Browse files

Revert "MDL-31746 calendar: insufficient parameter cleaning"

Potential SQL injection with this solution

This reverts commit 47013fc.
  • Loading branch information...
1 parent 47013fc commit 7d20a8a05c4a2328a7294874e1bd436c37f9cb8f @danpoltawski danpoltawski committed Mar 26, 2012
Showing with 11 additions and 39 deletions.
  1. +11 −39 calendar/event.php
View
50 calendar/event.php
@@ -103,7 +103,6 @@
}
$form = null;
- $err = array();
switch($action) {
case 'delete':
@@ -130,7 +129,8 @@
}
if($form = data_submitted() and confirm_sesskey()) {
- validate_form($form, $err);
+
+ $form->name = clean_param(strip_tags($form->name,'<lang><span>'), PARAM_CLEAN);
$form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
if($form->duration == 1) {
@@ -146,6 +146,8 @@
$form->timeduration = 0;
}
+ validate_form($form, $err);
+
if (count($err) == 0) {
if($event->repeatid && $repeats) {
@@ -192,7 +194,9 @@
$title = get_string('newevent', 'calendar');
$form = data_submitted();
if(!empty($form) && !empty($form->name) && confirm_sesskey()) {
- validate_form($form, $err);
+
+ $form->name = clean_text(strip_tags($form->name, '<lang><span>'));
+
$form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
if($form->duration == 1) {
$form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
@@ -209,7 +213,7 @@
if(!calendar_add_event_allowed($form)) {
error('You are not authorized to do this');
}
-
+ validate_form($form, $err);
if (count($err) == 0) {
$form->timemodified = time();
@@ -564,34 +568,9 @@
function validate_form(&$form, &$err) {
- //first clean the form values
- $form->name = clean_param(strip_tags($form->name, '<lang><span>'),PARAM_CLEAN);
+
$form->name = trim($form->name);
- $form->description = clean_param($form->description, PARAM_CLEANHTML);
- $form->duration = clean_param($form->duration, PARAM_INT);
- $form->startmon = clean_param($form->startmon, PARAM_INT);
- $form->startday = clean_param($form->startday, PARAM_INT);
- $form->startyr = clean_param($form->startyr, PARAM_INT);
- $form->starthr = clean_param($form->starthr, PARAM_INT);
- $form->startmin = clean_param($form->startmin, PARAM_INT);
- $form->endmon = clean_param($form->endmon, PARAM_INT);
- $form->endday = clean_param($form->endday, PARAM_INT);
- $form->endyr = clean_param($form->endyr, PARAM_INT);
- $form->endhr = clean_param($form->endhr, PARAM_INT);
- $form->endmin = clean_param($form->endmin, PARAM_INT);
- $form->minutes = clean_param($form->minutes, PARAM_INT);
- $form->repeat = clean_param($form->repeat, PARAM_INT);
- $form->repeats = clean_param($form->repeats, PARAM_INT);
- $form->courseid = clean_param($form->courseid, PARAM_INT);
- $form->groupid = clean_param($form->groupid, PARAM_INT);
- $form->userid = clean_param($form->userid, PARAM_INT);
- $form->modulename = clean_param($form->modulename, PARAM_CLEAN);
- $form->eventtype = clean_param($form->eventtype, PARAM_ALPHA);
- $form->instance = clean_param($form->instance, PARAM_INT);
- $form->format = clean_param($form->format, PARAM_INT);
- $form->action = clean_param($form->action, PARAM_ALPHA);
- $form->type = clean_param($form->type, PARAM_ALPHA);
- $form->course = clean_param($form->course, PARAM_INT);
+ $form->description = trim($form->description);
if(empty($form->name)) {
$err['name'] = get_string('errornoeventname', 'calendar');
@@ -613,7 +592,7 @@ function validate_form(&$form, &$err) {
if (!empty($form->repeat) and !($form->repeats > 1 and $form->repeats < 100)) {
$err['repeats'] = get_string('errorinvalidrepeats', 'calendar');
}
- if (!empty($form->courseid)) {
+ if(!empty($form->courseid)) {
// Timestamps must be >= course startdate
$course = get_record('course', 'id', $form->courseid);
if($course === false) {
@@ -623,13 +602,6 @@ function validate_form(&$form, &$err) {
$err['timestart'] = get_string('errorbeforecoursestart', 'calendar');
}
}
- if (!empty($form->modulename)) {
- // Check that passed modulename actually exists (possible SQL Injection route)
- $module = get_record('modules', 'name', $form->modulename);
- if ($module === false) {
- error('Invalid module name');
- }
- }
}
function calendar_add_event_allowed($event) {

0 comments on commit 7d20a8a

Please sign in to comment.