diff --git a/action.php b/action.php index cec8254..e67c41d 100644 --- a/action.php +++ b/action.php @@ -40,6 +40,11 @@ require_once('config/dmsDefaults.php'); require_once(KT_LIB_DIR . '/actions/actionregistry.inc.php'); require_once(KT_LIB_DIR . '/dispatcher.inc.php'); +// Strip html tags out of the request action to prevent XSS attacks +// This is done here to ensure that it is done for all places that use the variables. +$_REQUEST['fReturnAction'] = strip_tags($_REQUEST['fReturnAction']); +$_REQUEST['fReturnData'] = strip_tags($_REQUEST['fReturnData']); + /* * Using KTStandardDispatcher for errorPage, overriding handleOutput as * the document action dispatcher will handle that. diff --git a/config/dmsDefaults.php b/config/dmsDefaults.php index 7ec4b10..a60e5e9 100644 --- a/config/dmsDefaults.php +++ b/config/dmsDefaults.php @@ -250,12 +250,12 @@ class KTInit { $path_info = KTUtil::arrayGet($_SERVER, 'PATH_INFO'); $orig_path_info = KTUtil::arrayGet($_SERVER, 'ORIG_PATH_INFO'); if (empty($path_info) && !empty($orig_path_info)) { - $_SERVER['PATH_INFO'] = $_SERVER['ORIG_PATH_INFO']; + $_SERVER['PATH_INFO'] = strip_tags($_SERVER['ORIG_PATH_INFO']); $_SERVER['PHP_SELF'] .= $_SERVER['PATH_INFO']; } $env_path_info = KTUtil::arrayGet($_SERVER, 'REDIRECT_kt_path_info'); if (empty($path_info) && !empty($env_path_info)) { - $_SERVER['PATH_INFO'] = $env_path_info; + $_SERVER['PATH_INFO'] = strip_tags($env_path_info); $_SERVER['PHP_SELF'] .= $_SERVER['PATH_INFO']; } 
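Review bot: `strip_tags()` on `$_REQUEST['fReturnAction']` and `$_REQUEST['fReturnData']` removes tags but does not encode the value, so any code that later echoes these into an attribute, URL or script context still needs `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` at the output site; this line is defence in depth, not the fix. The two assignments also assume both keys are present and hold strings: a missing key raises an undefined-index notice, and an array value makes `strip_tags()` warn or throw depending on the PHP version. Guard each as `if (isset($_REQUEST['fReturnAction']) && is_string($_REQUEST['fReturnAction'])) { $_REQUEST['fReturnAction'] = strip_tags($_REQUEST['fReturnAction']); }` and the same for `fReturnData`. The comment would be more accurate as `// Defence in depth: tags are stripped here for every consumer, but the values must still be HTML-escaped wherever they are output.`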
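Review bot: Wrapping `ORIG_PATH_INFO` and `$env_path_info` in `strip_tags()` silently rewrites a path that contained angle brackets instead of rejecting it, so the request is then routed under a different `PATH_INFO` and the same rewritten value is appended to `$_SERVER['PHP_SELF']` on the next line. If the goal is to stop `PHP_SELF` being echoed unescaped, the durable fix is `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')` at each output site, since quotes and ampersands survive `strip_tags()`. If input filtering is still wanted here, consider rejecting rather than rewriting, e.g. an allowlist check such as `if (!preg_match('#^[A-Za-z0-9_./-]*$#', $path)) { $path = ''; }`, adjusted to whatever characters the application's paths legitimately use. The enclosing KTInit method starts and ends outside this hunk.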
@@ -263,16 +263,19 @@ class KTInit { // set REQUEST_URI. Fake it. $request_uri = KTUtil::arrayGet($_SERVER, 'REQUEST_URI'); if (empty($request_uri)) { - $_SERVER['REQUEST_URI'] = KTUtil::addQueryString($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING']); + $_SERVER['REQUEST_URI'] = strip_tags(KTUtil::addQueryString($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING'])); } } else { unset($_SERVER['PATH_INFO']); } - $script_name = KTUtil::arrayGet($_SERVER, 'SCRIPT_NAME'); - $php_self = KTUtil::arrayGet($_SERVER, 'PHP_SELF'); + $script_name = strip_tags(KTUtil::arrayGet($_SERVER, 'SCRIPT_NAME')); + $php_self = strip_tags(KTUtil::arrayGet($_SERVER, 'PHP_SELF')); - $kt_path_info = KTUtil::arrayGet($_REQUEST, 'kt_path_info'); + $_SERVER['SCRIPT_NAME'] = $script_name; + $_SERVER['PHP_SELF'] = $php_self; + + $kt_path_info = strip_tags(KTUtil::arrayGet($_REQUEST, 'kt_path_info')); if (!empty($kt_path_info)) { $_SERVER['PHP_SELF'] .= '?kt_path_info=' . $kt_path_info; $_SERVER['PATH_INFO'] = $kt_path_info; diff --git a/customerrorpage.php b/customerrorpage.php index 18ea8bf..fa2b52f 100644 --- a/customerrorpage.php +++ b/customerrorpage.php @@ -50,6 +50,8 @@ $sScriptName = ($sLastChar == '\\' || $sLastChar == '/') ? substr($sScriptName, $bSSLEnabled = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? true : false; $sRootUrl = ($bSSLEnabled ? 'https://' : 'http://').$sRoot; +$error = strip_tags($error); + ?> diff --git a/lib/dispatcher.inc.php b/lib/dispatcher.inc.php index c99823c..edaf6d9 100644 --- a/lib/dispatcher.inc.php +++ b/lib/dispatcher.inc.php 
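Review bot: `$kt_path_info` is stripped but then concatenated raw into `$_SERVER['PHP_SELF']` on the unchanged context line `'?kt_path_info=' . $kt_path_info`, and quotes and other URL-significant characters are untouched by `strip_tags()`, so `PHP_SELF` is still unsafe to echo into an HTML attribute. Since `PATH_INFO` keeps the raw value separately, the query-string copy can be encoded without affecting routing: `$_SERVER['PHP_SELF'] .= '?kt_path_info=' . urlencode($kt_path_info);`. The same applies to the rebuilt `REQUEST_URI`, where `strip_tags()` on the output of `KTUtil::addQueryString()` leaves `QUERY_STRING` content otherwise unchanged; escaping at the output sites remains the fix for all of these. The enclosing KTInit method starts and ends outside this hunk.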
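Review bot: `$error = strip_tags($error);` is placed just before the `?>` that opens the HTML template, which suggests `$error` is printed into markup below; `strip_tags()` leaves `"`, `'` and `&` intact, so the template should encode at the point of output, `<?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?>`, rather than rely on tag stripping here. Where `$error` is assigned is not visible in this hunk; if it can be unset on some paths, this line will raise a notice, so `$error = isset($error) ? strip_tags($error) : '';` is the safer form.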
@@ -6,31 +6,31 @@
 * Document Management Made Simple
 * Copyright (C) 2008 KnowledgeTree Inc.
 * Portions copyright The Jam Warehouse Software (Pty) Limited
- *
+ *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation.
- *
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
- *
+ *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .
- *
- * You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
+ *
+ * You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
 * California 94120-7775, or email info@knowledgetree.com.
- *
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
- *
+ *
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
- * KnowledgeTree" logo and retain the original copyright notice. If the display of the
+ * KnowledgeTree" logo and retain the original copyright notice. If the display of the
 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
- * must display the words "Powered by KnowledgeTree" and retain the original
+ * must display the words "Powered by KnowledgeTree" and retain the original
 * copyright notice.
 * Contributor( s): ______________________________________
 *
@@ -115,7 +115,7 @@ class KTDispatcher { } $method = sprintf('%s_main', $this->action_prefix); if (array_key_exists($this->event_var, $_REQUEST)) { - $event = $_REQUEST[$this->event_var]; + $event = strip_tags($_REQUEST[$this->event_var]); $proposed_method = sprintf('%s_%s', $this->action_prefix, $event); if (method_exists($this, $proposed_method)) { @@ -538,18 +538,18 @@ class KTErrorDispatcher extends KTStandardDispatcher { } function dispatch() { - + require_once(KT_LIB_DIR . '/validation/customerror.php'); - + $bCustomCheck = KTCustomErrorCheck::customErrorInit($this->oError); - + if($bCustomCheck) { exit(0); } - - - //if either customer error messages is off or the custom error page doesn't exist the function will run + + + //if either customer error messages is off or the custom error page doesn't exist the function will run //the default error handling here $oRegistry =& KTErrorViewerRegistry::getSingleton(); $oViewer =& $oRegistry->getViewer($this->oError); diff --git a/login.php b/login.php index 5639268..f7efa84 100644 --- a/login.php +++ b/login.php @@ -62,7 +62,7 @@ class LoginPageDispatcher extends KTDispatcher { } else { // User is already logged in - get the redirect - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $cookietest = KTUtil::randomString(); setcookie("CookieTestCookie", $cookietest, 0); @@ -117,7 +117,7 @@ class LoginPageDispatcher extends KTDispatcher { return $sessionID; } - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); // DEPRECATED initialise page-level authorisation array $_SESSION["pageAccess"] = NULL; 
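Review bot: `$event = strip_tags($_REQUEST[$this->event_var]);` feeds a method name through `sprintf('%s_%s', ...)`, and the `method_exists()` check below is what actually gates dispatch; tag stripping adds nothing to that guard, while an array-valued request parameter would make `strip_tags()` warn or throw. Constraining the value to an identifier expresses the real intent and also makes it safe to reflect in any error message or log: `$event = is_string($_REQUEST[$this->event_var]) ? $_REQUEST[$this->event_var] : ''; if (!preg_match('/^[A-Za-z0-9_]+$/', $event)) { $event = ''; }`. If `$event` is echoed anywhere it should additionally be passed through `htmlspecialchars()` at that site. The enclosing method starts before and ends after this hunk.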
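Review bot: `$redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect'));` sanitises the value for HTML output but does not validate it as a destination, and the same parameter is later assigned to `$url` and used to forward the browser (hunk -351 in this file and -267 in plugins/passwordResetPlugin/loginResetDispatcher.php), so an absolute URL to another host still passes through unchanged. Validate the destination once, after stripping, e.g. `if (!empty($redirect) && parse_url($redirect, PHP_URL_HOST) !== null) { $redirect = null; }`, which rejects any value carrying a host component (and, because `parse_url()` returns `false` on malformed input, rejects those too), or better compare against a list of known local paths. The same pattern is repeated in hunks -117, -167, -241 and -338 of this file, -82, -101, -171, -191 and -254 of loginResetDispatcher.php, and -94 of plugins/passwordResetPlugin/loginUtil.inc.php; one check at the point of use is preferable to repeating `strip_tags()` at every read. The switch from `!== null` to `!empty()` in the later hunks is consistent with this change, since `strip_tags(null)` yields `''` (and is deprecated on PHP 8.1+) when `arrayGet()` returns null for an absent key.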
@@ -167,7 +167,7 @@ class LoginPageDispatcher extends KTDispatcher { $errorMessageConfirm = $_SESSION['errormessage']['login']; - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $oReg =& KTi18nregistry::getSingleton(); $aRegisteredLangs = $oReg->geti18nLanguages('knowledgeTree'); @@ -241,12 +241,12 @@ class LoginPageDispatcher extends KTDispatcher { } setcookie("kt_language", $language, 2147483647, '/'); - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $url = $_SERVER["PHP_SELF"]; $queryParams = array(); - if ($redirect !== null) { + if (!empty($redirect)) { $queryParams[] = 'redirect=' . urlencode($redirect); } @@ -338,9 +338,9 @@ class LoginPageDispatcher extends KTDispatcher { $url = $_SERVER["PHP_SELF"]; $queryParams = array(); - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); - if ($redirect !== null) { + if (!empty($redirect)) { $queryParams[] = 'redirect='. urlencode($redirect); } @@ -351,7 +351,7 @@ class LoginPageDispatcher extends KTDispatcher { } // check for a location to forward to - if ($redirect !== null) { + if (!empty($redirect)) { $url = $redirect; // else redirect to the dashboard if there is none } else { diff --git a/plugins/passwordResetPlugin/loginResetDispatcher.php b/plugins/passwordResetPlugin/loginResetDispatcher.php index d53f8fe..6c1e226 100644 --- a/plugins/passwordResetPlugin/loginResetDispatcher.php +++ b/plugins/passwordResetPlugin/loginResetDispatcher.php 
@@ -82,7 +82,7 @@ class loginResetDispatcher extends KTDispatcher { if(!loginUtil::check()) { // bounce here, potentially. // User is already logged in - get the redirect - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $cookietest = KTUtil::randomString(); setcookie("CookieTestCookie", $cookietest, 0); @@ -101,7 +101,7 @@ class loginResetDispatcher extends KTDispatcher { $errorMessageConfirm = $_SESSION['errormessage']['login']; - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); // Get the list of languages $oReg =& KTi18nregistry::getSingleton(); @@ -171,7 +171,7 @@ class loginResetDispatcher extends KTDispatcher { if(!loginUtil::check()) { // bounce here, potentially. // User is already logged in - get the redirect - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $cookietest = KTUtil::randomString(); setcookie("CookieTestCookie", $cookietest, 0); @@ -191,12 +191,12 @@ class loginResetDispatcher extends KTDispatcher { } setcookie("kt_language", $language, 2147483647, '/'); - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); $url = $_SERVER["PHP_SELF"]; $queryParams = array(); - if ($redirect !== null) { + if (!empty($redirect)) { $queryParams[] = 'redirect=' . urlencode($redirect); } @@ -254,9 +254,9 @@ class loginResetDispatcher extends KTDispatcher { $url = $_SERVER["PHP_SELF"]; $queryParams = array(); - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); - if ($redirect !== null) { + if (!empty($redirect)) { $queryParams[] = 'redirect='. urlencode($redirect); } 
@@ -267,7 +267,7 @@ class loginResetDispatcher extends KTDispatcher { } // check for a location to forward to - if ($redirect !== null) { + if (!empty($redirect)) { $url = $redirect; // else redirect to the dashboard if there is none } else { @@ -415,4 +415,4 @@ class loginResetDispatcher extends KTDispatcher { $dispatcher = new loginResetDispatcher(); $dispatcher->dispatch(); -?> +?> \ No newline at end of file diff --git a/plugins/passwordResetPlugin/loginUtil.inc.php b/plugins/passwordResetPlugin/loginUtil.inc.php index 6a304a9..1960e8b 100644 --- a/plugins/passwordResetPlugin/loginUtil.inc.php +++ b/plugins/passwordResetPlugin/loginUtil.inc.php @@ -94,7 +94,7 @@ class loginUtil return $sessionID; } - $redirect = KTUtil::arrayGet($_REQUEST, 'redirect'); + $redirect = strip_tags(KTUtil::arrayGet($_REQUEST, 'redirect')); // DEPRECATED initialise page-level authorisation array $_SESSION["pageAccess"] = NULL;