From 84eaf1b49536425061f57fdb400f04a9cf8d0e75 Mon Sep 17 00:00:00 2001 From: OpenXE <> Date: Fri, 16 Dec 2022 14:40:19 +0000 Subject: [PATCH] Modified GetPOSTArray and GetGETArray, because keys were not filled in --- phpwf/plugins/class.secure.php | 678 +++++++++++++++++---------------- 1 file changed, 341 insertions(+), 337 deletions(-) diff --git a/phpwf/plugins/class.secure.php b/phpwf/plugins/class.secure.php index 3c252cfa..1da04a77 100644 --- a/phpwf/plugins/class.secure.php +++ b/phpwf/plugins/class.secure.php 
@@ -1,340 +1,344 @@ -app = $app; - // clear global variables, that everybody have to go over secure layer - $this->GET = $_GET; - if(isset($this->GET['msgs']) && isset($this->app->Location)) { - $this->GET['msg'] = $this->app->Location->getMessage($this->GET['msgs']); - } - // $_GET=""; - $this->POST = $_POST; - // $_POST=""; - if(!isset($this->app->stringcleaner) && file_exists(__DIR__. '/class.stringcleaner.php')) { - if(!class_exists('StringCleaner')) { - require_once __DIR__ . '/class.stringcleaner.php'; - } - $this->app->stringcleaner = new StringCleaner($this->app); - } - - $this->AddRule('notempty','reg','.'); // at least one sign - $this->AddRule('alpha','reg','[a-zA-Z]'); - $this->AddRule('digit','reg','[0-9]'); - $this->AddRule('space','reg','[ ]'); - $this->AddRule('specialchars','reg','[_-]'); - $this->AddRule('email','reg','^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$'); - $this->AddRule('datum','reg','([0-9]{1,2})\.([0-9]{1,2})\.([0-9]{4})'); - - $this->AddRule('username','glue','alpha+digit'); - $this->AddRule('password','glue','alpha+digit+specialchars'); - } - - /** - * @param string $name - * @param null $rule - * @param string $maxlength - * @param string $sqlcheckoff - * - * @return array|mixed|string - */ - public function GetGET($name,$rule=null,$maxlength='',$sqlcheckoff='') - { - if($name === 'msg' && isset($this->app->erp) && method_exists($this, 'xss_clean')) { - $ret = $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'','',$maxlength,$sqlcheckoff); - $ret = $this->app->erp->base64_url_decode($ret); - if(strpos($ret,'"button"') === false){ - $ret = $this->xss_clean($ret); - } - - return $this->app->erp->base64_url_encode($ret); - } - if($rule === null) { - $rule = $this->NameToRule($name); - } - return $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'',$rule,$maxlength,$sqlcheckoff); - } - - function NameToRule($name) - { - switch($name) - { - case 'id': - return 'doppelid'; - break; - case 'sid': - return 
'alphadigits'; - break; - case 'module': - case 'smodule': - case 'action': - case 'saction': - return 'module'; - break; - case 'cmd': - return 'moduleminus'; - break; - } - return 'nothtml'; - } - - public function GetPOST($name,$rule=null,$maxlength="",$sqlcheckoff="") - { - if($rule === null) { - $rule = $this->NameToRule($name); - if(isset($this->POST['ishtml_cke_'.$name]) && $this->POST['ishtml_cke_'.$name]) { - $rule = 'nojs'; - } - } - - return $this->Syntax(isset($this->POST[$name])?$this->POST[$name]:'',$rule,$maxlength,$sqlcheckoff); - } - - public function GetPOSTForForms($name,$rule="",$maxlength="",$sqlcheckoff="") - { - return $this->SyntaxForForms($this->POST[$name],$rule,$maxlength,$sqlcheckoff); - } - - public function CleanString($string, $rule='nohtml',$sqlcheckoff='') - { - return $this->Syntax($string, $rule, '', $sqlcheckoff); - } - - public function xss_clean($data) - { - return $this->app->stringcleaner->xss_clean($data); - } - - public function GetPOSTArray() - { - if(!empty($this->POST) && count($this->POST)>0) - { - foreach($this->POST as $key=>$value) - { - $key = $this->GetPOST($key,"alpha+digit+specialchars",20); - $ret[$key]=$this->GetPOST($value); - } - } - if(!empty($ret)) - { - return $ret; - } - - return null; - } - - public function GetGETArray() - { - if(!empty($this->GET) && count($this->GET)>0) - { - foreach($this->GET as $key=>$value) - { - $key = $this->GetGET($key,"alpha+digit+specialchars",20); - $ret[$key]=$this->GetGET($value); - } - } - if(!empty($ret)) - { - return $ret; - } - - return null; - } - - function stripallslashes($string) { - - while(strstr($string,'\\')) { - $string = stripslashes($string); - } - return $string; - } - - public function smartstripslashes($str) { - $cd1 = substr_count($str, "\""); - $cd2 = substr_count($str, "\\\""); - $cs1 = substr_count($str, "'"); - $cs2 = substr_count($str, "\\'"); - $tmp = strtr($str, array("\\\"" => "", "\\'" => "")); - $cb1 = substr_count($tmp, "\\"); - $cb2 = 
substr_count($tmp, "\\\\"); - if ($cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) { - return strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\")); - } - return $str; - } - - public function SyntaxForForms($value,$rule,$maxlength="",$sqlcheckoff="") - { - return $value;//mysqli_real_escape_string($this->app->DB->connection,$value);//mysqli_real_escape_string($value); - } - - // check actual value with given rule - public function Syntax($value,$rule,$maxlength='',$sqlcheckoff='') - { - $striptags = false; - if(is_array($value)) - { - if($sqlcheckoff != '') - { - return $value; - } - foreach($value as $k => $v) - { - if(is_array($v)) - { - $value[$k] = $v; - }else{ - $v = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$v); - if($striptags){ - $v = $this->stripallslashes($v); - $v = $this->smartstripslashes($v); - $v = $this->app->erp->superentities($v); - } - $value[$k] = $this->app->DB->real_escape_string($v); - } - } - return $value; - } - - - $value = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$value); - - if($striptags){ - $value = $this->stripallslashes($value); - $value = $this->smartstripslashes($value); - - $value = $this->app->erp->superentities($value); - } - - if(!empty($this->app->stringcleaner)) { - if( $sqlcheckoff == '') { - return $this->app->DB->real_escape_string($this->app->stringcleaner->CleanString($value, $rule)); - } - return $this->app->stringcleaner->CleanString($value, $rule); - } - - if($rule === 'nohtml') { - if( $sqlcheckoff == '') { - return $this->app->DB->real_escape_string(strip_tags($value)); - } - - return strip_tags($value); - - } - if($rule === 'nojs') { - if( $sqlcheckoff == '') { - return $this->app->DB->real_escape_string($this->xss_clean($value)); - } - - return $this->xss_clean($value); - } - - if($rule=='' && $sqlcheckoff == '') { - return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); - } - if($rule=='' && $sqlcheckoff != '') { - return $value; - } - - // build complete regexp 
- - // check if rule exists - - if($this->GetRegexp($rule)!=''){ - //$v = '/^['.$this->GetRegexp($rule).']+$/'; - $v = $this->GetRegexp($rule); - if (preg_match_all('/'.$v.'/i', $value, $teffer) ) { - if($sqlcheckoff==''){ - return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); - } - - return $value; - } - return ''; - } - - echo " -
Rule $rule doesn't exists!
"; - return ''; - } - - - function RuleCheck($value,$rule) - { - $found = false; - if(!empty($this->app->stringcleaner)) { - $value_ = $this->app->stringcleaner->RuleCheck($value, $rule, $found); - if($found) { - if($value_) { - return true; - } - return false; - } - } - - $v = $this->GetRegexp($rule); - if (preg_match_all('/'.$v.'/i', $value, $teffer) ){ - return true; - } - - return false; - } - - function AddRule($name,$type,$rule) - { - // type: reg = regular expression - // type: glue ( already exists rules copy to new e.g. number+digit) - $this->rules[$name]=array('type'=>$type,'rule'=>$rule); - } - - // get complete regexp by rule name - function GetRegexp($rule) - { - $rules = explode('+',$rule); - $ret = ''; - foreach($rules as $key) { - // check if rule is last in glue string - if($this->rules[$key]['type']==='glue') { - $subrules = explode('+',$this->rules[$key]['rule']); - if(count($subrules)>0) { - foreach($subrules as $subkey) { - $ret .= $this->GetRegexp($subkey); - } - } - } - elseif($this->rules[$key]['type']==='reg') { - $ret .= $this->rules[$key]['rule']; - } - } - if($ret==''){ - $ret = 'none'; - } - return $ret; - } - -} - +app = $app; + // clear global variables, that everybody have to go over secure layer + $this->GET = $_GET; + if(isset($this->GET['msgs']) && isset($this->app->Location)) { + $this->GET['msg'] = $this->app->Location->getMessage($this->GET['msgs']); + } + // $_GET=""; + $this->POST = $_POST; + // $_POST=""; + if(!isset($this->app->stringcleaner) && file_exists(__DIR__. '/class.stringcleaner.php')) { + if(!class_exists('StringCleaner')) { + require_once __DIR__ . 
'/class.stringcleaner.php'; + } + $this->app->stringcleaner = new StringCleaner($this->app); + } + + $this->AddRule('notempty','reg','.'); // at least one sign + $this->AddRule('alpha','reg','[a-zA-Z]'); + $this->AddRule('digit','reg','[0-9]'); + $this->AddRule('space','reg','[ ]'); + $this->AddRule('specialchars','reg','[_-]'); + $this->AddRule('email','reg','^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$'); + $this->AddRule('datum','reg','([0-9]{1,2})\.([0-9]{1,2})\.([0-9]{4})'); + + $this->AddRule('username','glue','alpha+digit'); + $this->AddRule('password','glue','alpha+digit+specialchars'); + } + + /** + * @param string $name + * @param null $rule + * @param string $maxlength + * @param string $sqlcheckoff + * + * @return array|mixed|string + */ + public function GetGET($name,$rule=null,$maxlength='',$sqlcheckoff='') + { + if($name === 'msg' && isset($this->app->erp) && method_exists($this, 'xss_clean')) { + $ret = $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'','',$maxlength,$sqlcheckoff); + $ret = $this->app->erp->base64_url_decode($ret); + if(strpos($ret,'"button"') === false){ + $ret = $this->xss_clean($ret); + } + + return $this->app->erp->base64_url_encode($ret); + } + if($rule === null) { + $rule = $this->NameToRule($name); + } + return $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'',$rule,$maxlength,$sqlcheckoff); + } + + function NameToRule($name) + { + switch($name) + { + case 'id': + return 'doppelid'; + break; + case 'sid': + return 'alphadigits'; + break; + case 'module': + case 'smodule': + case 'action': + case 'saction': + return 'module'; + break; + case 'cmd': + return 'moduleminus'; + break; + } + return 'nothtml'; + } + + public function GetPOST($name,$rule=null,$maxlength="",$sqlcheckoff="") + { + if($rule === null) { + $rule = $this->NameToRule($name); + if(isset($this->POST['ishtml_cke_'.$name]) && $this->POST['ishtml_cke_'.$name]) { + $rule = 'nojs'; + } + } + + return 
$this->Syntax(isset($this->POST[$name])?$this->POST[$name]:'',$rule,$maxlength,$sqlcheckoff); + } + + public function GetPOSTForForms($name,$rule="",$maxlength="",$sqlcheckoff="") + { + return $this->SyntaxForForms($this->POST[$name],$rule,$maxlength,$sqlcheckoff); + } + + public function CleanString($string, $rule='nohtml',$sqlcheckoff='') + { + return $this->Syntax($string, $rule, '', $sqlcheckoff); + } + + public function xss_clean($data) + { + return $this->app->stringcleaner->xss_clean($data); + } + + public function GetPOSTArray() + { + if(!empty($this->POST) && count($this->POST)>0) + { + foreach($this->POST as $key=>$value) + { + $value = $this->GetPOST($key); + if ($value !== null) { + $ret[$key] = $value; + } + } + } + if(!empty($ret)) + { + return $ret; + } + + return null; + } + + public function GetGETArray() + { + if(!empty($this->GET) && count($this->GET)>0) + { + foreach($this->GET as $key=>$value) + { + $value = $this->GetGET($key); + if ($value !== null) { + $ret[$key] = $value; + } + } + } + if(!empty($ret)) + { + return $ret; + } + + return null; + } + + function stripallslashes($string) { + + while(strstr($string,'\\')) { + $string = stripslashes($string); + } + return $string; + } + + public function smartstripslashes($str) { + $cd1 = substr_count($str, "\""); + $cd2 = substr_count($str, "\\\""); + $cs1 = substr_count($str, "'"); + $cs2 = substr_count($str, "\\'"); + $tmp = strtr($str, array("\\\"" => "", "\\'" => "")); + $cb1 = substr_count($tmp, "\\"); + $cb2 = substr_count($tmp, "\\\\"); + if ($cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) { + return strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\")); + } + return $str; + } + + public function SyntaxForForms($value,$rule,$maxlength="",$sqlcheckoff="") + { + return $value;//mysqli_real_escape_string($this->app->DB->connection,$value);//mysqli_real_escape_string($value); + } + + // check actual value with given rule + public function 
Syntax($value,$rule,$maxlength='',$sqlcheckoff='') + { + $striptags = false; + if(is_array($value)) + { + if($sqlcheckoff != '') + { + return $value; + } + foreach($value as $k => $v) + { + if(is_array($v)) + { + $value[$k] = $v; + }else{ + $v = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$v); + if($striptags){ + $v = $this->stripallslashes($v); + $v = $this->smartstripslashes($v); + $v = $this->app->erp->superentities($v); + } + $value[$k] = $this->app->DB->real_escape_string($v); + } + } + return $value; + } + + + $value = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$value); + + if($striptags){ + $value = $this->stripallslashes($value); + $value = $this->smartstripslashes($value); + + $value = $this->app->erp->superentities($value); + } + + if(!empty($this->app->stringcleaner)) { + if( $sqlcheckoff == '') { + return $this->app->DB->real_escape_string($this->app->stringcleaner->CleanString($value, $rule)); + } + return $this->app->stringcleaner->CleanString($value, $rule); + } + + if($rule === 'nohtml') { + if( $sqlcheckoff == '') { + return $this->app->DB->real_escape_string(strip_tags($value)); + } + + return strip_tags($value); + + } + if($rule === 'nojs') { + if( $sqlcheckoff == '') { + return $this->app->DB->real_escape_string($this->xss_clean($value)); + } + + return $this->xss_clean($value); + } + + if($rule=='' && $sqlcheckoff == '') { + return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); + } + if($rule=='' && $sqlcheckoff != '') { + return $value; + } + + // build complete regexp + + // check if rule exists + + if($this->GetRegexp($rule)!=''){ + //$v = '/^['.$this->GetRegexp($rule).']+$/'; + $v = $this->GetRegexp($rule); + if (preg_match_all('/'.$v.'/i', $value, $teffer) ) { + if($sqlcheckoff==''){ + return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); + } + + return $value; + } + return ''; + } + + echo " +
Rule $rule doesn't exists!
"; + return ''; + } + + + function RuleCheck($value,$rule) + { + $found = false; + if(!empty($this->app->stringcleaner)) { + $value_ = $this->app->stringcleaner->RuleCheck($value, $rule, $found); + if($found) { + if($value_) { + return true; + } + return false; + } + } + + $v = $this->GetRegexp($rule); + if (preg_match_all('/'.$v.'/i', $value, $teffer) ){ + return true; + } + + return false; + } + + function AddRule($name,$type,$rule) + { + // type: reg = regular expression + // type: glue ( already exists rules copy to new e.g. number+digit) + $this->rules[$name]=array('type'=>$type,'rule'=>$rule); + } + + // get complete regexp by rule name + function GetRegexp($rule) + { + $rules = explode('+',$rule); + $ret = ''; + foreach($rules as $key) { + // check if rule is last in glue string + if($this->rules[$key]['type']==='glue') { + $subrules = explode('+',$this->rules[$key]['rule']); + if(count($subrules)>0) { + foreach($subrules as $subkey) { + $ret .= $this->GetRegexp($subkey); + } + } + } + elseif($this->rules[$key]['type']==='reg') { + $ret .= $this->rules[$key]['rule']; + } + } + if($ret==''){ + $ret = 'none'; + } + return $ret; + } + +} +
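Review bot: The rewritten GetPOSTArray and GetGETArray copy the raw request key straight into `$ret[$key]`, so the key filtering the old loops attempted (`alpha+digit+specialchars`, length 20) is gone entirely and only the value passes through Syntax(); if any caller uses those keys to build column names, HTML or paths, that is now unvalidated input. A cheap guard before the GetPOST()/GetGET() call in both methods would be `if (!preg_match('/^[A-Za-z0-9_-]{1,20}$/', (string) $key)) { continue; }`, which is also more honest than routing the key through GetPOST() again, since Syntax() never reads its `$maxlength` argument anywhere in this file and the old `20` was never enforced. The `$value !== null` test looks dead, because every visible return in Syntax() yields a string or an array; if the intent was to skip rejected values, `$value !== ''` is the condition that actually fires. Keys such as `ishtml_cke_*` are now copied into the result too, which the old code did not do; worth confirming callers expect that.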