Still fixing regressions caused by Trac#446: XSS vulnerabilities...

SVN:trunk[1450]

application/utils.inc.php

@@ -181,6 +181,7 @@ class utils
 			break;
 			
 			case 'parameter':
+			case 'field_name':
 			if (is_array($value))
 			{
 				$retValue = array();
@@ -196,10 +197,21 @@ class utils
 			}
 			else
 			{
-				$retValue = filter_var($value, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>'/^[ A-Za-z0-9_=-]*$/'))); // the '=' equal character is used in serialized filters
+				switch($sSanitizationFilter)
+				{
+					case 'parameter':
+					$retValue = filter_var($value, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>'/^[ A-Za-z0-9_=-]*$/'))); // the '=' equal character is used in serialized filters
+					break;
+					
+					case 'field_name':
+					$retValue = filter_var($value, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>'/^[A-Za-z0-9_]+(->[A-Za-z0-9_]+)*$/'))); // att_code or att_code->name or AttCode->Name or AttCode->Key2->Name
+					break;
+				}
 			}
 			break;
 			
+			break;
+			
 			default:
 			case 'raw_data':
 			$retValue = $value;

pages/csvimport.php

@@ -198,8 +198,8 @@ try
 		$bHeaderLine = (utils::ReadParam('header_line', '0') == 1);
 		$iRealSkippedLines = $iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
 		$sClassName = utils::ReadParam('class_name', '');
-		$aFieldsMapping = utils::ReadParam('field', array());
-		$aSearchFields = utils::ReadParam('search_field', array());
+		$aFieldsMapping = utils::ReadParam('field', array(), false, 'field_name');
+		$aSearchFields = utils::ReadParam('search_field', array(), false, 'field_name');
 		$iCurrentStep = $bSimulate ? 4 : 5;
 		$bAdvanced = utils::ReadParam('advanced', 0);
 		$sEncoding = utils::ReadParam('encoding', 'UTF-8');

setup/setuppage.class.inc.php

@@ -677,7 +677,7 @@ function CreateDatabaseStructure(Config $oConfig, $aSelectedModules, $sMode)
 			MetaModel::DBCreate();
 			SetupWebPage::log_ok("Database structure successfully created.");
 			// Check (and update only if it seems needed) the hierarchical keys
-			MetaModel::CheckHKeys(false /* bForceUpdate */);
+			MetaModel::CheckHKeys(false /* bDiagnosticsOnly */, false /* bVerbose*/, false /* bForceUpdate */);
 		}
 		else
 		{

synchro/synchro_exec.php

@@ -61,9 +61,9 @@ function UsageAndExit($oP)
 	exit -2;
 }
 
-function ReadMandatoryParam($oP, $sParam)
+function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter = 'parameter')
 {
-	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */, $sSanitizationFilter);
 	if (is_null($sValue))
 	{
 		$oP->p("ERROR: Missing argument '$sParam'\n");
@@ -100,9 +100,9 @@ if (utils::IsModeCLI())
 	// Next steps:
 	//   specific arguments: 'csvfile'
 	//   
-	$sAuthUser = ReadMandatoryParam($oP, 'auth_user');
-	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd');
-	$sDataSourcesList = ReadMandatoryParam($oP, 'data_sources');
+	$sAuthUser = ReadMandatoryParam($oP, 'auth_user', 'raw_data');
+	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd', 'raw_data');
+	$sDataSourcesList = ReadMandatoryParam($oP, 'data_sources', 'raw_data'); // May contain commas
 	if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd))
 	{
 		UserRights::Login($sAuthUser); // Login & set the user's language
@@ -119,7 +119,7 @@ else
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 	LoginWebPage::DoLogin(); // Check user rights and prompt if needed
 
-	$sDataSourcesList = utils::ReadParam('data_sources', null, true);
+	$sDataSourcesList = utils::ReadParam('data_sources', null, true, 'raw_data');
 	
 	if ($sDataSourcesList == null)
 	{

synchro/synchro_import.php

@@ -176,22 +176,22 @@ function UsageAndExit($oP)
 }
 
 
-function ReadParam($oP, $sParam)
+function ReadParam($oP, $sParam, $sSanitizationFilter = 'parameter')
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert(!$aPageParams[$sParam]['mandatory']);
-	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */, $sSanitizationFilter);
 	return trim($sValue);
 }
 
-function ReadMandatoryParam($oP, $sParam)
+function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter)
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert($aPageParams[$sParam]['mandatory']);
 
-	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */, $sSanitizationFilter);
 	if (is_null($sValue))
 	{
 		$oP->p("ERROR: Missing argument '$sParam'\n");
@@ -244,9 +244,9 @@ if (utils::IsModeCLI())
 	// Next steps:
 	//   specific arguments: 'csvfile'
 	//   
-	$sAuthUser = ReadMandatoryParam($oP, 'auth_user');
-	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd');
-	$sCsvFile = ReadMandatoryParam($oP, 'csvfile');
+	$sAuthUser = ReadMandatoryParam($oP, 'auth_user', 'raw_data');
+	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd', 'raw_data');
+	$sCsvFile = ReadMandatoryParam($oP, 'csvfile', 'raw_data');
 	if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd))
 	{
 		UserRights::Login($sAuthUser); // Login & set the user's language
@@ -273,7 +273,7 @@ else
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 	LoginWebPage::DoLogin(); // Check user rights and prompt if needed
 
-	$sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
+	$sCSVData = utils::ReadPostedParam('csvdata', '', false, 'raw_data');
 }
 
 
@@ -285,14 +285,14 @@ try
 	//
 	$iDataSourceId = ReadMandatoryParam($oP, 'data_source_id');
 	$sSynchronize = ReadParam($oP, 'synchronize');
-	$sSep = ReadParam($oP, 'separator');
-	$sQualifier = ReadParam($oP, 'qualifier');
-	$sCharSet = ReadParam($oP, 'charset');
-	$sDateFormat = ReadParam($oP, 'date_format');
+	$sSep = ReadParam($oP, 'separator', 'raw_data');
+	$sQualifier = ReadParam($oP, 'qualifier', 'raw_data');
+	$sCharSet = ReadParam($oP, 'charset', 'raw_data');
+	$sDateFormat = ReadParam($oP, 'date_format', 'raw_data');
 	$sOutput = ReadParam($oP, 'output');
 //	$sReportLevel = ReadParam($oP, 'reportlevel');
 	$sSimulate = ReadParam($oP, 'simulate');
-	$sComment = ReadParam($oP, 'comment');
+	$sComment = ReadParam($oP, 'comment', 'raw_data');
 
 	$oLoadStartDate = new DateTime(); // Now
 

webservices/cron.php

@@ -32,9 +32,9 @@ require_once(APPROOT.'/application/startup.inc.php');
 
 
 
-function ReadMandatoryParam($oP, $sParam)
+function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter = 'parameter')
 {
-	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */, $sSanitizationFilter);
 	if (is_null($sValue))
 	{
 		$oP->p("ERROR: Missing argument '$sParam'\n");
@@ -130,8 +130,8 @@ if (utils::IsModeCLI())
 	// Next steps:
 	//   specific arguments: 'csvfile'
 	//   
-	$sAuthUser = ReadMandatoryParam($oP, 'auth_user');
-	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd');
+	$sAuthUser = ReadMandatoryParam($oP, 'auth_user', 'raw_data');
+	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd', 'raw_data');
 	if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd))
 	{
 		UserRights::Login($sAuthUser); // Login & set the user's language

webservices/import.php

@@ -181,22 +181,22 @@ function UsageAndExit($oP)
 }
 
 
-function ReadParam($oP, $sParam)
+function ReadParam($oP, $sParam, $sSanitizationFilter = 'parameter')
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert(!$aPageParams[$sParam]['mandatory']);
-	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */, $sSanitizationFilter);
 	return trim($sValue);
 }
 
-function ReadMandatoryParam($oP, $sParam)
+function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter)
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert($aPageParams[$sParam]['mandatory']);
 
-	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */, $sSanitizationFilter);
 	if (is_null($sValue))
 	{
 		$oP->p("ERROR: Missing argument '$sParam'\n");
@@ -233,9 +233,9 @@ if (utils::IsModeCLI())
 	// Next steps:
 	//   specific arguments: 'csvfile'
 	//   
-	$sAuthUser = ReadMandatoryParam($oP, 'auth_user');
-	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd');
-	$sCsvFile = ReadMandatoryParam($oP, 'csvfile');
+	$sAuthUser = ReadMandatoryParam($oP, 'auth_user', 'raw_data');
+	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd', 'raw_data');
+	$sCsvFile = ReadMandatoryParam($oP, 'csvfile', 'raw_data');
 	if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd))
 	{
 		UserRights::Login($sAuthUser); // Login & set the user's language
@@ -272,16 +272,16 @@ try
 	//
 	// Read parameters
 	//
-	$sClass = ReadMandatoryParam($oP, 'class');
-	$sSep = ReadParam($oP, 'separator');
-	$sQualifier = ReadParam($oP, 'qualifier');
-	$sCharSet = ReadParam($oP, 'charset');
-	$sDateFormat = ReadParam($oP, 'date_format');
+	$sClass = ReadMandatoryParam($oP, 'class', 'class');
+	$sSep = ReadParam($oP, 'separator', 'raw_data');
+	$sQualifier = ReadParam($oP, 'qualifier', 'raw_data');
+	$sCharSet = ReadParam($oP, 'charset', 'raw_data');
+	$sDateFormat = ReadParam($oP, 'date_format', 'raw_data');
 	$sOutput = ReadParam($oP, 'output');
 //	$sReportLevel = ReadParam($oP, 'reportlevel');
-	$sReconcKeys = ReadParam($oP, 'reconciliationkeys');
+	$sReconcKeys = ReadParam($oP, 'reconciliationkeys', 'field_name');
 	$sSimulate = ReadParam($oP, 'simulate');
-	$sComment = ReadParam($oP, 'comment');
+	$sComment = ReadParam($oP, 'comment', 'raw_data');
 
 	//////////////////////////////////////////////////
 	//