sanitize parameter

sanitize parameters sanitize parameters sanitize values sanitize parameters Commit cleanup and fix some warnings in phplot and typo in banners_infobox for OSC-999 Escape shell arguments in the checkdnsrr() compatibility function. Fix OSC-762 Escape the filename of the href link. Fix OSC-763 Apply magic_quotes to the GET parameters when Search Engine Friendly URLs is enabled. Fix OSC-761 Parse the date of birth values. Fix OSC-684 Parse values in the query Verify selected payment method
osCommerce · Sep 12, 2010 · 8ab1f3c · 8ab1f3c
1 parent 2884034
commit 8ab1f3c
Show file tree

Hide file tree

Showing 18 changed files with 32 additions and 27 deletions.
diff --git a/catalog/account_edit.php b/catalog/account_edit.php
@@ -52,7 +52,7 @@
     }
 
     if (ACCOUNT_DOB == 'true') {
-      if (!checkdate(substr(tep_date_raw($dob), 4, 2), substr(tep_date_raw($dob), 6, 2), substr(tep_date_raw($dob), 0, 4))) {
+      if ((is_numeric(tep_date_raw($dob)) == false) || (@checkdate(substr(tep_date_raw($dob), 4, 2), substr(tep_date_raw($dob), 6, 2), substr(tep_date_raw($dob), 0, 4)) == false)) {
         $error = true;
 
         $messageStack->add('account_edit', ENTRY_DATE_OF_BIRTH_ERROR);

diff --git a/catalog/address_book_process.php b/catalog/address_book_process.php
@@ -21,7 +21,7 @@
   require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ADDRESS_BOOK_PROCESS);
 
   if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'deleteconfirm') && isset($HTTP_GET_VARS['delete']) && is_numeric($HTTP_GET_VARS['delete']) && isset($HTTP_GET_VARS['formid']) && ($HTTP_GET_VARS['formid'] == md5($sessiontoken))) {
-    if ($HTTP_GET_VARS['delete'] == $customer_default_address_id) {
+    if ((int)$HTTP_GET_VARS['delete'] == $customer_default_address_id) {
       $messageStack->add_session('addressbook', WARNING_PRIMARY_ADDRESS_DELETION, 'warning');
     } else {
       tep_db_query("delete from " . TABLE_ADDRESS_BOOK . " where address_book_id = '" . (int)$HTTP_GET_VARS['delete'] . "' and customers_id = '" . (int)$customer_id . "'");

diff --git a/catalog/admin/includes/classes/phplot.php b/catalog/admin/includes/classes/phplot.php
@@ -672,12 +672,12 @@ function DrawText($which_font,$which_angle,$which_xpos,$which_ypos,$which_color,
 				$which_xpos, $which_ypos, $which_color, $which_font, $which_text); 
 		} else { 
 			if ($which_valign == 'top') { 
-				$which_ypos = $which_ypos - ImageFontHeight($which_font);
+				$which_ypos = $which_ypos - ImageFontHeight((int)$which_font);
 			}
 			$which_text = preg_replace("/\r/","",$which_text);
 			$str = explode("\n",$which_text); //multiple lines submitted by Remi Ricard
-			$height = ImageFontHeight($which_font);
-			$width = ImageFontWidth($which_font);
+			$height = ImageFontHeight((int)$which_font);
+			$width = ImageFontWidth((int)$which_font);
 			if ($which_angle == 90) {  //Vertical Code Submitted by Marlin Viss
 				for($i=0;$i<count($str);$i++) { 
 					ImageStringUp($this->img, $which_font, ($i*$height + $which_xpos), $which_ypos, $str[$i], $which_color);
@@ -686,9 +686,9 @@ function DrawText($which_font,$which_angle,$which_xpos,$which_ypos,$which_color,
 				for($i=0;$i<count($str);$i++) { 
 					if ($which_halign == 'center') { 
                     	$xpos = $which_xpos - strlen($str[$i]) * $width/2;
- 						ImageString($this->img, $which_font, $xpos, ($i*$height + $which_ypos), $str[$i], $which_color);
+ 						ImageString($this->img, (int)$which_font, $xpos, ($i*$height + $which_ypos), $str[$i], $which_color);
 					} else { 
-						ImageString($this->img, $which_font, $which_xpos, ($i*$height + $which_ypos), $str[$i], $which_color); 
+						ImageString($this->img, (int)$which_font, $which_xpos, ($i*$height + $which_ypos), $str[$i], $which_color);
 					}
 				} 
 			}

diff --git a/catalog/admin/includes/functions/compatibility.php b/catalog/admin/includes/functions/compatibility.php
@@ -85,7 +85,7 @@ function move_uploaded_file($file, $target) {
   if (!function_exists('checkdnsrr')) {
     function checkdnsrr($host, $type) {
       if(tep_not_null($host) && tep_not_null($type)) {
-        @exec("nslookup -type=$type $host", $output);
+        @exec("nslookup -type=" . escapeshellarg($type) . " " . escapeshellarg($host), $output);
         while(list($k, $line) = each($output)) {
           if(preg_match("/^$host/i", $line)) {
             return true;

diff --git a/catalog/admin/includes/functions/html_output.php b/catalog/admin/includes/functions/html_output.php
@@ -13,6 +13,8 @@
 ////
 // The HTML href link wrapper function
   function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
+    $page = tep_output_string($page);
+
     if ($page == '') {
       die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine the page link!<br><br>Function used:<br><br>tep_href_link(\'' . $page . '\', \'' . $parameters . '\', \'' . $connection . '\')</b>');
     }
@@ -30,7 +32,7 @@ function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
     if ($parameters == '') {
       $link = $link . $page . '?' . SID;
     } else {
-      $link = $link . $page . '?' . $parameters . '&' . SID;
+      $link = $link . $page . '?' . tep_output_string($parameters) . '&' . SID;
     }
 
     while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);

diff --git a/catalog/admin/login.php b/catalog/admin/login.php
@@ -69,7 +69,7 @@
           $username = tep_db_prepare_input($HTTP_POST_VARS['username']);
           $password = tep_db_prepare_input($HTTP_POST_VARS['password']);
 
-          tep_db_query('insert into ' . TABLE_ADMINISTRATORS . ' (user_name, user_password) values ("' . $username . '", "' . tep_encrypt_password($password) . '")');
+          tep_db_query("insert into " . TABLE_ADMINISTRATORS . " (user_name, user_password) values ('" . tep_db_input($username) . "', '" . tep_db_input(tep_encrypt_password($password)) . "')");
         }
 
         tep_redirect(tep_href_link(FILENAME_LOGIN));

diff --git a/catalog/checkout_confirmation.php b/catalog/checkout_confirmation.php
@@ -52,7 +52,7 @@
 
   $payment_modules->update_status();
 
-  if ( ( is_array($payment_modules->modules) && (sizeof($payment_modules->modules) > 1) && !is_object($$payment) ) || (is_object($$payment) && ($$payment->enabled == false)) ) {
+  if ( ($payment_modules->selected_module != $payment) || ( is_array($payment_modules->modules) && (sizeof($payment_modules->modules) > 1) && !is_object($$payment) ) || (is_object($$payment) && ($$payment->enabled == false)) ) {
     tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode(ERROR_NO_PAYMENT_MODULE_SELECTED), 'SSL'));
   }
 

diff --git a/catalog/checkout_payment_address.php b/catalog/checkout_payment_address.php
@@ -166,7 +166,7 @@
 
       $billto = $HTTP_POST_VARS['address'];
 
-      $check_address_query = tep_db_query("select count(*) as total from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . $customer_id . "' and address_book_id = '" . $billto . "'");
+      $check_address_query = tep_db_query("select count(*) as total from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$customer_id . "' and address_book_id = '" . (int)$billto . "'");
       $check_address = tep_db_fetch_array($check_address_query);
 
       if ($check_address['total'] == '1') {

diff --git a/catalog/checkout_process.php b/catalog/checkout_process.php
@@ -68,7 +68,7 @@
 
   $payment_modules->update_status();
 
-  if ( ( is_array($payment_modules->modules) && (sizeof($payment_modules->modules) > 1) && !is_object($$payment) ) || (is_object($$payment) && ($$payment->enabled == false)) ) {
+  if ( ($payment_modules->selected_module != $payment) || ( is_array($payment_modules->modules) && (sizeof($payment_modules->modules) > 1) && !is_object($$payment) ) || (is_object($$payment) && ($$payment->enabled == false)) ) {
     tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode(ERROR_NO_PAYMENT_MODULE_SELECTED), 'SSL'));
   }
 

diff --git a/catalog/create_account.php b/catalog/create_account.php
@@ -77,7 +77,7 @@
     }
 
     if (ACCOUNT_DOB == 'true') {
-      if (checkdate(substr(tep_date_raw($dob), 4, 2), substr(tep_date_raw($dob), 6, 2), substr(tep_date_raw($dob), 0, 4)) == false) {
+      if ((is_numeric(tep_date_raw($dob)) == false) || (@checkdate(substr(tep_date_raw($dob), 4, 2), substr(tep_date_raw($dob), 6, 2), substr(tep_date_raw($dob), 0, 4)) == false)) {
         $error = true;
 
         $messageStack->add('create_account', ENTRY_DATE_OF_BIRTH_ERROR);

diff --git a/catalog/includes/application_top.php b/catalog/includes/application_top.php
@@ -93,6 +93,7 @@
       $GET_array = array();
       $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $PHP_SELF);
       $vars = explode('/', substr(getenv('PATH_INFO'), 1));
+      do_magic_quotes_gpc($vars);
       for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
         if (strpos($vars[$i], '[]')) {
           $GET_array[substr($vars[$i], 0, -2)][] = $vars[$i+1];

diff --git a/catalog/includes/boxes/currencies.php b/catalog/includes/boxes/currencies.php
@@ -30,7 +30,7 @@
     $hidden_get_variables = '';
     reset($HTTP_GET_VARS);
     while (list($key, $value) = each($HTTP_GET_VARS)) {
-      if ( ($key != 'currency') && ($key != tep_session_name()) && ($key != 'x') && ($key != 'y') ) {
+      if ( is_string($value) && ($key != 'currency') && ($key != tep_session_name()) && ($key != 'x') && ($key != 'y') ) {
         $hidden_get_variables .= tep_draw_hidden_field($key, $value);
       }
     }

diff --git a/catalog/includes/boxes/tell_a_friend.php b/catalog/includes/boxes/tell_a_friend.php
@@ -22,7 +22,7 @@
   $info_box_contents = array();
   $info_box_contents[] = array('form' => tep_draw_form('tell_a_friend', tep_href_link(FILENAME_TELL_A_FRIEND, '', 'NONSSL', false), 'get'),
                                'align' => 'center',
-                               'text' => tep_draw_input_field('to_email_address', '', 'size="10"') . '&nbsp;' . tep_image_submit('button_tell_a_friend.gif', BOX_HEADING_TELL_A_FRIEND) . tep_draw_hidden_field('products_id', $HTTP_GET_VARS['products_id']) . tep_hide_session_id() . '<br>' . BOX_TELL_A_FRIEND_TEXT);
+                               'text' => tep_draw_input_field('to_email_address', '', 'size="10"') . '&nbsp;' . tep_image_submit('button_tell_a_friend.gif', BOX_HEADING_TELL_A_FRIEND) . tep_draw_hidden_field('products_id', (int)$HTTP_GET_VARS['products_id']) . tep_hide_session_id() . '<br>' . BOX_TELL_A_FRIEND_TEXT);
 
   new infoBox($info_box_contents);
 ?>

diff --git a/catalog/includes/functions/compatibility.php b/catalog/includes/functions/compatibility.php
@@ -171,7 +171,7 @@ function str_repeat($string, $number) {
   if (!function_exists('checkdnsrr')) {
     function checkdnsrr($host, $type) {
       if(tep_not_null($host) && tep_not_null($type)) {
-        @exec("nslookup -type=$type $host", $output);
+        @exec("nslookup -type=" . escapeshellarg($type) . " " . escapeshellarg($host), $output);
         while(list($k, $line) = each($output)) {
           if(preg_match("/^$host/i", $line)) {
             return true;

diff --git a/catalog/includes/functions/general.php b/catalog/includes/functions/general.php
@@ -160,7 +160,7 @@ function tep_get_all_get_params($exclude_array = '') {
     if (is_array($HTTP_GET_VARS) && (sizeof($HTTP_GET_VARS) > 0)) {
       reset($HTTP_GET_VARS);
       while (list($key, $value) = each($HTTP_GET_VARS)) {
-        if ( (strlen($value) > 0) && ($key != tep_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array)) && ($key != 'x') && ($key != 'y') ) {
+        if ( is_string($value) && (strlen($value) > 0) && ($key != tep_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array)) && ($key != 'x') && ($key != 'y') ) {
           $get_url .= $key . '=' . rawurlencode(stripslashes($value)) . '&';
         }
       }
@@ -914,7 +914,7 @@ function tep_get_product_path($products_id) {
 // Return a product ID with attributes
   function tep_get_uprid($prid, $params) {
     if (is_numeric($prid)) {
-      $uprid = $prid;
+      $uprid = (int)$prid;
 
       if (is_array($params) && (sizeof($params) > 0)) {
         $attributes_check = true;
@@ -974,7 +974,7 @@ function tep_get_prid($uprid) {
     $pieces = explode('{', $uprid);
 
     if (is_numeric($pieces[0])) {
-      return $pieces[0];
+      return (int)$pieces[0];
     } else {
       return false;
     }

diff --git a/catalog/includes/functions/html_output.php b/catalog/includes/functions/html_output.php
@@ -15,6 +15,8 @@
   function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
     global $request_type, $session_started, $SID;
 
+    $page = tep_output_string($page);
+
     if (!tep_not_null($page)) {
       die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine the page link!<br><br>');
     }

diff --git a/catalog/product_info.php b/catalog/product_info.php
@@ -139,7 +139,7 @@ function popupWindow(url) {
           }
         }
 
-        if (isset($cart->contents[$HTTP_GET_VARS['products_id']]['attributes'][$products_options_name['products_options_id']])) {
+        if (is_string($HTTP_GET_VARS['products_id']) && isset($cart->contents[$HTTP_GET_VARS['products_id']]['attributes'][$products_options_name['products_options_id']])) {
           $selected_attribute = $cart->contents[$HTTP_GET_VARS['products_id']]['attributes'][$products_options_name['products_options_id']];
         } else {
           $selected_attribute = false;

diff --git a/catalog/tell_a_friend.php b/catalog/tell_a_friend.php
@@ -28,7 +28,7 @@
   }
 
   if ($valid_product == false) {
-    tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
+    tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$HTTP_GET_VARS['products_id']));
   }
 
   require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_TELL_A_FRIEND);
@@ -74,14 +74,14 @@
         $email_body .= $message . "\n\n";
       }
 
-      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'NONSSL', false)) . "\n\n" .
+      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', false)) . "\n\n" .
                      sprintf(TEXT_EMAIL_SIGNATURE, STORE_NAME . "\n" . HTTP_SERVER . DIR_WS_CATALOG . "\n");
 
       tep_mail($to_name, $to_email_address, $email_subject, $email_body, $from_name, $from_email_address);
 
       $messageStack->add_session('header', sprintf(TEXT_EMAIL_SUCCESSFUL_SENT, $product_info['products_name'], tep_output_string_protected($to_name)), 'success');
 
-      tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
+      tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$HTTP_GET_VARS['products_id']));
     }
   } elseif (tep_session_is_registered('customer_id')) {
     $account_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
@@ -91,7 +91,7 @@
     $from_email_address = $account['customers_email_address'];
   }
 
-  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . $HTTP_GET_VARS['products_id']));
+  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . (int)$HTTP_GET_VARS['products_id']));
 ?>
 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html <?php echo HTML_PARAMS; ?>>
@@ -115,7 +115,7 @@
 <!-- left_navigation_eof //-->
     </table></td>
 <!-- body_text //-->
-    <td width="100%" valign="top"><?php echo tep_draw_form('email_friend', tep_href_link(FILENAME_TELL_A_FRIEND, 'action=process&products_id=' . $HTTP_GET_VARS['products_id']), 'post', '', true); ?><table border="0" width="100%" cellspacing="0" cellpadding="0">
+    <td width="100%" valign="top"><?php echo tep_draw_form('email_friend', tep_href_link(FILENAME_TELL_A_FRIEND, 'action=process&products_id=' . (int)$HTTP_GET_VARS['products_id']), 'post', '', true); ?><table border="0" width="100%" cellspacing="0" cellpadding="0">
       <tr>
         <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
           <tr>
@@ -211,7 +211,7 @@
             <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
               <tr>
                 <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
-                <td><?php echo '<a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
+                <td><?php echo '<a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . (int)$HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
                 <td align="right"><?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?></td>
                 <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               </tr>