Commit af8535a22a0d4a84e92ee8dc776cc08768bd5ff8

Authored by nbm
1 parent ac5d1467

Make create and store safer:

Require an established, validated session before either page does any work.

Store static data in a session instead of using a hidden form variable,
out of the reach of attackers.


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@3055 c91229c3-7414-0410-bfa2-8a42b809f60b
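--- a/presentation/lookAndFeel/knowledgeTree/create.php
+++ b/presentation/lookAndFeel/knowledgeTree/create.php
@@ -30,10 +30,14 @@
 require_once("../../../config/dmsDefaults.php");
 require_once("$default->fileSystemRoot/presentation/Html.inc");
 
+if (!checkSession()) {
+ exit(0);
+}
+
 $aKeys = array_keys($_POST);
 $aParameterValues = array();
-$sObjectName;
-$sObjectFolderName;
+// $sObjectName;
+// $sObjectFolderName;
 //parse the information in the html page
 for ($i = 0; $i < count($aKeys); $i++) {
 $sRowStart = $aKeys[$i];
@@ -41,11 +45,11 @@ for ($i = 0; $i < count($aKeys); $i++) {
 if ($pos == 0) {
 $i++;
 //get the object to create
- $sObjectName = $_POST[$aKeys[$i]];
- $i++;
+ //$sObjectName = $_POST[$aKeys[$i]];
+ //$i++;
 //get the object folder name
- $sObjectFolderName = $_POST[$aKeys[$i]];
- $i++;
+ //$sObjectFolderName = $_POST[$aKeys[$i]];
+ //$i++;
 
 while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i < count($aKeys))) {
 //get the paramater number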
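Review bot: The new guard `if (!checkSession()) { exit(0); }` ends an unauthenticated request with an empty 200 response, which tells the user nothing and hides the failure from anything watching status codes; redirecting to the login page or emitting a 403 before the `exit(0)` would be the more useful failure mode, and store.php's new `if (checkSession())` wrapper has the same blank-page behaviour. The commented-out `$sObjectName` / `$sObjectFolderName` assignments should be deleted rather than kept as comments, and if anything later in create.php (outside this hunk) still reads those two variables they are now undefined. Because the parsing loop still consumes `$_POST` keys positionally, the form template must have dropped the two hidden fields in the same commit; a stale form would shift every following field by two, so that is worth confirming. The `for` loop opens in the first hunk and continues past the end of the second.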
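--- a/presentation/lookAndFeel/knowledgeTree/store.inc
+++ b/presentation/lookAndFeel/knowledgeTree/store.inc
@@ -33,19 +33,40 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 $pos = strncasecmp("unique_start", $sRowStart, 12);
 
 if ($pos == 0) {
- $aColumns = array();
+ $sRandomString = substr($sRowStart, 13);
+ if (!array_key_exists("pelfq_" . $sRandomString . "_tn", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+ if (!array_key_exists("pelfq_" . $sRandomString . "_id", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+ if (!array_key_exists("pelfq_" . $sRandomString . "_columns", $_SESSION)) {
+ print "Hack attempt! Session data not set up for store.\n";
+ return false;
+ }
+
+ $aColumns = array();
 $aValues = array();
 $aTypes = array();
 
- $iPrimaryKey = $_POST[$aKeys[++$i]];
- $sTableName = $_POST[$aKeys[++$i]];
+ // $iPrimaryKey = $_POST[$aKeys[++$i]];
+ // $sTableName = $_POST[$aKeys[++$i]];
+ $iPrimaryKey = $_SESSION["pelfq_" . $sRandomString . "_id"];
+ $sTableName = $_SESSION["pelfq_" . $sRandomString . "_tn"];
+ $aColumnNames = $_SESSION["pelfq_" . $sRandomString . "_columns"];
 
- $i++;
+ $i++;
 $iColumnCount = 0;
 
 //get all the values for the table
 while ((strncasecmp("unique_end", $sRowStart, 10) != 0) && ($i <= count($aKeys))) {
 $aColumns[$iColumnCount] = $_POST[$aKeys[$i]];
+ if (!in_array($aColumns[$iColumnCount], $aColumnNames)) {
+ print "Hack attempt! $aColumns[$iColumnCount] is not in "; var_dump($aColumnNames);
+ return false;
+ }
 $aTypes[$iColumnCount]= $_POST[$aKeys[++$i]];
 
 switch ($aTypes[$iColumnCount]) {
@@ -190,4 +211,4 @@ function constructQuery($aKeys, $aSuppliedValues = null) {
 }
 return $aQuery;
 }
-?>
\ No newline at end of file
+?>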
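Review bot: The per-column type at `$aTypes[$iColumnCount]= $_POST[$aKeys[++$i]];` is still read from the request even though the table name, primary key and column whitelist now come from the session, so a client can pick any type for a whitelisted column; since the `switch ($aTypes[$iColumnCount])` that follows (its body is past the end of the hunk) presumably decides how each value is quoted into the query, the expected type should be stored per column alongside `_columns` and looked up there, e.g. `$aTypes[$iColumnCount] = $aColumnTypes[$aColumns[$iColumnCount]];`, with the POST type ignored or required to match. The rejection branches also disclose server-side detail to the client — `print "Hack attempt! ... "; var_dump($aColumnNames);` dumps the whole expected column list — so log the mismatch via `$default->log` and print a generic failure instead. `in_array($aColumns[$iColumnCount], $aColumnNames)` should pass `true` as its third argument so a loosely-equal value cannot satisfy the whitelist. Nothing here clears the `pelfq_<token>_*` session entries after use, so a token stays replayable for the life of the session; whether that matters depends on how create.php issues them, which this hunk does not show. constructQuery starts before the first hunk and its loop body continues between the two hunks.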
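--- a/presentation/lookAndFeel/knowledgeTree/store.php
+++ b/presentation/lookAndFeel/knowledgeTree/store.php
@@ -32,16 +32,21 @@ require_once("$default->fileSystemRoot/lib/documentmanagement/Document.inc");
 require_once("$default->fileSystemRoot/lib/foldermanagement/Folder.inc");
 require_once("store.inc");
 
+KTUtil::extractGPC('fReturnURL');
 
-if (count($_POST) > 0) {
- $aKeys = array_keys($_POST);
- $aQueries = constructQuery($aKeys);
-
- //execute the queries
- for ($i=0; $i<count($aQueries); $i++) {
- $sql = $default->db;
- $sql->query($aQueries[$i]);
- }
- redirect(strip_tags(urldecode($fReturnURL)));
+if (checkSession()) {
+ if (count($_POST) > 0) {
+ $aKeys = array_keys($_POST);
+ $aQueries = constructQuery($aKeys);
+
+ //execute the queries
+ for ($i=0; $i<count($aQueries); $i++) {
+ $sql = $default->db;
+ $sql->query($aQueries[$i]);
+ }
+ $default->log->debug("store.php redirecting to $fReturnURL");
+ redirect(strip_tags(urldecode($fReturnURL)));
+ }
 }
+
 ?>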
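Review bot: `constructQuery()` now returns `false` when the session checks in store.inc reject a request, but `$aQueries = constructQuery($aKeys);` is still followed unconditionally by the `for ($i=0; $i<count($aQueries); $i++)` loop and the `redirect(...)`, so a rejected store is redirected exactly like a successful one; on PHP versions where `count(false)` evaluates to 1 the loop additionally runs `$sql->query(null)` once. Add `if ($aQueries === false) { exit(0); }` (or a redirect to an error page) straight after the call so the failure is visible and no query runs. Separately, `fReturnURL` comes from the request via `KTUtil::extractGPC` and reaches `redirect()` through `strip_tags(urldecode(...))`, which strips markup but does not validate the target, leaving an open redirect; constraining it to a relative path or to `$default->rootUrl` would close that. The `$default->log->debug("store.php redirecting to $fReturnURL")` line also writes the raw, unvalidated URL to the log.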