Commit dc646da8 authored by Leigh Stoller

Cherrypick some really easy pages for page argument checks. Mostly playing with coding practices for comment.
parent bd0d7087
......@@ -16,6 +16,9 @@ Here is what I think we need to do:
* Kill all the stripslashes call on data that came from the DB since
they are not needed (no slashes stored in the DB).
* Make sure we use addslashes on all stuff going into DB slots (update
and insert statements).
apc.php
approveproject.php3
approveproject_form.php3
......@@ -49,8 +52,8 @@ deletepubkey.php3
deletesfskey.php3
deleteuser.php3
doc.php3
doc/docwrapper.php3
docwrapper.php3
doc/docwrapper.php3 X
docwrapper.php3 X
editexp.php3
editgroup.php3
editgroup_form.php3
......@@ -145,8 +148,8 @@ swapexp.php3
tbauth.php3
toggle.php
top2image.php3
tutorial/docwrapper.php3
tutorial/tutorial.php3
tutorial/docwrapper.php3 X
tutorial/tutorial.php3 X
updateaccounts.php3
updown.php3
verifyusr.php3
......
......@@ -158,6 +158,13 @@ function FORMERROR($field) {
"Please go back and fill out the \"$field\" field!", 1);
}
#
# A page argument error.
#
function PAGEARGERROR() {
USERERROR("Invalid page arguments: " . $_SERVER['REQUEST_URI'], 1);
}
#
# SUEXEC stuff.
#
......
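Review bot: PAGEARGERROR() concatenates the raw `$_SERVER['REQUEST_URI']` into the error text, and the request line is entirely client-controlled, so unless USERERROR escapes its message itself (its body is not in this hunk) the value should be escaped before it is rendered: `USERERROR("Invalid page arguments: " . htmlspecialchars($_SERVER['REQUEST_URI']), 1);`. The pages that call PAGEARGERROR() in this commit continue straight on after the call with no exit, so they rely on USERERROR(..., 1) never returning; that contract is set outside this hunk, and the header comment should state it, e.g. `# Report bad page arguments and abort the page. Does not return; callers need no exit() after it.`. FORMERROR, whose closing lines open the hunk, is unchanged.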
......@@ -8,6 +8,18 @@ chdir("..");
require("defs.php3");
chdir("doc");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
#
# Standard Testbed Header
#
......@@ -22,13 +34,13 @@ if (!$printable) {
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
#
......
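Review bot: The new argument check in doc/docwrapper.php3 compares `$printable` with `==`, so numeric-equivalent strings such as "01" or "1.0" satisfy it while the later `if (!$printable)` treats "0.0" as true, and an array-valued `docname` satisfies isset() and still reaches substr() in the second hunk; the same check is copied into docwrapper.php3, tutorial/docwrapper.php3 and tutorial/tutorial.php3 (with the "arument" typo in its comment). Reading `$_GET['docname']` and `$_GET['printable']` into locals before the isset() test also raises an undefined-index notice whenever a parameter is absent. I would read the values guarded and compare strictly: `$docname = isset($_GET['docname']) ? $_GET['docname'] : null;`, `$printable = isset($_GET['printable']) ? $_GET['printable'] : "0";` and `if (!is_string($docname) || ($printable !== "1" && $printable !== "0")) { PAGEARGERROR(); }`. Since the name is also interpolated into the two "Illegal document name" messages, pass it through htmlspecialchars() there unless USERERROR already escapes its argument, which is not visible on this page.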
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved.
#
require("defs.php3");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
#
# Standard Testbed Header
#
......@@ -20,13 +32,13 @@ if (!$printable) {
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
if ($printable) {
......
......@@ -622,7 +622,7 @@ function PAGEERROR($msg) {
global $drewheader;
if (! $drewheader)
PAGEHEADER("");
PAGEHEADER("Page Error");
echo "$msg\n";
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved.
#
chdir("..");
require("defs.php3");
chdir("tutorial");
# Page arguments.
$printable = $_GET['printable'];
$docname = $_GET['docname'];
# Pedantic page arument checking. Good practice!
if (!isset($docname) ||
(isset($printable) && !($printable == "1" || $printable == "0"))) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
#
# Standard Testbed Header
#
......@@ -22,13 +34,13 @@ if (!$printable) {
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
USERERROR("Invalid document name: $docname!", 1);
USERERROR("Illegal document name: $docname!", 1);
}
if ($printable) {
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved.
#
chdir("..");
require("defs.php3");
chdir("tutorial");
# Page arguments.
$printable = $_GET['printable'];
# Pedantic page arument checking. Good practice!
if (isset($printable) && !($printable == "1" || $printable == "0")) {
PAGEARGERROR();
}
if (!isset($printable))
$printable = 0;
#
# Standard Testbed Header
......@@ -20,7 +30,6 @@ if (!$printable) {
Printable version of this document</a></b><br>\n";
}
chdir("tutorial");
readfile("tutorial.html");
#
......