Commit ab1761e5 authored by Russ Fish's avatar Russ Fish

When I fixed the regexp in PAGEARG_STRING that checks for quotes, it plugged
one SQL injection hole, and shifted detection of probes earlier in a lot
of other pages.  But some inputs that were marked PAGEARG_STRING should
actually be PAGEARG_ANYTHING, since they're text fields where quotes make
sense, and are escaped properly in the logic that handles them.

  approveproject.php3 - message
  editnodetype.php3 - newattribute_value
  newnodelog.php3 - log_entry
  newosid.php3 - description
  nodecontrol.php3 - startupcmd (node_control strips single-quotes from values.)
parent 34f19ee9
......@@ -22,7 +22,7 @@ $reqargs = RequiredPageArguments("project", PAGEARG_PROJECT,
"approval", PAGEARG_STRING);
$optargs = OptionalPageArguments("head_uid", PAGEARG_STRING,
"user_interface", PAGEARG_STRING,
"message", PAGEARG_STRING,
"message", PAGEARG_ANYTHING,
"silent", PAGEARG_BOOLEAN);
#
......
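Review bot: Switching `"message"` to PAGEARG_ANYTHING removes the quote check for that field, and nothing at the declaration says where the value is escaped afterwards. The description states that the handling logic escapes it, but that code is outside the hunk, so the safety of the change cannot be confirmed from here. A comment above the argument would make the dependency explicit, e.g. `# message is free text (quotes allowed); it must be escaped at every SQL, shell and HTML use below.` The same applies to `"newattribute_value"`, `"log_entry"` and `"description"` in the next three hunks.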
......@@ -30,7 +30,7 @@ $optargs = OptionalPageArguments("submit", PAGEARG_STRING,
"attributes", PAGEARG_ARRAY,
"newattribute_type", PAGEARG_STRING,
"newattribute_name", PAGEARG_STRING,
"newattribute_value", PAGEARG_STRING);
"newattribute_value", PAGEARG_ANYTHING);
if (!isset($node_type)) { $node_type = ""; }
if (!isset($attributes)) { $attributes = array(); }
......
......@@ -24,7 +24,7 @@ $isadmin = ISADMIN();
#
$reqargs = RequiredPageArguments("node", PAGEARG_NODE,
"log_type", PAGEARG_STRING,
"log_entry", PAGEARG_STRING);
"log_entry", PAGEARG_ANYTHING);
#
# Only Admins can enter log entries.
......
......@@ -26,7 +26,7 @@ $isadmin = ISADMIN();
#
$optargs = OptionalPageArguments("osname", PAGEARG_STRING,
"project", PAGEARG_PROJECT,
"description", PAGEARG_STRING,
"description", PAGEARG_ANYTHING,
"os_path", PAGEARG_STRING,
"os_version", PAGEARG_STRING,
"OS", PAGEARG_STRING,
......
......@@ -25,7 +25,7 @@ $isadmin = ISADMIN();
$reqargs = RequiredPageArguments("node", PAGEARG_NODE,
"def_boot_osid", PAGEARG_STRING,
"def_boot_cmd_line", PAGEARG_STRING,
"startupcmd", PAGEARG_STRING,
"startupcmd", PAGEARG_ANYTHING,
"tarballs", PAGEARG_STRING,
"rpms", PAGEARG_STRING);
$optargs = OptionalPageArguments("next_boot_osid", PAGEARG_STRING,
......@@ -57,7 +57,7 @@ if ($def_boot_cmd_line != $node->def_boot_cmd_line()) {
$command_string .= "default_boot_cmdline='$def_boot_cmd_line' ";
}
if ($startupcmd != $node->startupcmd()) {
$command_string .= "startup_command='$startupcmd' ";
$command_string .= "startup_command=" . escapeshellarg($startupcmd) . " ";
}
if ($tarballs != $node->tarballs()) {
$command_string .= "tarfiles='$tarballs' ";
......
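Review bot: `def_boot_cmd_line` and `tarballs` are still spliced into `$command_string` inside hand-written single quotes (`default_boot_cmdline='$def_boot_cmd_line'`, `tarfiles='$tarballs'`), so only `startupcmd` gets `escapeshellarg()` and the other two rely entirely on the PAGEARG_STRING quote check. Building them the same way, e.g. `$command_string .= "default_boot_cmdline=" . escapeshellarg($def_boot_cmd_line) . " ";`, would keep the quoting correct even if that regexp changes again. It is also worth confirming how the receiving side treats the new form: the description says node_control strips single quotes from values, and `escapeshellarg()` encodes an embedded quote as `'\''`, so a startup command containing a quote may arrive altered. The `if ($tarballs ...` block continues past the hunk, and how `$command_string` is executed is not visible here.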