Merge branch 'master' into 192_dev

LimeSurvey · Sep 12, 2012 · 4b75d20 · 4b75d20
2 parents 0190c6b + 76cd751
commit 4b75d20
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 61 deletions.
diff --git a/admin/activate_functions.php b/admin/activate_functions.php
@@ -27,7 +27,7 @@ function fixNumbering($fixnumbering)
 
     LimeExpressionManager::RevertUpgradeConditionsToRelevance($surveyid);
     //Fix a question id - requires renumbering a question
-    $oldqid = $fixnumbering;
+    $oldqid = sanitize_int($fixnumbering);
     $query = "SELECT qid FROM {$dbprefix}questions ORDER BY qid DESC";
     $result = db_select_limit_assoc($query, 1) or safe_die($query."<br />".$connect->ErrorMsg());
     while ($row=$result->FetchRow()) {$lastqid=$row['qid'];}
@@ -149,7 +149,7 @@ function checkQuestions($postsid, $surveyid, $qtypes)
     }
 
     //NOW CHECK THAT ALL QUESTIONS HAVE A 'QUESTION TYPE' FIELD SET
-    $chkquery = "SELECT qid, question, gid FROM {$dbprefix}questions WHERE sid={$_GET['sid']} AND type = ''";
+    $chkquery = "SELECT qid, question, gid FROM {$dbprefix}questions WHERE sid={$surveyid} AND type = ''";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing types<br />$chkquery<br />".$connect->ErrorMsg());
     while ($chkrow = $chkresult->FetchRow())
     {
@@ -160,14 +160,14 @@ function checkQuestions($postsid, $surveyid, $qtypes)
 
 
     //ChECK THAT certain array question types have answers set
-    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=0)=0 and sid={$_GET['sid']} AND type IN ('F', 'H', 'W', 'Z', '1') and q.parent_qid=0";
+    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=0)=0 and sid={$surveyid} AND type IN ('F', 'H', 'W', 'Z', '1') and q.parent_qid=0";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing answers<br />$chkquery<br />".$connect->ErrorMsg());
     while($chkrow = $chkresult->FetchRow()){
         $failedcheck[]=array($chkrow['qid'], $chkrow['question'], ": ".$clang->gT("This question requires answers, but none are set."), $chkrow['gid']);
     } // while
 
     //CHECK THAT DUAL Array has answers set
-    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=1)=0 and sid={$_GET['sid']} AND type='1' and q.parent_qid=0";
+    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=1)=0 and sid={$surveyid} AND type='1' and q.parent_qid=0";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing 2nd answer set<br />$chkquery<br />".$connect->ErrorMsg());
     while($chkrow = $chkresult->FetchRow()){
         $failedcheck[]=array($chkrow['qid'], $chkrow['question'], ": ".$clang->gT("This question requires a second answer set but none is set."), $chkrow['gid']);
@@ -176,7 +176,7 @@ function checkQuestions($postsid, $surveyid, $qtypes)
 
     //CHECK THAT ALL CONDITIONS SET ARE FOR QUESTIONS THAT PRECEED THE QUESTION CONDITION
     //A: Make an array of all the qids in order of appearance
-    //	$qorderquery="SELECT * FROM {$dbprefix}questions, {$dbprefix}groups WHERE {$dbprefix}questions.gid={$dbprefix}groups.gid AND {$dbprefix}questions.sid={$_GET['sid']} ORDER BY {$dbprefix}groups.sortorder, {$dbprefix}questions.title";
+    //	$qorderquery="SELECT * FROM {$dbprefix}questions, {$dbprefix}groups WHERE {$dbprefix}questions.gid={$dbprefix}groups.gid AND {$dbprefix}questions.sid={$surveyid} ORDER BY {$dbprefix}groups.sortorder, {$dbprefix}questions.title";
     //	$qorderresult=$connect->Execute($qorderquery) or safe_die("Couldn't generate a list of questions in order<br />$qorderquery<br />".$connect->ErrorMsg());
     //	$qordercount=$qorderresult->RecordCount();
     //	$c=0;

diff --git a/admin/preview.php b/admin/preview.php
@@ -32,7 +32,7 @@
 {
     $language = GetBaseLanguageFromSurveyID($surveyid);
 } else {
-    $language = $_GET['lang'];
+    $language = sanitize_languagecode($_GET['lang']);
 }
 
 $_SESSION['s_lang'] = $language;
@@ -109,17 +109,17 @@ function fixnum_checkconditions(value, name, type, evt_type, intonly)
         $('#answer'+name).val(displayVal);
 
         if (typeof evt_type === 'undefined')
-        { 
-            evt_type = 'onchange'; 
-        }    
+        {
+            evt_type = 'onchange';
+        }
         checkconditions(newval, name, type, evt_type);
 	}
 
 	function checkconditions(value, name, type, evt_type)
 	{
-        if (typeof evt_type === 'undefined') 
-        { 
-            evt_type = 'onchange'; 
+        if (typeof evt_type === 'undefined')
+        {
+            evt_type = 'onchange';
         }
         if (type == 'radio' || type == 'select-one')
         {

diff --git a/admin/surveytable_functions.php b/admin/surveytable_functions.php
@@ -12,34 +12,34 @@ function surveyFixColumns($surveyid)
     global $dbprefix, $connect;
     // Check and fix duplicate column names
     surveyFixDuplicateColumns($surveyid);
-    
+
     // Get latest fieldmap
     $fieldmap=createFieldMap($surveyid);
-    
+
     // Find any fields that do not exist
     $fieldlist = array();
     foreach($fieldmap as $fielddata)
     {
         $fieldlist[]=$fielddata['fieldname'];
     }
-        
+
     $dict = NewDataDictionary($connect);
     $sqlfields = $dict->MetaColumns("{$dbprefix}survey_{$surveyid}");
     $sqllist = array();
     foreach ($sqlfields as $sqlfield)
     {
         $sqllist[]=$sqlfield->name;
     }
-    
+
     $missingFields = array_diff($fieldlist, $sqllist);
     $removedFields = array_diff($sqllist, $fieldlist);
-    
+
     die(print_r($missingFields).print_r($removedFields));
-    
+
     // Find any fields that have been removed
-    
+
     // Add fields that need to be added
-    
+
     // Remove fields that need to be removed
 }
 
@@ -144,7 +144,7 @@ function surveyFixQuestionNumbering($qid)
     //Now answers
     $query = "UPDATE {$dbprefix}answers SET qid=$newqid WHERE qid=$oldqid";
     $result = $connect->Execute($query) or safe_die($query."<br />".$connect->ErrorMsg());
-    
+
     LimeExpressionManager::UpgradeConditionsToRelevance(NULL,$qid);
 }
 
@@ -212,23 +212,23 @@ function surveyCheckStructure($surveyid)
     }
 
     //NOW CHECK THAT ALL QUESTIONS HAVE A 'QUESTION TYPE' FIELD SET
-    $chkquery = "SELECT qid, question, gid FROM {$dbprefix}questions WHERE sid={$_GET['sid']} AND type = ''";
+    $chkquery = "SELECT qid, question, gid FROM {$dbprefix}questions WHERE sid={$surveyid} AND type = ''";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing types<br />$chkquery<br />".$connect->ErrorMsg());
     while ($chkrow = $chkresult->FetchRow())
     {
         $failedcheck[]=array($chkrow['qid'], $chkrow['question'], ": ".$clang->gT("This question does not have a question 'type' set."), $chkrow['gid']);
     }
 
     //ChECK THAT certain array question types have answers set
-    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=0)=0 and sid={$_GET['sid']} AND type IN ('F', 'H', 'W', 'Z', '1')";
+    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=0)=0 and sid={$surveyid} AND type IN ('F', 'H', 'W', 'Z', '1')";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing answers<br />$chkquery<br />".$connect->ErrorMsg());
     while($chkrow = $chkresult->FetchRow())
     {
         $failedcheck[]=array($chkrow['qid'], $chkrow['question'], ": ".$clang->gT("This question requires answers, but none are set."), $chkrow['gid']);
     } // while
 
     //CHECK THAT DUAL Array has answers set
-    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=1)=0 and sid={$_GET['sid']} AND type='1'";
+    $chkquery = "SELECT q.qid, question, gid FROM {$dbprefix}questions as q WHERE (select count(*) from {$dbprefix}answers as a where a.qid=q.qid and scale_id=1)=0 and sid={$surveyid} AND type='1'";
     $chkresult = db_execute_assoc($chkquery) or safe_die ("Couldn't check questions for missing 2nd answer set<br />$chkquery<br />".$connect->ErrorMsg());
     while($chkrow = $chkresult->FetchRow())
     {
@@ -237,7 +237,7 @@ function surveyCheckStructure($surveyid)
 
     //CHECK THAT ALL CONDITIONS SET ARE FOR QUESTIONS THAT PRECEED THE QUESTION CONDITION
     //A: Make an array of all the qids in order of appearance
-    //	$qorderquery="SELECT * FROM {$dbprefix}questions, {$dbprefix}groups WHERE {$dbprefix}questions.gid={$dbprefix}groups.gid AND {$dbprefix}questions.sid={$_GET['sid']} ORDER BY {$dbprefix}groups.sortorder, {$dbprefix}questions.title";
+    //	$qorderquery="SELECT * FROM {$dbprefix}questions, {$dbprefix}groups WHERE {$dbprefix}questions.gid={$dbprefix}groups.gid AND {$dbprefix}questions.sid={$surveyid} ORDER BY {$dbprefix}groups.sortorder, {$dbprefix}questions.title";
     //	$qorderresult=$connect->Execute($qorderquery) or safe_die("Couldn't generate a list of questions in order<br />$qorderquery<br />".$connect->ErrorMsg());
     //	$qordercount=$qorderresult->RecordCount();
     //	$c=0;
@@ -308,15 +308,15 @@ function surveyCreateTable($surveyid)
 {
     global $dbprefix, $databasetabletype, $connect;
     $createsurvey='';
-     
+
     //Check for any additional fields for this survey and create necessary fields (token and datestamp)
     $pquery = "SELECT anonymized, allowregister, datestamp, ipaddr, refurl FROM {$dbprefix}surveys WHERE sid={$surveyid}";
     $presult=db_execute_assoc($pquery);
     $prow=$presult->FetchRow();
 
     //Get list of questions for the base language
     $fieldmap=createFieldMap($surveyid);
- 
+
     foreach ($fieldmap as $arow) //With each question, create the appropriate field(s)
     {
         $createsurvey .= " `{$arow['fieldname']}`";
@@ -352,7 +352,7 @@ function surveyCreateTable($surveyid)
         }
         $createsurvey .= ",\n";
     }
-    
+
     //strip trailing comma and new line feed (if any)
     $createsurvey = rtrim($createsurvey, ",\n");
 

diff --git a/admin/userrighthandling.php b/admin/userrighthandling.php
@@ -27,7 +27,6 @@
 
 if (($ugid && !$surveyid) || $action == "editusergroups" || $action == "addusergroup" || $action=="usergroupindb" || $action == "editusergroup" || $action == "mailusergroup")
 {
-
     if($ugid)
     {
         $grpquery = "SELECT gp.* FROM ".db_table_name('user_groups')." AS gp, ".db_table_name('user_in_groups')." AS gu WHERE gp.ugid=gu.ugid AND gp.ugid = $ugid AND gu.uid=".$_SESSION['loginID'];
@@ -637,7 +636,7 @@
 {
     if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1)
     {
-        $query = "SELECT * FROM ".db_table_name('user_groups')." WHERE ugid = ".$_GET['ugid']." AND owner_id = ".$_SESSION['loginID'];
+        $query = "SELECT * FROM ".db_table_name('user_groups')." WHERE ugid = ".$ugid." AND owner_id = ".$_SESSION['loginID'];
         $result = db_select_limit_assoc($query, 1);
         $esrow = $result->FetchRow();
         $usersummary = "<div class='header ui-widget-header'>".sprintf($clang->gT("Editing user group (Owner: %s)"),$_SESSION['user'])."</div>"

diff --git a/common_functions.php b/common_functions.php
@@ -998,26 +998,6 @@ function question_class($input)
     };
 };
 
-if(!defined('COLSTYLE'))
-{
-    /**
-    * The following prepares and defines the 'COLSTYLE' constant which
-    * dictates how columns are to be marked up for list type questions.
-    *
-    * $column_style is initialised at the end of config-defaults.php or from within config.php
-    */
-    if( !isset($column_style)   ||
-    $column_style  != 'css' ||
-    $column_style  != 'ul'  ||
-    $column_style  != 'table' ||
-    $column_style  != null )
-    {
-        $column_style = 'ul';
-    };
-    define('COLSTYLE' ,strtolower($column_style), true);
-};
-
-
 function setup_columns($columns, $answer_count)
 {
     /**
@@ -1046,10 +1026,8 @@ function setup_columns($columns, $answer_count)
     *    $wrapper['cols']          = Number of columns to be inserted
     *                                (and checked against)
     *
-    * It also expect the constant COLSTYLE which sets how columns should
-    * be rendered.
-    *
-    * COLSTYLE is defined 30 lines above.
+    * It also expect the global parameter $column_style
+    * initialised at the end of config-defaults.php or from within config.php
     *
     * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     * Columns are a problem.
@@ -1088,7 +1066,11 @@ function setup_columns($columns, $answer_count)
     */
 
 
-    $colstyle = COLSTYLE;
+    global $column_style;
+    if ( !in_array($column_style,array('css','ul','table')) && !is_null($column_style) )
+    {
+        $column_style = 'ul';
+    };
 
     /*
     if(defined('PRINT_TEMPLATE')) // This forces tables based columns for printablesurvey
@@ -1098,7 +1080,7 @@ function setup_columns($columns, $answer_count)
     */
     if($columns < 2)
     {
-        $colstyle = null;
+        $column_style = null;
         $columns = 1;
     }
 
@@ -1113,9 +1095,9 @@ function setup_columns($columns, $answer_count)
     }
 
     $class_first = '';
-    if($columns > 1 && $colstyle != null)
+    if($columns > 1 && !is_null($column_style))
     {
-        if($colstyle == 'ul')
+        if($column_style == 'ul')
         {
             $ul = '-ul';
         }
@@ -1147,7 +1129,7 @@ function setup_columns($columns, $answer_count)
     ,'cols'     => $columns
     );
 
-    switch($colstyle)
+    switch($column_style)
     {
         case 'ul':  if($columns > 1)
             {
@@ -3265,7 +3247,7 @@ function questionAttributes($returnByName=false)
     "caption"=>$clang->gT('Category separator'));
 
     $qattributes["display_columns"]=array(
-    "types"=>"GLM",
+    "types"=>"LM",
     'category'=>$clang->gT('Display'),
     'sortorder'=>100,
     'inputtype'=>'integer',

diff --git a/docs/release_notes.txt b/docs/release_notes.txt
@@ -78,6 +78,14 @@ HOW TO UPGRADE from a LimeSurvey 1.70(+) version to the latest 1.9x
 Thank you to everyone who helped with this new release!
 
 
+Changes from 1.92+ (build 120822) to 1.92+ (build 120909) September 9, 2012
+-Fixed issue #6530: Since latest update unable to upload documents in survey (Denis Chenu)
+-Fixed issue #6543: SQL injection in activate_functions.php - parameter "sid" (jcleeland)
+-Fixed issue #6544: SQL injection in activate_functions.php - parameter "fixnumbering" (jcleeland)
+-Fixed issue #6545: SQL injection in preview.php - parameter "lang". Sanitized language string. (jcleeland)
+-Fixed issue #6546: SQL injection in userrighthandling.php - parameter "ugid" (jcleeland)
+
+
 Changes from 1.92+ (build 120815) to 1.92+ (build 120822) August 22, 2012
 -Fixed issue #6423: Potential XSS in 'Resume survey' load form (Carsten Schmitz)
 #Updated translation: Chinese (Simplified) by jun9

diff --git a/scripts/modaldialog.js b/scripts/modaldialog.js
@@ -126,7 +126,7 @@ $(document).ready(function() {
 
 function getQueryVariable(variable, url) {
     var query = url.split("?");
-    var vars = query[1].split("&");
+    var vars = query[1].replace(/\&amp;/g,'&').split("&");
     for (var i=0;i<vars.length;i++) {
         var pair = vars[i].split("=");
         if (pair[0] == variable) {