gitlabFork/ISPConfig3.git - Solinfo Gitblit

Fixed: FS#2221 - SQL Injection Vulnerability

tbrehm

2012-05-11 1f400c49b173e126d674b9917456239620976742

commit \| author \| age
fb02f0	1	<?php
T	2
	3	/*
	4	Copyright (c) 2007, Till Brehm, projektfarm Gmbh
	5	All rights reserved.
	6
	7	Redistribution and use in source and binary forms, with or without modification,
	8	are permitted provided that the following conditions are met:
	9
	10	* Redistributions of source code must retain the above copyright notice,
	11	this list of conditions and the following disclaimer.
	12	* Redistributions in binary form must reproduce the above copyright notice,
	13	this list of conditions and the following disclaimer in the documentation
	14	and/or other materials provided with the distribution.
	15	* Neither the name of ISPConfig nor the names of its contributors
	16	may be used to endorse or promote products derived from this software without
	17	specific prior written permission.
	18
	19	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	20	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	21	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	22	IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
	23	INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	24	BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	25	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	26	OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
	27	NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	28	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	29	*/
	30
	31	class listform {
	32
	33	private $debug = 0;
	34	private $errorMessage;
	35	public $listDef;
	36	public $searchValues;
	37	public $pagingHTML;
	38	private $pagingValues;
	39	private $searchChanged = 0;
	40	private $module;
	41	public $wordbook;
	42
	43	public function loadListDef($file, $module = '')
	44	{
	45	global $app,$conf;
	46	if(!is_file($file)){
	47	die("List-Definition: $file not found.");
	48	}
	49	require_once($file);
	50	$this->listDef = $liste;
	51	$this->module = $module;
	52
	53	//* Fill datasources
a55e8e	54	if(@is_array($this->listDef['item'])) {
M	55	foreach($this->listDef['item'] as $key => $field) {
	56	if(@is_array($field['datasource'])) {
	57	$this->listDef['item'][$key]['value'] = $this->getDatasourceData($field);
	58	}
	59	}
fb02f0	60	}
a55e8e	61
fb02f0	62	//* Set local Language File
5ded80	63	$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_'.$this->listDef['name'].'_list.lng';
F	64	if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$this->listDef['name'].'_list.lng';
	65	include($lng_file);
fb02f0	66
T	67	$this->wordbook = $wb;
	68
	69	return true;
	70	}
	71
	72	/**
	73	* Get the key => value array of a form filed from a datasource definitiom
	74	*
	75	* @param field = array with field definition
	76	* @param record = Dataset as array
	77	* @return array key => value array for the value field of a form
	78	*/
	79	private function getDatasourceData($field)
	80	{
	81	global $app;
	82	$values = array();
	83
	84	if($field['datasource']['type'] == 'SQL') {
	85
	86	//** Preparing SQL string. We will replace some common placeholders
	87	$querystring = $field['datasource']['querystring'];
	88	$querystring = str_replace('{USERID}', $_SESSION['s']['user']['userid'], $querystring);
	89	$querystring = str_replace('{GROUPID}', $_SESSION['s']['user']['default_group'], $querystring);
	90	$querystring = str_replace('{GROUPS}', $_SESSION['s']['user']['groups'], $querystring);
	91	//TODO:
	92	//$table_idx = $this->formDef['db_table_idx'];
	93	//$querystring = str_replace("{RECORDID}",$record[$table_idx],$querystring);
	94	$app->uses('tform');
	95	$querystring = str_replace("{AUTHSQL}",$app->tform->getAuthSQL('r'),$querystring);
24f38b	96	$querystring = str_replace("{AUTHSQL-A}",$app->tform->getAuthSQL('r','a'),$querystring);
V	97	$querystring = str_replace("{AUTHSQL-B}",$app->tform->getAuthSQL('r','b'),$querystring);
fb02f0	98
T	99	//* Getting the records
	100	$tmp_records = $app->db->queryAllRecords($querystring);
	101	if($app->db->errorMessage != '') die($app->db->errorMessage);
	102	if(is_array($tmp_records)) {
	103	$key_field = $field['datasource']['keyfield'];
	104	$value_field = $field['datasource']['valuefield'];
	105	foreach($tmp_records as $tmp_rec) {
	106	$tmp_id = $tmp_rec[$key_field];
	107	$values[$tmp_id] = $tmp_rec[$value_field];
	108	}
	109	}
	110	}
	111
	112	if($field['datasource']['type'] == 'CUSTOM') {
	113	//* Calls a custom class to validate this record
	114	if($field['datasource']['class'] != '' and $field['datasource']['function'] != '') {
	115	$datasource_class = $field['datasource']['class'];
	116	$datasource_function = $field['datasource']['function'];
	117	$app->uses($datasource_class);
	118	$record = array();
	119	$values = $app->$datasource_class->$datasource_function($field, $record);
	120	} else {
baac49	121	$this->errorMessage .= "Custom datasource class or function is empty<br />\r\n";
fb02f0	122	}
T	123	}
	124	return $values;
	125	}
	126
	127	public function getSearchSQL($sql_where = '')
	128	{
1f400c	129	global $app, $db;
fb02f0	130
T	131	//* Get config variable
	132	$list_name = $this->listDef['name'];
	133	$search_prefix = $this->listDef['search_prefix'];
a59ad3	134
T	135	if(isset($_REQUEST['Filter']) && !isset($_SESSION['search'][$list_name])) {
	136	//* Jump back to page 1 of the list when a new search gets started.
	137	$_SESSION['search'][$list_name]['page'] = 0;
	138	}
fb02f0	139
T	140	//* store retrieval query
a55e8e	141	if(@is_array($this->listDef['item'])) {
M	142	foreach($this->listDef['item'] as $i) {
	143	$field = $i['field'];
fb02f0	144
a55e8e	145	//* The search string has been changed
M	146	if(isset($_REQUEST[$search_prefix.$field]) && isset($_SESSION['search'][$list_name][$search_prefix.$field]) && $_REQUEST[$search_prefix.$field] != $_SESSION['search'][$list_name][$search_prefix.$field]){
	147	$this->searchChanged = 1;
	148
	149	//* Jump back to page 1 of the list when search has changed.
	150	$_SESSION['search'][$list_name]['page'] = 0;
	151	}
fb02f0	152
a55e8e	153	//* Store field in session
1f400c	154	if(isset($_REQUEST[$search_prefix.$field]) && !stristr($_REQUEST[$search_prefix.$field],"'")){
a55e8e	155	$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
1f400c	156	if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field]))
T	157	$_SESSION['search'][$list_name][$search_prefix.$field] = '';
	158	}
fb02f0	159
a55e8e	160	if(isset($i['formtype']) && $i['formtype'] == 'SELECT'){
M	161	if(is_array($i['value'])) {
	162	$out = '<option value=""></option>';
	163	foreach($i['value'] as $k => $v) {
	164	// TODO: this could be more elegant
	165	$selected = (isset($_SESSION['search'][$list_name][$search_prefix.$field])
	166	&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]
	167	&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')
	168	? ' SELECTED' : '';
	169	$out .= "<option value='$k'$selected>$v</option>\r\n";
	170	}
	171	}
	172	$this->searchValues[$search_prefix.$field] = $out;
	173	} else {
	174	if(isset($_SESSION['search'][$list_name][$search_prefix.$field])){
	175	$this->searchValues[$search_prefix.$field] = htmlspecialchars($_SESSION['search'][$list_name][$search_prefix.$field]);
fb02f0	176	}
T	177	}
a55e8e	178	}
M	179	}
	180	//* Store variables in object \| $this->searchValues = $_SESSION["search"][$list_name];
	181	if(@is_array($this->listDef['item'])) {
	182	foreach($this->listDef['item'] as $i) {
	183	$field = $i['field'];
	184	// if($_REQUEST[$search_prefix.$field] != '') $sql_where .= " $field ".$i["op"]." '".$i["prefix"].$_REQUEST[$search_prefix.$field].$i["suffix"]."' and";
	185	if(isset($_SESSION['search'][$list_name][$search_prefix.$field]) && $_SESSION['search'][$list_name][$search_prefix.$field] != ''){
1f400c	186	$sql_where .= " $field ".$i['op']." '".$app->db->quote($i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix'])."' and";
fb02f0	187	}
T	188	}
	189	}
	190	return ( $sql_where != '' ) ? $sql_where = substr($sql_where,0,-3) : '1';
	191	}
	192
	193	public function getPagingSQL($sql_where = '1')
	194	{
	195	global $app, $conf;
	196
	197	//* Get Config variables
	198	$list_name = $this->listDef['name'];
	199	$search_prefix = $this->listDef['search_prefix'];
	200	$records_per_page = $this->listDef['records_per_page'];
	201	$table = $this->listDef['table'];
	202
	203	//* set PAGE to zero, if in session not set
	204	if(!isset($_SESSION['search'][$list_name]['page']) \|\| $_SESSION['search'][$list_name]['page'] == ''){
	205	$_SESSION['search'][$list_name]['page'] = 0;
	206	}
	207
	208	//* set PAGE to worth request variable "PAGE" - ? setze page auf wert der request variablen "page"
	209	if(isset($_REQUEST["page"])) $_SESSION["search"][$list_name]["page"] = $_REQUEST["page"];
	210
	211	//* PAGE to 0 set, if look for themselves ? page auf 0 setzen, wenn suche sich ge�ndert hat.
	212	if($this->searchChanged == 1) $_SESSION['search'][$list_name]['page'] = 0;
	213
	214	$sql_von = $_SESSION['search'][$list_name]['page'] * $records_per_page;
	215	$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM $table WHERE $sql_where");
	216	$pages = intval(($record_count['anzahl'] - 1) / $records_per_page);
	217
	218
	219	$vars['list_file'] = $_SESSION['s']['module']['name'].'/'.$this->listDef['file'];
	220	$vars['page'] = $_SESSION['search'][$list_name]['page'];
	221	$vars['last_page'] = $_SESSION['search'][$list_name]['page'] - 1;
	222	$vars['next_page'] = $_SESSION['search'][$list_name]['page'] + 1;
	223	$vars['pages'] = $pages;
	224	$vars['max_pages'] = $pages + 1;
	225	$vars['records_gesamt'] = $record_count['anzahl'];
	226	$vars['page_params'] = (isset($this->listDef['page_params'])) ? $this->listDef['page_params'] : '';
	227	//$vars['module'] = $_SESSION['s']['module']['name'];
	228
	229	if($_SESSION['search'][$list_name]['page'] > 0) $vars['show_page_back'] = 1;
	230	if($_SESSION['search'][$list_name]['page'] <= $vars['pages'] - 1) $vars['show_page_next'] = 1;
	231
	232	$this->pagingValues = $vars;
	233	$this->pagingHTML = $this->getPagingHTML($vars);
	234
	235	//* Return limit sql
	236	return "LIMIT $sql_von, $records_per_page";
	237	}
	238
	239	public function getPagingHTML($vars)
	240	{
	241	global $app;
	242	$content = '<a href="'."javascript:loadContent('".$vars['list_file'].'?page=0'.$vars['page_params']."');".'">'
	243	.'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow_stop_180.png"></a>   ';
	244	//* Show Back
	245	if(isset($vars['show_page_back']) && $vars['show_page_back'] == 1){
	246	$content .= '<a href="'."javascript:loadContent('".$vars['list_file'].'?page='.$vars['last_page'].$vars['page_params']."');".'">'
	247	.'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow_180.png"></a> ';
	248	}
	249	$content .= ' '.$this->lng('page_txt').' '.$vars['next_page'].' '.$this->lng('page_of_txt').' '.$vars['max_pages'].' ';
	250	//* Show Next
	251	if(isset($vars['show_page_next']) && $vars['show_page_next'] == 1){
	252	$content .= '<a href="'."javascript:loadContent('".$vars['list_file'].'?page='.$vars['next_page'].$vars['page_params']."');".'">'
	253	.'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow.png"></a>   ';
	254	}
	255	$content .= '<a href="'."javascript:loadContent('".$vars['list_file'].'?page='.$vars['pages'].$vars['page_params']."');".'">'
	256	.'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow_stop.png"></a>';
	257	return $content;
	258	}
	259
	260	public function getPagingHTMLasTXT($vars)
	261	{
	262	global $app;
	263	$content = '[<a href="'.$vars['list_file'].'?page=0'.$vars['page_params'].'">\|<< </a>]';
	264	if($vars['show_page_back'] == 1){
	265	$content .= '[<< <a href="'.$vars['list_file'].'?page='.$vars['last_page'].$vars['page_params'].'">'.$app->lng('page_back_txt').'</a>] ';
	266	}
	267	$content .= ' '.$this->lng('page_txt').' '.$vars['next_page'].' '.$this->lng('page_of_txt').' '.$vars['max_pages'].' ';
	268	if($vars['show_page_next'] == 1){
	269	$content .= '[<a href="'.$vars['list_file'].'?page='.$vars['next_page'].$vars['page_params'].'">'.$app->lng('page_next_txt').' >></a>] ';
	270	}
	271	$content .= '[<a href="'.$vars['list_file'].'?page='.$vars['pages'].$vars['page_params'].'"> >>\|</a>]';
	272	return $content;
	273	}
	274
	275	public function getSortSQL()
	276	{
	277	global $app, $conf;
	278	//* Get config vars
	279	$sort_field = $this->listDef['sort_field'];
	280	$sort_direction = $this->listDef['sort_direction'];
	281	return ($sort_field != '' && $sort_direction != '') ? "ORDER BY $sort_field $sort_direction" : '';
	282	}
	283
	284	public function decode($record)
	285	{
1ca823	286	global $conf, $app;
0b376a	287	if(is_array($record) && count($record) > 0 && is_array($this->listDef['item'])) {
fb02f0	288	foreach($this->listDef['item'] as $field){
T	289	$key = $field['field'];
	290	if(isset($record[$key])) {
	291	switch ($field['datatype']){
	292	case 'VARCHAR':
	293	case 'TEXT':
1b91da	294	$record[$key] = htmlentities(stripslashes($record[$key]),ENT_QUOTES,$conf["html_content_encoding"]);
fb02f0	295	break;
T	296
57540e	297	case 'DATETSTAMP':
T	298	if ($record[$key] > 0) {
	299	// is value int?
86bcf0	300	if (preg_match("/^[0-9]+[\.]?[0-9]*$/", $record[$key], $p)) {
57540e	301	$record[$key] = date($this->lng('conf_format_dateshort'), $record[$key]);
T	302	} else {
	303	$record[$key] = date($this->lng('conf_format_dateshort'), strtotime($record[$key]));
	304	}
	305	}
	306	break;
	307	case 'DATE':
e11f5d	308	if ($record[$key] > 0) {
R	309	// is value int?
86bcf0	310	if (preg_match("/^[0-9]+[\.]?[0-9]*$/", $record[$key], $p)) {
e11f5d	311	$record[$key] = date($this->lng('conf_format_dateshort'), $record[$key]);
R	312	} else {
	313	$record[$key] = date($this->lng('conf_format_dateshort'), strtotime($record[$key]));
	314	}
	315	}
	316	break;
	317
	318	case 'DATETIME':
	319	if ($record[$key] > 0) {
	320	// is value int?
86bcf0	321	if (preg_match("/^[0-9]+[\.]?[0-9]*$/", $record[$key], $p)) {
e11f5d	322	$record[$key] = date($this->lng('conf_format_datetime'), $record[$key]);
R	323	} else {
	324	$record[$key] = date($this->lng('conf_format_datetime'), strtotime($record[$key]));
	325	}
	326	}
fb02f0	327	break;
T	328
	329	case 'INTEGER':
	330	$record[$key] = intval($record[$key]);
	331	break;
	332
	333	case 'DOUBLE':
1b91da	334	$record[$key] = htmlentities($record[$key],ENT_QUOTES,$conf["html_content_encoding"]);
fb02f0	335	break;
T	336
	337	case 'CURRENCY':
1ca823	338	$record[$key] = $app->functions->currency_format($record[$key]);
fb02f0	339	break;
T	340
	341	default:
1b91da	342	$record[$key] = htmlentities(stripslashes($record[$key]),ENT_QUOTES,$conf["html_content_encoding"]);
fb02f0	343	}
T	344	}
	345	}
	346	}
	347	return $record;
	348	}
	349
	350	public function encode($record)
	351	{
	352	if(is_array($record)) {
	353	foreach($this->listDef['item'] as $field){
	354	$key = $field['field'];
	355	switch($field['datatype']){
	356
	357	case 'VARCHAR':
	358	case 'TEXT':
	359	if(!is_array($record[$key])) {
	360	$record[$key] = mysql_real_escape_string($record[$key]);
	361	} else {
	362	$record[$key] = implode($this->tableDef[$key]['separator'],$record[$key]);
	363	}
	364	break;
	365
57540e	366	case 'DATETSTAMP':
fb02f0	367	if($record[$key] > 0) {
e11f5d	368	$record[$key] = date('Y-m-d',strtotime($record[$key]));
R	369	}
	370	break;
57540e	371
T	372	case 'DATE':
	373	if($record[$key] != '' && $record[$key] != '0000-00-00') {
	374	$record[$key] = $record[$key];
	375	}
	376	break;
e11f5d	377
R	378	case 'DATETIME':
	379	if($record[$key] > 0) {
	380	$record[$key] = date('Y-m-d H:i:s',strtotime($record[$key]));
fb02f0	381	}
T	382	break;
	383
	384	case 'INTEGER':
	385	$record[$key] = intval($record[$key]);
	386	break;
	387
	388	case 'DOUBLE':
	389	$record[$key] = mysql_real_escape_string($record[$key]);
	390	break;
	391
	392	case 'CURRENCY':
	393	$record[$key] = str_replace(',', '.', $record[$key]);
	394	break;
	395	}
	396	}
	397	}
	398	return $record;
	399	}
	400
	401	function lng($msg) {
	402	global $app;
	403
	404	if(isset($this->wordbook[$msg])) {
	405	return $this->wordbook[$msg];
	406	} else {
	407	return $app->lng($msg);
	408	}
	409	}
ae69e6	410
T	411	function escapeArrayValues($search_values) {
1b91da	412	global $conf;
ae69e6	413
T	414	$out = array();
	415	if(is_array($search_values)) {
	416	foreach($search_values as $key => $val) {
1b91da	417	$out[$key] = htmlentities($val,ENT_QUOTES,$conf["html_content_encoding"]);
ae69e6	418	}
T	419	}
	420
	421	return $out;
	422
	423	}
fb02f0	424
T	425	}
	426
b5a2f8	427	?>