From 885e37257d28829aeb0c8d4f6907c78677b5f7c2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 4 Feb 2020 19:08:03 +0100
Subject: [PATCH] Escape few things (that can be escaped early without breaking functionality). Should stop xss but is far from perfect (in case of bad things in sqlite databse). https://www.openbugbounty.org/reports/1080461/
---
 index.php | 76 ++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 56 insertions(+), 20 deletions(-)
diff --git a/index.php b/index.php
index 14a11ae..6eca071 100644
--- a/index.php
+++ b/index.php
@@ -49,16 +49,19 @@ textdomain("messages");
 if (isset($_GET["dist"]) && isset($_GET["arch"])) {
- $dist = basename($_GET["dist"]);
- $arch = basename($_GET["arch"]);
+ $dist = $_GET["dist"];
+ $dist = basename(htmlspecialchars($dist, ENT_QUOTES, 'UTF-8'));
+ $arch = $_GET["arch"];
+ $arch = basename(htmlspecialchars($arch, ENT_QUOTES, 'UTF-8'));
 }
 if (isset($_POST["dist"])) $dist = basename($_POST["dist"]);
 if (isset($_POST["arch"])) $arch = basename($_POST["arch"]);
 if (isset($_GET["name"])) {
- $name_url = urlencode($_GET["name"]);
- $name = basename($_GET["name"]);
+ $name_url = urlencode($_GET["name"]);
+ $name = $_GET["name"];
+ $name = $dist = basename(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
 }
 if (isset($_GET["ok"]))$ok=(int)$_GET["ok"];
 else $ok="";
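Review bot: `$name = $dist = basename(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));` in the `name` branch overwrites `$dist` with the package name, so any request that carries `name` loses its `dist` value for the later path and database lookups; it should read `$name = basename(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));`. The POST branch (`if (isset($_POST["dist"])) $dist = basename($_POST["dist"]);` and its `arch` twin) still stores the raw value while the GET branch is HTML-encoded, so the `$dist/$arch/OK` echo in list_logs is protected for one request method only; treat both the same or, better, escape at the echo. `$name_url` is still built from the unescaped `$_GET["name"]` while `$name` is encoded, and encoding before basename also changes what is looked up on disk and in the database (an `&` or a quote in the value is compared entity-encoded), which is the usual argument for escaping at output rather than at input.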
@@ -66,14 +69,26 @@ if (isset($_GET["ns"]))$ns=(int)$_GET["ns"];
 else $ns="";
 if (isset($_GET["cnt"]))$cnt=(int)$_GET["cnt"];
 else $cnt = 50;
-if (isset($_GET["action"]))$action=$_GET["action"];
-else $action="";
+if (isset($_GET["action"])) {
+ $action = $_GET["action"];
+ $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
+} else
+ $action="";
 if (isset($_GET["off"]))$off=(int)$_GET["off"];
 else $off = 0;
-if (isset($_GET["id"]))$id=$_GET["id"];
+if (isset($_GET["id"])) {
+ $id = $_GET["id"];
+ $id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
+}
-if (isset($_POST["str"]))$str=$_POST["str"];
-if (isset($_POST["action"]))$action=$_POST["action"];
+if (isset($_POST["str"])) {
+ $str = $_POST["str"];
+ $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
+}
+if (isset($_POST["action"])) {
+ $action = $_POST["action"];
+ $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
+}
 if (isset($arch) && $arch == "src") $arch = "SRPMS";
@@ -158,7 +173,13 @@ function list_logs()
 global $big_url, $ns;
 global $off, $cnt, $root_directory, $url;
- $big_url = "$url?dist=$dist&arch=$arch&ok=$ok&ns=$ns&cnt=$cnt";
+ $query_data = array(
+ 'dist' => $dist,
+ 'arch' => $arch,
+ 'ok' => $ok,
+ 'ns' => $ns,
+ 'cnt' => $cnt);
+ $big_url = $url . '?' . http_build_query($query_data);
 if ($ok == 1) { echo "
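Review bot: `$id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');`, and the same treatment of `$action` and `$str`, encodes for an HTML context at the input boundary, which protects only the places that echo these values and alters them for every other use: an `id` or `str` containing `&`, `<` or a quote no longer equals what the database or the filesystem holds, and if `$id` is later interpolated into SQL or a path (not visible here) this is no defence there. The neighbouring `ok`/`ns`/`cnt`/`off` use `(int)`; if `id` is numeric, `$id = (int)$_GET["id"];` is the stronger and simpler check, otherwise keep the raw value and escape where it is printed. Stylistically, `} else` followed by the unbraced `$action="";` on its own line reads oddly beside the braced branches; bracing both sides, or a small helper shared by all five blocks, would keep the pattern uniform.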

"._("Listing of")." $dist/$arch/OK " @@ -185,23 +206,32 @@ function list_logs() if ($ns == 0) $order = "mtime DESC"; else $order = "name"; - $query = "SELECT log_id, dist, arch, ok, name, mtime, size, id FROM logs WHERE " - . "dist = '$dist' AND arch = '$arch' AND ok = $ok ORDER BY $order LIMIT $cnt OFFSET $off"; + $query = "SELECT log_id, dist, arch, ok, name, mtime, size, id FROM logs WHERE + dist = :dist AND arch = :arch AND ok = :ok ORDER BY $order LIMIT :limitnr OFFSET :offset "; try { $dbh = new PDO("$database"); + $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); + $dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC); } catch (PDOException $e) { mydie("new PDO: " . $e->getMessage()); } $now = time(); $i = $off; - foreach ($dbh->query("$query") as $row) { - $name = $row["name"]; - $id = $row["id"]; - $dist = $row["dist"]; - $arch = $row["arch"]; + $stmt = $dbh->prepare($query); + $stmt->bindParam(':dist', $dist, PDO::PARAM_STR); + $stmt->bindParam(':arch', $arch, PDO::PARAM_STR); + $stmt->bindParam(':ok', $ok, PDO::PARAM_INT); + $stmt->bindParam(':limitnr', $cnt, PDO::PARAM_INT); + $stmt->bindParam(':offset', $off, PDO::PARAM_INT); + $stmt->execute([$dist, $arch, $ok, $cnt, $off]); + while ($row = $stmt->fetch()) { + $name = $row["name"]; + $id = $row["id"]; + $dist = $row["dist"]; + $arch = $row["arch"]; $f = $name; - $name_url = urlencode($name); + $name_url = urlencode($name); $t = $now - $row["mtime"]; $s = $row["size"]; $h = $row["log_id"]; @@ -221,9 +251,15 @@ function list_logs() $t = round($t); $t = $t . " " . ngettext("minute","minutes",$t); } - $u = "$url?dist=$dist&arch=$arch&ok=$ok&name=$name_url&id=$id"; + $url_data = array( + 'dist' => $dist, + 'arch' => $arch, + 'ok' => $ok, + 'name' => $name_url, + 'id' => $id); + $u = $url . '?' . http_build_query($url_data); echo "".($i+1).".". - "$f ". + "".htmlspecialchars($f, ENT_QUOTES, 'UTF-8')." ". "["._("text")." | ". ""._("tail")."]". "". -- 2.44.0