Plug 4 SQL injection holes.

www/editexp.php3

@@ -441,6 +441,7 @@ if (!isset($formfields["idleswap"]) ||
 	         addslashes($formfields["noidleswap_reason"]) . "'";
 }
 elseif (!isset($formfields["idleswap_timeout"]) ||
+	!preg_match("/^[\d]+$/", $formfields["idleswap_timeout"]) ||
 	($formfields["idleswap_timeout"] + 0) <= 0 ||
 	( (($formfields["idleswap_timeout"] + 0) > $idleswaptimeout) &&
 	  !ISADMIN()) ) {
@@ -463,6 +464,7 @@ if (!isset($formfields["autoswap"]) ||
     $inserts[] = "autoswap_timeout=0";
 }
 elseif (!isset($formfields["autoswap_timeout"]) ||
+	!preg_match("/^[\d]+$/", $formfields["autoswap_timeout"]) ||
 	($formfields["autoswap_timeout"] + 0) == 0) {
     $errors["Max Duration"] = "Invalid time provided";
 }
@@ -490,7 +492,10 @@ else {
 if (isset($formfields["cpu_usage"]) &&
     strcmp($formfields["cpu_usage"], "")) {
 
-    if (($formfields["cpu_usage"] + 0) < 0 ||
+    if (!preg_match("/^[\d]+$/", $formfields["cpu_usage"])) {
+	$errors["CPU Usage"] = "Invalid character";
+    }
+    elseif (($formfields["cpu_usage"] + 0) < 0 ||
 	($formfields["cpu_usage"] + 0) > 5) {
 	$errors["CPU Usage"] = "Invalid (0 <= X <= 5)";
     }
@@ -508,7 +513,10 @@ else {
 if (isset($formfields["mem_usage"]) &&
     strcmp($formfields["mem_usage"], "")) {
 
-    if (($formfields["mem_usage"] + 0) < 0 ||
+    if (!preg_match("/^[\d]+$/", $formfields["mem_usage"])) {
+	$errors["Mem Usage"] = "Invalid character";
+    }
+    elseif (($formfields["mem_usage"] + 0) < 0 ||
 	($formfields["mem_usage"] + 0) > 5) {
 	$errors["Mem Usage"] = "Invalid (0 <= X <= 5)";
     }
@@ -526,9 +534,12 @@ else {
 if (isset($formfields["linktest_level"]) &&
     strcmp($formfields["linktest_level"], "")) {
 
-    if (($formfields["linktest_level"] + 0) < 0 ||
+    if (!preg_match("/^[\d]+$/", $formfields["linktest_level"])) {
+	$errors["Linktest Level"] = "Invalid character";
+    }
+    elseif (($formfields["linktest_level"] + 0) < 0 ||
 	($formfields["linktest_level"] + 0) > 4) {
-	$errors["Linktest Level"] = "Invalid linktest level";
+	$errors["Linktest Level"] = "Invalid (0 <= X <= 4)";
     }
     else {
 	$inserts[] = "linktest_level=" . $formfields["linktest_level"];

www/sec-check/results/analyze_probes.txt

@@ -328,9 +328,8 @@ editexp.php3.1.html
      Page Error</h2>
       Probe label: \'**{editexp.php3:formfields[noswap_reason]}**
 editexp.php3.10.html
-     	 <title>MyEmulab.Net - Page Error</title>
-     Page Error</h2>
-      Probe label: '**{editexp.php3:formfields[linktest_level]}**
+      &nbsp;Oops, please fix the following errors!&nbsp;
+      <font color=red>Invalid character</font></td>
 editexp.php3.4.html
      	 <title>MyEmulab.Net - Page Error</title>
      Page Error</h2>
@@ -340,17 +339,15 @@ editexp.php3.6.html
      Page Error</h2>
       Probe label: \'**{editexp.php3:formfields[noidleswap_reason]}**
 editexp.php3.8.html
-     	 <title>MyEmulab.Net - Page Error</title>
-     Page Error</h2>
-      Probe label: '**{editexp.php3:formfields[cpu_usage]}**
+      &nbsp;Oops, please fix the following errors!&nbsp;
+      <font color=red>Invalid character</font></td>
 editexp.php3.9.html
      	 <title>MyEmulab.Net - Page Error</title>
      Page Error</h2>
       Probe label: \'**{editexp.php3:formfields[description]}**
 editexp.php3.html
-     	 <title>MyEmulab.Net - Page Error</title>
-     Page Error</h2>
-      Probe label: '**{editexp.php3:formfields[mem_usage]}**
+      &nbsp;Oops, please fix the following errors!&nbsp;
+      <font color=red>Invalid character</font></td>
 editgroup.php3.1.html
       Could not map page arguments to 'group'
 editgroup.php3.10.html
@@ -1018,7 +1015,7 @@ showsumstats.php3.1.html
 showsumstats.php3.html
       Invalid range argument: '**{showsumstats.php3:range}**!
 showuser_list.php3.html
-      Probe label: '**{showuser_list.php3:searchfor}**
+      Invalid page arguments: /showuser_list.php3<br><br>Invalid characters in 'searchfor': '**{showuser_list.php3:searchfor}**
 swapexp.php3.1.html
      	 <title>MyEmulab.Net - Page Error</title>
      Page Error</h2>

www/sec-check/results/probe-labels.list

             Probe label: \'**{approveproject.php3:head_uid}**
             Probe label: \'**{editexp.php3:formfields[noswap_reason]}**
-            Probe label: '**{editexp.php3:formfields[linktest_level]}**
             Probe label: \'**{editexp.php3:formfields[noidleswap_reason]}**
-            Probe label: '**{editexp.php3:formfields[cpu_usage]}**
             Probe label: \'**{editexp.php3:formfields[description]}**
-            Probe label: '**{editexp.php3:formfields[mem_usage]}**
             Probe label: \'**{editimageid.php3:formfields[description]}**
             Probe label: \'**{kb-manage.php3:formfields[xref_tag]}**
             Probe label: \'**{kb-manage.php3:formfields[body]}**
@@ -14,4 +11,3 @@
             Probe label: \'**{moduserinfo.php3:formfields[usr_country]}**
             Probe label: \'**{newgroup.php3:group_description}**
             Probe label: \'**{newgroup.php3:group_leader}**
-            Probe label: '**{showuser_list.php3:searchfor}**

www/sec-check/results/uncaught-files.list

-editexp.php3
-showuser_list.php3

www/sec-check/results/uncaught-probes.list

-            Probe label: '**{editexp.php3:formfields[cpu_usage]}**
-            Probe label: '**{editexp.php3:formfields[linktest_level]}**
-            Probe label: '**{editexp.php3:formfields[mem_usage]}**
-            Probe label: '**{showuser_list.php3:searchfor}**

www/url_defs.php

@@ -576,7 +576,7 @@ function VerifyPageArguments($argspec, $required)
 		$yep = 1;
 
                 # Pages never get arguments with special chars. Check.
-		if (preg_match("/^[\'\"]+$/", $object)) {
+		if (preg_match("/[\'\"]/", $object)) {
 		    PAGEARGERROR("Invalid characters in '$name': $object");
 		}
 	    }