Peter M. Groen / knowledgetree

Commit 843b7249c48aa0f27f0890b35e607e6c405f9bc1

Authored by Megan Watson
1 parent 94e7844b

Fixed XSS issues as per the Arhont report (1-6), used strip_tags to remove any t… 

…ags containing javascript.

Committed by: Megan Watson
Reviewed by: Donald Jackson



git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@9628 c91229c3-7414-0410-bfa2-8a42b809f60b
Inline Side-by-side
Showing 7 changed files with 50 additions and 40 deletions
action.php
  View file @843b724
... ... @@ -40,6 +40,11 @@ require_once('config/dmsDefaults.php');
40 40 require_once(KT_LIB_DIR . '/actions/actionregistry.inc.php');
41 41 require_once(KT_LIB_DIR . '/dispatcher.inc.php');
42 42  
  43 +// Strip html tags out of the request action to prevent XSS attacks
  44 +// This is done here to ensure that it is done for all places that use the variables.
  45 +$_REQUEST['fReturnAction'] = strip_tags($_REQUEST['fReturnAction']);
  46 +$_REQUEST['fReturnData'] = strip_tags($_REQUEST['fReturnData']);
  47 +
43 48 /*
44 49 * Using KTStandardDispatcher for errorPage, overriding handleOutput as
45 50 * the document action dispatcher will handle that.
... ...
config/dmsDefaults.php
  View file @843b724
... ... @@ -250,12 +250,12 @@ class KTInit {
250 250 $path_info = KTUtil::arrayGet($_SERVER, 'PATH_INFO');
251 251 $orig_path_info = KTUtil::arrayGet($_SERVER, 'ORIG_PATH_INFO');
252 252 if (empty($path_info) && !empty($orig_path_info)) {
253   - $_SERVER['PATH_INFO'] = $_SERVER['ORIG_PATH_INFO'];
  253 + $_SERVER['PATH_INFO'] = strip_tags($_SERVER['ORIG_PATH_INFO']);
254 254 $_SERVER['PHP_SELF'] .= $_SERVER['PATH_INFO'];
255 255 }
256 256 $env_path_info = KTUtil::arrayGet($_SERVER, 'REDIRECT_kt_path_info');
257 257 if (empty($path_info) && !empty($env_path_info)) {
258   - $_SERVER['PATH_INFO'] = $env_path_info;
  258 + $_SERVER['PATH_INFO'] = strip_tags($env_path_info);
259 259 $_SERVER['PHP_SELF'] .= $_SERVER['PATH_INFO'];
260 260 }
261 261  
... ... @@ -263,16 +263,19 @@ class KTInit {
263 263 // set REQUEST_URI. Fake it.
264 264 $request_uri = KTUtil::arrayGet($_SERVER, 'REQUEST_URI');
265 265 if (empty($request_uri)) {
266   - $_SERVER['REQUEST_URI'] = KTUtil::addQueryString($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING']);
  266 + $_SERVER['REQUEST_URI'] = strip_tags(KTUtil::addQueryString($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING']));
267 267 }
268 268 } else {
269 269 unset($_SERVER['PATH_INFO']);
270 270 }
271 271  
272   - $script_name = KTUtil::arrayGet($_SERVER, 'SCRIPT_NAME');
273   - $php_self = KTUtil::arrayGet($_SERVER, 'PHP_SELF');
  272 + $script_name = strip_tags(KTUtil::arrayGet($_SERVER, 'SCRIPT_NAME'));
  273 + $php_self = strip_tags(KTUtil::arrayGet($_SERVER, 'PHP_SELF'));
274 274  
275   - $kt_path_info = KTUtil::arrayGet($_REQUEST, 'kt_path_info');
  275 + $_SERVER['SCRIPT_NAME'] = $script_name;
  276 + $_SERVER['PHP_SELF'] = $php_self;
  277 +
  278 + $kt_path_info = strip_tags(KTUtil::arrayGet($_REQUEST, 'kt_path_info'));
276 279 if (!empty($kt_path_info)) {
277 280 $_SERVER['PHP_SELF'] .= '?kt_path_info=' . $kt_path_info;
278 281 $_SERVER['PATH_INFO'] = $kt_path_info;
... ...
customerrorpage.php
  View file @843b724
... ... @@ -50,6 +50,8 @@ $sScriptName = ($sLastChar == '\\' || $sLastChar == '/') ? substr($sScriptName,
50 50 $bSSLEnabled = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? true : false;
51 51 $sRootUrl = ($bSSLEnabled ? 'https://' : 'http://').$sRoot;
52 52  
  53 +$error = strip_tags($error);
  54 +
53 55 ?>
54 56 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
55 57 <html>
... ...
lib/dispatcher.inc.php
  View file @843b724
... ... @@ -6,31 +6,31 @@
6 6 * Document Management Made Simple
7 7 * Copyright (C) 2008 KnowledgeTree Inc.
8 8 * Portions copyright The Jam Warehouse Software (Pty) Limited
9   - *
  9 + *
10 10 * This program is free software; you can redistribute it and/or modify it under
11 11 * the terms of the GNU General Public License version 3 as published by the
12 12 * Free Software Foundation.
13   - *
  13 + *
14 14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16 16 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
17 17 * details.
18   - *
  18 + *
19 19 * You should have received a copy of the GNU General Public License
20 20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
21   - *
22   - * You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
  21 + *
  22 + * You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
23 23 * California 94120-7775, or email info@knowledgetree.com.
24   - *
  24 + *
25 25 * The interactive user interfaces in modified source and object code versions
26 26 * of this program must display Appropriate Legal Notices, as required under
27 27 * Section 5 of the GNU General Public License version 3.
28   - *
  28 + *
29 29 * In accordance with Section 7(b) of the GNU General Public License version 3,
30 30 * these Appropriate Legal Notices must retain the display of the "Powered by
31   - * KnowledgeTree" logo and retain the original copyright notice. If the display of the
  31 + * KnowledgeTree" logo and retain the original copyright notice. If the display of the
32 32 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
33   - * must display the words "Powered by KnowledgeTree" and retain the original
  33 + * must display the words "Powered by KnowledgeTree" and retain the original
34 34 * copyright notice.
35 35 * Contributor( s): ______________________________________
36 36 *
... ... @@ -115,7 +115,7 @@ class KTDispatcher {
115 115 }
116 116 $method = sprintf('%s_main', $this->action_prefix);
117 117 if (array_key_exists($this->event_var, $_REQUEST)) {
118   - $event = $_REQUEST[$this->event_var];
  118 + $event = strip_tags($_REQUEST[$this->event_var]);
119 119 $proposed_method = sprintf('%s_%s', $this->action_prefix, $event);
120 120  
121 121 if (method_exists($this, $proposed_method)) {
... ... @@ -538,18 +538,18 @@ class KTErrorDispatcher extends KTStandardDispatcher {
538 538 }
539 539  
540 540 function dispatch() {
541   -
  541 +
542 542 require_once(KT_LIB_DIR . '/validation/customerror.php');
543   -
  543 +
544 544 $bCustomCheck = KTCustomErrorCheck::customErrorInit($this->oError);
545   -
  545 +
546 546 if($bCustomCheck)
547 547 {
548 548 exit(0);
549 549 }
550   -
551   -
552   - //if either customer error messages is off or the custom error page doesn't exist the function will run
  550 +
  551 +
  552 + //if either customer error messages is off or the custom error page doesn't exist the function will run
553 553 //the default error handling here
554 554 $oRegistry =& KTErrorViewerRegistry::getSingleton();
555 555 $oViewer =& $oRegistry->getViewer($this->oError);
... ...
login.php
  View file @843b724
... ... @@ -62,7 +62,7 @@ class LoginPageDispatcher extends KTDispatcher {
62 62 }
63 63 else {
64 64 // User is already logged in - get the redirect
65   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  65 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
66 66  
67 67 $cookietest = KTUtil::randomString();
68 68 setcookie("CookieTestCookie", $cookietest, 0);
... ... @@ -117,7 +117,7 @@ class LoginPageDispatcher extends KTDispatcher {
117 117 return $sessionID;
118 118 }
119 119  
120   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  120 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
121 121  
122 122 // DEPRECATED initialise page-level authorisation array
123 123 $_SESSION["pageAccess"] = NULL;
... ... @@ -167,7 +167,7 @@ class LoginPageDispatcher extends KTDispatcher {
167 167  
168 168 $errorMessageConfirm = $_SESSION['errormessage']['login'];
169 169  
170   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  170 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
171 171  
172 172 $oReg =& KTi18nregistry::getSingleton();
173 173 $aRegisteredLangs = $oReg->geti18nLanguages('knowledgeTree');
... ... @@ -241,12 +241,12 @@ class LoginPageDispatcher extends KTDispatcher {
241 241 }
242 242 setcookie("kt_language", $language, 2147483647, '/');
243 243  
244   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  244 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
245 245  
246 246 $url = $_SERVER["PHP_SELF"];
247 247 $queryParams = array();
248 248  
249   - if ($redirect !== null) {
  249 + if (!empty($redirect)) {
250 250 $queryParams[] = 'redirect=' . urlencode($redirect);
251 251 }
252 252  
... ... @@ -338,9 +338,9 @@ class LoginPageDispatcher extends KTDispatcher {
338 338  
339 339 $url = $_SERVER["PHP_SELF"];
340 340 $queryParams = array();
341   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  341 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
342 342  
343   - if ($redirect !== null) {
  343 + if (!empty($redirect)) {
344 344 $queryParams[] = 'redirect='. urlencode($redirect);
345 345 }
346 346  
... ... @@ -351,7 +351,7 @@ class LoginPageDispatcher extends KTDispatcher {
351 351 }
352 352  
353 353 // check for a location to forward to
354   - if ($redirect !== null) {
  354 + if (!empty($redirect)) {
355 355 $url = $redirect;
356 356 // else redirect to the dashboard if there is none
357 357 } else {
... ...
plugins/passwordResetPlugin/loginResetDispatcher.php
  View file @843b724
... ... @@ -82,7 +82,7 @@ class loginResetDispatcher extends KTDispatcher {
82 82  
83 83 if(!loginUtil::check()) { // bounce here, potentially.
84 84 // User is already logged in - get the redirect
85   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  85 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
86 86  
87 87 $cookietest = KTUtil::randomString();
88 88 setcookie("CookieTestCookie", $cookietest, 0);
... ... @@ -101,7 +101,7 @@ class loginResetDispatcher extends KTDispatcher {
101 101  
102 102 $errorMessageConfirm = $_SESSION['errormessage']['login'];
103 103  
104   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  104 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
105 105  
106 106 // Get the list of languages
107 107 $oReg =& KTi18nregistry::getSingleton();
... ... @@ -171,7 +171,7 @@ class loginResetDispatcher extends KTDispatcher {
171 171  
172 172 if(!loginUtil::check()) { // bounce here, potentially.
173 173 // User is already logged in - get the redirect
174   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  174 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
175 175  
176 176 $cookietest = KTUtil::randomString();
177 177 setcookie("CookieTestCookie", $cookietest, 0);
... ... @@ -191,12 +191,12 @@ class loginResetDispatcher extends KTDispatcher {
191 191 }
192 192 setcookie("kt_language", $language, 2147483647, '/');
193 193  
194   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  194 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
195 195  
196 196 $url = $_SERVER["PHP_SELF"];
197 197 $queryParams = array();
198 198  
199   - if ($redirect !== null) {
  199 + if (!empty($redirect)) {
200 200 $queryParams[] = 'redirect=' . urlencode($redirect);
201 201 }
202 202  
... ... @@ -254,9 +254,9 @@ class loginResetDispatcher extends KTDispatcher {
254 254  
255 255 $url = $_SERVER["PHP_SELF"];
256 256 $queryParams = array();
257   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  257 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
258 258  
259   - if ($redirect !== null) {
  259 + if (!empty($redirect)) {
260 260 $queryParams[] = 'redirect='. urlencode($redirect);
261 261 }
262 262  
... ... @@ -267,7 +267,7 @@ class loginResetDispatcher extends KTDispatcher {
267 267 }
268 268  
269 269 // check for a location to forward to
270   - if ($redirect !== null) {
  270 + if (!empty($redirect)) {
271 271 $url = $redirect;
272 272 // else redirect to the dashboard if there is none
273 273 } else {
... ... @@ -415,4 +415,4 @@ class loginResetDispatcher extends KTDispatcher {
415 415 $dispatcher = new loginResetDispatcher();
416 416 $dispatcher->dispatch();
417 417  
418 418 -?>
  419 +?>
419 420 \ No newline at end of file
... ...
plugins/passwordResetPlugin/loginUtil.inc.php
  View file @843b724
... ... @@ -94,7 +94,7 @@ class loginUtil
94 94 return $sessionID;
95 95 }
96 96  
97   - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect');
  97 + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));
98 98  
99 99 // DEPRECATED initialise page-level authorisation array
100 100 $_SESSION["pageAccess"] = NULL;
... ...