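/**
 * sanitize() - clean input for known injection vulnerabilities
 *
 * Reduce user input to a conservative character whitelist. Our
 * organization names should contain only [a-z][0-9], like the nren
 * names, like the states; the filter therefore keeps only [a-z][0-9]
 * plus '_', '.', '@' and space (case-insensitive) and drops every other
 * character silently (it never rejects, it strips).
 *
 * Because '.' is kept, values such as '.' and '..' pass through
 * unchanged; a caller that turns the result into a filesystem path must
 * validate that separately.
 *
 * Arrays are cleaned element by element, recursively, with keys kept.
 * (The original loop computed that result and then threw it away in
 * favour of a flat preg_replace() over the array.)
 *
 * @param mixed $input  scalar, or array of scalars / nested arrays
 * @return mixed null when $input is unset or the empty string; the
 *               filtered string for a scalar; an array of filtered
 *               values for an array
 *
 * TODO: This function should be accessible for all forms taking data
 * TODO: Make sure it accepts all legal characters in the \DN
 */
static function sanitize($input)
{
    if (!isset($input) || $input === "") {
        return null;
    }
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = Input::sanitize($val);
        }
        return $output;
    }
    return preg_replace('/[^a-z0-9_.@ ]+/i', '', $input);
}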
$xml->addAttribute("elementCount", $element_count);
Logger::log_event(LOG_DEBUG, "Returning list with {$element_count} entries.");
/* the reply is an XML document; nothing else may be echoed after this */
header("content-type: text/xml");
echo $xml->asXML();
}

/* Safe environment? */
assertEnvironment();

/* Is the certificate a legit cert?
 * Authentication gate for the whole script: without an authenticated
 * admin derived from the client certificate nothing below runs. */
$admin = createAdminPerson();
if (!isset($admin) || !$admin->isAuth()) {
    echo "Not authenticated! Cannot continue<br />\n";
    exit(0);
}

/* Get list of issued certificates.
 * The posted action is reduced to Input::sanitize()'s character whitelist
 * before it is compared against the known operations. */
if (isset($_POST['action'])) {
    $action = Input::sanitize($_POST['action']);
} else {
    /* if no action provided, assume the client wants a list of issued certificates. */
    $action = 'cert_list';
}

switch ($action) {
case 'cert_list':
    /* every list request is logged against the requesting admin's EPPN */
    Logger::log_event(LOG_NOTICE, "[RI] " . $admin->getEPPN() . " cert-list request.");
    $res = Robot::createCertList($admin);
    printXMLRes($res, 'userList');
    break;
case 'revoke_list':
    /* a revocation needs an explicit list of certificates to act on */
    if (!isset($_POST['list'])) {
        echo "No data provided.\n";
        exit(0);
    }
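<?php
require_once 'confusa_include.php';
require_once 'Config.php';
require_once 'Input.php';
require_once 'confusa_constants.php';

/*
 * Get the custom NREN logo from the filesystem and return it as an image.
 *
 * Two request shapes are served:
 *   ?nren=<name>&pos=<position>&suffix=<ext>  the NREN's own logo, looked
 *                                             up below the custom_logo dir
 *   ?op=<anything>                            the operator logo from config
 * Any other request terminates with exit status 1.
 */
if (isset($_GET['nren'])) {
    /* Input::sanitize() yields null for both a missing and an empty value,
     * so the isset() guards only avoid undefined-index notices; the
     * resulting path is the same as before. */
    $nren = Input::sanitize($_GET['nren']);
    $position = Input::sanitize(isset($_GET['pos']) ? $_GET['pos'] : null);
    $suffix = Input::sanitize(isset($_GET['suffix']) ? $_GET['suffix'] : null);

    /* Input::sanitize() strips '/' but keeps '.', so '.' and '..' survive
     * it. $nren becomes a directory component of the path below, so refuse
     * those two names the same way an unknown request is refused, rather
     * than let the lookup step out of the custom-logo directory. */
    if ($nren === '.' || $nren === '..') {
        exit(1);
    }

    $logo_path = Config::get_config('custom_logo') . $nren . '/custom_' . $position . '.';
    $logo_path .= $suffix;
    /* NOTE(review): $suffix is not checked against the allowed-suffix list
     * here; presumably the lookup below only succeeds for files that exist
     * under that name — confirm where the allowed suffixes are enforced. */
} else {
    if (isset($_GET['op'])) {
        $logo_path = Config::get_config('operator_logo');
        /* the operator logo's type is the last three characters of its
         * configured path (e.g. "png") */
        $suffix = substr($logo_path, strlen($logo_path) - 3);
    } else {
        exit(1);
    }
}

/*
 * Search if there is one custom.png, custom.jpg or custom.any_other_
 * allowed_suffix file in the custom-logo folder.
 *
 * If there isn't return null
 */
if (file_exists($logo_path)) {
    $fp = fopen($logo_path, "r");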
/**
 * Render the NREN admin page.
 *
 * Anyone who is not an NREN admin gets the restricted-access template and
 * the attempt is logged under a fresh error tag. For NREN admins the page
 * depends on ?target: 'list' shows the subscriber list, 'add' prefills the
 * add-subscriber form from the auth manager's attributes, any other value
 * renders the bare page, and no target at all falls back to the list
 * (reporting an illegal attribute map when the admin's own subscriber
 * cannot be resolved).
 */
public function process()
{
    $tpl = $this->tpl;
    $person = $this->person;

    if (!$person->isNRENAdmin()) {
        $errorTag = PW::create();
        $who = stripslashes($person->getX509ValidCN());
        Logger::logEvent(LOG_NOTICE, "NRENAdmin", "process()",
                         "User " . $who . " tried to access the NREN-area",
                         __LINE__, $errorTag);
        $tpl->assign('reason', "[{$errorTag}] You are not an NREN-admin");
        $tpl->assign('content', $tpl->fetch('restricted_access.tpl'));
        return;
    }

    $tpl->assign('nrenName', $person->getNREN());
    $tpl->assign('org_states', ConfusaConstants::$ORG_STATES);

    /* Export the NREN UID key */
    $map = $person->getNREN()->getMap();
    $tpl->assign('nren_eppn_key', $map['eppn']);

    if (!isset($_GET['target'])) {
        /* no target: list subscribers and flag a broken attribute map */
        $tpl->assign('subscriber_list', $this->getSubscribers());
        $subscriber = $person->getSubscriber();
        if (!isset($subscriber)) {
            $tpl->assign('self_subscriber', '');
            $message = $this->translateTag('l10n_error_illegalattributemap', 'nrenadmin');
            $link = '<a href="attributes.php">' . $this->translateTag('item_attributes', 'menu') . '</a>.';
            Framework::error_output($message . $link);
        } else {
            $tpl->assign('self_subscriber', $subscriber);
        }
        $tpl->assign('list_subscribers', true);
    } else {
        $target = Input::sanitize($_GET['target']);
        if ($target === 'list') {
            /* get all info from database and publish to template */
            $tpl->assign('subscriber_list', $this->getSubscribers());
            $tpl->assign('self_subscriber', $person->getSubscriber()->getIdPName());
            $tpl->assign('list_subscribers', true);
        } elseif ($target === 'add') {
            $authManager = AuthHandler::getAuthManager($person);
            $attributes = $authManager->getAttributes();
            $nren = $person->getNREN();
            $orgKey = $map['epodn'];
            $eppnKey = $map['eppn'];
            if (isset($attributes[$orgKey])) {
                $tpl->assign('foundUniqueName', $attributes[$orgKey][0]);
                $tpl->assign('nrenOrgAttr', $orgKey);
            }
            if (isset($attributes[$eppnKey])) {
                $this->form_data['eppnAttr'] = $eppnKey;
            }
            $tpl->assign('form_data', $this->form_data);
            $tpl->assign('add_subscriber', true);
        }
        /* any other target just renders the bare page */
    }

    /* render page */
    $tpl->assign('content', $tpl->fetch('nren_admin.tpl'));
}
/**
 * Render the robot-certificate page for a subscriber admin.
 *
 * The three rv_* template flags select which part of robot.tpl is shown,
 * driven by ?robot_view=list|upload|info. Without a robot_view parameter
 * the certificate list is shown; an unknown view leaves every flag off.
 *
 * @return false when the current person is not a subscriber admin,
 *         nothing otherwise
 */
public function process()
{
    if (!$this->person->isSubscriberAdmin()) {
        /* not authorized */
        return false;
    }
    $tpl = $this->tpl;

    /* get menu-flags and assign to the framework: all off to begin with */
    foreach (array('rv_list', 'rv_upload', 'rv_info') as $flag) {
        $tpl->assign($flag, false);
    }

    if (!isset($_GET['robot_view'])) {
        /* We default to listing the certificates */
        $tpl->assign('robotCerts', $this->getRobotCertList());
        $tpl->assign('rv_list', true);
    } else {
        $view = Input::sanitize($_GET['robot_view']);
        if ($view === 'list') {
            $tpl->assign('rv_list', true);
            $tpl->assign('robotCerts', $this->getRobotCertList());
        } elseif ($view === 'upload') {
            $tpl->assign('rv_upload', true);
        } elseif ($view === 'info') {
            $tpl->assign('rv_info', true);
            $tpl->assign('ri_path', Config::get_config('server_url') . "ri.php");
        }
        /* anything else: no view flag is raised */
    }

    $tpl->assign('content', $tpl->fetch('robot.tpl'));
}
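/**
 * getCertFromDB() take the registered Certificate and find a match in
 * the DB
 *
 * Robot_Certificates are used for authenticating remote
 * clients. Therefore, we will *always* start the object with a
 * certificate.
 *
 * The authN-mechanism lies in whether or not the certificate is also
 * present in the database: the fingerprint selects the row, and the
 * stored PEM must then be identical to the PEM this object holds.
 *
 * @param Boolean $db_authorative the values in the database are
 *                                authoritative (overwrite local values
 *                                if present).
 * @return Boolean true when exactly one row matches the fingerprint and
 *                 its stored cert is identical to the current PEM
 *                 content; false otherwise, including when no
 *                 fingerprint is available or a DB exception was caught
 *                 (the exception is logged, not rethrown).
 * @access private
 */
private function getCertFromDB($db_authorative = false)
{
    $fp = $this->getFingerprint();
    if (!$fp) {
        return false;
    }
    try {
        $query = "SELECT * FROM robot_certs WHERE fingerprint=?";
        $res = MDB2Wrapper::execute($query, array('text'), array($fp));
        /* Exactly one row, and its PEM must be byte-identical to ours.
         * Strict comparison: with == a NULL cert column would match an
         * empty PEM and numeric-looking strings would compare as numbers. */
        if (count($res) === 1 && $res[0]['cert'] === $this->getPEMContent()) {
            if ($db_authorative) {
                $this->db_id = Input::sanitize($res[0]['id']);
                $this->owner = Input::sanitize($res[0]['uploaded_by']);
                $this->subscriber = Input::sanitize($res[0]['subscriber_id']);
                /* NOTE(review): Input::sanitize() drops '-' and ':'. If these
                 * two columns hold date/time strings their separators are lost
                 * here — confirm the column types and how $lwsent and
                 * $uploaded_date are consumed. */
                $this->lwsent = Input::sanitize($res[0]['last_warning_sent']);
                $this->uploaded_date = Input::sanitize($res[0]['uploaded_date']);
            }
            return true;
        }
        return false;
    } catch (DBStatementException $dbse) {
        Logger::log_event(LOG_NOTICE, "Corrupted statement in query (" . __FILE__ . ":" . __LINE__ . " " . $dbse->getMessage());
    } catch (DBQueryException $dbqe) {
        Logger::log_event(LOG_NOTICE, "Corrupted content in query (" . __FILE__ . ":" . __LINE__ . " " . $dbqe->getMessage());
    }
    return false;
}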
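/**
 * Handle the stylist form submissions before the page is rendered.
 *
 * Only NREN admins may change their NREN's texts, CSS, mail template,
 * logos and portal title. The operation is selected by
 * $_POST['stylist_operation']; an unknown value produces an error message.
 * Every value comes from the request, so each branch passes it through the
 * matching Input::sanitize*() helper, strip_tags() or an allow-list before
 * it reaches a storage method.
 *
 * @param $person the person the request runs as (also handed to the parent)
 * @return false when $person is not an NREN admin; nothing otherwise
 */
public function pre_process($person)
{
    parent::pre_process($person);

    /* if $person is not a NREN admin we stop here */
    if (!$this->person->isNRENAdmin()) {
        return false;
    }
    if (!isset($_POST['stylist_operation'])) {
        return;
    }

    $nren = $this->person->getNREN();

    switch (htmlentities($_POST['stylist_operation'])) {
    case 'change_help_text':
        $new_text = Input::sanitizeText($_POST['help_text']);
        $this->updateNRENHelpText($nren, $new_text);
        break;
    case 'change_about_text':
        $new_text = Input::sanitizeText($_POST['about_text']);
        $this->updateNRENAboutText($nren, $new_text);
        break;
    case 'change_privnotice_text':
        $new_text = Input::sanitizeText($_POST['privnotice_text']);
        $this->updateNRENPrivacyNotice($nren, $new_text);
        break;
    case 'change_css':
        if (isset($_POST['reset'])) {
            $this->resetNRENCSS($nren);
        } elseif (isset($_POST['download'])) {
            $new_css = Input::sanitizeCSS($_POST['css_content']);
            $this->downloadNRENCSS($new_css);
        } elseif (isset($_POST['change'])) {
            /* CSS legitimately contains characters such as { : ' that the
             * generic sanitizer would strip, so it goes through the
             * CSS-specific Input::sanitizeCSS() instead before storage. */
            $new_css = Input::sanitizeCSS($_POST['css_content']);
            $this->updateNRENCSS($nren, $new_css);
        }
        break;
    case 'change_mail':
        if (isset($_POST['reset'])) {
            $this->resetNRENMailTpl($nren);
        } elseif (isset($_POST['change'])) {
            $new_template = strip_tags($_POST['mail_content']);
            $this->updateNRENMailTpl($nren, $new_template);
        } elseif (isset($_POST['test'])) {
            /* see where mail_content is set in process() for how the
             * current template is kept. */
            $this->sendNRENTestMail($this->person, strip_tags($_POST['mail_content']));
        }
        break;
    case 'upload_logo':
        /* the position is only accepted from the allow-list; a missing
         * field is treated like an illegal one instead of raising a notice */
        $position = isset($_POST['position']) ? $_POST['position'] : '';
        if (!in_array($position, ConfusaConstants::$ALLOWED_LOGO_POSITIONS)) {
            Framework::error_output("The specified position " . htmlentities($position) . " is not a legal logo position!");
            return;
        }
        if (isset($_FILES['nren_logo']['name'])) {
            /* only allow image uploads: the declared MIME type must start
             * with "image/". $_FILES[...]['type'] is whatever the client
             * sent, so this is a pre-filter only; the file content itself
             * has to be verified where it is stored (uploadLogo()) — confirm. */
            if (strpos($_FILES['nren_logo']['type'], 'image/') === 0) {
                $this->uploadLogo('nren_logo', $position, $nren);
            } else {
                Framework::error_output($this->translateTag('l10n_error_upload_logo_invalid', 'stylist'));
            }
        }
        break;
    case 'delete_logo':
        $position = isset($_POST['position']) ? $_POST['position'] : '';
        if (!in_array($position, ConfusaConstants::$ALLOWED_LOGO_POSITIONS)) {
            Framework::error_output($this->translateTag('l10n_error_upload_logo_position', 'stylist'));
            return;
        }
        $this->deleteLogo($position, $nren);
        break;
    case 'change_title':
        if (isset($_POST['portalTitle'])) {
            $titleValue = Input::sanitize($_POST['portalTitle']);
        } else {
            $titleValue = "";
        }
        /* the title is stored only when the change button was pressed;
         * the checkbox decides whether it is displayed at all */
        if (isset($_POST['changeButton'])) {
            $showTitle = isset($_POST['showPortalTitle']);
            $this->updateNRENTitle($nren, $titleValue, $showTitle);
        }
        break;
    default:
        Framework::error_output("Unknown operation chosen in the stylist!");
        break;
    }
}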