Commit 6cf701f9 authored by Leigh B Stoller

Cleanup in the web interface to prevent XSS attacks.

We had a couple of different problems actually.

* We allow users to insert html into many DB fields (say, a project or
  experiment description).

* We did not sanitize that output when displaying back.

* We did not sanitize initial page arguments that were reflected in the
  output (say, in a form).

Since no one has the time to analyze every line of code, I took a couple of
shortcuts. The first is that I changed the regex table to not allow any <>
chars to go from the user into the DB. Brutal, but in fact there are only a
couple of places where a user legitimately needs them. For example, a
startup command that includes redirection. I handle those as special
cases. As more come up, we can fix them.

I did a quick pass through all of the forms, and made sure that we run
htmlspecialchars on everything including initial form args. This was not
too bad because of the way all of the forms are structured, with a
"formfields" array.

I also removed a bunch of obsolete code and added an update script to
actually remove them from the www directory.

Lastly, I purged some XMLRPC code I did a long time ago in the Begin
Experiment path. Less complexity, easier to grok and fix.

	modified:   sql/database-fill.sql
	modified:   sql/dbfill-update.sql
parent d1d3ff11
#
# Delete some obsolete www files.
#
use strict;
use libinstall;
use installvars;
my $DBFILL_UPDATE = "$TOP_SRCDIR/sql/dbfill-update.sql";
sub InstallUpdate($$)
{
my ($version, $phase) = @_;
if ($phase eq "pre") {
Phase "dbfill", "Updating regex table", sub {
ExecQuietFatal("cat $DBFILL_UPDATE | mysql tbdb");
};
my @deletedfiles = (
"approveuser_form.php3",
"approvewauser.php3",
"beginexp_html.php3",
"beginexp_xml.php3",
"deletesfskey.php3",
"kb-manage.php3",
"kb-search.php3",
"nsgen.php3",
"plab_ez.php3",
"plab_ez_footnote1.html",
"plab_ez_footnote2.html",
"plab_ez_footnote3.html",
"plab_ez_footnote4.html",
"plab_ez_footnote5.html",
"plab_ez_footnote6.html",
"plab_ez_footnote7.html",
"plab_ez_footnote8.html",
"plabmetrics.php3",
"plabstats.php3",
"robotmap.php3",
"showsfskeys.php3");
my @deleteddirs = (
"robotrack",
"webdb",
"hyperview");
foreach my $file (@deletedfiles) {
$file = "$TBROOT/www/$file";
next
if (! -e $file);
Phase "$file", "Deleting $file", sub {
DeleteFileFatal($file);
};
}
foreach my $dir (@deleteddirs) {
$dir = "$TBROOT/www/$dir";
next
if (! -e $dir);
Phase "$dir", "Deleting $dir", sub {
ExecQuietFatal("/bin/rm -rf $dir");
};
}
}
return 0;
}
1;
# Local Variables:
# mode:perl
# End:
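Review bot: The header comment on L37 only says `Delete some obsolete www files`, but the `pre` phase first runs the regex-table update (`Phase "dbfill", ...` on L47-L49), which is the security-relevant half of this script; the comment should say so, e.g. `# Tighten the table_regex defaults (dbfill-update.sql) and delete some obsolete www files.` The directory list removes `$TBROOT/www/hyperview` (L75) while the Makefile in this commit still installs `hyperviewer/*`; if those are the same tree the next install recreates it, and if not, it is worth confirming `hyperview` is really stale. Assigning to `$file`/`$dir` inside `foreach` (L77, L85) rewrites the array elements in place because the loop variable aliases them — harmless here, but `my $path = "$TBROOT/www/$file";` reads more plainly. `ExecQuietFatal("/bin/rm -rf $dir")` passes an interpolated path through the shell; the inputs are constants, but core `File::Path` (`rmtree`) would do the same job without a shell.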
......@@ -733,8 +733,8 @@ REPLACE INTO table_regex VALUES ('eventlist','vnode','text','redirect','virt_age
REPLACE INTO table_regex VALUES ('eventlist','vname','text','regex','^[-\\w\\(\\)]+$',1,64,NULL);
REPLACE INTO table_regex VALUES ('eventlist','objecttype','int','redirect','default:tinyint',0,0,NULL);
REPLACE INTO table_regex VALUES ('eventlist','eventtype','int','redirect','default:tinyint',0,0,NULL);
REPLACE INTO table_regex VALUES ('eventlist','arguments','text','redirect','default:text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('eventlist','atstring','text','redirect','default:text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('eventlist','arguments','text','redirect','default:html_text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('eventlist','atstring','text','redirect','default:html_text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('eventlist','triggertype','int','redirect','default:tinyint',0,0,NULL);
REPLACE INTO table_regex VALUES ('experiments','eid','text','regex','^[a-zA-Z0-9][-a-zA-Z0-9]+$',2,19,'Must ensure not too long for the database. PID is 12, and the max is 32, so the user is not allowed to specify an EID more than 19, since other parts of the system may concatenate them together with a hyphen');
......@@ -764,7 +764,7 @@ REPLACE INTO table_regex VALUES ('nodes','node_id','text','regex','^[-\\w]+$',1,
REPLACE INTO table_regex VALUES ('nseconfigs','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('nseconfigs','eid','text','redirect','experiments:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('nseconfigs','vname','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('nseconfigs','nseconfig','text','regex','^[\\040-\\176\\012\\011\\015]*$',0,16777215,NULL);
REPLACE INTO table_regex VALUES ('nseconfigs','nseconfig','text','redirect','default:fulltext',0,16777215,NULL);
REPLACE INTO table_regex VALUES ('projects','newuser_xml','text','regex','^[-_\\w\\.\\/:+]*$',1,256,NULL);
REPLACE INTO table_regex VALUES ('projects','newpid','text','regex','^[a-zA-Z][-a-zA-Z0-9]+$',2,48,NULL);
......@@ -793,7 +793,7 @@ REPLACE INTO table_regex VALUES ('users','usr_email','text','regex','^([-\\w\\+\
REPLACE INTO table_regex VALUES ('users','usr_shell','text','regex','^(csh|sh|bash|tcsh|zsh)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('users','usr_title','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('users','usr_affil','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO `table_regex` VALUES ('users','usr_affil_abbrev','text','regex','^[\\040-\\176]*$',0,16,NULL);
REPLACE INTO table_regex VALUES ('users','usr_affil_abbrev','text','regex','default:tinytext',0,16,NULL);
REPLACE INTO table_regex VALUES ('users','usr_addr','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('users','usr_addr2','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('users','usr_state','text','redirect','default:tinytext',0,0,NULL);
......@@ -889,7 +889,7 @@ REPLACE INTO table_regex VALUES ('virt_nodes','ips','text','regex','^(\\d{1,2}:\
REPLACE INTO table_regex VALUES ('virt_nodes','cmd_line','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','rpms','text','regex','^([-\\w\\.\\/\\+:~]+;{0,1})*$',0,4096,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','deltas','text','regex','^([-\\w\\.\\/\\+]+:{0,1})*$',0,1024,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','startupcmd','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','startupcmd','text','redirect','default:html_tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','tarfiles','text','regex','^([-\\w\\.\\/\\+]+\\s+[-\\w\\.\\/\\+:~]+;{0,1})*$',0,1024,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','vname','text','regex','^[-\\w]+$',1,32,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','type','text','regex','^[-\\w]*$',0,30,NULL);
......@@ -903,7 +903,7 @@ REPLACE INTO table_regex VALUES ('virt_programs','pid','text','redirect','projec
REPLACE INTO table_regex VALUES ('virt_programs','eid','text','redirect','experiments:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_programs','vnode','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_programs','vname','text','regex','^[-\\w\\(\\)]+$',1,32,NULL);
REPLACE INTO table_regex VALUES ('virt_programs','command','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_programs','command','text','redirect','default:html_tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_routes','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_routes','eid','text','redirect','experiments:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_routes','vname','text','redirect','virt_nodes:vname',0,0,NULL);
......@@ -931,15 +931,7 @@ REPLACE INTO table_regex VALUES ('virt_vtypes','eid','text','redirect','experime
REPLACE INTO table_regex VALUES ('virt_vtypes','name','text','regex','^[-\\w]+$',1,32,NULL);
REPLACE INTO table_regex VALUES ('virt_vtypes','weight','float','redirect','default:float',0,1,NULL);
REPLACE INTO table_regex VALUES ('virt_vtypes','members','text','regex','^( ?[-\\w]+ ?)+$',0,1024,NULL);
REPLACE INTO table_regex VALUES ('default','tinytext','text','regex','^[\\040-\\176]*$',0,256,NULL);
REPLACE INTO table_regex VALUES ('default','text','text','regex','^[\\040-\\176]*$',0,65535,NULL);
REPLACE INTO table_regex VALUES ('projects','why','text','regex','^[\\040-\\176\\012\\015\\011]*$',0,4096,NULL);
REPLACE INTO table_regex VALUES ('default','tinyint','int','regex','^[\\d]+$',-128,127,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','boolean','int','regex','^(0|1)$',0,1,'Default regex for tiny int fields that are int booleans. Allow any 0 or 1');
REPLACE INTO table_regex VALUES ('default','tinyuint','int','regex','^[\\d]+$',0,255,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','int','int','regex','^[\\d]+$',-2147483648,2147483647,'Default regex for int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','float','float','regex','^[+-]?\\ *(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d+)?$',-2147483648,2147483647,'Default regex for float fields. Allow any digits and the decimal point');
REPLACE INTO table_regex VALUES ('default','default','text','regex','^[\\040-\\176]*$',0,256,'Default regex if one is not defined for a table/slot. Allow any standard ascii character, but no binary data');
REPLACE INTO table_regex VALUES ('projects','why','text','redirect','default:fulltext',0,4096,NULL);
REPLACE INTO table_regex VALUES ('projects','num_members','int','redirect','default:int',0,256,NULL);
REPLACE INTO table_regex VALUES ('projects','num_pcs','int','redirect','default:int',0,2048,NULL);
REPLACE INTO table_regex VALUES ('projects','num_pcplab','int','redirect','default:int',0,2048,NULL);
......@@ -954,7 +946,7 @@ REPLACE INTO table_regex VALUES ('experiments','ipassign_args','text','regex','^
REPLACE INTO table_regex VALUES ('experiments','expt_name','text','redirect','default:fulltext',1,255,NULL);
REPLACE INTO table_regex VALUES ('experiments','dpdb','int','redirect','default:tinyint',0,1,NULL);
REPLACE INTO table_regex VALUES ('experiments','description','text','regex','^[\\040-\\176\\012\\015\\011]*$',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiments','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiments','idle_ignore','int','redirect','default:boolean',0,0,NULL);
REPLACE INTO table_regex VALUES ('experiments','swappable','int','redirect','default:boolean',0,0,NULL);
REPLACE INTO table_regex VALUES ('experiments','noswap_reason','text','redirect','default:tinytext',1,255,NULL);
......@@ -1025,7 +1017,7 @@ REPLACE INTO table_regex VALUES ('images','imagename','text','regex','^[a-zA-Z0-
REPLACE INTO table_regex VALUES ('images','imageid','text','redirect','default:int',0,100000000,NULL);
REPLACE INTO table_regex VALUES ('images','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('images','gid','text','redirect','groups:gid',0,0,NULL);
REPLACE INTO table_regex VALUES ('images','description','text','regex','^[\\040-\\176\\012\\015\\011]*$',1,256,NULL);
REPLACE INTO table_regex VALUES ('images','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('images','loadpart','text','redirect','default:tinyint',0,4,NULL);
REPLACE INTO table_regex VALUES ('images','loadlength','text','redirect','default:tinyint',1,4,NULL);
REPLACE INTO table_regex VALUES ('images','part1_osid','text','redirect','os_info:osid',0,0,NULL);
......@@ -1113,15 +1105,14 @@ REPLACE INTO table_regex VALUES ('mailman_lists','listname','text','redirect','m
REPLACE INTO table_regex VALUES ('mailman_listnames','listname','text','regex','^[-\\w\\.\\+]+$',3,64,NULL);
REPLACE INTO table_regex VALUES ('default','fulltext','text','regex','^[\\040-\\176\\012\\015\\011]*$',0,20000,NULL);
REPLACE INTO table_regex VALUES ('node_attributes','attrkey','text','regex','^[-\\w]+$',1,32,NULL);
REPLACE INTO table_regex VALUES ('node_attributes','attrvalue','text','regex','^[-\\w\\.+,\\s]+$',0,255,NULL);
REPLACE INTO table_regex VALUES ('archive_tags','description','text','redirect','projects:why',1,2048,NULL);
REPLACE INTO table_regex VALUES ('archive_tags','tag','text','regex','^[a-zA-Z][-\\w\\.\\+]+$',2,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_templates','description','text','regex','^[\\040-\\176\\012\\015\\011]*$',1,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_templates','description','text','redirect','default:fulltext',1,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_templates','guid','text','regex','^[\\w]+$',1,32,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','name','text','regex','^[\\040-\\176]*$',1,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','value','text','regex','^[\\040-\\176\\012\\015\\011]*$',0,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','name','text','redirect','default:tinytext',1,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','value','text','redirect','default:fulltext',0,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','metadata_type','text','regex','^[\\w]*$',1,64,NULL);
REPLACE INTO table_regex VALUES ('virt_parameters','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_parameters','eid','text','redirect','experiments:eid',0,0,NULL);
......@@ -1131,10 +1122,10 @@ REPLACE INTO table_regex VALUES ('virt_parameters','description','text','redirec
REPLACE INTO table_regex VALUES ('experiment_template_instance_bindings','name','text','regex','^\\w[-\\w]+$',1,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_instance_bindings','value','text','redirect','default:tinytext',0,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_runs','runid','text','redirect','experiments:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('experiment_runs','description','text','regex','^[\\040-\\176\\012\\015\\011]*$',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_runs','description','text','redirect','default:tinytext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_run_bindings','name','text','regex','^\\w[-\\w]+$',1,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_run_bindings','value','text','redirect','default:tinytext',0,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_instances','description','text','regex','^[\\040-\\176\\012\\015\\011]*$',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_instances','description','text','redirect','default:tinytext',1,256,NULL);
REPLACE INTO table_regex VALUES ('virt_node_motelog','vname','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_node_motelog','logfileid','text','regex','^[-\\w\\.+]+$',2,45,NULL);
REPLACE INTO table_regex VALUES ('virt_node_motelog','pid','text','redirect','projects:pid',0,0,NULL);
......@@ -1161,8 +1152,8 @@ REPLACE INTO table_regex VALUES ('os_info','reboot_waittime','int','redirect','d
REPLACE INTO table_regex VALUES ('sitevariables','name','text','regex','^[\\w\\/]+$',1,255,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','value','text','redirect','default:text',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','reset','text','redirect','default:boolean',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','defaultvalue','text','redirect','default:text',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','description','text','redirect','default:text',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','defaultvalue','text','redirect','default:html_text',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','description','text','redirect','default:html_text',0,0,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_searches','name','text','regex','^[-\\w]*$',2,64,NULL);
REPLACE INTO table_regex VALUES ('user_pubkeys','verify','text','redirect','default:boolean',0,0,NULL);
......@@ -1219,6 +1210,22 @@ REPLACE INTO table_regex VALUES ('virt_client_service_hooks','service_idx','int'
REPLACE INTO table_regex VALUES ('virt_client_service_hooks','vnode','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_client_service_hooks','whence','text','regex','^(first|every)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('default','fulltext','text','regex','^[\\040-\\073\\075\\077-\\176\\012\\015\\011]*$',0,20000,NULL);
REPLACE INTO table_regex VALUES ('default','html_fulltext','text','regex','^[\\040-\\176\\012\\015\\011]*$',0,20000,NULL);
REPLACE INTO table_regex VALUES ('default','tinytext','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,256,NULL);
REPLACE INTO table_regex VALUES ('default','html_tinytext','text','regex','^[\\040-\\176]*$',0,256,NULL);
REPLACE INTO table_regex VALUES ('default','text','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,65535,NULL);
REPLACE INTO table_regex VALUES ('default','html_text','text','regex','^[\\040-\\176]*$',0,65535,NULL);
REPLACE INTO table_regex VALUES ('default','default','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,256,'Default regex if one is not defined for a table/slot. Allow any standard ascii character, but no binary data');
REPLACE INTO table_regex VALUES ('default','tinyint','int','regex','^[\\d]+$',-128,127,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','boolean','int','regex','^(0|1)$',0,1,'Default regex for tiny int fields that are int booleans. Allow any 0 or 1');
REPLACE INTO table_regex VALUES ('default','tinyuint','int','regex','^[\\d]+$',0,255,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','int','int','regex','^[\\d]+$',-2147483648,2147483647,'Default regex for int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','float','float','regex','^[+-]?\\ *(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d+)?$',-2147483648,2147483647,'Default regex for float fields. Allow any digits and the decimal point');
REPLACE INTO table_regex VALUES ('default','tinytext_utf8','text','regex','^(?:[\\x20-\\x7E]|[\\xC2-\\xDF][\\x80-\\xBF]|\\xE0[\\xA0-\\xBF][\\x80-\\xBF]|[\\xE1-\\xEC\\xEE\\xEF][\\x80-\\xBF]{2}|\\xED[\\x80-\\x9F][\\x80-\\xBF])*$',0,256,'adopted from http://www.w3.org/International/questions/qa-forms-utf-8.en.php');
REPLACE INTO table_regex VALUES ('default','text_utf8','text','regex','^(?:[\\x20-\\x7E]|[\\xC2-\\xDF][\\x80-\\xBF]|\\xE0[\\xA0-\\xBF][\\x80-\\xBF]|[\\xE1-\\xEC\\xEE\\xEF][\\x80-\\xBF]{2}|\\xED[\\x80-\\x9F][\\x80-\\xBF])*$',0,65535,'adopted from http://www.w3.org/International/questions/qa-forms-utf-8.en.php');
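Review bot: L122 changes `usr_affil_abbrev` to `('users','usr_affil_abbrev','text','regex','default:tinytext',0,16,NULL)` — the type column is still `regex` while the value is a redirect target, so `default:tinytext` would presumably be applied as a literal pattern instead of being resolved, rejecting every real abbreviation; it should read `'redirect','default:tinytext'` like the other rows converted in this file (e.g. L131, L140). The same row is repeated in dbfill-update.sql (L254) and needs the same fix, or the update installs the broken rule. Separately, the new `html_fulltext`/`html_tinytext`/`html_text` defaults (L222, L224, L226) deliberately keep `<` and `>`, so the fields redirected to them — eventlist arguments/atstring, virt_nodes startupcmd, virt_programs command, sitevariables defaultvalue/description — depend entirely on output-side escaping; a comment next to those rows saying so would keep the next maintainer from treating them as pre-sanitized. Note also that the tightened defaults drop only `<` and `>`, so `&` and quotes still reach the DB and escaping at display time remains required for every field, not just the `html_*` ones.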
......
REPLACE INTO table_regex VALUES ('eventlist','arguments','text','redirect','default:html_text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('eventlist','atstring','text','redirect','default:html_text',0,1024,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','startupcmd','text','redirect','default:html_tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_programs','command','text','redirect','default:html_tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','defaultvalue','text','redirect','default:html_text',0,0,NULL);
REPLACE INTO table_regex VALUES ('sitevariables','description','text','redirect','default:html_text',0,0,NULL);
REPLACE INTO table_regex VALUES ('default','fulltext','text','regex','^[\\040-\\073\\075\\077-\\176\\012\\015\\011]*$',0,20000,NULL);
REPLACE INTO table_regex VALUES ('default','html_fulltext','text','regex','^[\\040-\\176\\012\\015\\011]*$',0,20000,NULL);
REPLACE INTO table_regex VALUES ('default','tinytext','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,256,NULL);
REPLACE INTO table_regex VALUES ('default','html_tinytext','text','regex','^[\\040-\\176]*$',0,256,NULL);
REPLACE INTO table_regex VALUES ('default','text','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,65535,NULL);
REPLACE INTO table_regex VALUES ('default','html_text','text','regex','^[\\040-\\176]*$',0,65535,NULL);
REPLACE INTO table_regex VALUES ('default','default','text','regex','^[\\040-\\073\\075\\077-\\176]*$',0,256,'Default regex if one is not defined for a table/slot. Allow any standard ascii character, but no binary data');
REPLACE INTO table_regex VALUES ('default','tinyint','int','regex','^[\\d]+$',-128,127,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','boolean','int','regex','^(0|1)$',0,1,'Default regex for tiny int fields that are int booleans. Allow any 0 or 1');
REPLACE INTO table_regex VALUES ('default','tinyuint','int','regex','^[\\d]+$',0,255,'Default regex for tiny int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','int','int','regex','^[\\d]+$',-2147483648,2147483647,'Default regex for int fields. Allow any standard ascii integer, but no binary data');
REPLACE INTO table_regex VALUES ('default','float','float','regex','^[+-]?\\ *(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d+)?$',-2147483648,2147483647,'Default regex for float fields. Allow any digits and the decimal point');
REPLACE INTO table_regex VALUES ('users','usr_affil_abbrev','text','regex','default:tinytext',0,16,NULL);
REPLACE INTO table_regex VALUES ('nseconfigs','nseconfig','text','redirect','default:fulltext',0,16777215,NULL);
REPLACE INTO table_regex VALUES ('projects','why','text','redirect','default:fulltext',0,4096,NULL);
REPLACE INTO table_regex VALUES ('experiments','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('images','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_templates','description','text','redirect','default:fulltext',1,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','name','text','redirect','default:tinytext',1,64,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_metadata','value','text','redirect','default:fulltext',0,4096,NULL);
REPLACE INTO table_regex VALUES ('experiment_runs','description','text','redirect','default:tinytext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiment_template_instances','description','text','redirect','default:tinytext',1,256,NULL);
......@@ -22,7 +22,7 @@ HTMLINSTALL = $(INSTALL_SBINDIR)/htmlinstall
include $(OBJDIR)/Makeconf
SUBDIRS = garcia-telemetry tutorial
SUBDIRS = tutorial
#
# Force dependencies to make sure configure regenerates if the .in file
......@@ -68,10 +68,6 @@ AUTOICONS += $(wildcard $(SRCDIR)/autostatus-icons/*.png)
FLOORMAPFILES = $(wildcard $(SRCDIR)/floormap/*.jpg)
FLOORMAPFILES += $(wildcard $(SRCDIR)/floormap/*.gif)
ROBOTRACKFILES = $(wildcard $(SRCDIR)/robotrack/*.php3)
ROBOTRACKFILES += $(wildcard $(SRCDIR)/robotrack/*.jpg)
ROBOTRACKFILES += $(wildcard $(SRCDIR)/robotrack/*.jar)
WIRELESSSTATSFILES = $(wildcard $(SRCDIR)/wireless-stats/*.php3)
WIRELESSSTATSFILES += $(wildcard $(SRCDIR)/wireless-stats/*.jar)
......@@ -116,9 +112,6 @@ ifeq ($(PGENISUPPORT),1)
PGENIFILES += $(wildcard $(SRCDIR)/protogeni/*.xml)
endif
WEBDBFILES = $(wildcard $(SRCDIR)/webdb/*.php3)
WEBDBFILES += $(wildcard $(SRCDIR)/webdb/*.php)
HYFILES = $(wildcard $(SRCDIR)/hyperviewer/*.php3)
HYFILES += $(wildcard $(SRCDIR)/hyperviewer/*.html)
HYFILES += $(wildcard $(SRCDIR)/hyperviewer/*.jpg)
......@@ -180,7 +173,6 @@ ALLPIXES = $(notdir $(PIXFILES))
ALLDOCS = $(notdir $(DOCFILES))
ALLTUTS = $(notdir $(TUTFILES))
ALLICONS = $(notdir $(AUTOICONS))
ALLWEBDB = $(notdir $(WEBDBFILES))
ALLPGENI = $(notdir $(PGENIFILES))
ALLDOWNLOADS = $(notdir $(DOWNLOADFILES))
ALLCVSWEB = $(notdir $(CVSWEBFILES))
......@@ -191,7 +183,6 @@ ALLHY = $(notdir $(HYFILES))
ALLTT = $(notdir $(TTFILES))
ALLUM = $(notdir $(UMFILES))
ALLJS = $(notdir $(JSFILES))
ALLROBO = $(notdir $(ROBOTRACKFILES))
ALLWISTATS = $(notdir $(WIRELESSSTATSFILES))
ALLBLOB = $(notdir $(BLOBFILES))
......@@ -201,7 +192,6 @@ INSTALLFILES = $(addprefix $(INSTALL_SBINDIR)/, htmlinstall) \
$(addprefix $(INSTALL_WWWDIR)/pix/, $(ALLPIXES)) \
$(addprefix $(INSTALL_WWWDIR)/tutorial/, $(ALLTUTS)) \
$(addprefix $(INSTALL_WWWDIR)/doc/, $(ALLDOCS)) \
$(addprefix $(INSTALL_WWWDIR)/webdb/, $(ALLWEBDB)) \
$(addprefix $(INSTALL_WWWDIR)/protogeni/, $(ALLPGENI)) \
$(addprefix $(INSTALL_WWWDIR)/downloads/, $(ALLDOWNLOADS)) \
$(addprefix $(INSTALL_WWWDIR)/buildui/, $(ALLBUI)) \
......@@ -210,7 +200,6 @@ INSTALLFILES = $(addprefix $(INSTALL_SBINDIR)/, htmlinstall) \
$(addprefix $(INSTALL_WWWDIR)/timetree/, $(ALLTT)) \
$(addprefix $(INSTALL_WWWDIR)/usermap/, $(ALLUM)) \
$(addprefix $(INSTALL_WWWDIR)/js/, $(ALLJS)) \
$(addprefix $(INSTALL_WWWDIR)/robotrack/, $(ALLROBO)) \
$(addprefix $(INSTALL_WWWDIR)/wireless-stats/, $(ALLWISTATS)) \
$(addprefix $(INSTALL_WWWDIR)/autostatus-icons/, $(ALLICONS)) \
$(addprefix $(INSTALL_WWWDIR)/blob/, $(ALLBLOB)) \
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -132,7 +132,7 @@ if ($approval == "postpone") {
echo "<input type=hidden name=pcplab_okay value=$pcplab_okay>\n";
echo "<input type=hidden name=ron_okay value=$ron_okay>\n";
echo "<input type=hidden name=message value='".
htmlspecialchars($message, ENT_QUOTES) . "'>\n";
CleanString($message) . "'>\n";
echo "<b><input type=submit name=back value=Back></b>\n";
echo "</form>\n";
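Review bot: The hidden input on L329-L331 delimits `value` with single quotes, and the call being replaced escaped them explicitly (`htmlspecialchars($message, ENT_QUOTES)`); `CleanString` is not defined in this diff, so confirm it passes `ENT_QUOTES` — under PHP's default `ENT_COMPAT` a `'` in `$message` would terminate the attribute. If it does, a one-line comment at the call site saves the next reader the lookup: `# CleanString escapes single quotes; this attribute is single-quoted.` The neighbouring hidden inputs on L327-L328 print `$pcplab_okay`/`$ron_okay` unquoted and unescaped; they are outside this change, but if they originate from the form they deserve the same treatment.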
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -228,7 +228,7 @@ echo "<tr>
<td align=center class=left>
<textarea name=message rows=15 cols=70>";
if (isset($message)) {
echo ereg_replace("\r", "", $message);
echo ereg_replace("\r", "", CleanString($message));
}
echo "</textarea>
</td>
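Review bot: On L348, `ereg_replace` has been deprecated since PHP 5.3 and `str_replace("\r", "", CleanString($message))` is the drop-in for a fixed string; since the line is being rewritten anyway, this is the moment to switch. The nesting order is right — escape first, then strip carriage returns — so a `</textarea>` inside `$message` cannot close the element, provided `CleanString` escapes `<`; its definition is not in this diff, so that is worth checking once.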
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2003, 2006, 2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
......@@ -154,17 +154,17 @@ while (list ($uid_idx, $grouplist) = each ($approvelist)) {
$date_applied = "--";
}
$name = $user->name();
$email = $user->email();
$title = $user->title();
$affil = $user->affil();
$addr = $user->addr();
$addr2 = $user->addr2();
$city = $user->city();
$state = $user->state();
$zip = $user->zip();
$country = $user->country();
$phone = $user->phone();
$name = CleanString($user->name());
$email = CleanString($user->email());
$title = CleanString($user->title());
$affil = CleanString($user->affil());
$addr = CleanString($user->addr());
$addr2 = CleanString($user->addr2());
$city = CleanString($user->city());
$state = CleanString($user->state());
$zip = CleanString($user->zip());
$country = CleanString($user->country());
$phone = CleanString($user->phone());
echo "<tr>
<td rowspan=2>$newuid</td>
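Review bot: `$newuid` on L387 is still echoed raw inside the same `<tr>` while every other user field in the hunk (L375-L385) is now wrapped in `CleanString`; its assignment is outside the hunk, so if it comes from the DB rather than from a regex-validated uid key, add `$newuid = CleanString($newuid);` before the `echo`. `$date_applied` (L362) is the other value in this row that is not passed through `CleanString`. The enclosing `while` loop starts and ends outside the hunk.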
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002, 2006 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
#
# Only known and logged in users can be verified.
#
$this_user = CheckLoginOrDie();
$uid = $this_user->uid();
$isadmin = ISADMIN();
if (! $isadmin) {
USERERROR("Only testbed administrators people can access this page!", 1);
}
ignore_user_abort(1);
#
# Walk the list of post variables, looking for the special post format.
# See approvewauser_form.php3:
#
# uid menu node_id
# name=stoller$$approval-node_id value=approved,denied,postpone
# name=stoller$$trust-node_id value=user,local_root
#
# We make two passes over the post vars. The first does a sanity check so
# that we can bail out without doing anything. This allows the user to
# back up and make changes without worrying about some stuff being done and
# other stuff not.
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
#echo "$header: $value<br>\n";
$approval_string = strstr($header, "\$\$approval-");
if (! $approval_string) {
continue;
}
$user = substr($header, 0, strpos($header, "\$\$", 0));
$node_id = substr($approval_string, strlen("\$\$approval-"));
$approval = $value;
if (!$user || strcmp($user, "") == 0) {
TBERROR("Parse error finding user in approvewauser.php3", 1);
}
if (!$node_id || strcmp($node_id, "") == 0) {
TBERROR("Parse error finding node_id in approvewauser.php3", 1);
}
if (!$approval || strcmp($approval, "") == 0) {
TBERROR("Parse error finding approval in approvewauser.php3", 1);
}
#
# There should be a corresponding trust variable in the POST vars.
# Note that we construct the variable name and indirect to it.
#
$foo = "$user\$\$trust-$node_id";
$newtrust = $$foo;
if (!$newtrust || strcmp($newtrust, "") == 0) {
TBERROR("Parse error finding trust in approvewauser.php3", 1);
}
#echo "User $user, NodeID $node_id,
# Approval $approval, Trust $newtrust<br>\n";
if (strcmp($newtrust, "user") &&
strcmp($newtrust, "local_root")) {
TBERROR("Invalid trust $newtrust for user $user approvewauser.php3.",
1);
}
#
# Verify an actual user that is being approved.
#
if (! ($target_user = User::Lookup($user))) {
TBERROR("Trying to approve unknown user $user.", 1);
}
#
# Check if already approved. If already an approved account,
# something went wrong.
#
$query_result =
DBQueryFatal("select trust from widearea_accounts ".
"where uid='$user' and node_id='$node_id' and ".
" trust!='none'");
if (mysql_num_rows($query_result)) {
$row = mysql_fetch_array($query_result);
$trust = $row[trust];
USERERROR("$user is already approved on $node_id with $trust!", 1);
}
#
# Verify approval value.
#
if (strcmp($approval, "postpone") &&
strcmp($approval, "deny") &&
strcmp($approval, "nuke") &&
strcmp($approval, "approve")) {
TBERROR("Invalid approval value $approval in approvewauser.php3.", 1);
}
}
#
# Standard Testbed Header
#
PAGEHEADER("Widearea Accounts Approval Form");
reset($HTTP_POST_VARS);
#
# Okay, all sanity tests passed for all post vars. Now do the actual work.
#
while (list ($header, $value) = each ($HTTP_POST_VARS)) {
#echo "$header: $value<br>\n";
$approval_string = strstr($header, "\$\$approval-");
if (! $approval_string) {
continue;
}
$user = substr($header, 0, strpos($header, "\$\$", 0));
$node_id = substr($approval_string, strlen("\$\$approval-"));
$approval = $value;
#
# Corresponding trust value.
#
$foo = "$user\$\$trust-$node_id";
$newtrust = $$foo;
#
# Get the current status for the user, which we might need to change.
#
# We change the status only if this person is getting a new account.
# In this case, the status will be either "newuser" or "unapproved",
# and we will change it to "unapproved" or "active", respectively.
# If the status is "active", we leave it alone.
#
if (! ($target_user = User::Lookup($user))) {
TBERROR("Trying to approve unknown user $user.", 1);
}
$curstatus = $target_user->status();
$user_email = $target_user->email();
$user_name = $target_user->name();
#echo "Status = $curstatus, Email = $user_email<br>\n";
#
# Email info for current user.
#
$uid_name = $this_user->name();
$uid_email = $this_user->email();
#
# Well, looks like everything is okay. Change the project membership
# value appropriately.
#
if (strcmp($approval, "postpone") == 0) {
echo "<p>
Account status for user $user was
<b>postponed</b> for later decision.\n";
continue;
}
if (strcmp($approval, "deny") == 0) {
#
# Must delete the widearea_account record since we require that the
# user reapply once denied. Send the luser email to let him know.
#
$query_result =
DBQueryFatal("delete from widearea_accounts ".
"where uid='$user' and node_id='$node_id'");
TBMAIL("$user_name '$user' <$user_email>",
"Account request on $node_id denied",
"\n".
"This message is to notify you that you have been denied\n".
"local account access on $node_id!\n".
"\n\n".
"Thanks,\n".
"Testbed Operations\n",
"From: $uid_name <$uid_email>\n".
"Cc: $TBMAIL_OPS\n".
"Bcc: $TBMAIL_AUDIT\n".
"Errors-To: $TBMAIL_WWW");
echo "<p>
User $user was <b>denied</b> an account on $node_id.
<br>
The user will need to reapply again if this was in error.\n";
continue;
}
if (strcmp($approval, "nuke") == 0) {
#
# Must delete the group_membership record since we require that the
# user reapply once denied. Send the luser email to let him know.
#
$query_result =
DBQueryFatal("delete from widearea_accounts ".
"where uid='$user' and node_id='$node_id'");
#
# See if user is in any other projects (even unapproved).
#
$project_list = $target_user->ProjectMembershipList();
#
# If yes, then we cannot safely delete the user account.
#
if (count($project_list)) {
echo "<p>
User $user was <b>denied</b> an account on $node_id.
<br>
Since the user is a member (or requesting membership)
in other projects, the account cannot be safely removed.\n";
continue;
}
#
# No other project membership. If the user is unapproved/newuser,
# it means he was never approved in any project, and so will
# likely not be missed. He will be unapproved if he did his