From 64273335d1bae12b2fe7d9664e1665d6e69d47af Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 24 Aug 2012 09:43:50 +0200
Subject: [PATCH] more $INPUT use FS#2577
---
inc/auth.php | 44 ++++++++++++++++---------------------
lib/exe/ajax.php | 24 ++++++++++----------
lib/plugins/acl/admin.php | 46 +++++++++++++++++++++------------------
lib/plugins/acl/ajax.php | 11 ++++++----
4 files changed, 64 insertions(+), 61 deletions(-)
diff --git a/inc/auth.php b/inc/auth.php
index cedfdee36..905cc14bf 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -733,68 +733,62 @@ function register() {
global $conf;
/* @var auth_basic $auth */
global $auth;
+ global $INPUT;
- if(!$_POST['save']) return false;
+ if(!$INPUT->post->bool('save')) return false;
if(!actionOK('register')) return false;
- //clean username
- $_POST['login'] = trim($auth->cleanUser($_POST['login']));
-
- //clean fullname and email
- $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname']));
- $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email']));
+ // gather input
+ $login = trim($auth->cleanUser($INPUT->post->str('login')));
+ $fullname = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('fullname')));
+ $email = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('email')));
+ $pass = $INPUT->post->str('pass');
+ $passchk = $INPUT->post->str('passchk');
- if(empty($_POST['login']) ||
- empty($_POST['fullname']) ||
- empty($_POST['email'])
- ) {
+ if(empty($login) || empty($fullname) || empty($email)) {
msg($lang['regmissing'], -1);
return false;
}
if($conf['autopasswd']) {
$pass = auth_pwgen(); // automatically generate password
- } elseif(empty($_POST['pass']) ||
- empty($_POST['passchk'])
- ) {
+ } elseif(empty($pass) || empty($passchk)) {
msg($lang['regmissing'], -1); // complain about missing passwords
return false;
- } elseif($_POST['pass'] != $_POST['passchk']) {
+ } elseif($pass != $passchk) {
msg($lang['regbadpass'], -1); // complain about misspelled passwords
return false;
- } else {
- $pass = $_POST['pass']; // accept checked and valid password
}
//check mail
- if(!mail_isvalid($_POST['email'])) {
+ if(!mail_isvalid($email)) {
msg($lang['regbadmail'], -1);
return false;
}
//okay try to create the user
- if(!$auth->triggerUserMod('create', array($_POST['login'], $pass, $_POST['fullname'], $_POST['email']))) {
+ if(!$auth->triggerUserMod('create', array($login, $pass, $fullname, $email))) {
msg($lang['reguexists'], -1);
return false;
}
// create substitutions for use in notification email
$substitutions = array(
- 'NEWUSER' => $_POST['login'],
- 'NEWNAME' => $_POST['fullname'],
- 'NEWEMAIL' => $_POST['email'],
+ 'NEWUSER' => $login,
+ 'NEWNAME' => $fullname,
+ 'NEWEMAIL' => $email,
);
if(!$conf['autopasswd']) {
msg($lang['regsuccess2'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ notify('', 'register', '', $login, false, $substitutions);
return true;
}
// autogenerated password? then send him the password
- if(auth_sendPassword($_POST['login'], $pass)) {
+ if(auth_sendPassword($login, $pass)) {
msg($lang['regsuccess'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ notify('', 'register', '', $login, false, $substitutions);
return true;
} else {
msg($lang['regmailfail'], -1);
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 945091f34..496b2f1a1 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -162,7 +162,8 @@ function ajax_lock(){
* @author Andreas Gohr <andi@splitbrain.org>
*/
function ajax_draftdel(){
- $id = cleanID($_REQUEST['id']);
+ global $INPUT;
+ $id = cleanID($INPUT->str('id'));
if(empty($id)) return;
$client = $_SERVER['REMOTE_USER'];
@@ -218,11 +219,11 @@ function ajax_medialist(){
* @author Kate Arzamastseva <pshns@ukr.net>
*/
function ajax_mediadetails(){
- global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf;
+ global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf, $INPUT;
$fullscreen = true;
require_once(DOKU_INC.'lib/exe/mediamanager.php');
- if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']);
+ if ($INPUT->has('image')) $image = cleanID($INPUT->str('image'));
if (isset($IMG)) $image = $IMG;
if (isset($JUMPTO)) $image = $JUMPTO;
if (isset($REV) && !$JUMPTO) $rev = $REV;
@@ -237,25 +238,26 @@ function ajax_mediadetails(){
*/
function ajax_mediadiff(){
global $NS;
+ global $INPUT;
- if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']);
+ if ($INPUT->has('image')) $image = cleanID($INPUT->str('image'));
$NS = $_POST['ns'];
- $auth = auth_quickaclcheck("$ns:*");
+ $auth = auth_quickaclcheck("$NS:*");
media_diff($image, $NS, $auth, true);
}
function ajax_mediaupload(){
- global $NS, $MSG;
+ global $NS, $MSG, $INPUT;
if ($_FILES['qqfile']['tmp_name']) {
- $id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']);
- } elseif (isset($_GET['qqfile'])) {
- $id = $_GET['qqfile'];
+ $id = $INPUT->post->str('mediaid', $_FILES['qqfile']['name']);
+ } elseif ($INPUT->get->has('qqfile')) {
+ $id = $INPUT->get->str('qqfile');
}
$id = cleanID($id);
- $NS = $_REQUEST['ns'];
+ $NS = $INPUT->str('ns');
$ns = $NS.':'.getNS($id);
$AUTH = auth_quickaclcheck("$ns:*");
@@ -264,7 +266,7 @@ function ajax_mediaupload(){
if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
- if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH);
+ if ($INPUT->get->has('qqfile')) $res = media_upload_xhr($NS, $AUTH);
if ($res) $result = array('success' => true,
'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'),
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index 64d6ff3ca..1197892f2 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -56,22 +56,23 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
global $ID;
global $auth;
global $config_cascade;
+ global $INPUT;
// fresh 1:1 copy without replacements
$AUTH_ACL = file($config_cascade['acl']['default']);
// namespace given?
- if($_REQUEST['ns'] == '*'){
+ if($INPUT->str('ns') == '*'){
$this->ns = '*';
}else{
- $this->ns = cleanID($_REQUEST['ns']);
+ $this->ns = cleanID($INPUT->str('ns'));
}
- if ($_REQUEST['current_ns']) {
- $this->current_item = array('id' => cleanID($_REQUEST['current_ns']), 'type' => 'd');
- } elseif ($_REQUEST['current_id']) {
- $this->current_item = array('id' => cleanID($_REQUEST['current_id']), 'type' => 'f');
+ if ($INPUT->str('current_ns')) {
+ $this->current_item = array('id' => cleanID($INPUT->str('current_ns')), 'type' => 'd');
+ } elseif ($INPUT->str('current_id')) {
+ $this->current_item = array('id' => cleanID($INPUT->str('current_id')), 'type' => 'f');
} elseif ($this->ns) {
$this->current_item = array('id' => $this->ns, 'type' => 'd');
} else {
@@ -79,24 +80,25 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
}
// user or group choosen?
- $who = trim($_REQUEST['acl_w']);
- if($_REQUEST['acl_t'] == '__g__' && $who){
+ $who = trim($INPUT->str('acl_w'));
+ if($INPUT->str('acl_t') == '__g__' && $who){
$this->who = '@'.ltrim($auth->cleanGroup($who),'@');
- }elseif($_REQUEST['acl_t'] == '__u__' && $who){
+ }elseif($INPUT->str('acl_t') == '__u__' && $who){
$this->who = ltrim($who,'@');
if($this->who != '%USER%' && $this->who != '%GROUP%'){ #keep wildcard as is
$this->who = $auth->cleanUser($this->who);
}
- }elseif($_REQUEST['acl_t'] &&
- $_REQUEST['acl_t'] != '__u__' &&
- $_REQUEST['acl_t'] != '__g__'){
- $this->who = $_REQUEST['acl_t'];
+ }elseif($INPUT->str('acl_t') &&
+ $INPUT->str('acl_t') != '__u__' &&
+ $INPUT->str('acl_t') != '__g__'){
+ $this->who = $INPUT->str('acl_t');
}elseif($who){
$this->who = $who;
}
// handle modifications
- if(isset($_REQUEST['cmd']) && checkSecurityToken()){
+ if($INPUT->has('cmd') && checkSecurityToken()){
+ $cmd = $INPUT->extract('cmd')->str('cmd');
// scope for modifications
if($this->ns){
@@ -109,19 +111,21 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
$scope = $ID;
}
- if(isset($_REQUEST['cmd']['save']) && $scope && $this->who && isset($_REQUEST['acl'])){
+ if($cmd == 'save' && $scope && $this->who && $INPUT->has('acl')){
// handle additions or single modifications
$this->_acl_del($scope, $this->who);
- $this->_acl_add($scope, $this->who, (int) $_REQUEST['acl']);
- }elseif(isset($_REQUEST['cmd']['del']) && $scope && $this->who){
+ $this->_acl_add($scope, $this->who, $INPUT->int('acl'));
+ }elseif($cmd == 'del' && $scope && $this->who){
// handle single deletions
$this->_acl_del($scope, $this->who);
- }elseif(isset($_REQUEST['cmd']['update'])){
+ }elseif($cmd == 'update'){
+ $acl = $INPUT->arr('acl');
+
// handle update of the whole file
- foreach((array) $_REQUEST['del'] as $where => $names){
+ foreach($INPUT->arr('del') as $where => $names){
// remove all rules marked for deletion
foreach($names as $who)
- unset($_REQUEST['acl'][$where][$who]);
+ unset($acl[$where][$who]);
}
// prepare lines
$lines = array();
@@ -134,7 +138,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
}
}
// re-add all rules
- foreach((array) $_REQUEST['acl'] as $where => $opt){
+ foreach($acl as $where => $opt){
foreach($opt as $who => $perm){
if ($who[0]=='@') {
if ($who!='@ALL') {
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index 3a5d89c08..10e18af97 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -11,6 +11,10 @@ require_once(DOKU_INC.'inc/init.php');
//close session
session_write_close();
+global $conf;
+global $ID;
+global $INPUT;
+
//fix for Opera XMLHttpRequests
$postData = http_get_raw_post_data();
if(!count($_POST) && !empty($postData)){
@@ -22,20 +26,19 @@ if(!checkSecurityToken()) die('CRSF Attack');
$ID = getID();
+/** @var $acl admin_plugin_acl */
$acl = plugin_load('admin','acl');
$acl->handle();
-$ajax = $_REQUEST['ajax'];
+$ajax = $INPUT->str('ajax');
header('Content-Type: text/html; charset=utf-8');
if($ajax == 'info'){
$acl->_html_info();
}elseif($ajax == 'tree'){
- global $conf;
- global $ID;
$dir = $conf['datadir'];
- $ns = $_REQUEST['ns'];
+ $ns = $INPUT->str('ns');
if($ns == '*'){
$ns ='';
}
--
GitLab