Skip to content
Snippets Groups Projects
Commit 64273335 authored by Andreas Gohr's avatar Andreas Gohr
Browse files

more $INPUT use FS#2577

parent c51e9570
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
inc/auth.php
+ 19
25
View file @ 64273335
......@@ -733,68 +733,62 @@ function register() {
global $conf;
/* @var auth_basic $auth */
global $auth;
global $INPUT;
if(!$_POST['save']) return false;
if(!$INPUT->post->bool('save')) return false;
if(!actionOK('register')) return false;
//clean username
$_POST['login'] = trim($auth->cleanUser($_POST['login']));
//clean fullname and email
$_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname']));
$_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email']));
// gather input
$login = trim($auth->cleanUser($INPUT->post->str('login')));
$fullname = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('fullname')));
$email = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('email')));
$pass = $INPUT->post->str('pass');
$passchk = $INPUT->post->str('passchk');
if(empty($_POST['login']) ||
empty($_POST['fullname']) ||
empty($_POST['email'])
) {
if(empty($login) || empty($fullname) || empty($email)) {
msg($lang['regmissing'], -1);
return false;
}
if($conf['autopasswd']) {
$pass = auth_pwgen(); // automatically generate password
} elseif(empty($_POST['pass']) ||
empty($_POST['passchk'])
) {
} elseif(empty($pass) || empty($passchk)) {
msg($lang['regmissing'], -1); // complain about missing passwords
return false;
} elseif($_POST['pass'] != $_POST['passchk']) {
} elseif($pass != $passchk) {
msg($lang['regbadpass'], -1); // complain about misspelled passwords
return false;
} else {
$pass = $_POST['pass']; // accept checked and valid password
}
//check mail
if(!mail_isvalid($_POST['email'])) {
if(!mail_isvalid($email)) {
msg($lang['regbadmail'], -1);
return false;
}
//okay try to create the user
if(!$auth->triggerUserMod('create', array($_POST['login'], $pass, $_POST['fullname'], $_POST['email']))) {
if(!$auth->triggerUserMod('create', array($login, $pass, $fullname, $email))) {
msg($lang['reguexists'], -1);
return false;
}
// create substitutions for use in notification email
$substitutions = array(
'NEWUSER' => $_POST['login'],
'NEWNAME' => $_POST['fullname'],
'NEWEMAIL' => $_POST['email'],
'NEWUSER' => $login,
'NEWNAME' => $fullname,
'NEWEMAIL' => $email,
);
if(!$conf['autopasswd']) {
msg($lang['regsuccess2'], 1);
notify('', 'register', '', $_POST['login'], false, $substitutions);
notify('', 'register', '', $login, false, $substitutions);
return true;
}
// autogenerated password? then send him the password
if(auth_sendPassword($_POST['login'], $pass)) {
if(auth_sendPassword($login, $pass)) {
msg($lang['regsuccess'], 1);
notify('', 'register', '', $_POST['login'], false, $substitutions);
notify('', 'register', '', $login, false, $substitutions);
return true;
} else {
msg($lang['regmailfail'], -1);
......
lib/exe/ajax.php
+ 13
11
View file @ 64273335
......@@ -162,7 +162,8 @@ function ajax_lock(){
* @author Andreas Gohr <andi@splitbrain.org>
*/
function ajax_draftdel(){
$id = cleanID($_REQUEST['id']);
global $INPUT;
$id = cleanID($INPUT->str('id'));
if(empty($id)) return;
$client = $_SERVER['REMOTE_USER'];
......@@ -218,11 +219,11 @@ function ajax_medialist(){
* @author Kate Arzamastseva <pshns@ukr.net>
*/
function ajax_mediadetails(){
global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf;
global $DEL, $NS, $IMG, $AUTH, $JUMPTO, $REV, $lang, $fullscreen, $conf, $INPUT;
$fullscreen = true;
require_once(DOKU_INC.'lib/exe/mediamanager.php');
if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']);
if ($INPUT->has('image')) $image = cleanID($INPUT->str('image'));
if (isset($IMG)) $image = $IMG;
if (isset($JUMPTO)) $image = $JUMPTO;
if (isset($REV) && !$JUMPTO) $rev = $REV;
......@@ -237,25 +238,26 @@ function ajax_mediadetails(){
*/
function ajax_mediadiff(){
global $NS;
global $INPUT;
if ($_REQUEST['image']) $image = cleanID($_REQUEST['image']);
if ($INPUT->has('image')) $image = cleanID($INPUT->str('image'));
$NS = $_POST['ns'];
$auth = auth_quickaclcheck("$ns:*");
$auth = auth_quickaclcheck("$NS:*");
media_diff($image, $NS, $auth, true);
}
function ajax_mediaupload(){
global $NS, $MSG;
global $NS, $MSG, $INPUT;
if ($_FILES['qqfile']['tmp_name']) {
$id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']);
} elseif (isset($_GET['qqfile'])) {
$id = $_GET['qqfile'];
$id = $INPUT->post->str('mediaid', $_FILES['qqfile']['name']);
} elseif ($INPUT->get->has('qqfile')) {
$id = $INPUT->get->str('qqfile');
}
$id = cleanID($id);
$NS = $_REQUEST['ns'];
$NS = $INPUT->str('ns');
$ns = $NS.':'.getNS($id);
$AUTH = auth_quickaclcheck("$ns:*");
......@@ -264,7 +266,7 @@ function ajax_mediaupload(){
if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH);
if ($INPUT->get->has('qqfile')) $res = media_upload_xhr($NS, $AUTH);
if ($res) $result = array('success' => true,
'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'),
......
lib/plugins/acl/admin.php
+ 25
21
View file @ 64273335
......@@ -56,22 +56,23 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
global $ID;
global $auth;
global $config_cascade;
global $INPUT;
// fresh 1:1 copy without replacements
$AUTH_ACL = file($config_cascade['acl']['default']);
// namespace given?
if($_REQUEST['ns'] == '*'){
if($INPUT->str('ns') == '*'){
$this->ns = '*';
}else{
$this->ns = cleanID($_REQUEST['ns']);
$this->ns = cleanID($INPUT->str('ns'));
}
if ($_REQUEST['current_ns']) {
$this->current_item = array('id' => cleanID($_REQUEST['current_ns']), 'type' => 'd');
} elseif ($_REQUEST['current_id']) {
$this->current_item = array('id' => cleanID($_REQUEST['current_id']), 'type' => 'f');
if ($INPUT->str('current_ns')) {
$this->current_item = array('id' => cleanID($INPUT->str('current_ns')), 'type' => 'd');
} elseif ($INPUT->str('current_id')) {
$this->current_item = array('id' => cleanID($INPUT->str('current_id')), 'type' => 'f');
} elseif ($this->ns) {
$this->current_item = array('id' => $this->ns, 'type' => 'd');
} else {
......@@ -79,24 +80,25 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
}
// user or group choosen?
$who = trim($_REQUEST['acl_w']);
if($_REQUEST['acl_t'] == '__g__' && $who){
$who = trim($INPUT->str('acl_w'));
if($INPUT->str('acl_t') == '__g__' && $who){
$this->who = '@'.ltrim($auth->cleanGroup($who),'@');
}elseif($_REQUEST['acl_t'] == '__u__' && $who){
}elseif($INPUT->str('acl_t') == '__u__' && $who){
$this->who = ltrim($who,'@');
if($this->who != '%USER%' && $this->who != '%GROUP%'){ #keep wildcard as is
$this->who = $auth->cleanUser($this->who);
}
}elseif($_REQUEST['acl_t'] &&
$_REQUEST['acl_t'] != '__u__' &&
$_REQUEST['acl_t'] != '__g__'){
$this->who = $_REQUEST['acl_t'];
}elseif($INPUT->str('acl_t') &&
$INPUT->str('acl_t') != '__u__' &&
$INPUT->str('acl_t') != '__g__'){
$this->who = $INPUT->str('acl_t');
}elseif($who){
$this->who = $who;
}
// handle modifications
if(isset($_REQUEST['cmd']) && checkSecurityToken()){
if($INPUT->has('cmd') && checkSecurityToken()){
$cmd = $INPUT->extract('cmd')->str('cmd');
// scope for modifications
if($this->ns){
......@@ -109,19 +111,21 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
$scope = $ID;
}
if(isset($_REQUEST['cmd']['save']) && $scope && $this->who && isset($_REQUEST['acl'])){
if($cmd == 'save' && $scope && $this->who && $INPUT->has('acl')){
// handle additions or single modifications
$this->_acl_del($scope, $this->who);
$this->_acl_add($scope, $this->who, (int) $_REQUEST['acl']);
}elseif(isset($_REQUEST['cmd']['del']) && $scope && $this->who){
$this->_acl_add($scope, $this->who, $INPUT->int('acl'));
}elseif($cmd == 'del' && $scope && $this->who){
// handle single deletions
$this->_acl_del($scope, $this->who);
}elseif(isset($_REQUEST['cmd']['update'])){
}elseif($cmd == 'update'){
$acl = $INPUT->arr('acl');
// handle update of the whole file
foreach((array) $_REQUEST['del'] as $where => $names){
foreach($INPUT->arr('del') as $where => $names){
// remove all rules marked for deletion
foreach($names as $who)
unset($_REQUEST['acl'][$where][$who]);
unset($acl[$where][$who]);
}
// prepare lines
$lines = array();
......@@ -134,7 +138,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
}
}
// re-add all rules
foreach((array) $_REQUEST['acl'] as $where => $opt){
foreach($acl as $where => $opt){
foreach($opt as $who => $perm){
if ($who[0]=='@') {
if ($who!='@ALL') {
......
lib/plugins/acl/ajax.php
+ 7
4
View file @ 64273335
......@@ -11,6 +11,10 @@ require_once(DOKU_INC.'inc/init.php');
//close session
session_write_close();
global $conf;
global $ID;
global $INPUT;
//fix for Opera XMLHttpRequests
$postData = http_get_raw_post_data();
if(!count($_POST) && !empty($postData)){
......@@ -22,20 +26,19 @@ if(!checkSecurityToken()) die('CRSF Attack');
$ID = getID();
/** @var $acl admin_plugin_acl */
$acl = plugin_load('admin','acl');
$acl->handle();
$ajax = $_REQUEST['ajax'];
$ajax = $INPUT->str('ajax');
header('Content-Type: text/html; charset=utf-8');
if($ajax == 'info'){
$acl->_html_info();
}elseif($ajax == 'tree'){
global $conf;
global $ID;
$dir = $conf['datadir'];
$ns = $_REQUEST['ns'];
$ns = $INPUT->str('ns');
if($ns == '*'){
$ns ='';
}
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment