Fixed issue #9840: XSS possible where token variables are used

LimeSurvey · Aug 25, 2015 · 106f789 · SamMousa · Aug 26, 2015 · 106f789
1 parent 8fc56ca
commit 106f789
Showing 1 changed file with 20 additions and 17 deletions.
diff --git a/application/models/Token.php b/application/models/Token.php
@@ -52,13 +52,9 @@ public function attributeLabels() {
                 'validfrom' => gT('Valid from'),
                 'validuntil' => gT('Valid until'),
             );
-            // Check if we have custom attributes.
-			if ($this->hasAttribute('attribute_1'))
+			foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
             {
-				foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
-                {
-                    $labels[$key] = $info['description'];
-                }
+                $labels[$key] = $info['description'];
             }
             return $labels;
         }
@@ -109,7 +105,7 @@ public static function createTable($surveyId, array $extraFields = [])
             foreach ($extraFields as $extraField) {
                 $fields[$extraField] = 'text';
             }
-            
+
             // create fields for the custom token attributes associated with this survey
             $tokenattributefieldnames = Survey::model()->findByPk($surveyId)->tokenAttributes;
             foreach($tokenattributefieldnames as $attrname=>$attrdetails)
@@ -118,7 +114,7 @@ public static function createTable($surveyId, array $extraFields = [])
                     $fields[$attrname] = 'string(255)';
                 }
             }
-            
+
             $db = \Yii::app()->db;
             $sTableName = self::constructTableName($surveyId);
 
@@ -130,10 +126,10 @@ public static function createTable($surveyId, array $extraFields = [])
              * - MSSQL
              *
              */
-            $db->createCommand()->createIndex("token_unique",  $sTableName,'token');
+            $db->createCommand()->createIndex("idx_token_token_{$surveyId}_".rand(1,50000),  $sTableName,'token');
 
             // Refresh schema cache just in case the table existed in the past, and return if table exist
-            return $db->schema->getTable($sTableName, true); 
+            return $db->schema->getTable($sTableName, true);
         }
         public function findByToken($token)
         {
@@ -161,7 +157,7 @@ public function generateToken()
                 }
             }
         }
-        
+
         /**
          * Generates a token for all token objects in this survey.
          * Syntax: Token::model(12345)->generateTokens();
@@ -177,14 +173,14 @@ public function generateTokens() {
 
             $surveyId = $this->dynamicId;
             $tokenLength = isset($this->survey) && is_numeric($this->survey->tokenlength) ? $this->survey->tokenlength : 15;
-            
+
             $tkresult = Yii::app()->db->createCommand("SELECT tid FROM {{tokens_{$surveyId}}} WHERE token IS NULL OR token=''")->queryAll();
             //Exit early if there are not empty tokens
             if (count($tkresult)===0) return array(0,0);
 
             //get token length from survey settings
             $tlrow = Survey::model()->findByAttributes(array("sid"=>$surveyId));
-            
+
             //Add some criteria to select only the token field
             $criteria = $this->getDbCriteria();
             $criteria->select = 'token';
@@ -239,7 +235,7 @@ public static function model($className = null) {
         }
 
         /**
-         * 
+         *
          * @param int $surveyId
          * @param string $scenario
          * @return Token Description
@@ -278,10 +274,12 @@ protected function getResponseCount() {
         }
         public function rules()
         {
-            return [
+            $aRules= array(
                 array('token', 'unique', 'allowEmpty' => true),
+                array('firstname','LSYii_Validators'),
+                array('lastname','LSYii_Validators'),
                 array(implode(',', $this->tableSchema->columnNames), 'safe'),
-                array('remindercount','numerical', 'integerOnly'=>true,'allowEmpty'=>true), 
+                array('remindercount','numerical', 'integerOnly'=>true,'allowEmpty'=>true),
                 array('email','filter','filter'=>'trim'),
                 array('email','LSYii_EmailIDNAValidator', 'allowEmpty'=>true, 'allowMultiple'=>true,'except'=>'allowinvalidemail'),
                 array('usesleft','numerical', 'integerOnly'=>true,'allowEmpty'=>true),
@@ -294,7 +292,12 @@ public function rules()
                 [['lastname', 'firstname'], 'safe', 'on' => 'register'],
                 ['captcha', 'captcha', 'on' => 'register'],
 
-            ];
+            );
+            foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
+            {
+                 $aRules[]=array($key,'LSYii_Validators');
+            }
+            return $aRules;
         }
 
         public function scopes()