release 1.1.9.1: fix XSS function lost in rebuild of always.php

a3acb770 · Jim Fenton · e2070c9b · a3acb770 · a3acb770 · a3acb770
Commit a3acb770 authored Dec 03, 2019 by Jim Fenton
Hide whitespace changes
Inline Side-by-side

Showing with 84 additions and 2 deletions

VERSION VERSION +1 -1

htdocs/always.php htdocs/always.php +42 -1

inc/always.php.in inc/always.php.in +41 -0

No files found.
--- a/VERSION
+++ b/VERSION
-1.1.9
+1.1.9.1
--- a/htdocs/always.php
+++ b/htdocs/always.php
@@ -8,6 +8,47 @@

 if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');

+// XSS Protection
+function filter_post(&$val, $index) {
+    if(in_array($index, ["newpass1", "newpass2"])) return;
+
+    switch (gettype($val)) {
+        case "string":
+            $val = htmlspecialchars($val);
+            break;
+
+        case "array":
+            array_walk_recursive($val, function(&$v) {
+                if (gettype($v) == "string") {
+                    $v = htmlspecialchars($v);
+                }
+            });
+            break;
+    }
+}
+
+function clean_get() {
+    $temp = [];
+
+    foreach($_GET as $key => $value) {
+        // XSS is possible in both key and values
+        $k = htmlspecialchars($key);
+        $v = htmlspecialchars($value);
+        $temp[$k] = $v;
+    }
+
+    return $temp;
+}
+
+// Before anything else is executed we filter all the user input, a lot of code in this project
+// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
+if(isset($_POST)) array_walk($_POST, 'filter_post');
+$_GET = clean_get();
+$_SERVER['REQUEST_URI'] = str_replace("&amp;", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
+$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
+
+
+
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);
@@ -246,7 +287,7 @@ if ( function_exists('awl_set_locale') ) {
 */
 $c->code_version = 0;
 $c->want_awl_version = '0.60';
-$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
+$c->version_string = '1.1.9.1'; // The actual version # is replaced into that during the build /release process
 if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
  $c->code_major = $matches[1];
  $c->code_minor = $matches[2];

--- a/inc/always.php.in
+++ b/inc/always.php.in
@@ -8,6 +8,47 @@

 if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');

+// XSS Protection
+function filter_post(&$val, $index) {
+    if(in_array($index, ["newpass1", "newpass2"])) return;
+
+    switch (gettype($val)) {
+        case "string":
+            $val = htmlspecialchars($val);
+            break;
+
+        case "array":
+            array_walk_recursive($val, function(&$v) {
+                if (gettype($v) == "string") {
+                    $v = htmlspecialchars($v);
+                }
+            });
+            break;
+    }
+}
+
+function clean_get() {
+    $temp = [];
+
+    foreach($_GET as $key => $value) {
+        // XSS is possible in both key and values
+        $k = htmlspecialchars($key);
+        $v = htmlspecialchars($value);
+        $temp[$k] = $v;
+    }
+
+    return $temp;
+}
+
+// Before anything else is executed we filter all the user input, a lot of code in this project
+// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
+if(isset($_POST)) array_walk($_POST, 'filter_post');
+$_GET = clean_get();
+$_SERVER['REQUEST_URI'] = str_replace("&amp;", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
+$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
+
+
+
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);