From b1fa429234afa02f6ea9c62655e7a15f47ff5c7d Mon Sep 17 00:00:00 2001 From: Eric Date: Fri, 10 Jul 2020 14:41:38 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B02957=20-=20Better=20check=20of=20the=20c?= =?UTF-8?q?lass=20parameter=20in=20requests?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- application/utils.inc.php | 4 +++- .../2.x/itop-attachments/ajax.itop-attachment.php | 2 +- pages/UI.php | 12 ++++++------ pages/navigator.php | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/application/utils.inc.php b/application/utils.inc.php
index 529dbe21b..28e1c5a9b 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -283,6 +283,8 @@ class utils
*
* @since 2.5.2 2.6.0 new 'transaction_id' filter
* @since 2.7.0 new 'element_identifier' filter
+ *
+ * @throws \CoreException
*/
protected static function Sanitize_Internal($value, $sSanitizationFilter)
{
@@ -296,7 +298,7 @@ class utils
$retValue = $value;
if (!MetaModel::IsValidClass($value)) {
- $retValue = false;
+ throw new CoreException(Dict::Format('UI:OQL:UnknownClassNoFix', utils::HtmlEntities($value)));
}
break;
diff --git a/datamodels/2.x/itop-attachments/ajax.itop-attachment.php b/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
index b603773f1..b593cb043 100644
--- a/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
+++ b/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
@@ -32,7 +32,7 @@ require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
*/
function RenderAttachments(ajax_page $oPage, $iTransactionId) {
- $sClass = utils::ReadParam('objclass', '');
+ $sClass = utils::ReadParam('objclass', '', false, 'class');
$sId = utils::ReadParam('objkey', '');
$oObject = MetaModel::GetObject($sClass, $sId, false);
$bEditMode = utils::ReadParam('edit_mode', 0);
diff --git a/pages/UI.php b/pages/UI.php
index 581059517..0fb6d19ea 100644
--- a/pages/UI.php
+++ b/pages/UI.php
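Review bot: The 'class' filter now throws from inside Sanitize_Internal instead of returning false, so `$retValue = $value;` just above the check is the only path out of this branch and any caller that tested the sanitized value with `=== false` (none visible here) silently becomes unreachable; grep for that pattern before merging. The message is built with `utils::HtmlEntities($value)`, which is correct when the CoreException is rendered into HTML but leaves `&lt;`-style entities in a plain-text log or a JSON body; since the same filter is applied by the attachment AJAX endpoint in this patch, confirm which renderer handles the exception there, or move the escaping to the output layer. The switch that contains this `case` starts and ends outside the hunk.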
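Review bot: `objkey` is still read with no sanitization filter on the line after the change and is passed straight to `MetaModel::GetObject($sClass, $sId, false)`; with the third argument false that call presumably returns null rather than throwing when nothing matches, and whether the rest of RenderAttachments (which continues past the hunk) guards against a null `$oObject` is not visible here. If it does not, add `if ($oObject === null) { return; }` right after the lookup, and give `objkey` a numeric filter if ReadParam offers one so a bad key fails as early as a bad class now does. `$iTransactionId` is received but not checked in the visible lines; confirm the caller validates it before this function renders edit controls.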
@@ -388,7 +388,7 @@ try
///////////////////////////////////////////////////////////////////////////////////////////
case 'details': // Details of an object
- $sClass = utils::ReadParam('class', '');
+ $sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
if ( empty($sClass) || empty($id)) {
@@ -459,7 +459,7 @@ try
case 'release_lock_and_details':
$oP->DisableBreadCrumb();
- $sClass = utils::ReadParam('class', '');
+ $sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
$oObj = MetaModel::GetObject($sClass, $id);
$sToken = utils::ReadParam('token', '');
@@ -906,7 +906,7 @@ HTML
case 'apply_modify': // Applying the modifications to an existing object
$oP->DisableBreadCrumb();
- $sClass = utils::ReadPostedParam('class', '');
+ $sClass = utils::ReadPostedParam('class', '', 'class');
$sClassLabel = MetaModel::GetName($sClass);
$id = utils::ReadPostedParam('id', '');
$sTransactionId = utils::ReadPostedParam('transaction_id', '', 'transaction_id');
@@ -1493,7 +1493,7 @@ HTML
} $iFieldsCount = count($aFieldsMap); $sJsonFieldsMap = json_encode($aFieldsMap); - + $oP->add_script( <<DisableBreadCrumb();
- $sClass = utils::ReadPostedParam('class', '');
+ $sClass = utils::ReadPostedParam('class', '', 'class');
$id = utils::ReadPostedParam('id', '');
$sTransactionId = utils::ReadPostedParam('transaction_id', '', 'transaction_id');
$sStimulus = utils::ReadPostedParam('stimulus', '');
@@ -1938,7 +1938,7 @@ EOF
case 'kill_lock':
$oP->DisableBreadCrumb();
- $sClass = utils::ReadParam('class', '');
+ $sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', '');
iTopOwnershipLock::KillLock($sClass, $id);
$oObj = MetaModel::GetObject($sClass, $id);
diff --git a/pages/navigator.php b/pages/navigator.php
index a20e753fe..70b8d9d74 100755
--- a/pages/navigator.php
+++ b/pages/navigator.php
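Review bot: Unlike the 'details' case just above it, release_lock_and_details passes `$sClass` and `$id` straight into `MetaModel::GetObject($sClass, $id)` with no emptiness guard; the default `''` returned for a missing parameter would reach GetObject as an empty class name, and whether that default is itself run through the 'class' filter is not visible from this hunk. Mirror the `if ( empty($sClass) || empty($id))` guard the 'details' case uses before the lookup so a missing parameter fails the same way a bad one now does. The `token` parameter is read only after the object has been fetched; the check that consumes it lies outside the hunk.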
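Review bot: In kill_lock the lock is destroyed by `iTopOwnershipLock::KillLock($sClass, $id)` before `MetaModel::GetObject($sClass, $id)` has confirmed that the object exists and is visible to the current user, so a request naming a non-existent or forbidden id still clears the lock first; swapping the two lines lets the lookup (and whatever it throws on failure) act as the gate. This is also a state-changing action driven by `utils::ReadParam`, i.e. query-string parameters, with no transaction_id read in the visible lines — if nothing outside the hunk validates a token, a crafted link could release another user's lock. The case body continues beyond the hunk.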
@@ -36,7 +36,7 @@ $oAppContext = new ApplicationContext();
$oP = new iTopWebPage("iTop - Navigator"); // Main program
-$sClass = utils::ReadParam('class', '');
+$sClass = utils::ReadParam('class', '', false, 'class');
$id = utils::ReadParam('id', 0);
$sRelation = utils::ReadParam('relation', 'neighbours');
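Review bot: `relation` is read on the last line of the hunk with the default filter and never checked here, yet it selects which data-model relation the navigator walks; validate it against the relation names the data model actually declares before it is used (the consuming code is outside the hunk), raising a CoreException on an unknown name so it fails the way the new 'class' filter does. The `id` default is `0` while every other page touched by this patch defaults the id to `''`; unify the default or document why the navigator differs. The rest of this script is not visible.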