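/**
 * Scrub the request superglobals in place before any module code reads them.
 *
 * Every value of $_REQUEST, $_POST and $_GET is passed through preprocess_param()
 * when magic quotes are active and through securexss() otherwise (both are
 * project helpers defined elsewhere); every $_REQUEST key goes through
 * securexsskey(). A fixed list of routing/presentation parameters is then
 * checked with clean_string(), and each "*_offset" / "*_ORDER_BY" parameter is
 * cleaned and pushed back into the superglobals with set_superglobals().
 *
 * @return int always 0 (kept for the original calling contract)
 */
function clean_incoming_data()
{
    global $sugar_config;

    // get_magic_quotes_gpc() always returns false since PHP 7.4 and no longer
    // exists in PHP 8; calling it unguarded there is a fatal undefined-function error.
    $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1;
    $scrubber = $magicQuotes ? 'preprocess_param' : 'securexss';

    $req = array_map($scrubber, $_REQUEST);
    $post = array_map($scrubber, $_POST);
    $get = array_map($scrubber, $_GET);

    // PHP cannot stomp out superglobals reliably, so copy back element by element.
    foreach ($post as $k => $v) {
        $_POST[$k] = $v;
    }
    foreach ($get as $k => $v) {
        $_GET[$k] = $v;
    }
    foreach ($req as $k => $v) {
        $_REQUEST[$k] = $v;
        // Keys are request-controlled too; ensure they are safe as well.
        securexsskey($k);
    }

    // Any additional variables that need to be cleaned should be added here.
    // Order is preserved from the original so the first offending value is
    // reported the same way (clean_string() is a project helper defined elsewhere).
    foreach (['login_theme', 'login_module', 'login_action', 'login_language', 'action', 'module'] as $param) {
        if (isset($_REQUEST[$param])) {
            clean_string($_REQUEST[$param]);
        }
    }
    if (isset($_REQUEST['record'])) {
        clean_string($_REQUEST['record'], 'STANDARDSPACE');
    }
    foreach (['authenticated_user_theme', 'authenticated_user_language'] as $param) {
        if (isset($_SESSION[$param])) {
            clean_string($_SESSION[$param]);
        }
    }
    if (isset($_REQUEST['language'])) {
        clean_string($_REQUEST['language']);
    }
    if (isset($sugar_config['default_theme'])) {
        clean_string($sugar_config['default_theme']);
    }
    foreach (['offset', 'stamp'] as $param) {
        if (isset($_REQUEST[$param])) {
            clean_string($_REQUEST[$param]);
        }
    }
    if (isset($_REQUEST['lvso'])) {
        // Sort order is whitelisted to the two literals; a non-string value
        // (e.g. lvso[]=x) falls back to 'asc' instead of reaching strtolower().
        $desc = is_string($_REQUEST['lvso']) && strtolower($_REQUEST['lvso']) === 'desc';
        set_superglobals('lvso', $desc ? 'desc' : 'asc');
    }

    // Clean "offset" and "order_by" parameters in URL.
    foreach (array_keys($_REQUEST) as $key) {
        if (str_end($key, '_offset')) {
            clean_string($_REQUEST[$key], 'ALPHANUM'); // keep this ALPHANUM for disable_count_query
            set_superglobals($key, $_REQUEST[$key]);
        } elseif (str_end($key, '_ORDER_BY')) {
            clean_string($_REQUEST[$key], 'SQL_COLUMN_LIST');
            set_superglobals($key, $_REQUEST[$key]);
        }
    }

    return 0;
}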
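/**
 * Build the HTML needed to include an asset stored under uses/.
 *
 *  - "*.js"   -> a <script> tag whose src carries the file mtime as a cache-buster
 *  - "*.html" -> the raw file contents (file_get_contents()'s false on a read
 *                failure is passed through unchanged)
 *  - "*.css"  -> a <link rel='stylesheet'> tag, mtime-busted as above
 *
 * The extension is compared case-insensitively via str_end() (project helper).
 *
 * @param string $file name relative to uses/
 * @return string|false|null the markup/contents, or null when the name is
 *         rejected, the file does not exist, or the extension is not handled
 */
function uses_file($file)
{
    // $file is spliced into a filesystem path. Refuse anything that could step
    // outside uses/ (parent segments, absolute paths, embedded NUL) in case a
    // caller forwards request-derived input — TODO confirm where callers get $file.
    if (!is_string($file) || $file === ''
        || strpos($file, "\0") !== false
        || strpos($file, '..') !== false
        || $file[0] === '/' || $file[0] === '\\') {
        return null;
    }

    $path = 'uses/' . $file;
    if (!file_exists($path)) {
        return null;
    }

    $lower = strtolower($file);
    if (str_end($lower, '.js')) {
        $stamp = filemtime($path);
        return "<script src='{$path}?{$stamp}'></script>";
    }
    if (str_end($lower, '.html')) {
        return file_get_contents($path);
    }
    if (str_end($lower, '.css')) {
        $stamp = filemtime($path);
        return "<link rel='stylesheet' href='{$path}?{$stamp}' type='text/css' />";
    }

    // Unhandled extension: make the "nothing to include" result explicit.
    return null;
}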
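/**
 * Scrub the request superglobals in place before any module code reads them.
 *
 * A copy of the unscrubbed request is first kept in the global $RAW_REQUEST
 * (slashes removed via cleanup_slashes() when magic quotes are active). Every
 * value of $_REQUEST, $_POST and $_GET is then passed through preprocess_param()
 * under magic quotes and through securexss() otherwise (project helpers defined
 * elsewhere); every $_REQUEST key goes through securexsskey(). A fixed list of
 * routing/presentation parameters is checked with clean_string(), and each
 * "*_offset" / "*_ORDER_BY" parameter is cleaned and pushed back into the
 * superglobals with set_superglobals().
 *
 * @return int always 0 (kept for the original calling contract)
 */
function clean_incoming_data()
{
    global $sugar_config;
    global $RAW_REQUEST;

    // get_magic_quotes_gpc() always returns false since PHP 7.4 and no longer
    // exists in PHP 8; calling it unguarded there is a fatal undefined-function error.
    // Evaluate once instead of twice as the original did.
    $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1;

    // Magic quotes screw up data, so the raw copy has its slashes cleaned up.
    $RAW_REQUEST = $magicQuotes ? array_map('cleanup_slashes', $_REQUEST) : $_REQUEST;

    $scrubber = $magicQuotes ? 'preprocess_param' : 'securexss';
    $req = array_map($scrubber, $_REQUEST);
    $post = array_map($scrubber, $_POST);
    $get = array_map($scrubber, $_GET);

    // Per the original comment: when mbstring encoding translation is on, the
    // POST keys are not translated, so scrub the keys but do not die on them.
    // ini_get() is loop-invariant, so read it once.
    $dieOnBadKey = ini_get('mbstring.encoding_translation') !== '1';

    // PHP cannot stomp out superglobals reliably, so copy back element by element.
    foreach ($post as $k => $v) {
        $_POST[$k] = $v;
    }
    foreach ($get as $k => $v) {
        $_GET[$k] = $v;
    }
    foreach ($req as $k => $v) {
        $_REQUEST[$k] = $v;
        // Keys are request-controlled too; ensure they are safe as well.
        securexsskey($k, $dieOnBadKey);
    }

    // Any additional variables that need to be cleaned should be added here.
    // Order is preserved from the original so the first offending value is
    // reported the same way (clean_string() is a project helper defined elsewhere).
    foreach (['login_theme', 'login_module', 'login_action', 'login_language', 'action', 'module'] as $param) {
        if (isset($_REQUEST[$param])) {
            clean_string($_REQUEST[$param]);
        }
    }
    if (isset($_REQUEST['record'])) {
        clean_string($_REQUEST['record'], 'STANDARDSPACE');
    }
    foreach (['authenticated_user_theme', 'authenticated_user_language'] as $param) {
        if (isset($_SESSION[$param])) {
            clean_string($_SESSION[$param]);
        }
    }
    if (isset($_REQUEST['language'])) {
        clean_string($_REQUEST['language']);
    }
    if (isset($sugar_config['default_theme'])) {
        clean_string($sugar_config['default_theme']);
    }
    foreach (['offset', 'stamp'] as $param) {
        if (isset($_REQUEST[$param])) {
            clean_string($_REQUEST[$param]);
        }
    }
    if (isset($_REQUEST['lvso'])) {
        // Sort order is whitelisted to the two literals; a non-string value
        // (e.g. lvso[]=x) falls back to 'asc' instead of reaching strtolower().
        $desc = is_string($_REQUEST['lvso']) && strtolower($_REQUEST['lvso']) === 'desc';
        set_superglobals('lvso', $desc ? 'desc' : 'asc');
    }

    // Clean "offset" and "order_by" parameters in URL.
    foreach (array_keys($_REQUEST) as $key) {
        if (str_end($key, '_offset')) {
            clean_string($_REQUEST[$key], 'ALPHANUM'); // keep this ALPHANUM for disable_count_query
            set_superglobals($key, $_REQUEST[$key]);
        } elseif (str_end($key, '_ORDER_BY')) {
            clean_string($_REQUEST[$key], 'SQL_COLUMN_LIST');
            set_superglobals($key, $_REQUEST[$key]);
        }
    }

    return 0;
}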
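/**
 * Expand "{!name}" placeholders in $html in place.
 *
 *  - "*.html" under uses/   -> replaced by the file contents, themselves expanded recursively
 *  - "*.js"   under uses/   -> <script> tag
 *  - "*.png"  under images/ -> <img> tag
 *  - "*.css"  under uses/   -> <link rel='stylesheet'> tag
 *
 * Placeholders whose file does not exist, whose extension is not handled, or
 * whose name could escape the asset directory are left untouched. Extension
 * matching uses str_end() (project helper) and is case-sensitive, as before.
 *
 * @param string $html  template text, rewritten in place
 * @param int    $depth nesting level of the current .html include; internal,
 *                      callers keep the one-argument form
 * @return void
 */
function replace_files(&$html, $depth = 0)
{
    // A template that includes itself (directly or via a cycle) recursed without
    // bound in the original. Real nesting is shallow; cap it well above that.
    if ($depth > 20) {
        return;
    }
    // file_get_contents() can hand a false in here on a read failure; the
    // original coerced it to '' inside preg_match_all(), which finds nothing.
    if (!is_string($html)) {
        return;
    }
    if (preg_match_all('|{![^}]*}|', $html, $matches) === false) {
        return; // PCRE error (e.g. backtrack limit) — leave the text as it is
    }

    foreach ($matches[0] as $placeholder) {
        // Strip the leading "{!" and trailing "}".
        $name = substr($placeholder, 2, strlen($placeholder) - 3);

        // The name is spliced into a filesystem path. Skip anything that could
        // step outside uses/ or images/ (parent segments, absolute paths, NUL);
        // placeholders presumably come from template files, but $html's origin
        // is not visible here — TODO confirm callers.
        if ($name === ''
            || strpos($name, '..') !== false
            || strpos($name, "\0") !== false
            || $name[0] === '/' || $name[0] === '\\') {
            continue;
        }

        $token = "{!{$name}}";
        if (str_end($name, '.html') && file_exists('uses/' . $name)) {
            $content = file_get_contents('uses/' . $name);
            replace_files($content, $depth + 1);
            $html = str_replace($token, $content, $html);
        } elseif (str_end($name, '.js') && file_exists('uses/' . $name)) {
            $html = str_replace($token, "<script src='uses/{$name}'></script>", $html);
        } elseif (str_end($name, '.png') && file_exists('images/' . $name)) {
            $html = str_replace($token, "<img src='images/{$name}'>", $html);
        } elseif (str_end($name, '.css') && file_exists('uses/' . $name)) {
            $html = str_replace($token, "<link rel='stylesheet' href='uses/{$name}' type='text/css' />", $html);
        }
    }
}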