From 562dd8fc21b15191b23d8e93e6e60c5b0075a0e1 Mon Sep 17 00:00:00 2001 From: Benjamin Dalsass Date: Tue, 17 May 2022 08:17:21 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B04900=20-=20Stored=20XSS=20in=20dashlets?= =?UTF-8?q?=20failed=20OQL=20query?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/dashlet.class.inc.php | 315 +++++++++++++++--------------- 1 file changed, 162 insertions(+), 153 deletions(-) diff --git a/application/dashlet.class.inc.php b/application/dashlet.class.inc.php index 42eeca069..8ae3c5464 100644 --- a/application/dashlet.class.inc.php +++ b/application/dashlet.class.inc.php @@ -919,24 +919,28 @@ class DashletObjectList extends Dashlet */ public function Render($oPage, $bEditMode = false, $aExtraParams = array()) { - $sTitle = $this->aProperties['title']; - $sShowMenu = $this->aProperties['menu'] ? '1' : '0'; + try { + $sTitle = $this->aProperties['title']; + $sShowMenu = $this->aProperties['menu'] ? '1' : '0'; - $oPage->add('
'); - $sHtmlTitle = utils::HtmlEntities(Dict::S($sTitle)); // done in the itop block - if ($sHtmlTitle != '') - { - $oPage->add('

 '.$sHtmlTitle.'

'); + $oPage->add('
'); + $sHtmlTitle = utils::HtmlEntities(Dict::S($sTitle)); // done in the itop block + if ($sHtmlTitle != '') { + $oPage->add('

 '.$sHtmlTitle.'

'); + } + $oFilter = $this->GetDBSearch($aExtraParams); + $oBlock = new DisplayBlock($oFilter, 'list'); + $aParams = array( + 'menu' => $sShowMenu, + 'table_id' => self::APPUSERPREFERENCES_PREFIX.$this->sId, + ); + $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occurring in the same DOM) + $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); + $oPage->add('
'); + } + catch(Exception $e){ + $oPage->add(utils::HtmlEntities($e->getMessage())); } - $oFilter = $this->GetDBSearch($aExtraParams); - $oBlock = new DisplayBlock($oFilter, 'list'); - $aParams = array( - 'menu' => $sShowMenu, - 'table_id' => self::APPUSERPREFERENCES_PREFIX.$this->sId, - ); - $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occurring in the same DOM) - $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); - $oPage->add('
'); } public function GetDBSearch($aExtraParams = array()) @@ -1198,97 +1202,96 @@ abstract class DashletGroupBy extends Dashlet */ public function Render($oPage, $bEditMode = false, $aExtraParams = array()) { - $sTitle = $this->aProperties['title']; - $sQuery = $this->aProperties['query']; - $sStyle = $this->aProperties['style']; + try { + $sTitle = $this->aProperties['title']; + $sQuery = $this->aProperties['query']; + $sStyle = $this->aProperties['style']; - // First perform the query - if the OQL is not ok, it will generate an exception : no need to go further - if (isset($aExtraParams['query_params'])) - { - $aQueryParams = $aExtraParams['query_params']; - } - elseif (isset($aExtraParams['this->class']) && isset($aExtraParams['this->id'])) - { - $oObj = MetaModel::GetObject($aExtraParams['this->class'], $aExtraParams['this->id']); - $aQueryParams = $oObj->ToArgsForQuery(); - } - else - { - $aQueryParams = array(); - } - $oFilter = DBObjectSearch::FromOQL($sQuery, $aQueryParams); - $oFilter->SetShowObsoleteData(utils::ShowObsoleteData()); - - $sClass = $oFilter->GetClass(); - if (!$this->oModelReflection->IsValidAttCode($sClass, $this->sGroupByAttCode)) - { - $oPage->add('

'.Dict::S('UI:DashletGroupBy:MissingGroupBy').'

'); - } - else - { - switch($sStyle) + // First perform the query - if the OQL is not ok, it will generate an exception : no need to go further + if (isset($aExtraParams['query_params'])) { - case 'bars': - $sType = 'chart'; - $aParams = array( - 'chart_type' => 'bars', - 'chart_title' => $sTitle, - 'group_by' => $this->sGroupByExpr, - 'group_by_label' => $this->sGroupByLabel, - 'aggregation_function' => $this->sAggregationFunction, - 'aggregation_attribute' => $this->sAggregationAttribute, - 'limit' => $this->sLimit, - 'order_direction' => $this->sOrderDirection, - 'order_by' => $this->sOrderBy, - ); - $sHtmlTitle = ''; // done in the itop block - break; - - case 'pie': - $sType = 'chart'; - $aParams = array( - 'chart_type' => 'pie', - 'chart_title' => $sTitle, - 'group_by' => $this->sGroupByExpr, - 'group_by_label' => $this->sGroupByLabel, - 'aggregation_function' => $this->sAggregationFunction, - 'aggregation_attribute' => $this->sAggregationAttribute, - 'limit' => $this->sLimit, - 'order_direction' => $this->sOrderDirection, - 'order_by' => $this->sOrderBy, - ); - $sHtmlTitle = ''; // done in the itop block - break; - - case 'table': - default: - $sHtmlTitle = utils::HtmlEntities(Dict::S($sTitle)); // done in the itop block - $sType = 'count'; - $aParams = array( - 'group_by' => $this->sGroupByExpr, - 'group_by_label' => $this->sGroupByLabel, - 'aggregation_function' => $this->sAggregationFunction, - 'aggregation_attribute' => $this->sAggregationAttribute, - 'limit' => $this->sLimit, - 'order_direction' => $this->sOrderDirection, - 'order_by' => $this->sOrderBy, - ); - break; + $aQueryParams = $aExtraParams['query_params']; } - - $oPage->add('
'); - if ($sHtmlTitle != '') + elseif (isset($aExtraParams['this->class']) && isset($aExtraParams['this->id'])) { - $oPage->add('

 '.$sHtmlTitle.'

'); + $oObj = MetaModel::GetObject($aExtraParams['this->class'], $aExtraParams['this->id']); + $aQueryParams = $oObj->ToArgsForQuery(); } - $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occuring in the same DOM) - $oBlock = new DisplayBlock($oFilter, $sType); - $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); - if($bEditMode) + else { - $oPage->add('
'); + $aQueryParams = array(); } - $oPage->add('
'); + $oFilter = DBObjectSearch::FromOQL($sQuery, $aQueryParams); + $oFilter->SetShowObsoleteData(utils::ShowObsoleteData()); + + $sClass = $oFilter->GetClass(); + if (!$this->oModelReflection->IsValidAttCode($sClass, $this->sGroupByAttCode)) { + $oPage->add('

'.Dict::S('UI:DashletGroupBy:MissingGroupBy').'

'); + } else { + switch ($sStyle) { + case 'bars': + $sType = 'chart'; + $aParams = array( + 'chart_type' => 'bars', + 'chart_title' => $sTitle, + 'group_by' => $this->sGroupByExpr, + 'group_by_label' => $this->sGroupByLabel, + 'aggregation_function' => $this->sAggregationFunction, + 'aggregation_attribute' => $this->sAggregationAttribute, + 'limit' => $this->sLimit, + 'order_direction' => $this->sOrderDirection, + 'order_by' => $this->sOrderBy, + ); + $sHtmlTitle = ''; // done in the itop block + break; + + case 'pie': + $sType = 'chart'; + $aParams = array( + 'chart_type' => 'pie', + 'chart_title' => $sTitle, + 'group_by' => $this->sGroupByExpr, + 'group_by_label' => $this->sGroupByLabel, + 'aggregation_function' => $this->sAggregationFunction, + 'aggregation_attribute' => $this->sAggregationAttribute, + 'limit' => $this->sLimit, + 'order_direction' => $this->sOrderDirection, + 'order_by' => $this->sOrderBy, + ); + $sHtmlTitle = ''; // done in the itop block + break; + + case 'table': + default: + $sHtmlTitle = utils::HtmlEntities(Dict::S($sTitle)); // done in the itop block + $sType = 'count'; + $aParams = array( + 'group_by' => $this->sGroupByExpr, + 'group_by_label' => $this->sGroupByLabel, + 'aggregation_function' => $this->sAggregationFunction, + 'aggregation_attribute' => $this->sAggregationAttribute, + 'limit' => $this->sLimit, + 'order_direction' => $this->sOrderDirection, + 'order_by' => $this->sOrderBy, + ); + break; + } + + $oPage->add('
'); + if ($sHtmlTitle != '') { + $oPage->add('

 '.$sHtmlTitle.'

'); + } + $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occuring in the same DOM) + $oBlock = new DisplayBlock($oFilter, $sType); + $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); + if ($bEditMode) { + $oPage->add('
'); + } + $oPage->add('
'); + } + } + catch(Exception $e){ + $oPage->add(utils::HtmlEntities($e->getMessage())); } } @@ -2050,63 +2053,69 @@ class DashletHeaderDynamic extends Dashlet */ public function Render($oPage, $bEditMode = false, $aExtraParams = array()) { - $sTitle = utils::HtmlEntities($this->aProperties['title']); - $sIcon = $this->aProperties['icon']; - $sSubtitle = utils::HtmlEntities($this->aProperties['subtitle']); - $sQuery = $this->aProperties['query']; - $sGroupBy = $this->aProperties['group_by']; + try{ + $sTitle = utils::HtmlEntities($this->aProperties['title']); + $sIcon = $this->aProperties['icon']; + $sSubtitle = utils::HtmlEntities($this->aProperties['subtitle']); + $sQuery = $this->aProperties['query']; + $sGroupBy = $this->aProperties['group_by']; - $oIconSelect = $this->oModelReflection->GetIconSelectionField('icon'); - $sIconPath = utils::HtmlEntities($oIconSelect->MakeFileUrl($sIcon)); + $oIconSelect = $this->oModelReflection->GetIconSelectionField('icon'); + $sIconPath = utils::HtmlEntities($oIconSelect->MakeFileUrl($sIcon)); - $aValues = $this->GetValues(); - if (count($aValues) > 0) - { - // Stats grouped by - $sCSV = implode(',', $aValues); - $aParams = array( - 'title[block]' => $sTitle, - 'label[block]' => $sSubtitle, - 'status[block]' => $sGroupBy, - 'status_codes[block]' => $sCSV, - 'context_filter' => 1, - ); + $aValues = $this->GetValues(); + if (count($aValues) > 0) + { + // Stats grouped by + $sCSV = implode(',', $aValues); + $aParams = array( + 'title[block]' => $sTitle, + 'label[block]' => $sSubtitle, + 'status[block]' => $sGroupBy, + 'status_codes[block]' => $sCSV, + 'context_filter' => 1, + ); + } + else + { + // Simple stats + $aParams = array( + 'title[block]' => $sTitle, + 'label[block]' => $sSubtitle, + 'context_filter' => 1, + ); + } + + $oPage->add('
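Review bot: The new `catch(Exception $e){` in DashletGroupBy::Render is inconsistent with the brace style the same hunk introduces elsewhere (`if (...) {`, `switch ($sStyle) {`); PSR-12 form is `catch (Exception $e) {`, and the same spacing applies to the catch in DashletObjectList::Render above and the `try{` / `catch(Exception $e){` in DashletHeaderDynamic::Render below. The catch body is byte-identical in all three Render methods, so a single protected helper on the Dashlet base class (e.g. `RenderException($oPage, Exception $e)`, constructed name) would keep the escaping and any future logging in one place. The pre-existing comment typo `occuring` on the `$sBlockId` line is carried over unchanged; `occurring` would match the spelling used in the DashletObjectList hunk.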
'); + $oPage->add('
'); + + $oPage->add(''); + + if (isset($aExtraParams['query_params'])) + { + $aQueryParams = $aExtraParams['query_params']; + } + elseif (isset($aExtraParams['this->class'])) + { + $oObj = MetaModel::GetObject($aExtraParams['this->class'], $aExtraParams['this->id']); + $aQueryParams = $oObj->ToArgsForQuery(); + } + else + { + $aQueryParams = array(); + } + + $oFilter = DBObjectSearch::FromOQL($sQuery, $aQueryParams); + $oBlock = new DisplayBlock($oFilter, 'summary'); + $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occuring in the same DOM) + $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); + + $oPage->add('
'); + $oPage->add('
'); } - else - { - // Simple stats - $aParams = array( - 'title[block]' => $sTitle, - 'label[block]' => $sSubtitle, - 'context_filter' => 1, - ); + catch(Exception $e){ + $oPage->add(utils::HtmlEntities($e->getMessage())); } - - $oPage->add('
'); - $oPage->add('
'); - - $oPage->add(''); - - if (isset($aExtraParams['query_params'])) - { - $aQueryParams = $aExtraParams['query_params']; - } - elseif (isset($aExtraParams['this->class'])) - { - $oObj = MetaModel::GetObject($aExtraParams['this->class'], $aExtraParams['this->id']); - $aQueryParams = $oObj->ToArgsForQuery(); - } - else - { - $aQueryParams = array(); - } - $oFilter = DBObjectSearch::FromOQL($sQuery, $aQueryParams); - $oBlock = new DisplayBlock($oFilter, 'summary'); - $sBlockId = 'block_'.$this->sId.($bEditMode ? '_edit' : ''); // make a unique id (edition occuring in the same DOM) - $oBlock->Display($oPage, $sBlockId, array_merge($aExtraParams, $aParams)); - - $oPage->add('
'); - $oPage->add('
'); } /**
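Review bot: In DashletHeaderDynamic::Render the two wrapper `$oPage->add(...)` calls and the icon `$oPage->add('')` line still run before `$aQueryParams` is resolved and `DBObjectSearch::FromOQL($sQuery, $aQueryParams)` is called, so a stored bad query throws after output has started: the try's two closing `$oPage->add(...)` lines are skipped and the escaped message ends up inside half-open dashlet markup. DashletGroupBy::Render already orders this correctly (its comment reads "First perform the query - if the OQL is not ok, it will generate an exception : no need to go further"); moving the `if (isset($aExtraParams['query_params'])) … $oFilter = DBObjectSearch::FromOQL($sQuery, $aQueryParams);` block up to directly after `$sGroupBy = $this->aProperties['group_by'];` gives this method the same guarantee without changing its success-path output. While there, the `elseif (isset($aExtraParams['this->class']))` branch reads `$aExtraParams['this->id']` without checking it, unlike the `&& isset($aExtraParams['this->id'])` form in DashletGroupBy::Render. Whether `$this->GetValues()` can throw cannot be told from this hunk.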