Security: Reduce XSS/CSRF probability as admin user - refs BT#21289

Author: 84335353+christianbeeznest@users.noreply.github.com
2 years ago · 34c3357f4a
parent 67076c4a7a
commit 34c3357f4a
6 changed files with 36 additions and 27 deletions
--- a/main/admin/add_courses_to_usergroup.php
+++ b/main/admin/add_courses_to_usergroup.php
@ -46,8 +46,8 @@ function remove_item(origin) {

 $errorMsg = '';
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
    if (!is_array($elements_posted)) {
        $elements_posted = [];
    }
@ -187,7 +187,7 @@ echo '<div id="advanced_search_options" style="display:none">';
 $searchForm->display();
 echo '</div>';
 ?>
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
    echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
    echo ' onsubmit="valide();"';
--- a/main/admin/add_sessions_to_usergroup.php
+++ b/main/admin/add_sessions_to_usergroup.php
@ -73,8 +73,8 @@ function validate_filter() {

 $errorMsg = '';
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
    if (!is_array($elements_posted)) {
        $elements_posted = [];
    }
@ -168,7 +168,7 @@ echo '</div>';
 echo '<div id="advancedSearch" style="display: none">'.get_lang('SearchSessions'); ?> :
     <input name="SearchSession" onchange = "xajax_search_usergroup_sessions(this.value,'searchbox')" onkeyup="this.onchange()">
     </div>
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
    echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
    echo ' onsubmit="valide();"';
--- a/main/admin/dashboard_add_sessions_to_user.php
+++ b/main/admin/dashboard_add_sessions_to_user.php
@ -29,7 +29,7 @@ $tbl_session_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_USER);
 $tbl_session_rel_access_url = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_SESSION);

 // Initializing variables
-$user_id = isset($_GET['user']) ? intval($_GET['user']) : null;
+$user_id = isset($_GET['user']) ? (int) $_GET['user'] : null;
 $user_info = api_get_user_info($user_id);
 $user_anonymous = api_get_anonymous_id();
 $current_user_id = api_get_user_id();
@ -72,10 +72,10 @@ function search_sessions($needle, $type)

        if (api_is_multiple_url_enabled()) {
            $sql = " SELECT s.id, s.name FROM $tbl_session s
-                     LEFT JOIN $tbl_session_rel_access_url a 
+                     LEFT JOIN $tbl_session_rel_access_url a
                     ON (s.id = a.session_id)
-                     WHERE  
-                        s.name LIKE '$needle%' $without_assigned_sessions AND 
+                     WHERE
+                        s.name LIKE '$needle%' $without_assigned_sessions AND
                        access_url_id = ".api_get_current_access_url_id();
        } else {
            $sql = "SELECT s.id, s.name FROM $tbl_session s
@ -150,12 +150,12 @@ function remove_item(origin) {
 </script>';

 $formSent = 0;
-$firstLetterSession = isset($_POST['firstLetterSession']) ? $_POST['firstLetterSession'] : null;
+$firstLetterSession = isset($_POST['firstLetterSession']) ? Security::remove_XSS($_POST['firstLetterSession']) : null;
 $errorMsg = '';
 $UserList = [];

-if (isset($_POST['formSent']) && intval($_POST['formSent']) == 1) {
-    $sessions_list = $_POST['SessionsList'];
+if (isset($_POST['formSent']) && 1 == (int) $_POST['formSent']) {
+    $sessions_list = Security::remove_XSS($_POST['SessionsList']);
    $userInfo = api_get_user_info($user_id);
    $affected_rows = SessionManager::subscribeSessionsToDrh(
        $userInfo,
--- a/main/admin/dashboard_add_users_to_user.php
+++ b/main/admin/dashboard_add_users_to_user.php
@ -37,7 +37,7 @@ $current_user_id = api_get_user_id();

 $userStatus = api_get_user_status($user_id);

-$firstLetterUser = isset($_POST['firstLetterUser']) ? $_POST['firstLetterUser'] : null;
+$firstLetterUser = isset($_POST['firstLetterUser']) ? Security::remove_XSS($_POST['firstLetterUser']) : null;

 // setting the name of the tool
 $isAdmin = UserManager::is_admin($user_id);
@ -287,7 +287,7 @@ if (!empty($filters) && !empty($filterData)) {
 }

 if (isset($_POST['formSent']) && intval($_POST['formSent']) == 1) {
-    $user_list = isset($_POST['UsersList']) ? $_POST['UsersList'] : null;
+    $user_list = isset($_POST['UsersList']) ? Security::remove_XSS($_POST['UsersList']) : null;
    switch ($userStatus) {
        case DRH:
        case PLATFORM_ADMIN:
--- a/main/auth/sort_my_courses.php
+++ b/main/auth/sort_my_courses.php
@ -12,7 +12,7 @@ $auth = new Auth();
 $user_course_categories = CourseManager::get_user_course_categories(api_get_user_id());
 $courses_in_category = $auth->getCoursesInCategory(false);

-$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
+$action = isset($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : '';
 $currentUrl = api_get_self();

 $interbreadcrumb[] = [
@ -22,7 +22,9 @@ $interbreadcrumb[] = [

 // We are moving the course of the user to a different user defined course category (=Sort My Courses).
 if (isset($_POST['submit_change_course_category'])) {
-    $result = $auth->updateCourseCategory($_POST['course_2_edit_category'], $_POST['course_categories']);
+    $course2EditCategory = Security::remove_XSS($_POST['course_2_edit_category']);
+    $courseCategories = Security::remove_XSS($_POST['course_categories']);
+    $result = $auth->updateCourseCategory($course2EditCategory, $courseCategories);
    if ($result) {
        Display::addFlash(
            Display::return_message(get_lang('EditCourseCategorySucces'))
@ -36,7 +38,9 @@ if (isset($_POST['submit_change_course_category'])) {
 if (isset($_POST['submit_edit_course_category']) &&
    isset($_POST['title_course_category'])
 ) {
-    $result = $auth->store_edit_course_category($_POST['title_course_category'], $_POST['category_id']);
+    $titleCourseCategory = Security::remove_XSS($_POST['title_course_category']);
+    $categoryId = Security::remove_XSS($_POST['category_id']);
+    $result = $auth->store_edit_course_category($titleCourseCategory, $categoryId);
    if ($result) {
        Display::addFlash(
            Display::return_message(get_lang('CourseCategoryEditStored'))
@ -52,7 +56,8 @@ if (isset($_POST['create_course_category']) &&
    isset($_POST['title_course_category']) &&
    strlen(trim($_POST['title_course_category'])) > 0
 ) {
-    $result = $auth->store_course_category($_POST['title_course_category']);
+    $titleCourseCategory = Security::remove_XSS($_POST['title_course_category']);
+    $result = $auth->store_course_category($titleCourseCategory);
    if ($result) {
        Display::addFlash(
            Display::return_message(get_lang('CourseCategoryStored'))
@ -71,16 +76,19 @@ if (isset($_POST['create_course_category']) &&

 // We are moving a course or category of the user up/down the list (=Sort My Courses).
 if (isset($_GET['move'])) {
-    if (isset($_GET['course'])) {
-        $result = $auth->move_course($_GET['move'], $_GET['course'], $_GET['category']);
+    $getCourse = isset($_GET['course']) ? Security::remove_XSS($_GET['course']) : '';
+    $getMove = Security::remove_XSS($_GET['move']);
+    $getCategory = isset($_GET['category']) ? Security::remove_XSS($_GET['category']) : '';
+    if (!empty($getCourse)) {
+        $result = $auth->move_course($getMove, $getCourse, $getCategory);
        if ($result) {
            Display::addFlash(
                Display::return_message(get_lang('CourseSortingDone'))
            );
        }
    }
-    if (isset($_GET['category']) && !isset($_GET['course'])) {
-        $result = $auth->move_category($_GET['move'], $_GET['category']);
+    if (!empty($getCategory) && empty($getCourse)) {
+        $result = $auth->move_category($getMove, $getCategory);
        if ($result) {
            Display::addFlash(
                Display::return_message(get_lang('CategorySortingDone'))
@ -152,7 +160,8 @@ switch ($action) {
        // we are deleting a course category
        if (isset($_GET['id'])) {
            if (Security::check_token('get')) {
-                $result = $auth->delete_course_category($_GET['id']);
+                $getId = Security::remove_XSS($_GET['id']);
+                $result = $auth->delete_course_category($getId);
                if ($result) {
                    Display::addFlash(
                        Display::return_message(get_lang('CourseCategoryDeleted'))
@ -182,7 +191,7 @@ switch ($action) {
        $userId = api_get_user_id();
        $categoryId = isset($_REQUEST['categoryid']) ? (int) $_REQUEST['categoryid'] : 0;
        $option = isset($_REQUEST['option']) ? (int) $_REQUEST['option'] : 0;
-        $redirect = isset($_REQUEST['redirect']) ? $_REQUEST['redirect'] : 0;
+        $redirect = isset($_REQUEST['redirect']) ? Security::remove_XSS($_REQUEST['redirect']) : 0;

        if (empty($userId) || empty($categoryId)) {
            api_not_allowed(true);
--- a/main/session/session_add.php
+++ b/main/session/session_add.php
@ -115,8 +115,8 @@ function emptyDuration() {
 }
 </script>";

-if (isset($_POST['formSent']) && $_POST['formSent']) {
-    $formSent = 1;
+if (isset($_POST['formSent'])) {
+    $formSent = (int) $_POST['formSent'];
 }

 $tool_name = get_lang('AddSession');