]> git.wh0rd.org Git - tt-rss.git/commitdiff
force strip_tags() on all user input unless explicitly allowed
authorAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 20:35:38 +0000 (23:35 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 20:35:38 +0000 (23:35 +0300)
13 files changed:
classes/api.php
classes/article.php
classes/backend.php
classes/handler/public.php
classes/pluginhandler.php
classes/pref/feeds.php
classes/pref/filters.php
classes/pref/labels.php
classes/pref/prefs.php
classes/pref/users.php
classes/rpc.php
classes/rssutils.php
include/functions.php

index c28d36524aa850ae8ee84f1d55deaef48a668933..4c321d77ef856b46bdbf668349978aad11004445 100644 (file)
@@ -26,7 +26,7 @@ class API extends Handler {
                                return false;
                        }
 
-                       $this->seq = (int) $_REQUEST['seq'];
+                       $this->seq = (int) clean($_REQUEST['seq']);
 
                        return true;
                }
@@ -53,9 +53,9 @@ class API extends Handler {
                @session_destroy();
                @session_start();
 
-               $login = $_REQUEST["user"];
-               $password = $_REQUEST["password"];
-               $password_base64 = base64_decode($_REQUEST["password"]);
+               $login = clean($_REQUEST["user"]);
+               $password = clean($_REQUEST["password"]);
+               $password_base64 = base64_decode(clean($_REQUEST["password"]));
 
                if (SINGLE_USER_MODE) $login = "admin";
 
@@ -100,8 +100,8 @@ class API extends Handler {
        }
 
        function getUnread() {
-               $feed_id = $_REQUEST["feed_id"];
-               $is_cat = $_REQUEST["is_cat"];
+               $feed_id = clean($_REQUEST["feed_id"]);
+               $is_cat = clean($_REQUEST["is_cat"]);
 
                if ($feed_id) {
                        $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
@@ -116,11 +116,11 @@ class API extends Handler {
        }
 
        function getFeeds() {
-               $cat_id = $_REQUEST["cat_id"];
-               $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
-               $limit = (int) $_REQUEST["limit"];
-               $offset = (int) $_REQUEST["offset"];
-               $include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+               $cat_id = clean($_REQUEST["cat_id"]);
+               $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+               $limit = (int) clean($_REQUEST["limit"]);
+               $offset = (int) clean($_REQUEST["offset"]);
+               $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 
                $feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
 
@@ -128,9 +128,9 @@ class API extends Handler {
        }
 
        function getCategories() {
-               $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
-               $enable_nested = API::param_to_bool($_REQUEST["enable_nested"]);
-               $include_empty = API::param_to_bool($_REQUEST['include_empty']);
+               $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+               $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+               $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 
                // TODO do not return empty categories, return Uncategorized and standard virtual cats
 
@@ -185,39 +185,39 @@ class API extends Handler {
        }
 
        function getHeadlines() {
-               $feed_id = $_REQUEST["feed_id"];
+               $feed_id = clean($_REQUEST["feed_id"]);
                if ($feed_id != "") {
 
                        if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
 
-                       $limit = (int)$_REQUEST["limit"];
+                       $limit = (int)clean($_REQUEST["limit"]);
 
                        if (!$limit || $limit >= 200) $limit = 200;
 
-                       $offset = (int)$_REQUEST["skip"];
-                       $filter = $_REQUEST["filter"];
-                       $is_cat = API::param_to_bool($_REQUEST["is_cat"]);
-                       $show_excerpt = API::param_to_bool($_REQUEST["show_excerpt"]);
-                       $show_content = API::param_to_bool($_REQUEST["show_content"]);
+                       $offset = (int)clean($_REQUEST["skip"]);
+                       $filter = clean($_REQUEST["filter"]);
+                       $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
+                       $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
+                       $show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
                        /* all_articles, unread, adaptive, marked, updated */
-                       $view_mode = $_REQUEST["view_mode"];
-                       $include_attachments = API::param_to_bool($_REQUEST["include_attachments"]);
-                       $since_id = (int)$_REQUEST["since_id"];
-                       $include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+                       $view_mode = clean($_REQUEST["view_mode"]);
+                       $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
+                       $since_id = (int)clean($_REQUEST["since_id"]);
+                       $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
                        $sanitize_content = !isset($_REQUEST["sanitize"]) ||
                                API::param_to_bool($_REQUEST["sanitize"]);
-                       $force_update = API::param_to_bool($_REQUEST["force_update"]);
-                       $has_sandbox = API::param_to_bool($_REQUEST["has_sandbox"]);
-                       $excerpt_length = (int)$_REQUEST["excerpt_length"];
-                       $check_first_id = (int)$_REQUEST["check_first_id"];
-                       $include_header = API::param_to_bool($_REQUEST["include_header"]);
+                       $force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
+                       $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
+                       $excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
+                       $check_first_id = (int)clean($_REQUEST["check_first_id"]);
+                       $include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
 
                        $_SESSION['hasSandbox'] = $has_sandbox;
 
                        $skip_first_id_check = false;
 
                        $override_order = false;
-                       switch ($_REQUEST["order_by"]) {
+                       switch (clean($_REQUEST["order_by"])) {
                                case "title":
                                        $override_order = "ttrss_entries.title, date_entered, updated";
                                        break;
@@ -232,7 +232,7 @@ class API extends Handler {
 
                        /* do not rely on params below */
 
-                       $search = $_REQUEST["search"];
+                       $search = clean($_REQUEST["search"]);
 
                        list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset,
                                $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
@@ -250,10 +250,10 @@ class API extends Handler {
        }
 
        function updateArticle() {
-               $article_ids = explode(",", $_REQUEST["article_ids"]);
-               $mode = (int) $_REQUEST["mode"];
-               $data = $_REQUEST["data"];
-               $field_raw = (int)$_REQUEST["field"];
+               $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+               $mode = (int) clean($_REQUEST["mode"]);
+               $data = clean($_REQUEST["data"]);
+               $field_raw = (int)clean($_REQUEST["field"]);
 
                $field = "";
                $set_to = "";
@@ -321,7 +321,7 @@ class API extends Handler {
 
        function getArticle() {
 
-               $article_ids = explode(",", $_REQUEST["article_id"]);
+               $article_ids = explode(",", clean($_REQUEST["article_id"]));
                $sanitize_content = !isset($_REQUEST["sanitize"]) ||
                        API::param_to_bool($_REQUEST["sanitize"]);
 
@@ -407,7 +407,7 @@ class API extends Handler {
        }
 
        function updateFeed() {
-               $feed_id = (int) $_REQUEST["feed_id"];
+               $feed_id = (int) clean($_REQUEST["feed_id"]);
 
                if (!ini_get("open_basedir")) {
                        RSSUtils::update_rss_feed($feed_id);
@@ -417,8 +417,8 @@ class API extends Handler {
        }
 
        function catchupFeed() {
-               $feed_id = $_REQUEST["feed_id"];
-               $is_cat = $_REQUEST["is_cat"];
+               $feed_id = clean($_REQUEST["feed_id"]);
+               $is_cat = clean($_REQUEST["is_cat"]);
 
                Feeds::catchup_feed($feed_id, $is_cat);
 
@@ -426,13 +426,13 @@ class API extends Handler {
        }
 
        function getPref() {
-               $pref_name = $_REQUEST["pref_name"];
+               $pref_name = clean($_REQUEST["pref_name"]);
 
                $this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
        }
 
        function getLabels() {
-               $article_id = (int)$_REQUEST['article_id'];
+               $article_id = (int)clean($_REQUEST['article_id']);
 
                $rv = array();
 
@@ -469,9 +469,9 @@ class API extends Handler {
 
        function setArticleLabel() {
 
-               $article_ids = explode(",", $_REQUEST["article_ids"]);
-               $label_id = (int) $_REQUEST['label_id'];
-               $assign = API::param_to_bool($_REQUEST['assign']);
+               $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+               $label_id = (int) clean($_REQUEST['label_id']);
+               $assign = API::param_to_bool(clean($_REQUEST['assign']));
 
                $label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
 
@@ -510,9 +510,9 @@ class API extends Handler {
        }
 
        function shareToPublished() {
-               $title = strip_tags($_REQUEST["title"]);
-               $url = strip_tags($_REQUEST["url"]);
-               $content = strip_tags($_REQUEST["content"]);
+               $title = strip_tags(clean($_REQUEST["title"]));
+               $url = strip_tags(clean($_REQUEST["url"]));
+               $content = strip_tags(clean($_REQUEST["content"]));
 
                if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
                        $this->wrap(self::STATUS_OK, array("status" => 'OK'));
@@ -809,7 +809,7 @@ class API extends Handler {
        }
 
        function unsubscribeFeed() {
-               $feed_id = (int) $_REQUEST["feed_id"];
+               $feed_id = (int) clean($_REQUEST["feed_id"]);
 
                $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
                        id = ? AND owner_uid = ?");
@@ -824,10 +824,10 @@ class API extends Handler {
        }
 
        function subscribeToFeed() {
-               $feed_url = $_REQUEST["feed_url"];
-               $category_id = (int) $_REQUEST["category_id"];
-               $login = $_REQUEST["login"];
-               $password = $_REQUEST["password"];
+               $feed_url = clean($_REQUEST["feed_url"]);
+               $category_id = (int) clean($_REQUEST["category_id"]);
+               $login = clean($_REQUEST["login"]);
+               $password = clean($_REQUEST["password"]);
 
                if ($feed_url) {
                        $rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
@@ -839,7 +839,7 @@ class API extends Handler {
        }
 
        function getFeedTree() {
-               $include_empty = API::param_to_bool($_REQUEST['include_empty']);
+               $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 
                $pf = new Pref_Feeds($_REQUEST);
 
index 62794ddf65507a82d6ec4544991e641c0c92f0da..f1271284e84f6a2a23b58f25c627dbe656bcf8b6 100644 (file)
@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
        }
 
        function redirect() {
-               $id = $_REQUEST['id'];
+               $id = clean($_REQUEST['id']);
 
                $sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
                                                WHERE id = ? AND id = ref_id AND owner_uid = ?
@@ -28,9 +28,9 @@ class Article extends Handler_Protected {
        }
 
        function view() {
-               $id = $_REQUEST["id"];
-               $cids = explode(",", $_REQUEST["cids"]);
-               $mode = $_REQUEST["mode"];
+               $id = clean($_REQUEST["id"]);
+               $cids = explode(",", clean($_REQUEST["cids"]));
+               $mode = clean($_REQUEST["mode"]);
 
                // in prefetch mode we only output requested cids, main article
                // just gets marked as read (it already exists in client cache)
@@ -210,7 +210,7 @@ class Article extends Handler_Protected {
 
                print __("Tags for this article (separated by commas):")."<br>";
 
-               $param = $_REQUEST['param'];
+               $param = clean($_REQUEST['param']);
 
                $tags = Article::get_article_tags($param);
 
@@ -241,8 +241,8 @@ class Article extends Handler_Protected {
        }
 
        function setScore() {
-               $ids = explode(",", $_REQUEST['id']);
-               $score = (int)$_REQUEST['score'];
+               $ids = explode(",", clean($_REQUEST['id']));
+               $score = (int)clean($_REQUEST['score']);
 
                $ids_qmarks = arr_qmarks($ids);
 
@@ -257,7 +257,7 @@ class Article extends Handler_Protected {
        }
 
        function getScore() {
-               $id = $_REQUEST['id'];
+               $id = clean($_REQUEST['id']);
 
                $sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
                $sth->execute([$id, $_SESSION['uid']]);
@@ -273,9 +273,9 @@ class Article extends Handler_Protected {
 
        function setArticleTags() {
 
-               $id = $_REQUEST["id"];
+               $id = clean($_REQUEST["id"]);
 
-               $tags_str = $_REQUEST["tags_str"];
+               $tags_str = clean($_REQUEST["tags_str"]);
                $tags = array_unique(trim_array(explode(",", $tags_str)));
 
                $this->pdo->beginTransaction();
@@ -342,7 +342,7 @@ class Article extends Handler_Protected {
 
 
        function completeTags() {
-               $search = $_REQUEST["search"];
+               $search = clean($_REQUEST["search"]);
 
                $sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
                                WHERE owner_uid = ? AND
@@ -369,8 +369,8 @@ class Article extends Handler_Protected {
        private function labelops($assign) {
                $reply = array();
 
-               $ids = explode(",", $_REQUEST["ids"]);
-               $label_id = $_REQUEST["lid"];
+               $ids = explode(",", clean($_REQUEST["ids"]));
+               $label_id = clean($_REQUEST["lid"]);
 
                $label = db_escape_string(Labels::find_caption($label_id,
                $_SESSION["uid"]));
index c9a595b86ca17b1e33f3ddc943dace9dc81b60dd..d5d0f5a01ba1b94e9fa2c6ceb57019c091837b6d 100644 (file)
@@ -84,7 +84,7 @@ class Backend extends Handler {
        }
 
        function help() {
-               $topic = basename($_REQUEST["topic"]);
+               $topic = basename(clean($_REQUEST["topic"]));
 
                switch ($topic) {
                case "main":
index e2df4a3cc2537d329e204736aba850f2a4079974..8440bc3551647e702b0f9827a2301c3e5538598a 100644 (file)
@@ -139,7 +139,7 @@ class Handler_Public extends Handler {
                        $tpl->addBlock('feed');
                        $tpl->generateOutputToString($tmp);
 
-                       if (@!$_REQUEST["noxml"]) {
+                       if (@!clean($_REQUEST["noxml"])) {
                                header("Content-Type: text/xml; charset=utf-8");
                        } else {
                                header("Content-Type: text/plain; charset=utf-8");
@@ -219,8 +219,8 @@ class Handler_Public extends Handler {
        }
 
        function getUnread() {
-               $login = $_REQUEST["login"];
-               $fresh = $_REQUEST["fresh"] == "1";
+               $login = clean($_REQUEST["login"]);
+               $fresh = clean($_REQUEST["fresh"]) == "1";
 
                $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
                $sth->execute([$login]);
@@ -241,7 +241,7 @@ class Handler_Public extends Handler {
        }
 
        function getProfiles() {
-               $login = $_REQUEST["login"];
+               $login = clean($_REQUEST["login"]);
 
                $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
                        WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
@@ -267,7 +267,7 @@ class Handler_Public extends Handler {
        }
 
        function share() {
-               $uuid = $_REQUEST["key"];
+               $uuid = clean($_REQUEST["key"]);
 
                $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
                        uuid = ?");
@@ -290,19 +290,19 @@ class Handler_Public extends Handler {
        }
 
        function rss() {
-               $feed = $_REQUEST["id"];
-               $key = $_REQUEST["key"];
-               $is_cat = $_REQUEST["is_cat"];
-               $limit = (int)$_REQUEST["limit"];
-               $offset = (int)$_REQUEST["offset"];
+               $feed = clean($_REQUEST["id"]);
+               $key = clean($_REQUEST["key"]);
+               $is_cat = clean($_REQUEST["is_cat"]);
+               $limit = (int)clean($_REQUEST["limit"]);
+               $offset = (int)clean($_REQUEST["offset"]);
 
-               $search = $_REQUEST["q"];
-               $view_mode = $_REQUEST["view-mode"];
-               $order = $_REQUEST["order"];
-               $start_ts = $_REQUEST["ts"];
+               $search = clean($_REQUEST["q"]);
+               $view_mode = clean($_REQUEST["view-mode"]);
+               $order = clean($_REQUEST["order"]);
+               $start_ts = clean($_REQUEST["ts"]);
 
-               $format = $_REQUEST['format'];
-               $orig_guid = $_REQUEST["orig_guid"];
+               $format = clean($_REQUEST['format']);
+               $orig_guid = clean($_REQUEST["orig_guid"]);
 
                if (!$format) $format = 'atom';
 
@@ -359,16 +359,16 @@ class Handler_Public extends Handler {
                print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
                        </head><body id='sharepopup' class='ttrss_utility'>";
 
-               $action = $_REQUEST["action"];
+               $action = clean($_REQUEST["action"]);
 
                if ($_SESSION["uid"]) {
 
                        if ($action == 'share') {
 
-                               $title = strip_tags($_REQUEST["title"]);
-                               $url = strip_tags($_REQUEST["url"]);
-                               $content = strip_tags($_REQUEST["content"]);
-                               $labels = strip_tags($_REQUEST["labels"]);
+                               $title = strip_tags(clean($_REQUEST["title"]));
+                               $url = strip_tags(clean($_REQUEST["url"]));
+                               $content = strip_tags(clean($_REQUEST["content"]));
+                               $labels = strip_tags(clean($_REQUEST["labels"]));
 
                                Article::create_published_article($title, $url, $content, $labels,
                                        $_SESSION["uid"]);
@@ -378,8 +378,8 @@ class Handler_Public extends Handler {
                                print "</script>";
 
                        } else {
-                               $title = htmlspecialchars($_REQUEST["title"]);
-                               $url = htmlspecialchars($_REQUEST["url"]);
+                               $title = htmlspecialchars(clean($_REQUEST["title"]));
+                               $url = htmlspecialchars(clean($_REQUEST["url"]));
 
                                ?>
 
@@ -466,9 +466,9 @@ class Handler_Public extends Handler {
        function login() {
                if (!SINGLE_USER_MODE) {
 
-                       $login = $_POST["login"];
-                       $password = $_POST["password"];
-                       $remember_me = $_POST["remember_me"];
+                       $login = clean($_POST["login"]);
+                       $password = clean($_POST["password"]);
+                       $remember_me = clean($_POST["remember_me"]);
 
                        if ($remember_me) {
                                session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@@ -486,11 +486,11 @@ class Handler_Public extends Handler {
                                }
 
                                $_SESSION["ref_schema_version"] = get_schema_version(true);
-                               $_SESSION["bw_limit"] = !!$_POST["bw_limit"];
+                               $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
 
-                               if ($_POST["profile"]) {
+                               if (clean($_POST["profile"])) {
 
-                                       $profile = $_POST["profile"];
+                                       $profile = clean($_POST["profile"]);
 
                                        $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
                                                WHERE id = ? AND owner_uid = ?");
@@ -505,8 +505,8 @@ class Handler_Public extends Handler {
                                user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
                        }
 
-                       if ($_REQUEST['return']) {
-                               header("Location: " . $_REQUEST['return']);
+                       if (clean($_REQUEST['return'])) {
+                               header("Location: " . clean($_REQUEST['return']));
                        } else {
                                header("Location: " . get_self_url_prefix());
                        }
@@ -516,7 +516,7 @@ class Handler_Public extends Handler {
        /* function subtest() {
                header("Content-type: text/plain; charset=utf-8");
 
-               $url = $_REQUEST["url"];
+               $url = clean($_REQUEST["url"]);
 
                print "$url\n\n";
 
@@ -532,7 +532,7 @@ class Handler_Public extends Handler {
 
                if ($_SESSION["uid"]) {
 
-                       $feed_url = trim($_REQUEST["feed_url"]);
+                       $feed_url = trim(clean($_REQUEST["feed_url"]));
 
                        header('Content-Type: text/html; charset=utf-8');
                        print "<html>
@@ -638,7 +638,7 @@ class Handler_Public extends Handler {
        function forgotpass() {
                startup_gettext();
 
-               @$hash = $_REQUEST["hash"];
+               @$hash = clean($_REQUEST["hash"]);
 
                header('Content-Type: text/html; charset=utf-8');
                print "<html><head><title>Tiny Tiny RSS</title>
@@ -656,10 +656,10 @@ class Handler_Public extends Handler {
                print "<h1>".__("Password recovery")."</h1>";
                print "<div class='content'>";
 
-               @$method = $_POST['method'];
+               @$method = clean($_POST['method']);
 
                if ($hash) {
-                       $login = $_REQUEST["login"];
+                       $login = clean($_REQUEST["login"]);
 
                        if ($login) {
                                $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
@@ -725,9 +725,9 @@ class Handler_Public extends Handler {
                        print "</form>";
                } else if ($method == 'do') {
 
-                       $login = $_POST["login"];
-                       $email = $_POST["email"];
-                       $test = $_POST["test"];
+                       $login = clean($_POST["login"]);
+                       $email = clean($_POST["email"]);
+                       $test = clean($_POST["test"]);
 
                        if (($test != 4 && $test != 'four') || !$email || !$login) {
                                print_error(__('Some of the required form parameters are missing or incorrect.'));
@@ -852,7 +852,7 @@ class Handler_Public extends Handler {
                        <div class="content">
 
                        <?php
-                               @$op = $_REQUEST["subop"];
+                               @$op = clean($_REQUEST["subop"]);
                                $updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
 
                                if ($op == "performupdate") {
@@ -968,8 +968,8 @@ class Handler_Public extends Handler {
        public function pluginhandler() {
                $host = new PluginHost();
 
-               $plugin = basename($_REQUEST["plugin"]);
-               $method = $_REQUEST["pmethod"];
+               $plugin = basename(clean($_REQUEST["plugin"]));
+               $method = clean($_REQUEST["pmethod"]);
 
                $host->load($plugin, PluginHost::KIND_USER, 0);
                $host->load_data();
index 1c9e7aef6e8e37663c65755752268b197bfbe1c3..d10343e095057801bca90d5727760df497845a10 100644 (file)
@@ -5,7 +5,7 @@ class PluginHandler extends Handler_Protected {
        }
 
        function catchall($method) {
-               $plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]);
+               $plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"]));
 
                if ($plugin) {
                        if (method_exists($plugin, $method)) {
index 05f6b8c8f94aab3ff6c0a4e263948b6d0cc3c173..0b5a445f3f0ef8bf69c6ec16ab343b9ee7999e0a 100755 (executable)
@@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function renamecat() {
-               $title = $_REQUEST['title'];
-               $id = $_REQUEST['id'];
+               $title = clean($_REQUEST['title']);
+               $id = clean($_REQUEST['id']);
 
                if ($title) {
                        $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
@@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected {
 
        private function get_category_items($cat_id) {
 
-               if ($_REQUEST['mode'] != 2)
+               if (clean($_REQUEST['mode']) != 2)
                        $search = $_SESSION["prefs_feed_search"];
                else
                        $search = "";
 
                // first one is set by API
-               $show_empty_cats = $_REQUEST['force_show_empty'] ||
-                       ($_REQUEST['mode'] != 2 && !$search);
+               $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+                       (clean($_REQUEST['mode']) != 2 && !$search);
 
                $items = array();
 
@@ -103,7 +103,7 @@ class Pref_Feeds extends Handler_Protected {
 
        function makefeedtree() {
 
-               if ($_REQUEST['mode'] != 2)
+               if (clean($_REQUEST['mode']) != 2)
                        $search = $_SESSION["prefs_feed_search"];
                else
                        $search = "";
@@ -116,7 +116,7 @@ class Pref_Feeds extends Handler_Protected {
 
                $enable_cats = get_pref('ENABLE_FEED_CATS');
 
-               if ($_REQUEST['mode'] == 2) {
+               if (clean($_REQUEST['mode']) == 2) {
 
                        if ($enable_cats) {
                                $cat = $this->feedlist_init_cat(-1);
@@ -193,8 +193,8 @@ class Pref_Feeds extends Handler_Protected {
                }
 
                if ($enable_cats) {
-                       $show_empty_cats = $_REQUEST['force_show_empty'] ||
-                               ($_REQUEST['mode'] != 2 && !$search);
+                       $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+                               (clean($_REQUEST['mode']) != 2 && !$search);
 
                        $sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
                                WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
@@ -303,7 +303,7 @@ class Pref_Feeds extends Handler_Protected {
                $fl['identifier'] = 'id';
                $fl['label'] = 'name';
 
-               if ($_REQUEST['mode'] != 2) {
+               if (clean($_REQUEST['mode']) != 2) {
                        $fl['items'] = array($root);
                } else {
                        $fl['items'] = $root['items'];
@@ -389,9 +389,9 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function savefeedorder() {
-               $data = json_decode($_POST['payload'], true);
+               $data = json_decode(clean($_POST['payload']), true);
 
-               #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+               #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
                #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
                if (!is_array($data['items']))
@@ -425,7 +425,7 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function removeicon() {
-               $feed_id = $_REQUEST["feed_id"];
+               $feed_id = clean($_REQUEST["feed_id"]);
 
                $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
                        WHERE id = ? AND owner_uid = ?");
@@ -457,7 +457,7 @@ class Pref_Feeds extends Handler_Protected {
                }
 
                $icon_file = $tmp_file;
-               $feed_id = $_REQUEST["feed_id"];
+               $feed_id = clean($_REQUEST["feed_id"]);
 
                if (is_file($icon_file) && $feed_id) {
                        if (filesize($icon_file) < 65535) {
@@ -500,7 +500,7 @@ class Pref_Feeds extends Handler_Protected {
                global $update_intervals;
 
 
-               $feed_id = $_REQUEST["id"];
+               $feed_id = clean($_REQUEST["id"]);
 
                $sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
                                owner_uid = ?");
@@ -775,7 +775,7 @@ class Pref_Feeds extends Handler_Protected {
                global $purge_intervals;
                global $update_intervals;
 
-               $feed_ids = $_REQUEST["ids"];
+               $feed_ids = clean($_REQUEST["ids"]);
 
                print_notice("Enable the options you wish to apply using checkboxes on the right:");
 
@@ -924,32 +924,32 @@ class Pref_Feeds extends Handler_Protected {
 
        function editsaveops($batch) {
 
-               $feed_title = trim($_POST["title"]);
-               $feed_url = trim($_POST["feed_url"]);
-               $upd_intl = (int) $_POST["update_interval"];
-               $purge_intl = (int) $_POST["purge_interval"];
-               $feed_id = (int) $_POST["id"]; /* editSave */
-               $feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */
-               $cat_id = (int) $_POST["cat_id"];
-               $auth_login = trim($_POST["auth_login"]);
-               $auth_pass = trim($_POST["auth_pass"]);
-               $private = checkbox_to_sql_bool($_POST["private"]);
+               $feed_title = trim(clean($_POST["title"]));
+               $feed_url = trim(clean($_POST["feed_url"]));
+               $upd_intl = (int) clean($_POST["update_interval"]);
+               $purge_intl = (int) clean($_POST["purge_interval"]);
+               $feed_id = (int) clean($_POST["id"]); /* editSave */
+               $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
+               $cat_id = (int) clean($_POST["cat_id"]);
+               $auth_login = trim(clean($_POST["auth_login"]));
+               $auth_pass = trim(clean($_POST["auth_pass"]));
+               $private = checkbox_to_sql_bool(clean($_POST["private"]));
                $include_in_digest = checkbox_to_sql_bool(
-                       $_POST["include_in_digest"]);
+                       clean($_POST["include_in_digest"]));
                $cache_images = checkbox_to_sql_bool(
-                       $_POST["cache_images"]);
+                       clean($_POST["cache_images"]));
                $hide_images = checkbox_to_sql_bool(
-                       $_POST["hide_images"]);
+                       clean($_POST["hide_images"]));
                $always_display_enclosures = checkbox_to_sql_bool(
-                       $_POST["always_display_enclosures"]);
+                       clean($_POST["always_display_enclosures"]));
 
                $mark_unread_on_update = checkbox_to_sql_bool(
-                       $_POST["mark_unread_on_update"]);
+                       clean($_POST["mark_unread_on_update"]));
 
-               $feed_language = trim($_POST["feed_language"]);
+               $feed_language = trim(clean($_POST["feed_language"]));
 
                if (!$batch) {
-                       if ($_POST["need_auth"] !== 'on') {
+                       if (clean($_POST["need_auth"]) !== 'on') {
                                $auth_login = '';
                                $auth_pass = '';
                        }
@@ -1008,7 +1008,7 @@ class Pref_Feeds extends Handler_Protected {
 
                        foreach (array_keys($_POST) as $k) {
                                if ($k != "op" && $k != "method" && $k != "ids") {
-                                       $feed_data[$k] = $_POST[$k];
+                                       $feed_data[$k] = clean($_POST[$k]);
                                }
                        }
 
@@ -1102,7 +1102,7 @@ class Pref_Feeds extends Handler_Protected {
 
        function remove() {
 
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
@@ -1112,14 +1112,14 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function removeCat() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
                foreach ($ids as $id) {
                        $this->remove_feed_category($id, $_SESSION["uid"]);
                }
        }
 
        function addCat() {
-               $feed_cat = trim($_REQUEST["cat"]);
+               $feed_cat = trim(clean($_REQUEST["cat"]));
 
                add_feed_category($feed_cat);
        }
@@ -1152,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected {
                                onclick=\"showInactiveFeeds()\">" .
                                __("Inactive feeds") . "</button>";
 
-               $feed_search = $_REQUEST["search"];
+               $feed_search = clean($_REQUEST["search"]);
 
                if (array_key_exists("search", $_REQUEST)) {
                        $_SESSION["prefs_feed_search"] = $feed_search;
@@ -1675,10 +1675,10 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function batchAddFeeds() {
-               $cat_id = $_REQUEST['cat'];
-               $feeds = explode("\n", $_REQUEST['feeds']);
-               $login = $_REQUEST['login'];
-               $pass = trim($_REQUEST['pass']);
+               $cat_id = clean($_REQUEST['cat']);
+               $feeds = explode("\n", clean($_REQUEST['feeds']));
+               $login = clean($_REQUEST['login']);
+               $pass = trim(clean($_REQUEST['pass']));
 
                foreach ($feeds as $feed) {
                        $feed = trim($feed);
@@ -1714,8 +1714,8 @@ class Pref_Feeds extends Handler_Protected {
        }
 
        function regenFeedKey() {
-               $feed_id = $_REQUEST['id'];
-               $is_cat = $_REQUEST['is_cat'] == "true";
+               $feed_id = clean($_REQUEST['id']);
+               $is_cat = clean($_REQUEST['is_cat']) == "true";
 
                $new_key = $this->update_feed_access_key($feed_id, $is_cat);
 
index 1ff9a372382b06f77df20217f227ece143428533..74aecd30901ddbaad2f83ce783182cdd8d9e5c47 100755 (executable)
@@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function savefilterorder() {
-               $data = json_decode($_POST['payload'], true);
+               $data = json_decode(clean($_POST['payload']), true);
 
-               #file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+               #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
                #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
                if (!is_array($data['items']))
@@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function testFilterDo() {
-               $offset = (int) $_REQUEST["offset"];
-               $limit = (int) $_REQUEST["limit"];
+               $offset = (int) clean($_REQUEST["offset"]);
+               $limit = (int) clean($_REQUEST["limit"]);
 
                $filter = array();
 
                $filter["enabled"] = true;
-               $filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-               $filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]);
+               $filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+               $filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
                $filter["rules"] = array();
                $filter["actions"] = array("dummy-action");
@@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected {
                $scope_qparts = array();
 
                $rctr = 0;
-               foreach ($_REQUEST["rule"] AS $r) {
+               foreach (clean($_REQUEST["rule"]) AS $r) {
                        $rule = json_decode($r, true);
 
                        if ($rule && $rctr < 5) {
@@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected {
 
        function edit() {
 
-               $filter_id = $_REQUEST["id"];
+               $filter_id = clean($_REQUEST["id"]);
 
                $sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 
                        WHERE id = ? AND owner_uid = ?");
@@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
        }
 
        private function getRuleName($rule) {
-               if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+               if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
 
                $feeds = $rule["feed_id"];
                $feeds_fmt = [];
@@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function printRuleName() {
-               print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+               print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
        }
 
        private function getActionName($action) {
@@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function printActionName() {
-               print $this->getActionName(json_decode($_REQUEST["action"], true));
+               print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
        }
 
        function editSave() {
-               if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+               if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
                        return $this->testFilter();
                }
 
-               $filter_id = $_REQUEST["id"];
-               $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-               $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-               $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
-               $title = $_REQUEST["title"];
+               $filter_id = clean($_REQUEST["id"]);
+               $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+               $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+               $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+               $title = clean($_REQUEST["title"]);
 
                $this->pdo->beginTransaction();
 
@@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
 
        function remove() {
 
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
                $ids_qmarks = arr_qmarks($ids);
 
                $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) 
@@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
                $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
                $sth->execute([$filter_id]);
 
-               if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
-               if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+               if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+               if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
                
                if ($filter_id) {
                        /* create rules */
@@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
                        $rules = array();
                        $actions = array();
 
-                       foreach ($_REQUEST["rule"] as $rule) {
+                       foreach (clean($_REQUEST["rule"]) as $rule) {
                                $rule = json_decode($rule, true);
                                unset($rule["id"]);
 
@@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
                                }
                        }
 
-                       foreach ($_REQUEST["action"] as $action) {
+                       foreach (clean($_REQUEST["action"]) as $action) {
                                $action = json_decode($action, true);
                                unset($action["id"]);
 
@@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function add() {
-               if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+               if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
                        return $this->testFilter();
                }
 
-               $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
-               $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
-               $title = $_REQUEST["title"];
-               $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+               $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+               $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+               $title = clean($_REQUEST["title"]);
+               $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 
                $this->pdo->beginTransaction();
 
@@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
 
        function index() {
 
-               $filter_search = $_REQUEST["search"];
+               $filter_search = clean($_REQUEST["search"]);
 
                if (array_key_exists("search", $_REQUEST)) {
                        $_SESSION["prefs_filter_search"] = $filter_search;
@@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function newrule() {
-               $rule = json_decode($_REQUEST["rule"], true);
+               $rule = json_decode(clean($_REQUEST["rule"]), true);
 
                if ($rule) {
                        $reg_exp = htmlspecialchars($rule["reg_exp"]);
@@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function newaction() {
-               $action = json_decode($_REQUEST["action"], true);
+               $action = json_decode(clean($_REQUEST["action"]), true);
 
                if ($action) {
                        $action_param = $action["action_param"];
@@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected {
        }
 
        function join() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                if (count($ids) > 1) {
                        $base_id = array_shift($ids);
index 8f1f70be94ede47d0a48d570c112371d5923a77e..38ec850a6ecb0a7ee4d9ab0938a0bfb960989ab4 100644 (file)
@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function edit() {
-               $label_id = $_REQUEST['id'];
+               $label_id = clean($_REQUEST['id']);
 
                $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
                        id = ? AND owner_uid = ?");
@@ -119,11 +119,11 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function colorset() {
-               $kind = $_REQUEST["kind"];
-               $ids = explode(',', $_REQUEST["ids"]);
-               $color = $_REQUEST["color"];
-               $fg = $_REQUEST["fg"];
-               $bg = $_REQUEST["bg"];
+               $kind = clean($_REQUEST["kind"]);
+               $ids = explode(',', clean($_REQUEST["ids"]));
+               $color = clean($_REQUEST["color"]);
+               $fg = clean($_REQUEST["fg"]);
+               $bg = clean($_REQUEST["bg"]);
 
                foreach ($ids as $id) {
 
@@ -154,7 +154,7 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function colorreset() {
-               $ids = explode(',', $_REQUEST["ids"]);
+               $ids = explode(',', clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
@@ -174,8 +174,8 @@ class Pref_Labels extends Handler_Protected {
 
        function save() {
 
-               $id = $_REQUEST["id"];
-               $caption = trim($_REQUEST["caption"]);
+               $id = clean($_REQUEST["id"]);
+               $caption = trim(clean($_REQUEST["caption"]));
 
                $this->pdo->beginTransaction();
 
@@ -206,7 +206,7 @@ class Pref_Labels extends Handler_Protected {
 
                                        $sth->execute([$caption, $old_caption, $_SESSION['uid']]);
 
-                                       print $_REQUEST["value"];
+                                       print clean($_REQUEST["value"]);
                                } else {
                                        print $old_caption;
                                }
@@ -221,7 +221,7 @@ class Pref_Labels extends Handler_Protected {
 
        function remove() {
 
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        Labels::remove($id, $_SESSION["uid"]);
@@ -230,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function add() {
-               $caption = $_REQUEST["caption"];
-               $output = $_REQUEST["output"];
+               $caption = clean($_REQUEST["caption"]);
+               $output = clean($_REQUEST["output"]);
 
                if ($caption) {
 
index 5d999bf3dc4b7b1e054d5c1db9c09daee55a59fb..5fc76b32c39515d9944f522041406615862bf7c5 100644 (file)
@@ -60,9 +60,9 @@ class Pref_Prefs extends Handler_Protected {
 
        function changepassword() {
 
-               $old_pw = $_POST["old_password"];
-               $new_pw = $_POST["new_password"];
-               $con_pw = $_POST["confirm_password"];
+               $old_pw = clean($_POST["old_password"]);
+               $new_pw = clean($_POST["new_password"]);
+               $con_pw = clean($_POST["confirm_password"]);
 
                if ($old_pw == "") {
                        print "ERROR: ".format_error("Old password cannot be blank.");
@@ -89,7 +89,7 @@ class Pref_Prefs extends Handler_Protected {
        }
 
        function saveconfig() {
-               $boolean_prefs = explode(",", $_POST["boolean_prefs"]);
+               $boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
 
                foreach ($boolean_prefs as $pref) {
                        if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
@@ -129,8 +129,8 @@ class Pref_Prefs extends Handler_Protected {
 
        function changeemail() {
 
-               $email = $_POST["email"];
-               $full_name = $_POST["full_name"];
+               $email = clean($_POST["email"]);
+               $full_name = clean($_POST["full_name"]);
                $active_uid = $_SESSION["uid"];
 
                $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
@@ -880,8 +880,8 @@ class Pref_Prefs extends Handler_Protected {
                require_once "lib/otphp/lib/otp.php";
                require_once "lib/otphp/lib/totp.php";
 
-               $password = $_REQUEST["password"];
-               $otp = $_REQUEST["otp"];
+               $password = clean($_REQUEST["password"]);
+               $otp = clean($_REQUEST["otp"]);
 
                $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
 
@@ -930,7 +930,7 @@ class Pref_Prefs extends Handler_Protected {
        }
 
        function otpdisable() {
-               $password = $_REQUEST["password"];
+               $password = clean($_REQUEST["password"]);
 
                $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
 
@@ -948,8 +948,8 @@ class Pref_Prefs extends Handler_Protected {
        }
 
        function setplugins() {
-               if (is_array($_REQUEST["plugins"]))
-                       $plugins = join(",", $_REQUEST["plugins"]);
+               if (is_array(clean($_REQUEST["plugins"])))
+                       $plugins = join(",", clean($_REQUEST["plugins"]));
                else
                        $plugins = "";
 
@@ -957,7 +957,7 @@ class Pref_Prefs extends Handler_Protected {
        }
 
        function clearplugindata() {
-               $name = $_REQUEST["name"];
+               $name = clean($_REQUEST["name"]);
 
                PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
        }
index b23950bd3ba96331f8a3723dd223a32918c5aaba..d65af168078478d34102b8331c2723022bc67da3 100644 (file)
@@ -25,7 +25,7 @@ class Pref_Users extends Handler_Protected {
 
                        print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
 
-                       $id = (int) $_REQUEST["id"];
+                       $id = (int) clean($_REQUEST["id"]);
 
                        print_hidden("id", "$id");
                        print_hidden("op", "pref-users");
@@ -108,7 +108,7 @@ class Pref_Users extends Handler_Protected {
                }
 
                function userdetails() {
-                       $id = (int) $_REQUEST["id"];
+                       $id = (int) clean($_REQUEST["id"]);
 
                        $sth = $this->pdo->prepare("SELECT login,
                                ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
@@ -177,11 +177,11 @@ class Pref_Users extends Handler_Protected {
                }
 
                function editSave() {
-                       $login = trim($_REQUEST["login"]);
-                       $uid = $_REQUEST["id"];
-                       $access_level = (int) $_REQUEST["access_level"];
-                       $email = trim($_REQUEST["email"]);
-                       $password = $_REQUEST["password"];
+                       $login = trim(clean($_REQUEST["login"]));
+                       $uid = clean($_REQUEST["id"]);
+                       $access_level = (int) clean($_REQUEST["access_level"]);
+                       $email = trim(clean($_REQUEST["email"]));
+                       $password = clean($_REQUEST["password"]);
 
                        if ($password) {
                                $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -199,7 +199,7 @@ class Pref_Users extends Handler_Protected {
                }
 
                function remove() {
-                       $ids = explode(",", $_REQUEST["ids"]);
+                       $ids = explode(",", clean($_REQUEST["ids"]));
 
                        foreach ($ids as $id) {
                                if ($id != $_SESSION["uid"] && $id != 1) {
@@ -217,7 +217,7 @@ class Pref_Users extends Handler_Protected {
 
                function add() {
 
-                       $login = trim($_REQUEST["login"]);
+                       $login = trim(clean($_REQUEST["login"]));
                        $tmp_user_pwd = make_password(8);
                        $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                        $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -316,7 +316,7 @@ class Pref_Users extends Handler_Protected {
                }
 
                function resetPass() {
-                       $uid = $_REQUEST["id"];
+                       $uid = clean($_REQUEST["id"]);
                        Pref_Users::resetUserPassword($uid, true);
                }
 
@@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
 
                        print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
 
-                       $user_search = trim($_REQUEST["search"]);
+                       $user_search = trim(clean($_REQUEST["search"]));
 
                        if (array_key_exists("search", $_REQUEST)) {
                                $_SESSION["prefs_user_search"] = $user_search;
@@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
                                        __('Search')."</button>
                                </div>";
 
-                       $sort = $_REQUEST["sort"];
+                       $sort = clean($_REQUEST["sort"]);
 
                        if (!$sort || $sort == "undefined") {
                                $sort = "login";
index cc036736fb37f78fc8b647e5112cccad83bdc76c..cb71412ae09012f049164b869b63cad6efe7c05c 100755 (executable)
@@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
        }
 
        function setprofile() {
-               $_SESSION["profile"] = $_REQUEST["id"];
+               $_SESSION["profile"] = clean($_REQUEST["id"]);
 
                // default value
                if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
        }
 
        function remprofiles() {
-               $ids = explode(",", trim($_REQUEST["ids"]));
+               $ids = explode(",", trim(clean($_REQUEST["ids"])));
 
                foreach ($ids as $id) {
                        if ($_SESSION["profile"] != $id) {
@@ -28,7 +28,7 @@ class RPC extends Handler_Protected {
 
        // Silent
        function addprofile() {
-               $title = trim($_REQUEST["title"]);
+               $title = trim(clean($_REQUEST["title"]));
 
                if ($title) {
                        $this->pdo->beginTransaction();
@@ -62,8 +62,8 @@ class RPC extends Handler_Protected {
        }
 
        function saveprofile() {
-               $id = $_REQUEST["id"];
-               $title = trim($_REQUEST["value"]);
+               $id = clean($_REQUEST["id"]);
+               $title = trim(clean($_REQUEST["value"]));
 
                if ($id == 0) {
                        print __("Default profile");
@@ -82,7 +82,7 @@ class RPC extends Handler_Protected {
 
        // Silent
        function remarchive() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                $sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE
                                (SELECT COUNT(*) FROM ttrss_user_entries
@@ -95,10 +95,10 @@ class RPC extends Handler_Protected {
        }
 
        function addfeed() {
-               $feed = $_REQUEST['feed'];
-               $cat = $_REQUEST['cat'];
-               $login = $_REQUEST['login'];
-               $pass = trim($_REQUEST['pass']);
+               $feed = clean($_REQUEST['feed']);
+               $cat = clean($_REQUEST['cat']);
+               $login = clean($_REQUEST['login']);
+               $pass = trim(clean($_REQUEST['pass']));
 
                $rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
 
@@ -106,7 +106,7 @@ class RPC extends Handler_Protected {
        }
 
        function togglepref() {
-               $key = $_REQUEST["key"];
+               $key = clean($_REQUEST["key"]);
                set_pref($key, !get_pref($key));
                $value = get_pref($key);
 
@@ -115,8 +115,8 @@ class RPC extends Handler_Protected {
 
        function setpref() {
                // set_pref escapes input, so no need to double escape it here
-               $key = $_REQUEST['key'];
-               $value = str_replace("\n", "<br/>", $_REQUEST['value']);
+               $key = clean($_REQUEST['key']);
+               $value = nl2br($_REQUEST['value']);
 
                set_pref($key, $value, false, $key != 'USER_STYLESHEET');
 
@@ -124,8 +124,8 @@ class RPC extends Handler_Protected {
        }
 
        function mark() {
-               $mark = $_REQUEST["mark"];
-               $id = $_REQUEST["id"];
+               $mark = clean($_REQUEST["mark"]);
+               $id = clean($_REQUEST["id"]);
 
                $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?,
                                        last_marked = NOW()
@@ -137,7 +137,7 @@ class RPC extends Handler_Protected {
        }
 
        function delete() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
                $ids_qmarks = arr_qmarks($ids);
 
                $sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries
@@ -150,7 +150,7 @@ class RPC extends Handler_Protected {
        }
 
        function unarchive() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        $this->pdo->beginTransaction();
@@ -203,7 +203,7 @@ class RPC extends Handler_Protected {
        }
 
        function archive() {
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        $this->archive_article($id, $_SESSION["uid"]);
@@ -257,8 +257,8 @@ class RPC extends Handler_Protected {
        }
 
        function publ() {
-               $pub = $_REQUEST["pub"];
-               $id = $_REQUEST["id"];
+               $pub = clean($_REQUEST["pub"]);
+               $id = clean($_REQUEST["id"]);
 
                $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
                        published = ?, last_published = NOW()
@@ -270,7 +270,7 @@ class RPC extends Handler_Protected {
        }
 
        function getAllCounters() {
-               $last_article_id = (int) $_REQUEST["last_article_id"];
+               $last_article_id = (int) clean($_REQUEST["last_article_id"]);
 
                $reply = array();
 
@@ -287,8 +287,8 @@ class RPC extends Handler_Protected {
 
        /* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
        function catchupSelected() {
-               $ids = explode(",", $_REQUEST["ids"]);
-               $cmode = sprintf("%d", $_REQUEST["cmode"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
+               $cmode = sprintf("%d", clean($_REQUEST["cmode"]));
 
                Article::catchupArticlesById($ids, $cmode);
 
@@ -296,8 +296,8 @@ class RPC extends Handler_Protected {
        }
 
        function markSelected() {
-               $ids = explode(",", $_REQUEST["ids"]);
-               $cmode = (int)$_REQUEST["cmode"];
+               $ids = explode(",", clean($_REQUEST["ids"]));
+               $cmode = (int)clean($_REQUEST["cmode"]);
 
                $this->markArticlesById($ids, $cmode);
 
@@ -305,8 +305,8 @@ class RPC extends Handler_Protected {
        }
 
        function publishSelected() {
-               $ids = explode(",", $_REQUEST["ids"]);
-               $cmode = (int)$_REQUEST["cmode"];
+               $ids = explode(",", clean($_REQUEST["ids"]));
+               $cmode = (int)clean($_REQUEST["cmode"]);
 
                $this->publishArticlesById($ids, $cmode);
 
@@ -314,10 +314,10 @@ class RPC extends Handler_Protected {
        }
 
        function sanityCheck() {
-               $_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true";
-               $_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true";
-               $_SESSION["hasMp3"] = $_REQUEST["hasMp3"] === "true";
-               $_SESSION["clientTzOffset"] = $_REQUEST["clientTzOffset"];
+               $_SESSION["hasAudio"] = clean($_REQUEST["hasAudio"]) === "true";
+               $_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
+               $_SESSION["hasMp3"] = clean($_REQUEST["hasMp3"]) === "true";
+               $_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
 
                $reply = array();
 
@@ -332,7 +332,7 @@ class RPC extends Handler_Protected {
        }
 
        function completeLabels() {
-               $search = $_REQUEST["search"];
+               $search = clean($_REQUEST["search"]);
 
                $sth = $this->pdo->prepare("SELECT DISTINCT caption FROM
                                ttrss_labels2
@@ -351,9 +351,9 @@ class RPC extends Handler_Protected {
        function updateFeedBrowser() {
                if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
 
-               $search = $_REQUEST["search"];
-               $limit = $_REQUEST["limit"];
-               $mode = (int) $_REQUEST["mode"];
+               $search = clean($_REQUEST["search"]);
+               $limit = clean($_REQUEST["limit"]);
+               $mode = (int) clean($_REQUEST["mode"]);
 
                require_once "feedbrowser.php";
 
@@ -365,8 +365,8 @@ class RPC extends Handler_Protected {
        // Silent
        function massSubscribe() {
 
-               $payload = json_decode($_REQUEST["payload"], false);
-               $mode = $_REQUEST["mode"];
+               $payload = json_decode(clean($_REQUEST["payload"]), false);
+               $mode = clean($_REQUEST["mode"]);
 
                if (!$payload || !is_array($payload)) return;
 
@@ -417,11 +417,11 @@ class RPC extends Handler_Protected {
        }
 
        function catchupFeed() {
-               $feed_id = $_REQUEST['feed_id'];
-               $is_cat = $_REQUEST['is_cat'] == "true";
-               $mode = $_REQUEST['mode'];
-               $search_query = $_REQUEST['search_query'];
-               $search_lang = $_REQUEST['search_lang'];
+               $feed_id = clean($_REQUEST['feed_id']);
+               $is_cat = clean($_REQUEST['is_cat']) == "true";
+               $mode = clean($_REQUEST['mode']);
+               $search_query = clean($_REQUEST['search_query']);
+               $search_lang = clean($_REQUEST['search_lang']);
 
                Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]);
 
@@ -429,7 +429,7 @@ class RPC extends Handler_Protected {
        }
 
        function setpanelmode() {
-               $wide = (int) $_REQUEST["wide"];
+               $wide = (int) clean($_REQUEST["wide"]);
 
                setcookie("ttrss_widescreen", $wide,
                        time() + COOKIE_LIFETIME_LONG);
@@ -566,7 +566,7 @@ class RPC extends Handler_Protected {
        }
 
        function getlinktitlebyid() {
-               $id = $_REQUEST['id'];
+               $id = clean($_REQUEST['id']);
 
                $sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries
                        WHERE ref_id = ? AND ref_id = id AND owner_uid = ?");
@@ -583,10 +583,10 @@ class RPC extends Handler_Protected {
        }
 
        function log() {
-               $msg = $_REQUEST['msg'];
-               $file = basename($_REQUEST['file']);
-               $line = (int) $_REQUEST['line'];
-               $context = $_REQUEST['context'];
+               $msg = clean($_REQUEST['msg']);
+               $file = basename(clean($_REQUEST['file']));
+               $line = (int) clean($_REQUEST['line']);
+               $context = clean($_REQUEST['context']);
 
                if ($msg) {
                        Logger::get()->log_error(E_USER_WARNING,
index bd59914727645a5568a17099df92941f55102d5e..b5ff63d32ac2811ad67403ca53f42e2c9f4e4c5a 100644 (file)
@@ -304,7 +304,7 @@ class RSSUtils {
         */
        static function update_rss_feed($feed, $no_cache = false) {
 
-               $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || $_REQUEST['xdebug'];
+               $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || clean($_REQUEST['xdebug']);
 
                _debug_suppress(!$debug_enabled);
                _debug("start", $debug_enabled);
@@ -591,7 +591,7 @@ class RSSUtils {
                        foreach ($items as $item) {
                                $pdo->beginTransaction();
 
-                               if ($_REQUEST['xdebug'] == 3) {
+                               if (clean($_REQUEST['xdebug']) == 3) {
                                        print_r($item);
                                }
 
@@ -640,7 +640,7 @@ class RSSUtils {
                                $entry_content = $item->get_content();
                                if (!$entry_content) $entry_content = $item->get_description();
 
-                               if ($_REQUEST["xdebug"] == 2) {
+                               if (clean($_REQUEST["xdebug"]) == 2) {
                                        print "content: ";
                                        print htmlspecialchars($entry_content);
                                        print "\n";
@@ -749,7 +749,7 @@ class RSSUtils {
                                        $entry_plugin_data .= mb_strtolower(get_class($plugin)) . ",";
                                }
 
-                               if ($_REQUEST["xdebug"] == 2) {
+                               if (clean($_REQUEST["xdebug"]) == 2) {
                                        print "processed content: ";
                                        print htmlspecialchars($article["content"]);
                                        print "\n";
index 417abfbb87d0000c56635f1122e9ff66a0ab11b4..0fd8ef61ac05a9cfd82e75b4f9f2d2ca61834a0a 100644 (file)
                }
        }
 
+       // this is used for user http parameters unless HTML code is actually needed
+       function clean($param) {
+               if (is_array($param)) {
+                       return array_map(strip_tags, $param);
+               } else if (is_string($param)) {
+                       return strip_tags($param);
+               } else {
+                       return $param;
+               }
+       }
+
        function make_password($length = 8) {
 
                $password = "";