[geeklog-hg] geeklog: Configuration string input sanitizing overhaul. Now can...
Fri Oct 2 13:51:49 EDT 2015
changeset 9627:44821e0c4479
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/44821e0c4479
user: Tom
date: Fri Oct 02 13:45:46 2015 -0400
description:
Configuration string input sanitizing overhaul. Sanitizing can now be made specific to a configuration option by adding a 'sanitize' rule to that option's entry in the config validation file. The default is now that all strings are stripped of tags.
diffstat:
language/english.php | 1 +
language/english_utf-8.php | 1 +
public_html/admin/configuration.php | 23 +++
public_html/admin/configuration_validation.php | 18 +-
system/classes/config.class.php | 176 ++++++++++++++++--------
5 files changed, 155 insertions(+), 64 deletions(-)
diffs (truncated from 337 to 300 lines):
diff -r a5198b021772 -r 44821e0c4479 language/english.php
--- a/language/english.php Thu Sep 24 15:13:28 2015 -0400
+++ b/language/english.php Fri Oct 02 13:45:46 2015 -0400
@@ -2398,6 +2398,7 @@
'rdf_limit' => 'This field must be numeric',
'path' => 'Path does not exist',
'file' => 'File does not exist',
+ 'fileName' => 'This field must be a proper file name',
'search_limits' => 'This field must be numeric and separated with a comma',
'num_search_results' => "This field must be numeric and from the 'search_limits' field above",
'theme' => 'Theme directory does not exist',
diff -r a5198b021772 -r 44821e0c4479 language/english_utf-8.php
--- a/language/english_utf-8.php Thu Sep 24 15:13:28 2015 -0400
+++ b/language/english_utf-8.php Fri Oct 02 13:45:46 2015 -0400
@@ -2398,6 +2398,7 @@
'rdf_limit' => 'This field must be numeric',
'path' => 'Path does not exist',
'file' => 'File does not exist',
+ 'fileName' => 'This field must be a proper file name',
'search_limits' => 'This field must be numeric and separated with a comma',
'num_search_results' => "This field must be numeric and from the 'search_limits' field above",
'theme' => 'Theme directory does not exist',
diff -r a5198b021772 -r 44821e0c4479 public_html/admin/configuration.php
--- a/public_html/admin/configuration.php Thu Sep 24 15:13:28 2015 -0400
+++ b/public_html/admin/configuration.php Fri Oct 02 13:45:46 2015 -0400
@@ -469,6 +469,29 @@
}
/**
+ * Custom validation rule to determine if HTML or PHP tags exist
+ *
+ * @param string $rule String of rule name
+ * @param array $ruleParams Parameter of validation
+ * @return boolean Success
+ *
+ */
+function custom_validation_noTags($rule, $ruleParams) {
+ $ret = false;
+
+ if (isset($ruleParams[0])) {
+ foreach ($ruleParams[0] as $paramName => $paramValue ) {
+ break;
+ }
+ if ($ruleParams[0][$paramName] == strip_tags($ruleParams[0][$paramName])) {
+ $ret = true;
+ }
+ }
+
+ return $ret;
+}
+
+/**
* Custom validation rule for single character
*
* @param string $rule String of rule name
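Review bot: In custom_validation_noTags the foreach/break used to pick the first key of `$ruleParams[0]` leaves `$paramName` undefined when that array is empty, and the comparison on the next line is a loose `==`; `$paramName = key($ruleParams[0]);` followed by `if ($paramName !== null && $ruleParams[0][$paramName] === strip_tags($ruleParams[0][$paramName]))` is both shorter and safe for the empty case. Note also that, per the config.class.php hunk in this same changeset, `_validate_input` strips tags from strings before any validation rule runs, so this rule will presumably only ever see a tag when the option's 'sanitize' entry is 'none' or 'approveHTML' — worth stating in the docblock, e.g. `* Only meaningful for options whose 'sanitize' rule leaves tags in place ('none' or 'approveHTML').`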
diff -r a5198b021772 -r 44821e0c4479 public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php Thu Sep 24 15:13:28 2015 -0400
+++ b/public_html/admin/configuration_validation.php Fri Oct 02 13:45:46 2015 -0400
@@ -41,7 +41,7 @@
$_CONF_VALIDATE['Core']['site_slogan'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['owner_name'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['microsummary_short'] = array('rule' => 'stringOrEmpty');
-$_CONF_VALIDATE['Core']['site_disabled_msg'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['site_disabled_msg'] = array('rule' => 'stringOrEmpty', 'sanitize' => 'approveHTML');
$_CONF_VALIDATE['Core']['copyrightyear'] = array(
'rule' => 'copyrightyear',
'message' => isset($LANG_VALIDATION['yearOrRange']) ? $LANG_VALIDATION['yearOrRange'] : $LANG_VALIDATION['default']
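Review bot: The new 'sanitize' key first appears here with no comment saying what values it accepts or what happens when it is absent, and an admin editing this file has no way to know without reading config.class.php. From the config.class.php hunk in this changeset the recognised values are 'none', 'noTags' and 'approveHTML', and a string option that has a validation entry but no 'sanitize' key is passed through strip_tags(). I would add a header comment near the top of this file: `// 'sanitize' => 'none' | 'noTags' | 'approveHTML' — applied before the 'rule' check;` / `// string options without a 'sanitize' key are passed through strip_tags().` The entries that follow also place 'sanitize' before 'rule' while this line places it after; pick one order.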
@@ -92,12 +92,18 @@
$_CONF_VALIDATE['Core']['rdf_storytext'] = array('rule' => 'numeric');
$_CONF_VALIDATE['Core']['rdf_language'] = array('rule' => 'notEmpty');
$_CONF_VALIDATE['Core']['syndication_max_headlines'] = array('rule' => 'numeric');
-$_CONF_VALIDATE['Core']['comment_feeds_article_tag'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['comment_feeds_article_tag'] = array(
+ 'sanitize' => 'approveHTML',
+ 'rule' => 'notEmpty');
$_CONF_VALIDATE['Core']['comment_feeds_article_tag_position'] = array(
'rule' => array('inList', array('start', 'end', 'none'), true)
);
-$_CONF_VALIDATE['Core']['comment_feeds_article_author_tag'] = array('rule' => 'stringOrEmpty');
-$_CONF_VALIDATE['Core']['comment_feeds_comment_author_tag'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['comment_feeds_article_author_tag'] = array(
+ 'sanitize' => 'approveHTML',
+ 'rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['comment_feeds_comment_author_tag'] = array(
+ 'sanitize' => 'approveHTML',
+ 'rule' => 'stringOrEmpty');
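Review bot: comment_feeds_article_tag keeps `'rule' => 'notEmpty'` while gaining `'sanitize' => 'approveHTML'`; since sanitizing runs before validation (per the config.class.php hunk in this changeset), a value that COM_checkHTML reduces to an empty string would presumably be rejected as "empty" with a message that never mentions the HTML was filtered. If that is the intended behaviour, a 'message' entry on this option saying that disallowed HTML is removed before the check would save an admin from a confusing failure; if not, the rule for this option needs to run on the unsanitized value. The two author-tag options below use 'stringOrEmpty' and so are not affected.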
/* Subgroup Site, Tab Paths */
$_CONF_VALIDATE['Core']['path_html'] = array(
@@ -169,7 +175,9 @@
$_CONF_VALIDATE['Core']['search_show_sort'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_num'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_type'] = array('rule' => 'boolean');
-$_CONF_VALIDATE['Core']['search_separator'] = array('rule' => 'string');
+$_CONF_VALIDATE['Core']['search_separator'] = array(
+ 'sanitize' => 'approveHTML',
+ 'rule' => 'string');
$_CONF_VALIDATE['Core']['search_def_keytype'] = array(
'rule' => array('inList', array('all', 'any', 'phrase'), true)
);
diff -r a5198b021772 -r 44821e0c4479 system/classes/config.class.php
--- a/system/classes/config.class.php Thu Sep 24 15:13:28 2015 -0400
+++ b/system/classes/config.class.php Fri Oct 02 13:45:46 2015 -0400
@@ -1565,6 +1565,7 @@
foreach ($this->config_array[$group] as $param_name => $param_value) {
if (array_key_exists($param_name, $change_array)) {
+ // Sanitize input before validation of input begins
$change_array[$param_name] =
$this->_validate_input($param_name, $group, $change_array[$param_name]);
@@ -1614,6 +1615,7 @@
if ( empty($this->validationErrors) ) {
// only set if there is no validation error
foreach ( $pass_validation as $param => $val ) {
+ /*
if ($group === 'Core') {
switch ($param) {
case 'site_name':
@@ -1650,13 +1652,14 @@
break;
}
}
+ */
$this->set($param, $val, $group);
$success_array[$param] = true;
}
$this->_post_configuration();
} else {
- // temporaly save the changed values
+ // temporally save the changed values
foreach ( $pass_validation as $param => $val ) {
$this->tmpValues[$group][$param] = $val;
}
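Review bot: The per-parameter `Core` switch is disabled by wrapping it in `/* ... */` rather than deleting it, which leaves a large dead block (its middle lies between the two hunks and is not visible here) that the version control history already preserves; remove it, or if it is kept deliberately, add a one-line comment saying why, e.g. `// Per-option escaping replaced by the 'sanitize' rules in configuration_validation.php`. The spelling fix on the comment below is also wrong: "temporally" means "in time", the word wanted is `// temporarily save the changed values`.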
@@ -1723,17 +1726,70 @@
}
} else {
$r = COM_stripslashes($input_val);
+ // Boolean default check
+ // Numeric check
+ // String Sanitize
if ($r == 'b:0' OR $r == 'b:1') {
$r = ($r == 'b:1');
- }
- //if (is_numeric($r)) {
- if (is_numeric($r) && $this->_validate_numeric($config, $group)) {
+ } elseif (is_numeric($r) && $this->_validate_numeric($config, $group)) {
$r = $r + 0;
+ } else {
+ $r = $this->_sanitize_string($config, $group, $input_val);
}
}
return $r;
}
+
+ /**
+ * Returns sanitized string.
+ *
+ * @param string $config Configuration variable
+ * @param string $group Configuration group
+ * @return sanitized string
+ * @access public
+ */
+ function _sanitize_string($config, $group, $input_val) {
+ global $_CONF_VALIDATE;
+
+ if ( isset($_CONF_VALIDATE[$group][$config]) &&
+ !empty($_CONF_VALIDATE[$group][$config]) )
+ {
+ $default_strip_tags = true;
+ foreach ($_CONF_VALIDATE[$group][$config] as $index => $validator) {
+ if ($index == 'sanitize') {
+ if (is_array($validator)) {
+ $rule_type = $validator[0];
+ } else {
+ $rule_type = $validator;
+ }
+ switch ($rule_type) {
+ case 'none':
+ $default_strip_tags = false;
+ break;
+
+ case 'noTags':
+ $input_val = strip_tags($input_val);
+ $default_strip_tags = false;
+ break;
+
+ case 'approveHTML':
+ $input_val = COM_checkHTML($input_val);
+ $default_strip_tags = false;
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+ if ($default_strip_tags) {
+ $input_val = strip_tags($input_val);
+ }
+ }
+
+ return $input_val;
+ }
/**
* Returns true if configuration field should be numeric.
@@ -1792,70 +1848,72 @@
);
foreach ($_CONF_VALIDATE[$group][$config] as $index => $validator) {
- if (!is_array($validator)) {
- if ( $index == 'message' && is_string($validator) ) continue;
+ if ( $index != 'sanitize') {
+ if (!is_array($validator)) {
+ if ( $index == 'message' && is_string($validator) ) continue;
- $validator = array('rule' => $validator);
- } else {
- if ( $index == 'rule' ) {
$validator = array('rule' => $validator);
+ } else {
+ if ( $index == 'rule' ) {
+ $validator = array('rule' => $validator);
+ }
}
- }
- if ( isset($_CONF_VALIDATE[$group][$config]['message']) &&
- is_string($_CONF_VALIDATE[$group][$config]['message']) )
- {
- $validator['message'] = $_CONF_VALIDATE[$group][$config]['message'];
- unset($_CONF_VALIDATE[$group][$config]['message']);
- }
- $validator = array_merge($default, $validator);
+ if ( isset($_CONF_VALIDATE[$group][$config]['message']) &&
+ is_string($_CONF_VALIDATE[$group][$config]['message']) )
+ {
+ $validator['message'] = $_CONF_VALIDATE[$group][$config]['message'];
+ unset($_CONF_VALIDATE[$group][$config]['message']);
+ }
+ $validator = array_merge($default, $validator);
- if (isset($validator['message'])) {
- $message = $validator['message'];
- } else if ( is_string($validator['rule']) && isset($LANG_VALIDATION[$validator['rule']]) ) {
- $message = $LANG_VALIDATION[$validator['rule']];
- } else if ( is_array($validator['rule']) && isset($LANG_VALIDATION[$validator['rule'][0]]) ) {
- $message = $LANG_VALIDATION[$validator['rule'][0]];
- } else {
- $message = $LANG_VALIDATION['default'];
- }
-
- if ( is_array($validator['rule']) ) {
- $rule = $validator['rule'][0];
- unset($validator['rule'][0]);
- $ruleParams = array_merge(array($value), array_values($validator['rule']));
- } else {
- $rule = $validator['rule'];
- $ruleParams = array($value);
- }
-
- $valid = true;
- $custom_function = 'custom_validation_' . strtolower($rule);
- if ( function_exists($custom_function) ) {
- $ruleParams[] = $validator;
- $ruleParams[0] = array($config => $ruleParams[0]);
-
- if ( is_array($relatedValue) && !empty($relatedValue) ) {
- $ruleParams[] = $relatedValue;
+ if (isset($validator['message'])) {
+ $message = $validator['message'];
+ } else if ( is_string($validator['rule']) && isset($LANG_VALIDATION[$validator['rule']]) ) {
+ $message = $LANG_VALIDATION[$validator['rule']];
+ } else if ( is_array($validator['rule']) && isset($LANG_VALIDATION[$validator['rule'][0]]) ) {
+ $message = $LANG_VALIDATION[$validator['rule'][0]];
+ } else {
+ $message = $LANG_VALIDATION['default'];
}
- $valid = $custom_function($rule, $ruleParams);
- } elseif (method_exists($_validator, $rule)) {
- $valid = $_validator->dispatchMethod($rule, $ruleParams);
- } elseif (!is_array($validator['rule'])) {
- $valid = preg_match($rule, $value);
- }
-
- if (!$valid || (is_string($valid) && strlen($valid) > 0)) {
- if (is_string($valid) && strlen($valid) > 0) {
- $validator['message'] = $valid;
- } elseif (!isset($validator['message'])) {
- $validator['message'] = $message;
+ if ( is_array($validator['rule']) ) {
+ $rule = $validator['rule'][0];
+ unset($validator['rule'][0]);
+ $ruleParams = array_merge(array($value), array_values($validator['rule']));
+ } else {
+ $rule = $validator['rule'];
+ $ruleParams = array($value);