N°2957 - Better check of the class parameter in requests

This commit is contained in:
Eric
2020-07-10 14:41:38 +02:00
parent 78516f437a
commit b1fa429234
4 changed files with 11 additions and 9 deletions


@@ -283,6 +283,8 @@ class utils
*
* @since 2.5.2 2.6.0 new 'transaction_id' filter
* @since 2.7.0 new 'element_identifier' filter
*
* @throws \CoreException
*/
protected static function Sanitize_Internal($value, $sSanitizationFilter)
{
@@ -296,7 +298,7 @@ class utils
$retValue = $value;
if (!MetaModel::IsValidClass($value))
{
$retValue = false;
throw new CoreException(Dict::Format('UI:OQL:UnknownClassNoFix', utils::HtmlEntities($value)));
}
break;
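Review bot: The added `@throws \CoreException` tag in the first hunk does not say when the exception is raised, and since the second hunk replaces `$retValue = false;` with a throw for the 'class' filter, callers that previously tested the result for `false` now need a try/catch; the docblock should state it, e.g. `* @throws \CoreException when the 'class' filter receives a class name not known to MetaModel`. The `$retValue = $value;` assignment ahead of the check is harmless now that the failure path throws, but could move after it for clarity. The other filters in Sanitize_Internal presumably still signal failure by returning `false`, so the mixed contract is worth a sentence in the same docblock. Sanitize_Internal continues outside the hunk.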


@@ -32,7 +32,7 @@ require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
*/
function RenderAttachments(ajax_page $oPage, $iTransactionId)
{
$sClass = utils::ReadParam('objclass', '');
$sClass = utils::ReadParam('objclass', '', false, 'class');
$sId = utils::ReadParam('objkey', '');
$oObject = MetaModel::GetObject($sClass, $sId, false);
$bEditMode = utils::ReadParam('edit_mode', 0);
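Review bot: `objkey` on the line after the changed read still uses the default sanitizer and is passed straight into `MetaModel::GetObject($sClass, $sId, false)`, so only half of the lookup key is validated; if Sanitize_Internal offers a numeric or key-style filter, reading `objkey` through it would make the pair consistent. With the 'class' filter an unknown class now throws a CoreException instead of leaving `$sClass` as `''`, and no try is visible around RenderAttachments, so confirm the ajax caller turns that into a proper error response rather than a truncated page. The positional `false` argument is opaque at the call site; a short comment naming what it selects would help, since the parameter's meaning is not visible here.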


@@ -388,7 +388,7 @@ try
///////////////////////////////////////////////////////////////////////////////////////////
case 'details': // Details of an object
$sClass = utils::ReadParam('class', '');
$sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
if ( empty($sClass) || empty($id))
{
@@ -459,7 +459,7 @@ try
case 'release_lock_and_details':
$oP->DisableBreadCrumb();
$sClass = utils::ReadParam('class', '');
$sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
$oObj = MetaModel::GetObject($sClass, $id);
$sToken = utils::ReadParam('token', '');
@@ -906,7 +906,7 @@ HTML
case 'apply_modify': // Applying the modifications to an existing object
$oP->DisableBreadCrumb();
$sClass = utils::ReadPostedParam('class', '');
$sClass = utils::ReadPostedParam('class', '', 'class');
$sClassLabel = MetaModel::GetName($sClass);
$id = utils::ReadPostedParam('id', '');
$sTransactionId = utils::ReadPostedParam('transaction_id', '', 'transaction_id');
@@ -1493,7 +1493,7 @@ HTML
}
$iFieldsCount = count($aFieldsMap);
$sJsonFieldsMap = json_encode($aFieldsMap);
$oP->add_script(
<<<EOF
// Initializes the object once at the beginning of the page...
@@ -1695,7 +1695,7 @@ EOF
case 'apply_stimulus': // Actual state change
$oP->DisableBreadCrumb();
$sClass = utils::ReadPostedParam('class', '');
$sClass = utils::ReadPostedParam('class', '', 'class');
$id = utils::ReadPostedParam('id', '');
$sTransactionId = utils::ReadPostedParam('transaction_id', '', 'transaction_id');
$sStimulus = utils::ReadPostedParam('stimulus', '');
@@ -1938,7 +1938,7 @@ EOF
case 'kill_lock':
$oP->DisableBreadCrumb();
$sClass = utils::ReadParam('class', '');
$sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
iTopOwnershipLock::KillLock($sClass, $id);
$oObj = MetaModel::GetObject($sClass, $id);
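Review bot: In the 'details' hunk the `if ( empty($sClass) || empty($id))` guard now follows a read that applies the 'class' filter; if ReadParam sanitizes the default `''` as well, `MetaModel::IsValidClass('')` fails and the guard becomes unreachable, turning the intended missing-parameter path into a thrown CoreException. Confirm that the filter is skipped when the parameter is absent, or keep the empty check ahead of the validation. The same pattern recurs in the 'release_lock_and_details', 'apply_modify', 'apply_stimulus' and 'kill_lock' hunks, each of which still passes an `$id` read with the default sanitizer into GetObject or KillLock. The hunk at 1493 shows no visibly changed line although the header and diffstat imply one; it is probably a whitespace-only edit lost in rendering, worth confirming. All of these cases sit inside the file-level `try` that begins outside the hunks.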


@@ -36,7 +36,7 @@ $oAppContext = new ApplicationContext();
$oP = new iTopWebPage("iTop - Navigator");
// Main program
$sClass = utils::ReadParam('class', '');
$sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', 0);
$sRelation = utils::ReadParam('relation', 'neighbours');
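Review bot: The 'class' filter on the changed line turns an unknown class into a thrown CoreException, but this is a top-level script with no `try` visible above the hunk, so unless a handler encloses line 36 the exception will surface as an unhandled error page instead of the navigator's own error output. Confirm a surrounding handler exists, or wrap the parameter reads in a try that reports the error through `$oP`, as the try-wrapped UI page in this commit does. `id` on the following line keeps the default sanitizer with `0` as default, which is fine as long as the downstream lookup treats 0 as "no object"; a comment to that effect, e.g. `// 0 means no object selected`, would make the intent explicit.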