Exemplo n.º 1
0
function clean_incoming_data()
{
    global $sugar_config;
    if (get_magic_quotes_gpc() == 1) {
        $req = array_map("preprocess_param", $_REQUEST);
        $post = array_map("preprocess_param", $_POST);
        $get = array_map("preprocess_param", $_GET);
    } else {
        $req = array_map("securexss", $_REQUEST);
        $post = array_map("securexss", $_POST);
        $get = array_map("securexss", $_GET);
    }
    // PHP cannot stomp out superglobals reliably
    foreach ($post as $k => $v) {
        $_POST[$k] = $v;
    }
    foreach ($get as $k => $v) {
        $_GET[$k] = $v;
    }
    foreach ($req as $k => $v) {
        $_REQUEST[$k] = $v;
        //ensure the keys are safe as well
        securexsskey($k);
    }
    // Any additional variables that need to be cleaned should be added here
    if (isset($_REQUEST['login_theme'])) {
        clean_string($_REQUEST['login_theme']);
    }
    if (isset($_REQUEST['login_module'])) {
        clean_string($_REQUEST['login_module']);
    }
    if (isset($_REQUEST['login_action'])) {
        clean_string($_REQUEST['login_action']);
    }
    if (isset($_REQUEST['login_language'])) {
        clean_string($_REQUEST['login_language']);
    }
    if (isset($_REQUEST['action'])) {
        clean_string($_REQUEST['action']);
    }
    if (isset($_REQUEST['module'])) {
        clean_string($_REQUEST['module']);
    }
    if (isset($_REQUEST['record'])) {
        clean_string($_REQUEST['record'], 'STANDARDSPACE');
    }
    if (isset($_SESSION['authenticated_user_theme'])) {
        clean_string($_SESSION['authenticated_user_theme']);
    }
    if (isset($_SESSION['authenticated_user_language'])) {
        clean_string($_SESSION['authenticated_user_language']);
    }
    if (isset($_REQUEST['language'])) {
        clean_string($_REQUEST['language']);
    }
    if (isset($sugar_config['default_theme'])) {
        clean_string($sugar_config['default_theme']);
    }
    if (isset($_REQUEST['offset'])) {
        clean_string($_REQUEST['offset']);
    }
    if (isset($_REQUEST['stamp'])) {
        clean_string($_REQUEST['stamp']);
    }
    if (isset($_REQUEST['lvso'])) {
        set_superglobals('lvso', strtolower($_REQUEST['lvso']) === 'desc' ? 'desc' : 'asc');
    }
    // Clean "offset" and "order_by" parameters in URL
    foreach ($_REQUEST as $key => $val) {
        if (str_end($key, "_offset")) {
            clean_string($_REQUEST[$key], "ALPHANUM");
            // keep this ALPHANUM for disable_count_query
            set_superglobals($key, $_REQUEST[$key]);
        } elseif (str_end($key, "_ORDER_BY")) {
            clean_string($_REQUEST[$key], "SQL_COLUMN_LIST");
            set_superglobals($key, $_REQUEST[$key]);
        }
    }
    return 0;
}
Exemplo n.º 2
0
Arquivo: bios.php Projeto: NazarK/sqp
function uses_file($file)
{
    if (str_end(strtolower($file), ".js") && file_exists("uses/" . $file)) {
        $filetime = filemtime("uses/" . $file);
        $content = "<script src='uses/{$file}?{$filetime}'></script>";
        return $content;
    }
    if (str_end(strtolower($file), ".html") && file_exists("uses/" . $file)) {
        return file_get_contents("uses/" . $file);
    }
    if (str_end(strtolower($file), ".css") && file_exists("uses/" . $file)) {
        $fname = "uses/" . $file;
        $filetime = filemtime($fname);
        $content = "<link rel='stylesheet' href='{$fname}?{$filetime}' type='text/css' />";
        return $content;
    }
}
Exemplo n.º 3
0
function clean_incoming_data()
{
    global $sugar_config;
    global $RAW_REQUEST;
    if (get_magic_quotes_gpc()) {
        // magic quotes screw up data, we'd have to clean up
        $RAW_REQUEST = array_map('cleanup_slashes', $_REQUEST);
    } else {
        $RAW_REQUEST = $_REQUEST;
    }
    if (get_magic_quotes_gpc() == 1) {
        $req = array_map('preprocess_param', $_REQUEST);
        $post = array_map('preprocess_param', $_POST);
        $get = array_map('preprocess_param', $_GET);
    } else {
        $req = array_map('securexss', $_REQUEST);
        $post = array_map('securexss', $_POST);
        $get = array_map('securexss', $_GET);
    }
    // PHP cannot stomp out superglobals reliably
    foreach ($post as $k => $v) {
        $_POST[$k] = $v;
    }
    foreach ($get as $k => $v) {
        $_GET[$k] = $v;
    }
    foreach ($req as $k => $v) {
        $_REQUEST[$k] = $v;
        //ensure the keys are safe as well.  If mbstring encoding translation is on, the post keys don't
        //get translated, so scrub the data but don't die
        if (ini_get('mbstring.encoding_translation') === '1') {
            securexsskey($k, false);
        } else {
            securexsskey($k, true);
        }
    }
    // Any additional variables that need to be cleaned should be added here
    if (isset($_REQUEST['login_theme'])) {
        clean_string($_REQUEST['login_theme']);
    }
    if (isset($_REQUEST['login_module'])) {
        clean_string($_REQUEST['login_module']);
    }
    if (isset($_REQUEST['login_action'])) {
        clean_string($_REQUEST['login_action']);
    }
    if (isset($_REQUEST['login_language'])) {
        clean_string($_REQUEST['login_language']);
    }
    if (isset($_REQUEST['action'])) {
        clean_string($_REQUEST['action']);
    }
    if (isset($_REQUEST['module'])) {
        clean_string($_REQUEST['module']);
    }
    if (isset($_REQUEST['record'])) {
        clean_string($_REQUEST['record'], 'STANDARDSPACE');
    }
    if (isset($_SESSION['authenticated_user_theme'])) {
        clean_string($_SESSION['authenticated_user_theme']);
    }
    if (isset($_SESSION['authenticated_user_language'])) {
        clean_string($_SESSION['authenticated_user_language']);
    }
    if (isset($_REQUEST['language'])) {
        clean_string($_REQUEST['language']);
    }
    if (isset($sugar_config['default_theme'])) {
        clean_string($sugar_config['default_theme']);
    }
    if (isset($_REQUEST['offset'])) {
        clean_string($_REQUEST['offset']);
    }
    if (isset($_REQUEST['stamp'])) {
        clean_string($_REQUEST['stamp']);
    }
    if (isset($_REQUEST['lvso'])) {
        set_superglobals('lvso', strtolower($_REQUEST['lvso']) === 'desc' ? 'desc' : 'asc');
    }
    // Clean "offset" and "order_by" parameters in URL
    foreach ($_REQUEST as $key => $val) {
        if (str_end($key, '_offset')) {
            clean_string($_REQUEST[$key], 'ALPHANUM');
            // keep this ALPHANUM for disable_count_query
            set_superglobals($key, $_REQUEST[$key]);
        } elseif (str_end($key, '_ORDER_BY')) {
            clean_string($_REQUEST[$key], 'SQL_COLUMN_LIST');
            set_superglobals($key, $_REQUEST[$key]);
        }
    }
    return 0;
}
Exemplo n.º 4
0
function replace_files(&$html)
{
    preg_match_all("|{![^}]*}|", $html, $matches);
    foreach ($matches[0] as $value) {
        $varname = substr($value, 2, strlen($value) - 3);
        if (str_end($varname, ".html") && file_exists("uses/" . $varname)) {
            $content = file_get_contents("uses/" . $varname);
            replace_files($content);
            $html = str_replace("{!{$varname}}", $content, $html);
        }
        if (str_end($varname, ".js") && file_exists("uses/" . $varname)) {
            $content = "<script src='uses/{$varname}'></script>";
            $html = str_replace("{!{$varname}}", $content, $html);
        }
        if (str_end($varname, ".png") && file_exists("images/" . $varname)) {
            $content = "<img src='images/{$varname}'>";
            $html = str_replace("{!{$varname}}", $content, $html);
        }
        if (str_end($varname, ".css") && file_exists("uses/" . $varname)) {
            $content = "<link rel='stylesheet' href='uses/{$varname}' type='text/css' />";
            $html = str_replace("{!{$varname}}", $content, $html);
        }
    }
}