diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2012-07-06 11:07:34 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2012-07-06 11:07:34 +0200 |
| commit | 29f2dfdcb84bbfd8394b14e2e79809828e923247 (patch) | |
| tree | f573b232a06346d2d1b41910bb8f7e34fe518397 /inc | |
| parent | 14e2b802ac28e91a3e1f468396950ed5b318109d (diff) | |
| parent | 36d61a2c62ee2c4198229406af6aa91b14bf6125 (diff) | |
| download | rpg-29f2dfdcb84bbfd8394b14e2e79809828e923247.tar.gz rpg-29f2dfdcb84bbfd8394b14e2e79809828e923247.tar.bz2 | |
Merge branch 'input-validation' of git://github.com/whoopdedo/dokuwiki into pull-request-110
* 'input-validation' of git://github.com/whoopdedo/dokuwiki:
fix incorrect usage of tpl_getMediaFile
fix necessary global declaration
Input wrapper for html forms
Input validation for media manager
Input wrapper for exe scripts
more INPUT wrapper uses: cache purge, sectok, getID
Input wrapper for action.php
Conflicts:
lib/exe/css.php
Diffstat (limited to 'inc')
| -rw-r--r-- | inc/actions.php | 28 | ||||
| -rw-r--r-- | inc/cache.php | 3 | ||||
| -rw-r--r-- | inc/common.php | 3 | ||||
| -rw-r--r-- | inc/form.php | 5 | ||||
| -rw-r--r-- | inc/html.php | 49 | ||||
| -rw-r--r-- | inc/media.php | 66 | ||||
| -rw-r--r-- | inc/pageutils.php | 3 | ||||
| -rw-r--r-- | inc/parser/code.php | 3 |
8 files changed, 95 insertions, 65 deletions
diff --git a/inc/actions.php b/inc/actions.php index e85cbfccc..0c35bc88c 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -20,6 +20,7 @@ function act_dispatch(){ global $ID; global $INFO; global $QUERY; + global $INPUT; global $lang; global $conf; @@ -131,14 +132,14 @@ function act_dispatch(){ //handle admin tasks if($ACT == 'admin'){ // retrieve admin plugin name from $_REQUEST['page'] - if (!empty($_REQUEST['page'])) { + if (($page = $INPUT->str('page', '', true)) != '') { $pluginlist = plugin_list('admin'); - if (in_array($_REQUEST['page'], $pluginlist)) { + if (in_array($page, $pluginlist)) { // attempt to load the plugin - if ($plugin =& plugin_load('admin',$_REQUEST['page']) !== null){ + if ($plugin =& plugin_load('admin',$page) !== null){ if($plugin->forAdminOnly() && !$INFO['isadmin']){ // a manager tried to load a plugin that's for admins only - unset($_REQUEST['page']); + $INPUT->remove('page'); msg('For admins only',-1); }else{ $plugin->handle(); @@ -300,13 +301,14 @@ function act_draftdel($act){ function act_draftsave($act){ global $INFO; global $ID; + global $INPUT; global $conf; - if($conf['usedraft'] && $_POST['wikitext']){ + if($conf['usedraft'] && $INPUT->post->has('wikitext')) { $draft = array('id' => $ID, - 'prefix' => substr($_POST['prefix'], 0, -1), - 'text' => $_POST['wikitext'], - 'suffix' => $_POST['suffix'], - 'date' => (int) $_POST['date'], + 'prefix' => substr($INPUT->post->str('prefix'), 0, -1), + 'text' => $INPUT->post->str('wikitext'), + 'suffix' => $INPUT->post->str('suffix'), + 'date' => $INPUT->post->int('date'), 'client' => $INFO['client'], ); $cname = getCacheName($draft['client'].$ID,'.draft'); @@ -335,6 +337,7 @@ function act_save($act){ global $SUM; global $lang; global $INFO; + global $INPUT; //spam check if(checkwordblock()) { @@ -346,7 +349,7 @@ function act_save($act){ return 'conflict'; //save it - saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$_REQUEST['minor']); //use pretty mode for con + saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$INPUT->bool('minor')); //use pretty mode for con //unlock it unlock($ID); @@ -669,6 +672,7 @@ function act_subscription($act){ global $lang; global $INFO; global $ID; + global $INPUT; // subcriptions work for logged in users only if(!$_SERVER['REMOTE_USER']) return 'show'; @@ -676,8 +680,8 @@ function act_subscription($act){ // get and preprocess data. $params = array(); foreach(array('target', 'style', 'action') as $param) { - if (isset($_REQUEST["sub_$param"])) { - $params[$param] = $_REQUEST["sub_$param"]; + if ($INPUT->has("sub_$param")) { + $params[$param] = $INPUT->str("sub_$param"); } } diff --git a/inc/cache.php b/inc/cache.php index ff78e37ae..204c6f006 100644 --- a/inc/cache.php +++ b/inc/cache.php @@ -84,7 +84,8 @@ class cache { * it should only overwrite a dependency when the new value is more stringent than the old */ function _addDependencies() { - if (isset($_REQUEST['purge'])) $this->depends['purge'] = true; // purge requested + global $INPUT; + if ($INPUT->has('purge')) $this->depends['purge'] = true; // purge requested } /** diff --git a/inc/common.php b/inc/common.php index 768260bbf..02ed2432b 100644 --- a/inc/common.php +++ b/inc/common.php @@ -63,9 +63,10 @@ function getSecurityToken() { * Check the secret CSRF token */ function checkSecurityToken($token = null) { + global $INPUT; if(!$_SERVER['REMOTE_USER']) return true; // no logged in user, no need for a check - if(is_null($token)) $token = $_REQUEST['sectok']; + if(is_null($token)) $token = $INPUT->str('sectok'); if(getSecurityToken() != $token) { msg('Security Token did not match. Possible CSRF attack.', -1); return false; diff --git a/inc/form.php b/inc/form.php index e74c52c5d..bdf520a2e 100644 --- a/inc/form.php +++ b/inc/form.php @@ -295,8 +295,9 @@ class Doku_Form { */ function addRadioSet($name, $entries) { - $value = (isset($_POST[$name]) && isset($entries[$_POST[$name]])) ? - $_POST[$name] : key($entries); + global $INPUT; + $value = (array_key_exists($INPUT->post->str($name), $entries)) ? + $INPUT->str($name) : key($entries); foreach($entries as $val => $cap) { $data = ($value === $val) ? array('checked' => 'checked') : array(); $this->addElement(form_makeRadioField($name, $val, $cap, '', '', $data)); diff --git a/inc/html.php b/inc/html.php index f9712d975..505474e0d 100644 --- a/inc/html.php +++ b/inc/html.php @@ -46,6 +46,7 @@ function html_login(){ global $lang; global $conf; global $ID; + global $INPUT; print p_locale_xhtml('login'); print '<div class="centeralign">'.NL; @@ -53,7 +54,7 @@ function html_login(){ $form->startFieldset($lang['btn_login']); $form->addHidden('id', $ID); $form->addHidden('do', 'login'); - $form->addElement(form_makeTextField('u', ((!$_REQUEST['http_credentials']) ? $_REQUEST['u'] : ''), $lang['user'], 'focus__this', 'block')); + $form->addElement(form_makeTextField('u', ((!$INPUT->bool('http_credentials')) ? $INPUT->str('u') : ''), $lang['user'], 'focus__this', 'block')); $form->addElement(form_makePasswordField('p', $lang['pass'], '', 'block')); if($conf['rememberme']) { $form->addElement(form_makeCheckboxField('r', '1', $lang['remember'], 'remember__me', 'simple')); @@ -1076,8 +1077,9 @@ function html_diff($text='',$intro=true,$type=null){ global $REV; global $lang; global $conf; + global $INPUT; - if(!$type) $type = $_REQUEST['difftype']; + if(!$type) $type = $INPUT->str('difftype'); if($type != 'inline') $type = 'sidebyside'; // we're trying to be clever here, revisions to compare can be either @@ -1085,16 +1087,16 @@ function html_diff($text='',$intro=true,$type=null){ // array in rev2. $rev1 = $REV; - if(is_array($_REQUEST['rev2'])){ - $rev1 = (int) $_REQUEST['rev2'][0]; - $rev2 = (int) $_REQUEST['rev2'][1]; + if(is_array($INPUT->ref('rev2'))){ + $rev1 = (int) $INPUT->int('rev2')[0]; + $rev2 = (int) $INPUT->int('rev2')[1]; if(!$rev1){ $rev1 = $rev2; unset($rev2); } }else{ - $rev2 = (int) $_REQUEST['rev2']; + $rev2 = $INPUT->int('rev2'); } $r_minor = ''; @@ -1252,6 +1254,7 @@ function html_register(){ global $lang; global $conf; global $ID; + global $INPUT; print p_locale_xhtml('register'); print '<div class="centeralign">'.NL; @@ -1259,13 +1262,13 @@ function html_register(){ $form->startFieldset($lang['btn_register']); $form->addHidden('do', 'register'); $form->addHidden('save', '1'); - $form->addElement(form_makeTextField('login', $_POST['login'], $lang['user'], '', 'block', array('size'=>'50'))); + $form->addElement(form_makeTextField('login', $INPUT->post->str('login'), $lang['user'], '', 'block', array('size'=>'50'))); if (!$conf['autopasswd']) { $form->addElement(form_makePasswordField('pass', $lang['pass'], '', 'block', array('size'=>'50'))); $form->addElement(form_makePasswordField('passchk', $lang['passchk'], '', 'block', array('size'=>'50'))); } - $form->addElement(form_makeTextField('fullname', $_POST['fullname'], $lang['fullname'], '', 'block', array('size'=>'50'))); - $form->addElement(form_makeTextField('email', $_POST['email'], $lang['email'], '', 'block', array('size'=>'50'))); + $form->addElement(form_makeTextField('fullname', $INPUT->post->str('fullname'), $lang['fullname'], '', 'block', array('size'=>'50'))); + $form->addElement(form_makeTextField('email', $INPUT->post->str('email'), $lang['email'], '', 'block', array('size'=>'50'))); $form->addElement(form_makeButton('submit', '', $lang['btn_register'])); $form->endFieldset(); html_form('register', $form); @@ -1282,26 +1285,27 @@ function html_register(){ function html_updateprofile(){ global $lang; global $conf; + global $INPUT; global $ID; global $INFO; global $auth; print p_locale_xhtml('updateprofile'); - if (empty($_POST['fullname'])) $_POST['fullname'] = $INFO['userinfo']['name']; - if (empty($_POST['email'])) $_POST['email'] = $INFO['userinfo']['mail']; + $fullname = $INPUT->post->str('fullname', $INFO['userinfo']['name'], true); + $email = $INPUT->post->str('email', $INFO['userinfo']['mail'], true); print '<div class="centeralign">'.NL; $form = new Doku_Form(array('id' => 'dw__register')); $form->startFieldset($lang['profile']); $form->addHidden('do', 'profile'); $form->addHidden('save', '1'); - $form->addElement(form_makeTextField('fullname', $_SERVER['REMOTE_USER'], $lang['user'], '', 'block', array('size'=>'50', 'disabled'=>'disabled'))); + $form->addElement(form_makeTextField('login', $_SERVER['REMOTE_USER'], $lang['user'], '', 'block', array('size'=>'50', 'disabled'=>'disabled'))); $attr = array('size'=>'50'); if (!$auth->canDo('modName')) $attr['disabled'] = 'disabled'; - $form->addElement(form_makeTextField('fullname', $_POST['fullname'], $lang['fullname'], '', 'block', $attr)); + $form->addElement(form_makeTextField('fullname', $fullname, $lang['fullname'], '', 'block', $attr)); $attr = array('size'=>'50'); if (!$auth->canDo('modMail')) $attr['disabled'] = 'disabled'; - $form->addElement(form_makeTextField('email', $_POST['email'], $lang['email'], '', 'block', $attr)); + $form->addElement(form_makeTextField('email', $email, $lang['email'], '', 'block', $attr)); $form->addElement(form_makeTag('br')); if ($auth->canDo('modPass')) { $form->addElement(form_makePasswordField('newpass', $lang['newpass'], '', 'block', array('size'=>'50'))); @@ -1326,6 +1330,7 @@ function html_updateprofile(){ * @triggers HTML_EDITFORM_OUTPUT */ function html_edit(){ + global $INPUT; global $ID; global $REV; global $DATE; @@ -1338,8 +1343,8 @@ function html_edit(){ global $TEXT; global $RANGE; - if (isset($_REQUEST['changecheck'])) { - $check = $_REQUEST['changecheck']; + if ($INPUT->has('changecheck')) { + $check = $INPUT->str('changecheck'); } elseif(!$INFO['exists']){ // $TEXT has been loaded from page template $check = md5(''); @@ -1374,8 +1379,8 @@ function html_edit(){ $data = array('form' => $form, 'wr' => $wr, 'media_manager' => true, - 'target' => (isset($_REQUEST['target']) && $wr && - $RANGE !== '') ? $_REQUEST['target'] : 'section', + 'target' => ($INPUT->has('target') && $wr && + $RANGE !== '') ? $INPUT->str('target') : 'section', 'intro_locale' => $include); if ($data['target'] !== 'section') { @@ -1461,6 +1466,7 @@ function html_edit_form($param) { function html_minoredit(){ global $conf; global $lang; + global $INPUT; // minor edits are for logged in users only if(!$conf['useacl'] || !$_SERVER['REMOTE_USER']){ return false; @@ -1468,7 +1474,7 @@ function html_minoredit(){ $p = array(); $p['tabindex'] = 3; - if(!empty($_REQUEST['minor'])) $p['checked']='checked'; + if($INPUT->bool('minor')) $p['checked']='checked'; return form_makeCheckboxField('minor', '1', $lang['minoredit'], 'minoredit', 'nowrap', $p); } @@ -1674,8 +1680,9 @@ function html_resendpwd() { global $lang; global $conf; global $ID; + global $INPUT; - $token = preg_replace('/[^a-f0-9]+/','',$_REQUEST['pwauth']); + $token = preg_replace('/[^a-f0-9]+/','',$INPUT->str('pwauth')); if(!$conf['autopasswd'] && $token){ print p_locale_xhtml('resetpwd'); @@ -1700,7 +1707,7 @@ function html_resendpwd() { $form->addHidden('do', 'resendpwd'); $form->addHidden('save', '1'); $form->addElement(form_makeTag('br')); - $form->addElement(form_makeTextField('login', $_POST['login'], $lang['user'], '', 'block')); + $form->addElement(form_makeTextField('login', $INPUT->post->str('login'), $lang['user'], '', 'block')); $form->addElement(form_makeTag('br')); $form->addElement(form_makeTag('br')); $form->addElement(form_makeButton('submit', '', $lang['btn_resendpwd'])); diff --git a/inc/media.php b/inc/media.php index e1d5d511e..4bca2e71a 100644 --- a/inc/media.php +++ b/inc/media.php @@ -226,8 +226,9 @@ function media_delete($id,$auth){ */ function media_upload_xhr($ns,$auth){ if(!checkSecurityToken()) return false; + global $INPUT; - $id = $_GET['qqfile']; + $id = $INPUT->get->str('qqfile'); list($ext,$mime,$dl) = mimetype($id); $input = fopen("php://input", "r"); if (!($tmp = io_mktmpdir())) return false; @@ -247,7 +248,7 @@ function media_upload_xhr($ns,$auth){ 'mime' => $mime, 'ext' => $ext), $ns.':'.$id, - (($_REQUEST['ow'] == 'checked') ? true : false), + (($INPUT->get->str('ow') == 'checked') ? true : false), $auth, 'copy' ); @@ -270,9 +271,10 @@ function media_upload_xhr($ns,$auth){ function media_upload($ns,$auth,$file=false){ if(!checkSecurityToken()) return false; global $lang; + global $INPUT; // get file and id - $id = $_POST['mediaid']; + $id = $INPUT->post->str('mediaid'); if (!$file) $file = $_FILES['upload']; if(empty($id)) $id = $file['name']; @@ -294,7 +296,7 @@ function media_upload($ns,$auth,$file=false){ $res = media_save(array('name' => $file['tmp_name'], 'mime' => $imime, 'ext' => $iext), $ns.':'.$id, - $_REQUEST['ow'], $auth, 'move_uploaded_file'); + $INPUT->post->bool('ow'), $auth, 'move_uploaded_file'); if (is_array($res)) { msg($res[0], $res[1]); return false; @@ -641,7 +643,9 @@ function media_tabs_details($image, $selected_tab = ''){ * @author Kate Arzamastseva <pshns@ukr.net> */ function media_tab_files_options(){ - global $lang, $NS; + global $lang; + global $NS; + global $INPUT; $form = new Doku_Form(array('class' => 'options', 'method' => 'get', 'action' => wl($ID))); $media_manager_params = media_managerURL(array(), '', false, true); @@ -649,8 +653,8 @@ function media_tab_files_options(){ $form->addHidden($pKey, $pVal); } $form->addHidden('sectok', null); - if (isset($_REQUEST['q'])) { - $form->addHidden('q', $_REQUEST['q']); + if ($INPUT->has('q')) { + $form->addHidden('q', $INPUT->str('q')); } $form->addElement('<ul>'.NL); foreach(array('list' => array('listType', array('thumbs', 'rows')), @@ -694,9 +698,10 @@ function _media_get_list_type() { } function _media_get_display_param($param, $values) { - if (isset($_REQUEST[$param]) && in_array($_REQUEST[$param], $values)) { + global $INPUT; + if (in_array($INPUT->str($param), $values)) { // FIXME: Set cookie - return $_REQUEST[$param]; + return $INPUT->str($param); } else { $val = get_doku_pref($param, $values['default']); if (!in_array($val, $values)) { @@ -746,10 +751,10 @@ function media_tab_upload($ns,$auth=null,$jump='') { */ function media_tab_search($ns,$auth=null) { global $lang; + global $INPUT; - $do = $_REQUEST['mediado']; - $query = $_REQUEST['q']; - if (!$query) $query = ''; + $do = $INPUT->str('mediado'); + $query = $INPUT->str('q'); echo '<div class="search">'.NL; media_searchform($ns, $query, true); @@ -801,14 +806,16 @@ function media_tab_edit($image, $ns, $auth=null) { */ function media_tab_history($image, $ns, $auth=null) { global $lang; + global $INPUT; + if(is_null($auth)) $auth = auth_quickaclcheck("$ns:*"); - $do = $_REQUEST['mediado']; + $do = $INPUT->str('mediado'); if ($auth >= AUTH_READ && $image) { if ($do == 'diff'){ media_diff($image, $ns, $auth); } else { - $first = isset($_REQUEST['first']) ? intval($_REQUEST['first']) : 0; + $first = $INPUT->int('first'); html_revisions($first, $image); } } else { @@ -1002,21 +1009,22 @@ function media_details($image, $auth, $rev=false, $meta=false) { function media_diff($image, $ns, $auth, $fromajax = false) { global $lang; global $conf; + global $INPUT; if ($auth < AUTH_READ || !$image || !$conf['mediarevisions']) return ''; - $rev1 = (int) $_REQUEST['rev']; + $rev1 = $INPUT->int('rev'); - if(is_array($_REQUEST['rev2'])){ - $rev1 = (int) $_REQUEST['rev2'][0]; - $rev2 = (int) $_REQUEST['rev2'][1]; + if(is_array($INPUT->ref('rev2'))){ + $rev1 = (int) $INPUT->arr('rev2')[0]; + $rev2 = (int) $INPUT->arr('rev2')[1]; if(!$rev1){ $rev1 = $rev2; unset($rev2); } }else{ - $rev2 = (int) $_REQUEST['rev2']; + $rev2 = $INPUT->int('rev2'); } if ($rev1 && !file_exists(mediaFN($image, $rev1))) $rev1 = false; @@ -1071,7 +1079,9 @@ function _media_file_diff($data) { * @author Kate Arzamastseva <pshns@ukr.net> */ function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){ - global $lang, $config_cascade; + global $lang; + global $config_cascade; + global $INPUT; $l_meta = new JpegMeta(mediaFN($image, $l_rev)); $r_meta = new JpegMeta(mediaFN($image, $r_rev)); @@ -1082,7 +1092,7 @@ function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){ $r_size = media_image_preview_size($image, $r_rev, $r_meta); $is_img = ($l_size && $r_size && ($l_size[0] >= 30 || $r_size[0] >= 30)); - $difftype = $_REQUEST['difftype']; + $difftype = $INPUT->str('difftype'); if (!$fromajax) { $form = new Doku_Form(array( @@ -1527,11 +1537,12 @@ function media_printimgdetail($item, $fullscreen=false){ function media_managerURL($params=false, $amp='&', $abs=false, $params_array=false) { global $conf; global $ID; + global $INPUT; $gets = array('do' => 'media'); $media_manager_params = array('tab_files', 'tab_details', 'image', 'ns', 'list', 'sort'); foreach ($media_manager_params as $x) { - if (isset($_REQUEST[$x])) $gets[$x] = $_REQUEST[$x]; + if ($INPUT->has($x)) $gets[$x] = $INPUT->str($x); } if ($params) { @@ -1555,7 +1566,9 @@ function media_managerURL($params=false, $amp='&', $abs=false, $params_array * @author Kate Arzamastseva <pshns@ukr.net> */ function media_uploadform($ns, $auth, $fullscreen = false){ - global $lang, $conf; + global $lang; + global $conf; + global $INPUT; if($auth < AUTH_UPLOAD) { echo '<div class="nothing">'.$lang['media_perm_upload'].'</div>'.NL; @@ -1565,9 +1578,9 @@ function media_uploadform($ns, $auth, $fullscreen = false){ $update = false; $id = ''; - if ($auth >= $auth_ow && $fullscreen && $_REQUEST['mediado'] == 'update') { + if ($auth >= $auth_ow && $fullscreen && $INPUT->str('mediado') == 'update') { $update = true; - $id = cleanID($_REQUEST['image']); + $id = cleanID($INPUT->str('image')); } // The default HTML upload form @@ -1697,12 +1710,13 @@ function media_nstree($ns){ * @author Andreas Gohr <andi@splitbrain.org> */ function media_nstree_item($item){ + global $INPUT; $pos = strrpos($item['id'], ':'); $label = substr($item['id'], $pos > 0 ? $pos + 1 : 0); if(!$item['label']) $item['label'] = $label; $ret = ''; - if (!($_REQUEST['do'] == 'media')) + if (!($INPUT->str('do') == 'media')) $ret .= '<a href="'.DOKU_BASE.'lib/exe/mediamanager.php?ns='.idfilter($item['id']).'" class="idx_dir">'; else $ret .= '<a href="'.media_managerURL(array('ns' => idfilter($item['id'], false), 'tab_files' => 'files')) .'" class="idx_dir">'; diff --git a/inc/pageutils.php b/inc/pageutils.php index f525c44d0..5e741c491 100644 --- a/inc/pageutils.php +++ b/inc/pageutils.php @@ -19,9 +19,10 @@ * @author Andreas Gohr <andi@splitbrain.org> */ function getID($param='id',$clean=true){ + global $INPUT; global $conf; - $id = isset($_REQUEST[$param]) ? $_REQUEST[$param] : null; + $id = $INPUT->str($param); //construct page id from request URI if(empty($id) && $conf['userewrite'] == 2){ diff --git a/inc/parser/code.php b/inc/parser/code.php index 4d94dcf4e..ff44a4e1e 100644 --- a/inc/parser/code.php +++ b/inc/parser/code.php @@ -16,11 +16,12 @@ class Doku_Renderer_code extends Doku_Renderer { * When the correct block was found it exits the script. */ function code($text, $language = NULL, $filename='' ) { + global $INPUT; if(!$language) $language = 'txt'; if(!$filename) $filename = 'snippet.'.$language; $filename = basename($filename); - if($this->_codeblock == $_REQUEST['codeblock']){ + if($this->_codeblock == $INPUT->str('codeblock')){ header("Content-Type: text/plain; charset=utf-8"); header("Content-Disposition: attachment; filename=$filename"); header("X-Robots-Tag: noindex"); |