From 106f7893326e5f09cb2bbeb3c412257233fda1a6 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Tue, 25 Aug 2015 12:08:38 +0200
Subject: [PATCH] Fixed issue #9840: XSS possible where token variables are used

---
 application/models/Token.php | 37 +++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/application/models/Token.php b/application/models/Token.php
index 64cde8d6e0e..373911b116b 100644
--- a/application/models/Token.php
+++ b/application/models/Token.php
@@ -52,13 +52,9 @@ public function attributeLabels() {
 'validfrom' => gT('Valid from'),
 'validuntil' => gT('Valid until'),
 );
- // Check if we have custom attributes.
- if ($this->hasAttribute('attribute_1'))
+ foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
 {
- foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
- {
- $labels[$key] = $info['description'];
- }
+ $labels[$key] = $info['description'];
 }
 return $labels;
 }
@@ -109,7 +105,7 @@ public static function createTable($surveyId, array $extraFields = [])
 foreach ($extraFields as $extraField) {
 $fields[$extraField] = 'text';
 }
-
+
 // create fields for the custom token attributes associated with this survey
 $tokenattributefieldnames = Survey::model()->findByPk($surveyId)->tokenAttributes;
 foreach($tokenattributefieldnames as $attrname=>$attrdetails)
@@ -118,7 +114,7 @@ public static function createTable($surveyId, array $extraFields = [])
 $fields[$attrname] = 'string(255)';
 }
 }
-
+
 $db = \Yii::app()->db;
 $sTableName = self::constructTableName($surveyId);
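Review bot: The rewritten loop in attributeLabels() reads `$this->survey->attributedescriptions` unconditionally, whereas the old `hasAttribute('attribute_1')` guard only touched the relation when custom attributes existed; generateTokens() in this same file guards the relation with `isset($this->survey)`, so a Token whose survey relation is not loaded would now raise a notice here and hand null to decodeTokenAttributes(). A guard in the same spirit, `$aDescriptions = isset($this->survey) ? decodeTokenAttributes($this->survey->attributedescriptions) : array();`, keeps the method usable for such instances. The same unguarded expression is introduced in the rules() hunk (@@ -294), which applies there as well. The `$info['description']` read also assumes every decoded entry carries that key; presumably decodeTokenAttributes() guarantees it, which is worth confirming since the guard that used to skip the decode is gone.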
@@ -130,10 +126,10 @@ public static function createTable($surveyId, array $extraFields = [])
 * - MSSQL
 *
 */
- $db->createCommand()->createIndex("token_unique", $sTableName,'token');
+ $db->createCommand()->createIndex("idx_token_token_{$surveyId}_".rand(1,50000), $sTableName,'token');
 // Refresh schema cache just in case the table existed in the past, and return if table exist
- return $db->schema->getTable($sTableName, true);
+ return $db->schema->getTable($sTableName, true);
 }
 public function findByToken($token) {
@@ -161,7 +157,7 @@ public function generateToken()
 }
 }
 }
-
+
 /**
 * Generates a token for all token objects in this survey.
 * Syntax: Token::model(12345)->generateTokens();
@@ -177,14 +173,14 @@ public function generateTokens()
 {
 $surveyId = $this->dynamicId;
 $tokenLength = isset($this->survey) && is_numeric($this->survey->tokenlength) ? $this->survey->tokenlength : 15;
-
+
 $tkresult = Yii::app()->db->createCommand("SELECT tid FROM {{tokens_{$surveyId}}} WHERE token IS NULL OR token=''")->queryAll();
 //Exit early if there are not empty tokens
 if (count($tkresult)===0) return array(0,0);
 //get token length from survey settings
 $tlrow = Survey::model()->findByAttributes(array("sid"=>$surveyId));
-
+
 //Add some criteria to select only the token field
 $criteria = $this->getDbCriteria();
 $criteria->select = 'token';
@@ -239,7 +235,7 @@ public static function model($className = null) {
 }
 /**
- *
+ *
 * @param int $surveyId
 * @param string $scenario
 * @return Token Description
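Review bot: The index name `"idx_token_token_{$surveyId}_".rand(1,50000)` is non-deterministic, so no later code (drop, rename, migration) can reconstruct it from the survey id, and rand() gives no uniqueness guarantee, so a recreated table can still collide with a leftover index of the same name on backends where index names share a global namespace. If the random suffix exists to sidestep a stale `token_unique` index from a previously dropped table, that intent belongs next to the call, e.g. `// Random suffix: a fixed per-survey index name may still exist from an earlier token table on some DBMS`. A deterministic name derived from `$sTableName`, with the already-exists case handled explicitly, would make the schema reproducible; whether that was rejected for a reason is not visible in this hunk.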
@@ -278,10 +274,12 @@ protected function getResponseCount() {
 }
 public function rules()
 {
- return [
+ $aRules= array(
 array('token', 'unique', 'allowEmpty' => true),
+ array('firstname','LSYii_Validators'),
+ array('lastname','LSYii_Validators'),
 array(implode(',', $this->tableSchema->columnNames), 'safe'),
- array('remindercount','numerical', 'integerOnly'=>true,'allowEmpty'=>true),
+ array('remindercount','numerical', 'integerOnly'=>true,'allowEmpty'=>true),
 array('email','filter','filter'=>'trim'),
 array('email','LSYii_EmailIDNAValidator', 'allowEmpty'=>true, 'allowMultiple'=>true,'except'=>'allowinvalidemail'),
 array('usesleft','numerical', 'integerOnly'=>true,'allowEmpty'=>true),
@@ -294,7 +292,12 @@ public function rules()
 [['lastname', 'firstname'], 'safe', 'on' => 'register'],
 ['captcha', 'captcha', 'on' => 'register'],
- ];
+ );
+ foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info)
+ {
+ $aRules[]=array($key,'LSYii_Validators');
+ }
+ return $aRules;
 }
 public function scopes()
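Review bot: The `array(implode(',', $this->tableSchema->columnNames), 'safe')` rule still marks every token-table column mass-assignable, so the new LSYii_Validators rules cover only firstname, lastname and the keys listed in attributedescriptions; any other text column in the table that has no validator rule of its own (the rule list between the two hunks is not visible here) is still assigned unfiltered. If that is intended because those columns are only set from trusted code, a one-line comment on the safe rule saying so would stop the next reader from assuming the validator rules are exhaustive. Separately, `$aRules= array(` reintroduces long array syntax into a method that still builds the register rules with `[...]`; `$aRules = [` with a closing `];` keeps one style.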
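Review bot: `$info` is unused in the loop added after the rule array, so iterating the keys states the intent more plainly: `foreach (array_keys(decodeTokenAttributes($this->survey->attributedescriptions)) as $key)`. Because rules() runs on every validate(), the attributedescriptions value is decoded on each call; the same decode now appears in the attributeLabels() hunk (@@ -52), so a private accessor that decodes once and is shared by both call sites would remove the duplication. If a key in attributedescriptions has no matching column in the token table, the rule is still attached to it; whether LSYii_Validators tolerates an attribute the record does not have is not visible here and worth confirming.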