psalm fixes; make safepost()/safeget() return strings
This commit is contained in:
parent
4712d83c98
commit
750838d7f7
@ -228,6 +228,15 @@ $CONF['password_validation'] = array(
|
||||
'/.{5}/' => 'password_too_short 5', # minimum length 5 characters
|
||||
'/([a-zA-Z].*){3}/' => 'password_no_characters 3', # must contain at least 3 characters
|
||||
'/([0-9].*){2}/' => 'password_no_digits 2', # must contain at least 2 digits
|
||||
|
||||
/* support a 'callable' value which if it returns a non-empty string will be assumed to have failed. */
|
||||
|
||||
/**
|
||||
* 'any-key' => function($password) {
|
||||
* if ( rand(0, 5) == 0 ) { return 'password_too_short'; }
|
||||
* // add some remote api check here ... or whatever
|
||||
* },
|
||||
*/
|
||||
);
|
||||
|
||||
// Generate Password
|
||||
|
@ -361,12 +361,12 @@ function escape_string($string_or_int) {
|
||||
* $param = safeget('param', 'default')
|
||||
*
|
||||
* @param string $param parameter name.
|
||||
* @param string|array $default (optional) - default value if key is not set.
|
||||
* @return string|array
|
||||
* @param string $default (optional) - default value if key is not set.
|
||||
* @return string
|
||||
*/
|
||||
function safeget($param, $default = "") {
|
||||
$retval = $default;
|
||||
if (isset($_GET[$param])) {
|
||||
if (isset($_GET[$param]) && is_string($_GET[$param])) {
|
||||
$retval = $_GET[$param];
|
||||
}
|
||||
return $retval;
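Review bot: The docblock now promises `@return string`, but the signature stays untyped and `$default` is returned untouched, so a caller that still passes a non-string default (for example `safeget('x', [])`) gets that array back and psalm cannot flag it at the call site. Since this commit converts the array-default callers, add native types so the contract is enforced: `function safeget(string $param, string $default = ""): string {`. The same applies to safepost, safecookie and safesession in the three hunks that follow. The `isset() && is_string()` guard itself is the right shape: an array-valued query parameter is now dropped instead of being handed on to string code.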
|
||||
@ -377,11 +377,11 @@ function safeget($param, $default = "") {
|
||||
* @see safeget()
|
||||
* @param string $param parameter name
|
||||
* @param string $default (optional) default value (defaults to "")
|
||||
* @return string|array - value in $_POST[$param] or $default
|
||||
* @return string - value in $_POST[$param] or $default
|
||||
*/
|
||||
function safepost($param, $default = "") {
|
||||
$retval = $default;
|
||||
if (isset($_POST[$param])) {
|
||||
if (isset($_POST[$param]) && is_string($_POST[$param])) {
|
||||
$retval = $_POST[$param];
|
||||
}
|
||||
return $retval;
|
||||
@ -411,7 +411,7 @@ function safeserver($param, $default = "") {
|
||||
*/
|
||||
function safecookie($param, $default = "") {
|
||||
$retval = $default;
|
||||
if (isset($_COOKIE[$param])) {
|
||||
if (isset($_COOKIE[$param]) && is_string($_COOKIE[$param])) {
|
||||
$retval = $_COOKIE[$param];
|
||||
}
|
||||
return $retval;
|
||||
@ -426,7 +426,7 @@ function safecookie($param, $default = "") {
|
||||
*/
|
||||
function safesession($param, $default = "") {
|
||||
$retval = $default;
|
||||
if (isset($_SESSION[$param])) {
|
||||
if (isset($_SESSION[$param]) && is_string($_SESSION[$param])) {
|
||||
$retval = $_SESSION[$param];
|
||||
}
|
||||
return $retval;
|
||||
|
@ -29,6 +29,8 @@ $smarty = PFASmarty::getInstance();
|
||||
|
||||
(($CONF['backup'] == 'NO') ? header("Location: main.php") && exit : '1');
|
||||
|
||||
$version = Config::read_string('version');
|
||||
|
||||
// TODO: make backup supported for postgres
|
||||
if (db_pgsql()) {
|
||||
flash_error('Sorry: Backup is currently not supported for your DBMS ('.$CONF['database_type'].').');
|
||||
@ -115,7 +117,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||
$fields = array_keys($row);
|
||||
$values = array_values($row);
|
||||
$values = array_map(function ($str) {
|
||||
return escape_string($str);
|
||||
return escape_string((string) $str);
|
||||
}, $values);
|
||||
|
||||
fwrite($fh, "INSERT INTO ". $tables[$i] . " (". implode(',', $fields) . ") VALUES ('" . implode('\',\'', $values) . "');\n");
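Review bot: The `(string)` cast folds NULL and false column values into `''` before escaping, and the INSERT below wraps every value in quotes, so a NULL cell is written as `''` and restored as an empty string rather than NULL. That may already have been the effective behaviour if escape_string() stringified null itself, but the cast now makes it explicit. If NULL fidelity matters for the backup, emit the literal `NULL` for null values in the callback and move the quoting into it instead of around the implode; otherwise document the limitation above the map: `// NOTE: NULL/false are dumped as '' (cast + quoting below); a restore will not reproduce NULLs`.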
|
||||
|
@ -29,6 +29,10 @@ $username = authentication_get_username(); # enforce login
|
||||
$id = safepost('delete');
|
||||
$table = safepost('table');
|
||||
|
||||
if (empty($table)) {
|
||||
die('Invalid call');
|
||||
}
|
||||
|
||||
$handlerclass = ucfirst($table) . 'Handler';
|
||||
|
||||
if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
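Review bot: `empty($table)` also rejects the literal string `'0'`, which is stricter than the `$table === ''` check that the now string-returning safepost() calls for; it is harmless here only because the `preg_match('/^[a-z]+$/', $table)` validation below rejects digits anyway. `if ($table === '') {` states the intent directly and does not rely on the later regex. The same `empty()` guard is introduced in edit.php, editactive.php, list-virtual.php (`$fDomain`) and list.php in this commit.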
|
||||
|
@ -29,9 +29,11 @@ $smarty = PFASmarty::getInstance();
|
||||
$username = authentication_get_username(); # enforce login
|
||||
|
||||
$table = safepost('table', safeget('table'));
|
||||
if (!is_string($table)) {
|
||||
|
||||
if (empty($table)) {
|
||||
die("Invalid table name given!");
|
||||
}
|
||||
|
||||
$handlerclass = ucfirst($table) . 'Handler';
|
||||
|
||||
if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
|
||||
@ -103,7 +105,12 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||
if (safepost('token') != $_SESSION['PFA_token']) {
|
||||
die('Invalid token!');
|
||||
}
|
||||
$inp_values = safepost('value', array());
|
||||
|
||||
$inp_values = [];
|
||||
|
||||
if (isset($_POST['value']) && is_array($_POST['value'])) {
|
||||
$inp_values = $_POST['value'];
|
||||
}
|
||||
|
||||
foreach ($form_fields as $key => $field) {
|
||||
if ($field['editable'] && $field['display_in_form']) {
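Review bot: The `isset($_POST['value']) && is_array($_POST['value'])` block is one of three copies of the same idiom in this commit (list-virtual.php and list.php repeat it for `search` and `searchmode`), so a small helper next to safepost() would keep the raw superglobal access in one place and make the array/string distinction explicit for psalm: `function safepost_array(string $param, array $default = []): array`. Only the outer value is checked here; elements of `$inp_values` can themselves be arrays, and whether the loop below copes with that depends on how the field values are consumed, which is outside the hunk.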
|
||||
|
@ -25,10 +25,14 @@ if (safeget('token') != $_SESSION['PFA_token']) {
|
||||
|
||||
$username = authentication_get_username(); # enforce login
|
||||
|
||||
$id = safeget('id');
|
||||
$table = safeget('table');
|
||||
$id = safeget('id');
|
||||
$table = safeget('table');
|
||||
$active = safeget('active');
|
||||
|
||||
if (empty($table)) {
|
||||
die("Invalid table name given");
|
||||
}
|
||||
|
||||
$handlerclass = ucfirst($table) . 'Handler';
|
||||
|
||||
if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
|
||||
|
@ -41,7 +41,14 @@ if (safesession('list-virtual:domain') != $fDomain) {
|
||||
unset($_SESSION['list-virtual:limit']);
|
||||
}
|
||||
$fDisplay = (int) safepost('limit', safeget('limit', safesession('list-virtual:limit')));
|
||||
$search = safepost('search', safeget('search', array())); # not remembered in the session
|
||||
$search = null;
|
||||
|
||||
if (isset($_POST['search']) && is_array($_POST['search'])) {
|
||||
$search = $_POST['search'];
|
||||
} elseif (isset($_GET['search']) && is_array($_GET['search'])) {
|
||||
$search = $_GET['search'];
|
||||
}
|
||||
|
||||
if (!is_array($search)) {
|
||||
die(Config::Lang('invalid_parameter'));
|
||||
}
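Review bot: `$search = null;` combined with the existing `if (!is_array($search)) die(...)` makes every request that carries no `search` array — including a plain GET of the listing — terminate with invalid_parameter, whereas the removed `safeget('search', array())` fell back to an empty array. Initialise with `$search = [];` so an absent parameter keeps meaning "no filter"; the `is_array` guard then only matters if a later assignment outside this hunk produces a non-array. If every entry point into this page is known to send a `search` array the change is harmless, but nothing in the hunk shows that.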
|
||||
@ -62,7 +69,7 @@ if ((is_array($list_domains) and sizeof($list_domains) > 0)) {
|
||||
}
|
||||
}
|
||||
|
||||
if (!is_string($fDomain)) {
|
||||
if (empty($fDomain)) {
|
||||
die(Config::Lang('invalid_parameter'));
|
||||
}
|
||||
|
||||
|
@ -26,9 +26,10 @@ $smarty = PFASmarty::getInstance();
|
||||
|
||||
$table = safeget('table');
|
||||
|
||||
if (!is_string($table)) {
|
||||
die("table parameter must be a string");
|
||||
if (empty($table)) {
|
||||
die("table parameter missing or invalid.");
|
||||
}
|
||||
|
||||
$handlerclass = ucfirst($table) . 'Handler';
|
||||
|
||||
if (!preg_match('/^[a-z]+$/', $table) || !file_exists(dirname(__FILE__) . "/../model/$handlerclass.php")) { # validate $table
|
||||
@ -62,18 +63,25 @@ if ($is_admin) {
|
||||
}
|
||||
}
|
||||
|
||||
$search = safeget('search', safesession("search_$table", array()));
|
||||
$searchmode = safeget('searchmode', safesession("searchmode_$table", array()));
|
||||
|
||||
if (!is_array($search) || !is_array($searchmode)) {
|
||||
# avoid injection of raw SQL if $search is a string instead of an array
|
||||
die("Invalid parameter");
|
||||
$search = [];
|
||||
$searchmode = [];
|
||||
if (isset($_GET['search']) && is_array($_GET['search'])) {
|
||||
$search = $_GET['search'];
|
||||
} elseif (isset($_SESSION["search_$table"]) && is_array($_SESSION["search_$table"])) {
|
||||
$search = $_SESSION["search_$table"];
|
||||
}
|
||||
|
||||
if (safeget('reset_search', 0)) {
|
||||
if (isset($_GET['searchmode']) && is_array($_GET['searchmode'])) {
|
||||
$searchmode = $_GET['searchmode'];
|
||||
} elseif (isset($_SESSION["searchmode_$table"]) && is_array($_SESSION["searchmode_$table"])) {
|
||||
$searchmode = $_SESSION["searchmode_$table"];
|
||||
}
|
||||
|
||||
if (array_key_exists('reset_search', $_GET)) {
|
||||
$search = array();
|
||||
$searchmode = array();
|
||||
}
|
||||
|
||||
$_SESSION["search_$table"] = $search;
|
||||
$_SESSION["searchmode_$table"] = $searchmode;
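Review bot: The `# avoid injection of raw SQL if $search is a string instead of an array` comment disappears together with its `die("Invalid parameter")`; silently falling back to `[]` when `search`/`searchmode` arrive as strings is acceptable, but the reason the array shape matters for the SQL built from these values should survive as a comment on the new `is_array` checks, e.g. `# only accept arrays: $search/$searchmode feed the query builder, a bare string must not reach it`. Separately, `array_key_exists('reset_search', $_GET)` now resets on `?reset_search=0` as well, where the old `safeget('reset_search', 0)` treated `'0'` as no reset — presumably intended, but worth a word in the commit message. The nested values inside `$search` and `$searchmode` are still stored in the session unchecked; what consumes them is outside the hunk.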
|
||||
|
||||
@ -97,7 +105,7 @@ if (count($handler->infomsg)) {
|
||||
if (safeget('output') == 'csv') {
|
||||
$out = fopen('php://output', 'w');
|
||||
header('Content-Type: text/csv; charset=utf-8');
|
||||
header('Content-Disposition: attachment;filename='.$table.'.csv');
|
||||
header('Content-Disposition: attachment;filename=' . $table . '.csv');
|
||||
print "\xEF\xBB\xBF"; # utf8 byte-order to indicate the file is utf8 encoded
|
||||
print "\n";
|
||||
|
||||
|
@ -91,7 +91,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||
session_start();
|
||||
}
|
||||
|
||||
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
|
||||
$_SESSION['PFA_token'] = md5(uniqid("pfa" . rand(), true));
|
||||
|
||||
$smarty->assign('language_selector', language_selector(), false);
|
||||
$smarty->assign('smarty_template', 'login');
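Review bot: The CSRF token is still `md5(uniqid(... rand() ...))`; the added `"pfa"` prefix only satisfies the psalm type complaint, while `uniqid()` is time-derived and `rand()` is not a CSPRNG, so the token's unpredictability rests on weak sources. `$_SESSION['PFA_token'] = bin2hex(random_bytes(16));` yields a 128-bit token from the system CSPRNG with the same hex shape and no dependency on the clock, and the comparison sites (edit.php uses a loose `safepost('token') != $_SESSION['PFA_token']`) should use `hash_equals()`. The same line is changed in users/login.php further down in this commit.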
|
||||
|
@ -20,6 +20,9 @@
|
||||
|
||||
$rel_path = '../';
|
||||
require_once('../common.php');
|
||||
|
||||
$smarty = PFASmarty::getInstance();
|
||||
|
||||
$smarty->assign('smarty_template', 'users_edit-alias');
|
||||
|
||||
authentication_require_role('user');
|
||||
|
@ -30,6 +30,8 @@
|
||||
$rel_path = '../';
|
||||
require_once("../common.php");
|
||||
|
||||
$smarty = PFASmarty::getInstance();
|
||||
|
||||
check_db_version(); # check if the database layout is up to date (and error out if not)
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||
@ -63,7 +65,7 @@ session_unset();
|
||||
session_destroy();
|
||||
session_start();
|
||||
|
||||
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
|
||||
$_SESSION['PFA_token'] = md5(uniqid('pfa' . rand(), true));
|
||||
|
||||
$smarty->assign('language_selector', language_selector(), false);
|
||||
$smarty->assign('smarty_template', 'login');
|
||||
|
@ -27,6 +27,8 @@ require_once('../common.php');
|
||||
authentication_require_role('user');
|
||||
$USERID_USERNAME = authentication_get_username();
|
||||
|
||||
$smarty = PFASmarty::getInstance();
|
||||
|
||||
$vh = new VacationHandler($USERID_USERNAME);
|
||||
if ($vh->check_vacation()) {
|
||||
$tummVacationtext = $PALANG['pUsersMain_vacationSet'];
|
||||
|
@ -25,6 +25,8 @@
|
||||
*/
|
||||
|
||||
|
||||
$smarty = PFASmarty::getInstance();
|
||||
|
||||
/* if in .../users, we need to load a different common.php; not this file is symlinked with public/ */
|
||||
if (preg_match('/\/users\//', $_SERVER['REQUEST_URI'])) {
|
||||
$rel_path = '../';
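Review bot: `$smarty = PFASmarty::getInstance();` is inserted above the block that, per the comment, chooses `$rel_path` and loads common.php; unless something above this hunk already makes the PFASmarty class available, the call executes before the include that defines it and fails with an undefined class. The require itself lies outside the hunk, so this is inferred from the comment and the ordering. The other files in this commit place the assignment directly after `require_once('../common.php');`; doing the same here, below the if/else, would be consistent and safe.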
|
||||
@ -65,8 +67,8 @@ function sendCodebySMS($to, $username, $code) {
|
||||
if ($_SERVER['REQUEST_METHOD'] === "POST") {
|
||||
$start_time = microtime(true);
|
||||
|
||||
$username = safepost('fUsername', null);
|
||||
if (empty($username) || !is_string($username)) {
|
||||
$username = safepost('fUsername');
|
||||
if (empty($username)) {
|
||||
die("fUsername field required");
|
||||
}
|
||||
|
||||
|
@ -35,6 +35,8 @@ $username = authentication_get_username();
|
||||
$pPassword_password_text = "";
|
||||
$pPassword_password_current_text = "";
|
||||
|
||||
$smarty = PFASmarty::getInstance();
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||
if (safepost('token') != $_SESSION['PFA_token']) {
|
||||
die('Invalid token!');
|
||||
|
@ -73,7 +73,7 @@ $error = 0;
|
||||
|
||||
$vh = new VacationHandler($fUsername);
|
||||
|
||||
$choice_of_reply = Config::read('vacation_choice_of_reply');
|
||||
$choice_of_reply = Config::read_array('vacation_choice_of_reply');
|
||||
foreach (array_keys($choice_of_reply) as $key) {
|
||||
$choice_of_reply[$key] = Config::Lang($choice_of_reply[$key]);
|
||||
}
|
||||
@ -82,6 +82,7 @@ $tUseremail = null;
|
||||
$tInterval_Time = null;
|
||||
$tBody = null;
|
||||
$tSubject = null;
|
||||
$details = ['active' => 0];
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||
$tSubject = '';
|
||||
@ -92,7 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||
$tInterval_Time = '';
|
||||
|
||||
$details = $vh->get_details();
|
||||
if ($details != false) {
|
||||
if (is_array($details )) {
|
||||
$tSubject = $details['subject'];
|
||||
$tBody = $details['body'];
|
||||
$tInterval_Time = $details['interval_time'];
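Review bot: `is_array($details )` carries a stray space before the closing parenthesis; `if (is_array($details)) {`. Note also that the `$details = ['active' => 0]` default introduced earlier in this file is overwritten by `$details = $vh->get_details();` two lines above this check, so if get_details() returns false the later readers of `$details` (outside the hunk) see false rather than the default — presumably the situation the default was meant to cover; restoring the default in an `else` branch here would close that gap.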
|
||||
|