From 6817a6b10286b0ba7d7b8b9b56cdb23c47e93c81 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 12:45:07 +0200 Subject: [PATCH 01/19] First try of implementing assignHTML --- apps/calendar/index.php | 6 +-- apps/contacts/ajax/addbook.php | 4 +- apps/contacts/ajax/createaddressbook.php | 2 +- apps/contacts/ajax/editaddressbook.php | 4 +- apps/contacts/ajax/loadcard.php | 12 ++--- apps/contacts/index.php | 20 ++++---- .../templates/part.chooseaddressbook.php | 4 +- apps/files/admin.php | 10 ++-- apps/files/index.php | 26 +++++----- apps/user_ldap/group_ldap.php | 2 +- lib/template.php | 47 +++++++++++++------ 11 files changed, 78 insertions(+), 59 deletions(-) diff --git a/apps/calendar/index.php b/apps/calendar/index.php index cf03a7a3cd..803f973d6e 100644 --- a/apps/calendar/index.php +++ b/apps/calendar/index.php @@ -54,9 +54,9 @@ OCP\Util::addscript('contacts','jquery.multi-autocomplete'); OCP\Util::addscript('','oc-vcategories'); OCP\App::setActiveNavigationEntry('calendar_index'); $tmpl = new OCP\Template('calendar', 'calendar', 'user'); -$tmpl->assign('eventSources', $eventSources); -$tmpl->assign('categories', $categories); +$tmpl->assignHTML('eventSources', $eventSources); +$tmpl->assignHTML('categories', $categories); if(array_key_exists('showevent', $_GET)){ - $tmpl->assign('showevent', $_GET['showevent']); + $tmpl->assignHTML('showevent', $_GET['showevent']); } $tmpl->printPage(); diff --git a/apps/contacts/ajax/addbook.php b/apps/contacts/ajax/addbook.php index 70f47cc812..0b075a0e47 100644 --- a/apps/contacts/ajax/addbook.php +++ b/apps/contacts/ajax/addbook.php @@ -14,7 +14,7 @@ $book = array( 'displayname' => '', ); $tmpl = new OCP\Template('contacts', 'part.editaddressbook'); -$tmpl->assign('new', true); -$tmpl->assign('addressbook', $book); +$tmpl->assignHTML('new', true); +$tmpl->assignHTML('addressbook', $book); $tmpl->printPage(); ?> 
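Review bot: In the apps/calendar/index.php hunk the one request-controlled value, `$_GET['showevent']`, is handed to `assignHTML`, which under this commit's lib/template.php change is the variant that stores the value without `htmlentities()`, so the raw request string reaches the template while the server-side values around it are the ones that would have been escaped. Keep it on the escaping path: `$tmpl->assign('showevent', $_GET['showevent']);`. The remaining hunks of this commit (addbook, createaddressbook, editaddressbook, loadcard, contacts/index, part.chooseaddressbook, files/admin, files/index) switch every caller to `assignHTML` as well, so escaping becomes opt-in across the tree; `assignHTML` is the right choice only for pre-rendered fragments such as `fetchPage()` output, and scalar strings headed for an HTML text or attribute context should stay on `assign`.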
diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php index af7c19eef5..4a256458ca 100644 --- a/apps/contacts/ajax/createaddressbook.php +++ b/apps/contacts/ajax/createaddressbook.php @@ -33,7 +33,7 @@ if(!OC_Contacts_Addressbook::setActive($bookid, 1)) { } $addressbook = OC_Contacts_App::getAddressbook($bookid); $tmpl = new OCP\Template('contacts', 'part.chooseaddressbook.rowfields'); -$tmpl->assign('addressbook', $addressbook); +$tmpl->assignHTML('addressbook', $addressbook); OCP\JSON::success(array( 'page' => $tmpl->fetchPage(), 'addressbook' => $addressbook, diff --git a/apps/contacts/ajax/editaddressbook.php b/apps/contacts/ajax/editaddressbook.php index 7a9b757ae0..18ddfef6dd 100644 --- a/apps/contacts/ajax/editaddressbook.php +++ b/apps/contacts/ajax/editaddressbook.php @@ -11,7 +11,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); $addressbook = OC_Contacts_App::getAddressbook($_GET['bookid']); $tmpl = new OCP\Template("contacts", "part.editaddressbook"); -$tmpl->assign('new', false); -$tmpl->assign('addressbook', $addressbook); +$tmpl->assignHTML('new', false); +$tmpl->assignHTML('addressbook', $addressbook); $tmpl->printPage(); ?> diff --git a/apps/contacts/ajax/loadcard.php b/apps/contacts/ajax/loadcard.php index fbb831f4a1..a07120a33f 100644 --- a/apps/contacts/ajax/loadcard.php +++ b/apps/contacts/ajax/loadcard.php 
@@ -36,12 +36,12 @@ $phone_types = OC_Contacts_App::getTypesOfProperty('TEL'); $email_types = OC_Contacts_App::getTypesOfProperty('EMAIL'); $tmpl = new OCP\Template('contacts','part.contact'); -$tmpl->assign('uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assign('adr_types',$adr_types); -$tmpl->assign('phone_types',$phone_types); -$tmpl->assign('email_types',$email_types); -$tmpl->assign('id',''); +$tmpl->assignHTML('uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assignHTML('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assignHTML('adr_types',$adr_types); +$tmpl->assignHTML('phone_types',$phone_types); +$tmpl->assignHTML('email_types',$email_types); +$tmpl->assignHTML('id',''); $page = $tmpl->fetchPage(); OCP\JSON::success(array('data' => array( 'page' => $page ))); diff --git a/apps/contacts/index.php b/apps/contacts/index.php index 74b7c43c55..865a0cc35f 100644 --- a/apps/contacts/index.php +++ b/apps/contacts/index.php 
@@ -59,16 +59,16 @@ OCP\Util::addStyle('contacts','jquery.Jcrop'); OCP\Util::addStyle('contacts','contacts'); $tmpl = new OCP\Template( "contacts", "index", "user" ); -$tmpl->assign('uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assign('property_types', $property_types); -$tmpl->assign('phone_types', $phone_types); -$tmpl->assign('email_types', $email_types); -$tmpl->assign('categories', $categories); -$tmpl->assign('addressbooks', $addressbooks); -$tmpl->assign('contacts', $contacts); -$tmpl->assign('details', $details ); -$tmpl->assign('id',$id); +$tmpl->assignHTML('uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assignHTML('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assignHTML('property_types', $property_types); +$tmpl->assignHTML('phone_types', $phone_types); +$tmpl->assignHTML('email_types', $email_types); +$tmpl->assignHTML('categories', $categories); +$tmpl->assignHTML('addressbooks', $addressbooks); +$tmpl->assignHTML('contacts', $contacts); +$tmpl->assignHTML('details', $details ); +$tmpl->assignHTML('id',$id); $tmpl->printPage(); ?> diff --git a/apps/contacts/templates/part.chooseaddressbook.php b/apps/contacts/templates/part.chooseaddressbook.php index a0ec053ab9..74fab99010 100644 --- a/apps/contacts/templates/part.chooseaddressbook.php +++ b/apps/contacts/templates/part.chooseaddressbook.php 
@@ -5,8 +5,8 @@ $option_addressbooks = OC_Contacts_Addressbook::all(OCP\USER::getUser()); for($i = 0; $i < count($option_addressbooks); $i++){ echo ""; $tmpl = new OCP\Template('contacts', 'part.chooseaddressbook.rowfields'); - $tmpl->assign('addressbook', $option_addressbooks[$i]); - $tmpl->assign('active', OC_Contacts_Addressbook::isActive($option_addressbooks[$i]['id'])); + $tmpl->assignHTML('addressbook', $option_addressbooks[$i]); + $tmpl->assignHTML('active', OC_Contacts_Addressbook::isActive($option_addressbooks[$i]['id'])); $tmpl->printpage(); echo ""; } diff --git a/apps/files/admin.php b/apps/files/admin.php index d05eb7267b..5534c5545e 100644 --- a/apps/files/admin.php +++ b/apps/files/admin.php @@ -54,9 +54,9 @@ OCP\App::setActiveNavigationEntry( "files_administration" ); $htaccessWritable=is_writable(OC::$SERVERROOT.'/.htaccess'); $tmpl = new OCP\Template( 'files', 'admin' ); -$tmpl->assign( 'uploadChangable', $htaccessWorking and $htaccessWritable ); -$tmpl->assign( 'uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assign( 'maxPossibleUploadSize', OCP\Util::humanFileSize(PHP_INT_MAX)); -$tmpl->assign( 'allowZipDownload', $allowZipDownload); -$tmpl->assign( 'maxZipInputSize', $maxZipInputSize); +$tmpl->assignHTML( 'uploadChangable', $htaccessWorking and $htaccessWritable ); +$tmpl->assignHTML( 'uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assignHTML( 'maxPossibleUploadSize', OCP\Util::humanFileSize(PHP_INT_MAX)); +$tmpl->assignHTML( 'allowZipDownload', $allowZipDownload); +$tmpl->assignHTML( 'maxZipInputSize', $maxZipInputSize); return $tmpl->fetchPage(); \ No newline at end of file diff --git a/apps/files/index.php b/apps/files/index.php index 60a3836cb5..8f98f34794 100644 --- a/apps/files/index.php +++ b/apps/files/index.php 
@@ -73,12 +73,12 @@ foreach( explode( '/', $dir ) as $i ){ // make breadcrumb und filelist markup $list = new OCP\Template( 'files', 'part.list', '' ); -$list->assign( 'files', $files ); -$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); -$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file='); +$list->assignHTML( 'files', $files ); +$list->assignHTML( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); +$list->assignHTML( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file='); $breadcrumbNav = new OCP\Template( 'files', 'part.breadcrumb', '' ); -$breadcrumbNav->assign( 'breadcrumb', $breadcrumb ); -$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); +$breadcrumbNav->assignHTML( 'breadcrumb', $breadcrumb ); +$breadcrumbNav->assignHTML( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); $upload_max_filesize = OCP\Util::computerFileSize(ini_get('upload_max_filesize')); $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size')); 
@@ -89,14 +89,14 @@ $freeSpace=max($freeSpace,0); $maxUploadFilesize = min($maxUploadFilesize ,$freeSpace); $tmpl = new OCP\Template( 'files', 'index', 'user' ); -$tmpl->assign( 'fileList', $list->fetchPage() ); -$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage() ); -$tmpl->assign( 'dir', $dir); -$tmpl->assign( 'readonly', !OC_Filesystem::is_writable($dir.'/')); -$tmpl->assign( 'files', $files ); -$tmpl->assign( 'uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assign( 'uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assign( 'allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true))); +$tmpl->assignHTML( 'fileList', $list->fetchPage() ); +$tmpl->assignHTML( 'breadcrumb', $breadcrumbNav->fetchPage() ); +$tmpl->assignHTML( 'dir', $dir); +$tmpl->assignHTML( 'readonly', !OC_Filesystem::is_writable($dir.'/')); +$tmpl->assignHTML( 'files', $files ); +$tmpl->assignHTML( 'uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assignHTML( 'uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assignHTML( 'allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true))); $tmpl->printPage(); ?> diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 78bc5b4656..d2404a80aa 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -186,7 +186,7 @@ class OC_GROUP_LDAP extends OC_Group_Backend { if(!$this->configured) { return array(); } - if(empty($this->_groups)) { + if(is_null($this->_groups)) { $ldap_groups = OC_LDAP::fetchListOfGroups($this->ldapGroupFilter, array(OC_LDAP::conf('ldapGroupDisplayName'), 'dn')); $this->_groups = OC_LDAP::ownCloudGroupNames($ldap_groups); } diff --git a/lib/template.php b/lib/template.php index 14833a1e5b..5230ad031f 100644 --- a/lib/template.php +++ b/lib/template.php 
@@ -156,9 +156,11 @@ class OC_Template{ $this->application = $app; $this->vars = array(); $this->l10n = OC_L10N::get($app); - header('X-Frame-Options: Sameorigin'); - header('X-XSS-Protection: 1; mode=block'); - header('X-Content-Type-Options: nosniff'); + + // Some security settings + header('X-Frame-Options: Sameorigin'); + header('X-XSS-Protection: 1; mode=block'); + header('X-Content-Type-Options: nosniff'); $this->findTemplate($name); } @@ -256,7 +258,7 @@ class OC_Template{ } /** - * @brief Assign variables + * @brief Assign variables and sanitizes the data * @param $key key * @param $value value * @returns true @@ -267,6 +269,23 @@ class OC_Template{ * If the key existed before, it will be overwritten */ public function assign( $key, $value ){ + $this->vars[$key] = htmlentities($value); + return true; + } + + + /** + * @brief Assign variables + * @param $key key + * @param $value value + * @returns true + * + * This function assigns a variable. It can be accessed via $_[$key] in + * the template. + * + * If the key existed before, it will be overwritten + */ + public function assignHTML( $key, $value ){ $this->vars[$key] = $value; return true; } 
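Review bot: `htmlentities($value)` in the new `assign()` body passes neither ENT_QUOTES nor a charset, so a single quote survives unescaped (an issue inside single-quoted attributes) and the encoding falls back to the interpreter default (ISO-8859-1 before PHP 5.4) rather than the UTF-8 the templates emit; it also has no handling for non-string values, which is a warning-and-null on PHP 5 and a TypeError for arrays on PHP 8. Use `$this->vars[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');` and state in the docblock that `assign()` expects a scalar. The `assignHTML()` docblock is a verbatim copy of the old `assign()` text and does not say what distinguishes the two; it should read along the lines of `@brief Assign a variable without HTML escaping; the caller must ensure the value is safe to emit`. The enclosing class `OC_Template` begins outside this hunk.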
@@ -354,20 +373,20 @@ class OC_Template{ // Decide which page we show if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); - $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assignHTML('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ - $page->assign('bodyid','body-settings'); + $page->assignHTML('bodyid','body-settings'); }else{ - $page->assign('bodyid','body-user'); + $page->assignHTML('bodyid','body-user'); } // Add navigation entry $navigation = OC_App::getNavigation(); - $page->assign( "navigation", $navigation); - $page->assign( "settingsnavigation", OC_App::getSettingsNavigation()); + $page->assignHTML( "navigation", $navigation); + $page->assignHTML( "settingsnavigation", OC_App::getSettingsNavigation()); foreach($navigation as $entry) { if ($entry['active']) { - $page->assign( 'application', $entry['name'] ); + $page->assignHTML( 'application', $entry['name'] ); break; } } @@ -381,7 +400,7 @@ class OC_Template{ // Read the detected formfactor and use the right file name. $fext = self::getFormFactorExtension(); - $page->assign('jsfiles', array()); + $page->assignHTML('jsfiles', array()); // Add the core js files or the js files provided by the selected theme foreach(OC_Util::$scripts as $script){ // Is it in 3rd party? @@ -418,7 +437,7 @@ class OC_Template{ } } // Add the css files - $page->assign('cssfiles', array()); + $page->assignHTML('cssfiles', array()); foreach(OC_Util::$styles as $style){ // is it in 3rdparty? if($page->appendIfExist('cssfiles', OC::$THIRDPARTYROOT, OC::$THIRDPARTYWEBROOT, $style.'.css')) { 
@@ -456,13 +475,13 @@ class OC_Template{ } // Add custom headers - $page->assign('headers',$this->headers); + $page->assignHTML('headers',$this->headers); foreach(OC_Util::$headers as $header){ $page->append('headers',$header); } // Add css files and js files - $page->assign( "content", $data ); + $page->assignHTML( "content", $data ); return $page->fetchPage(); } else{ From ec4c373eaaf279e7a7d441ec52ec40a7a4886a53 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 12:48:47 +0200 Subject: [PATCH 02/19] Settings... --- settings/admin.php | 4 ++-- settings/apps.php | 2 +- settings/help.php | 6 +++--- settings/personal.php | 12 ++++++------ settings/users.php | 8 ++++---- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/settings/admin.php b/settings/admin.php index a997bad4e3..d160b3dcfd 100644 --- a/settings/admin.php +++ b/settings/admin.php @@ -23,8 +23,8 @@ function compareEntries($a,$b){ usort($entries, 'compareEntries'); $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 )); -$tmpl->assign('entries',$entries); -$tmpl->assign('forms',array()); +$tmpl->assignHTML('entries',$entries); +$tmpl->assignHTML('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); } diff --git a/settings/apps.php b/settings/apps.php index 7908e6cc18..4f51a286ea 100644 --- a/settings/apps.php +++ b/settings/apps.php @@ -92,7 +92,7 @@ usort($apps, 'app_sort'); $tmpl = new OC_Template( "settings", "apps", "user" ); -$tmpl->assign('apps',$apps); +$tmpl->assignHTML('apps',$apps); $tmpl->printPage(); diff --git a/settings/help.php b/settings/help.php index f0abed8f55..e75607cd69 100644 --- a/settings/help.php +++ b/settings/help.php 
@@ -21,9 +21,9 @@ unset($kbe['totalitems']); $pagecount=ceil($totalitems/$pagesize); $tmpl = new OC_Template( "settings", "help", "user" ); -$tmpl->assign( "kbe", $kbe ); -$tmpl->assign( "pagecount", $pagecount ); -$tmpl->assign( "page", $page ); +$tmpl->assignHTML( "kbe", $kbe ); +$tmpl->assignHTML( "pagecount", $pagecount ); +$tmpl->assignHTML( "page", $page ); $tmpl->printPage(); ?> diff --git a/settings/personal.php b/settings/personal.php index 64e08be89e..927d9a407c 100644 --- a/settings/personal.php +++ b/settings/personal.php @@ -48,14 +48,14 @@ foreach($languageCodes as $lang){ // Return template $tmpl = new OC_Template( 'settings', 'personal', 'user'); -$tmpl->assign('usage',OC_Helper::humanFileSize($used)); -$tmpl->assign('total_space',OC_Helper::humanFileSize($total)); -$tmpl->assign('usage_relative',$relative); -$tmpl->assign('email',$email); -$tmpl->assign('languages',$languages); +$tmpl->assignHTML('usage',OC_Helper::humanFileSize($used)); +$tmpl->assignHTML('total_space',OC_Helper::humanFileSize($total)); +$tmpl->assignHTML('usage_relative',$relative); +$tmpl->assignHTML('email',$email); +$tmpl->assignHTML('languages',$languages); $forms=OC_App::getForms('personal'); -$tmpl->assign('forms',array()); +$tmpl->assignHTML('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); } diff --git a/settings/users.php b/settings/users.php index 96515a90ce..1003ca8112 100644 --- a/settings/users.php +++ b/settings/users.php 
@@ -34,10 +34,10 @@ foreach($quotaPreset as &$preset){ $defaultQuota=OC_Appconfig::getValue('files','default_quota','none'); $tmpl = new OC_Template( "settings", "users", "user" ); -$tmpl->assign( "users", $users ); -$tmpl->assign( "groups", $groups ); -$tmpl->assign( 'quota_preset', $quotaPreset); -$tmpl->assign( 'default_quota', $defaultQuota); +$tmpl->assignHTML( "users", $users ); +$tmpl->assignHTML( "groups", $groups ); +$tmpl->assignHTML( 'quota_preset', $quotaPreset); +$tmpl->assignHTML( 'default_quota', $defaultQuota); $tmpl->printPage(); ?> From c009bc4b87fcbb34b71ba04a5c7d043e4ea5abdc Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 13:27:32 +0200 Subject: [PATCH 03/19] Revert --- apps/calendar/index.php | 6 +-- apps/contacts/ajax/addbook.php | 4 +- apps/contacts/ajax/createaddressbook.php | 2 +- apps/contacts/ajax/editaddressbook.php | 4 +- apps/contacts/ajax/loadcard.php | 12 ++--- apps/contacts/index.php | 20 ++++---- .../templates/part.chooseaddressbook.php | 4 +- apps/files/admin.php | 10 ++-- apps/files/index.php | 26 +++++----- lib/template.php | 51 +++++++------------ lib/util.php | 18 ------- settings/admin.php | 4 +- settings/apps.php | 2 +- settings/help.php | 6 +-- settings/personal.php | 12 ++--- settings/users.php | 8 +-- 16 files changed, 78 insertions(+), 111 deletions(-) mode change 100755 => 100644 lib/util.php diff --git a/apps/calendar/index.php b/apps/calendar/index.php index 803f973d6e..cf03a7a3cd 100644 --- a/apps/calendar/index.php +++ b/apps/calendar/index.php 
@@ -54,9 +54,9 @@ OCP\Util::addscript('contacts','jquery.multi-autocomplete'); OCP\Util::addscript('','oc-vcategories'); OCP\App::setActiveNavigationEntry('calendar_index'); $tmpl = new OCP\Template('calendar', 'calendar', 'user'); -$tmpl->assignHTML('eventSources', $eventSources); -$tmpl->assignHTML('categories', $categories); +$tmpl->assign('eventSources', $eventSources); +$tmpl->assign('categories', $categories); if(array_key_exists('showevent', $_GET)){ - $tmpl->assignHTML('showevent', $_GET['showevent']); + $tmpl->assign('showevent', $_GET['showevent']); } $tmpl->printPage(); diff --git a/apps/contacts/ajax/addbook.php b/apps/contacts/ajax/addbook.php index 0b075a0e47..70f47cc812 100644 --- a/apps/contacts/ajax/addbook.php +++ b/apps/contacts/ajax/addbook.php @@ -14,7 +14,7 @@ $book = array( 'displayname' => '', ); $tmpl = new OCP\Template('contacts', 'part.editaddressbook'); -$tmpl->assignHTML('new', true); -$tmpl->assignHTML('addressbook', $book); +$tmpl->assign('new', true); +$tmpl->assign('addressbook', $book); $tmpl->printPage(); ?> diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php index 4a256458ca..af7c19eef5 100644 --- a/apps/contacts/ajax/createaddressbook.php +++ b/apps/contacts/ajax/createaddressbook.php @@ -33,7 +33,7 @@ if(!OC_Contacts_Addressbook::setActive($bookid, 1)) { } $addressbook = OC_Contacts_App::getAddressbook($bookid); $tmpl = new OCP\Template('contacts', 'part.chooseaddressbook.rowfields'); -$tmpl->assignHTML('addressbook', $addressbook); +$tmpl->assign('addressbook', $addressbook); OCP\JSON::success(array( 'page' => $tmpl->fetchPage(), 'addressbook' => $addressbook, diff --git a/apps/contacts/ajax/editaddressbook.php b/apps/contacts/ajax/editaddressbook.php index 18ddfef6dd..7a9b757ae0 100644 --- a/apps/contacts/ajax/editaddressbook.php +++ b/apps/contacts/ajax/editaddressbook.php 
@@ -11,7 +11,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); $addressbook = OC_Contacts_App::getAddressbook($_GET['bookid']); $tmpl = new OCP\Template("contacts", "part.editaddressbook"); -$tmpl->assignHTML('new', false); -$tmpl->assignHTML('addressbook', $addressbook); +$tmpl->assign('new', false); +$tmpl->assign('addressbook', $addressbook); $tmpl->printPage(); ?> diff --git a/apps/contacts/ajax/loadcard.php b/apps/contacts/ajax/loadcard.php index a07120a33f..fbb831f4a1 100644 --- a/apps/contacts/ajax/loadcard.php +++ b/apps/contacts/ajax/loadcard.php @@ -36,12 +36,12 @@ $phone_types = OC_Contacts_App::getTypesOfProperty('TEL'); $email_types = OC_Contacts_App::getTypesOfProperty('EMAIL'); $tmpl = new OCP\Template('contacts','part.contact'); -$tmpl->assignHTML('uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assignHTML('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assignHTML('adr_types',$adr_types); -$tmpl->assignHTML('phone_types',$phone_types); -$tmpl->assignHTML('email_types',$email_types); -$tmpl->assignHTML('id',''); +$tmpl->assign('uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assign('adr_types',$adr_types); +$tmpl->assign('phone_types',$phone_types); +$tmpl->assign('email_types',$email_types); +$tmpl->assign('id',''); $page = $tmpl->fetchPage(); OCP\JSON::success(array('data' => array( 'page' => $page ))); diff --git a/apps/contacts/index.php b/apps/contacts/index.php index 865a0cc35f..74b7c43c55 100644 --- a/apps/contacts/index.php +++ b/apps/contacts/index.php 
@@ -59,16 +59,16 @@ OCP\Util::addStyle('contacts','jquery.Jcrop'); OCP\Util::addStyle('contacts','contacts'); $tmpl = new OCP\Template( "contacts", "index", "user" ); -$tmpl->assignHTML('uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assignHTML('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assignHTML('property_types', $property_types); -$tmpl->assignHTML('phone_types', $phone_types); -$tmpl->assignHTML('email_types', $email_types); -$tmpl->assignHTML('categories', $categories); -$tmpl->assignHTML('addressbooks', $addressbooks); -$tmpl->assignHTML('contacts', $contacts); -$tmpl->assignHTML('details', $details ); -$tmpl->assignHTML('id',$id); +$tmpl->assign('uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assign('property_types', $property_types); +$tmpl->assign('phone_types', $phone_types); +$tmpl->assign('email_types', $email_types); +$tmpl->assign('categories', $categories); +$tmpl->assign('addressbooks', $addressbooks); +$tmpl->assign('contacts', $contacts); +$tmpl->assign('details', $details ); +$tmpl->assign('id',$id); $tmpl->printPage(); ?> diff --git a/apps/contacts/templates/part.chooseaddressbook.php b/apps/contacts/templates/part.chooseaddressbook.php index 74fab99010..a0ec053ab9 100644 --- a/apps/contacts/templates/part.chooseaddressbook.php +++ b/apps/contacts/templates/part.chooseaddressbook.php 
@@ -5,8 +5,8 @@ $option_addressbooks = OC_Contacts_Addressbook::all(OCP\USER::getUser()); for($i = 0; $i < count($option_addressbooks); $i++){ echo ""; $tmpl = new OCP\Template('contacts', 'part.chooseaddressbook.rowfields'); - $tmpl->assignHTML('addressbook', $option_addressbooks[$i]); - $tmpl->assignHTML('active', OC_Contacts_Addressbook::isActive($option_addressbooks[$i]['id'])); + $tmpl->assign('addressbook', $option_addressbooks[$i]); + $tmpl->assign('active', OC_Contacts_Addressbook::isActive($option_addressbooks[$i]['id'])); $tmpl->printpage(); echo ""; } diff --git a/apps/files/admin.php b/apps/files/admin.php index 5534c5545e..d05eb7267b 100644 --- a/apps/files/admin.php +++ b/apps/files/admin.php @@ -54,9 +54,9 @@ OCP\App::setActiveNavigationEntry( "files_administration" ); $htaccessWritable=is_writable(OC::$SERVERROOT.'/.htaccess'); $tmpl = new OCP\Template( 'files', 'admin' ); -$tmpl->assignHTML( 'uploadChangable', $htaccessWorking and $htaccessWritable ); -$tmpl->assignHTML( 'uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assignHTML( 'maxPossibleUploadSize', OCP\Util::humanFileSize(PHP_INT_MAX)); -$tmpl->assignHTML( 'allowZipDownload', $allowZipDownload); -$tmpl->assignHTML( 'maxZipInputSize', $maxZipInputSize); +$tmpl->assign( 'uploadChangable', $htaccessWorking and $htaccessWritable ); +$tmpl->assign( 'uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assign( 'maxPossibleUploadSize', OCP\Util::humanFileSize(PHP_INT_MAX)); +$tmpl->assign( 'allowZipDownload', $allowZipDownload); +$tmpl->assign( 'maxZipInputSize', $maxZipInputSize); return $tmpl->fetchPage(); \ No newline at end of file diff --git a/apps/files/index.php b/apps/files/index.php index 8f98f34794..60a3836cb5 100644 --- a/apps/files/index.php +++ b/apps/files/index.php 
@@ -73,12 +73,12 @@ foreach( explode( '/', $dir ) as $i ){ // make breadcrumb und filelist markup $list = new OCP\Template( 'files', 'part.list', '' ); -$list->assignHTML( 'files', $files ); -$list->assignHTML( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); -$list->assignHTML( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file='); +$list->assign( 'files', $files ); +$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); +$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file='); $breadcrumbNav = new OCP\Template( 'files', 'part.breadcrumb', '' ); -$breadcrumbNav->assignHTML( 'breadcrumb', $breadcrumb ); -$breadcrumbNav->assignHTML( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); +$breadcrumbNav->assign( 'breadcrumb', $breadcrumb ); +$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); $upload_max_filesize = OCP\Util::computerFileSize(ini_get('upload_max_filesize')); $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size')); 
@@ -89,14 +89,14 @@ $freeSpace=max($freeSpace,0); $maxUploadFilesize = min($maxUploadFilesize ,$freeSpace); $tmpl = new OCP\Template( 'files', 'index', 'user' ); -$tmpl->assignHTML( 'fileList', $list->fetchPage() ); -$tmpl->assignHTML( 'breadcrumb', $breadcrumbNav->fetchPage() ); -$tmpl->assignHTML( 'dir', $dir); -$tmpl->assignHTML( 'readonly', !OC_Filesystem::is_writable($dir.'/')); -$tmpl->assignHTML( 'files', $files ); -$tmpl->assignHTML( 'uploadMaxFilesize', $maxUploadFilesize); -$tmpl->assignHTML( 'uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); -$tmpl->assignHTML( 'allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true))); +$tmpl->assign( 'fileList', $list->fetchPage() ); +$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage() ); +$tmpl->assign( 'dir', $dir); +$tmpl->assign( 'readonly', !OC_Filesystem::is_writable($dir.'/')); +$tmpl->assign( 'files', $files ); +$tmpl->assign( 'uploadMaxFilesize', $maxUploadFilesize); +$tmpl->assign( 'uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize)); +$tmpl->assign( 'allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true))); $tmpl->printPage(); ?> diff --git a/lib/template.php b/lib/template.php index 5230ad031f..1e01b41159 100644 --- a/lib/template.php +++ b/lib/template.php @@ -156,11 +156,9 @@ class OC_Template{ $this->application = $app; $this->vars = array(); $this->l10n = OC_L10N::get($app); - - // Some security settings - header('X-Frame-Options: Sameorigin'); - header('X-XSS-Protection: 1; mode=block'); - header('X-Content-Type-Options: nosniff'); + header('X-Frame-Options: Sameorigin'); + header('X-XSS-Protection: 1; mode=block'); + header('X-Content-Type-Options: nosniff'); $this->findTemplate($name); } 
@@ -257,27 +255,11 @@ class OC_Template{ return false; } - /** - * @brief Assign variables and sanitizes the data - * @param $key key - * @param $value value - * @returns true - * - * This function assigns a variable. It can be accessed via $_[$key] in - * the template. - * - * If the key existed before, it will be overwritten - */ - public function assign( $key, $value ){ - $this->vars[$key] = htmlentities($value); - return true; - } - - /** * @brief Assign variables * @param $key key * @param $value value + * @param $sanitizeHTML false, if data shouldn't get passed through htmlentities * @returns true * * This function assigns a variable. It can be accessed via $_[$key] in @@ -285,7 +267,10 @@ class OC_Template{ * * If the key existed before, it will be overwritten */ - public function assignHTML( $key, $value ){ + public function assign( $key, $value, $sanitizeHTML=true ){ + if($sanitizeHTML) { + $this->vars[$key] = htmlentities($value); + } $this->vars[$key] = $value; return true; } 
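Review bot: The new `assign( $key, $value, $sanitizeHTML=true )` never keeps the escaped value: the `if($sanitizeHTML)` branch stores `htmlentities($value)` and the unconditional `$this->vars[$key] = $value;` that follows overwrites it, so every caller receives the raw value whatever the flag says and the default-on escaping the docblock now promises is a no-op. The branch needs to end with a return, `if($sanitizeHTML) { $this->vars[$key] = htmlentities($value); return true; }`, or the raw store belongs in an `else`. The later [PATCH 04/19] hunk adds that return, but as committed here the method ships with escaping silently disabled. The enclosing class continues outside the hunk.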
@@ -373,20 +358,20 @@ class OC_Template{ // Decide which page we show if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); - $page->assignHTML('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ - $page->assignHTML('bodyid','body-settings'); + $page->assign('bodyid','body-settings'); }else{ - $page->assignHTML('bodyid','body-user'); + $page->assign('bodyid','body-user'); } // Add navigation entry $navigation = OC_App::getNavigation(); - $page->assignHTML( "navigation", $navigation); - $page->assignHTML( "settingsnavigation", OC_App::getSettingsNavigation()); + $page->assign( "navigation", $navigation); + $page->assign( "settingsnavigation", OC_App::getSettingsNavigation()); foreach($navigation as $entry) { if ($entry['active']) { - $page->assignHTML( 'application', $entry['name'] ); + $page->assign( 'application', $entry['name'] ); break; } } @@ -400,7 +385,7 @@ class OC_Template{ // Read the detected formfactor and use the right file name. $fext = self::getFormFactorExtension(); - $page->assignHTML('jsfiles', array()); + $page->assign('jsfiles', array()); // Add the core js files or the js files provided by the selected theme foreach(OC_Util::$scripts as $script){ // Is it in 3rd party? @@ -437,7 +422,7 @@ class OC_Template{ } } // Add the css files - $page->assignHTML('cssfiles', array()); + $page->assign('cssfiles', array()); foreach(OC_Util::$styles as $style){ // is it in 3rdparty? if($page->appendIfExist('cssfiles', OC::$THIRDPARTYROOT, OC::$THIRDPARTYWEBROOT, $style.'.css')) { 
@@ -475,13 +460,13 @@ class OC_Template{ } // Add custom headers - $page->assignHTML('headers',$this->headers); + $page->assign('headers',$this->headers); foreach(OC_Util::$headers as $header){ $page->append('headers',$header); } // Add css files and js files - $page->assignHTML( "content", $data ); + $page->assign( "content", $data ); return $page->fetchPage(); } else{ diff --git a/lib/util.php b/lib/util.php old mode 100755 new mode 100644 index b6f3cb5df4..7c85db71f5 --- a/lib/util.php +++ b/lib/util.php @@ -358,30 +358,12 @@ class OC_Util { * Todo: Write howto */ public static function callRegister(){ - //mamimum time before token exires - $maxtime=(60*60); // 1 hour - // generate a random token. $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); // store the token together with a timestamp in the session. $_SESSION['requesttoken-'.$token]=time(); - // cleanup old tokens garbage collector - // only run every 20th time so we don´t waste cpu cycles - if(rand(0,20)==0) { - foreach($_SESSION as $key=>$value) { - // search all tokens in the session - if(substr($key,0,12)=='requesttoken') { - if($value+$maxtimeassign('loglevel',OC_Config::getValue( "loglevel", 2 )); -$tmpl->assignHTML('entries',$entries); -$tmpl->assignHTML('forms',array()); +$tmpl->assign('entries',$entries); +$tmpl->assign('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); } diff --git a/settings/apps.php b/settings/apps.php index 4f51a286ea..7908e6cc18 100644 --- a/settings/apps.php +++ b/settings/apps.php @@ -92,7 +92,7 @@ usort($apps, 'app_sort'); $tmpl = new OC_Template( "settings", "apps", "user" ); -$tmpl->assignHTML('apps',$apps); +$tmpl->assign('apps',$apps); $tmpl->printPage(); diff --git a/settings/help.php b/settings/help.php index e75607cd69..f0abed8f55 100644 --- a/settings/help.php +++ b/settings/help.php 
@@ -21,9 +21,9 @@ unset($kbe['totalitems']); $pagecount=ceil($totalitems/$pagesize); $tmpl = new OC_Template( "settings", "help", "user" ); -$tmpl->assignHTML( "kbe", $kbe ); -$tmpl->assignHTML( "pagecount", $pagecount ); -$tmpl->assignHTML( "page", $page ); +$tmpl->assign( "kbe", $kbe ); +$tmpl->assign( "pagecount", $pagecount ); +$tmpl->assign( "page", $page ); $tmpl->printPage(); ?> diff --git a/settings/personal.php b/settings/personal.php index 927d9a407c..64e08be89e 100644 --- a/settings/personal.php +++ b/settings/personal.php @@ -48,14 +48,14 @@ foreach($languageCodes as $lang){ // Return template $tmpl = new OC_Template( 'settings', 'personal', 'user'); -$tmpl->assignHTML('usage',OC_Helper::humanFileSize($used)); -$tmpl->assignHTML('total_space',OC_Helper::humanFileSize($total)); -$tmpl->assignHTML('usage_relative',$relative); -$tmpl->assignHTML('email',$email); -$tmpl->assignHTML('languages',$languages); +$tmpl->assign('usage',OC_Helper::humanFileSize($used)); +$tmpl->assign('total_space',OC_Helper::humanFileSize($total)); +$tmpl->assign('usage_relative',$relative); +$tmpl->assign('email',$email); +$tmpl->assign('languages',$languages); $forms=OC_App::getForms('personal'); -$tmpl->assignHTML('forms',array()); +$tmpl->assign('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); } diff --git a/settings/users.php b/settings/users.php index 1003ca8112..96515a90ce 100644 --- a/settings/users.php +++ b/settings/users.php 
@@ -34,10 +34,10 @@ foreach($quotaPreset as &$preset){ $defaultQuota=OC_Appconfig::getValue('files','default_quota','none'); $tmpl = new OC_Template( "settings", "users", "user" ); -$tmpl->assignHTML( "users", $users ); -$tmpl->assignHTML( "groups", $groups ); -$tmpl->assignHTML( 'quota_preset', $quotaPreset); -$tmpl->assignHTML( 'default_quota', $defaultQuota); +$tmpl->assign( "users", $users ); +$tmpl->assign( "groups", $groups ); +$tmpl->assign( 'quota_preset', $quotaPreset); +$tmpl->assign( 'default_quota', $defaultQuota); $tmpl->printPage(); ?> From b63795ccb8565197aae8578f7e71ad2f7c15256d Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 14:36:11 +0200 Subject: [PATCH 04/19] Handling arrays --- lib/template.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/lib/template.php b/lib/template.php index 1e01b41159..d7a87705e3 100644 --- a/lib/template.php +++ b/lib/template.php @@ -268,13 +268,28 @@ class OC_Template{ * If the key existed before, it will be overwritten */ public function assign( $key, $value, $sanitizeHTML=true ){ + if(is_array($value) && $sanitizeHTML) { + array_walk_recursive($value,'OC_Template::sanitizeHTML'); + $this->vars[$key] = $value; + return true; + } if($sanitizeHTML) { - $this->vars[$key] = htmlentities($value); + $this->vars[$key] = htmlentities($value, ENT_QUOTES); + return true; } $this->vars[$key] = $value; return true; } + /** + * @brief Internaly used to sanitze HTML + * + * This function is internally used to sanitize HTML. + */ + private function sanitizeHTML( &$value ){ + $value = htmlentities( $value, ENT_QUOTES ); + } + /** * @brief Appends a variable * @param $key key From 18e44ba2f38c67c43b64f0f753472407f30c98e0 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 15:03:45 +0200 Subject: [PATCH 05/19] Some updates... --- lib/template.php | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) 
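Review bot: `array_walk_recursive($value,'OC_Template::sanitizeHTML')` names a private, non-static method as a string callback, which PHP treats as a static call (a strict-standards notice on PHP 5, an error on newer releases), and both branches hand every leaf to `htmlentities()` regardless of type, so booleans and integers are silently coerced to strings and any object inside an array raises a warning. Guard on type and make the helper static: `private static function sanitizeHTML( &$value ){ if(is_string($value)) { $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); } }`. The explicit `'UTF-8'` matters because the default charset of `htmlentities()` was ISO-8859-1 before PHP 5.4 and mangles multibyte input. The docblock above `assign()` should also describe the new `$sanitizeHTML` parameter and state that it applies recursively to arrays.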
diff --git a/lib/template.php b/lib/template.php index d7a87705e3..35b941794b 100644 --- a/lib/template.php +++ b/lib/template.php @@ -267,27 +267,41 @@ class OC_Template{ * * If the key existed before, it will be overwritten */ - public function assign( $key, $value, $sanitizeHTML=true ){ - if(is_array($value) && $sanitizeHTML) { + public function assign( $key, $value, $sanitizeHTML=true ){ + if($sanitizeHTML == true) { + if(is_array($value)) { + array_walk_recursive($value,'OC_Template::sanitizeHTML'); + } else { + $value = OC_Template::sanitizeHTML($value); + } + } + $this->vars[$key] = $value; + return true; + } + + +/* public function assign( $key, $value, $sanitizeHTML = true ){ + if(is_array($value) && $sanitizeHTML == true) { array_walk_recursive($value,'OC_Template::sanitizeHTML'); $this->vars[$key] = $value; return true; } - if($sanitizeHTML) { + if($sanitizeHTML == true) { $this->vars[$key] = htmlentities($value, ENT_QUOTES); return true; } $this->vars[$key] = $value; return true; - } + }*/ /** * @brief Internaly used to sanitze HTML * * This function is internally used to sanitize HTML. */ - private function sanitizeHTML( &$value ){ + private static function sanitizeHTML( &$value ){ $value = htmlentities( $value, ENT_QUOTES ); + return $value; } /** 
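Review bot: The previous `assign()` implementation is left behind as a commented-out block directly under the new one; delete it rather than keep dead code in the class. `if($sanitizeHTML == true)` is a loose comparison, so any truthy value such as a non-empty string enables escaping; prefer `if($sanitizeHTML === true)` or plain `if($sanitizeHTML)`. `$value = OC_Template::sanitizeHTML($value);` both passes by reference and assigns the return value, which is redundant — pick one so the helper's contract is unambiguous.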
@@ -373,20 +387,20 @@ class OC_Template{ // Decide which page we show if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); - $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ), false); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ - $page->assign('bodyid','body-settings'); + $page->assign('bodyid','body-settings', false); }else{ - $page->assign('bodyid','body-user'); + $page->assign('bodyid','body-user', false); } // Add navigation entry $navigation = OC_App::getNavigation(); - $page->assign( "navigation", $navigation); - $page->assign( "settingsnavigation", OC_App::getSettingsNavigation()); + $page->assign( "navigation", $navigation, false); + $page->assign( "settingsnavigation", OC_App::getSettingsNavigation(), false); foreach($navigation as $entry) { if ($entry['active']) { - $page->assign( 'application', $entry['name'] ); + $page->assign( 'application', $entry['name'], false ); break; } } @@ -400,7 +414,7 @@ class OC_Template{ // Read the detected formfactor and use the right file name. $fext = self::getFormFactorExtension(); - $page->assign('jsfiles', array()); + $page->assign('jsfiles', array(), false); // Add the core js files or the js files provided by the selected theme foreach(OC_Util::$scripts as $script){ // Is it in 3rd party? @@ -475,13 +489,13 @@ class OC_Template{ } // Add custom headers - $page->assign('headers',$this->headers); + $page->assign('headers',$this->headers, false); foreach(OC_Util::$headers as $header){ $page->append('headers',$header); } // Add css files and js files - $page->assign( "content", $data ); + $page->assign( "content", $data, false ); return $page->fetchPage(); } else{ From 6d68b7620cd38fda23d2d5dec73a80818035c38d Mon Sep 17 00:00:00 2001 
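Review bot: Each `false` third argument added in these hunks turns escaping off without recording why that is safe; `searchurl`, `bodyid`, `jsfiles`, `headers` and `content` are URLs, ids or pre-rendered markup and plainly belong in that set, but `navigation`, `settingsnavigation` and `application` carry display names that the layout presumably echoes as text. A short comment on each call, e.g. `// raw: already-rendered HTML / URL`, and a check that `$entry['name']` is escaped where it is printed would keep the exemptions auditable. The enclosing method starts before the first hunk and continues after the last.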
From: Lukas Reschke Date: Mon, 11 Jun 2012 18:12:46 +0200 Subject: [PATCH 06/19] Check for string --- lib/template.php | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/lib/template.php b/lib/template.php index 35b941794b..688199a878 100644 --- a/lib/template.php +++ b/lib/template.php @@ -280,28 +280,16 @@ class OC_Template{ } -/* public function assign( $key, $value, $sanitizeHTML = true ){ - if(is_array($value) && $sanitizeHTML == true) { - array_walk_recursive($value,'OC_Template::sanitizeHTML'); - $this->vars[$key] = $value; - return true; - } - if($sanitizeHTML == true) { - $this->vars[$key] = htmlentities($value, ENT_QUOTES); - return true; - } - $this->vars[$key] = $value; - return true; - }*/ - /** * @brief Internaly used to sanitze HTML * * This function is internally used to sanitize HTML. */ private static function sanitizeHTML( &$value ){ + if(is_string($value)) { $value = htmlentities( $value, ENT_QUOTES ); return $value; + } } /** From 2b22c538c8cafafedb057947ff90abb5d219c903 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:07:51 +0200 Subject: [PATCH 07/19] Make some apps compatible --- apps/calendar/index.php | 4 ++-- apps/contacts/ajax/addproperty.php | 13 +++++++++++-- apps/contacts/templates/part.contacts.php | 2 +- apps/files/ajax/list.php | 2 +- apps/files/index.php | 14 +++++++------- apps/gallery/lib/tiles.php | 4 ++-- apps/user_ldap/group_ldap.php | 2 +- apps/user_ldap/settings.php | 5 +++-- apps/user_ldap/templates/settings.php | 1 + core/templates/login.php | 2 +- index.php | 1 + lib/template.php | 16 +++++++--------- lib/util.php | 21 ++++++++++++++++++++- settings/admin.php | 2 +- settings/apps.php | 2 +- settings/templates/admin.php | 2 +- settings/templates/help.php | 6 +++--- 17 files changed, 64 insertions(+), 35 deletions(-) mode change 100644 => 100755 lib/util.php diff --git a/apps/calendar/index.php b/apps/calendar/index.php index cf03a7a3cd..05a808a5ae 100644 
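Review bot: The `return $value;` in `sanitizeHTML()` now sits inside the new `if(is_string($value))`, so for any non-string the function returns null, and the scalar path of `assign()` from the previous patch (`$value = OC_Template::sanitizeHTML($value);`) then overwrites booleans and integers such as `assign('new', true)` or `assign('pagecount', $pagecount)` with null. Move the return outside the guard: `private static function sanitizeHTML( &$value ){ if(is_string($value)) { $value = htmlentities( $value, ENT_QUOTES ); } return $value; }`. The new block is also not indented relative to the surrounding method, which is what hides the misplaced return.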
--- a/apps/calendar/index.php +++ b/apps/calendar/index.php @@ -54,9 +54,9 @@ OCP\Util::addscript('contacts','jquery.multi-autocomplete'); OCP\Util::addscript('','oc-vcategories'); OCP\App::setActiveNavigationEntry('calendar_index'); $tmpl = new OCP\Template('calendar', 'calendar', 'user'); -$tmpl->assign('eventSources', $eventSources); +$tmpl->assign('eventSources', $eventSources,false); $tmpl->assign('categories', $categories); if(array_key_exists('showevent', $_GET)){ - $tmpl->assign('showevent', $_GET['showevent']); + $tmpl->assign('showevent', $_GET['showevent'], false); } $tmpl->printPage(); diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php index 42b0c78203..94e09bac19 100644 --- a/apps/contacts/ajax/addproperty.php +++ b/apps/contacts/ajax/addproperty.php @@ -82,6 +82,7 @@ if(is_array($value)) { $value = strip_tags($value); } +/* preprocessing value */ switch($name) { case 'BDAY': $date = New DateTime($value); @@ -94,6 +95,8 @@ switch($name) { case 'N': case 'ORG': case 'NOTE': + $value = str_replace('\n', ' \\n', $value); + break; case 'NICKNAME': // TODO: Escape commas and semicolons. break; @@ -105,8 +108,14 @@ switch($name) { break; } - -$property = $vcard->addProperty($name, $value); //, $parameters); +switch($name) { + case 'NOTE': + $vcard->setString('NOTE', $value); + break; + default: + $property = $vcard->addProperty($name, $value); //, $parameters); + break; +} $line = count($vcard->children) - 1; diff --git a/apps/contacts/templates/part.contacts.php b/apps/contacts/templates/part.contacts.php index 5751750540..00a61f72fd 100644 --- a/apps/contacts/templates/part.contacts.php +++ b/apps/contacts/templates/part.contacts.php @@ -8,5 +8,5 @@ } } ?> -
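Review bot: `$tmpl->assign('showevent', $_GET['showevent'], false);` passes raw request input into the template with escaping switched off, so whatever the template does with `showevent` now receives the unescaped query-string value, whereas the previous line escaped it. Unless the value is validated first, keep the default path, or if it is an event id (an assumption — the template is not visible) cast it: `$tmpl->assign('showevent', (int)$_GET['showevent']);`. `eventSources` is built earlier in the file, outside this hunk, and should only be exempt if it is already escaped where it is built.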
  • +
  • diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php index ceb8d15858..f0600a179d 100644 --- a/apps/files/ajax/list.php +++ b/apps/files/ajax/list.php @@ -38,7 +38,7 @@ foreach( OC_Files::getdirectorycontent( $dir ) as $i ){ } $list = new OCP\Template( "files", "part.list", "" ); -$list->assign( "files", $files ); +$list->assign( "files", $files, false ); $data = array('files' => $list->fetchPage()); OCP\JSON::success(array('data' => $data)); diff --git a/apps/files/index.php b/apps/files/index.php index 60a3836cb5..ed36c5edab 100644 --- a/apps/files/index.php +++ b/apps/files/index.php @@ -73,12 +73,12 @@ foreach( explode( '/', $dir ) as $i ){ // make breadcrumb und filelist markup $list = new OCP\Template( 'files', 'part.list', '' ); -$list->assign( 'files', $files ); -$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); -$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file='); +$list->assign( 'files', $files, false ); +$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=', false); +$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file=', false); $breadcrumbNav = new OCP\Template( 'files', 'part.breadcrumb', '' ); -$breadcrumbNav->assign( 'breadcrumb', $breadcrumb ); -$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir='); +$breadcrumbNav->assign( 'breadcrumb', $breadcrumb, false ); +$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=', false); $upload_max_filesize = OCP\Util::computerFileSize(ini_get('upload_max_filesize')); $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size')); 
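Review bot: `$list->assign( "files", $files, false );` sends the directory listing, whose names and paths are user-controlled, into `part.list` with escaping disabled, so the template must now escape every field itself or a filename becomes an HTML injection point; the same pattern is repeated in `apps/files/index.php` in the next hunk. If the exemption exists because the template also needs raw values for URLs, escape per field at the output site and leave a comment at the assign call stating that `part.list` is responsible for escaping. The `baseURL`/`downloadURL` exemptions are fine as they are server-built URL prefixes.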
@@ -89,8 +89,8 @@ $freeSpace=max($freeSpace,0); $maxUploadFilesize = min($maxUploadFilesize ,$freeSpace); $tmpl = new OCP\Template( 'files', 'index', 'user' ); -$tmpl->assign( 'fileList', $list->fetchPage() ); -$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage() ); +$tmpl->assign( 'fileList', $list->fetchPage(), false ); +$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage(), false ); $tmpl->assign( 'dir', $dir); $tmpl->assign( 'readonly', !OC_Filesystem::is_writable($dir.'/')); $tmpl->assign( 'files', $files ); diff --git a/apps/gallery/lib/tiles.php b/apps/gallery/lib/tiles.php index 5837c752ef..e43c99bb76 100644 --- a/apps/gallery/lib/tiles.php +++ b/apps/gallery/lib/tiles.php @@ -141,7 +141,7 @@ class TileStack extends TileBase { } public function get() { - $r = ''; + $r = ''; for ($i = 0; $i < count($this->tiles_array); $i++) { $top = rand(-5, 5); $left = rand(-5, 5); @@ -168,7 +168,7 @@ class TileStack extends TileBase { } public function getOnClickAction() { - return 'javascript:openNewGal(\''.htmlentities($this->stack_name).'\');'; + return 'javascript:openNewGal(\''.$this->stack_name.'\');'; } private $tiles_array; diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index d2404a80aa..78bc5b4656 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -186,7 +186,7 @@ class OC_GROUP_LDAP extends OC_Group_Backend { if(!$this->configured) { return array(); } - if(is_null($this->_groups)) { + if(empty($this->_groups)) { $ldap_groups = OC_LDAP::fetchListOfGroups($this->ldapGroupFilter, array(OC_LDAP::conf('ldapGroupDisplayName'), 'dn')); $this->_groups = OC_LDAP::ownCloudGroupNames($ldap_groups); } diff --git a/apps/user_ldap/settings.php b/apps/user_ldap/settings.php index f1a474ff27..42084855e8 100644 --- a/apps/user_ldap/settings.php +++ b/apps/user_ldap/settings.php 
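Review bot: `return 'javascript:openNewGal(\''.$this->stack_name.'\');'` in `getOnClickAction()` removes the only escaping on a value that ends up inside a single-quoted JavaScript string within an HTML attribute, so a stack name containing `'` (presumably a gallery directory name, which users control — not visible here) terminates the string and injects script; the removed `htmlentities()` call with default flags did not encode `'` either, so neither version fits this context. Encode for the JS string and then for the attribute: `return 'javascript:openNewGal('.htmlspecialchars(json_encode($this->stack_name), ENT_QUOTES).');';`. The `$r = ''` hunk above appears to have lost its content in this rendering, so I cannot review it.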
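Review bot: Switching the cache guard from `is_null($this->_groups)` to `empty($this->_groups)` makes an empty result uncacheable: when LDAP returns no groups, `_groups` is `array()`, `empty()` is true, and every subsequent call re-runs `fetchListOfGroups`. If the change is there because `_groups` is initialised to an empty array elsewhere (not visible), prefer a `null` initialiser with `=== null` or a dedicated "loaded" flag so a legitimate empty answer is still cached. The enclosing method starts before and ends after this hunk.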
@@ -20,7 +20,7 @@ * License along with this library. If not, see . * */ -$params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute'); +$params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute'); OCP\Util::addscript('user_ldap', 'settings'); @@ -47,13 +47,14 @@ if ($_POST) { // fill template $tmpl = new OCP\Template( 'user_ldap', 'settings'); foreach($params as $param){ - $value = htmlentities(OCP\Config::getAppValue('user_ldap', $param,'')); + $value = OCP\Config::getAppValue('user_ldap', $param,''); $tmpl->assign($param, $value); } // settings with default values $tmpl->assign( 'ldap_port', OCP\Config::getAppValue('user_ldap', 'ldap_port', '389')); $tmpl->assign( 'ldap_display_name', OCP\Config::getAppValue('user_ldap', 'ldap_display_name', 'uid')); +$tmpl->assign( 'ldap_group_display_name', OCP\Config::getAppValue('user_ldap', 'ldap_group_display_name', 'cn')); $tmpl->assign( 'ldap_group_member_assoc_attribute', OCP\Config::getAppValue('user_ldap', 'ldap_group_member_assoc_attribute', 'uniqueMember')); $tmpl->assign( 'ldap_agent_password', base64_decode(OCP\Config::getAppValue('user_ldap', 'ldap_agent_password'))); diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index 3462f2473f..31f453b5a5 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -22,6 +22,7 @@

    >

    t('Currently the display name field needs to be the same you matched %%uid against in the filter above, because ownCloud doesn\'t distinguish between user id and user name.');?>

    +

    bytes

    diff --git a/core/templates/login.php b/core/templates/login.php index 41d6ba41ef..a40bf5c330 100644 --- a/core/templates/login.php +++ b/core/templates/login.php @@ -1,7 +1,7 @@
    - '; } ?> + '; } ?> t('Lost your password?'); ?> diff --git a/index.php b/index.php index 07f8436720..b90b1b310a 100755 --- a/index.php +++ b/index.php @@ -112,6 +112,7 @@ elseif(OC_User::isLoggedIn()) { if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) { //OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG); OC_User::unsetMagicInCookie(); + $_REQUEST['redirect_url'] = (isset($_SERVER['REQUEST_URI'])?$_SERVER['REQUEST_URI']:''); OC_Util::redirectToDefaultPage(); }else{ $error = true; diff --git a/lib/template.php b/lib/template.php index 688199a878..ba82b21774 100644 --- a/lib/template.php +++ b/lib/template.php @@ -286,10 +286,8 @@ class OC_Template{ * This function is internally used to sanitize HTML. */ private static function sanitizeHTML( &$value ){ - if(is_string($value)) { - $value = htmlentities( $value, ENT_QUOTES ); - return $value; - } + $value = htmlentities( $value ); + return $value; } /** @@ -528,13 +526,13 @@ class OC_Template{ $_ = array_merge( $additionalparams, $this->vars ); } - // Einbinden + // Include ob_start(); include( $this->path.$file.'.php' ); $data = ob_get_contents(); @ob_end_clean(); - // Daten zurückgeben + // Return data return $data; } @@ -548,7 +546,7 @@ class OC_Template{ public static function printUserPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "user" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value, false ); } print $content->printPage(); } @@ -563,7 +561,7 @@ class OC_Template{ public static function printAdminPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "admin" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value, false ); } return $content->printPage(); } 
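Review bot: `sanitizeHTML()` now calls `htmlentities( $value )` with no flags, which drops ENT_QUOTES, so `'` is no longer encoded and a value printed into a single-quoted attribute or inline JS string can still break out; the `is_string` guard is gone as well, so objects passed through `assign()` raise warnings and other scalars are coerced. Restore both and pin the charset: `if(is_string($value)) { $value = htmlentities( $value, ENT_QUOTES, 'UTF-8' ); } return $value;`. The `printUserPage`/`printAdminPage`/`printGuestPage` hunks further down now forward every caller-supplied parameter with `false`, which silently moves all escaping responsibility to the templates; each of those methods deserves a docblock line saying so.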
@@ -578,7 +576,7 @@ class OC_Template{ public static function printGuestPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "guest" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value,false ); } return $content->printPage(); } diff --git a/lib/util.php b/lib/util.php old mode 100644 new mode 100755 index 7c85db71f5..d1d5983dcf --- a/lib/util.php +++ b/lib/util.php @@ -332,7 +332,8 @@ class OC_Util { * Redirect to the user default page */ public static function redirectToDefaultPage(){ - if(isset($_REQUEST['redirect_url']) && substr($_REQUEST['redirect_url'], 0, strlen(OC::$WEBROOT)) == OC::$WEBROOT) { + OC_Log::write('core','redirectToDefaultPage',OC_Log::DEBUG); + if(isset($_REQUEST['redirect_url']) && (substr($_REQUEST['redirect_url'], 0, strlen(OC::$WEBROOT)) == OC::$WEBROOT || $_REQUEST['redirect_url'][0] == '/')) { header( 'Location: '.$_REQUEST['redirect_url']); } else { header( 'Location: '.OC::$WEBROOT.'/'.OC_Appconfig::getValue('core', 'defaultpage', '?app=files')); @@ -358,12 +359,30 @@ class OC_Util { * Todo: Write howto */ public static function callRegister(){ + //mamimum time before token exires + $maxtime=(60*60); // 1 hour + // generate a random token. $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); // store the token together with a timestamp in the session. $_SESSION['requesttoken-'.$token]=time(); + // cleanup old tokens garbage collector + // only run every 20th time so we don´t waste cpu cycles + if(rand(0,20)==0) { + foreach($_SESSION as $key=>$value) { + // search all tokens in the session + if(substr($key,0,12)=='requesttoken') { + if($value+$maxtimeassign('loglevel',OC_Config::getValue( "loglevel", 2 )); +$tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ), false); $tmpl->assign('entries',$entries); $tmpl->assign('forms',array()); foreach($forms as $form){ 
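Review bot: The new `|| $_REQUEST['redirect_url'][0] == '/'` clause in `redirectToDefaultPage()` accepts protocol-relative targets, so `?redirect_url=//attacker.example` passes the check and `header('Location: //attacker.example')` sends the user off-site — an open redirect. Reject a second `/` or `\` after the leading slash: `$url = $_REQUEST['redirect_url']; $isLocal = isset($url[0]) && $url[0] == '/' && (!isset($url[1]) || ($url[1] != '/' && $url[1] != '\\'));` and only redirect when `$isLocal` holds. The existing `substr(..., 0, strlen(OC::$WEBROOT)) == OC::$WEBROOT` branch also accepts anything when `OC::$WEBROOT` is the empty string (root install), which I infer is possible but cannot confirm here. The added `OC_Log::write('core','redirectToDefaultPage',OC_Log::DEBUG)` looks like leftover tracing.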
diff --git a/settings/apps.php b/settings/apps.php index 7908e6cc18..f85b28158f 100644 --- a/settings/apps.php +++ b/settings/apps.php @@ -92,7 +92,7 @@ usort($apps, 'app_sort'); $tmpl = new OC_Template( "settings", "apps", "user" ); -$tmpl->assign('apps',$apps); +$tmpl->assign('apps',$apps, false); $tmpl->printPage(); diff --git a/settings/templates/admin.php b/settings/templates/admin.php index d167f2780e..38c6042c82 100644 --- a/settings/templates/admin.php +++ b/settings/templates/admin.php @@ -29,7 +29,7 @@ $levels=array('Debug','Info','Warning','Error','Fatal'); app;?> - message);?> + message;?> time);?> diff --git a/settings/templates/help.php b/settings/templates/help.php index cf61207e60..a53ec76d68 100644 --- a/settings/templates/help.php +++ b/settings/templates/help.php @@ -26,9 +26,9 @@
    "") { echo(''); } ?> - '') echo('

    '.htmlentities($kb["name"]).'

    ');?> -

    - '') echo('

    '.$l->t('Answer').':

    '.htmlentities($kb['answer']).'

    ');?> + '') echo('

    '.$kb["name"].'

    ');?> +

    + '') echo('

    '.$l->t('Answer').':

    '.$kb['answer'].'

    ');?>
    From 6defbc7f4d2573178ccf1b157e6ac37aa1db41d4 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:20:48 +0200 Subject: [PATCH 08/19] Removed some unessecary sanitizations --- apps/calendar/templates/part.choosecalendar.rowfields.php | 2 +- apps/files/templates/index.php | 2 +- apps/files_external/templates/settings.php | 8 ++++---- apps/user_openid/settings.php | 2 +- core/templates/404.php | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/calendar/templates/part.choosecalendar.rowfields.php b/apps/calendar/templates/part.choosecalendar.rowfields.php index 268c335601..bad268897b 100644 --- a/apps/calendar/templates/part.choosecalendar.rowfields.php +++ b/apps/calendar/templates/part.choosecalendar.rowfields.php @@ -2,7 +2,7 @@ echo ''; echo ''; echo ''; -echo ''; +echo ''; echo ''; echo ''; echo ''; diff --git a/apps/files/templates/index.php b/apps/files/templates/index.php index 3bd5a1ceef..44000171a1 100644 --- a/apps/files/templates/index.php +++ b/apps/files/templates/index.php @@ -15,7 +15,7 @@ - + diff --git a/apps/files_external/templates/settings.php b/apps/files_external/templates/settings.php index af185c2803..9f65cfca96 100644 --- a/apps/files_external/templates/settings.php +++ b/apps/files_external/templates/settings.php @@ -16,7 +16,7 @@ array())); ?> $mount): ?> > - + + - + - + diff --git a/apps/user_openid/settings.php b/apps/user_openid/settings.php index 062322f6fe..921fa371dd 100644 --- a/apps/user_openid/settings.php +++ b/apps/user_openid/settings.php @@ -2,7 +2,7 @@ $tmpl = new OCP\Template( 'user_openid', 'settings'); $identity=OCP\Config::getUserValue(OCP\USER::getUser(),'user_openid','identity',''); -$tmpl->assign('identity',htmlentities($identity)); +$tmpl->assign('identity',$identity); OCP\Util::addscript('user_openid','settings'); diff --git a/core/templates/404.php b/core/templates/404.php index cd4f2b40bb..13a8101034 100644 --- a/core/templates/404.php +++ b/core/templates/404.php 
@@ -10,6 +10,6 @@ if(!isset($_)){//also provide standalone error page
    • t( 'Cloud not found' ); ?>
      -

      +

    From d2a34f4b358627ae8b0077399b800d2296e84514 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:33:16 +0200 Subject: [PATCH 09/19] Fixes a issue with the log --- settings/admin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/settings/admin.php b/settings/admin.php index fed0fe9ff8..4cbd67c367 100644 --- a/settings/admin.php +++ b/settings/admin.php @@ -22,8 +22,8 @@ function compareEntries($a,$b){ } usort($entries, 'compareEntries'); -$tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ), false); -$tmpl->assign('entries',$entries); +$tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 )); +$tmpl->assign('entries',$entries,false); $tmpl->assign('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); From ad36fc8938409975df61c00953555b3e11435a76 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:43:37 +0200 Subject: [PATCH 10/19] Fix double sanitization --- apps/calendar/templates/part.choosecalendar.rowfields.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/calendar/templates/part.choosecalendar.rowfields.php b/apps/calendar/templates/part.choosecalendar.rowfields.php index bad268897b..965523f847 100644 --- a/apps/calendar/templates/part.choosecalendar.rowfields.php +++ b/apps/calendar/templates/part.choosecalendar.rowfields.php @@ -1,6 +1,6 @@ '; -echo ''; +echo ''; echo ''; echo ''; echo ''; From 68f819ee2077717bdbd1c9cd9a8e4c22e6685368 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:47:42 +0200 Subject: [PATCH 11/19] Removed double sanitization --- apps/calendar/lib/app.php | 4 ++-- .../templates/part.choosecalendar.rowfields.shared.php | 2 +- apps/calendar/templates/part.eventform.php | 8 ++++---- apps/calendar/templates/part.import.php | 2 +- apps/calendar/templates/part.showevent.php | 6 +++--- 5 files changed, 11 insertions(+), 11 deletions(-) 
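Review bot: `$tmpl->assign('entries',$entries,false);` routes the log entries into the admin template unescaped, and an earlier patch in this series removed a wrapping call around `$entry->message` in `settings/templates/admin.php` (that hunk is truncated in this rendering, so I infer it was `htmlentities`), so log messages are now printed raw; if any logged message embeds request-derived text such as a username or filename — not verifiable here — that is stored XSS in the admin page. The exemption presumably exists because `$entries` holds objects that `htmlentities()` cannot process, so escape at the sink instead: `<?php echo htmlentities($entry->message, ENT_QUOTES); ?>` in the template, and annotate the `false` here with a comment that the template escapes.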
diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php index 2cd28c0f78..ff7ad1cb93 100644 --- a/apps/calendar/lib/app.php +++ b/apps/calendar/lib/app.php @@ -377,8 +377,8 @@ class OC_Calendar_App{ $lastmodified = ($last_modified)?$last_modified->getDateTime()->format('U'):0; $output = array('id'=>(int)$event['id'], - 'title' => htmlspecialchars(($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed')), - 'description' => isset($vevent->DESCRIPTION)?htmlspecialchars($vevent->DESCRIPTION->value):'', + 'title' => ($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed'), + 'description' => isset($vevent->DESCRIPTION)?$vevent->DESCRIPTION->value:'', 'lastmodified'=>$lastmodified); $dtstart = $vevent->DTSTART; diff --git a/apps/calendar/templates/part.choosecalendar.rowfields.shared.php b/apps/calendar/templates/part.choosecalendar.rowfields.shared.php index 6a212858a2..a23266da0c 100644 --- a/apps/calendar/templates/part.choosecalendar.rowfields.shared.php +++ b/apps/calendar/templates/part.choosecalendar.rowfields.shared.php @@ -1,4 +1,4 @@ '; -echo ''; +echo ''; echo '' . $l->t('shared with you by') . ' ' . $_['share']['owner'] . ''; \ No newline at end of file diff --git a/apps/calendar/templates/part.eventform.php b/apps/calendar/templates/part.eventform.php index 2d86ce4d31..95eecf2622 100644 --- a/apps/calendar/templates/part.eventform.php +++ b/apps/calendar/templates/part.eventform.php @@ -18,7 +18,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid t("Title");?>: - " value="" maxlength="100" name="title"/> + " value="" maxlength="100" name="title"/> @@ -26,7 +26,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid t("Category");?>: - + <?php echo $l->t('Edit categories'); ?> 1) { ?> 
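Review bot: Removing `htmlspecialchars()` from `title` and `description` means the enclosing method (it starts before the hunk) now returns raw user-entered summary and description text, which judging by the key names is presumably serialised to the calendar's JavaScript; if that script inserts them with `.html()`/innerHTML the encoding that protected it is gone. Either keep escaping here with a comment that this output is HTML-context, or confirm the consumer uses text insertion and record it in the code: `// raw text: consumers must escape for their output context`.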
@@ -80,7 +80,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid t("Location");?>: - " value="" maxlength="100" name="location" /> + " value="" maxlength="100" name="location" /> @@ -88,7 +88,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid t("Description");?>: - + diff --git a/apps/calendar/templates/part.import.php b/apps/calendar/templates/part.import.php index b966100cc1..70ff961215 100644 --- a/apps/calendar/templates/part.import.php +++ b/apps/calendar/templates/part.import.php @@ -9,7 +9,7 @@ $calendar_options = OC_Calendar_Calendar::allCalendars(OCP\USER::getUser()); $calendar_options[] = array('id'=>'newcal', 'displayname'=>$l->t('create a new calendar')); for($i = 0;$i'id', 'label'=>'displayname')); ?> diff --git a/apps/calendar/templates/part.showevent.php b/apps/calendar/templates/part.showevent.php index 3646baf5bb..a5bbfd5b8f 100644 --- a/apps/calendar/templates/part.showevent.php +++ b/apps/calendar/templates/part.showevent.php @@ -10,7 +10,7 @@ t("Title");?>: - + @@ -79,7 +79,7 @@ t("Location");?>: - + @@ -87,7 +87,7 @@ t("Description");?>: - + From f9bf34340c7618a90f8ac3452b7d89085882cab3 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jun 2012 19:49:24 +0200 Subject: [PATCH 12/19] Removed unecessary sanitization --- apps/tasks/templates/part.taskform.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/tasks/templates/part.taskform.php b/apps/tasks/templates/part.taskform.php index c00560903b..0a25ed33c9 100644 --- a/apps/tasks/templates/part.taskform.php +++ b/apps/tasks/templates/part.taskform.php @@ -5,7 +5,7 @@
    - + <?php echo $l->t('Edit categories'); ?>
    From b9d5f510c37b3591cb969132d3099561dc55a89f Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Wed, 13 Jun 2012 17:22:28 +0200 Subject: [PATCH 13/19] urlencode link fort password reset (bug #970) --- core/lostpassword/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php index 6bed7bdd93..bd2a3e897e 100644 --- a/core/lostpassword/index.php +++ b/core/lostpassword/index.php @@ -17,7 +17,7 @@ if (isset($_POST['user'])) { OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token); $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', ''); if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) { - $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.$_POST['user'].'&token='.$token; + $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token; $tmpl = new OC_Template('core/lostpassword', 'email'); $tmpl->assign('link', $link); $msg = $tmpl->fetchPage(); From 9e9c40eabd07cc4b44f2a9ae3d7935ad2a07b9fa Mon Sep 17 00:00:00 2001 From: Frank Karlitschek Date: Wed, 13 Jun 2012 17:27:49 +0200 Subject: [PATCH 14/19] fix time call --- lib/util.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/util.php b/lib/util.php index d1d5983dcf..e4efd953ec 100755 --- a/lib/util.php +++ b/lib/util.php 
@@ -409,7 +409,7 @@ class OC_Util { // check if the token is in the user session and if the timestamp is from the last hour. if(isset($_SESSION['requesttoken-'.$token])) { $timestamp=$_SESSION['requesttoken-'.$token]; - if($timestamp+$maxtime Date: Wed, 13 Jun 2012 17:33:19 +0200 Subject: [PATCH 15/19] Added JSON methods for CSRF prevention. Make request token accessible from template and add js var. --- core/templates/layout.user.php | 10 ++++++++ lib/json.php | 12 ++++++++++ lib/public/json.php | 7 ++++++ lib/template.php | 4 ++++ lib/util.php | 43 +++++++++++++++++----------------- 5 files changed, 54 insertions(+), 22 deletions(-) diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index e04fcabf13..6f9b02237c 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -30,6 +30,16 @@ echo '/>'; ?> + diff --git a/lib/json.php b/lib/json.php index f3bbe9ac89..dfc0a7b894 100644 --- a/lib/json.php +++ b/lib/json.php @@ -41,6 +41,18 @@ class OC_JSON{ } } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + if( !OC_Util::isCallRegistered()){ + $l = OC_L10N::get('core'); + self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') ))); + exit(); + } + } + /** * Check if the user is a admin, send json error msg if not */ diff --git a/lib/public/json.php b/lib/public/json.php index a8554671d1..b6edbd65bd 100644 --- a/lib/public/json.php +++ b/lib/public/json.php @@ -53,6 +53,13 @@ class JSON { return(\OC_JSON::checkLoggedIn()); } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + return(\OC_JSON::callCheck()); + } /** * @brief Send json success msg diff --git a/lib/template.php b/lib/template.php index 14833a1e5b..9ce041a71c 100644 --- a/lib/template.php 
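Review bot: The docblock on the new `OC_JSON::callCheck()` says `@return json Error msg if not valid.`, but the method never returns in that case — it emits the JSON error and calls `exit()` — and returns nothing on success, so the `return(\OC_JSON::callCheck())` wrapper in lib/public/json.php always yields null. Suggest `@return void` with a sentence such as "Sends a JSON error and terminates the request when the request token is missing, expired or invalid; returns normally otherwise." It is also worth stating in the docblock that the check is opt-in: an AJAX endpoint is only protected if it calls this itself, which the contacts patch further down has to do file by file. The lookup is delegated to `OC_Util::isCallRegistered()`, whose hunk is truncated in this view, but its visible part accepts the token from `$_GET` as well, which puts the anti-CSRF token into URLs, Referer headers and access logs; documenting that POST body or the `requesttoken` header is the intended channel would steer callers away from GET.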
+++ b/lib/template.php
@@ -155,6 +155,9 @@ class OC_Template{
 $this->renderas = $renderas;
 $this->application = $app;
 $this->vars = array();
+ if($renderas == 'user') {
+ $this->vars['requesttoken'] = OC_Util::callRegister();
+ }
 $this->l10n = OC_L10N::get($app);
 header('X-Frame-Options: Sameorigin');
 header('X-XSS-Protection: 1; mode=block');
@@ -355,6 +358,7 @@ class OC_Template{
 if( $this->renderas == "user" ){
 $page = new OC_Template( "core", "layout.user" );
 $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
+ $page->assign('requesttoken', $this->vars['requesttoken']);
 if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
 $page->assign('bodyid','body-settings');
 }else{
diff --git a/lib/util.php b/lib/util.php
index e4efd953ec..0266a8ecc5 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -355,8 +355,9 @@ class OC_Util {
 }
 /**
- * Register an get/post call. This is important to prevent CSRF attacks
+ * @brief Register an get/post call. This is important to prevent CSRF attacks
 * Todo: Write howto
+ * @return $token Generated token.
 */
 public static function callRegister(){
 //mamimum time before token exires
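Review bot: The added `$page->assign('requesttoken', $this->vars['requesttoken'])` forwards the token from the app template's variable bag, which any app can overwrite with `$tmpl->assign('requesttoken', ...)` — the contacts cropphoto.php later in this series assigns exactly that name from `$_GET` — so the layout would embed whatever the app put there rather than the token `callRegister()` registered in the session. Storing the token in a dedicated property in the constructor, e.g. `$this->requesttoken = OC_Util::callRegister();`, and assigning that here keeps the layout's token independent of app data. The read is only safe because both this branch and the constructor test `renderas == 'user'`; a one-line comment noting that coupling would help the next maintainer. The enclosing method starts and ends outside the hunk.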
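Review bot: `@return $token Generated token.` on `callRegister()` is not valid phpdoc — the tag takes a type, not a variable name — and a reader cannot tell what type the token is. Suggest `@return string The newly generated request token; it is also recorded in the session so isCallRegistered() can validate it later.`, with the second half confirmed against the body, which continues below the hunk.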
@@ -381,50 +382,48 @@ class OC_Util { } } } - - // return the token return($token); } /** - * Check an ajax get/post call if the request token is valid. exit if not. - * Todo: Write howto + * @brief Check an ajax get/post call if the request token is valid. + * @return boolean False if request token is not set or is invalid. */ - public static function callCheck(){ + public static function isCallRegistered(){ //mamimum time before token exires $maxtime=(60*60); // 1 hour - - // searches in the get and post arrays for the token. if(isset($_GET['requesttoken'])) { $token=$_GET['requesttoken']; }elseif(isset($_POST['requesttoken'])){ $token=$_POST['requesttoken']; + }elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){ + $token=$_SERVER['HTTP_REQUESTTOKEN']; }else{ - //no token found. exiting - exit; + //no token found. + return false; } - - // check if the token is in the user session and if the timestamp is from the last hour. if(isset($_SESSION['requesttoken-'.$token])) { $timestamp=$_SESSION['requesttoken-'.$token]; if($timestamp+$maxtime Date: Wed, 13 Jun 2012 17:35:42 +0200 Subject: [PATCH 16/19] Contacts: implemented CSRF prevention. --- apps/contacts/ajax/activation.php | 1 + apps/contacts/ajax/addcontact.php | 1 + apps/contacts/ajax/addproperty.php | 10 ++++++++++ apps/contacts/ajax/createaddressbook.php | 1 + apps/contacts/ajax/cropphoto.php | 2 ++ apps/contacts/ajax/deletebook.php | 1 + apps/contacts/ajax/deletecard.php | 11 +++++++++++ apps/contacts/ajax/deleteproperty.php | 1 + apps/contacts/ajax/savecrop.php | 1 + apps/contacts/ajax/saveproperty.php | 19 +++++++++++++++---- apps/contacts/ajax/uploadphoto.php | 2 ++ apps/contacts/js/contacts.js | 4 ++-- apps/contacts/templates/part.contact.php | 2 ++ apps/contacts/templates/part.cropphoto.php | 2 ++ 14 files changed, 52 insertions(+), 6 deletions(-) diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php index 388a3b5438..74cb738ab8 100644 --- a/apps/contacts/ajax/activation.php 
+++ b/apps/contacts/ajax/activation.php @@ -10,6 +10,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $bookid = $_POST['bookid']; $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php index af9b2bbcc0..e45072c954 100644 --- a/apps/contacts/ajax/addcontact.php +++ b/apps/contacts/ajax/addcontact.php @@ -23,6 +23,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $aid = isset($_POST['aid'])?$_POST['aid']:null; if(!$aid) { diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php index 94e09bac19..c1fca9abea 100644 --- a/apps/contacts/ajax/addproperty.php +++ b/apps/contacts/ajax/addproperty.php @@ -23,6 +23,16 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +foreach($_SERVER as $key=>$value) { + OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG); +} +foreach($_POST as $key=>$value) { + OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG); +} +foreach($_GET as $key=>$value) { + OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG); +} +OCP\JSON::callCheck(); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php index af7c19eef5..616766bb1a 100644 --- a/apps/contacts/ajax/createaddressbook.php +++ b/apps/contacts/ajax/createaddressbook.php @@ -11,6 +11,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $userid = OCP\USER::getUser(); $name = trim(strip_tags($_POST['name'])); 
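Review bot: The three `foreach` loops added to addproperty.php ahead of `OCP\JSON::callCheck()` write every `$_SERVER`, `$_POST` and `$_GET` entry to the application log at DEBUG level; `$_SERVER` typically carries the session cookie (`HTTP_COOKIE`) and, with HTTP auth, the credentials, and `$_POST`/`HTTP_REQUESTTOKEN` carry the CSRF token this very series introduces, so an installation with debug logging on ends up with session and anti-CSRF secrets in its log. The prefix still reads `ajax/saveproperty.php` inside addproperty.php, which suggests copy-pasted tracing that was not meant to be committed. Because the loops run before `callCheck()`, a forged cross-site request is logged in full before being rejected. Drop the three loops and keep only the `OCP\JSON::callCheck();` line; if request tracing is genuinely needed, log the specific keys required with the token and cookie excluded.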
diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php index caba7c8c4e..eb9f1fcdb5 100644 --- a/apps/contacts/ajax/cropphoto.php +++ b/apps/contacts/ajax/cropphoto.php @@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); $tmpkey = $_GET['tmpkey']; +$requesttoken = $_GET['requesttoken']; $id = $_GET['id']; $tmpl = new OCP\Template("contacts", "part.cropphoto"); $tmpl->assign('tmpkey', $tmpkey); $tmpl->assign('id', $id); +$tmpl->assign('requesttoken', $requesttoken); $page = $tmpl->fetchPage(); OCP\JSON::success(array('data' => array( 'page' => $page ))); diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php index fe582daa00..1b86ecf223 100644 --- a/apps/contacts/ajax/deletebook.php +++ b/apps/contacts/ajax/deletebook.php @@ -23,6 +23,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); //$id = $_GET['id']; $id = $_POST['id']; diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php index e6d0405a24..2a6bd277d1 100644 --- a/apps/contacts/ajax/deletecard.php +++ b/apps/contacts/ajax/deletecard.php @@ -28,6 +28,17 @@ function bailOut($msg) { // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); + +// foreach($_SERVER as $key=>$value) { +// OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG); +// } +foreach($_POST as $key=>$value) { + OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG); +} +foreach($_GET as $key=>$value) { + OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG); +} $id = isset($_POST['id'])?$_POST['id']:null; if(!$id) { diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php index e6c2bd9f80..55f7e32308 100644 
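Review bot: `$requesttoken = $_GET['requesttoken'];` takes the token from the client and hands it straight to the template, so the rendered crop form carries whatever value the caller sent rather than one bound to the session, and whether it is escaped on output depends on part.cropphoto.php, which is not readable in this view — an unescaped echo there would be a reflected-XSS sink for a GET parameter. Since this script does not verify the token itself, consider not accepting it from the request at all and obtaining it server-side instead (`OC_Util::callRegister()` is what the template layer uses for user pages), and escaping it in the template regardless. `$_GET['requesttoken']`, like the existing `$_GET['tmpkey']` and `$_GET['id']`, is also read without `isset`, so a missing parameter raises a notice.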
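Review bot: Same debug dump as in addproperty.php: the new loops in deletecard.php log every `$_POST` and `$_GET` parameter — including the `requesttoken` value — at DEBUG level, the commented-out `$_SERVER` loop above them shows the intent was temporary tracing, and the prefix `ajax/saveproperty.php` is wrong for this file. Remove the loops and the commented block before merge, leaving only the `OCP\JSON::callCheck();` addition. The `$id` handling continues outside the hunk.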
--- a/apps/contacts/ajax/deleteproperty.php +++ b/apps/contacts/ajax/deleteproperty.php @@ -23,6 +23,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $id = $_POST['id']; $checksum = $_POST['checksum']; diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php index b3aab6a881..6faf6a173d 100644 --- a/apps/contacts/ajax/savecrop.php +++ b/apps/contacts/ajax/savecrop.php @@ -22,6 +22,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); // Firefox and Konqueror tries to download application/json for me. --Arthur OCP\JSON::setContentTypeHeader('text/plain'); diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php index d840073471..c779c49611 100644 --- a/apps/contacts/ajax/saveproperty.php +++ b/apps/contacts/ajax/saveproperty.php @@ -20,10 +20,6 @@ * */ -// Check if we are a user -OCP\JSON::checkLoggedIn(); -OCP\JSON::checkAppEnabled('contacts'); - function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG); @@ -33,6 +29,21 @@ function debug($msg) { OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG); } +// Check if we are a user +OCP\JSON::checkLoggedIn(); +OCP\JSON::checkAppEnabled('contacts'); + +foreach($_SERVER as $key=>$value) { + debug('_SERVER: '.$key.'=>'.print_r($value, true)); +} +foreach($_POST as $key=>$value) { + debug('_POST: '.$key.'=>'.print_r($value, true)); +} +foreach($_GET as $key=>$value) { + debug('_GET: '.$key.'=>'.print_r($value, true)); +} +OCP\JSON::callCheck(); + $id = isset($_POST['id'])?$_POST['id']:null; $name = isset($_POST['name'])?$_POST['name']:null; $value = isset($_POST['value'])?$_POST['value']:null; 
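Review bot: The relocated block in saveproperty.php now logs the entire `$_SERVER`, `$_POST` and `$_GET` arrays via `debug()` before `OCP\JSON::callCheck()` runs, which puts the session cookie from `$_SERVER['HTTP_COOKIE']`, the request token and every contact field value into the log whenever debug logging is enabled, for requests that have not yet passed the CSRF check. Moving `checkLoggedIn()`/`checkAppEnabled()` below the helper definitions is fine; the three loops should not ship. Keep `checkLoggedIn()`, `checkAppEnabled('contacts')` and `callCheck()` back to back with no logging in between, or log only the few fields that are useful with the token and cookie excluded.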
diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php index 32abc6c285..889de6a1f8 100644 --- a/apps/contacts/ajax/uploadphoto.php +++ b/apps/contacts/ajax/uploadphoto.php @@ -23,6 +23,8 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); + // Firefox and Konqueror tries to download application/json for me. --Arthur OCP\JSON::setContentTypeHeader('text/plain'); function bailOut($msg) { diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 6b83504c9c..45509a7f9d 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -622,7 +622,7 @@ Contacts={ q = q + '&id=' + this.id + '&name=' + name; if(checksum != undefined && checksum != '') { // save q = q + '&checksum=' + checksum; - //console.log('Saving: ' + q); + console.log('Saving: ' + q); $(obj).attr('disabled', 'disabled'); $.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){ if(jsondata.status == 'success'){ @@ -640,7 +640,7 @@ Contacts={ } },'json'); } else { // add - //console.log('Adding: ' + q); + console.log('Adding: ' + q); $(obj).attr('disabled', 'disabled'); $.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){ if(jsondata.status == 'success'){ diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php index c1ba1ccdc2..ca682baaf8 100644 --- a/apps/contacts/templates/part.contact.php +++ b/apps/contacts/templates/part.contact.php @@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : ''; ?>
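Review bot: Re-enabling `console.log('Saving: ' + q);` and `console.log('Adding: ' + q);` in contacts.js prints the full request payload `q` — the contact property values being submitted — to the browser console on every save, and since the rest of this series is hardening work, a previously commented-out debug line coming back looks unintentional. Restore the comments (`//console.log('Saving: ' + q);`, `//console.log('Adding: ' + q);`) or gate them behind a debug flag. The construction of `q` starts above the hunk, so the exact contents of the payload cannot be confirmed here.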
    + @@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
    +
    diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php index d7f0efc57d..1e025ef4e0 100644 --- a/apps/contacts/templates/part.cropphoto.php +++ b/apps/contacts/templates/part.cropphoto.php @@ -1,6 +1,7 @@