From 33538876040f5b401feac04fb8943b60353e67f2 Mon Sep 17 00:00:00 2001 From: Carlos Vargas Date: Wed, 13 May 2009 22:44:24 +0200 Subject: [PATCH] [svn r20605] add remove_XSS in sql inyection in work see FS#4169 --- main/work/work.lib.php | 96 ++++++++++++++++++++---------------------- main/work/work.php | 23 ++++------ 2 files changed, 54 insertions(+), 65 deletions(-) diff --git a/main/work/work.lib.php b/main/work/work.lib.php index 2727d8d4c6..1edca1c90c 100644 --- a/main/work/work.lib.php +++ b/main/work/work.lib.php @@ -1,4 +1,4 @@ -, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default. * @author Roan Embrechts, code refactoring and virtual course support * @author Frederic Vauthier, directories management -* @version $Id: work.lib.php 20519 2009-05-12 00:27:20Z cvargas1 $ +* @version $Id: work.lib.php 20605 2009-05-13 20:44:24Z cvargas1 $ */ /** * Displays action links (for admins, authorized groups members and authorized students) @@ -411,9 +411,6 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou $form_folder = new FormValidator('edit_dir', 'post', api_get_self().'?curdirpath='.$my_sub_dir.'&origin='.$origin.'&gradebook='.$gradebook.'&edit_dir='.$mydir); $group_name[] = FormValidator :: createElement('text','dir_name'); - - //$group_name[] = FormValidator :: createElement('submit','submit_edit_dir',get_lang('Ok')); - $form_folder -> addGroup($group_name,'my_group',get_lang('Title')); $form_folder -> addGroupRule('my_group',get_lang('ThisFieldIsRequired'),'required'); $defaults = array('my_group[dir_name]'=>html_entity_decode($dir),'description'=>html_entity_decode($row['description'])); 
@@ -432,8 +429,7 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou $form_folder -> addGroup(create_group_date_select(),'ends',get_lang('EndsAt')); } $form_folder -> addRule(array('expires','ends'), get_lang('DateExpiredNotBeLessDeadLine'), 'comparedate'); - } - else { + } else { $form_folder -> addElement('html','
 
@@ -946,8 +942,7 @@ function create_unexisting_work_directory($base_work_dir,$desired_dir_name)
 * @param string The directory name as the bit after "work/", without trailing slash
 * @return integer -1 on error
 */
-function del_dir($base_work_dir,$dir,$id)
-{
+function del_dir($base_work_dir,$dir,$id) {
 if(empty($dir) or $dir=='/') {
 return -1;
 }
@@ -1015,50 +1010,50 @@ function update_work_url($id,$new_path) * @param string old path * @param string new path */ -function update_dir_name($path, $new_name) -{ - global $base_work_dir; - - include_once(api_get_path(LIBRARY_PATH) . "/fileManage.lib.php"); - include_once(api_get_path(LIBRARY_PATH) . "/fileUpload.lib.php"); +function update_dir_name($path, $new_name) { - $path_to_dir = dirname($path); - - if($path_to_dir=='.') { - $path_to_dir = ''; - }else { - $path_to_dir .= '/'; - } - - $new_name=replace_accents($new_name); - $new_name=disable_dangerous_file($new_name); - $new_name=replace_dangerous_char($new_name); - - my_rename($base_work_dir.'/'.$path,$new_name); - $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION); - - //update all the files in the other directories according with the next query - $sql = 'SELECT id, url FROM '.$table.' WHERE url LIKE BINARY "work/'.$path.'/%"'; // like binary (Case Sensitive) + if (!empty($new_name)){ + + global $base_work_dir; + include_once(api_get_path(LIBRARY_PATH) . "/fileManage.lib.php"); + include_once(api_get_path(LIBRARY_PATH) . "/fileUpload.lib.php"); + $path_to_dir = dirname($path); + if($path_to_dir=='.') { + $path_to_dir = ''; + } else { + $path_to_dir .= '/'; + } + $new_name=replace_accents($new_name); + $new_name=disable_dangerous_file($new_name); + //$new_name=replace_dangerous_char($new_name); + + my_rename($base_work_dir.'/'.$path,$new_name); + $table = Database::get_course_table(TABLE_STUDENT_PUBLICATION); - $rs = api_sql_query($sql, __FILE__, __LINE__); - $work_len=strlen('work/'.$path); + //update all the files in the other directories according with the next query + $sql = 'SELECT id, url FROM '.$table.' 
WHERE url LIKE BINARY "work/'.$path.'/%"'; // like binary (Case Sensitive) + + $rs = api_sql_query($sql, __FILE__, __LINE__); + $work_len=strlen('work/'.$path); + + while($work = Database :: fetch_array($rs)) { + $new_dir=$work['url']; + $name_with_directory=substr($new_dir,$work_len,strlen($new_dir)); + $sql = 'UPDATE '.$table.' SET url="work/'.$path_to_dir.$new_name.$name_with_directory.'" WHERE id= '.$work['id']; + api_sql_query($sql, __FILE__, __LINE__); + } - while($work = Database :: fetch_array($rs)) { - $new_dir=$work['url']; - $name_with_directory=substr($new_dir,$work_len,strlen($new_dir)); - $sql = 'UPDATE '.$table.' SET url="work/'.$path_to_dir.$new_name.$name_with_directory.'" WHERE id= '.$work['id']; - api_sql_query($sql, __FILE__, __LINE__); - } - - //update all the directory's children according with the next query - $sql = 'SELECT id, url FROM '.$table.' WHERE url LIKE BINARY "/'.$path.'%"'; - $rs = api_sql_query($sql, __FILE__, __LINE__); - $work_len=strlen('/'.$path); - while($work = Database :: fetch_array($rs)) { - $new_dir=$work['url']; - $name_with_directory=substr($new_dir,$work_len,strlen($new_dir)); - $sql = 'UPDATE '.$table.' SET url="/'.$path_to_dir.$new_name.$name_with_directory.'" WHERE id= '.$work['id']; - api_sql_query($sql, __FILE__, __LINE__); + //update all the directory's children according with the next query + $sql = 'SELECT id, url FROM '.$table.' WHERE url LIKE BINARY "/'.$path.'%"'; + $rs = api_sql_query($sql, __FILE__, __LINE__); + $work_len=strlen('/'.$path); + while($work = Database :: fetch_array($rs)) { + $new_dir=$work['url']; + $name_with_directory=substr($new_dir,$work_len,strlen($new_dir)); + $url=$path_to_dir.$new_name.$name_with_directory; + $sql = 'UPDATE '.$table.' SET url="/'.$url.'" WHERE id= '.$work['id']; + api_sql_query($sql, __FILE__, __LINE__); + } } } 
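Review bot: `$path` and `$new_name` are still concatenated raw into the `LIKE BINARY "work/'.$path.'/%"` SELECTs and the `SET url="..."` UPDATEs in the new body of `update_dir_name`, so the injection this commit sets out to close stays open in this hunk; `Security::remove_XSS` is an HTML-output filter and would not be the right tool here anyway. The values should be escaped where each query string is built, with `Database::escape_string()` on the whole `url` value of the UPDATE (that also covers `$path_to_dir`), `addcslashes($path, '%_')` before escaping the LIKE operand so `%` and `_` in a directory name stay literal, and an `(int)` cast on `$work['id']` instead of bare interpolation. Commenting out `$new_name=replace_dangerous_char($new_name);` on the new side drops a filename sanitisation step ahead of `my_rename()` rather than adding one; if that is deliberate, a one-line comment saying why would stop the next reader from restoring it. The new `if (!empty($new_name))` wrapper turns an empty name into a silent no-op; an early `return;` with a comment would make that explicit.
```php
function update_dir_name($path, $new_name) {
    // … unchanged: empty-name guard, includes, $path_to_dir, accent/dangerous-file handling, my_rename(), $table …
    // Escape once for the LIKE operand: backslash-protect the wildcards first, then SQL-escape.
    $path_sql = Database::escape_string(addcslashes($path, '%_'));
    $sql = 'SELECT id, url FROM '.$table.' WHERE url LIKE BINARY "work/'.$path_sql.'/%"'; // like binary (Case Sensitive)
    // … unchanged: api_sql_query(), $work_len, fetch loop head …
    $sql = 'UPDATE '.$table.' SET url="'.Database::escape_string('work/'.$path_to_dir.$new_name.$name_with_directory).'" WHERE id= '.(int) $work['id'];
    // … unchanged: second pass over "/'.$path.'%" — same $path_sql operand, same escape_string() on the url value and (int) cast on id …
```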
@@ -1337,7 +1332,6 @@ function to_javascript_work() { * @param string $path * @return true if is found / false if not found */ - function get_work_id($path) { $TBL_STUDENT_PUBLICATION = Database :: get_course_table(TABLE_STUDENT_PUBLICATION); $TBL_PROP_TABLE = Database::get_course_table(TABLE_ITEM_PROPERTY); diff --git a/main/work/work.php b/main/work/work.php index de27216bf7..f481467ca2 100644 --- a/main/work/work.php +++ b/main/work/work.php @@ -1,4 +1,4 @@ -, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default. * @author Roan Embrechts, code refactoring and virtual course support * @author Frederic Vauthier, directories management -* @version $Id: work.php 20519 2009-05-12 00:27:20Z cvargas1 $ +* @version $Id: work.php 20605 2009-05-13 20:44:24Z cvargas1 $ * * @todo refactor more code into functions, use quickforms, coding standards, ... */ @@ -426,15 +426,17 @@ if (api_is_allowed_to_edit(false,true)) { if (isset($delete) && $delete == "all") { $queryString1 = "SELECT url FROM " . $work_table . ""; $queryString2 = "DELETE FROM " . $work_table . ""; + $queryString3 = "DELETE FROM " . $TSTDPUBASG . ""; } else { $queryString1 = "SELECT url FROM " . $work_table . " WHERE id = '$delete'"; - $queryString2 = "DELETE FROM " . $work_table . " WHERE id='$delete'"; + $queryString2 = "DELETE FROM " . $work_table . " WHERE id='$delete'"; + $queryString3 = "DELETE FROM " . $TSTDPUBASG . " WHERE publication_id='$delete'"; } $result1 = api_sql_query($queryString1, __FILE__, __LINE__); $result2 = api_sql_query($queryString2, __FILE__, __LINE__); - + $result3 = api_sql_query($queryString3, __FILE__, __LINE__); } } 
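Review bot: The new `$queryString3` line builds `WHERE publication_id='$delete'` by interpolating `$delete` directly, copying the pattern of the neighbouring `$queryString1`/`$queryString2` instead of fixing it, which is at odds with the commit's own subject. `$delete` looks request-derived (its origin is outside the hunk), so the added line should bound it, e.g. `$queryString3 = "DELETE FROM " . $TSTDPUBASG . " WHERE publication_id=" . (int) $delete;` or `Database::escape_string($delete)` inside the quotes, and the two existing lines deserve the same treatment while this code is being touched. `$TSTDPUBASG` is referenced here but defined outside the hunk; worth confirming it is initialised on both the "all" and single-id paths before `api_sql_query` runs. The same unescaped `$delete` interpolation is repeated by the new `$queryString3` line in the @@ -746 hunk of this file.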
@@ -552,9 +554,8 @@ if (api_is_allowed_to_edit(false,true)) {
 isset($course_info)?$course=$course_info:$course=null;
 $agenda_id = agenda_add_item($course,$_POST['new_dir'],$_POST['new_dir'],date('Y-m-d H:i:s'),get_date_from_select('ends'),null,0);
 endif;
-
 $sql_add_publication = "INSERT INTO " . $work_table . " SET " .
-"url = '".Database::escape_string($dir_name_sql)."',
+"url = '".Database::escape_string(Security::remove_XSS($dir_name_sql))."',
 title = '',
 description = '".Database::escape_string(Security::remove_XSS($_POST['description']))."',
 author = '',
@@ -746,9 +747,11 @@ else { //we found the current user is the author $queryString1 = "SELECT url FROM " . $work_table . " WHERE id = '$delete'"; $queryString2 = "DELETE FROM " . $work_table . " WHERE id='$delete'"; + $queryString3 = "DELETE FROM " . $TSTDPUBASG . " WHERE publication_id='$delete'"; $result1 = api_sql_query($queryString1, __FILE__, __LINE__); $result2 = api_sql_query($queryString2, __FILE__, __LINE__); + $result3 = api_sql_query($queryString3, __FILE__, __LINE__); if ($result1) { api_item_property_update($_course, 'work', $delete, 'DocumentDeleted', $user_id); 
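Review bot: Wrapping `$dir_name_sql` in `Security::remove_XSS()` inside the `url = ...` assignment does not add any SQL-injection protection — the surrounding `Database::escape_string()` already provides that, and `remove_XSS` is an HTML-output filter. Because `$dir_name_sql` presumably mirrors the directory name created on disk elsewhere (outside this hunk), rewriting it here risks storing a `url` that no longer matches the filesystem path; if markup in the name must be neutralised, do it once where `$dir_name_sql` is derived so database and disk agree, and keep `url = '".Database::escape_string($dir_name_sql)."',` here with HTML escaping applied where the name is rendered. The `$sql_add_publication` statement starts in this hunk and its remaining columns continue past it.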
@@ -820,30 +823,22 @@ if ($ctok==$_POST['sec_token']) { //check the token inserted into the form //if (!$authors) { $authors = $currentUserFirstName . " " . $currentUserLastName; //} - // compose a unique file name to avoid any conflict - $new_file_name = uniqid('') . $new_file_name; - if (isset ($_SESSION['toolgroup'])) { $post_group_id = $_SESSION['toolgroup']; } else { $post_group_id = '0'; } - //if we come from the group tools the groupid will be saved in $work_table - @move_uploaded_file($_FILES['file']['tmp_name'], $updir . $my_cur_dir_path . $new_file_name); - $url = "work/" . $my_cur_dir_path . $new_file_name; - $result = api_sql_query("SHOW FIELDS FROM " . $work_table . " LIKE 'sent_date'", __FILE__, __LINE__); if (!Database::num_rows($result)) { api_sql_query("ALTER TABLE " . $work_table . " ADD sent_date DATETIME NOT NULL"); } $current_date = date('Y-m-d H:i:s'); - $parent_id = ''; $active = ''; $sql = api_sql_query('SELECT id FROM '.Database::get_course_table(TABLE_STUDENT_PUBLICATION).' WHERE url = '."'/".Database::escape_string($_GET['curdirpath'])."' AND filetype='folder' LIMIT 1");