Commit af8535a22a0d4a84e92ee8dc776cc08768bd5ff8
1 parent
ac5d1467
Make create and store safer:
Require a built-up session. Store static data in a session instead of using a hidden form variable, out of the reach of attackers. git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3055 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
3 changed files
with
51 additions
and
21 deletions
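--- a/presentation/lookAndFeel/knowledgeTree/create.php
+++ b/presentation/lookAndFeel/knowledgeTree/create.php
@@ -30,10 +30,14 @@
 require_once("../../../config/dmsDefaults.php");
 require_once("$default->fileSystemRoot/presentation/Html.inc");
 
+if (!checkSession()) {
+ exit(0);
+}
+
 $aKeys = array_keys($_POST);
 $aParameterValues = array();
-$sObjectName;
-$sObjectFolderName;
+// $sObjectName;
+// $sObjectFolderName;
 //parse the information in the html page
 for ($i = 0; $i < count($aKeys); $i++) {
 $sRowStart = $aKeys[$i];
@@ -41,11 +45,11 @@ for ($i = 0; $i < count($aKeys); $i++) {
 if ($pos == 0) {
 $i++;
 //get the object to create
- $sObjectName = $_POST[$aKeys[$i]];
- $i++;
+ //$sObjectName = $_POST[$aKeys[$i]];
+ //$i++;
 //get the object folder name
- $sObjectFolderName = $_POST[$aKeys[$i]];
- $i++;
+ //$sObjectFolderName = $_POST[$aKeys[$i]];
+ //$i++;
 
 while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i < count($aKeys))) {
 //get the paramater number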
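Review bot: The four assignments commented out at new lines 39–40 and 48–52 should be deleted rather than kept as comments; the commit message already records why they went, and version control holds the history. The index bookkeeping around them also deserves a look: the `$i++` at new line 46 still skips one key after `unique_start`, while the two increments that used to step over the object name and folder name are gone, so the parse stays aligned only if the form no longer emits those two hidden fields — worth confirming against the form that posts here. If `checkSession()` does not itself redirect to a login page, the bare `exit(0)` at new line 34 leaves the user with an empty response; a short message or redirect there would help. The `for` loop body continues past the end of the second hunk.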
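--- a/presentation/lookAndFeel/knowledgeTree/store.inc
+++ b/presentation/lookAndFeel/knowledgeTree/store.inc
@@ -33,19 +33,40 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 $pos = strncasecmp("unique_start", $sRowStart, 12);
 
 if ($pos == 0) {
- $aColumns = array();
+ $sRandomString = substr($sRowStart, 13);
+ if (!array_key_exists("pelfq_" . $sRandomString . "_tn", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+ if (!array_key_exists("pelfq_" . $sRandomString . "_id", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+ if (!array_key_exists("pelfq_" . $sRandomString . "_columns", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+
+ $aColumns = array();
 $aValues = array();
 $aTypes = array();
 
- $iPrimaryKey = $_POST[$aKeys[++$i]];
- $sTableName = $_POST[$aKeys[++$i]];
+ // $iPrimaryKey = $_POST[$aKeys[++$i]];
+ // $sTableName = $_POST[$aKeys[++$i]];
+ $iPrimaryKey = $_SESSION["pelfq_" . $sRandomString . "_id"];
+ $sTableName = $_SESSION["pelfq_" . $sRandomString . "_tn"];
+ $aColumnNames = $_SESSION["pelfq_" . $sRandomString . "_columns"];
 
- $i++;
+ $i++;
 $iColumnCount = 0;
 
 //get all the values for the table
 while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i <= count($aKeys))) {
 $aColumns[$iColumnCount] = $_POST[$aKeys[$i]];
+ if (!in_array($aColumns[$iColumnCount], $aColumnNames)) {
+ print "Hack attempt! $aColumns[$iColumnCount] is not in "; var_dump($aColumnNames);
+ return false;
+ }
 $aTypes[$iColumnCount]= $_POST[$aKeys[++$i]];
 
 switch ($aTypes[$iColumnCount]) {
@@ -190,4 +211,4 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 }
 return $aQuery;
 }
-?>
\ No newline at end of file
+?>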
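Review bot: The rejection branch at new lines 67–68 echoes the submitted column name back into the page unescaped and `var_dump`s the server-side allow-list, so a rejected request both gets a reflected-output path into the response and learns exactly which column names would have been accepted; print the same generic text as the three checks above it (`print "Hack attempt! Session data not set up for store.\n";`) and write the rejected name and the allow-list to the server log instead. The membership test at new line 66 should also be strict, `if (!in_array($aColumns[$iColumnCount], $aColumnNames, true)) {`, since PHP's loose comparison can treat numeric-looking strings that are not identical as equal. The column type at new line 70 is still read from `$_POST` even though the table name, key and column names now come from the session; if the `switch` below uses it to decide how a value is quoted, it is worth storing it in the session alongside the column list as well. A short comment above new line 36 explaining that the key is `unique_start` plus a one-character separator plus the session token (hence the offset 13) would spare the next reader the arithmetic. `constructQuery` begins before the first hunk.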
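--- a/presentation/lookAndFeel/knowledgeTree/store.php
+++ b/presentation/lookAndFeel/knowledgeTree/store.php
@@ -32,16 +32,21 @@ require_once("$default->fileSystemRoot/lib/documentmanagement/Document.inc");
 require_once("$default->fileSystemRoot/lib/foldermanagement/Folder.inc");
 require_once("store.inc");
 
+KTUtil::extractGPC('fReturnURL');
 
-if (count($_POST) > 0) {
- $aKeys = array_keys($_POST);
- $aQueries = constructQuery($aKeys);
-
- //execute the queries
- for ($i=0; $i<count($aQueries); $i++) {
- $sql = $default->db;
- $sql->query($aQueries[$i]);
- }
- redirect(strip_tags(urldecode($fReturnURL)));
+if (checkSession()) {
+ if (count($_POST) > 0) {
+ $aKeys = array_keys($_POST);
+ $aQueries = constructQuery($aKeys);
+
+ //execute the queries
+ for ($i=0; $i<count($aQueries); $i++) {
+ $sql = $default->db;
+ $sql->query($aQueries[$i]);
+ }
+ $default->log->debug("store.php redirecting to $fReturnURL");
+ redirect(strip_tags(urldecode($fReturnURL)));
+ }
 }
+
 ?>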
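Review bot: `constructQuery` now returns `false` from its new rejection paths in store.inc, but new lines 40–48 still treat the result as an array: on the PHP 5 line this code targets `count(false)` evaluates to 1, so one `$sql->query()` is issued with a null statement and the redirect still fires after the "Hack attempt" text has been printed. Check the return before the loop, e.g. `if ($aQueries === false) { exit(0); }` immediately after the `constructQuery($aKeys)` call at new line 40. Separately, the redirect target at new line 48 comes straight from the request via `extractGPC`, and `strip_tags`/`urldecode` do not constrain where it points; that is pre-existing rather than introduced here, but a same-host or allow-list check on `$fReturnURL` before `redirect()` would close it, and the debug line at new line 47 would then log the validated value.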