🔒 N°1795 prevent XSS on some fields
@@ -300,6 +300,9 @@ class LoginWebPage extends NiceWebPage
|
||||
$sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
|
||||
$sToken = utils::ReadParam('token', '', false, 'raw_data');
|
||||
|
||||
$sAuthUserForDisplay = utils::HtmlEntities($sAuthUser);
|
||||
$sTokenForDisplay = utils::HtmlEntities($sToken);
|
||||
|
||||
UserRights::Login($sAuthUser); // Set the user's language
|
||||
$oUser = UserRights::GetUserObject();
|
||||
|
||||
@@ -308,7 +311,7 @@ class LoginWebPage extends NiceWebPage
|
||||
$this->add("<h1>".Dict::S('UI:ResetPwd-Title')."</h1>\n");
|
||||
if ($oUser == null)
|
||||
{
|
||||
$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."</p>\n");
|
||||
$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUserForDisplay)."</p>\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -320,7 +323,8 @@ class LoginWebPage extends NiceWebPage
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->add("<p>".Dict::Format('UI:ResetPwd-Error-EnterPassword', $oUser->GetFriendlyName())."</p>\n");
|
||||
$sUserNameForDisplay = utils::HtmlEntities($oUser->GetFriendlyName());
|
||||
$this->add("<p>".Dict::Format('UI:ResetPwd-Error-EnterPassword', $sUserNameForDisplay)."</p>\n");
|
||||
|
||||
$sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch');
|
||||
$this->add_script(
|
||||
@@ -343,8 +347,8 @@ EOF
|
||||
$this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"><span class=\"btn_border\"><input type=\"submit\" onClick=\"return DoCheckPwd();\" value=\"".Dict::S('UI:Button:ChangePassword')."\" /></span></td></tr>\n");
|
||||
$this->add("</table>\n");
|
||||
$this->add("<input type=\"hidden\" name=\"loginop\" value=\"do_reset_pwd\" />\n");
|
||||
$this->add("<input type=\"hidden\" name=\"auth_user\" value=\"".htmlentities($sAuthUser, ENT_QUOTES, 'UTF-8')."\" />\n");
|
||||
$this->add("<input type=\"hidden\" name=\"token\" value=\"".htmlentities($sToken, ENT_QUOTES, 'UTF-8')."\" />\n");
|
||||
$this->add("<input type=\"hidden\" name=\"auth_user\" value=\"".$sAuthUserForDisplay."\" />\n");
|
||||
$this->add("<input type=\"hidden\" name=\"token\" value=\"".$sTokenForDisplay."\" />\n");
|
||||
$this->add("</form>\n");
|
||||
$this->add("</div\n");
|
||||
}
|
||||
|
||||
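Review bot: The closing tag written by `$this->add("</div\n");` in the @@ -343 hunk is missing its `>`, so the reset-password form is followed by a literal `</div` in the emitted HTML; it should read `$this->add("</div>\n");`. The line is untouched by the commit but sits directly under the lines it rewrites, so it is a cheap fix to fold in. Separately, `utils::HtmlEntities` produces HTML-context escaping only; `$sInconsistenPwdMsg` in the @@ -320 hunk is handed to `add_script(`, and if it is embedded in a JavaScript string literal it needs JS/JSON escaping (for example via `json_encode`) rather than entity encoding — the script body is outside the hunk, so I cannot confirm how it is embedded. The enclosing method starts before the first hunk and continues after the last one.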
@@ -1,6 +1,7 @@
|
||||
<?php
|
||||
use Html2Text\Html2Text;
|
||||
|
||||
use Leafo\ScssPhp\Compiler;
|
||||
|
||||
// Copyright (C) 2010-2017 Combodo SARL
|
||||
//
|
||||
// This file is part of iTop.
|
||||
@@ -1398,7 +1399,17 @@ class utils
|
||||
asort($aPossibleEncodings);
|
||||
return $aPossibleEncodings;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Helper to encapsulation iTop's htmlentities
|
||||
* @param string $sValue
|
||||
* @return string
|
||||
*/
|
||||
static public function HtmlEntities($sValue)
|
||||
{
|
||||
return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert a string containing some (valid) HTML markup to plain text
|
||||
* @param string $sHtml
|
||||
|
||||
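Review bot: `utils::HtmlEntities` passes only `ENT_QUOTES`, so on input that is not valid UTF-8 `htmlentities` returns an empty string instead of an escaped one; since the new callers feed it request parameters read as `raw_data`, a malformed byte sequence silently blanks the displayed value. Adding `ENT_SUBSTITUTE` keeps the output non-empty by replacing invalid sequences: `return htmlentities($sValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The docblock wording `Helper to encapsulation iTop's htmlentities` should read `Helper encapsulating iTop's htmlentities call (HTML body/attribute context only; not suitable for JavaScript or URL contexts)`, which tells callers which contexts it covers. PSR ordering is `public static function`, not `static public`. The `use Leafo\ScssPhp\Compiler;` line added in the first hunk is unrelated to the XSS fix the commit describes and would be clearer in its own commit.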
@@ -212,11 +212,13 @@ catch(Exception $e)
|
||||
}
|
||||
|
||||
$sZipArchiveFile = MakeArchiveFileName().'.tar.gz';
|
||||
echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFile\n";
|
||||
$sZipArchiveFileForDisplay = utils::HtmlEntities($sZipArchiveFile);
|
||||
echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFileForDisplay\n";
|
||||
|
||||
|
||||
if (!file_exists($sZipArchiveFile))
|
||||
{
|
||||
RaiseAlarm("Missing backup file '$sZipArchiveFile'");
|
||||
RaiseAlarm("Missing backup file '$sZipArchiveFileForDisplay'");
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -224,7 +226,7 @@ if (!file_exists($sZipArchiveFile))
|
||||
$aStat = stat($sZipArchiveFile);
|
||||
if (!$aStat)
|
||||
{
|
||||
RaiseAlarm("Failed to stat backup file '$sZipArchiveFile'");
|
||||
RaiseAlarm("Failed to stat backup file '$sZipArchiveFileForDisplay'");
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -233,7 +235,7 @@ $iSize = (int)$aStat['size'];
|
||||
$iMIN = utils::ReadParam('check_size_min', 0);
|
||||
if ($iSize <= $iMIN)
|
||||
{
|
||||
RaiseAlarm("Backup file '$sZipArchiveFile' too small (Found: $iSize, while expecting $iMIN bytes)");
|
||||
RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' too small (Found: $iSize, while expecting $iMIN bytes)");
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -241,11 +243,12 @@ if ($iSize <= $iMIN)
|
||||
|
||||
echo "Found the archive\n";
|
||||
$sOldArchiveFile = MakeArchiveFileName(time() - 86400).'.tar.gz'; // yesterday's archive
|
||||
$sOldArchiveFileForDisplay = utils::HtmlEntities($sOldArchiveFile);
|
||||
if (file_exists($sOldArchiveFile))
|
||||
{
|
||||
if ($aOldStat = stat($sOldArchiveFile))
|
||||
{
|
||||
echo "Comparing its size with older file: $sOldArchiveFile\n";
|
||||
echo "Comparing its size with older file: $sOldArchiveFileForDisplay\n";
|
||||
$iOldSize = (int)$aOldStat['size'];
|
||||
$fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;
|
||||
$sVariation = round($fVariationPercent, 2)." percent(s)";
|
||||
@@ -253,7 +256,7 @@ if (file_exists($sOldArchiveFile))
|
||||
$iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');
|
||||
if ($fVariationPercent < -$iREDUCTIONMAX)
|
||||
{
|
||||
RaiseAlarm("Backup file '$sZipArchiveFile' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
|
||||
RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
|
||||
}
|
||||
elseif ($fVariationPercent < 0)
|
||||
{
|
||||
|
||||
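Review bot: `$iMIN` and `$iREDUCTIONMAX` (@@ -233 and @@ -253 hunks) are interpolated into the same `RaiseAlarm` messages the commit now escapes, yet they come straight from `utils::ReadParam` without encoding or casting; unless `ReadParam`'s default filter already restricts them to digits, they reach the alarm sink unescaped. Casting at the read site closes that gap and documents the intent: `$iMIN = (int)utils::ReadParam('check_size_min', 0);` and `$iREDUCTIONMAX = (int)utils::ReadParam('check_size_reduction_max');`. Note that the archive name is now HTML-encoded before `echo` as well; if this script runs from the command line or its output is logged as plain text, `&amp;` and `&#039;` will appear literally, so the encoding belongs at the HTML sink rather than in the message text — I cannot see from the hunks where `RaiseAlarm` and the echo output end up. In the @@ -241 hunk, `100 * ($iSize - $iOldSize) / $iOldSize` divides by zero when yesterday's archive exists but is empty (`stat` succeeds with size 0), which should be guarded before computing the variation.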
@@ -2228,7 +2228,12 @@ EOF
|
||||
try
|
||||
{
|
||||
$token = utils::ReadParam('token', null);
|
||||
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => "Export not found for token: '$token'"); // Fallback error, just in case
|
||||
$sTokenForDisplay = utils::HtmlEntities($token);
|
||||
$aResult = array( // Fallback error, just in case
|
||||
'code' => 'error',
|
||||
'percentage' => 100,
|
||||
'message' => "Export not found for token: '$sTokenForDisplay'",
|
||||
);
|
||||
$data = '';
|
||||
if ($token === null)
|
||||
{
|
||||
@@ -2303,11 +2308,11 @@ EOF
|
||||
$oPage->add(json_encode($aResult));
|
||||
} catch (BulkExportException $e)
|
||||
{
|
||||
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->GetLocalizedMessage());
|
||||
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->GetLocalizedMessage()));
|
||||
$oPage->add(json_encode($aResult));
|
||||
} catch (Exception $e)
|
||||
{
|
||||
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->getMessage());
|
||||
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->getMessage()));
|
||||
$oPage->add(json_encode($aResult));
|
||||
}
|
||||
break;
|
||||
|
||||
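Review bot: Escaping `$e->getMessage()`, `$e->GetLocalizedMessage()` and the token with `utils::HtmlEntities` before `json_encode` (@@ -2303 and @@ -2228 hunks) bakes HTML escaping into a JSON payload, which is only correct if every consumer of `message` inserts it as HTML; a consumer that sets it as text will show `&lt;` and `&#039;` literally, and one that inserts it as HTML still gets no protection for the other fields. The usual boundary for a JSON response is the client-side renderer, or `json_encode($aResult, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` if the JSON text is ever echoed into a page — which applies depends on the JavaScript side, which is not in the hunk. Also, `$token` is read with a `null` default and `utils::HtmlEntities($token)` runs before the `$token === null` test, so `htmlentities` receives `null` on the missing-parameter path; moving the encoding below that check, or reading with `''` as the default, avoids passing a non-string to it. Returning `$e->getMessage()` from the generic `catch (Exception $e)` is pre-existing, but it can surface internal details in the response; logging the message server-side and returning a generic text is the safer shape. The enclosing `case` block starts before the first hunk.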