psalm fixes; make safepost()/safeget() return strings

2024-09-19 19:22:14 +02:00 · 2020-11-09 21:40:52 +00:00 · 2020-11-09 21:40:52 +00:00 · 750838d7f7
commit 750838d7f7
parent 4712d83c98
15 changed files with 83 additions and 30 deletions
--- a/config.inc.php
+++ b/config.inc.php
@ -228,6 +228,15 @@ $CONF['password_validation'] = array(
    '/.{5}/'                => 'password_too_short 5',      # minimum length 5 characters
    '/([a-zA-Z].*){3}/'     => 'password_no_characters 3',  # must contain at least 3 characters
    '/([0-9].*){2}/'        => 'password_no_digits 2',      # must contain at least 2 digits
+
+    /*  support a 'callable' value which if it returns a non-empty string will be assumed to have failed. */
+
+    /**
+     * 'any-key' =>  function($password) { 
+     *                   if ( rand(0, 5) == 0 ) { return 'password_too_short'; } 
+     *                   // add some remote api check here ... or whatever 
+     *               },
+     */
 );

 // Generate Password
--- a/functions.inc.php
+++ b/functions.inc.php
@ -361,12 +361,12 @@ function escape_string($string_or_int) {
 *  $param = safeget('param', 'default')
 *
 * @param string $param parameter name.
- * @param string|array $default (optional) - default value if key is not set.
- * @return string|array
+ * @param string $default (optional) - default value if key is not set.
+ * @return string
 */
 function safeget($param, $default = "") {
    $retval = $default;
-    if (isset($_GET[$param])) {
+    if (isset($_GET[$param]) && is_string($_GET[$param])) {
        $retval = $_GET[$param];
    }
    return $retval;
@ -377,11 +377,11 @@ function safeget($param, $default = "") {
 * @see safeget()
 * @param string $param parameter name
 * @param string $default (optional) default value (defaults to "")
- * @return string|array - value in $_POST[$param] or $default
+ * @return string - value in $_POST[$param] or $default
 */
 function safepost($param, $default = "") {
    $retval = $default;
-    if (isset($_POST[$param])) {
+    if (isset($_POST[$param]) && is_string($_POST[$param])) {
        $retval = $_POST[$param];
    }
    return $retval;
@ -411,7 +411,7 @@ function safeserver($param, $default = "") {
 */
 function safecookie($param, $default = "") {
    $retval = $default;
-    if (isset($_COOKIE[$param])) {
+    if (isset($_COOKIE[$param]) && is_string($_COOKIE[$param])) {
        $retval = $_COOKIE[$param];
    }
    return $retval;
@ -426,7 +426,7 @@ function safecookie($param, $default = "") {
 */
 function safesession($param, $default = "") {
    $retval = $default;
-    if (isset($_SESSION[$param])) {
+    if (isset($_SESSION[$param]) && is_string($_SESSION[$param])) {
        $retval = $_SESSION[$param];
    }
    return $retval;
--- a/public/backup.php
+++ b/public/backup.php
@ -29,6 +29,8 @@ $smarty = PFASmarty::getInstance();

 (($CONF['backup'] == 'NO') ? header("Location: main.php") && exit : '1');

+$version = Config::read_string('version');
+
 // TODO: make backup supported for postgres
 if (db_pgsql()) {
    flash_error('Sorry: Backup is currently not supported for your DBMS ('.$CONF['database_type'].').');
@ -115,7 +117,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
                $fields = array_keys($row);
                $values = array_values($row);
                $values = array_map(function ($str) {
-                    return escape_string($str);
+                    return escape_string((string) $str);
                }, $values);

                fwrite($fh, "INSERT INTO ". $tables[$i] . " (". implode(',', $fields) . ") VALUES ('" . implode('\',\'', $values) . "');\n");
--- a/public/delete.php
+++ b/public/delete.php
@ -29,6 +29,10 @@ $username = authentication_get_username(); # enforce login
 $id    = safepost('delete');
 $table = safepost('table');

+if (empty($table)) {
+    die('Invalid call');
+}
+
 $handlerclass = ucfirst($table) . 'Handler';

 if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
--- a/public/edit.php
+++ b/public/edit.php
@ -29,9 +29,11 @@ $smarty = PFASmarty::getInstance();
 $username = authentication_get_username(); # enforce login

 $table = safepost('table', safeget('table'));
-if (!is_string($table)) {
+
+if (empty($table)) {
    die("Invalid table name given!");
 }
+
 $handlerclass = ucfirst($table) . 'Handler';

 if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
@ -103,7 +105,12 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (safepost('token') != $_SESSION['PFA_token']) {
        die('Invalid token!');
    }
-    $inp_values = safepost('value', array());
+
+    $inp_values = [];
+
+    if (isset($_POST['value']) && is_array($_POST['value'])) {
+        $inp_values = $_POST['value'];
+    }

    foreach ($form_fields as $key => $field) {
        if ($field['editable'] && $field['display_in_form']) {
--- a/public/editactive.php
+++ b/public/editactive.php
@ -25,10 +25,14 @@ if (safeget('token') != $_SESSION['PFA_token']) {

 $username = authentication_get_username(); # enforce login

-$id     = safeget('id');
-$table  = safeget('table');
+$id = safeget('id');
+$table = safeget('table');
 $active = safeget('active');

+if (empty($table)) {
+    die("Invalid table name given");
+}
+
 $handlerclass = ucfirst($table) . 'Handler';

 if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
--- a/public/list-virtual.php
+++ b/public/list-virtual.php
@ -41,7 +41,14 @@ if (safesession('list-virtual:domain') != $fDomain) {
    unset($_SESSION['list-virtual:limit']);
 }
 $fDisplay = (int) safepost('limit', safeget('limit', safesession('list-virtual:limit')));
-$search   = safepost('search', safeget('search', array())); # not remembered in the session
+$search   = null;
+
+if (isset($_POST['search']) && is_array($_POST['search'])) {
+    $search = $_POST['search'];
+} elseif (isset($_GET['search']) && is_array($_GET['search'])) {
+    $search = $_GET['search'];
+}
+
 if (!is_array($search)) {
    die(Config::Lang('invalid_parameter'));
 }
@ -62,7 +69,7 @@ if ((is_array($list_domains) and sizeof($list_domains) > 0)) {
    }
 }

-if (!is_string($fDomain)) {
+if (empty($fDomain)) {
    die(Config::Lang('invalid_parameter'));
 }

--- a/public/list.php
+++ b/public/list.php
@ -26,9 +26,10 @@ $smarty = PFASmarty::getInstance();

 $table = safeget('table');

-if (!is_string($table)) {
-    die("table parameter must be a string");
+if (empty($table)) {
+    die("table parameter missing or invalid.");
 }
+
 $handlerclass = ucfirst($table) . 'Handler';

 if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
@ -62,18 +63,25 @@ if ($is_admin) {
    }
 }

-$search     = safeget('search', safesession("search_$table", array()));
-$searchmode = safeget('searchmode', safesession("searchmode_$table", array()));
-
-if (!is_array($search) || !is_array($searchmode)) {
-    # avoid injection of raw SQL if $search is a string instead of an array
-    die("Invalid parameter");
+$search = [];
+$searchmode = [];
+if (isset($_GET['search']) && is_array($_GET['search'])) {
+    $search = $_GET['search'];
+} elseif (isset($_SESSION["search_$table"]) && is_array($_SESSION["search_$table"])) {
+    $search = $_SESSION["search_$table"];
 }

-if (safeget('reset_search', 0)) {
+if (isset($_GET['searchmode']) && is_array($_GET['searchmode'])) {
+    $searchmode = $_GET['searchmode'];
+} elseif (isset($_SESSION["searchmode_$table"]) && is_array($_SESSION["searchmode_$table"])) {
+    $searchmode = $_SESSION["searchmode_$table"];
+}
+
+if (array_key_exists('reset_search', $_GET)) {
    $search = array();
    $searchmode = array();
 }
+
 $_SESSION["search_$table"] = $search;
 $_SESSION["searchmode_$table"] = $searchmode;

@ -97,7 +105,7 @@ if (count($handler->infomsg)) {
 if (safeget('output') == 'csv') {
    $out = fopen('php://output', 'w');
    header('Content-Type: text/csv; charset=utf-8');
-    header('Content-Disposition: attachment;filename='.$table.'.csv');
+    header('Content-Disposition: attachment;filename=' . $table . '.csv');
    print "\xEF\xBB\xBF"; # utf8 byte-order to indicate the file is utf8 encoded
    print "\n";

--- a/public/login.php
+++ b/public/login.php
@ -91,7 +91,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
    session_start();
 }

-$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+$_SESSION['PFA_token'] = md5(uniqid("pfa" . rand(), true));

 $smarty->assign('language_selector', language_selector(), false);
 $smarty->assign('smarty_template', 'login');
--- a/public/users/edit-alias.php
+++ b/public/users/edit-alias.php
@ -20,6 +20,9 @@

 $rel_path = '../';
 require_once('../common.php');
+
+$smarty = PFASmarty::getInstance();
+
 $smarty->assign('smarty_template', 'users_edit-alias');

 authentication_require_role('user');
--- a/public/users/login.php
+++ b/public/users/login.php
@ -30,6 +30,8 @@
 $rel_path = '../';
 require_once("../common.php");

+$smarty = PFASmarty::getInstance();
+
 check_db_version(); # check if the database layout is up to date (and error out if not)

 if ($_SERVER['REQUEST_METHOD'] == "POST") {
@ -63,7 +65,7 @@ session_unset();
 session_destroy();
 session_start();

-$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+$_SESSION['PFA_token'] = md5(uniqid('pfa'  . rand(), true));

 $smarty->assign('language_selector', language_selector(), false);
 $smarty->assign('smarty_template', 'login');
--- a/public/users/main.php
+++ b/public/users/main.php
@ -27,6 +27,8 @@ require_once('../common.php');
 authentication_require_role('user');
 $USERID_USERNAME = authentication_get_username();

+$smarty = PFASmarty::getInstance();
+
 $vh = new VacationHandler($USERID_USERNAME);
 if ($vh->check_vacation()) {
    $tummVacationtext = $PALANG['pUsersMain_vacationSet'];
--- a/public/users/password-recover.php
+++ b/public/users/password-recover.php
@ -25,6 +25,8 @@
 */


+$smarty = PFASmarty::getInstance();
+
 /* if in .../users, we need to load a different common.php; not this file is symlinked with public/ */
 if (preg_match('/\/users\//', $_SERVER['REQUEST_URI'])) {
    $rel_path = '../';
@ -65,8 +67,8 @@ function sendCodebySMS($to, $username, $code) {
 if ($_SERVER['REQUEST_METHOD'] === "POST") {
    $start_time = microtime(true);

-    $username = safepost('fUsername', null);
-    if (empty($username) || !is_string($username)) {
+    $username = safepost('fUsername');
+    if (empty($username)) {
        die("fUsername field required");
    }

--- a/public/users/password.php
+++ b/public/users/password.php
@ -35,6 +35,8 @@ $username = authentication_get_username();
 $pPassword_password_text = "";
 $pPassword_password_current_text = "";

+$smarty = PFASmarty::getInstance();
+
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (safepost('token') != $_SESSION['PFA_token']) {
        die('Invalid token!');
--- a/public/vacation.php
+++ b/public/vacation.php
@ -73,7 +73,7 @@ $error = 0;

 $vh = new VacationHandler($fUsername);

-$choice_of_reply = Config::read('vacation_choice_of_reply');
+$choice_of_reply = Config::read_array('vacation_choice_of_reply');
 foreach (array_keys($choice_of_reply) as $key) {
    $choice_of_reply[$key] = Config::Lang($choice_of_reply[$key]);
 }
@ -82,6 +82,7 @@ $tUseremail = null;
 $tInterval_Time = null;
 $tBody = null;
 $tSubject = null;
+$details = ['active' => 0];

 if ($_SERVER['REQUEST_METHOD'] == "GET") {
    $tSubject = '';
@ -92,7 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
    $tInterval_Time = '';

    $details = $vh->get_details();
-    if ($details != false) {
+    if (is_array($details )) {
        $tSubject = $details['subject'];
        $tBody = $details['body'];
        $tInterval_Time = $details['interval_time'];