ RaiseAlarm("Missing backup file '$sZipArchiveFileForDisplay'");
- $iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');
- if ($fVariationPercent < -$iREDUCTIONMAX)
- {
- RaiseAlarm("Backup file '$sZipArchiveFile' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
- }
- elseif ($fVariationPercent < 0)
- {
- echo "Size variation: $sVariation (the maximum allowed reduction is $iREDUCTIONMAX) \n";
- }
- else
- {
- echo "The archive grew by: $sVariation\n";
- }
- }
- }
+ return;
+}
+
+$aStat = stat($sZipArchiveFile);
+if (!$aStat)
+{
+ RaiseAlarm("Failed to stat backup file '$sZipArchiveFileForDisplay'");
+
+ return;
+}
+
+$iSize = (int)$aStat['size'];
+$iMIN = utils::ReadParam('check_size_min', 0);
+if ($iSize <= $iMIN)
+{
+ RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' too small (Found: $iSize, while expecting $iMIN bytes)");
+
+ return;
+}
+
+
+echo "Found the archive\n";
+$sOldArchiveFile = MakeArchiveFileName(time() - 86400).'.tar.gz'; // yesterday's archive
+$sOldArchiveFileForDisplay = utils::HtmlEntities($sOldArchiveFile);
+if (file_exists($sOldArchiveFile))
+{
+ if ($aOldStat = stat($sOldArchiveFile))
+ {
+ echo "Comparing its size with older file: $sOldArchiveFileForDisplay\n";
+ $iOldSize = (int)$aOldStat['size'];
+ $fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;
+ $sVariation = round($fVariationPercent, 2)." percent(s)";
+
+ $iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');
+ if ($fVariationPercent < -$iREDUCTIONMAX)
+ {
+ RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
+ }
+ elseif ($fVariationPercent < 0)
+ {
+ echo "Size variation: $sVariation (the maximum allowed reduction is $iREDUCTIONMAX) \n";
}
else
{
- RaiseAlarm("Backup file '$sZipArchiveFile' too small (Found: $iSize, while expecting $iMIN bytes)");
+ echo "The archive grew by: $sVariation\n";
}
}
- else
- {
- RaiseAlarm("Failed to stat backup file '$sZipArchiveFile'");
- }
}
-else
-{
- RaiseAlarm("Missing backup file '$sZipArchiveFile'");
-}
-
-?>
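Review bot: The line `$fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;` still divides by `$iOldSize` without a guard, so a zero-byte archive from the previous day throws a division-by-zero error and the check aborts before any alarm is raised; the restructure carries this over from the old code. A guard before the division keeps the failure visible, e.g. `if ($iOldSize <= 0) { RaiseAlarm("Previous backup file '$sOldArchiveFileForDisplay' is empty"); return; }`. Separately, `$sZipArchiveFileForDisplay` and `$sOldArchiveFileForDisplay` are HTML-encoded and then used both in `echo` output and in the RaiseAlarm messages; if either sink is plain text (CLI, e-mail or a log) rather than HTML, quotes and ampersands in the path will show up as entities, so it is worth confirming what RaiseAlarm emits. `$iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');` is read with no default, so a missing parameter presumably makes the threshold zero and every shrink alarms; an explicit default would make that intent clear.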
diff --git a/js/dashboard.js b/js/dashboard.js
index 77c8a2ab8..4a938a6aa 100644
--- a/js/dashboard.js
+++ b/js/dashboard.js
@@ -373,6 +373,7 @@ $(function()
dashboard_id: '',
file_id: '',
file: '',
+ transaction: '',
text: 'Select a dashboard file to import',
title: 'Dahsboard Import',
close_btn: 'Close',
@@ -390,7 +391,7 @@ $(function()
//me.onClose();
};
$('#'+this.options.file_id).fileupload({
- url: me.options.submit_to+'&id='+me.options.dashboard_id+'&file='+me.options.file,
+ url: me.options.submit_to+'&id='+me.options.dashboard_id+'&file='+me.options.file+'&transaction_id='+me.options.transaction,
dataType: 'json',
pasteZone: null, // Don't accept files via Chrome's copy/paste
done: function (e, data) {
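Review bot: `me.options.transaction` is spliced into the upload URL by string concatenation on the `url:` line without URL-encoding, like the existing `id` and `file` fragments; a token containing `&`, `=`, `+` or `%` would be truncated or altered before it reaches `transaction_id` and the server-side validation would then reject it. Use `'&transaction_id='+encodeURIComponent(me.options.transaction)` (the other two fragments would benefit from the same treatment). The URL is computed once when the fileupload widget is created, so the token present in options at that moment is the only one ever sent; that is fine only if the caller supplies a fresh token per import widget. The enclosing function starts before this hunk.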
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index 60cc6e422..4299cb768 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -942,6 +942,11 @@ try
break;
case 'import_dashboard':
+ $sTransactionId = utils::ReadParam('transaction_id', '', false, 'raw_data');
+ if (!utils::IsTransactionValid($sTransactionId, true))
+ {
+ throw new SecurityException('ajax.render.php import_dashboard : invalid transaction_id');
+ }
$sDashboardId = utils::ReadParam('id', '', false, 'raw_data');
$sDashboardFile = utils::ReadParam('file', '', false, 'raw_data');
$oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId);
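Review bot: The new check passes `true` as the second argument of `utils::IsTransactionValid`; if that flag removes the token once validated (as its position suggests, to be confirmed against the helper), a failed or repeated upload from the same dashboard import widget will be rejected, because dashboard.js sends the token it captured at widget creation. Either defer consuming the token until the import has succeeded, or return a fresh transaction id in the response so the client can update `me.options.transaction`. The `case 'import_dashboard':` branch continues past the end of the hunk.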
@@ -2297,7 +2302,12 @@ EOF
try
{
$token = utils::ReadParam('token', null);
- $aResult = array('code' => 'error', 'percentage' => 100, 'message' => "Export not found for token: '$token'"); // Fallback error, just in case
+ $sTokenForDisplay = utils::HtmlEntities($token);
+ $aResult = array( // Fallback error, just in case
+ 'code' => 'error',
+ 'percentage' => 100,
+ 'message' => "Export not found for token: '$sTokenForDisplay'",
+ );
$data = '';
if ($token === null)
{
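Review bot: `$sTokenForDisplay = utils::HtmlEntities($token);` runs before the `if ($token === null)` branch, so the null default from `utils::ReadParam('token', null)` reaches `htmlentities()`; utils::HtmlEntities is documented as taking a string, and on PHP 8.1+ a null argument emits a deprecation notice. Either cast first, `$sTokenForDisplay = utils::HtmlEntities((string)$token);`, or build the fallback message after the null check. The surrounding try block continues past the end of the hunk.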
@@ -2372,11 +2382,11 @@ EOF
$oPage->add(json_encode($aResult));
} catch (BulkExportException $e)
{
- $aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->GetLocalizedMessage());
+ $aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->GetLocalizedMessage()));
$oPage->add(json_encode($aResult));
} catch (Exception $e)
{
- $aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->getMessage());
+ $aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->getMessage()));
$oPage->add(json_encode($aResult));
}
break;
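Review bot: The two catch blocks now HTML-encode the exception text before it is json_encode'd into `message`, which makes the JSON payload HTML-specific: a client that renders `message` as text (jQuery `.text()`, an alert) will show literal `&quot;`/`&#039;` sequences, while one that injects it as HTML is now protected. Worth a comment on the first catch stating the contract, e.g. `// message is inserted as HTML by the export dialog, hence the entity encoding`, so a future consumer does not double-escape it; the same applies to the fallback message built earlier in this handler. The enclosing try begins outside the hunk.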