TOCHECK 3.06 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Here is what I think we need to do:

* Remove our reliance on register_globals. This is going to be a lot
  of messy work since $foo now becomes $_GET['foo'] or $_POST['foo']
  or $_SERVER['DOCUMENT_ROOT'] or $_COOKIE['authname'].

* Chack all args before handing off to DB queries. We are not going to
  use magic quotes, so before we can give a random argument (like uid)
  to a DB query, we have to check it.

  We should add some utility functions for this. Generally, all args
  need better checking.

* Anything that goes to the shell needs even tighter checks.

* Kill all the stripslashes call on data that came from the DB since
17 18 19 20
  they are not needed (no slashes stored in the DB).

* Make sure we use addslashes on all stuff going into DB slots (update
  and insert statements). 
21

22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
apc.php
approveproject.php3
approveproject_form.php3
approveproject_list.php3
approveuser.php3
approveuser_form.php3
approvewauser.php3
approvewauser_form.php3
beginexp.php3
boot.php3
buildui/bui.php3
buildui/nssave.php3
cdrom.php
cdromcheckin.php3
cdromdownload.php
cdrominstallhelp.php
cdromnewkey.php
cdromqueue.php3
cdromrequest.php3
clearapc.php
cvsweb/cvsweb.php3
dbdefs.php3.in
defs.php3.in
delaycontrol.php3
deletegroup.php3
deleteimageid.php3
deletenodelog.php3
deleteosid.php3
deleteproject.php3
51 52
deletepubkey.php3		X
deletesfskey.php3		X
53 54
deleteuser.php3
doc.php3
55 56
doc/docwrapper.php3		X
docwrapper.php3			X
57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75
editexp.php3
editgroup.php3
editgroup_form.php3
editimageid.php3
editimageid_form.php3
editsitevars.php3
emailus.php3
endexp.php3
error.php3
expaccess.php3
expaccess_form.php3
explist.php3
faq.php3
foo.php3
freenode.php3
freezeuser.php3
index.php3
joinproject.php3
loadimage.php3
76 77
login.php3		X
logout.php3		X
78 79 80
menu.php3
menu.php3.java
modifyexp.php3
Leigh Stoller's avatar
Leigh Stoller committed
81
moduserinfo.php3	X
82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132
netemu.php3
newgroup.php3
newgroup_form.php3
newimageid.php3
newimageid_ez.php3
newnode-defs.php3
newnode_edit.php3
newnodecheckin.php
newnodelog.php3
newnodelog_form.php3
newnodes_list.php3
newosid.php3
newosid_form.php3
newproject.php3
news.php3
nodecontrol.php3
nodecontrol_form.php3
nodecontrol_list.php3
nodemon.php3
nodemon_all.php3
nodessh.php3
nodetipacl.php3
nologins.php3
nscheck.php3
nscheck_form.php3
password.php3
people.php3
plabmetrics.php3
plabstats.php3
projectlist.php3
pubs.php3
reqaccount.php3
request_swapexp.php3
resendkey.php3
sc2002tut.php3
search.php3
sendemail.php3
showexp.php3
showexp_list.php3
showexpstats.php3
showgroup.php3
showimageid.php3
showimageid_list.php3
shownode.php3
shownodelog.php3
shownodetype.php3
shownsfile.php3
showosid_list.php3
showosinfo.php3
showproject.php3
showproject_list.php3
133 134
showpubkeys.php3		X
showsfskeys.php3		X
135 136 137 138 139 140 141 142 143 144 145 146 147 148
showstats.php3
showstuff.php3
showsumstats.php3
showthumb.php3
showuser.php3
showuser_list.php3
software.php3
spewlogfile.php3
spewrpmtar.php3
spitnsdata.php3
start.php3
survey.php3
swapexp.php3
tbauth.php3
149
toggle.php			X
150
top2image.php3
151 152
tutorial/docwrapper.php3	X
tutorial/tutorial.php3		X
153 154 155 156 157 158 159 160 161 162
updateaccounts.php3
updown.php3
verifyusr.php3
verifyusr_form.php3
webdb/webdb.php3
webdb/webdb_backend.php3
widearea_info.php3
widearea_redirect.php
widearea_register.php
wideareakeys.php3