Merge branch 'devel' into Issue11

admin/base_roleadmin.php

@@ -103,8 +103,7 @@
 			// $roleinfo[0] = $rid
 			// $roleinfo[1] = $rname
 			// $roleinfo[2] = $rdesc
-			// Anti XSS Output Data
-			$roleinfo = XSSPrintSafe($role->returnEditRole($roleid));
+			$roleinfo = $role->returnEditRole($roleid); // Anti XSS by default.
 			$rid = $roleinfo[0];
 			$ron = $roleinfo[1];
 			$rod = $roleinfo[2];

admin/base_useradmin.php

@@ -117,8 +117,7 @@
 			// $userinfo[2] = $rid // Role id
 			// $userinfo[3] = $ufn // Full Name
 			// $userinfo[4] = $uso // Operative
-			// Anti XSS Output Data
-			$userinfo = XSSPrintSafe($user->returnEditUser($userid));
+			$userinfo = $user->returnEditUser($userid); // Anti XSS by default.
 			$uid = $userinfo[0];
 			$usn = $userinfo[1];
 			$rid = $userinfo[2];

base_qry_main.php

@@ -127,18 +127,22 @@
 		}
 		$cs->InitState();
 	}
-  /* is this a new query, invoked from the SEARCH screen ? */
-  /* if the query string if very long (> 700) then this must be from the Search screen  */
-  $back = ImportHTTPVar("back", VAR_DIGIT);
-  if ( ( $GLOBALS['maintain_history'] == 1 ) && ( $back != 1 ) &&  ( $submit == _QUERYDB ) && ( isset($_GET['search']) && $_GET['search']  == 1  )) {
+	// Is this a new query, invoked from the SEARCH screen ?
+	// If the query string if very long (> 700) then this must be from the
+	// Search screen.
+if ( isset($maintain_history) && $maintain_history == 1 ){
+	$back = ImportHTTPVar("back", VAR_DIGIT);
+	if ( $back != 1 && $submit == _QUERYDB
+		&& isset($_GET['search']) && $_GET['search']  == 1
+	){
     !empty($_SESSION['back_list_cnt']) ? $_SESSION['back_list_cnt']-- : $_SESSION['back_list_cnt'] = 0;    /* save on top of initial blank query screen   */
     $submit = "";          /*  save entered search criteria as if one hit Enter */
     $_POST['submit'] = $submit;
     $cs->ReadState();      /* save the search criteria       */
     $submit = _QUERYDB;    /* restore the real submit value  */
     $_POST['submit'] = $submit;
-  }
-
+	}
+}
   $cs->ReadState();
 
   $qs = new QueryState();

base_user.php

@@ -72,8 +72,7 @@
         $user = new BaseUser();
         $userlogin = $user->returnUser();
         $userid = $user->returnUserID($userlogin);
-			// Anti XSS Output Data
-			$userinfo = XSSPrintSafe($user->returnEditUser($userid));
+			$userinfo = $user->returnEditUser($userid); // Anti XSS by default.
         $form = "<table border=1 class='query'>";
         $form = $form . "<tr><td width='25%' align='right'>"._FRMUID."</td>";
         $form = $form . "<td align='left'>". $userinfo[0] ."</td></tr>";

composer.json

@@ -12,7 +12,7 @@
 	"support": {
 		"forum": "https://sourceforge.net/p/secureideas/discussion",
 		"issues": "https://github.com/NathanGibbs3/BASE/issues",
-		"wiki": "https://sourceforge.net/p/secureideas/wiki/Home",
+		"wiki": "https://github.com/NathanGibbs3/BASE/wiki",
 		"docs": "https://github.com/NathanGibbs3/BASE/tree/master/docs",
 		"source": "https://github.com/NathanGibbs3/BASE"
 	},

docs/CHANGELOG.md

@@ -105,6 +105,12 @@ https://github.com/NathanGibbs3/BASE/issues/62)
 https://github.com/NathanGibbs3/BASE/issues/75)
 - [#77 PrintTiming() retuns parital event log.](
 https://github.com/NathanGibbs3/BASE/issues/77)
+- [#26 `CriteriaState::ReadState()` does not check for unset conf variable
+`$maintain_history` before access.](
+https://github.com/NathanGibbs3/BASE/issues/26)
+- [#81 BASE does not check for unset conf variable `$maintain_history` before
+access.](
+https://github.com/NathanGibbs3/BASE/issues/81)
 
 Contributor(s): [Nathan Gibbs]
 - [#57 `tr bgcolor="#"` if `$prio` not in `$priority_colors`
@@ -122,6 +128,14 @@ https://github.com/NathanGibbs3/BASE/issues/13)
 https://github.com/NathanGibbs3/BASE/issues/74)
 - [#78 Standardize code to authorize page access via role, Page, & URI.](
 https://github.com/NathanGibbs3/BASE/issues/78)
+- [#33 Add Anti XSS code to `returnEditUser()`.](
+https://github.com/NathanGibbs3/BASE/issues/33)
+- [#80 Add Anti XSS code to `returnEditRole()`.](
+https://github.com/NathanGibbs3/BASE/issues/80)
+- [#82 Add Input Validation code to `returnEditRole()`.](
+https://github.com/NathanGibbs3/BASE/issues/82)
+- [#83 Add Input Validation code to `returnEditUser()`.](
+https://github.com/NathanGibbs3/BASE/issues/83)
 
 Contributor(s): [Nathan Gibbs]
 

docs/contributing.md

@@ -3,7 +3,7 @@
 ## Did you find an Issue/Bug?
 - Ensure you are running the latest codebase. Sometimes, we have already
 fixed the Issue. This can be found in either:
-  - The latest release.
+  - The [latest release](https://github.com/NathanGibbs3/BASE/releases).
   - The latest commit to the
   [master](https://github.com/NathanGibbs3/BASE/tree/master) branch.
   - The latest commit to the
@@ -17,18 +17,24 @@ sure to include a **title and clear description**, as much relevant
 information as possible, including the expected and current app behaviors.
 
 ## Did you write a patch that fixes an Issue?
+This means code or documentation suitable for inclusion in BASE.
 - Open a new GitHub pull request with the patch.
 - Ensure the PR description clearly describes the problem and solution.
 Include the relevant issue number if applicable.
+- Ensure that the patch has Unit tests when possible.
 
 ## Did you write BASE related code or documentation?
 This means code or documentation that may not be suitable for inclusion in
-BASE itself; but may be useful to the BASE community.
+BASE; but may be useful to the BASE community.
 - Fork the [GitHub repo](https://github.com/NathanGibbs3/BASE).
 - Put contributed code in the contrib directory.
 - Put contributed documentation in the docs/contrib directory.
 - Open a new GitHub pull request with the contributions.
 - Ensure the PR description clearly describes the code and documentation.
 
+## New to Open Source development & contributing to projects?
+Welcome, check out this [awesome video](https://youtu.be/jTTf4oLkvaM) by
+Dan Bader [@dbader](https://github.com/dbader) that explains the process.
+
 Thank you.  
 BASE [Project Team](https://github.com/NathanGibbs3/BASE/wiki/Project-Team)

includes/base_auth.inc.php

@@ -264,9 +264,7 @@ function returnUserID($login)
         $usrid = $rs->baseFetchRow();
         return $usrid[0];
     }
-
-    function returnUsers()
-    {
+	function returnUsers(){
         /* returns an array of all users info
          * each array item is formatted as
          * array[] = usr_id|usr_login|role_id|usr_name|usr_enabled
@@ -286,25 +284,32 @@ function returnUsers()
         $result->baseFreeRows();
         return $userarray;
     }
-
-    function returnEditUser($userid)
-    {
-        /* returns an array of all users info
-         * each array item is formatted as
-         * array[0] = usr_id|usr_login|role_id|usr_name|usr_enabled
-        */
-
-        $db = $this->db;
-        $sql = "SELECT usr_id, usr_login, role_id, usr_name, usr_enabled ";
-        $sql = $sql . "FROM base_users WHERE usr_id = '" . $userid . "';";
-        $result = $db->baseExecute($sql);
-
-        $myrow = $result->baseFetchRow();
-        $result->baseFreeRows();
-        return $myrow;
-
-    }
-
+	function returnEditUser( $userid, $XSS = 1 ){
+		// Returns an array of user's info.
+		// Each array item is formatted as:
+		// array[0] = usr_id|usr_login|role_id|usr_name|usr_enabled
+		// Returns false on Error.
+		$Ret = false;
+		$userid = intval($userid); // Input Validation
+		if ( !is_numeric($XSS) ){
+			$XSS = 1;
+		}
+		if ( $userid > 0 ){
+			$db = $this->db;
+			$sql = "SELECT usr_id, usr_login, role_id, usr_name, usr_enabled ";
+			$sql .= "FROM base_users WHERE usr_id = '" . $userid . "';";
+			$result = $db->baseExecute($sql);
+			if ( $result != false ){ // Error Check
+				$myrow = $result->baseFetchRow();
+				$result->baseFreeRows();
+				if ( $XSS > 0 ){ // Anti XSS Output Data
+					$myrow = XSSPrintSafe($myrow);
+				}
+				$Ret = $myrow;
+			}
+		}
+		return $Ret;
+	}
     function roleName($roleID)
     {
         // returns rolename for a specified role id
@@ -437,25 +442,31 @@ function addRole($roleid, $rolename, $desc)
         $db->baseExecute($sql, -1, -1, false);
         return _ROLEADDED;
     }
-
-    function returnEditRole($roleid)
-    {
-        /* returns an array of all Role's info
-         * each array item is formatted as
-         * array[0] = role_id|role_name|role_desc
-        */
-
-        $db = $this->db;
-        $sql = "SELECT role_id, role_name, role_desc ";
-        $sql = $sql . "FROM base_roles WHERE role_id = '" . $roleid . "';";
-        $result = $db->baseExecute($sql);
-
-        $myrow = $result->baseFetchRow();
-        $result->baseFreeRows();
-        return $myrow;
-
-    }
-
+	function returnEditRole( $roleid, $XSS = 1 ){
+		// Returns an array of Role's info.
+		// Each array item is formatted as:
+		// array[0] = role_id|role_name|role_desc
+		$Ret = false;
+		$roleid = intval($roleid); // Input Validation
+		if ( !is_numeric($XSS) ){
+			$XSS = 1;
+		}
+		if ( $roleid > 0 ){
+			$db = $this->db;
+			$sql = "SELECT role_id, role_name, role_desc ";
+			$sql .= "FROM base_roles WHERE role_id = '" . $roleid . "';";
+			$result = $db->baseExecute($sql);
+			if ( $result != false ){ // Error Check
+				$myrow = $result->baseFetchRow();
+				$result->baseFreeRows();
+				if ( $XSS == 1 ){ // Anti XSS Output Data
+					$myrow = XSSPrintSafe($myrow);
+				}
+				$Ret = $myrow;
+			}
+		}
+		return $Ret;
+	}
     function updateRole($rolearray)
     {
         /* This function accepts an array in the following format

includes/base_state_criteria.inc.php

@@ -86,51 +86,39 @@ function InitState()
      foreach ( $valid_criteria_list as $cname )
          $this->criteria[$cname]->Init();
   }
-
-  function ReadState()
-  {
-     RegisterGlobalState();
-
-     /* 
-      * If the BACK button was clicked, shuffle the appropriate
-      * criteria variables from the $back_list (history) array into
-      * the current session ($_SESSION)
-      */
-     if ( ($GLOBALS['maintain_history'] == 1) &&
-          (ImportHTTPVar("back", VAR_DIGIT) == 1) )
-     {
-        PopHistory();
-     }
-
-     /* 
-      * Import, update and sanitize all persistant criteria variables 
-      */
-     $valid_criteria_list = array_keys($this->criteria);
-     foreach ( $valid_criteria_list as $cname )
-     {
-        $this->criteria[$cname]->Import();
-        $this->criteria[$cname]->Sanitize();
-     }
-
-     /* 
-      * Check whether criteria elements need to be cleared 
-      */
-     $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "", 
-                                                array_keys($this->criteria));
-     $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "", 
-                                                   array_keys($this->criteria));
-
-     if ( $this->clear_criteria_name != "" )
-        $this->ClearCriteriaStateElement($this->clear_criteria_name,
-                                         $this->clear_criteria_element);
-
-     /*
-      * Save the current criteria into $back_list (history)
-      */
-     if ( $GLOBALS['maintain_history'] == 1 )
-        PushHistory();
-  }
-
+	function ReadState(){
+		GLOBAL $maintain_history;
+		RegisterGlobalState();
+		// If the BACK button was clicked, shuffle the appropriate criteria
+		// variables from the $back_list (history) array into the current
+		// session ($_SESSION).
+		if ( $maintain_history == 1 && ImportHTTPVar("back", VAR_DIGIT) == 1 ){
+			PopHistory();
+		}
+		// Import, update and sanitize all persistant criteria variables.
+		$valid_criteria_list = array_keys($this->criteria);
+		foreach ( $valid_criteria_list as $cname ){
+			$this->criteria[$cname]->Import();
+			$this->criteria[$cname]->Sanitize();
+		}
+		// Check whether criteria elements need to be cleared.
+		$this->clear_criteria_name = ImportHTTPVar(
+			'clear_criteria', '', array_keys($this->criteria)
+		);
+		$this->clear_criteria_element = ImportHTTPVar(
+			'clear_criteria_element', '', array_keys($this->criteria)
+		);
+		if ( $this->clear_criteria_name != "" ){
+			$this->ClearCriteriaStateElement(
+				$this->clear_criteria_name,
+				$this->clear_criteria_element
+			);
+		}
+		// Save the current criteria into $back_list (history).
+		if ( $maintain_history == 1 ){
+			PushHistory();
+		}
+	}
   function GetBackLink()
   {
     return PrintBackButton();