From e6532439d68234d86176e4d967609d68dd564c1d Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 3 Dec 2017 23:35:38 +0300 Subject: [PATCH] force strip_tags() on all user input unless explicitly allowed --- classes/api.php | 108 ++++++++++++++++++------------------- classes/article.php | 26 ++++----- classes/backend.php | 2 +- classes/handler/public.php | 84 ++++++++++++++--------------- classes/pluginhandler.php | 2 +- classes/pref/feeds.php | 88 +++++++++++++++--------------- classes/pref/filters.php | 62 ++++++++++----------- classes/pref/labels.php | 26 ++++----- classes/pref/prefs.php | 24 ++++----- classes/pref/users.php | 24 ++++----- classes/rpc.php | 96 ++++++++++++++++----------------- classes/rssutils.php | 8 +-- include/functions.php | 11 ++++ 13 files changed, 286 insertions(+), 275 deletions(-) diff --git a/classes/api.php b/classes/api.php index c28d3652..4c321d77 100644 --- a/classes/api.php +++ b/classes/api.php @@ -26,7 +26,7 @@ class API extends Handler { return false; } - $this->seq = (int) $_REQUEST['seq']; + $this->seq = (int) clean($_REQUEST['seq']); return true; } @@ -53,9 +53,9 @@ class API extends Handler { @session_destroy(); @session_start(); - $login = $_REQUEST["user"]; - $password = $_REQUEST["password"]; - $password_base64 = base64_decode($_REQUEST["password"]); + $login = clean($_REQUEST["user"]); + $password = clean($_REQUEST["password"]); + $password_base64 = base64_decode(clean($_REQUEST["password"])); if (SINGLE_USER_MODE) $login = "admin"; @@ -100,8 +100,8 @@ class API extends Handler { } function getUnread() { - $feed_id = $_REQUEST["feed_id"]; - $is_cat = $_REQUEST["is_cat"]; + $feed_id = clean($_REQUEST["feed_id"]); + $is_cat = clean($_REQUEST["is_cat"]); if ($feed_id) { $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat))); 
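Review bot: In the login hunk (`@@ -53,9`), `$password = clean($_REQUEST["password"]);` runs the secret through the same tag filter as display fields, so a password containing `<` is altered before it reaches the authenticator and that user can no longer log in through the API; the same applies to `clean($_POST["password"])` in classes/handler/public.php login(), the old/new/confirm fields in classes/pref/prefs.php changepassword() and the otpenable/otpdisable hunks, and the feed credentials `auth_pass`/`pass` in classes/pref/feeds.php editsaveops() and batchAddFeeds(). clean() itself lives in include/functions.php, outside this chunk, so this assumes it applies strip_tags() as the commit subject says. Credentials are compared or forwarded, never rendered, so they are the natural "explicitly allowed" exception: keep `$password = $_REQUEST["password"];` here and in the other listed hunks (the `base64_decode(clean(...))` wrapper is harmless but redundant, since base64 text contains no `<`).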
@@ -116,11 +116,11 @@ class API extends Handler {
 }
 function getFeeds() {
- $cat_id = $_REQUEST["cat_id"];
- $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
- $limit = (int) $_REQUEST["limit"];
- $offset = (int) $_REQUEST["offset"];
- $include_nested = API::param_to_bool($_REQUEST["include_nested"]);
+ $cat_id = clean($_REQUEST["cat_id"]);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $limit = (int) clean($_REQUEST["limit"]);
+ $offset = (int) clean($_REQUEST["offset"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 $feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
@@ -128,9 +128,9 @@ class API extends Handler {
 }
 function getCategories() {
- $unread_only = API::param_to_bool($_REQUEST["unread_only"]);
- $enable_nested = API::param_to_bool($_REQUEST["enable_nested"]);
- $include_empty = API::param_to_bool($_REQUEST['include_empty']);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 // TODO do not return empty categories, return Uncategorized and standard virtual cats 
@@ -185,39 +185,39 @@ class API extends Handler { } function getHeadlines() { - $feed_id = $_REQUEST["feed_id"]; + $feed_id = clean($_REQUEST["feed_id"]); if ($feed_id != "") { if (is_numeric($feed_id)) $feed_id = (int) $feed_id; - $limit = (int)$_REQUEST["limit"]; + $limit = (int)clean($_REQUEST["limit"]); if (!$limit || $limit >= 200) $limit = 200; - $offset = (int)$_REQUEST["skip"]; - $filter = $_REQUEST["filter"]; - $is_cat = API::param_to_bool($_REQUEST["is_cat"]); - $show_excerpt = API::param_to_bool($_REQUEST["show_excerpt"]); - $show_content = API::param_to_bool($_REQUEST["show_content"]); + $offset = (int)clean($_REQUEST["skip"]); + $filter = clean($_REQUEST["filter"]); + $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"])); + $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"])); + $show_content = API::param_to_bool(clean($_REQUEST["show_content"])); /* all_articles, unread, adaptive, marked, updated */ - $view_mode = $_REQUEST["view_mode"]; - $include_attachments = API::param_to_bool($_REQUEST["include_attachments"]); - $since_id = (int)$_REQUEST["since_id"]; - $include_nested = API::param_to_bool($_REQUEST["include_nested"]); + $view_mode = clean($_REQUEST["view_mode"]); + $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"])); + $since_id = (int)clean($_REQUEST["since_id"]); + $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"])); $sanitize_content = !isset($_REQUEST["sanitize"]) || API::param_to_bool($_REQUEST["sanitize"]); - $force_update = API::param_to_bool($_REQUEST["force_update"]); - $has_sandbox = API::param_to_bool($_REQUEST["has_sandbox"]); - $excerpt_length = (int)$_REQUEST["excerpt_length"]; - $check_first_id = (int)$_REQUEST["check_first_id"]; - $include_header = API::param_to_bool($_REQUEST["include_header"]); + $force_update = API::param_to_bool(clean($_REQUEST["force_update"])); + $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"])); + $excerpt_length = 
(int)clean($_REQUEST["excerpt_length"]); + $check_first_id = (int)clean($_REQUEST["check_first_id"]); + $include_header = API::param_to_bool(clean($_REQUEST["include_header"])); $_SESSION['hasSandbox'] = $has_sandbox; $skip_first_id_check = false; $override_order = false; - switch ($_REQUEST["order_by"]) { + switch (clean($_REQUEST["order_by"])) { case "title": $override_order = "ttrss_entries.title, date_entered, updated"; break; @@ -232,7 +232,7 @@ class API extends Handler { /* do not rely on params below */ - $search = $_REQUEST["search"]; + $search = clean($_REQUEST["search"]); list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order, @@ -250,10 +250,10 @@ class API extends Handler { } function updateArticle() { - $article_ids = explode(",", $_REQUEST["article_ids"]); - $mode = (int) $_REQUEST["mode"]; - $data = $_REQUEST["data"]; - $field_raw = (int)$_REQUEST["field"]; + $article_ids = explode(",", clean($_REQUEST["article_ids"])); + $mode = (int) clean($_REQUEST["mode"]); + $data = clean($_REQUEST["data"]); + $field_raw = (int)clean($_REQUEST["field"]); $field = ""; $set_to = ""; @@ -321,7 +321,7 @@ class API extends Handler { function getArticle() { - $article_ids = explode(",", $_REQUEST["article_id"]); + $article_ids = explode(",", clean($_REQUEST["article_id"])); $sanitize_content = !isset($_REQUEST["sanitize"]) || API::param_to_bool($_REQUEST["sanitize"]); @@ -407,7 +407,7 @@ class API extends Handler { } function updateFeed() { - $feed_id = (int) $_REQUEST["feed_id"]; + $feed_id = (int) clean($_REQUEST["feed_id"]); if (!ini_get("open_basedir")) { RSSUtils::update_rss_feed($feed_id); @@ -417,8 +417,8 @@ class API extends Handler { } function catchupFeed() { - $feed_id = $_REQUEST["feed_id"]; - $is_cat = $_REQUEST["is_cat"]; + $feed_id = clean($_REQUEST["feed_id"]); + $is_cat = clean($_REQUEST["is_cat"]); Feeds::catchup_feed($feed_id, $is_cat); 
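Review bot: `$sanitize_content = !isset($_REQUEST["sanitize"]) || API::param_to_bool($_REQUEST["sanitize"]);` in getHeadlines() is the one parameter in the `@@ -185,39` hunk left without clean(), and getArticle() (`@@ -321,7`) carries the same line; presumably an oversight rather than a deliberate exemption. If it is meant to stay raw, a short comment would save the next reader the question, e.g. `// raw on purpose: only fed to param_to_bool()`; otherwise wrap it like its neighbours. getHeadlines() continues past the end of the hunk.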
@@ -426,13 +426,13 @@ class API extends Handler { } function getPref() { - $pref_name = $_REQUEST["pref_name"]; + $pref_name = clean($_REQUEST["pref_name"]); $this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name))); } function getLabels() { - $article_id = (int)$_REQUEST['article_id']; + $article_id = (int)clean($_REQUEST['article_id']); $rv = array(); @@ -469,9 +469,9 @@ class API extends Handler { function setArticleLabel() { - $article_ids = explode(",", $_REQUEST["article_ids"]); - $label_id = (int) $_REQUEST['label_id']; - $assign = API::param_to_bool($_REQUEST['assign']); + $article_ids = explode(",", clean($_REQUEST["article_ids"])); + $label_id = (int) clean($_REQUEST['label_id']); + $assign = API::param_to_bool(clean($_REQUEST['assign'])); $label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]); @@ -510,9 +510,9 @@ class API extends Handler { } function shareToPublished() { - $title = strip_tags($_REQUEST["title"]); - $url = strip_tags($_REQUEST["url"]); - $content = strip_tags($_REQUEST["content"]); + $title = strip_tags(clean($_REQUEST["title"])); + $url = strip_tags(clean($_REQUEST["url"])); + $content = strip_tags(clean($_REQUEST["content"])); if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) { $this->wrap(self::STATUS_OK, array("status" => 'OK')); @@ -809,7 +809,7 @@ class API extends Handler { } function unsubscribeFeed() { - $feed_id = (int) $_REQUEST["feed_id"]; + $feed_id = (int) clean($_REQUEST["feed_id"]); $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?"); 
@@ -824,10 +824,10 @@ class API extends Handler { } function subscribeToFeed() { - $feed_url = $_REQUEST["feed_url"]; - $category_id = (int) $_REQUEST["category_id"]; - $login = $_REQUEST["login"]; - $password = $_REQUEST["password"]; + $feed_url = clean($_REQUEST["feed_url"]); + $category_id = (int) clean($_REQUEST["category_id"]); + $login = clean($_REQUEST["login"]); + $password = clean($_REQUEST["password"]); if ($feed_url) { $rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password); @@ -839,7 +839,7 @@ class API extends Handler { } function getFeedTree() { - $include_empty = API::param_to_bool($_REQUEST['include_empty']); + $include_empty = API::param_to_bool(clean($_REQUEST['include_empty'])); $pf = new Pref_Feeds($_REQUEST); diff --git a/classes/article.php b/classes/article.php index 62794ddf..f1271284 100644 --- a/classes/article.php +++ b/classes/article.php @@ -8,7 +8,7 @@ class Article extends Handler_Protected { } function redirect() { - $id = $_REQUEST['id']; + $id = clean($_REQUEST['id']); $sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries WHERE id = ? AND id = ref_id AND owner_uid = ? @@ -28,9 +28,9 @@ class Article extends Handler_Protected { } function view() { - $id = $_REQUEST["id"]; - $cids = explode(",", $_REQUEST["cids"]); - $mode = $_REQUEST["mode"]; + $id = clean($_REQUEST["id"]); + $cids = explode(",", clean($_REQUEST["cids"])); + $mode = clean($_REQUEST["mode"]); // in prefetch mode we only output requested cids, main article // just gets marked as read (it already exists in client cache) @@ -210,7 +210,7 @@ class Article extends Handler_Protected { print __("Tags for this article (separated by commas):")."
"; - $param = $_REQUEST['param']; + $param = clean($_REQUEST['param']); $tags = Article::get_article_tags($param); @@ -241,8 +241,8 @@ class Article extends Handler_Protected { } function setScore() { - $ids = explode(",", $_REQUEST['id']); - $score = (int)$_REQUEST['score']; + $ids = explode(",", clean($_REQUEST['id'])); + $score = (int)clean($_REQUEST['score']); $ids_qmarks = arr_qmarks($ids); @@ -257,7 +257,7 @@ class Article extends Handler_Protected { } function getScore() { - $id = $_REQUEST['id']; + $id = clean($_REQUEST['id']); $sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?"); $sth->execute([$id, $_SESSION['uid']]); @@ -273,9 +273,9 @@ class Article extends Handler_Protected { function setArticleTags() { - $id = $_REQUEST["id"]; + $id = clean($_REQUEST["id"]); - $tags_str = $_REQUEST["tags_str"]; + $tags_str = clean($_REQUEST["tags_str"]); $tags = array_unique(trim_array(explode(",", $tags_str))); $this->pdo->beginTransaction(); @@ -342,7 +342,7 @@ class Article extends Handler_Protected { function completeTags() { - $search = $_REQUEST["search"]; + $search = clean($_REQUEST["search"]); $sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags WHERE owner_uid = ? AND @@ -369,8 +369,8 @@ class Article extends Handler_Protected { private function labelops($assign) { $reply = array(); - $ids = explode(",", $_REQUEST["ids"]); - $label_id = $_REQUEST["lid"]; + $ids = explode(",", clean($_REQUEST["ids"])); + $label_id = clean($_REQUEST["lid"]); $label = db_escape_string(Labels::find_caption($label_id, $_SESSION["uid"])); diff --git a/classes/backend.php b/classes/backend.php index c9a595b8..d5d0f5a0 100644 --- a/classes/backend.php +++ b/classes/backend.php @@ -84,7 +84,7 @@ class Backend extends Handler { } function help() { - $topic = basename($_REQUEST["topic"]); + $topic = basename(clean($_REQUEST["topic"])); switch ($topic) { case "main": 
diff --git a/classes/handler/public.php b/classes/handler/public.php index e2df4a3c..8440bc35 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -139,7 +139,7 @@ class Handler_Public extends Handler { $tpl->addBlock('feed'); $tpl->generateOutputToString($tmp); - if (@!$_REQUEST["noxml"]) { + if (@!clean($_REQUEST["noxml"])) { header("Content-Type: text/xml; charset=utf-8"); } else { header("Content-Type: text/plain; charset=utf-8"); @@ -219,8 +219,8 @@ class Handler_Public extends Handler { } function getUnread() { - $login = $_REQUEST["login"]; - $fresh = $_REQUEST["fresh"] == "1"; + $login = clean($_REQUEST["login"]); + $fresh = clean($_REQUEST["fresh"]) == "1"; $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); $sth->execute([$login]); @@ -241,7 +241,7 @@ class Handler_Public extends Handler { } function getProfiles() { - $login = $_REQUEST["login"]; + $login = clean($_REQUEST["login"]); $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title"); @@ -267,7 +267,7 @@ class Handler_Public extends Handler { } function share() { - $uuid = $_REQUEST["key"]; + $uuid = clean($_REQUEST["key"]); $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE uuid = ?"); 
@@ -290,19 +290,19 @@ class Handler_Public extends Handler { } function rss() { - $feed = $_REQUEST["id"]; - $key = $_REQUEST["key"]; - $is_cat = $_REQUEST["is_cat"]; - $limit = (int)$_REQUEST["limit"]; - $offset = (int)$_REQUEST["offset"]; + $feed = clean($_REQUEST["id"]); + $key = clean($_REQUEST["key"]); + $is_cat = clean($_REQUEST["is_cat"]); + $limit = (int)clean($_REQUEST["limit"]); + $offset = (int)clean($_REQUEST["offset"]); - $search = $_REQUEST["q"]; - $view_mode = $_REQUEST["view-mode"]; - $order = $_REQUEST["order"]; - $start_ts = $_REQUEST["ts"]; + $search = clean($_REQUEST["q"]); + $view_mode = clean($_REQUEST["view-mode"]); + $order = clean($_REQUEST["order"]); + $start_ts = clean($_REQUEST["ts"]); - $format = $_REQUEST['format']; - $orig_guid = $_REQUEST["orig_guid"]; + $format = clean($_REQUEST['format']); + $orig_guid = clean($_REQUEST["orig_guid"]); if (!$format) $format = 'atom'; @@ -359,16 +359,16 @@ class Handler_Public extends Handler { print " "; - $action = $_REQUEST["action"]; + $action = clean($_REQUEST["action"]); if ($_SESSION["uid"]) { if ($action == 'share') { - $title = strip_tags($_REQUEST["title"]); - $url = strip_tags($_REQUEST["url"]); - $content = strip_tags($_REQUEST["content"]); - $labels = strip_tags($_REQUEST["labels"]); + $title = strip_tags(clean($_REQUEST["title"])); + $url = strip_tags(clean($_REQUEST["url"])); + $content = strip_tags(clean($_REQUEST["content"])); + $labels = strip_tags(clean($_REQUEST["labels"])); Article::create_published_article($title, $url, $content, $labels, $_SESSION["uid"]); @@ -378,8 +378,8 @@ class Handler_Public extends Handler { print ""; } else { - $title = htmlspecialchars($_REQUEST["title"]); - $url = htmlspecialchars($_REQUEST["url"]); + $title = htmlspecialchars(clean($_REQUEST["title"])); + $url = htmlspecialchars(clean($_REQUEST["url"])); ?> 
@@ -466,9 +466,9 @@ class Handler_Public extends Handler { function login() { if (!SINGLE_USER_MODE) { - $login = $_POST["login"]; - $password = $_POST["password"]; - $remember_me = $_POST["remember_me"]; + $login = clean($_POST["login"]); + $password = clean($_POST["password"]); + $remember_me = clean($_POST["remember_me"]); if ($remember_me) { session_set_cookie_params(SESSION_COOKIE_LIFETIME); @@ -486,11 +486,11 @@ class Handler_Public extends Handler { } $_SESSION["ref_schema_version"] = get_schema_version(true); - $_SESSION["bw_limit"] = !!$_POST["bw_limit"]; + $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]); - if ($_POST["profile"]) { + if (clean($_POST["profile"])) { - $profile = $_POST["profile"]; + $profile = clean($_POST["profile"]); $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles WHERE id = ? AND owner_uid = ?"); @@ -505,8 +505,8 @@ class Handler_Public extends Handler { user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); } - if ($_REQUEST['return']) { - header("Location: " . $_REQUEST['return']); + if (clean($_REQUEST['return'])) { + header("Location: " . clean($_REQUEST['return'])); } else { header("Location: " . get_self_url_prefix()); } @@ -516,7 +516,7 @@ class Handler_Public extends Handler { /* function subtest() { header("Content-type: text/plain; charset=utf-8"); - $url = $_REQUEST["url"]; + $url = clean($_REQUEST["url"]); print "$url\n\n"; @@ -532,7 +532,7 @@ class Handler_Public extends Handler { if ($_SESSION["uid"]) { - $feed_url = trim($_REQUEST["feed_url"]); + $feed_url = trim(clean($_REQUEST["feed_url"])); header('Content-Type: text/html; charset=utf-8'); print " @@ -638,7 +638,7 @@ class Handler_Public extends Handler { function forgotpass() { startup_gettext(); - @$hash = $_REQUEST["hash"]; + @$hash = clean($_REQUEST["hash"]); header('Content-Type: text/html; charset=utf-8'); print "Tiny Tiny RSS @@ -656,10 +656,10 @@ class Handler_Public extends Handler { print "
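Review bot: `header("Location: " . clean($_REQUEST['return']));` in the `@@ -505,8` hunk still sends the browser wherever the `return` parameter points; strip_tags() removes markup but does not constrain the destination, so a post-login redirect to an arbitrary external site remains possible. Restrict the value to an in-app path before using it — for example accept it only when `parse_url($return, PHP_URL_HOST) === null` and it does not start with `//`, or when it starts with `get_self_url_prefix()` — and fall back to `get_self_url_prefix()` otherwise. Storing `clean($_REQUEST['return'])` in a local once also avoids calling the filter twice on the same value.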

".__("Password recovery")."

"; print "
"; - @$method = $_POST['method']; + @$method = clean($_POST['method']); if ($hash) { - $login = $_REQUEST["login"]; + $login = clean($_REQUEST["login"]); if ($login) { $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users @@ -725,9 +725,9 @@ class Handler_Public extends Handler { print ""; } else if ($method == 'do') { - $login = $_POST["login"]; - $email = $_POST["email"]; - $test = $_POST["test"]; + $login = clean($_POST["login"]); + $email = clean($_POST["email"]); + $test = clean($_POST["test"]); if (($test != 4 && $test != 'four') || !$email || !$login) { print_error(__('Some of the required form parameters are missing or incorrect.')); @@ -852,7 +852,7 @@ class Handler_Public extends Handler {
load($plugin, PluginHost::KIND_USER, 0); $host->load_data(); diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php index 1c9e7aef..d10343e0 100644 --- a/classes/pluginhandler.php +++ b/classes/pluginhandler.php @@ -5,7 +5,7 @@ class PluginHandler extends Handler_Protected { } function catchall($method) { - $plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]); + $plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"])); if ($plugin) { if (method_exists($plugin, $method)) { diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index 05f6b8c8..0b5a445f 100755 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected { } function renamecat() { - $title = $_REQUEST['title']; - $id = $_REQUEST['id']; + $title = clean($_REQUEST['title']); + $id = clean($_REQUEST['id']); if ($title) { $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET @@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected { private function get_category_items($cat_id) { - if ($_REQUEST['mode'] != 2) + if (clean($_REQUEST['mode']) != 2) $search = $_SESSION["prefs_feed_search"]; else $search = ""; // first one is set by API - $show_empty_cats = $_REQUEST['force_show_empty'] || - ($_REQUEST['mode'] != 2 && !$search); + $show_empty_cats = clean($_REQUEST['force_show_empty']) || + (clean($_REQUEST['mode']) != 2 && !$search); $items = array(); @@ -103,7 +103,7 @@ class Pref_Feeds extends Handler_Protected { function makefeedtree() { - if ($_REQUEST['mode'] != 2) + if (clean($_REQUEST['mode']) != 2) $search = $_SESSION["prefs_feed_search"]; else $search = ""; @@ -116,7 +116,7 @@ class Pref_Feeds extends Handler_Protected { $enable_cats = get_pref('ENABLE_FEED_CATS'); - if ($_REQUEST['mode'] == 2) { + if (clean($_REQUEST['mode']) == 2) { if ($enable_cats) { $cat = $this->feedlist_init_cat(-1); 
@@ -193,8 +193,8 @@ class Pref_Feeds extends Handler_Protected { } if ($enable_cats) { - $show_empty_cats = $_REQUEST['force_show_empty'] || - ($_REQUEST['mode'] != 2 && !$search); + $show_empty_cats = clean($_REQUEST['force_show_empty']) || + (clean($_REQUEST['mode']) != 2 && !$search); $sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title"); @@ -303,7 +303,7 @@ class Pref_Feeds extends Handler_Protected { $fl['identifier'] = 'id'; $fl['label'] = 'name'; - if ($_REQUEST['mode'] != 2) { + if (clean($_REQUEST['mode']) != 2) { $fl['items'] = array($root); } else { $fl['items'] = $root['items']; @@ -389,9 +389,9 @@ class Pref_Feeds extends Handler_Protected { } function savefeedorder() { - $data = json_decode($_POST['payload'], true); + $data = json_decode(clean($_POST['payload']), true); - #file_put_contents("/tmp/saveorder.json", $_POST['payload']); + #file_put_contents("/tmp/saveorder.json", clean($_POST['payload'])); #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true); if (!is_array($data['items'])) @@ -425,7 +425,7 @@ class Pref_Feeds extends Handler_Protected { } function removeicon() { - $feed_id = $_REQUEST["feed_id"]; + $feed_id = clean($_REQUEST["feed_id"]); $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?"); @@ -457,7 +457,7 @@ class Pref_Feeds extends Handler_Protected { } $icon_file = $tmp_file; - $feed_id = $_REQUEST["feed_id"]; + $feed_id = clean($_REQUEST["feed_id"]); if (is_file($icon_file) && $feed_id) { if (filesize($icon_file) < 65535) { @@ -500,7 +500,7 @@ class Pref_Feeds extends Handler_Protected { global $update_intervals; - $feed_id = $_REQUEST["id"]; + $feed_id = clean($_REQUEST["id"]); $sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND owner_uid = ?"); 
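Review bot: `json_decode(clean($_POST['payload']), true)` in savefeedorder() (`@@ -389,9`) applies the tag filter to a JSON document rather than to the decoded values; if clean() is strip_tags()-based, a `<` inside any string value removes the rest of that string up to the next `>`, which most likely leaves invalid JSON, `$data` becomes null and the `!is_array($data['items'])` check rejects the whole save. classes/pref/filters.php savefilterorder() has the same construct. Decode the raw payload with `$data = json_decode($_POST['payload'], true);` and clean the individual string fields that are actually used, or validate structurally (ids are numeric); the commented-out debug line changed alongside it could simply be deleted.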
@@ -775,7 +775,7 @@ class Pref_Feeds extends Handler_Protected { global $purge_intervals; global $update_intervals; - $feed_ids = $_REQUEST["ids"]; + $feed_ids = clean($_REQUEST["ids"]); print_notice("Enable the options you wish to apply using checkboxes on the right:"); 
@@ -924,32 +924,32 @@ class Pref_Feeds extends Handler_Protected { function editsaveops($batch) { - $feed_title = trim($_POST["title"]); - $feed_url = trim($_POST["feed_url"]); - $upd_intl = (int) $_POST["update_interval"]; - $purge_intl = (int) $_POST["purge_interval"]; - $feed_id = (int) $_POST["id"]; /* editSave */ - $feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */ - $cat_id = (int) $_POST["cat_id"]; - $auth_login = trim($_POST["auth_login"]); - $auth_pass = trim($_POST["auth_pass"]); - $private = checkbox_to_sql_bool($_POST["private"]); + $feed_title = trim(clean($_POST["title"])); + $feed_url = trim(clean($_POST["feed_url"])); + $upd_intl = (int) clean($_POST["update_interval"]); + $purge_intl = (int) clean($_POST["purge_interval"]); + $feed_id = (int) clean($_POST["id"]); /* editSave */ + $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */ + $cat_id = (int) clean($_POST["cat_id"]); + $auth_login = trim(clean($_POST["auth_login"])); + $auth_pass = trim(clean($_POST["auth_pass"])); + $private = checkbox_to_sql_bool(clean($_POST["private"])); $include_in_digest = checkbox_to_sql_bool( - $_POST["include_in_digest"]); + clean($_POST["include_in_digest"])); $cache_images = checkbox_to_sql_bool( - $_POST["cache_images"]); + clean($_POST["cache_images"])); $hide_images = checkbox_to_sql_bool( - $_POST["hide_images"]); + clean($_POST["hide_images"])); $always_display_enclosures = checkbox_to_sql_bool( - $_POST["always_display_enclosures"]); + clean($_POST["always_display_enclosures"])); $mark_unread_on_update = checkbox_to_sql_bool( - $_POST["mark_unread_on_update"]); + clean($_POST["mark_unread_on_update"])); - $feed_language = trim($_POST["feed_language"]); + $feed_language = trim(clean($_POST["feed_language"])); if (!$batch) { - if ($_POST["need_auth"] !== 'on') { + if (clean($_POST["need_auth"]) !== 'on') { $auth_login = ''; $auth_pass = ''; } 
@@ -1008,7 +1008,7 @@ class Pref_Feeds extends Handler_Protected { foreach (array_keys($_POST) as $k) { if ($k != "op" && $k != "method" && $k != "ids") { - $feed_data[$k] = $_POST[$k]; + $feed_data[$k] = clean($_POST[$k]); } } @@ -1102,7 +1102,7 @@ class Pref_Feeds extends Handler_Protected { function remove() { - $ids = explode(",", $_REQUEST["ids"]); + $ids = explode(",", clean($_REQUEST["ids"])); foreach ($ids as $id) { Pref_Feeds::remove_feed($id, $_SESSION["uid"]); @@ -1112,14 +1112,14 @@ class Pref_Feeds extends Handler_Protected { } function removeCat() { - $ids = explode(",", $_REQUEST["ids"]); + $ids = explode(",", clean($_REQUEST["ids"])); foreach ($ids as $id) { $this->remove_feed_category($id, $_SESSION["uid"]); } } function addCat() { - $feed_cat = trim($_REQUEST["cat"]); + $feed_cat = trim(clean($_REQUEST["cat"])); add_feed_category($feed_cat); } @@ -1152,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected { onclick=\"showInactiveFeeds()\">" . __("Inactive feeds") . ""; - $feed_search = $_REQUEST["search"]; + $feed_search = clean($_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_feed_search"] = $feed_search; @@ -1675,10 +1675,10 @@ class Pref_Feeds extends Handler_Protected { } function batchAddFeeds() { - $cat_id = $_REQUEST['cat']; - $feeds = explode("\n", $_REQUEST['feeds']); - $login = $_REQUEST['login']; - $pass = trim($_REQUEST['pass']); + $cat_id = clean($_REQUEST['cat']); + $feeds = explode("\n", clean($_REQUEST['feeds'])); + $login = clean($_REQUEST['login']); + $pass = trim(clean($_REQUEST['pass'])); foreach ($feeds as $feed) { $feed = trim($feed); @@ -1714,8 +1714,8 @@ class Pref_Feeds extends Handler_Protected { } function regenFeedKey() { - $feed_id = $_REQUEST['id']; - $is_cat = $_REQUEST['is_cat'] == "true"; + $feed_id = clean($_REQUEST['id']); + $is_cat = clean($_REQUEST['is_cat']) == "true"; $new_key = $this->update_feed_access_key($feed_id, $is_cat); 
diff --git a/classes/pref/filters.php b/classes/pref/filters.php index 1ff9a372..74aecd30 100755 --- a/classes/pref/filters.php +++ b/classes/pref/filters.php @@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected { } function savefilterorder() { - $data = json_decode($_POST['payload'], true); + $data = json_decode(clean($_POST['payload']), true); - #file_put_contents("/tmp/saveorder.json", $_POST['payload']); + #file_put_contents("/tmp/saveorder.json", clean($_POST['payload'])); #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true); if (!is_array($data['items'])) @@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected { } function testFilterDo() { - $offset = (int) $_REQUEST["offset"]; - $limit = (int) $_REQUEST["limit"]; + $offset = (int) clean($_REQUEST["offset"]); + $limit = (int) clean($_REQUEST["limit"]); $filter = array(); $filter["enabled"] = true; - $filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); - $filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]); + $filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"])); + $filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"])); $filter["rules"] = array(); $filter["actions"] = array("dummy-action"); @@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected { $scope_qparts = array(); $rctr = 0; - foreach ($_REQUEST["rule"] AS $r) { + foreach (clean($_REQUEST["rule"]) AS $r) { $rule = json_decode($r, true); if ($rule && $rctr < 5) { @@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected { function edit() { - $filter_id = $_REQUEST["id"]; + $filter_id = clean($_REQUEST["id"]); $sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 WHERE id = ? AND owner_uid = ?"); 
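Review bot: `foreach (clean($_REQUEST["rule"]) AS $r)` in testFilterDo() (`@@ -68,7`) passes an array to clean(); whether that is safe depends on the helper in include/functions.php, which is outside this chunk. If clean() only wraps strip_tags(), PHP rejects a non-string argument (warning and null on PHP 7, TypeError on PHP 8) and the loop body never runs; if it maps over arrays, each element is a JSON-encoded rule whose `reg_exp` may legitimately contain `<`, and the mangled JSON makes `json_decode($r, true)` return null so the rule is silently dropped. The same array-to-clean pattern appears in the `@@ -659`, `@@ -668` and `@@ -677` hunks of this file — where a null result turns `!is_array(clean($_REQUEST["rule"]))` true and discards every rule on save — and in classes/pref/prefs.php setplugins(). Iterate the raw array and filter per element after decoding, e.g. `foreach ($_REQUEST["rule"] as $r) { $rule = json_decode($r, true);`, then clean the decoded string fields that are stored or displayed.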
@@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
 }
 private function getRuleName($rule) {
- if (!$rule) $rule = json_decode($_REQUEST["rule"], true);
+ if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
 $feeds = $rule["feed_id"];
 $feeds_fmt = [];
@@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
 }
 function printRuleName() {
- print $this->getRuleName(json_decode($_REQUEST["rule"], true));
+ print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
 }
 private function getActionName($action) {
@@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
 }
 function printActionName() {
- print $this->getActionName(json_decode($_REQUEST["action"], true));
+ print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
 }
 function editSave() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 return $this->testFilter();
 }
- $filter_id = $_REQUEST["id"];
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
- $title = $_REQUEST["title"];
+ $filter_id = clean($_REQUEST["id"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
+ $title = clean($_REQUEST["title"]);
 $this->pdo->beginTransaction();
@@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
 function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 $ids_qmarks = arr_qmarks($ids);
 $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) 
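Review bot: `if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test")` in editSave() (`@@ -611,19`) wraps the call around the whole `&&` expression, so clean() receives a bool and its result is loosely compared with "test"; the original `$_REQUEST["savemode"] && $_REQUEST["savemode"] == "test"` was true only for the literal value. With a strip_tags()-based clean() the new form yields "1" or "" and can never equal "test", making the test path unreachable; if clean() returns a bool unchanged, `true == "test"` holds for any non-empty value and every save becomes a test run. Either way the intended check is `if (clean($_REQUEST["savemode"]) == "test") {`. add() in the `@@ -729,14` hunk has the identical regression.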
@@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
 $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
 $sth->execute([$filter_id]);
- if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = [];
- if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = [];
+ if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
+ if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
 if ($filter_id) { /* create rules */
@@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
 $rules = array();
 $actions = array();
- foreach ($_REQUEST["rule"] as $rule) {
+ foreach (clean($_REQUEST["rule"]) as $rule) {
 $rule = json_decode($rule, true);
 unset($rule["id"]);
@@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
 }
 }
- foreach ($_REQUEST["action"] as $action) {
+ foreach (clean($_REQUEST["action"]) as $action) {
 $action = json_decode($action, true);
 unset($action["id"]);
@@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
 }
 function add() {
- if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") {
+ if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
 return $this->testFilter();
 }
- $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]);
- $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]);
- $title = $_REQUEST["title"];
- $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]);
+ $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
+ $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
+ $title = clean($_REQUEST["title"]);
+ $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
 $this->pdo->beginTransaction();
@@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
 function index() {
- $filter_search = $_REQUEST["search"];
+ $filter_search = clean($_REQUEST["search"]);
 if (array_key_exists("search", $_REQUEST)) {
 $_SESSION["prefs_filter_search"] = $filter_search; 
@@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected { } function newrule() { - $rule = json_decode($_REQUEST["rule"], true); + $rule = json_decode(clean($_REQUEST["rule"]), true); if ($rule) { $reg_exp = htmlspecialchars($rule["reg_exp"]); @@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected { } function newaction() { - $action = json_decode($_REQUEST["action"], true); + $action = json_decode(clean($_REQUEST["action"]), true); if ($action) { $action_param = $action["action_param"]; @@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected { } function join() { - $ids = explode(",", $_REQUEST["ids"]); + $ids = explode(",", clean($_REQUEST["ids"])); if (count($ids) > 1) { $base_id = array_shift($ids); diff --git a/classes/pref/labels.php b/classes/pref/labels.php index 8f1f70be..38ec850a 100644 --- a/classes/pref/labels.php +++ b/classes/pref/labels.php @@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected { } function edit() { - $label_id = $_REQUEST['id']; + $label_id = clean($_REQUEST['id']); $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE id = ? AND owner_uid = ?"); @@ -119,11 +119,11 @@ class Pref_Labels extends Handler_Protected { } function colorset() { - $kind = $_REQUEST["kind"]; - $ids = explode(',', $_REQUEST["ids"]); - $color = $_REQUEST["color"]; - $fg = $_REQUEST["fg"]; - $bg = $_REQUEST["bg"]; + $kind = clean($_REQUEST["kind"]); + $ids = explode(',', clean($_REQUEST["ids"])); + $color = clean($_REQUEST["color"]); + $fg = clean($_REQUEST["fg"]); + $bg = clean($_REQUEST["bg"]); foreach ($ids as $id) { @@ -154,7 +154,7 @@ class Pref_Labels extends Handler_Protected { } function colorreset() { - $ids = explode(',', $_REQUEST["ids"]); + $ids = explode(',', clean($_REQUEST["ids"])); foreach ($ids as $id) { $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET 
@@ -174,8 +174,8 @@ class Pref_Labels extends Handler_Protected {
 function save() {
- $id = $_REQUEST["id"];
- $caption = trim($_REQUEST["caption"]);
+ $id = clean($_REQUEST["id"]);
+ $caption = trim(clean($_REQUEST["caption"]));
 $this->pdo->beginTransaction();
@@ -206,7 +206,7 @@ class Pref_Labels extends Handler_Protected {
 $sth->execute([$caption, $old_caption, $_SESSION['uid']]);
- print $_REQUEST["value"];
+ print clean($_REQUEST["value"]);
 } else {
 print $old_caption;
 }
@@ -221,7 +221,7 @@ class Pref_Labels extends Handler_Protected {
 function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 foreach ($ids as $id) {
 Labels::remove($id, $_SESSION["uid"]);
@@ -230,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
 }
 function add() {
- $caption = $_REQUEST["caption"];
- $output = $_REQUEST["output"];
+ $caption = clean($_REQUEST["caption"]);
+ $output = clean($_REQUEST["output"]);
 if ($caption) {
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 5d999bf3..5fc76b32 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -60,9 +60,9 @@ class Pref_Prefs extends Handler_Protected {
 function changepassword() {
- $old_pw = $_POST["old_password"];
- $new_pw = $_POST["new_password"];
- $con_pw = $_POST["confirm_password"];
+ $old_pw = clean($_POST["old_password"]);
+ $new_pw = clean($_POST["new_password"]);
+ $con_pw = clean($_POST["confirm_password"]);
 if ($old_pw == "") {
 print "ERROR: ".format_error("Old password cannot be blank.");
@@ -89,7 +89,7 @@ class Pref_Prefs extends Handler_Protected {
 }
 function saveconfig() {
- $boolean_prefs = explode(",", $_POST["boolean_prefs"]);
+ $boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
 foreach ($boolean_prefs as $pref) {
 if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
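Review bot: `print clean($_REQUEST["value"]);` echoes request input back to the browser with only strip_tags(), which is not an HTML-output escape: it removes tag-like runs (and everything after an unclosed `<`) but leaves quotes and entities untouched, so the output is still not safe in every HTML context. Escape at the point of output instead, `print htmlspecialchars(clean($_REQUEST["value"]));`, or print the `$caption` that was actually stored if "value" and "caption" carry the same text (not visible in this hunk). The surrounding save() body lies outside the hunk.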
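Review bot: Running clean() (strip_tags) over old_password, new_password and confirm_password silently alters any password containing `<` — `a<b>c` becomes `ac` — so what gets hashed here is not what the user typed, and later logins only succeed if every verification path applies the identical transform; the login handler is not in this diff, so that cannot be confirmed here. The same concern applies to the OTP password fields in prefs.php, editSave() in users.php and the feed password in addfeed() in rpc.php. Passwords should never be rendered as HTML, so leaving them raw, `$old_pw = $_POST["old_password"];` and likewise for the other two, fits the commit's own "unless explicitly allowed" rule better than stripping them.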
@@ -129,8 +129,8 @@ class Pref_Prefs extends Handler_Protected {
 function changeemail() {
- $email = $_POST["email"];
- $full_name = $_POST["full_name"];
+ $email = clean($_POST["email"]);
+ $full_name = clean($_POST["full_name"]);
 $active_uid = $_SESSION["uid"];
 $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
@@ -880,8 +880,8 @@ class Pref_Prefs extends Handler_Protected {
 require_once "lib/otphp/lib/otp.php";
 require_once "lib/otphp/lib/totp.php";
- $password = $_REQUEST["password"];
- $otp = $_REQUEST["otp"];
+ $password = clean($_REQUEST["password"]);
+ $otp = clean($_REQUEST["otp"]);
 $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@@ -930,7 +930,7 @@ class Pref_Prefs extends Handler_Protected {
 }
 function otpdisable() {
- $password = $_REQUEST["password"];
+ $password = clean($_REQUEST["password"]);
 $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@@ -948,8 +948,8 @@ class Pref_Prefs extends Handler_Protected {
 }
 function setplugins() {
- if (is_array($_REQUEST["plugins"]))
- $plugins = join(",", $_REQUEST["plugins"]);
+ if (is_array(clean($_REQUEST["plugins"])))
+ $plugins = join(",", clean($_REQUEST["plugins"]));
 else $plugins = "";
@@ -957,7 +957,7 @@ class Pref_Prefs extends Handler_Protected {
 }
 function clearplugindata() {
- $name = $_REQUEST["name"];
+ $name = clean($_REQUEST["name"]);
 PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
 }
diff --git a/classes/pref/users.php b/classes/pref/users.php
index b23950bd..d65af168 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -25,7 +25,7 @@ class Pref_Users extends Handler_Protected {
 print "
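Review bot: In changeemail() `$email` reaches the UPDATE with no format check; strip_tags() is not validation, and because it discards everything after an unclosed `<`, a value such as `me@x<y` is silently persisted as `me@x`. A guard before the query, `if ($email !== "" && !filter_var($email, FILTER_VALIDATE_EMAIL)) return;` (or a printed error in the style changepassword() uses), bounds what is stored. The rest of changeemail() lies outside the hunk.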
";
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
 print_hidden("id", "$id");
 print_hidden("op", "pref-users");
@@ -108,7 +108,7 @@ class Pref_Users extends Handler_Protected {
 }
 function userdetails() {
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
 $sth = $this->pdo->prepare("SELECT login, ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
@@ -177,11 +177,11 @@ class Pref_Users extends Handler_Protected {
 }
 function editSave() {
- $login = trim($_REQUEST["login"]);
- $uid = $_REQUEST["id"];
- $access_level = (int) $_REQUEST["access_level"];
- $email = trim($_REQUEST["email"]);
- $password = $_REQUEST["password"];
+ $login = trim(clean($_REQUEST["login"]));
+ $uid = clean($_REQUEST["id"]);
+ $access_level = (int) clean($_REQUEST["access_level"]);
+ $email = trim(clean($_REQUEST["email"]));
+ $password = clean($_REQUEST["password"]);
 if ($password) {
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -199,7 +199,7 @@ class Pref_Users extends Handler_Protected {
 }
 function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 foreach ($ids as $id) {
 if ($id != $_SESSION["uid"] && $id != 1) {
@@ -217,7 +217,7 @@ class Pref_Users extends Handler_Protected {
 function add() {
- $login = trim($_REQUEST["login"]);
+ $login = trim(clean($_REQUEST["login"]));
 $tmp_user_pwd = make_password(8);
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -316,7 +316,7 @@ class Pref_Users extends Handler_Protected {
 }
 function resetPass() {
- $uid = $_REQUEST["id"];
+ $uid = clean($_REQUEST["id"]);
 Pref_Users::resetUserPassword($uid, true);
 }
@@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
 print "
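Review bot: In editSave() `$uid = clean($_REQUEST["id"]);` and in resetPass() `$uid = clean($_REQUEST["id"]);` leave the user id as a request string, while edit() and userdetails() in the same file cast it with `(int)`. Casting in both places, `$uid = (int) clean($_REQUEST["id"]);`, keeps the ids consistent across the file and removes any reliance on strip_tags() for what should be a numeric value. How $uid is consumed further down editSave() is outside the hunk.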
";
- $user_search = trim($_REQUEST["search"]);
+ $user_search = trim(clean($_REQUEST["search"]));
 if (array_key_exists("search", $_REQUEST)) {
 $_SESSION["prefs_user_search"] = $user_search;
@@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
 __('Search')."
";
- $sort = $_REQUEST["sort"];
+ $sort = clean($_REQUEST["sort"]);
 if (!$sort || $sort == "undefined") {
 $sort = "login";
diff --git a/classes/rpc.php b/classes/rpc.php
index cc036736..cb71412a 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
 }
 function setprofile() {
- $_SESSION["profile"] = $_REQUEST["id"];
+ $_SESSION["profile"] = clean($_REQUEST["id"]);
 // default value
 if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
 }
 function remprofiles() {
- $ids = explode(",", trim($_REQUEST["ids"]));
+ $ids = explode(",", trim(clean($_REQUEST["ids"])));
 foreach ($ids as $id) {
 if ($_SESSION["profile"] != $id) {
@@ -28,7 +28,7 @@ class RPC extends Handler_Protected {
 // Silent
 function addprofile() {
- $title = trim($_REQUEST["title"]);
+ $title = trim(clean($_REQUEST["title"]));
 if ($title) {
 $this->pdo->beginTransaction();
@@ -62,8 +62,8 @@ class RPC extends Handler_Protected {
 }
 function saveprofile() {
- $id = $_REQUEST["id"];
- $title = trim($_REQUEST["value"]);
+ $id = clean($_REQUEST["id"]);
+ $title = trim(clean($_REQUEST["value"]));
 if ($id == 0) {
 print __("Default profile");
@@ -82,7 +82,7 @@ class RPC extends Handler_Protected {
 // Silent
 function remarchive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 $sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE (SELECT COUNT(*) FROM ttrss_user_entries
@@ -95,10 +95,10 @@ class RPC extends Handler_Protected {
 }
 function addfeed() {
- $feed = $_REQUEST['feed'];
- $cat = $_REQUEST['cat'];
- $login = $_REQUEST['login'];
- $pass = trim($_REQUEST['pass']);
+ $feed = clean($_REQUEST['feed']);
+ $cat = clean($_REQUEST['cat']);
+ $login = clean($_REQUEST['login']);
+ $pass = trim(clean($_REQUEST['pass']));
 $rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
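Review bot: `$sort = clean($_REQUEST["sort"]);` only falls back to "login" for an empty or "undefined" value; strip_tags() does nothing to constrain a column name, so if $sort is later interpolated into an ORDER BY (the query is outside the hunk) it needs an allow-list rather than a sanitiser, e.g. `if (!in_array($sort, ["login", /* other sortable columns */], true)) $sort = "login";` in place of the current check. If the query already maps $sort through a fixed table, a comment saying so next to this line would save the next reader the trip.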
@@ -106,7 +106,7 @@ class RPC extends Handler_Protected {
 }
 function togglepref() {
- $key = $_REQUEST["key"];
+ $key = clean($_REQUEST["key"]);
 set_pref($key, !get_pref($key));
 $value = get_pref($key);
@@ -115,8 +115,8 @@ class RPC extends Handler_Protected {
 function setpref() {
 // set_pref escapes input, so no need to double escape it here
- $key = $_REQUEST['key'];
- $value = str_replace("\n", "
", $_REQUEST['value']);
+ $key = clean($_REQUEST['key']);
+ $value = nl2br($_REQUEST['value']);
 set_pref($key, $value, false, $key != 'USER_STYLESHEET');
@@ -124,8 +124,8 @@ class RPC extends Handler_Protected {
 }
 function mark() {
- $mark = $_REQUEST["mark"];
- $id = $_REQUEST["id"];
+ $mark = clean($_REQUEST["mark"]);
+ $id = clean($_REQUEST["id"]);
 $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?, last_marked = NOW()
@@ -137,7 +137,7 @@ class RPC extends Handler_Protected {
 }
 function delete() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 $ids_qmarks = arr_qmarks($ids);
 $sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries
@@ -150,7 +150,7 @@ class RPC extends Handler_Protected {
 }
 function unarchive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 foreach ($ids as $id) {
 $this->pdo->beginTransaction();
@@ -203,7 +203,7 @@ class RPC extends Handler_Protected {
 }
 function archive() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 foreach ($ids as $id) {
 $this->archive_article($id, $_SESSION["uid"]);
@@ -257,8 +257,8 @@ class RPC extends Handler_Protected {
 }
 function publ() {
- $pub = $_REQUEST["pub"];
- $id = $_REQUEST["id"];
+ $pub = clean($_REQUEST["pub"]);
+ $id = clean($_REQUEST["id"]);
 $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET published = ?, last_published = NOW()
@@ -270,7 +270,7 @@ class RPC extends Handler_Protected {
 }
 function getAllCounters() {
- $last_article_id = (int) $_REQUEST["last_article_id"];
+ $last_article_id = (int) clean($_REQUEST["last_article_id"]);
 $reply = array();
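Review bot: setpref() is one of the inputs the commit deliberately leaves raw, but nothing in the code records that, so the next sweep over `$_REQUEST` will wrap it; a comment on the `$value` line, `// not passed through clean(): pref values may legitimately contain markup, set_pref escapes as needed`, pins the decision (the set_pref() behaviour the existing comment refers to is not visible here). Note also that nl2br() is not a drop-in for the str_replace() it replaces (the replacement tag is stripped from this rendering of the diff): it inserts the break tag before each newline but keeps the newline, and it also handles `\r\n`, so stored values now contain both; any consumer that expected single-line values sees a behaviour change.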
@@ -287,8 +287,8 @@ class RPC extends Handler_Protected {
 /* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
 function catchupSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = sprintf("%d", $_REQUEST["cmode"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = sprintf("%d", clean($_REQUEST["cmode"]));
 Article::catchupArticlesById($ids, $cmode);
@@ -296,8 +296,8 @@ class RPC extends Handler_Protected {
 }
 function markSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = (int)$_REQUEST["cmode"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = (int)clean($_REQUEST["cmode"]);
 $this->markArticlesById($ids, $cmode);
@@ -305,8 +305,8 @@ class RPC extends Handler_Protected {
 }
 function publishSelected() {
- $ids = explode(",", $_REQUEST["ids"]);
- $cmode = (int)$_REQUEST["cmode"];
+ $ids = explode(",", clean($_REQUEST["ids"]));
+ $cmode = (int)clean($_REQUEST["cmode"]);
 $this->publishArticlesById($ids, $cmode);
@@ -314,10 +314,10 @@ class RPC extends Handler_Protected {
 }
 function sanityCheck() {
- $_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true";
- $_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true";
- $_SESSION["hasMp3"] = $_REQUEST["hasMp3"] === "true";
- $_SESSION["clientTzOffset"] = $_REQUEST["clientTzOffset"];
+ $_SESSION["hasAudio"] = clean($_REQUEST["hasAudio"]) === "true";
+ $_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
+ $_SESSION["hasMp3"] = clean($_REQUEST["hasMp3"]) === "true";
+ $_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
 $reply = array();
@@ -332,7 +332,7 @@ class RPC extends Handler_Protected {
 }
 function completeLabels() {
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
 $sth = $this->pdo->prepare("SELECT DISTINCT caption FROM ttrss_labels2
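Review bot: In sanityCheck() `$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);` stores the raw request string in the session, whereas the three flags above it are reduced to booleans. If the offset is consumed as a number, which the name suggests but the consumer is not visible here, `$_SESSION["clientTzOffset"] = (int) clean($_REQUEST["clientTzOffset"]);` pins the type the same way last_article_id and cmode are handled in this file and keeps arbitrary strings out of the session.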
@@ -351,9 +351,9 @@ class RPC extends Handler_Protected {
 function updateFeedBrowser() {
 if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
- $search = $_REQUEST["search"];
- $limit = $_REQUEST["limit"];
- $mode = (int) $_REQUEST["mode"];
+ $search = clean($_REQUEST["search"]);
+ $limit = clean($_REQUEST["limit"]);
+ $mode = (int) clean($_REQUEST["mode"]);
 require_once "feedbrowser.php";
@@ -365,8 +365,8 @@ class RPC extends Handler_Protected {
 // Silent
 function massSubscribe() {
- $payload = json_decode($_REQUEST["payload"], false);
- $mode = $_REQUEST["mode"];
+ $payload = json_decode(clean($_REQUEST["payload"]), false);
+ $mode = clean($_REQUEST["mode"]);
 if (!$payload || !is_array($payload)) return;
@@ -417,11 +417,11 @@ class RPC extends Handler_Protected {
 }
 function catchupFeed() {
- $feed_id = $_REQUEST['feed_id'];
- $is_cat = $_REQUEST['is_cat'] == "true";
- $mode = $_REQUEST['mode'];
- $search_query = $_REQUEST['search_query'];
- $search_lang = $_REQUEST['search_lang'];
+ $feed_id = clean($_REQUEST['feed_id']);
+ $is_cat = clean($_REQUEST['is_cat']) == "true";
+ $mode = clean($_REQUEST['mode']);
+ $search_query = clean($_REQUEST['search_query']);
+ $search_lang = clean($_REQUEST['search_lang']);
 Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]);
@@ -429,7 +429,7 @@ class RPC extends Handler_Protected {
 }
 function setpanelmode() {
- $wide = (int) $_REQUEST["wide"];
+ $wide = (int) clean($_REQUEST["wide"]);
 setcookie("ttrss_widescreen", $wide, time() + COOKIE_LIFETIME_LONG);
@@ -566,7 +566,7 @@ class RPC extends Handler_Protected {
 }
 function getlinktitlebyid() {
- $id = $_REQUEST['id'];
+ $id = clean($_REQUEST['id']);
 $sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries WHERE ref_id = ? AND ref_id = id AND owner_uid = ?");
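Review bot: In updateFeedBrowser() `$limit = clean($_REQUEST["limit"]);` stays a string while `$mode` on the next line is cast to int; a limit is numeric, so `$limit = (int) clean($_REQUEST["limit"]);` is consistent with the rest of the method and stops it depending on strip_tags() for a count. The same pattern applies to the json payload in massSubscribe() in the next hunk, where strip_tags() runs on the encoded JSON before json_decode() and can truncate it at an unclosed `<`, the same issue raised for the filter rules in pref/filters.php. Where $limit is consumed (feedbrowser.php) is not visible here.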
@@ -583,10 +583,10 @@ class RPC extends Handler_Protected {
 }
 function log() {
- $msg = $_REQUEST['msg'];
- $file = basename($_REQUEST['file']);
- $line = (int) $_REQUEST['line'];
- $context = $_REQUEST['context'];
+ $msg = clean($_REQUEST['msg']);
+ $file = basename(clean($_REQUEST['file']));
+ $line = (int) clean($_REQUEST['line']);
+ $context = clean($_REQUEST['context']);
 if ($msg) {
 Logger::get()->log_error(E_USER_WARNING,
diff --git a/classes/rssutils.php b/classes/rssutils.php
index bd599147..b5ff63d3 100644
--- a/classes/rssutils.php
+++ b/classes/rssutils.php
@@ -304,7 +304,7 @@ class RSSUtils {
 */
 static function update_rss_feed($feed, $no_cache = false) {
- $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || $_REQUEST['xdebug'];
+ $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || clean($_REQUEST['xdebug']);
 _debug_suppress(!$debug_enabled);
 _debug("start", $debug_enabled);
@@ -591,7 +591,7 @@ class RSSUtils {
 foreach ($items as $item) {
 $pdo->beginTransaction();
- if ($_REQUEST['xdebug'] == 3) {
+ if (clean($_REQUEST['xdebug']) == 3) {
 print_r($item);
 }
@@ -640,7 +640,7 @@ class RSSUtils {
 $entry_content = $item->get_content();
 if (!$entry_content) $entry_content = $item->get_description();
- if ($_REQUEST["xdebug"] == 2) {
+ if (clean($_REQUEST["xdebug"]) == 2) {
 print "content: ";
 print htmlspecialchars($entry_content);
 print "\n";
@@ -749,7 +749,7 @@ class RSSUtils {
 $entry_plugin_data .= mb_strtolower(get_class($plugin)) . ",";
 }
- if ($_REQUEST["xdebug"] == 2) {
+ if (clean($_REQUEST["xdebug"]) == 2) {
 print "processed content: ";
 print htmlspecialchars($article["content"]);
 print "\n";
diff --git a/include/functions.php b/include/functions.php
index 417abfbb..0fd8ef61 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -725,6 +725,17 @@
 }
 }
+ // this is used for user http parameters unless HTML code is actually needed
+ function clean($param) {
+ if (is_array($param)) {
+ return array_map(strip_tags, $param);
+ } else if (is_string($param)) {
+ return strip_tags($param);
+ } else {
+ return $param;
+ }
+ }
+
 function make_password($length = 8) {
 $password = "";
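Review bot: `return array_map(strip_tags, $param);` passes the bare name strip_tags, which PHP 7 treats as an undefined constant (a notice or warning, then a fallback to the string "strip_tags") and PHP 8 rejects with an Error, so every array-valued parameter will fail on newer PHP. Nested arrays are also not covered, since strip_tags() does not accept a sub-array. Recursing through clean() itself fixes both in one line: `return array_map('clean', $param);`. The leading comment could also state the contract, e.g. `// strip_tags() for strings and, recursively, for arrays; other scalars and null are returned unchanged`.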