From 64273335d1bae12b2fe7d9664e1665d6e69d47af Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 24 Aug 2012 09:43:50 +0200 Subject: more $INPUT use FS#2577 --- inc/auth.php | 44 +++++++++++++++++++------------------------- lib/exe/ajax.php | 24 +++++++++++++----------- lib/plugins/acl/admin.php | 46 +++++++++++++++++++++++++--------------------- lib/plugins/acl/ajax.php | 11 +++++++---- 4 files changed, 64 insertions(+), 61 deletions(-) diff --git a/inc/auth.php b/inc/auth.php index cedfdee36..905cc14bf 100644 --- a/inc/auth.php +++ b/inc/auth.php 
@@ -733,68 +733,62 @@ function register() { global $conf; /* @var auth_basic $auth */ global $auth; + global $INPUT; - if(!$_POST['save']) return false; + if(!$INPUT->post->bool('save')) return false; if(!actionOK('register')) return false; - //clean username - $_POST['login'] = trim($auth->cleanUser($_POST['login'])); - - //clean fullname and email - $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname'])); - $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email'])); + // gather input + $login = trim($auth->cleanUser($INPUT->post->str('login'))); + $fullname = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('fullname'))); + $email = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('email'))); + $pass = $INPUT->post->str('pass'); + $passchk = $INPUT->post->str('passchk'); - if(empty($_POST['login']) || - empty($_POST['fullname']) || - empty($_POST['email']) - ) { + if(empty($login) || empty($fullname) || empty($email)) { msg($lang['regmissing'], -1); return false; } if($conf['autopasswd']) { $pass = auth_pwgen(); // automatically generate password - } elseif(empty($_POST['pass']) || - empty($_POST['passchk']) - ) { + } elseif(empty($pass) || empty($passchk)) { msg($lang['regmissing'], -1); // complain about missing passwords return false; - } elseif($_POST['pass'] != $_POST['passchk']) { + } elseif($pass != $passchk) { msg($lang['regbadpass'], -1); // complain about misspelled passwords return false; - } else { - $pass = $_POST['pass']; // accept checked and valid password } //check mail - if(!mail_isvalid($_POST['email'])) { + if(!mail_isvalid($email)) { msg($lang['regbadmail'], -1); return false; } //okay try to create the user - if(!$auth->triggerUserMod('create', array($_POST['login'], $pass, $_POST['fullname'], $_POST['email']))) { + if(!$auth->triggerUserMod('create', array($login, $pass, $fullname, $email))) { msg($lang['reguexists'], -1); return false; } // create 
substitutions for use in notification email $substitutions = array( - 'NEWUSER' => $_POST['login'], - 'NEWNAME' => $_POST['fullname'], - 'NEWEMAIL' => $_POST['email'], + 'NEWUSER' => $login, + 'NEWNAME' => $fullname, + 'NEWEMAIL' => $email, ); if(!$conf['autopasswd']) { msg($lang['regsuccess2'], 1); - notify('', 'register', '', $_POST['login'], false, $substitutions); + notify('', 'register', '', $login, false, $substitutions); return true; } // autogenerated password? then send him the password - if(auth_sendPassword($_POST['login'], $pass)) { + if(auth_sendPassword($login, $pass)) { msg($lang['regsuccess'], 1); - notify('', 'register', '', $_POST['login'], false, $substitutions); + notify('', 'register', '', $login, false, $substitutions); return true; } else { msg($lang['regmailfail'], -1); diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index 945091f34..496b2f1a1 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -162,7 +162,8 @@ function ajax_lock(){ * @author Andreas Gohr */ function ajax_draftdel(){ - $id = cleanID($_REQUEST['id']); + global $INPUT; + $id = cleanID($INPUT->str('id')); if(empty($id)) return; $client = $_SERVER['REMOTE_USER']; @@ -218,11 +219,11 @@ function ajax_medialist(){ * @author Kate Arzamastseva */ function ajax_mediadetails(){ - global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf; + global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf, $INPUT; $fullscreen = true; require_once(DOKU_INC.'lib/exe/mediamanager.php'); - if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']); + if ($INPUT->has('image')) $image = cleanID($INPUT->str('image')); if (isset($IMG)) $image = $IMG; if (isset($JUMPTO)) $image = $JUMPTO; if (isset($REV) && !$JUMPTO) $rev = $REV; 
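Review bot: The password confirmation test `} elseif($pass != $passchk) {` still uses loose comparison, so two numeric-looking strings such as `1e3` and `1000` compare equal and slip past the mismatch check; both values are now plain strings from `$INPUT->post->str()`, so `} elseif($pass !== $passchk) {` is the right form. The preceding `} elseif(empty($pass) || empty($passchk)) {` also rejects a password consisting of the single character `0` as missing; `$pass === '' || $passchk === ''` would only reject genuinely empty input. register()'s signature and its final lines lie outside the hunk.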
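Review bot: `$id = cleanID($INPUT->str('id'));` in ajax_draftdel() reads the target of a state-changing delete from the merged GET/POST input, whereas register() in this same commit deliberately restricts itself to `$INPUT->post`; unless a GET-triggered draft deletion is relied on elsewhere, `$id = cleanID($INPUT->post->str('id'));` keeps the action POST-only and consistent with the other change. Whether a security token is verified before the delete is not visible here, as the function's body continues past the hunk.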
@@ -237,25 +238,26 @@ function ajax_mediadetails(){ */ function ajax_mediadiff(){ global $NS; + global $INPUT; - if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']); + if ($INPUT->has('image')) $image = cleanID($INPUT->str('image')); $NS = $_POST['ns']; - $auth = auth_quickaclcheck("$ns:*"); + $auth = auth_quickaclcheck("$NS:*"); media_diff($image, $NS, $auth, true); } function ajax_mediaupload(){ - global $NS, $MSG; + global $NS, $MSG, $INPUT; if ($_FILES['qqfile']['tmp_name']) { - $id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']); - } elseif (isset($_GET['qqfile'])) { - $id = $_GET['qqfile']; + $id = $INPUT->post->str('mediaid', $_FILES['qqfile']['name']); + } elseif ($INPUT->get->has('qqfile')) { + $id = $INPUT->get->str('qqfile'); } $id = cleanID($id); - $NS = $_REQUEST['ns']; + $NS = $INPUT->str('ns'); $ns = $NS.':'.getNS($id); $AUTH = auth_quickaclcheck("$ns:*"); @@ -264,7 +266,7 @@ function ajax_mediaupload(){ if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']); if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']); - if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH); + if ($INPUT->get->has('qqfile')) $res = media_upload_xhr($NS, $AUTH); if ($res) $result = array('success' => true, 'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'), diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index 64d6ff3ca..1197892f2 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php 
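Review bot: `$NS = $_POST['ns'];` in ajax_mediadiff() still reads the raw superglobal one line after the `image` parameter was moved to `$INPUT`, and `$NS` then feeds directly into `auth_quickaclcheck("$NS:*")` without passing through cleanID(); `$NS = cleanID($INPUT->post->str('ns'));` would match how the acl admin plugin treats the same parameter in this commit. In ajax_mediaupload(), `$id = $INPUT->post->str('mediaid', $_FILES['qqfile']['name']);` only substitutes the file name when `mediaid` is absent, while the replaced `empty($_POST['mediaid'])` test also covered a present-but-empty value, so an empty `mediaid` field now yields `$id = ''` unless str() treats empty values as missing — confirm against the Input class. ajax_mediadiff() is complete within the hunk; ajax_mediaupload() continues past its end.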
@@ -56,22 +56,23 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { global $ID; global $auth; global $config_cascade; + global $INPUT; // fresh 1:1 copy without replacements $AUTH_ACL = file($config_cascade['acl']['default']); // namespace given? - if($_REQUEST['ns'] == '*'){ + if($INPUT->str('ns') == '*'){ $this->ns = '*'; }else{ - $this->ns = cleanID($_REQUEST['ns']); + $this->ns = cleanID($INPUT->str('ns')); } - if ($_REQUEST['current_ns']) { - $this->current_item = array('id' => cleanID($_REQUEST['current_ns']), 'type' => 'd'); - } elseif ($_REQUEST['current_id']) { - $this->current_item = array('id' => cleanID($_REQUEST['current_id']), 'type' => 'f'); + if ($INPUT->str('current_ns')) { + $this->current_item = array('id' => cleanID($INPUT->str('current_ns')), 'type' => 'd'); + } elseif ($INPUT->str('current_id')) { + $this->current_item = array('id' => cleanID($INPUT->str('current_id')), 'type' => 'f'); } elseif ($this->ns) { $this->current_item = array('id' => $this->ns, 'type' => 'd'); } else { 
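Review bot: `if ($INPUT->str('current_ns')) {` and the following `elseif ($INPUT->str('current_id')) {` test string truthiness, so a namespace or page id that is literally `0` is treated as absent and falls through to the `$this->ns` branch, exactly as the replaced `$_REQUEST` checks did; `if ($INPUT->str('current_ns') !== '') {` (and the same for `current_id`) keeps the intent without depending on PHP's truthiness rules. `if($INPUT->str('ns') == '*'){` compares two strings and can use `===` for the same reason. The enclosing method starts and ends outside the hunk.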
@@ -79,24 +80,25 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } // user or group choosen? - $who = trim($_REQUEST['acl_w']); - if($_REQUEST['acl_t'] == '__g__' && $who){ + $who = trim($INPUT->str('acl_w')); + if($INPUT->str('acl_t') == '__g__' && $who){ $this->who = '@'.ltrim($auth->cleanGroup($who),'@'); - }elseif($_REQUEST['acl_t'] == '__u__' && $who){ + }elseif($INPUT->str('acl_t') == '__u__' && $who){ $this->who = ltrim($who,'@'); if($this->who != '%USER%' && $this->who != '%GROUP%'){ #keep wildcard as is $this->who = $auth->cleanUser($this->who); } - }elseif($_REQUEST['acl_t'] && - $_REQUEST['acl_t'] != '__u__' && - $_REQUEST['acl_t'] != '__g__'){ - $this->who = $_REQUEST['acl_t']; + }elseif($INPUT->str('acl_t') && + $INPUT->str('acl_t') != '__u__' && + $INPUT->str('acl_t') != '__g__'){ + $this->who = $INPUT->str('acl_t'); }elseif($who){ $this->who = $who; } // handle modifications - if(isset($_REQUEST['cmd']) && checkSecurityToken()){ + if($INPUT->has('cmd') && checkSecurityToken()){ + $cmd = $INPUT->extract('cmd')->str('cmd'); // scope for modifications if($this->ns){ 
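Review bot: `$INPUT->str('acl_t')` is evaluated five times across the chain that begins at `if($INPUT->str('acl_t') == '__g__' && $who){`; reading it once beside `$who`, `$type = $INPUT->str('acl_t');`, and comparing `$type` in each branch makes the three-way distinction (group, user, literal selection) easier to follow and removes the repeated lookups. The literal branch `$this->who = $INPUT->str('acl_t');` stores the value without the cleanGroup()/cleanUser() pass the other two branches apply, which preserves the old behaviour but deserves a comment stating which values are expected to arrive there. The enclosing method continues on both sides of the hunk.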
@@ -109,19 +111,21 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { $scope = $ID; } - if(isset($_REQUEST['cmd']['save']) && $scope && $this->who && isset($_REQUEST['acl'])){ + if($cmd == 'save' && $scope && $this->who && $INPUT->has('acl')){ // handle additions or single modifications $this->_acl_del($scope, $this->who); - $this->_acl_add($scope, $this->who, (int) $_REQUEST['acl']); - }elseif(isset($_REQUEST['cmd']['del']) && $scope && $this->who){ + $this->_acl_add($scope, $this->who, $INPUT->int('acl')); + }elseif($cmd == 'del' && $scope && $this->who){ // handle single deletions $this->_acl_del($scope, $this->who); - }elseif(isset($_REQUEST['cmd']['update'])){ + }elseif($cmd == 'update'){ + $acl = $INPUT->arr('acl'); + // handle update of the whole file - foreach((array) $_REQUEST['del'] as $where => $names){ + foreach($INPUT->arr('del') as $where => $names){ // remove all rules marked for deletion foreach($names as $who) - unset($_REQUEST['acl'][$where][$who]); + unset($acl[$where][$who]); } // prepare lines $lines = array(); @@ -134,7 +138,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } } // re-add all rules - foreach((array) $_REQUEST['acl'] as $where => $opt){ + foreach($acl as $where => $opt){ foreach($opt as $who => $perm){ if ($who[0]=='@') { if ($who!='@ALL') { diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php index 3a5d89c08..10e18af97 100644 --- a/lib/plugins/acl/ajax.php +++ b/lib/plugins/acl/ajax.php @@ -11,6 +11,10 @@ require_once(DOKU_INC.'inc/init.php'); //close session session_write_close(); +global $conf; +global $ID; +global $INPUT; + //fix for Opera XMLHttpRequests $postData = http_get_raw_post_data(); if(!count($_POST) && !empty($postData)){ 
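Review bot: `foreach($names as $who)` inside `foreach($INPUT->arr('del') as $where => $names){` assumes every value of `del` is itself an array, but `arr()` can only guarantee the outer level, so a request carrying `del[x]=y` makes the inner foreach warn and skip; `foreach((array) $names as $who)` keeps the loop robust. The same applies to `foreach($opt as $who => $perm){` in the `@@ -134,7 +138,7 @@` hunk below, where `$opt` comes from `$acl = $INPUT->arr('acl');`. The `$cmd == 'save'`, `'del'` and `'update'` comparisons are string-against-string and can be `===`. The enclosing method continues outside the hunk on both sides.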
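Review bot: The three `global` statements added after `session_write_close();` are no-ops at file scope unless this script is ever included from inside a function, so they act purely as declarations for readers and tools; a one-line comment such as `// declared for readers and static analysis; this file runs at global scope` would make that explicit, in the spirit of the `@var` docblock the commit adds for `$acl` in the next hunk. Separately, `$INPUT` is presumably created during `require_once(DOKU_INC.'inc/init.php')`, before the Opera fix below repopulates `$_POST` from the raw body, so the `$INPUT->str('ajax')` and `$INPUT->str('ns')` reads in the following hunk only see that data if the Input class keeps references to the superglobals rather than copies — worth confirming, as the fix's body lies past the hunk's end.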
@@ -22,20 +26,19 @@ if(!checkSecurityToken()) die('CRSF Attack'); $ID = getID(); +/** @var $acl admin_plugin_acl */ $acl = plugin_load('admin','acl'); $acl->handle(); -$ajax = $_REQUEST['ajax']; +$ajax = $INPUT->str('ajax'); header('Content-Type: text/html; charset=utf-8'); if($ajax == 'info'){ $acl->_html_info(); }elseif($ajax == 'tree'){ - global $conf; - global $ID; $dir = $conf['datadir']; - $ns = $_REQUEST['ns']; + $ns = $INPUT->str('ns'); if($ns == '*'){ $ns =''; } -- cgit v1.2.3
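Review bot: `$ns = $INPUT->str('ns');` is only normalised for the wildcard case (`if($ns == '*'){ $ns =''; }`) and is otherwise used as received; given `$dir = $conf['datadir'];` two lines earlier it presumably ends up in a filesystem path further down, in which case it should go through `cleanID()` the way the acl admin plugin handles the same parameter in this commit, e.g. `$ns = cleanID($INPUT->str('ns'));` placed after the `*` check so the wildcard is still recognised. That use is below the hunk's end, so confirm it there. `$ajax == 'info'` and `$ajax == 'tree'` compare strings and can be `===`.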