Fix query string injections

asset.php

@@ -39,7 +39,7 @@
   	header("Location: asset.php");
   } else if ( $action == "clear" and $asset ) {
   	clearCacheFileASSET($asset);
-  	header("Location: asset.php?asset=".$asset."");
+    header("Location: asset.php?asset=".urlencode($asset));
   }
 }
 
@@ -49,9 +49,9 @@
   $start = time() - $hours*3600;
   $end = time();
 
-  $title = "AS-Stats | History for AS-SET: ".$asset;
+  $title = "AS-Stats | History for AS-SET: ".htmlentities($asset);
   $header = 'History for AS-SET';
-  $header_small = $asset;
+  $header_small = htmlentities($asset);
   $select_form = "";
 
   $aslist = getASSET($asset);
@@ -191,11 +191,11 @@
   } else {
     $aff_astable .= '<div class="alert alert-info">';
     $aff_astable .= '<h4><i class="icon fa fa-warning"></i> Alert!</h4>';
-    $aff_astable .= 'No data for AS-SET <b>' . $asset . '</b>';
+    $aff_astable .= 'No data for AS-SET <b>' . htmlentities($asset) . '</b>';
     $aff_astable .= '</div>';
   }
   // TOOLSBOX
-  $aff_toolsbox_add = '<a href="asset.php?asset='.$asset.'&action=clear" class="list-group-item"><i class="fa fa-remove text-red"></i> Remove AS-SET cache file for '.$asset.'.</a>';
+  $aff_toolsbox_add = '<a href="asset.php?asset='.htmlentities($asset).'&action=clear" class="list-group-item"><i class="fa fa-remove text-red"></i> Remove AS-SET cache file for '.htmlentities($asset).'.</a>';
 } else {
   $title = "AS-Stats | View AS-SET";
   $header = 'History for AS-SET';
@@ -252,7 +252,7 @@
                 <div class="box-body">
                   <form class="navbar-form navbar-left" role="search">
                   <div class="input-group">
-                  <input type="text" class="form-control menu-input" name="asset" placeholder="Search AS-SET" value="<?php echo $val_searchasset; ?>">
+                  <input type="text" class="form-control menu-input" name="asset" placeholder="Search AS-SET" value="<?php echo htmlspecialchars($val_searchasset); ?>">
                   <span class="input-group-btn">
                   <button type="submit" class="btn btn-flat button-input"><i class="fa fa-search"></i></button>
                   </span>
@@ -284,7 +284,7 @@
             <div class="col-lg-12">
 
               <form method='get'>
-                <input type='hidden' name='asset' value='<?php echo $asset; ?>'/>
+                <input type='hidden' name='asset' value='<?php echo htmlspecialchars($asset); ?>'/>
                 <div class="box box-primary">
                   <div class="box-header with-border">
                     <h3 class="box-title">Legend</h3>

func.inc

@@ -326,7 +326,7 @@ function menu($selected_links) {
 
   $return .='</ul>';
 
-	$val_ntop = isset($_GET['n']) ? $_GET['n'] : "";
+	$val_ntop = isset($_GET['n']) ? htmlentities($_GET['n']) : "";
 
 	if ($dpagename == "index" || $dpagename == "ix") {
 		$return .='<form class="navbar-form navbar-left" role="search">';
@@ -336,7 +336,7 @@ function menu($selected_links) {
 		}
 
     if ( $dpagename == "ix" && isset($_GET['ix']) ) {
-      $return .='<input type="hidden" name="ix" value="'.$_GET['ix'].'">';
+      $return .='<input type="hidden" name="ix" value="'.htmlspecialchars($_GET['ix']).'">';
     }
 
 	  $return .='<div class="input-group">';

gengraph.php

@@ -35,7 +35,9 @@
 	foreach($knownlinks as $link)
 		$reverse[$link['tag']] = array('color' => $link['color'], 'descr' => $link['descr']);
 	$links = array();
-	foreach(explode(',', $_GET['selected_links']) as $tag){
+    foreach(explode(',', $_GET['selected_links']) as $tag){
+        if (preg_match('/[^a-zA-Z0-9]/', $tag))
+            continue;
 		$link = array('tag' => $tag,
 				'color' => $reverse[$tag]['color'],
 				'descr' => $reverse[$tag]['descr']);

ix.php

@@ -223,7 +223,7 @@
   <!-- =============================================== -->
 
   <div class="content-wrapper">
-    <?php echo content_header($ix_name . ' Top ' . $ntop . ' AS', '('.$label.')'); ?>
+    <?php echo content_header(htmlentities($ix_name) . ' Top ' . $ntop . ' AS', '('.$label.')'); ?>
 
     <section class="content">
 			<div class="row">
@@ -261,7 +261,7 @@
                   <input type='hidden' name='numhours' value='<?php echo $hours; ?>'/>
                   <input type='hidden' name='n' value='<?php echo $ntop; ?>'/>
 									<input type='hidden' name='ix' value='<?php echo $ix_id; ?>'/>
-									<input type='hidden' name='name_ix' value='<?php echo $name_ix; ?>'/>
+									<input type='hidden' name='name_ix' value='<?php echo htmlspecialchars($name_ix); ?>'/>
                   <div class="box box-primary">
                     <div class="box-header with-border">
                       <h3 class="box-title">Legend</h3>
@@ -309,8 +309,7 @@
                     <h3 class="box-title">Search IX</h3>
                   </div>
                   <div class="box-body">
-                    <?php $val_name_ix = isset($_GET['name_ix']) ? $_GET['name_ix'] : ""; ?>
-                    <input type="text" class="form-control" name="name_ix" placeholder="Search IX" id="peeringdb" data-provide="typeahead" autocomplete="off" value="<?php echo $val_name_ix; ?>">
+                    <input type="text" class="form-control" name="name_ix" placeholder="Search IX" id="peeringdb" data-provide="typeahead" autocomplete="off" value="<?php echo htmlspecialchars($name_ix); ?>">
                     <input type='hidden' id='ix' name='ix'/>
                     <div id="message"></div>
                   </div>
@@ -323,7 +322,7 @@
 							<form method='get'>
                 <input type='hidden' name='ix' value='<?php echo $ix_id; ?>'/>
                 <input type='hidden' name='n' value='<?php echo $ntop; ?>'/>
-								<input type='hidden' name='name_ix' value='<?php echo $name_ix; ?>'/>
+								<input type='hidden' name='name_ix' value='<?php echo htmlspecialchars($name_ix); ?>'/>
                 <div class="box box-primary">
                   <div class="box-header with-border">
                     <h3 class="box-title">Interval</h3>

lib/class/peeringdb.php

@@ -90,7 +90,8 @@ public function GetIXASN($id = NULL) {
   }
 
   public function GetIXName( $regex = NULL) {
-    if ( $regex ) { $regex = '?name__contains='.$regex; }
+    if (is_string($regex)) { $regex = '?name__contains='.urlencode($regex); }
+    else $regex = '';
     $json = json_decode($this->sendRequest($this->url."/ix".$regex));
     return $json->data;
   }