Still fixing regressions caused by Trac#446: XSS vulnerabilities...

SVN:trunk[1450]
2026-04-24 11:08:45 +02:00 · 2011-08-12 10:06:33 +00:00
parent 96f3350029
commit b02021a4ff
7 changed files with 53 additions and 41 deletions
--- a/synchro/synchro_import.php
+++ b/synchro/synchro_import.php
@@ -176,22 +176,22 @@ function UsageAndExit($oP)
 }


-function ReadParam($oP, $sParam)
+function ReadParam($oP, $sParam, $sSanitizationFilter = 'parameter')
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert(!$aPageParams[$sParam]['mandatory']);
-	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, $aPageParams[$sParam]['default'], true /* Allow CLI */, $sSanitizationFilter);
 	return trim($sValue);
 }

-function ReadMandatoryParam($oP, $sParam)
+function ReadMandatoryParam($oP, $sParam, $sSanitizationFilter)
 {
 	global $aPageParams;
 	assert(isset($aPageParams[$sParam]));
 	assert($aPageParams[$sParam]['mandatory']);

-	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */);
+	$sValue = utils::ReadParam($sParam, null, true /* Allow CLI */, $sSanitizationFilter);
 	if (is_null($sValue))
 	{
 		$oP->p("ERROR: Missing argument '$sParam'\n");
@@ -244,9 +244,9 @@ if (utils::IsModeCLI())
 	// Next steps:
 	//   specific arguments: 'csvfile'
 	//   
-	$sAuthUser = ReadMandatoryParam($oP, 'auth_user');
-	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd');
-	$sCsvFile = ReadMandatoryParam($oP, 'csvfile');
+	$sAuthUser = ReadMandatoryParam($oP, 'auth_user', 'raw_data');
+	$sAuthPwd = ReadMandatoryParam($oP, 'auth_pwd', 'raw_data');
+	$sCsvFile = ReadMandatoryParam($oP, 'csvfile', 'raw_data');
 	if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd))
 	{
 		UserRights::Login($sAuthUser); // Login & set the user's language
@@ -273,7 +273,7 @@ else
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 	LoginWebPage::DoLogin(); // Check user rights and prompt if needed

-	$sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
+	$sCSVData = utils::ReadPostedParam('csvdata', '', false, 'raw_data');
 }


@@ -285,14 +285,14 @@ try
 	//
 	$iDataSourceId = ReadMandatoryParam($oP, 'data_source_id');
 	$sSynchronize = ReadParam($oP, 'synchronize');
-	$sSep = ReadParam($oP, 'separator');
-	$sQualifier = ReadParam($oP, 'qualifier');
-	$sCharSet = ReadParam($oP, 'charset');
-	$sDateFormat = ReadParam($oP, 'date_format');
+	$sSep = ReadParam($oP, 'separator', 'raw_data');
+	$sQualifier = ReadParam($oP, 'qualifier', 'raw_data');
+	$sCharSet = ReadParam($oP, 'charset', 'raw_data');
+	$sDateFormat = ReadParam($oP, 'date_format', 'raw_data');
 	$sOutput = ReadParam($oP, 'output');
 //	$sReportLevel = ReadParam($oP, 'reportlevel');
 	$sSimulate = ReadParam($oP, 'simulate');
-	$sComment = ReadParam($oP, 'comment');
+	$sComment = ReadParam($oP, 'comment', 'raw_data');

 	$oLoadStartDate = new DateTime(); // Now