From 6aab8111069f2a5dc37af6a819e3e1b3c7794e48 Mon Sep 17 00:00:00 2001
From: Harris Wong <hwong@ocad.ca>
Date: Fri, 23 Sep 2011 20:37:13 +0000
Subject: [PATCH] AC-4804: Security fixes for XSS, possible sql injection on
 multiple scripts within acontent.

---
 docs/documentation/search.php                      |  4 ++--
 docs/home/search.php                               |  2 +-
 docs/include/classes/DAO/UsersDAO.class.php        |  2 ++
 docs/themes/default/course_category/index.tmpl.php |  2 +-
 .../default/language/language_add_edit.tmpl.php    | 14 +++++++-------
 docs/themes/default/login.tmpl.php                 |  4 ++--
 .../default/user/user_group_create_edit.tmpl.php   |  6 +++---
 docs/updater/patch_edit.php                        |  2 +-
 docs/user/user_create_edit.php                     |  1 +
 9 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/docs/documentation/search.php b/docs/documentation/search.php
index 5d58a32..8611a31 100644
--- a/docs/documentation/search.php
+++ b/docs/documentation/search.php
@@ -55,7 +55,7 @@ if ($_GET['query']) {
 		$final_match_rows = array();
 		foreach ($search_terms as $term)
 		{
-			$match_rows = $languageTextDAO->getHelpByMatchingText($term, $_SESSION['lang']);
+			$match_rows = $languageTextDAO->getHelpByMatchingText($addslashes($term), $_SESSION['lang']);
 
 			if (is_array($match_rows)) $final_match_rows = array_merge($final_match_rows, $match_rows);
 		}
@@ -120,4 +120,4 @@ if ($_GET['query']) {
 }
 ?>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/docs/home/search.php b/docs/home/search.php
index 4e50f6a..22bb69c 100644
--- a/docs/home/search.php
+++ b/docs/home/search.php
@@ -32,7 +32,7 @@ $courseCategoriesDAO = new CourseCategoriesDAO();
 
 //$my_courses = array();
 $search_text = trim($_GET['search_text']);
-$courses = $coursesDAO->getSearchResult($search_text, $_GET['catid']);
+$courses = $coursesDAO->getSearchResult($addslashes($search_text), $_GET['catid']);
 
 // handle submits
 if (isset($_GET['action'], $_GET['cid']) && $_SESSION['user_id'] > 0)
diff --git a/docs/include/classes/DAO/UsersDAO.class.php b/docs/include/classes/DAO/UsersDAO.class.php
index 859e7ca..f646ec0 100644
--- a/docs/include/classes/DAO/UsersDAO.class.php
+++ b/docs/include/classes/DAO/UsersDAO.class.php
@@ -296,6 +296,7 @@ class UsersDAO extends DAO {
 	 */
 	public function getUserByID($userID)
 	{
+	    $userID = intval($userID);
 		$sql = 'SELECT * FROM '.TABLE_PREFIX.'users WHERE user_id='.$userID;
 		if ($rows = $this->execute($sql))
 		{
@@ -313,6 +314,7 @@ class UsersDAO extends DAO {
 	 */
 	public function getUserByWebServiceID($webServiceID)
 	{
+	    $webServiceID = intval($webServiceID);
 		$sql = "SELECT * FROM ".TABLE_PREFIX."users WHERE web_service_id='".$webServiceID."'";
 		if ($rows = $this->execute($sql))
 		{
diff --git a/docs/themes/default/course_category/index.tmpl.php b/docs/themes/default/course_category/index.tmpl.php
index a65e4fc..ba4b5a5 100644
--- a/docs/themes/default/course_category/index.tmpl.php
+++ b/docs/themes/default/course_category/index.tmpl.php
@@ -17,7 +17,7 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 ?>
 
 <div class="input-form">
-  <form name="add_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" >
+  <form name="add_form" method="post" action="<?php echo AT_print($_SERVER['PHP_SELF'], 'input.form'); ?>" >
   <fieldset class="group_form"><legend class="group_form"><?php echo _AT("add_course_category"); ?></legend>
     <table class="form-data" align="left">
     <tr align="left">
diff --git a/docs/themes/default/language/language_add_edit.tmpl.php b/docs/themes/default/language/language_add_edit.tmpl.php
index 2ac2d52..b66f1c0 100644
--- a/docs/themes/default/language/language_add_edit.tmpl.php
+++ b/docs/themes/default/language/language_add_edit.tmpl.php
@@ -16,7 +16,7 @@ $onload = "initial();";
 include(TR_INCLUDE_PATH.'header.inc.php');
 ?>
 
-<form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >
+<form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.intval($_GET["id"]); ?>" >
 <?php if (isset($this->row["language_code"])) {?>
 <input type="hidden" name="language_code" value="<?php echo $this->row["language_code"]; ?>" />
 <input type="hidden" name="charset" value="<?php echo $this->row["charset"]; ?>" />
@@ -41,7 +41,7 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 	foreach ($this->rows_lang as $row_lang)
 	{
 ?>
-				<option value="<?php echo $row_lang['code_3letters']; ?>" <?php if ((isset($_POST["lang_code"]) && $_REQUEST["lang_code"] == $row_lang['code_3letters']) || (!isset($_REQUEST["lang_code"]) && $this->row["lang_code"] == $row_lang['code_3letters'])) echo 'selected="selected"'; ?>><?php echo $row_lang["description"]. ' - '. $row_lang['code_3letters']; ?></option>
+				<option value="<?php echo $row_lang['code_3letters']; ?>" <?php if ((isset($_POST["lang_code"]) && $_POST["lang_code"] == $row_lang['code_3letters']) || (!isset($_REQUEST["lang_code"]) && $this->row["lang_code"] == $row_lang['code_3letters'])) echo 'selected="selected"'; ?>><?php echo $row_lang["description"]. ' - '. $row_lang['code_3letters']; ?></option>
 <?php
 	}
 ?>
@@ -54,7 +54,7 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 			<th><label for="lang_code">&nbsp;&nbsp;&nbsp;<?php echo _AT('lang_code'); ?></label></th>
 			<td>
 <?php if (isset($this->row['language_code'])) echo $this->row['language_code']; else {?>
-				<input id="lang_code" name="lang_code" type="text" size="2" maxlength="2" value="<?php if (isset($_POST['lang_code'])) echo $_POST['lang_code']; else echo $this->row['language_code']; ?>" />
+				<input id="lang_code" name="lang_code" type="text" size="2" maxlength="2" value="<?php if (isset($_POST['lang_code'])) echo AT_print($_POST['lang_code'], 'input.text'); else echo AT_print($this->row['language_code'], 'input.text'); ?>" />
 <?php }?>
 			</td>
 		</tr>
@@ -63,7 +63,7 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 			<th><label for="locale">&nbsp;&nbsp;&nbsp;<?php echo _AT('locale'); ?></label></th>
 			<td>
 <?php if (isset($this->row['language_code'])) if ($this->row['locale'] == '') echo _AT('na'); else echo $this->row['locale']; else {?>
-				<input id="locale" name="locale" type="text" size="2" maxlength="2" value="<?php if (isset($_POST['locale'])) echo $_POST['locale']; else echo $this->row['locale']; ?>" />
+				<input id="locale" name="locale" type="text" size="2" maxlength="2" value="<?php if (isset($_POST['locale'])) echo AT_print($_POST['locale'], 'input.text'); else echo AT_print($this->row['locale'], 'input.text'); ?>" />
 <?php }?>
 			</td>
 		</tr>
@@ -73,7 +73,7 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 			<label for="charset"><?php echo _AT('charset'); ?></label></th>
 			<td>
 <?php if (isset($this->row['language_code'])) echo $this->row['charset']; else {?>
-				<input type="text" name="charset" id="charset" value="<?php if (isset($_POST['charset'])) echo $_POST['charset']; else if (isset($this->row["charset"])) echo $this->row["charset"]; else echo DEFAULT_CHARSET; ?>" />
+				<input type="text" name="charset" id="charset" value="<?php if (isset($_POST['charset'])) echo $_POST['charset']; else if (isset($this->row["charset"])) echo AT_print($this->row["charset"], 'input.text'); else echo DEFAULT_CHARSET; ?>" />
 <?php }?>
 			</td>
 		</tr>
@@ -81,13 +81,13 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 		<tr align="left">
 			<th><span class="required" title="<?php echo _AT('required_field'); ?>">*</span>
 			<label for="native_name"><?php echo _AT('name_in_language'); ?></label></th>
-			<td><input type="text" name="native_name" id="native_name" value="<?php if (isset($_POST['native_name'])) echo $_POST['native_name']; else echo $this->row["native_name"]; ?>" /></td>
+			<td><input type="text" name="native_name" id="native_name" value="<?php if (isset($_POST['native_name'])) echo $_POST['native_name']; else echo AT_print($this->row["native_name"], 'input.text'); ?>" /></td>
 		</tr>
 
 		<tr align="left">
 			<th><span class="required" title="<?php echo _AT('required_field'); ?>">*</span>
 			<label for="english_name"><?php echo _AT('name_in_english'); ?></label></th>
-			<td><input type="text" name="english_name" id="english_name" value="<?php if (isset($_POST['english_name'])) echo $_POST['english_name']; else echo $this->row["english_name"]; ?>" /></td>
+			<td><input type="text" name="english_name" id="english_name" value="<?php if (isset($_POST['english_name'])) echo $_POST['english_name']; else echo AT_print($this->row["english_name"], 'input.text'); ?>" /></td>
 		</tr>
 
 		<tr align="left">
diff --git a/docs/themes/default/login.tmpl.php b/docs/themes/default/login.tmpl.php
index a17182d..9f369bd 100644
--- a/docs/themes/default/login.tmpl.php
+++ b/docs/themes/default/login.tmpl.php
@@ -31,10 +31,10 @@ function encrypt_password() {
 
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="form">
 <?php if (isset($_REQUEST['oauth_token'])) {?>
-<input type="hidden" name="oauth_token" value="<?php echo $_REQUEST['oauth_token']; ?>" />
+<input type="hidden" name="oauth_token" value="<?php echo AT_print($_REQUEST['oauth_token'], 'input.hidden'); ?>" />
 <?php }?>
 <?php if (isset($_REQUEST['oauth_callback'])) {?>
-<input type="hidden" name="oauth_callback" value="<?php echo $_REQUEST['oauth_callback']; ?>" />
+<input type="hidden" name="oauth_callback" value="<?php echo AT_print($_REQUEST['oauth_callback'], 'input.hidden'); ?>" />
 <?php }?>
 <input type="hidden" name="form_password_hidden" value="" />
 	<div class="input-form">
diff --git a/docs/themes/default/user/user_group_create_edit.tmpl.php b/docs/themes/default/user/user_group_create_edit.tmpl.php
index 006e8ed..1093703 100644
--- a/docs/themes/default/user/user_group_create_edit.tmpl.php
+++ b/docs/themes/default/user/user_group_create_edit.tmpl.php
@@ -16,7 +16,7 @@ $onload = "initial();";
 include(TR_INCLUDE_PATH.'header.inc.php');
 ?>
 
-<form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.$_GET["id"]; ?>" >
+<form name="input_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?><?php if (isset($_GET["id"])) echo '?id='.intval($_GET["id"]); ?>" >
 <?php if (isset($this->user_group_row["user_group_id"])) {?>
 <input type="hidden" name="user_group_id" value="<?php echo $this->user_group_row["user_group_id"]; ?>" />
 <?php }?>
@@ -31,12 +31,12 @@ include(TR_INCLUDE_PATH.'header.inc.php');
 
 		<tr>
 			<th align="left"><span class="required" title="<?php echo _AT('required_field'); ?>">*</span><label for="title"><?php echo _AT('title'); ?></label></th>
-			<td><input type="text" name="title" size="100" id="title" value="<?php if (isset($_POST['title'])) echo $_POST['title']; else echo $this->user_group_row["title"]; ?>" /></td>
+			<td><input type="text" name="title" size="100" id="title" value="<?php if (isset($_POST['title'])) echo AT_print($_POST['title'], 'input.text'); else echo AT_print($this->user_group_row["title"], 'input.text'); ?>" /></td>
 		</tr>
 
 		<tr>
 			<th align="left"><label for="description"><?php echo _AT('description'); ?></label></th>
-			<td><textarea rows="3" cols="30" name="description" id="description"><?php if (isset($_POST['description'])) echo $_POST['description']; else echo $this->user_group_row["description"]; ?></textarea></td>
+			<td><textarea rows="3" cols="30" name="description" id="description"><?php if (isset($_POST['description'])) echo AT_print($_POST['description'], 'input.text'); else echo AT_print($this->user_group_row["description"], 'input.text'); ?></textarea></td>
 		</tr>
 
 		<?php if (isset($this->user_group_row['user_group_id'])) {?>
diff --git a/docs/updater/patch_edit.php b/docs/updater/patch_edit.php
index 949eae4..acfc6ec 100644
--- a/docs/updater/patch_edit.php
+++ b/docs/updater/patch_edit.php
@@ -22,7 +22,7 @@ if (!isset($_REQUEST["myown_patch_id"]))
 	exit;
 }
 
-$myown_patch_id = $_REQUEST["myown_patch_id"];
+$myown_patch_id = intval($_REQUEST["myown_patch_id"]);
 
 $myownPatchesDAO = new MyownPatchesDAO();
 $myownPatchesDependentDAO = new MyownPatchesDependentDAO();
diff --git a/docs/user/user_create_edit.php b/docs/user/user_create_edit.php
index f57de56..16e607d 100644
--- a/docs/user/user_create_edit.php
+++ b/docs/user/user_create_edit.php
@@ -16,6 +16,7 @@ include_once(TR_INCLUDE_PATH.'classes/DAO/UsersDAO.class.php');
 include_once(TR_INCLUDE_PATH.'classes/DAO/UserGroupsDAO.class.php');
 
 // handle submit
+$_GET['id'] = intval($_GET['id']);
 if (isset($_POST['cancel'])) {
 	header('Location: index.php');
 	exit;
-- 
2.17.1


	row['language_code'])) echo $this->row['language_code']; else {?> - +
	row['language_code'])) if ($this->row['locale'] == '') echo _AT('na'); else echo $this->row['locale']; else {?> - +
row['language_code'])) echo $this->row['charset']; else {?> - row["charset"]; else echo DEFAULT_CHARSET; ?>" /> + row["charset"], 'input.text'); else echo DEFAULT_CHARSET; ?>" />
*	" />	" />
*	" />	" />
*	" />	" />
	<?php if (isset($_POST['description'])) echo $_POST['description']; else echo $this->user_group_row["description"]; ?>	<?php if (isset($_POST['description'])) echo AT_print($_POST['description'], 'input.text'); else echo AT_print($this->user_group_row["description"], 'input.text'); ?>