Commit ed4a1179 authored by Leigh B. Stoller's avatar Leigh B. Stoller

More security hacking; switch to using superglobals (including $_FILES

for key upload). Add more regexes and addslashes().
parent 110ed564
......@@ -10,6 +10,8 @@ $TBDB_PIDLEN = 12;
$TBDB_GIDLEN = 12;
$TBDB_UNIXGLEN = 16;
$TBDB_NODEIDLEN = 10;
$TBDB_PHONELEN = 32;
$TBDB_USRNAMELEN= 64;
#
# Current policy is to prefix the EID with the PID. Make sure it is not
......@@ -140,8 +142,36 @@ define("TBDB_IFACEROLE_GW", "gw");
define("TBDB_IFACEROLE_OTHER", "other");
# Some regex functions to check various arguments
function TBvalid_uid($uid) { return preg_match("/^[a-zA-Z][-\w]+$/", $uid);}
function TBvalid_phone($ph) { return preg_match("/^[-\d\(\)\+\.x ]+$/", $ph);}
function TBvalid_uid($uid) {
global $TBDB_UIDLEN;
return (strlen($uid) <= $TBDB_UIDLEN) &&
preg_match("/^[a-zA-Z][-\w]+$/", $uid);
}
function TBvalid_pid($pid) {
global $TBDB_PIDLEN;
return (strlen($pid) <= $TBDB_PIDLEN) &&
preg_match("/^[a-zA-Z][-\w]+$/", $pid);
}
function TBvalid_gid($gid) {
global $TBDB_GIDLEN;
return (strlen($gid) <= $TBDB_GIDLEN) &&
preg_match("/^[a-zA-Z][-\w]+$/", $gid);
}
function TBvalid_phone($phone) {
global $TBDB_PHONELEN;
return (strlen($phone) <= $TBDB_PHONELEN) &&
preg_match("/^[-\d\(\)\+\.x ]+$/", $phone);
}
function TBvalid_usrname($name) {
global $TBDB_USRNAMELEN;
return (strlen($name) <= $TBDB_USRNAMELEN) &&
preg_match("/^[-\w\. ]+$/", $name);
}
#
# Convert a trust string to the above numeric values.
......
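Review bot: Every new TBvalid_* pattern anchors with `$`, which in PCRE also matches just before a trailing newline, so a value such as "alice\n" passes TBvalid_uid and TBvalid_pid even though the names these checks accept are later interpolated into shell argument strings (the `$addpubkeyargs` lines further down this page); anchoring with `\z`, e.g. `preg_match("/^[a-zA-Z][-\w]+\z/", $uid)`, or adding the `D` modifier, closes that gap for all five functions. TBvalid_phone also narrows the old caller pattern `^[-0-9ext\(\)\+\. ]+$` to a bare `x`, so numbers written with "ext" are now rejected; if that is not intended, `[-\d\(\)\+\.ext ]` restores it. A short comment above the group, e.g. `# Each check bounds the length via the matching $TBDB_*LEN global, then requires a strict character class`, would document the shared contract for callers.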
......@@ -49,7 +49,6 @@ $EMAILWARNING =
function SPITFORM($formfields, $returning, $errors)
{
global $TBDB_UIDLEN, $TBDB_PIDLEN, $TBDB_GIDLEN;
global $usr_keyfile;
global $ACCOUNTWARNING, $EMAILWARNING;
PAGEHEADER("Apply for Project Membership");
......@@ -241,7 +240,7 @@ function SPITFORM($formfields, $returning, $errors)
<input type=hidden name=MAX_FILE_SIZE value=1024>
<input type=file
name=usr_keyfile
value=\"" . $usr_keyfile . "\"
value=\"" . $_FILES['usr_keyfile']['name'] . "\"
size=50>
<br>
<br>
......@@ -342,7 +341,7 @@ function SPITFORM($formfields, $returning, $errors)
#
# The conclusion of a join request. See below.
#
if (isset($finished)) {
if (isset($_GET['finished'])) {
PAGEHEADER("Apply for Project Membership");
#
......@@ -370,7 +369,7 @@ if (isset($finished)) {
#
# On first load, display a virgin form and exit.
#
if (! isset($submit)) {
if (! isset($_POST['submit'])) {
$defaults = array();
$defaults[usr_URL] = "$HTTPTAG";
$defaults[usr_country] = "USA";
......@@ -389,6 +388,15 @@ if (! isset($submit)) {
PAGEFOOTER();
return;
}
else {
# Form submitted. Make sure we have a formfields array and a target_uid.
if (!isset($_POST['formfields']) ||
!is_array($_POST['formfields']) ||
!isset($_POST['formfields']['joining_uid'])) {
PAGEARGERROR("Invalid form arguments.");
}
$formfields = $_POST['formfields'];
}
#
# Otherwise, must validate and redisplay if errors
......@@ -404,7 +412,7 @@ if (! $returning) {
$errors["Username"] = "Missing Field";
}
else {
if (! ereg("^[a-zA-Z][-_a-zA-Z0-9]+$", $formfields[joining_uid])) {
if (! TBvalid_uid($formfields[joining_uid])) {
$errors["UserName"] =
"Must be lowercase alphanumeric only<br>".
"and must begin with a lowercase alpha";
......@@ -426,7 +434,7 @@ if (! $returning) {
strcmp($formfields[usr_name], "") == 0) {
$errors["Full Name"] = "Missing Field";
}
elseif (! preg_match("/^[-\w\. ]*$/", $formfields[usr_name])) {
elseif (! TBvalid_usrname($formfields[usr_name])) {
$errors["Full Name"] = "Invalid characters";
}
if (!isset($formfields[usr_affil]) ||
......@@ -437,16 +445,8 @@ if (! $returning) {
strcmp($formfields[usr_email], "") == 0) {
$errors["Email Address"] = "Missing Field";
}
else {
$usr_email = $formfields[usr_email];
$email_domain = strstr($usr_email, "@");
if (! $email_domain ||
strcmp($usr_email, $email_domain) == 0 ||
strlen($email_domain) <= 1 ||
! strstr($email_domain, ".")) {
$errors["Email Address"] = "Looks invalid!";
}
elseif (! CHECKEMAIL($formfields[usr_email])) {
$errors["Email Address"] = "Looks invalid!";
}
if (isset($formfields[usr_URL]) &&
strcmp($formfields[usr_URL], "") &&
......@@ -478,7 +478,7 @@ if (! $returning) {
strcmp($formfields[usr_phone], "") == 0) {
$errors["Phone #"] = "Missing Field";
}
elseif (! ereg("^[-0-9ext\(\)\+\. ]+$", $formfields[usr_phone])) {
elseif (!TBvalid_phone($formfields[usr_phone])) {
$errors["Phone"] = "Invalid characters";
}
if (!isset($formfields[password1]) ||
......@@ -534,7 +534,7 @@ if (!$returning) {
$usr_URL = "";
}
else {
$usr_URL = $formfields[usr_URL];
$usr_URL = addslashes($formfields[usr_URL]);
}
if (! isset($formfields[usr_addr2])) {
......@@ -569,13 +569,19 @@ if (!$returning) {
#
# If usr provided a file for the key, it overrides the paste in text.
#
if (isset($usr_keyfile) &&
strcmp($usr_keyfile, "") &&
strcmp($usr_keyfile, "none")) {
if (isset($_FILES['usr_keyfile']) &&
$_FILES['usr_keyfile']['name'] != "" &&
$_FILES['usr_keyfile']['name'] != "none") {
$localfile = $_FILES['usr_keyfile']['tmp_name'];
if (! stat($usr_keyfile)) {
if (! stat($localfile)) {
$errors["PubKey File"] = "No such file";
}
# Taint check shell arguments always!
elseif (! preg_match("/^[-\w\.\/]*$/", $localfile)) {
$errors["PubKey File"] = "Invalid characters";
}
else {
$addpubkeyargs = "$joining_uid $usr_keyfile";
chmod($usr_keyfile, 0644);
......@@ -604,23 +610,20 @@ else {
$usr_phone = $row[usr_phone];
$usr_URL = $row[usr_URL];
}
$pid = $formfields[pid];
$usr_expires = date("Y:m:d", time() + (86400 * 120));
$pid = $formfields[pid];
if (isset($formfields[gid]) && strcmp($formfields[gid], "")) {
if (isset($formfields[gid]) && $formfields[gid] != "") {
$gid = $formfields[gid];
}
else {
$gid = $pid;
}
if (! ereg("^[a-zA-Z][-_a-zA-Z0-9]+$", $pid) ||
strlen($pid) > $TBDB_PIDLEN || ! TBValidProject($pid)) {
if (!TBvalid_pid($pid) || !TBValidProject($pid)) {
$errors["Project Name"] = "Invalid Project Name";
}
elseif (! ereg("^[a-zA-Z][-_a-zA-Z0-9]+$", $gid) ||
strlen($gid) > $TBDB_GIDLEN ||
!TBValidGroup($pid, $gid)) {
elseif (!TBvalid_gid($gid) || !TBValidGroup($pid, $gid)) {
$errors["Group Name"] = "Invalid Group Name";
}
elseif (TBGroupMember($joining_uid, $pid, $gid, $approved)) {
......
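Review bot: The context lines that close the key-upload hunk still use `$usr_keyfile` (`$addpubkeyargs = "$joining_uid $usr_keyfile";` and `chmod($usr_keyfile, 0644);`) although the new code now reads the upload path into `$localfile`, so unless register_globals still happens to populate `$usr_keyfile` the shell argument and the chmod operate on an unset variable after the stat and taint checks pass; both lines should use `$localfile`, and the same leftover is in the newproject hunk at the end of this page (`$addpubkeyargs = "$proj_head_uid $usr_keyfile"`). Since the path is `$_FILES['usr_keyfile']['tmp_name']`, `is_uploaded_file($localfile)` is the check to prefer over `stat($localfile)`, which also emits a warning when the file is missing. In the SPITFORM hunk, `$_FILES['usr_keyfile']['name']` is a client-supplied filename written into an HTML attribute unescaped, and on the first render (no upload yet) the index is undefined; `htmlspecialchars($_FILES['usr_keyfile']['name'] ?? "")` covers both, and the newproject SPITFORM hunk has the identical line. The enclosing `if` block of the upload code continues past the hunk.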
......@@ -397,6 +397,9 @@ if (!isset($formfields[usr_name]) ||
strcmp($formfields[usr_name], "") == 0) {
$errors["Full Name"] = "Missing Field";
}
elseif (! TBvalid_usrname($formfields[usr_name])) {
$errors["Full Name"] = "Invalid characters";
}
if (!isset($formfields[usr_affil]) ||
strcmp($formfields[usr_affil], "") == 0) {
$errors["Affiliation"] = "Missing Field";
......
......@@ -264,7 +264,7 @@ function SPITFORM($formfields, $returning, $errors)
<input type=hidden name=MAX_FILE_SIZE value=1024>
<input type=file
name=usr_keyfile
value=\"" . $usr_keyfile . "\"
value=\"" . $_FILES['usr_keyfile']['name'] . "\"
size=50>
<br>
<br>
......@@ -503,7 +503,7 @@ function SPITFORM($formfields, $returning, $errors)
#
# The conclusion of a newproject request. See below.
#
if (isset($finished)) {
if (isset($_GET['finished'])) {
PAGEHEADER("Start a New Testbed Project");
echo "<center><h2>
......@@ -529,7 +529,7 @@ if (isset($finished)) {
#
# On first load, display a virgin form and exit.
#
if (! isset($submit)) {
if (! isset($_POST['submit'])) {
$defaults = array();
$defaults[proj_URL] = "$HTTPTAG";
$defaults[usr_URL] = "$HTTPTAG";
......@@ -543,6 +543,15 @@ if (! isset($submit)) {
PAGEFOOTER();
return;
}
else {
# Form submitted. Make sure we have a formfields array and a target_uid.
if (!isset($_POST['formfields']) ||
!is_array($_POST['formfields']) ||
!isset($_POST['formfields']['proj_head_uid'])) {
PAGEARGERROR("Invalid form arguments.");
}
$formfields = $_POST['formfields'];
}
#
# Otherwise, must validate and redisplay if errors
......@@ -558,7 +567,7 @@ if (! $returning) {
$errors["Username"] = "Missing Field";
}
else {
if (! ereg("^[a-zA-Z][-_a-zA-Z0-9]+$", $formfields[proj_head_uid])) {
if (! TBvalid_uid($formfields[proj_head_uid])) {
$errors["UserName"] =
"Must be lowercase alphanumeric only<br>".
"and must begin with a lowercase alpha";
......@@ -580,7 +589,7 @@ if (! $returning) {
strcmp($formfields[usr_name], "") == 0) {
$errors["Full Name"] = "Missing Field";
}
elseif (! preg_match("/^[-\w\. ]*$/", $formfields[usr_name])) {
elseif (! TBvalid_usrname($formfields[usr_name])) {
$errors["Full Name"] = "Invalid characters";
}
if (!isset($formfields[usr_affil]) ||
......@@ -591,16 +600,8 @@ if (! $returning) {
strcmp($formfields[usr_email], "") == 0) {
$errors["Email Address"] = "Missing Field";
}
else {
$usr_email = $formfields[usr_email];
$email_domain = strstr($usr_email, "@");
if (! $email_domain ||
strcmp($usr_email, $email_domain) == 0 ||
strlen($email_domain) <= 1 ||
! strstr($email_domain, ".")) {
$errors["Email Address"] = "Looks invalid!";
}
elseif (! CHECKEMAIL($formfields[usr_email])) {
$errors["Email Address"] = "Looks invalid!";
}
if (isset($formfields[usr_URL]) &&
strcmp($formfields[usr_URL], "") &&
......@@ -632,7 +633,7 @@ if (! $returning) {
strcmp($formfields[usr_phone], "") == 0) {
$errors["Phone #"] = "Missing Field";
}
elseif (! ereg("^[-0-9ext\(\)\+\. ]+$", $formfields[usr_phone])) {
elseif (!TBvalid_phone($formfields[usr_phone])) {
$errors["Phone"] = "Invalid characters";
}
if (!isset($formfields[password1]) ||
......@@ -659,20 +660,16 @@ if (!isset($formfields[pid]) ||
$errors["Project Name"] = "Missing Field";
}
else {
if (! ereg("^[a-zA-Z][-_a-zA-Z0-9]+$", $formfields[pid])) {
$errors["Project Name"] =
"Must be alphanumeric (includes _ and -)<br>".
"and must begin with an alpha";
}
elseif (strlen($formfields[pid]) > $TBDB_PIDLEN) {
$errors["Project Name"] =
"Too long! Must be less than or equal to $TBDB_PIDLEN";
if (!TBvalid_pid($formfields[pid])) {
$errors["Project Name"] = "Must be alphanumeric only<br>".
"and must begin with an alpha";
}
elseif (TBValidProject($formfields[pid])) {
$errors["Project Name"] =
"Already in use. Select another";
}
}
if (!isset($formfields[proj_name]) ||
strcmp($formfields[proj_name], "") == 0) {
$errors["Project Description"] = "Missing Field";
......@@ -765,7 +762,7 @@ if (!$returning) {
$usr_URL = "";
}
else {
$usr_URL = $formfields[usr_URL];
$usr_URL = addslashes($formfields[usr_URL]);
}
if (! isset($formfields[usr_addr2])) {
......@@ -800,13 +797,19 @@ if (!$returning) {
#
# If usr provided a file for the key, it overrides the paste in text.
#
if (isset($usr_keyfile) &&
strcmp($usr_keyfile, "") &&
strcmp($usr_keyfile, "none")) {
if (isset($_FILES['usr_keyfile']) &&
$_FILES['usr_keyfile']['name'] != "" &&
$_FILES['usr_keyfile']['name'] != "none") {
$localfile = $_FILES['usr_keyfile']['tmp_name'];
if (! stat($usr_keyfile)) {
if (! stat($localfile)) {
$errors["PubKey File"] = "No such file";
}
# Taint check shell arguments always!
elseif (! preg_match("/^[-\w\.\/]*$/", $localfile)) {
$errors["PubKey File"] = "Invalid characters";
}
else {
$addpubkeyargs = "$proj_head_uid $usr_keyfile";
chmod($usr_keyfile, 0644);
......@@ -851,7 +854,7 @@ else {
}
$pid = $formfields[pid];
$proj_name = addslashes($formfields[proj_name]);
$proj_URL = $formfields[proj_URL];
$proj_URL = addslashes($formfields[proj_URL]);
$proj_funders = addslashes($formfields[proj_funders]);
$proj_whynotpublic = addslashes($formfields[proj_whynotpublic]);
$proj_members = $formfields[proj_members];
......
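Review bot: Folding the length check into TBvalid_pid leaves a too-long project name reporting `Must be alphanumeric only`, because the separate "Too long!" branch is dropped and TBvalid_pid returns false for either cause; the message at the `$errors["Project Name"] =` line should name both constraints, e.g. `"Must be alphanumeric (includes _ and -), begin with an alpha,<br>and be at most $TBDB_PIDLEN characters"`. The new wording also drops the hint that `_` and `-` are accepted, which the `[-\w]` class in TBvalid_pid still allows. On the `addslashes($formfields[proj_URL])` line (and the matching `usr_URL` lines in both files), addslashes() is not charset-aware, so if these values end up in MySQL queries the driver's escaping function or bound parameters is the safer choice; the query code is not in the hunks, so this is inferred.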