From 8e972794013bdd991eff0735b21fcc1a915bc09f Mon Sep 17 00:00:00 2001 From: Benjamin Dalsass Date: Tue, 17 May 2022 09:27:06 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B04899=20-=20Reflected=20XSS=20on=20revert?= =?UTF-8?q?=5Fdashboard=20operation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/utils.inc.php | 5 +++++ pages/ajax.render.php | 12 ++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/application/utils.inc.php b/application/utils.inc.php index f64cf306d..4a8c0e5b5 100644 --- a/application/utils.inc.php +++ b/application/utils.inc.php @@ -358,6 +358,11 @@ class utils $retValue = preg_replace('/[^a-zA-Z0-9_]/', '', $value); break; + // For URL + case 'url': + $retValue = filter_var($value, FILTER_SANITIZE_URL); + break; + default: case 'raw_data': $retValue = $value; diff --git a/pages/ajax.render.php b/pages/ajax.render.php index fbe25a152..dead51401 100644 --- a/pages/ajax.render.php +++ b/pages/ajax.render.php @@ -1183,7 +1183,7 @@ try $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $sDashboardFile = utils::ReadParam('file', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId); $aResult = array('error' => ''); if (!is_null($oDashboard)) @@ -1202,7 +1202,7 @@ try $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'raw_data'); $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $sDashboardFile = utils::ReadParam('file', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId); $aResult = array('error' => ''); if (!is_null($oDashboard)) 
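Review bot: The new `url` case in the `Sanitize` switch relies on `FILTER_SANITIZE_URL`, which only removes characters outside the URL-permitted set — quotes, angle brackets, backslash, parentheses and semicolons all survive, and the scheme is not checked — so on its own it does not neutralise a reflected value that reaches an HTML or JS sink. If the goal is a safe redirect target, validate rather than sanitise, e.g. `$retValue = (filter_var($value, FILTER_VALIDATE_URL) !== false) ? $value : '';` and, where relative paths are expected, check them explicitly instead of accepting anything. Whatever is chosen, the case should carry a comment making the contract clear, e.g. `// Strips whitespace/non-URL bytes only; NOT an XSS encoder — escape at the output site`. The enclosing `Sanitize` method starts and ends outside this hunk, so it is not visible here whether any caller escapes the result.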
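Review bot: Changing `reload_url` from `raw_data` to `url` in this hunk (and likewise in the hunks at 1202, 1219, 1252, 1282 and 1296) alters the input filter but not how `$sReloadURL` is emitted, and since that filter keeps quotes and backslashes the point where the value is written into JS or HTML still needs context-specific encoding. The 1219 hunk already shows the right pattern for the JS context with `$sJSExtraParams = json_encode($aExtraParams);`; `$sReloadURL` should get the same treatment at its sink, e.g. `$sJSReloadURL = json_encode($sReloadURL, JSON_HEX_TAG | JSON_HEX_QUOT);` when it lands inside a script block, or `htmlspecialchars($sReloadURL, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` when it lands in an attribute. If the value is used to navigate, an allow-list of relative paths or same-origin URLs before use would close the remaining gap. The `switch` cases continue past these hunks, so the sinks are not visible here and their context is inferred from the variable names.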
@@ -1219,7 +1219,7 @@ try case 'save_dashboard': $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'context_param'); $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $sJSExtraParams = json_encode($aExtraParams); $aParams = array(); $aParams['layout_class'] = utils::ReadParam('layout_class', ''); @@ -1252,7 +1252,7 @@ JS case 'revert_dashboard': $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); appUserPreferences::UnsetPref('display_original_dashboard_'.$sDashboardId); $oDashboard = new RuntimeDashboard($sDashboardId); $oDashboard->Revert(); @@ -1282,7 +1282,7 @@ EOF $aParams['cells'] = utils::ReadParam('cells', array(), false, 'raw_data'); $aParams['auto_reload'] = utils::ReadParam('auto_reload', false); $aParams['auto_reload_sec'] = utils::ReadParam('auto_reload_sec', 300); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oKPI = new ExecutionKPI(); $oDashboard = new RuntimeDashboard($sDashboardId); $oDashboard->FromParams($aParams); @@ -1296,7 +1296,7 @@ EOF $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $aExtraParams['dashboard_div_id'] = utils::Sanitize($sId, '', 'element_identifier'); $sDashboardFile = utils::ReadParam('file', '', false, 'string'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oKPI = new ExecutionKPI(); $oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sId); if (!is_null($oDashboard))