security fixes #1757

Merged
merged 2 commits into from Jul 14, 2018
4 changes: 2 additions & 2 deletions ccdaservice/ccda_gateway.php
Expand Up @@ -128,10 +128,10 @@ function checkService($ip = "localhost", $port = '6661')
if ($result === false) {
$path = $GLOBALS['fileroot'] . "/ccdaservice";
if (IS_WINDOWS) {
$cmd = "node " . $path . "/serveccda.js";
$cmd = "node " . escapeshellarg($path . "/serveccda.js");
pclose(popen("start /B " . $cmd, "r"));
} else {
$cmd = "nodejs " . $path . "/serveccda.js";
$cmd = "nodejs " . escapeshellarg($path . "/serveccda.js");
exec($cmd . " > /dev/null &");
}
sleep(2); // give cpu a rest
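Review bot: On Windows, escapeshellarg() wraps the argument in double quotes and replaces `%`, `!` and `"` with spaces, so the `start /B` branch now silently produces a wrong path for an install directory containing any of those characters. A comment on that branch, `// escapeshellarg() on Windows replaces %, ! and " with spaces; fileroot must avoid them`, records the limitation, and a file_exists() check on `$path . "/serveccda.js"` before spawning would surface the failure instead of presumably leaving the service unstarted after the sleep. checkService() starts before this hunk and its remaining body is not shown.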
30 changes: 15 additions & 15 deletions interface/billing/sl_eob_search.php
Expand Up @@ -560,7 +560,7 @@ function upload_file_to_client_pdf($file_to_send, $aPatFirstName = '', $aPatID =
if ($DEBUG) {
$alertmsg = xl("Printing skipped; see test output in") .' '. $STMT_TEMP_FILE;
} else {
exec("$STMT_PRINT_CMD $STMT_TEMP_FILE");
exec(escapeshellcmd($STMT_PRINT_CMD) . " " . escapeshellarg($STMT_TEMP_FILE));
if ($_POST['form_without']) {
$alertmsg = xl('Now printing') .' '. $stmt_count .' '. xl('statements; invoices will not be updated.');
} else {
Expand Down Expand Up @@ -705,13 +705,13 @@ function npopup(pid) {
&nbsp;<span><?php echo xlt('Select Method');?></span>&nbsp;<i id='select-method-tooltip' class="fa fa-info-circle oe-superscript" aria-hidden="true"></i>
<div id="radio-div" class="pull-right oe-legend-radio">
<label class="radio-inline">
<input type="radio" id="invoice_search" name="radio-search" onclick="" value="inv-search"><?php echo xlt('Invoice Search'); ?>
<input type="radio" id="invoice_search" name="radio-search" onclick="" value="inv-search"><?php echo xlt('Invoice Search'); ?>
</label>
<label class="radio-inline">
<input type="radio" id="era_upload" name="radio-search" onclick="" value="era-upld"><?php echo xlt('ERA Upload'); ?>
</label>
</div>

<input type="hidden" id="hid1" value="<?php echo xlt('Invoice Search');?>">
<input type="hidden" id="hid2" value="<?php echo xlt('ERA Upload');?>">
<input type="hidden" id="hid3" value="<?php echo xlt('Select Method');?>">
Expand Down Expand Up @@ -755,11 +755,11 @@ function npopup(pid) {
</div>
<div class="col-xs-12 .oe-custom-line oe-show-hide" id = 'era-upld'>
<div class="form-group col-xs9 oe-file-div">
<div class="input-group">
<div class="input-group">
<label class="input-group-btn">
<span class="btn btn-default">
Browse&hellip;<input type="file" id="uploadedfile" name="form_erafile" style="display: none;" >
<input name="MAX_FILE_SIZE" type="hidden" value="5000000">
<input name="MAX_FILE_SIZE" type="hidden" value="5000000">
</span>
</label>
<input type="text" class="form-control" placeholder="<?php echo xlt('Click Browse and select one Electronic Remittance Advice (ERA) file...'); ?>" readonly>
Expand All @@ -771,9 +771,9 @@ function npopup(pid) {
<div class="form-group clearfix">
<div class="col-sm-12 position-override oe-show-hide" id="search-btn">
<div class="btn-group" role="group">
<button type='submit' class="btn btn-default btn-search oe-show-hide" name='form_search'
<button type='submit' class="btn btn-default btn-search oe-show-hide" name='form_search'
id="btn-inv-search" value='<?php echo xla("Search"); ?>'><?php echo xlt("Search"); ?></button>
<button type='submit' class="btn btn-default btn-save oe-show-hide" name='form_search'
<button type='submit' class="btn btn-default btn-save oe-show-hide" name='form_search'
id="btn-era-upld" value='<?php echo xla("Upload"); ?>'><?php echo xlt("Upload"); ?></button>
</div>
</div>
Expand Down Expand Up @@ -802,7 +802,7 @@ function npopup(pid) {
exec("unzip -p $tmp_name.zip > $tmp_name");
unlink("$tmp_name.zip");
}

echo "<!-- Notes from ERA upload processing:\n";
$alertmsg .= parse_era($tmp_name, 'era_callback');
echo "-->\n";
Expand Down Expand Up @@ -1055,14 +1055,14 @@ function npopup(pid) {
<button type="button" class="btn btn-default btn-undo" name="Submit2"
onclick='checkAll(false)'><?php echo xlt('Clear All');?></button>
<?php if ($GLOBALS['statement_appearance'] != '1') { ?>
<button type="submit" class="btn btn-default btn-print" name='form_print'
<button type="submit" class="btn btn-default btn-print" name='form_print'
value="<?php echo xla('Print Selected Statements'); ?>">
<?php echo xlt('Print Selected Statements');?></button>
<button type="submit" class="btn btn-default btn-download" name='form_download'
<button type="submit" class="btn btn-default btn-download" name='form_download'
value="<?php echo xla('Download Selected Statements'); ?>">
<?php echo xlt('Download Selected Statements');?></button>
<?php } ?>
<button type="submit" class="btn btn-default btn-download" name='form_pdf'
<button type="submit" class="btn btn-default btn-download" name='form_pdf'
value="<?php echo xla('PDF Download Selected Statements'); ?>">
<?php echo xlt('PDF Download Selected Statements');?></button>
<button type="submit" class="btn btn-default btn-mail" name='form_download'
Expand Down Expand Up @@ -1093,7 +1093,7 @@ function npopup(pid) {
//help_modal.php lives in interface, set path accordingly
require_once "../help_modal.php";
}
?>
?>
<script language="JavaScript">
function processERA() {
var f = document.forms[0];
Expand All @@ -1117,10 +1117,10 @@ function processERA() {
$(':file').on('fileselect', function(event, numFiles, label) {
var input = $(this).parents('.input-group').find(':text'),
log = numFiles > 1 ? numFiles + ' files selected' : label;

if( input.length ) {
input.val(log);
}
}
else {
if( log ) alert(log);
}
Expand Down Expand Up @@ -1196,6 +1196,6 @@ function processERA() {
<?php
}
?>

</body>
</html>
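Review bot: `exec("unzip -p $tmp_name.zip > $tmp_name");` in the @@ -802 hunk still interpolates `$tmp_name` into the shell string unquoted, while the print command in the @@ -560 hunk was fixed with escapeshellarg(). Where `$tmp_name` comes from is outside this diff, but quoting it the same way costs nothing: `exec("unzip -p " . escapeshellarg($tmp_name . ".zip") . " > " . escapeshellarg($tmp_name));`. The @@ -560 hunk relies on escapeshellcmd() for `$STMT_PRINT_CMD`, which only neutralises metacharacters and still allows extra whitespace-separated options, so a short comment stating that the value is presumably an administrator-configured command rather than request input would explain why the weaker escaping is acceptable there. The functions these hunks belong to start and end outside the shown lines.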
Expand Up @@ -106,9 +106,9 @@
if ($row = sqlFetchArray($res)) {
$no_of_items = addslashes($row['count']);
if ($no_of_items == 0) {
$cmd="cp ".$GLOBALS['webserver_root']."/sql/metadata_de_identification.txt ".$GLOBALS['temporary_files_dir']."/metadata_de_identification.txt";
$cmd="cp " . escapeshellarg($GLOBALS['webserver_root']."/sql/metadata_de_identification.txt") . " " . escapeshellarg($GLOBALS['temporary_files_dir']."/metadata_de_identification.txt");
$output3=shell_exec($cmd);
$query = "LOAD DATA INFILE '".$GLOBALS['temporary_files_dir']."/metadata_de_identification.txt' INTO TABLE metadata_de_identification FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n'";
$query = "LOAD DATA INFILE '" . add_escape_custom($GLOBALS['temporary_files_dir']) ."/metadata_de_identification.txt' INTO TABLE metadata_de_identification FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n'";
$res = sqlStatement($query);
}
}
Expand Down Expand Up @@ -202,7 +202,7 @@

$timestamp = str_replace(" ", "_", $timestamp);
$de_identified_file = $GLOBALS['temporary_files_dir']."/de_identified_data".$timestamp.".xls";
$query = "update de_identification_status set last_available_de_identified_data_file = '" . $de_identified_file . "'";
$query = "update de_identification_status set last_available_de_identified_data_file = '" . add_escape_custom($de_identified_file) . "'";
$res = sqlStatement($query);
$query = "select * from de_identified_data into outfile '$de_identified_file' ";
$res = sqlStatement($query);
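Review bot: `$query = "select * from de_identified_data into outfile '$de_identified_file' ";` in the @@ -202 hunk still interpolates the path directly, one line after the update statement on the same variable was switched to add_escape_custom(); wrapping it the same way, `"... into outfile '" . add_escape_custom($de_identified_file) . "' "`, keeps the two statements consistent. `$de_identified_file` is built from `$GLOBALS['temporary_files_dir']` and a timestamp, so it is presumably not attacker-controlled, but escaping one use of a variable and not the next invites a regression. The file header of this section is not shown, so the enclosing scope of these hunks cannot be confirmed from here.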
18 changes: 9 additions & 9 deletions interface/de_identification_forms/find_code_popup.php
Expand Up @@ -172,11 +172,11 @@ function check_search_str()
if ($form_code_type == 'PROD') {
$query = "SELECT dt.drug_id, dt.selector, d.name " .
"FROM drug_templates AS dt, drugs AS d WHERE " .
"( d.name LIKE '%$search_term%' OR " .
"dt.selector LIKE '%$search_term%' ) " .
"( d.name LIKE ? OR " .
"dt.selector LIKE ? ) " .
"AND d.drug_id = dt.drug_id " .
"ORDER BY d.name, dt.selector, dt.drug_id";
$res = sqlStatement($query);
$res = sqlStatement($query, array('%'.$search_term.'%', '%'.$search_term.'%'));
$row_count = 0;
while ($row = sqlFetchArray($res)) {
$row_count = $row_count + 1;
Expand All @@ -188,9 +188,9 @@ function check_search_str()
}
} else {
$query = "SELECT count(*) as count FROM codes " .
"WHERE (code_text LIKE '%$search_term%' OR " .
"code LIKE '%$search_term%') " ;
$res = sqlStatement($query);
"WHERE (code_text LIKE ? OR " .
"code LIKE ?) " ;
$res = sqlStatement($query, array('%'.$search_term.'%', '%'.$search_term.'%'));
if ($row = sqlFetchArray($res)) {
$no_of_items = addslashes($row['count']);
if ($no_of_items < 1) {
Expand All @@ -206,11 +206,11 @@ function check_search_str()
}

$query = "SELECT code_type, code, modifier, code_text FROM codes " .
"WHERE (code_text LIKE '%$search_term%' OR " .
"code LIKE '%$search_term%') " .
"WHERE (code_text LIKE ? OR " .
"code LIKE ?) " .
"ORDER BY code";
// echo "\n<!-- $query -->\n"; // debugging
$res = sqlStatement($query);
$res = sqlStatement($query, array('%'.$search_term.'%', '%'.$search_term.'%'));
$row_count = 0;
while ($row = sqlFetchArray($res)) {
$row_count = $row_count + 1;
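Review bot: The bound value `'%'.$search_term.'%'` is rebuilt inline six times across the three hunks; computing it once, `$like_term = '%' . $search_term . '%';`, and passing `array($like_term, $like_term)` keeps the wildcard wrapping in one place and makes the bindings easier to read. The same repetition appears in find_drug_popup.php, find_immunization_popup.php and search_code.php in this PR. Parameter binding removes the injection, but `%` and `_` typed by the user still act as LIKE wildcards; if literal matching is intended, escape them first with `addcslashes($search_term, '%_\\')`, and otherwise a one-line comment saying wildcards are deliberate would stop the next reviewer from asking. The @@ context names check_search_str(), which appears to be a JavaScript function on this page rather than the enclosing PHP scope; the PHP block these hunks sit in starts outside the shown lines.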
44 changes: 22 additions & 22 deletions interface/de_identification_forms/find_drug_popup.php
Expand Up @@ -38,14 +38,14 @@
<script language="JavaScript">
//pass value selected to the parent window
function window_submit(chk)
{
{
var str;
var len=chk.length;
if (len==undefined && chk.checked==1)
if (len==undefined && chk.checked==1)
{
if(!str)
str = chk.value;
else
else
str = "#"+chk.value;
}
else
Expand All @@ -56,7 +56,7 @@ function window_submit(chk)
{
if(!str)
str = chk[pr].value;
else
else
str = str+"#"+chk[pr].value;
}
}
Expand All @@ -67,16 +67,16 @@ function window_submit(chk)
alert("<?php echo xl('The destination form was closed')?>");
else
opener.set_related(str,"drugs");

window.close();

}

function window_close(chk)
{
window.close();
}

function chkbox_select_none(chk)
{
var len=chk.length;
Expand Down Expand Up @@ -112,8 +112,8 @@ function check_search_str()
return false;
}
top.restoreSession();
return true;
}
return true;
}

</script>
</head>
Expand All @@ -133,7 +133,7 @@ function check_search_str()
<input type='text' name='search_term' id='search_term' size='12' value='<?php echo $_REQUEST['search_term']; ?>'
title='<?php xl('Any part of the drug id or drug name', 'e'); ?>' />
&nbsp;
<input type='submit' name='bn_search' id='bn_search' value='<?php xl('Search', 'e'); ?>' />
<input type='submit' name='bn_search' id='bn_search' value='<?php xl('Search', 'e'); ?>' />
</b>
</td>
</tr>
Expand All @@ -152,9 +152,9 @@ function check_search_str()
$search_term = $_REQUEST['search_term'];
{
$query = "SELECT count(*) as count FROM drugs " .
"WHERE (drug_id LIKE '%$search_term%' OR " .
"name LIKE '%$search_term%') ";
$res = sqlStatement($query);
"WHERE (drug_id LIKE ? OR " .
"name LIKE ?) ";
$res = sqlStatement($query, array('%'.$search_term.'%', '%'.$search_term.'%'));
if ($row = sqlFetchArray($res)) {
$no_of_items = addslashes($row['count']);
if ($no_of_items < 1) {
Expand All @@ -165,15 +165,15 @@ function check_search_str()
echo xl('Please enter new search string');?>");
document.theform.search_term.value=" ";
document.theform.search_term.focus();
</script>
</script>
<?php
}

$query = "SELECT drug_id, name FROM drugs " .
"WHERE (drug_id LIKE '%$search_term%' OR " .
"name LIKE '%$search_term%') " .
"WHERE (drug_id LIKE ? OR " .
"name LIKE ?) " .
"ORDER BY drug_id";
$res = sqlStatement($query);
$res = sqlStatement($query, array('%'.$search_term.'%', '%'.$search_term.'%'));
$row_count = 0;
while ($row = sqlFetchArray($res)) {
$row_count = $row_count + 1;
Expand All @@ -191,13 +191,13 @@ function check_search_str()
</table>
<center>
<input type='button' name='select_all' value='<?php xl('Select All', 'e'); ?>' onclick="chkbox_select_all(document.select_drug.chkbox);"/>

<input type='button' name='unselect_all' value='<?php xl('Unselect All', 'e'); ?>' onclick="chkbox_select_none(document.select_drug.chkbox);"/>

<input type='button' name='submit' value='<?php xl('Submit', 'e'); ?>' onclick="window_submit(document.select_drug.chkbox);"/>

<input type='button' name='cancel' value='<?php xl('Cancel', 'e'); ?>' onclick="window_close();"/>
</center>
</center>
<?php } ?>
</form>
</body>
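Review bot: `value='<?php echo $_REQUEST['search_term']; ?>'` in the @@ -133 hunk echoes the request parameter into an HTML attribute without escaping, so a search term containing a quote breaks out of the attribute; the commit fixes the SQL use of the same value but leaves this reflected output untouched. The surrounding markup already uses xla() for attribute text, so `value='<?php echo htmlspecialchars($_REQUEST['search_term'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>'` (or the project's attribute escaper, if one is in scope here) closes it. The whitespace-only line changes in the window_submit and window_close hunks add noise to a security-titled PR and could be dropped. These hunks sit inside a mixed PHP/HTML page whose enclosing blocks start outside the shown lines.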
8 changes: 4 additions & 4 deletions interface/de_identification_forms/find_immunization_popup.php
Expand Up @@ -144,8 +144,8 @@ function check_search_str()
$search_term = $_REQUEST['search_term'];
{
$query = "SELECT count(*) as count FROM list_options " .
"WHERE (list_id = 'immunizations' and title LIKE '%$search_term%' AND activity = 1) " ;
$res = sqlStatement($query);
"WHERE (list_id = 'immunizations' and title LIKE ? AND activity = 1) " ;
$res = sqlStatement($query, array('%'.$search_term.'%'));
if ($row = sqlFetchArray($res)) {
$no_of_items = addslashes($row['count']);
if ($no_of_items < 1) {
Expand All @@ -161,9 +161,9 @@ function check_search_str()
}

$query = "SELECT option_id,title FROM list_options " .
"WHERE (list_id = 'immunizations' and title LIKE '%$search_term%' AND activity = 1) " .
"WHERE (list_id = 'immunizations' and title LIKE ? AND activity = 1) " .
"ORDER BY title";
$res = sqlStatement($query);
$res = sqlStatement($query, array('%'.$search_term.'%'));
$row_count = 0;
while ($row = sqlFetchArray($res)) {
$row_count = $row_count + 1;
2 changes: 1 addition & 1 deletion interface/fax/fax_dispatch.php
Expand Up @@ -314,7 +314,7 @@ function mergeTiffs()
$cpstring = str_replace('{MESSAGE}', $form_message, $cpstring);
fwrite($tmph, $cpstring);
fclose($tmph);
$tmp0 = exec("cd $webserver_root/custom; " . $GLOBALS['hylafax_enscript'] .
$tmp0 = exec("cd $webserver_root/custom; " . escapeshellcmd($GLOBALS['hylafax_enscript']) .
" -o $tmpfn2 $tmpfn1", $tmp1, $tmp2);
if ($tmp2) {
$info_msg .= "enscript returned $tmp2: $tmp0 ";
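Review bot: escapeshellcmd() on `$GLOBALS['hylafax_enscript']` neutralises shell metacharacters but keeps whitespace, which is what lets a command-plus-options setting keep working, while `$webserver_root`, `$tmpfn2` and `$tmpfn1` in the same statement remain interpolated unquoted. Quoting those the way the rest of this PR does keeps the statement consistent: `$tmp0 = exec("cd " . escapeshellarg("$webserver_root/custom") . "; " . escapeshellcmd($GLOBALS['hylafax_enscript']) . " -o " . escapeshellarg($tmpfn2) . " " . escapeshellarg($tmpfn1), $tmp1, $tmp2);`. Where `$tmpfn1` and `$tmpfn2` come from is outside the hunk, but a temp path containing a space would otherwise split into extra arguments. The enclosing scope of these lines starts outside the shown range.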
2 changes: 1 addition & 1 deletion interface/fax/faxq.php
Expand Up @@ -29,7 +29,7 @@
if ($GLOBALS['enable_hylafax']) {
// Get the recvq entries, parse and sort by filename.
$statlines = array();
exec("faxstat -r -l -h " . $GLOBALS['hylafax_server'], $statlines);
exec("faxstat -r -l -h " . escapeshellarg($GLOBALS['hylafax_server']), $statlines);
foreach ($statlines as $line) {
// This gets pagecount, sender, time, filename. We are expecting the
// string to start with "-rw-rw-" so as to exclude faxes not yet fully
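Review bot: The exec() exit status is still discarded, so a missing or failing faxstat leaves `$statlines` empty and the loop below counts zero faxes with no indication that anything went wrong; passing the third argument, `exec("faxstat -r -l -h " . escapeshellarg($GLOBALS['hylafax_server']), $statlines, $rc);`, and logging when `$rc !== 0` would make that visible. The identical line in interface/main/daemon_frame.php in this PR has the same gap. The enclosing `if ($GLOBALS['enable_hylafax'])` block continues beyond the hunk.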
2 changes: 1 addition & 1 deletion interface/main/daemon_frame.php
Expand Up @@ -24,7 +24,7 @@
$faxcount = 0;
if ($GLOBALS['enable_hylafax']) {
$statlines = array();
exec("faxstat -r -l -h " . $GLOBALS['hylafax_server'], $statlines);
exec("faxstat -r -l -h " . escapeshellarg($GLOBALS['hylafax_server']), $statlines);
foreach ($statlines as $line) {
if (substr($line, 0, 1) == '-') {
++$faxcount;
14 changes: 7 additions & 7 deletions interface/patient_file/encounter/search_code.php
Expand Up @@ -4,8 +4,8 @@
// THIS MODULE REPLACES cptcm_codes.php, hcpcs_codes.php AND icd9cm_codes.php.
////////////////////////////////////////////////////////////////////////////////

include_once("../../globals.php");
include_once("../../../custom/code_types.inc.php");
require_once("../../globals.php");
require_once("../../../custom/code_types.inc.php");

//the maximum number of records to pull out with the search:
$M = 30;
Expand Down Expand Up @@ -58,18 +58,18 @@

// The above is obsolete now, fees come from the prices table:
$sql = "SELECT codes.*, prices.pr_price FROM codes " .
"LEFT OUTER JOIN patient_data ON patient_data.pid = '$pid' " .
"LEFT OUTER JOIN patient_data ON patient_data.pid = ? " .
"LEFT OUTER JOIN prices ON prices.pr_id = codes.id AND " .
"prices.pr_selector = '' AND " .
"prices.pr_level = patient_data.pricelevel " .
"WHERE (code_text LIKE '%" . $_POST["text"] . "%' OR " .
"code LIKE '%" . $_POST["text"] . "%') AND " .
"code_type = '" . $code_types[$code_type]['id'] . "' " .
"WHERE (code_text LIKE ? OR " .
"code LIKE ?) AND " .
"code_type = ? " .
"ORDER BY code ".
" LIMIT " . ($M + 1).
"";

if ($res = sqlStatement($sql)) {
if ($res = sqlStatement($sql, array($pid, "%".$_POST["text"]."%", "%".$_POST["text"]."%", $code_types[$code_type]['id']))) {
for ($iter=0; $row=sqlFetchArray($res); $iter++) {
$result[$iter] = $row;
}
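Review bot: `$code_types[$code_type]['id']` is bound without checking that `$code_type` is a key of `$code_types`; where `$code_type` is set is outside the hunk, but if it is request-derived an unknown value binds null (with an undefined-index notice) rather than failing clearly, so a guard before the query, `if (!isset($code_types[$code_type])) { /* reject and stop */ }`, would be cleaner. The `"%".$_POST["text"]."%"` bound value is built twice inline; computing `$like = "%" . $_POST["text"] . "%";` once and passing `array($pid, $like, $like, $code_types[$code_type]['id'])` reads better. The switch from include_once to require_once in the first hunk is the right call, since nothing below can run without those files. The statement run continues past the hunk.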