authorAndreas Gohr <andi@splitbrain.org>2012-07-06 11:07:34 +0200
committerAndreas Gohr <andi@splitbrain.org>2012-07-06 11:07:34 +0200
commit29f2dfdcb84bbfd8394b14e2e79809828e923247 (patch)
treef573b232a06346d2d1b41910bb8f7e34fe518397 /lib
parent14e2b802ac28e91a3e1f468396950ed5b318109d (diff)
parent36d61a2c62ee2c4198229406af6aa91b14bf6125 (diff)
downloadrpg-29f2dfdcb84bbfd8394b14e2e79809828e923247.tar.gz
rpg-29f2dfdcb84bbfd8394b14e2e79809828e923247.tar.bz2
Merge branch 'input-validation' of git://github.com/whoopdedo/dokuwiki into pull-request-110
* 'input-validation' of git://github.com/whoopdedo/dokuwiki:
  fix incorrect usage of tpl_getMediaFile
  fix necessary global declaration
  Input wrapper for html forms
  Input validation for media manager
  Input wrapper for exe scripts
  more INPUT wrapper uses: cache purge, sectok, getID
  Input wrapper for action.php

Conflicts:
  lib/exe/css.php
Diffstat (limited to 'lib')
-rw-r--r--lib/exe/css.php5
-rw-r--r--lib/exe/detail.php4
-rw-r--r--lib/exe/fetch.php8
-rw-r--r--lib/exe/indexer.php7
-rw-r--r--lib/exe/mediamanager.php36
5 files changed, 31 insertions, 29 deletions
diff --git a/lib/exe/css.php b/lib/exe/css.php
index 1b2b0c86b..8de3db11b 100644
--- a/lib/exe/css.php
+++ b/lib/exe/css.php
@@ -30,8 +30,9 @@ function css_out(){
global $conf;
global $lang;
global $config_cascade;
+ global $INPUT;
- if (isset($_REQUEST['s']) && ($_REQUEST['s'] == 'feed')) {
+ if ($INPUT->str('s') == 'feed') {
$mediatypes = array('feed');
$type = 'feed';
} else {
@@ -39,7 +40,7 @@ function css_out(){
$type = '';
}
- $tpl = trim(preg_replace('/[^\w-]+/','',$_REQUEST['t']));
+ $tpl = trim(preg_replace('/[^\w-]+/','',$INPUT->str('t')));
if($tpl){
$tplinc = DOKU_INC.'lib/tpl/'.$tpl.'/';
$tpldir = DOKU_BASE.'lib/tpl/'.$tpl.'/';
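Review bot: The allow-list regex on the rewritten `$tpl` line is the only thing keeping the template name from escaping `lib/tpl/` when it is concatenated into `$tplinc` and `$tpldir` two lines below, and nothing in the new code says so; a one-line comment such as `// $tpl is used to build a filesystem path below: keep the [\w-] allow-list` would protect the next edit. The `trim()` is redundant, since whitespace is not in `\w` and is already removed by the regex (the only difference is the null-on-error case of preg_replace), so `$tpl = preg_replace('/[^\w-]+/', '', $INPUT->str('t'));` does the same job with one call fewer. css_out() continues outside the hunk.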
diff --git a/lib/exe/detail.php b/lib/exe/detail.php
index 35186f5dd..ea46bc037 100644
--- a/lib/exe/detail.php
+++ b/lib/exe/detail.php
@@ -6,9 +6,9 @@ require_once(DOKU_INC.'inc/init.php');
session_write_close();
$IMG = getID('media');
-$ID = cleanID($_REQUEST['id']);
+$ID = cleanID($INPUT->str('id'));
-if($conf['allowdebug'] && $_REQUEST['debug']){
+if($conf['allowdebug'] && $INPUT->has('debug')){
print '<pre>';
foreach(explode(' ','basedir userewrite baseurl useslash') as $x){
print '$'."conf['$x'] = '".$conf[$x]."';\n";
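Review bot: The `debug` check on the new line widens from truthiness to presence: `$INPUT->has('debug')` is true for `?debug`, `?debug=` or `?debug=0`, all of which left `$_REQUEST['debug']` falsy before, so the config dump now appears for any value as long as `allowdebug` is set. If that is not intended, `$INPUT->str('debug') !== ''` (or a boolean accessor, if the wrapper offers one) keeps the old behaviour; indexer.php already used `isset()` here, so it is unaffected. The `allowdebug` gate, which is the part that matters, is preserved.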
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 143d40f22..60843460e 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -17,10 +17,10 @@
//get input
$MEDIA = stripctl(getID('media',false)); // no cleaning except control chars - maybe external
- $CACHE = calc_cache($_REQUEST['cache']);
- $WIDTH = (int) $_REQUEST['w'];
- $HEIGHT = (int) $_REQUEST['h'];
- $REV = (int) @$_REQUEST['rev'];
+ $CACHE = calc_cache($INPUT->str('cache'));
+ $WIDTH = $INPUT->int('w');
+ $HEIGHT = $INPUT->int('h');
+ $REV = &$INPUT->ref('rev');
//sanitize revision
$REV = preg_replace('/[^0-9]/','',$REV);
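Review bot: `$REV = &$INPUT->ref('rev');` replaces an int cast with an alias to whatever was submitted, so the sanitising `preg_replace` on the next line now runs on the raw value (and, if ref() hands back the request slot, presumably writes the result back into it); it yields an empty string instead of `0` when `rev` is absent and an array instead of an int if `rev[]=…` is sent, since preg_replace maps over array subjects. The neighbouring lines already use `$INPUT->int('w')` / `$INPUT->int('h')`, and mediamanager.php in this same change reads `$INPUT->int('rev')`, so `$REV = $INPUT->int('rev');` would restore the old integer semantics and make the regex line redundant. The enclosing block continues outside the hunk.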
diff --git a/lib/exe/indexer.php b/lib/exe/indexer.php
index 738a29503..e149770c0 100644
--- a/lib/exe/indexer.php
+++ b/lib/exe/indexer.php
@@ -20,10 +20,10 @@ if(!$defer){
sendGIF(); // send gif
}
-$ID = cleanID($_REQUEST['id']);
+$ID = cleanID($INPUT->str('id'));
// Catch any possible output (e.g. errors)
-$output = isset($_REQUEST['debug']) && $conf['allowdebug'];
+$output = $INPUT->has('debug') && $conf['allowdebug'];
if(!$output) ob_start();
// run one of the jobs
@@ -261,7 +261,8 @@ function sendDigest() {
* @author Harry Fuecks <fuecks@gmail.com>
*/
function sendGIF(){
- if(isset($_REQUEST['debug'])){
+ global $INPUT;
+ if($INPUT->has('debug')){
header('Content-Type: text/plain');
return;
}
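Review bot: The `debug` switch in sendGIF() is not gated on `$conf['allowdebug']`, while the equivalent check earlier in this file (`$INPUT->has('debug') && $conf['allowdebug']`) is, so any request can still turn the GIF response into `text/plain` by appending `?debug`. This predates the change, but since the line is being rewritten anyway, `global $INPUT, $conf;` followed by `if($INPUT->has('debug') && $conf['allowdebug']){` would bring the two checks into line. sendGIF() continues below the hunk.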
diff --git a/lib/exe/mediamanager.php b/lib/exe/mediamanager.php
index 5f09fe1f8..04dd178cc 100644
--- a/lib/exe/mediamanager.php
+++ b/lib/exe/mediamanager.php
@@ -10,25 +10,25 @@
trigger_event('MEDIAMANAGER_STARTED',$tmp=array());
session_write_close(); //close session
+ global $INPUT;
// handle passed message
- if($_REQUEST['msg1']) msg(hsc($_REQUEST['msg1']),1);
- if($_REQUEST['err']) msg(hsc($_REQUEST['err']),-1);
+ if($INPUT->str('msg1')) msg(hsc($INPUT->str('msg1')),1);
+ if($INPUT->str('err')) msg(hsc($INPUT->str('err')),-1);
// get namespace to display (either direct or from deletion order)
- if($_REQUEST['delete']){
- $DEL = cleanID($_REQUEST['delete']);
+ if($INPUT->str('delete')){
+ $DEL = cleanID($INPUT->str('delete'));
$IMG = $DEL;
$NS = getNS($DEL);
- }elseif($_REQUEST['edit']){
- $IMG = cleanID($_REQUEST['edit']);
+ }elseif($INPUT->str('edit')){
+ $IMG = cleanID($INPUT->str('edit'));
$NS = getNS($IMG);
- }elseif($_REQUEST['img']){
- $IMG = cleanID($_REQUEST['img']);
+ }elseif($INPUT->str('img')){
+ $IMG = cleanID($INPUT->str('img'));
$NS = getNS($IMG);
}else{
- $NS = $_REQUEST['ns'];
- $NS = cleanID($NS);
+ $NS = cleanID($INPUT->str('ns'));
}
// check auth
@@ -76,18 +76,18 @@
}
// handle meta saving
- if($IMG && @array_key_exists('save', $_REQUEST['do'])){
- $JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
+ if($IMG && @array_key_exists('save', $INPUT->arr('do'))){
+ $JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
}
- if($IMG && ($_REQUEST['mediado'] == 'save' || @array_key_exists('save', $_REQUEST['mediado']))) {
- $JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
+ if($IMG && ($INPUT->str('mediado') == 'save' || @array_key_exists('save', $INPUT->arr('mediado')))) {
+ $JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
}
- if ($_REQUEST['rev'] && $conf['mediarevisions']) $REV = (int) $_REQUEST['rev'];
+ if ($INPUT->int('rev') && $conf['mediarevisions']) $REV = $INPUT->int('rev');
- if($_REQUEST['mediado'] == 'restore' && $conf['mediarevisions']){
- $JUMPTO = media_restore($_REQUEST['image'], $REV, $AUTH);
+ if($INPUT->str('mediado') == 'restore' && $conf['mediarevisions']){
+ $JUMPTO = media_restore($INPUT->str('image'), $REV, $AUTH);
}
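Review bot: The `@` on the two `array_key_exists('save', $INPUT->arr(...))` calls is left over from reading `$_REQUEST` directly; if `Input::arr()` returns an array (empty when the key is missing or scalar), which appears to be the point of the wrapper, the suppression now only hides genuine errors and can go: `if($IMG && array_key_exists('save', $INPUT->arr('do'))){`. The same applies to the `mediado` line further down in this hunk. The surrounding script continues outside the hunk.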
// handle deletion
@@ -101,7 +101,7 @@
if ($res & DOKU_MEDIA_EMPTY_NS && !$fullscreen) {
// current namespace was removed. redirecting to root ns passing msg along
send_redirect(DOKU_URL.'lib/exe/mediamanager.php?msg1='.
- rawurlencode($msg).'&edid='.$_REQUEST['edid']);
+ rawurlencode($msg).'&edid='.$INPUT->str('edid'));
}
msg($msg,1);
} elseif ($res & DOKU_MEDIA_INUSE) {
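Review bot: In the rewritten redirect line `$INPUT->str('edid')` is concatenated into the Location URL unencoded while `$msg` right next to it is `rawurlencode()`d, so an `edid` containing `&`, `#` or `%` reaches the next request as a truncated or altered query string. Encoding it the same way, `rawurlencode($msg).'&edid='.rawurlencode($INPUT->str('edid')));`, keeps both parameters consistent. The enclosing `if`/`elseif` chain extends beyond the hunk.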