From fc374ed1e4e223c36b5be934aa236a81ad2f388c Mon Sep 17 00:00:00 2001
From: "robert%accettura.com"
Date: Sat, 29 Jan 2005 18:27:58 +0000
Subject: [PATCH] trim and remove html of all service input. Not part of any build.
---
 tools/reporter/app/includes/iolib.inc.php | 11 ++++-
 tools/reporter/service/index.php | 54 +++++++++++++++--------
 2 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/tools/reporter/app/includes/iolib.inc.php b/tools/reporter/app/includes/iolib.inc.php
index 99dfe2f2efe0..66568a70277a 100644
--- a/tools/reporter/app/includes/iolib.inc.php
+++ b/tools/reporter/app/includes/iolib.inc.php
@@ -292,5 +292,12 @@ function printheaders(){
 header('Cache-Control: post-check=0, pre-check=0', false);
 header('Pragma: no-cache');
 header('X-Powered-By: A Barrel of Monkey\'s ');
-}
-?>
\ No newline at end of file
+}
+
+function strip_all_tags($input){
+ while($input != strip_tags($input)) {
+ $input = strip_tags($input);
+ }
+ return $input;
+}
+?>
diff --git a/tools/reporter/service/index.php b/tools/reporter/service/index.php
index 5e80bdc38577..a797555f19ad 100644
--- a/tools/reporter/service/index.php
+++ b/tools/reporter/service/index.php
@@ -38,6 +38,7 @@
 require_once('../config.inc.php');
 require_once('DB.php');
+require_once($config['app_path'].'/includes/iolib.inc.php');
 require_once($config['nusoap_path'].'/nusoap.php');
 // Create the server instance
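Review bot: `strip_all_tags` deletes everything from a `<` to the next `>`, so it is lossy rather than an encoder, and because it is applied as a generic input filter it cannot know the context (HTML body, attribute, SQL, log line) the value will end up in; the safer pattern is to keep the raw string and escape where it is rendered, `htmlspecialchars($s, ENT_QUOTES)` for an HTML context. The loop condition uses loose `!=`; prefer `while ($input !== strip_tags($input)) {` — harmless here, since a string containing `<` is never numeric, but the strict form documents the intent. The re-added closing `?>` is worth dropping: this file's `printheaders()` emits HTTP headers, and any whitespace that ends up after the tag is sent as output first and breaks `header()`, which is presumably why the previous version ended without a newline. Add a docblock above the function stating that it calls `strip_tags()` to a fixpoint because a single pass is not idempotent on nested or malformed tags, and that it removes rather than encodes content, so callers lose any legitimate `<...>` text.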
@@ -57,13 +58,13 @@ $server->register(
 $server->register(
 'submitReport', // method name
- array('rmoVers' => 'xsd:string',
- 'url' => 'xsd:string',
- 'problem_type' => 'xsd:string',
- 'description' => 'xsd:string',
- 'behind_login' => 'xsd:string',
- 'platform' => 'xsd:string',
- 'oscpu' => 'xsd:string',
+ array('rmoVers' => 'xsd:string',
+ 'url' => 'xsd:string',
+ 'problem_type' => 'xsd:string',
+ 'description' => 'xsd:string',
+ 'behind_login' => 'xsd:string',
+ 'platform' => 'xsd:string',
+ 'oscpu' => 'xsd:string',
 'gecko' => 'xsd:string',
 'product' => 'xsd:string',
 'useragent' => 'xsd:string',
@@ -78,7 +79,23 @@ $server->register(
 'encoded' // use
 );
 function submitReport($rmoVers, $url, $problem_type, $description, $behind_login, $platform, $oscpu, $gecko, $product, $useragent, $buildconfig, $language, $email, $sysid) {
- global $config;
+ global $config;
+
+ // Remove any HTML tags and whitespace
+ $rmoVers = trim(strip_all_tags($rmoVers));
+ $url = trim(strip_all_tags($url));
+ $problem_type = trim(strip_all_tags($problem_type));
+ $description = trim(strip_all_tags($description));
+ $behind_login = trim(strip_all_tags($behind_login));
+ $platform = trim(strip_all_tags($platform));
+ $oscpu = trim(strip_all_tags($oscpu));
+ $gecko = trim(strip_all_tags($gecko));
+ $product = trim(strip_all_tags($product));
+ $useragent = trim(strip_all_tags($useragent));
+ $buildconfig = trim(strip_all_tags($buildconfig));
+ $language = trim(strip_all_tags($language));
+ $email = trim(strip_all_tags($email));
+ $sysid = trim(strip_all_tags($sysid));
 // check verison
 if ($rmoVers < $config['min_vers']){
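Review bot: The fourteen `trim(strip_all_tags(...))` lines sanitise every field identically, which is both too much and too little: `description` and `url` lose any literal `<...>` text (if this is the web-compatibility reporter the field names suggest, a report about a broken `<select>` arrives with the tag gone, and a URL containing `<` is truncated), while the fields that steer logic — `problem_type`, `behind_login`, `rmoVers`, `email` — get no check that they hold a value the service expects. Tag stripping is also not what protects the SQL further down; that is the `$db->escapeSimple()` wrapping in the later hunks, which must stay regardless of this filter. Validate per field instead: keep `trim()` everywhere, compare the version with `if (version_compare($rmoVers, $config['min_vers'], '<')) {` rather than the bare `<` on the line after the added block (if `rmoVers` is a dotted version string, `<` compares numeric-looking values such as `0.10` and `0.9` as floats), restrict `problem_type` and `behind_login` to whatever set of values the service accepts (not visible in this hunk), and store `description` and `url` unmodified so they can be encoded for HTML at render time. submitReport continues past the end of this hunk.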
@@ -130,7 +147,6 @@ function submitReport($rmoVers, $url, $problem_type, $description, $behind_login
 $report_id = 'RMO'.str_replace(".", "", array_sum(explode(' ', microtime())));
 // Initialize Database
- //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleErrorsSOAP');
 $db =& DB::connect($config['db_dsn']);
 $sysIDQuery = $db->query("SELECT `sysid_id` FROM `sysid` WHERE `sysid_id` = '".$db->escapeSimple($sysid)."'");
@@ -147,8 +163,8 @@ function submitReport($rmoVers, $url, $problem_type, $description, $behind_login
 // We add the URL
 $addURL = $db->query("INSERT INTO `host` (`host_id`, `host_hostname`, `host_date_added`)
 VALUES (
- '".$db->escapeSimple($host_id)."',
- '".$db->escapeSimple($parsedURL['host'])."',
+ '".$db->escapeSimple($host_id)."',
+ '".$db->escapeSimple($parsedURL['host'])."',
 now()
 )
 ");
@@ -165,13 +181,13 @@ function submitReport($rmoVers, $url, $problem_type, $description, $behind_login
 }
 $addReport = $db->query("INSERT INTO `report` (
- `report_id`,
- `report_url`,
- `report_host_id`,
- `report_problem_type`,
- `report_description`,
- `report_behind_login`,
- `report_useragent`,
+ `report_id`,
+ `report_url`,
+ `report_host_id`,
+ `report_problem_type`,
+ `report_description`,
+ `report_behind_login`,
+ `report_useragent`,
 `report_platform`,
 `report_oscpu`,
 `report_language`,
@@ -184,7 +200,7 @@ function submitReport($rmoVers, $url, $problem_type, $description, $behind_login
 `report_sysid`
 )
 VALUES (
- '".$db->escapeSimple($report_id)."',
+ '".$db->escapeSimple($report_id)."',
 '".$db->escapeSimple($url)."',
 '".$db->escapeSimple($host_id)."',
 '".$db->escapeSimple($problem_type)."',