Commit dc646da8 authored by Leigh Stoller's avatar Leigh Stoller

Cherrypick some really easy pages for page argument checks. Mostly

playing with coding practices for comment.
parent bd0d7087
...@@ -14,7 +14,10 @@ Here is what I think we need to do: ...@@ -14,7 +14,10 @@ Here is what I think we need to do:
* Anything that goes to the shell needs even tighter checks. * Anything that goes to the shell needs even tighter checks.
* Kill all the stripslashes call on data that came from the DB since * Kill all the stripslashes call on data that came from the DB since
they are not needed (no slashes stored in the DB). they are not needed (no slashes stored in the DB).
* Make sure we use addslashes on all stuff going into DB slots (update
and insert statements).
apc.php apc.php
approveproject.php3 approveproject.php3
...@@ -49,8 +52,8 @@ deletepubkey.php3 ...@@ -49,8 +52,8 @@ deletepubkey.php3
deletesfskey.php3 deletesfskey.php3
deleteuser.php3 deleteuser.php3
doc.php3 doc.php3
doc/docwrapper.php3 doc/docwrapper.php3 X
docwrapper.php3 docwrapper.php3 X
editexp.php3 editexp.php3
editgroup.php3 editgroup.php3
editgroup_form.php3 editgroup_form.php3
...@@ -145,8 +148,8 @@ swapexp.php3 ...@@ -145,8 +148,8 @@ swapexp.php3
tbauth.php3 tbauth.php3
toggle.php toggle.php
top2image.php3 top2image.php3
tutorial/docwrapper.php3 tutorial/docwrapper.php3 X
tutorial/tutorial.php3 tutorial/tutorial.php3 X
updateaccounts.php3 updateaccounts.php3
updown.php3 updown.php3
verifyusr.php3 verifyusr.php3
...@@ -158,6 +158,13 @@ function FORMERROR($field) { ...@@ -158,6 +158,13 @@ function FORMERROR($field) {
"Please go back and fill out the \"$field\" field!", 1); "Please go back and fill out the \"$field\" field!", 1);
} }
#
# A page argument error.
#
function PAGEARGERROR() {
USERERROR("Invalid page arguments: " . $_SERVER['REQUEST_URI'], 1);
}
# #
# SUEXEC stuff. # SUEXEC stuff.
# #
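Review bot: PAGEARGERROR() at the added lines interpolates the raw `$_SERVER['REQUEST_URI']` into the user-visible message, so the request that failed validation is echoed straight back to the browser; unless USERERROR() HTML-escapes its argument (its body is outside this hunk), that makes the helper meant to reject bad input a reflected-XSS sink. Escape at the call, `USERERROR("Invalid page arguments: " . htmlspecialchars($_SERVER['REQUEST_URI']), 1);`, or keep the URI out of the message and log it server-side instead. The `USERERROR("Illegal document name: $docname!", 1)` lines in the docwrapper hunks echo the rejected value the same way and should get the same treatment.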
...@@ -8,6 +8,18 @@ chdir(".."); ...@@ -8,6 +8,18 @@ chdir("..");
require("defs.php3"); require("defs.php3");
chdir("doc"); chdir("doc");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
# #
# Standard Testbed Header # Standard Testbed Header
# #
...@@ -22,13 +34,13 @@ if (!$printable) { ...@@ -22,13 +34,13 @@ if (!$printable) {
$first = substr($docname, 0, 1); $first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 || if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) { strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
# #
# Nothing that looks like a ../ is allowed anywhere in the name # Nothing that looks like a ../ is allowed anywhere in the name
# #
if (strstr($docname, "../")) { if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
# #
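Review bot: The `$printable` check in the first added block uses loose `==`, so numeric-looking strings such as `printable=1.0`, `01`, `0.0` or `00` satisfy `$printable == "1" || $printable == "0"`, yet `0.0` and `00` are truthy at the later `if (!$printable)` — the validation and the use disagree, and a non-string value (`printable[]=1`) is only rejected by accident of the comparison. Compare strictly, `(isset($printable) && $printable !== "1" && $printable !== "0")`, and test `isset($_GET['docname'])` / `isset($_GET['printable'])` before copying the values so an absent key does not raise a notice; `isset($docname)` alone also admits an empty docname, which then reaches the name checks in the second hunk (what happens to it after that is not visible here). The same ten-line block is pasted verbatim into docwrapper.php3, tutorial/docwrapper.php3 and (minus docname) tutorial/tutorial.php3, each carrying the comment typo `arument`; a small helper next to PAGEARGERROR() in defs.php3 would keep the four copies from drifting.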
<?php <?php
# #
# EMULAB-COPYRIGHT # EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group. # Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved. # All rights reserved.
# #
require("defs.php3"); require("defs.php3");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
# #
# Standard Testbed Header # Standard Testbed Header
# #
...@@ -20,13 +32,13 @@ if (!$printable) { ...@@ -20,13 +32,13 @@ if (!$printable) {
$first = substr($docname, 0, 1); $first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 || if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) { strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
# #
# Nothing that looks like a ../ is allowed anywhere in the name # Nothing that looks like a ../ is allowed anywhere in the name
# #
if (strstr($docname, "../")) { if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
if ($printable) { if ($printable) {
...@@ -622,7 +622,7 @@ function PAGEERROR($msg) { ...@@ -622,7 +622,7 @@ function PAGEERROR($msg) {
global $drewheader; global $drewheader;
if (! $drewheader) if (! $drewheader)
PAGEHEADER(""); PAGEHEADER("Page Error");
echo "$msg\n"; echo "$msg\n";
<?php <?php
# #
# EMULAB-COPYRIGHT # EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group. # Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved. # All rights reserved.
# #
chdir(".."); chdir("..");
require("defs.php3"); require("defs.php3");
chdir("tutorial"); chdir("tutorial");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
# #
# Standard Testbed Header # Standard Testbed Header
# #
...@@ -22,13 +34,13 @@ if (!$printable) { ...@@ -22,13 +34,13 @@ if (!$printable) {
$first = substr($docname, 0, 1); $first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 || if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) { strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
# #
# Nothing that looks like a ../ is allowed anywhere in the name # Nothing that looks like a ../ is allowed anywhere in the name
# #
if (strstr($docname, "../")) { if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1); USERERROR("Illegal document name: $docname!", 1);
} }
if ($printable) { if ($printable) {
<?php <?php
# #
# EMULAB-COPYRIGHT # EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group. # Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved. # All rights reserved.
# #
chdir(".."); chdir("..");
require("defs.php3"); require("defs.php3");
chdir("tutorial");
# Page arguments.
$printable = $_GET['printable'];
# Pedantic page arument checking. Good practice!
if (isset($printable) && !($printable == "1" || $printable == "0")) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
# #
# Standard Testbed Header # Standard Testbed Header
...@@ -20,7 +30,6 @@ if (!$printable) { ...@@ -20,7 +30,6 @@ if (!$printable) {
Printable version of this document</a></b><br>\n"; Printable version of this document</a></b><br>\n";
} }
chdir("tutorial");
readfile("tutorial.html"); readfile("tutorial.html");
# #