Escape the whole engelsystem log on output (instead of input) #607
merged 3 commits into from Jun 3, 2019
4 changes: 2 additions & 2 deletions config/config.default.php
Expand Up @@ -31,9 +31,9 @@
// Contact email address, linked on every page
'Contact' => env('CONTACT_EMAIL', 'mailto:ticket@c3heaven.de'),
],

// Link to documentation/help
'documentation_url' => 'https://engelsystem.de/doc/',
'documentation_url' => 'https://engelsystem.de/doc/',

// Email config
'email' => [
2 changes: 1 addition & 1 deletion contrib/Dockerfile
Expand Up @@ -3,7 +3,7 @@ ARG NGINX_IMAGE=engelsystem-nginx:latest

# composer install
FROM composer AS composer
COPY composer.json /app/
COPY ./ /app/
RUN composer --no-ansi install --no-dev --ignore-platform-reqs
RUN composer --no-ansi dump-autoload --optimize

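Review bot: `COPY ./ /app/` replaces the composer.json-only copy, so any change in the build context now invalidates the cached `composer install` layer, and everything in the context (a local .env, .git, config overrides) lands in the composer stage unless a .dockerignore excludes it, which I cannot see from here. The usual layout copies only the manifest first, installs without generating the autoloader, then copies the sources for the optimized dump: `COPY composer.json composer.lock /app/`, `RUN composer --no-ansi install --no-dev --ignore-platform-reqs --no-autoloader`, then the existing `COPY ./ /app/` immediately before the dump-autoload line. If composer.lock is not committed the first copy needs adjusting, but note that the old form copied no lock file at all, so installs were not pinned.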
47 changes: 25 additions & 22 deletions includes/controller/user_angeltypes_controller.php
Expand Up @@ -62,7 +62,7 @@ function user_angeltypes_delete_all_controller()
if ($request->hasPostData('deny_all')) {
UserAngelTypes_delete_all($angeltype['id']);

engelsystem_log(sprintf('Denied all users for angeltype %s', AngelType_name_render($angeltype)));
engelsystem_log(sprintf('Denied all users for angeltype %s', AngelType_name_render($angeltype, true)));
success(sprintf(__('Denied all users for angeltype %s.'), AngelType_name_render($angeltype)));
redirect(page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]));
}
Expand Down Expand Up @@ -102,7 +102,7 @@ function user_angeltypes_confirm_all_controller()
if ($request->hasPostData('confirm_all')) {
UserAngelTypes_confirm_all($angeltype['id'], $user->id);

engelsystem_log(sprintf('Confirmed all users for angeltype %s', AngelType_name_render($angeltype)));
engelsystem_log(sprintf('Confirmed all users for angeltype %s', AngelType_name_render($angeltype, true)));
success(sprintf(__('Confirmed all users for angeltype %s.'), AngelType_name_render($angeltype)));
redirect(page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]));
}
Expand Down Expand Up @@ -156,8 +156,8 @@ function user_angeltype_confirm_controller()

engelsystem_log(sprintf(
'%s confirmed for angeltype %s',
User_Nick_render($user_source),
AngelType_name_render($angeltype)
User_Nick_render($user_source, true),
AngelType_name_render($angeltype, true)
));
success(sprintf(
__('%s confirmed for angeltype %s.'),
Expand Down Expand Up @@ -214,9 +214,8 @@ function user_angeltype_delete_controller()
if ($request->hasPostData('delete')) {
UserAngelType_delete($user_angeltype);

$success_message = sprintf(__('User %s removed from %s.'), User_Nick_render($user_source), $angeltype['name']);
engelsystem_log($success_message);
success($success_message);
engelsystem_log(sprintf('User %s removed from %s.', User_Nick_render($user_source, true), $angeltype['name']));
success(sprintf(__('User %s removed from %s.'), User_Nick_render($user_source), $angeltype['name']));

redirect(page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]));
}
Expand Down Expand Up @@ -275,15 +274,19 @@ function user_angeltype_update_controller()
if ($request->hasPostData('submit')) {
UserAngelType_update($user_angeltype['id'], $supporter);

$success_message = sprintf(
$supporter
? __('Added supporter rights for %s to %s.')
: __('Removed supporter rights for %s from %s.'),
$msg = $supporter
? __('Added supporter rights for %s to %s.')
: __('Removed supporter rights for %s from %s.');
engelsystem_log(sprintf(
$msg,
AngelType_name_render($angeltype, true),
User_Nick_render($user_source, true)
));
success(sprintf(
$msg,
AngelType_name_render($angeltype),
User_Nick_render($user_source)
);
engelsystem_log($success_message);
success($success_message);
));

redirect(page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]));
}
Expand Down Expand Up @@ -324,8 +327,8 @@ function user_angeltype_add_controller()

engelsystem_log(sprintf(
'User %s added to %s.',
User_Nick_render($user_source),
AngelType_name_render($angeltype)
User_Nick_render($user_source, true),
AngelType_name_render($angeltype, true)
));
success(sprintf(
__('User %s added to %s.'),
Expand All @@ -336,8 +339,8 @@ function user_angeltype_add_controller()
UserAngelType_confirm($user_angeltype_id, $user_source->id);
engelsystem_log(sprintf(
'User %s confirmed as %s.',
User_Nick_render($user_source),
AngelType_name_render($angeltype)
User_Nick_render($user_source, true),
AngelType_name_render($angeltype, true)
));

redirect(page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]));
Expand Down Expand Up @@ -372,17 +375,17 @@ function user_angeltype_join_controller($angeltype)
$success_message = sprintf(__('You joined %s.'), $angeltype['name']);
engelsystem_log(sprintf(
'User %s joined %s.',
User_Nick_render($user),
AngelType_name_render($angeltype)
User_Nick_render($user, true),
AngelType_name_render($angeltype, true)
));
success($success_message);

if (auth()->can('admin_user_angeltypes')) {
UserAngelType_confirm($user_angeltype_id, $user->id);
engelsystem_log(sprintf(
'User %s confirmed as %s.',
User_Nick_render($user),
AngelType_name_render($angeltype)
User_Nick_render($user, true),
AngelType_name_render($angeltype, true)
));
}

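Review bot: In the user_angeltype_update_controller hunk the log entry is formatted with `$msg`, a `__()`-translated string, whereas every other engelsystem_log() call in this file (the removed-from, added-to and confirmed-as hunks) now uses an untranslated English literal; as written the stored log text depends on the acting user's locale, which makes searching the log unreliable. Keep the translated string for success() and give the log its own literal, as below. The second argument of User_Nick_render() and AngelType_name_render() is presumably a plain-text mode, since the success() calls keep the bare form; a one-line comment on the first such call, `// second argument: plain text for the log, escaped on output in admin_log`, would save the next reader a lookup. user_angeltype_update_controller starts outside the hunk.
```php
// … unchanged: UserAngelType_update call …
$msg = $supporter
    ? __('Added supporter rights for %s to %s.')
    : __('Removed supporter rights for %s from %s.');
// Log entries are stored untranslated, like every other engelsystem_log() call in this file.
engelsystem_log(sprintf(
    $supporter
        ? 'Added supporter rights for %s to %s.'
        : 'Removed supporter rights for %s from %s.',
    AngelType_name_render($angeltype, true),
    User_Nick_render($user_source, true)
));
// … unchanged: success(sprintf($msg, …)) and redirect …
```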
4 changes: 2 additions & 2 deletions includes/controller/users_controller.php
Expand Up @@ -85,7 +85,7 @@ function user_delete_controller()

mail_user_delete($user_source);
success(__('User deleted.'));
engelsystem_log(sprintf('Deleted %s', User_Nick_render($user_source)));
engelsystem_log(sprintf('Deleted %s', User_Nick_render($user_source, true)));

redirect(users_link());
}
Expand Down Expand Up @@ -170,7 +170,7 @@ function user_edit_vouchers_controller()
$user_source->state->save();

success(__('Saved the number of vouchers.'));
engelsystem_log(User_Nick_render($user_source) . ': ' . sprintf('Got %s vouchers',
engelsystem_log(User_Nick_render($user_source, true) . ': ' . sprintf('Got %s vouchers',
$user_source->state->got_voucher));

redirect(user_link($user_source->id));
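Review bot: The voucher log line in user_edit_vouchers_controller assembles the message from a concatenation plus a sprintf() split over two lines, unlike every other log call in this change set, which keeps the whole message in one format string; `engelsystem_log(sprintf('%s: Got %s vouchers', User_Nick_render($user_source, true), $user_source->state->got_voucher));` produces the same text and is easier to grep for. user_edit_vouchers_controller starts outside the hunk.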
2 changes: 1 addition & 1 deletion includes/model/AngelType_model.php
Expand Up @@ -48,7 +48,7 @@ function AngelType_delete($angeltype)
WHERE `id`=?
LIMIT 1
', [$angeltype['id']]);
engelsystem_log('Deleted angeltype: ' . AngelType_name_render($angeltype));
engelsystem_log('Deleted angeltype: ' . AngelType_name_render($angeltype, true));
}

/**
4 changes: 2 additions & 2 deletions includes/model/ShiftEntry_model.php
Expand Up @@ -94,7 +94,7 @@ function ShiftEntry_create($shift_entry)
]
);
engelsystem_log(
'User ' . User_Nick_render($user)
'User ' . User_Nick_render($user, true)
. ' signed up for shift ' . $shift['name']
. ' from ' . date('Y-m-d H:i', $shift['start'])
. ' to ' . date('Y-m-d H:i', $shift['end'])
Expand Down Expand Up @@ -156,7 +156,7 @@ function ShiftEntry_delete($shiftEntry)
$angeltype = AngelType($shiftEntry['TID']);

engelsystem_log(
'Shift signout: ' . User_Nick_render($signout_user) . ' from shift ' . $shifttype['name']
'Shift signout: ' . User_Nick_render($signout_user, true) . ' from shift ' . $shifttype['name']
. ' at ' . $room['Name']
. ' from ' . date('Y-m-d H:i', $shift['start'])
. ' to ' . date('Y-m-d H:i', $shift['end'])
6 changes: 3 additions & 3 deletions includes/model/UserWorkLog_model.php
Expand Up @@ -47,7 +47,7 @@ function UserWorkLog_delete($userWorkLog)

engelsystem_log(sprintf(
'Delete work log for %s, %s hours, %s',
User_Nick_render($user_source),
User_Nick_render($user_source, true),
$userWorkLog['work_hours'],
$userWorkLog['comment']
));
Expand Down Expand Up @@ -78,7 +78,7 @@ function UserWorkLog_update($userWorkLog)

engelsystem_log(sprintf(
'Updated work log for %s, %s hours, %s',
User_Nick_render($user_source),
User_Nick_render($user_source, true),
$userWorkLog['work_hours'],
$userWorkLog['comment'])
);
Expand Down Expand Up @@ -115,7 +115,7 @@ function UserWorkLog_create($userWorkLog)
time()
]);

engelsystem_log(sprintf('Added work log entry for %s, %s hours, %s', User_Nick_render($user_source),
engelsystem_log(sprintf('Added work log entry for %s, %s hours, %s', User_Nick_render($user_source, true),
$userWorkLog['work_hours'], $userWorkLog['comment']));

return $result;
13 changes: 7 additions & 6 deletions includes/model/User_model.php
Expand Up @@ -5,6 +5,7 @@
use Engelsystem\Models\User\PasswordReset;
use Engelsystem\Models\User\User;
use Engelsystem\ValidationResult;
use Illuminate\Database\Query\JoinClause;

/**
* User model
Expand Down Expand Up @@ -117,14 +118,14 @@ function Users_by_angeltype($angeltype)
function User_validate_Nick($nick)
{
$nick = trim($nick);
if(strlen($nick) == 0 || strlen($nick) > 23) {

if (strlen($nick) == 0 || strlen($nick) > 23) {
return new ValidationResult(false, $nick);
}
if(preg_match('/([^\p{L}\p{N}\-_. ]+)/ui', $nick)) {
if (preg_match('/([^\p{L}\p{N}\-_. ]+)/ui', $nick)) {
return new ValidationResult(false, $nick);
}

return new ValidationResult(true, $nick);
}

Expand Down Expand Up @@ -222,7 +223,7 @@ function User_reset_api_key($user, $log = true)
$user->save();

if ($log) {
engelsystem_log(sprintf('API key resetted (%s).', User_Nick_render($user)));
engelsystem_log(sprintf('API key resetted (%s).', User_Nick_render($user, true)));
}
}

Expand All @@ -239,7 +240,7 @@ function User_generate_password_recovery_token($user)
$reset->token = md5($user->name . time() . rand());
$reset->save();

engelsystem_log('Password recovery for ' . User_Nick_render($user) . ' started.');
engelsystem_log('Password recovery for ' . User_Nick_render($user, true) . ' started.');

return $reset->token;
}
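Review bot: The recovery token on the `$reset->token = md5($user->name . time() . rand());` context line in User_generate_password_recovery_token is built only from the nick, the current second and rand(), none of which is unpredictable, so the token does not carry real entropy; this predates the commit, but since the hunk already touches this function, `$reset->token = bin2hex(random_bytes(16));` is a one-line replacement that keeps the same 32-hex-character width. Separately, the added `use Illuminate\Database\Query\JoinClause;` is not referenced in any visible hunk; if nothing outside the shown hunks uses it, it should be dropped rather than left as an unused import. User_generate_password_recovery_token starts outside the hunk.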
10 changes: 5 additions & 5 deletions includes/pages/admin_active.php
Expand Up @@ -86,7 +86,7 @@ function admin_active()
foreach ($users as $usr) {
$usr->state->active = true;
$usr->state->save();
$user_nicks[] = User_Nick_render($usr);
$user_nicks[] = User_Nick_render($usr, true);
}

State::whereForceActive(true)->update(['active' => true]);
Expand All @@ -108,7 +108,7 @@ function admin_active()
if ($user_source) {
$user_source->state->active = true;
$user_source->state->save();
engelsystem_log('User ' . User_Nick_render($user_source) . ' is active now.');
engelsystem_log('User ' . User_Nick_render($user_source, true) . ' is active now.');
$msg = success(__('Angel has been marked as active.'), true);
} else {
$msg = error(__('Angel not found.'), true);
Expand All @@ -119,7 +119,7 @@ function admin_active()
if ($user_source) {
$user_source->state->active = false;
$user_source->state->save();
engelsystem_log('User ' . User_Nick_render($user_source) . ' is NOT active now.');
engelsystem_log('User ' . User_Nick_render($user_source, true) . ' is NOT active now.');
$msg = success(__('Angel has been marked as not active.'), true);
} else {
$msg = error(__('Angel not found.'), true);
Expand All @@ -130,7 +130,7 @@ function admin_active()
if ($user_source) {
$user_source->state->got_shirt = true;
$user_source->state->save();
engelsystem_log('User ' . User_Nick_render($user_source) . ' has tshirt now.');
engelsystem_log('User ' . User_Nick_render($user_source, true) . ' has tshirt now.');
$msg = success(__('Angel has got a t-shirt.'), true);
} else {
$msg = error('Angel not found.', true);
Expand All @@ -141,7 +141,7 @@ function admin_active()
if ($user_source) {
$user_source->state->got_shirt = false;
$user_source->state->save();
engelsystem_log('User ' . User_Nick_render($user_source) . ' has NO tshirt.');
engelsystem_log('User ' . User_Nick_render($user_source, true) . ' has NO tshirt.');
$msg = success(__('Angel has got no t-shirt.'), true);
} else {
$msg = error(__('Angel not found.'), true);
4 changes: 2 additions & 2 deletions includes/pages/admin_arrive.php
Expand Up @@ -37,7 +37,7 @@ function admin_arrive()
$user_source->state->arrival_date = null;
$user_source->state->save();

engelsystem_log('User set to not arrived: ' . User_Nick_render($user_source));
engelsystem_log('User set to not arrived: ' . User_Nick_render($user_source, true));
success(__('Reset done. Angel has not arrived.'));
redirect(user_link($user_source->id));
} else {
Expand All @@ -55,7 +55,7 @@ function admin_arrive()
$user_source->state->arrival_date = new Carbon\Carbon();
$user_source->state->save();

engelsystem_log('User set has arrived: ' . User_Nick_render($user_source));
engelsystem_log('User set has arrived: ' . User_Nick_render($user_source, true));
success(__('Angel has been marked as arrived.'));
redirect(user_link($user_source->id));
} else {
1 change: 1 addition & 0 deletions includes/pages/admin_log.php
Expand Up @@ -25,6 +25,7 @@ function admin_log()
$entries = [];
foreach ($log_entries as $entry) {
$data = $entry->toArray();
$data['message'] = nl2br(htmlspecialchars($data['message']));
$data['created_at'] = date_format($entry->created_at, 'd.m.Y H:i');
$entries[] = $data;
}
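Review bot: The added `nl2br(htmlspecialchars($data['message']))` relies on htmlspecialchars() defaults, which on PHP versions before 8.1 leave single quotes unescaped and return an empty string for any message containing invalid UTF-8, so a log entry could be blanked silently; prefer `$data['message'] = nl2br(htmlspecialchars($data['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. Because escaping now happens only here, the admin_questions.php hunks that drop htmlspecialchars() on the stored question and answer text depend on this line, and any other view that prints LogEntry messages would need the same treatment — I cannot see whether one exists. Log rows written before this change that already contain markup (the old HTML nick links, or pre-escaped question text) will now render as literal tags or double-escaped entities, so a one-off cleanup or a cutoff date may be worth considering. admin_log's body continues outside the hunk.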
6 changes: 3 additions & 3 deletions includes/pages/admin_questions.php
Expand Up @@ -130,9 +130,9 @@ function admin_questions()
);
engelsystem_log(
'Question '
. htmlspecialchars($question['Question'])
. $question['Question']
. ' answered: '
. htmlspecialchars($answer)
. $answer
);
redirect(page_link_to('admin_questions'));
} else {
Expand All @@ -159,7 +159,7 @@ function admin_questions()
);
if (!empty($question)) {
DB::delete('DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', [$question_id]);
engelsystem_log('Question deleted: ' . htmlspecialchars($question['Question']));
engelsystem_log('Question deleted: ' . $question['Question']);
redirect(page_link_to('admin_questions'));
} else {
return error('No question found.', true);
4 changes: 2 additions & 2 deletions includes/pages/admin_user.php
Expand Up @@ -240,7 +240,7 @@ function admin_user()
}
$user_source = User::find($user_id);
engelsystem_log(
'Set groups of ' . User_Nick_render($user_source) . ' to: '
'Set groups of ' . User_Nick_render($user_source, true) . ' to: '
. join(', ', $user_groups_info)
);
$html .= success('Benutzergruppen gespeichert.', true);
Expand Down Expand Up @@ -293,7 +293,7 @@ function admin_user()
) {
set_password($user_id, $request->postData('new_pw'));
$user_source = User::find($user_id);
engelsystem_log('Set new password for ' . User_Nick_render($user_source));
engelsystem_log('Set new password for ' . User_Nick_render($user_source, true));
$html .= success('Passwort neu gesetzt.', true);
} else {
$html .= error(
12 changes: 7 additions & 5 deletions includes/pages/guest_login.php
Expand Up @@ -86,10 +86,11 @@ function guest_register()
if ($request->has('nick')) {
$nickValidation = User_validate_Nick($request->input('nick'));
$nick = $nickValidation->getValue();
if(!$nickValidation->isValid()) {

if (!$nickValidation->isValid()) {
$valid = false;
$msg .= error(sprintf(__('Please enter a valid nick.') . ' ' . __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'), $nick), true);
$msg .= error(sprintf(__('Please enter a valid nick.') . ' ' . __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'),
$nick), true);
}
if (User::whereName($nick)->count() > 0) {
$valid = false;
Expand Down Expand Up @@ -246,7 +247,7 @@ function guest_register()
}

engelsystem_log(
'User ' . User_Nick_render($user)
'User ' . User_Nick_render($user, true)
. ' signed up as: ' . join(', ', $user_angel_types_info)
);
success(__('Angel registration successful!'));
Expand Down Expand Up @@ -287,7 +288,8 @@ function guest_register()
div('row', [
div('col-sm-4', [
form_text('nick', __('Nick') . ' ' . entry_required(), $nick),
form_info('', __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'))
form_info('',
__('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'))
]),
div('col-sm-8', [
form_email('mail', __('E-Mail') . ' ' . entry_required(), $mail),
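Review bot: In the reformatted error() call in guest_register, neither `__('Please enter a valid nick.')` nor the "Use up to 23 letters…" string contains a `%s` placeholder, so the `$nick` argument passed to sprintf() is never shown and is dead; either drop it, `$msg .= error(__('Please enter a valid nick.') . ' ' . __('Use up to 23 letters, numbers, connecting punctuations or spaces for your nickname.'), true);`, or add a placeholder if showing the rejected nick was the intent. Using translated text as a sprintf() format string also means a translation containing a literal `%` would break the call, which is another reason to avoid the wrapper when nothing is interpolated. guest_register starts and ends outside the hunk.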