Security update, enforce XSS and remove dumps

renderpci · Aug 14, 2018 · eb10a27 · eb10a27
1 parent d662701
commit eb10a27
Show file tree

Hide file tree

Showing 14 changed files with 110 additions and 152 deletions.
diff --git a/install/set_psw/trigger.set_psw.php b/install/set_psw/trigger.set_psw.php
@@ -14,7 +14,7 @@
 
 
 
-if($mode=='set_psw') {
+if($mode==='set_psw') {
 
 	if (empty($username) || empty($password) || empty($reference) ) {
 		exit("Error: few vars");
@@ -44,9 +44,9 @@
 	$strQuery 	= "UPDATE matrix_users SET datos = $1 WHERE section_id = $2 AND section_tipo = $3";
 	$result 	= pg_query_params(DBi::_getConnection(), $strQuery, array( json_handler::encode($dato), -1, DEDALO_SECTION_USERS_TIPO ));
 	if(!$result) {
-		if(SHOW_DEBUG) {
-			dump($strQuery,"strQuery");
-			throw new Exception("Error Processing Save Update Request ". pg_last_error(), 1);;
+		debug_log(__METHOD__." strQuery ".to_string($strQuery), logger::ERROR);
+		if(SHOW_DEBUG) {			
+			throw new Exception("Error Processing Save Update Request ". pg_last_error(), 1);
 		}
 		return "Error: sorry an error ocurred on UPDATE record. Data is not saved";
 	}	

diff --git a/lib/dedalo/backup/class.backup.php b/lib/dedalo/backup/class.backup.php
@@ -63,7 +63,6 @@ public static function init_backup_secuence($user_id, $username, $skip_backup_ti
 				$last_modification_time_secs = get_last_modification_date( $file_path, $allowedExtensions=array('backup'), $ar_exclude=array('/acc/'));
 				$current_time_secs 			 = time();
 				$difference_in_hours 		 = round( ($current_time_secs/3600) - round($last_modification_time_secs/3600), 0 );
-					#dump($difference_in_hours, ' difference_in_hours ++ '.to_string( ($current_time_secs/3600).' - '.($last_modification_time_secs/3600) ));
 				if ( $difference_in_hours < DEDALO_BACKUP_TIME_RANGE ) {
 					$msg = " Skipped backup. A recent backup (about $difference_in_hours hours early) already exists. Is not necessary build another";					
 					debug_log(__METHOD__." $msg ".to_string(), logger::DEBUG);					
@@ -221,8 +220,6 @@ public static function get_tables() {
 		while($rows = pg_fetch_assoc($result)) {		
 			$tableList[] = $rows['table_name'];
 		}
-		#dump($tableList, ' $tableList ++ '.to_string($strQuery));
-
 
 		return (array)$tableList;
 	}//end get_tables
@@ -256,7 +253,6 @@ public static function copy_to_file($table, $path_file, $tld) {
 				#debug_log(__METHOD__." matrix_dd copy command ".to_string($command), logger::ERROR);
 				break;
 		}		
-		#dump($res, ' res ++ '.to_string($path_file));
 
 		if (!file_exists($path_file)) {
 			throw new Exception("Error Processing Request. File $path_file not created!", 1);			
@@ -322,20 +318,17 @@ public static function copy_from_file($table, $path_file, $tld) {
 				# DELETE . Remove previous records
 				#$strQuery = "DELETE FROM \"matrix_descriptors_dd\" WHERE \"parent\" LIKE '{$tld}%';"; #pg_query(DBi::_getConnection(), $strQuery);
 				$command = $command_base . " -c \"DELETE FROM \"$table\" \" "; # -c "DELETE FROM \"jer_dd\" WHERE \"terminoID\" LIKE 'dd%'"				
-				#dump($command, ' command ++ '.to_string());
 				$res .= shell_exec($command);
 				#$res .= exec( $command );
 				$command_history[] = $command;
 
 				# COPY . Load data from file
 				$command = $command_base . " -c \"\copy matrix_dd from {$path_file}\" ";
-				#dump($command, ' command ++ '.to_string());
 				$res .= shell_exec($command);
 				#$res .= exec( $command );
 				$command_history[] = $command;
 				break;		
 		}
-		#dump($res, ' res ++ '.to_string($path_file));
 		$res = str_replace("\n",' ',$res);
 
 		#debug_log(__METHOD__." res:$res - command: ".implode('; ',$command_history), logger::DEBUG);
@@ -678,7 +671,6 @@ public static function import_structure($db_name='dedalo4_development_str.custom
 
 		# LOW PRIORITY ( nice , at 22:56 , etc)
 		#$command = "nice ".$command ;
-			#dump($command, ' command');
 
 		#exec($command,$output,$worked);
 		exec($command.' 2>&1', $output, $worked_result);
@@ -924,7 +916,6 @@ public static function load_dedalo_str_tables_data_from_files() {
 					if (empty($res1)) {
 						$msg .= "<br>Error on import $table {$tld} . Please try again";
 						if(SHOW_DEBUG===true) {
-							#dump($res1, '$res1 ++ '.to_string($res1));
 							#throw new Exception("Error Processing Request: $msg", 1);
 						}
 						#print("<div class=\"error\">$msg</div>");
@@ -942,7 +933,6 @@ public static function load_dedalo_str_tables_data_from_files() {
 					if (empty($res2)) {
 						$msg .= "<br>Error on import $table {$tld} . Please try again";
 						if(SHOW_DEBUG===true) {
-							#dump($res2, '$res2 ++ '.to_string($res2));
 							#throw new Exception("Error Processing Request: $msg", 1);
 						}
 						#print("<div class=\"error\">$msg</div>");
@@ -1084,7 +1074,6 @@ public static function db_system_config_verify() {
 
 		# File permissions
 		$perms = decoct(fileperms($file) & 0777);
-			#dump($perms, ' perms ++ '.to_string());
 		if ($perms!='600') {
 			#die( wrap_pre("Error. Database system configuration not allow import (2). pgpass invalid permissions") );
 			$response->msg 		= 'Error. Database system configuration not allow import (2). pgpass invalid permissions '.__METHOD__;
@@ -1264,6 +1253,7 @@ public static function get_remote_data($data) {
 	* @return bool
 	*/
 	public static function download_remote_structure_file($obj, $target_dir) {
+		$start_time=microtime(1);
 
 		$data = array(
 				"code" => STRUCTURE_SERVER_CODE,
@@ -1272,6 +1262,10 @@ public static function download_remote_structure_file($obj, $target_dir) {
 			);
 
 		$result = self::get_remote_data($data);
+		#if(SHOW_DEBUG===true) {
+		#	$fist_line = strtok($result, "\n\r");
+		#	debug_log(__METHOD__." download type:$obj->type - name:$obj->name result fist_line: \n".to_string($fist_line), logger::DEBUG);
+		#}
 
 		# Create downloads folder if not exists
 		if (backup::$checked_download_str_dir!==true) {
@@ -1284,8 +1278,7 @@ public static function download_remote_structure_file($obj, $target_dir) {
 				debug_log(__METHOD__." CREATED DIR: $folder_path  ".to_string(), logger::DEBUG);
 			}
 			backup::$checked_download_str_dir = true;
-		}
-
+		}		
 
 		# Delete previous version file if exists
 		if (file_exists($target_dir .'/'. $obj->name)) {
@@ -1295,6 +1288,15 @@ public static function download_remote_structure_file($obj, $target_dir) {
 		# Write downloaded file to local directory
 		file_put_contents( $target_dir .'/'. $obj->name, $result);
 
+		if(SHOW_DEBUG===true) {
+			$fist_line = strtok($result, "\n\r");
+			$total=round(microtime(1)-$start_time,3);
+			debug_log(__METHOD__." Get remote and write str data type:$obj->type - name:$obj->name in secs. $total \n".$fist_line, logger::DEBUG);
+			// Clean memory footprint
+			unset($fist_line); strtok('', '');
+		}
+
+
 		return true;
 	}//end download_remote_structure_file
 

diff --git a/lib/dedalo/component_pdf/class.component_pdf.php b/lib/dedalo/component_pdf/class.component_pdf.php
@@ -50,7 +50,7 @@ function __construct($tipo=null, $parent=null, $modo='edit', $lang=DEDALO_DATA_L
 			# Dato
 			$this->set_dato($locator);
 			$need_save=true;
-		}#end if(empty($dato->counter) && $this->parent>0)
+		}//end if(empty($dato->counter) && $this->parent>0)
 
 
 			#
@@ -61,15 +61,12 @@ function __construct($tipo=null, $parent=null, $modo='edit', $lang=DEDALO_DATA_L
 
 			# INITIAL MEDIA PATH SET
 			$this->initial_media_path = $this->get_initial_media_path();
-				#dump($this->initial_media_path, ' this->initial_media_path');
 
 			# ADITIONAL_PATH : Set and fix current aditional image path
 			$this->aditional_path = $this->get_aditional_path();
-				#dump($this->aditional_path,'$this->aditional_path');
 
 			# PDFOBJ : Add a PdfObj obj
 			$this->PdfObj = new PdfObj( $this->pdf_id, $this->get_quality(), $this->aditional_path, $this->initial_media_path );
-				#dump($this->PdfObj,"PdfObj en construct");
 
 		/*
 		if ($need_save) {
@@ -81,15 +78,15 @@ function __construct($tipo=null, $parent=null, $modo='edit', $lang=DEDALO_DATA_L
 				$name = RecordObj_dd::get_termino_by_tipo($this->tipo,true);
 				error_log("DEBUG INFO ".__METHOD__." Saved $name with dato ".$locator->get_flat()." of current ".get_called_class()." (tipo:$this->tipo - section_tipo:$this->section_tipo - parent:$this->parent - lang:$this->lang)");
 			}		
-		}#end if ($need_save)
+		}//end if ($need_save)
 		
 		if(SHOW_DEBUG===true) {
 			global$TIMER;$TIMER[__METHOD__.'_OUT_'.$this->tipo.'_'.$this->modo.'_'.microtime(1)]=microtime(1);
 		}
 		*/
 
 		return true;
-	}#end __construct
+	}//end __construct
 
 
 
@@ -138,7 +135,6 @@ public function get_aditional_path() {
 			if ( substr($dato, -1) === '/' ) {
 				$dato = substr($dato, 0, -1);
 			}
-			#dump($dato,'$dato');
 
 			$ar_aditional_path[$this->pdf_id] = $dato;
 
@@ -170,8 +166,6 @@ public function get_initial_media_path() {
 		$component_tipo = $this->tipo;
 		$parent_section = section::get_instance($this->parent,$this->section_tipo);
 		$propiedades 	= $parent_section->get_propiedades();
-			#dump($propiedades," propiedades component_tipo:$component_tipo"); 
-			#dump($propiedades->initial_media_path->$component_tipo," ");
 
 		if (isset($propiedades->initial_media_path->$component_tipo)) {
 			$this->initial_media_path = $propiedades->initial_media_path->$component_tipo;
@@ -227,7 +221,6 @@ public function get_pdf_id() {
 		$dato = $this->get_dato();
 		if (!isset($dato->section_id)) {
 			if(SHOW_DEBUG===true) {
-				#dump($dato, ' dato ++ '.to_string());
 				trigger_error(__METHOD__." Component dato (parent:$this->parent,section_tipo:$this->section_tipo) is empty for: ".to_string($dato));
 			}
 			return 0;	
@@ -309,7 +302,6 @@ public function get_pdf_url($quality=false) {
 		$quality 	= $this->get_quality();
 		$pdf_id 	= $this->get_pdf_id();
 
-			#dump($this->PdfObj,"PdfObj");dump($this,"this");
 		if (!isset($this->PdfObj)) {
 			throw new Exception("Error Processing Request (get_pdf_url)", 1);			
 		}
@@ -396,9 +388,7 @@ public function remove_component_media_files() {
 		foreach ($ar_quality as $current_quality) {
 			# media_path
 			$media_path = $this->get_pdf_path($current_quality);
-			if(SHOW_DEBUG===true) {
-				#dump($media_path, ' media_path $current_quality:'.$current_quality);
-			}
+
 			if (!file_exists($media_path)) continue; # Skip
 
 			# move / rename file
@@ -417,14 +407,13 @@ public function remove_component_media_files() {
 
 			if(SHOW_DEBUG===true) {
 				$msg=__METHOD__." \nMoved file \n$media_path to \n$media_path_moved";
-				error_log($msg);
-				dump($msg, ' msg');
+				error_log($msg);				
 			}
-		}#end foreach
+		}//end foreach
 
 
 		return true;
-	}#end remove_component_media_files
+	}//end remove_component_media_files
 
 
 
@@ -444,14 +433,10 @@ public function restore_component_media_files() {
 			# media_path
 			$media_path = $this->get_target_dir().'/deleted';
 			$pdf_id 	= $this->get_pdf_id();
-			if(SHOW_DEBUG===true) {
-				#dump($media_path, "media_path $current_quality:$current_quality - get_pdf_id:$pdf_id");
-			}
+
 			$file_pattern 	= $media_path.'/'.$pdf_id.'_*.'.DEDALO_PDF_EXTENSION;
 			$ar_files 		= glob($file_pattern);
-			if(SHOW_DEBUG===true) {
-				#dump($ar_files, ' ar_files');
-			}
+
 			if (empty($ar_files)) {
 				error_log("No files to restore were found for pdf_id:$pdf_id. Nothing was restored (1)");
 				continue; // Skip
@@ -464,13 +449,12 @@ public function restore_component_media_files() {
 			if(SHOW_DEBUG===true) {
 				$msg=__METHOD__." \nMoved file \n$last_file_path to \n$new_file_path";
 				error_log($msg);
-				#dump($msg, ' msg');
 			}
 
-		}#end foreach
+		}//end foreach
 
 		return true;
-	}#end restore_component_media_files
+	}//end restore_component_media_files
 
 
 
@@ -525,7 +509,6 @@ public function get_pdf_thumb($force_create=false, $absolute=false) {
 			$command 	= MAGICK_PATH ."convert -alpha off {$path}[0] -thumbnail '$dimensions' -background white -flatten -gravity center -unsharp 0x.5 -quality 90 $thumb_path";
 
 			exec($command.' 2>&1', $output, $result);
-				#dump($command, ' $command ++ '.to_string()); dump($output, ' result ++ '.to_string($result));
 
 			if ($result===0) {
 				# All is ok
@@ -543,7 +526,7 @@ public function get_pdf_thumb($force_create=false, $absolute=false) {
 		}
 
 		return $url;		
-	}#end get_pdf_thumb
+	}//end get_pdf_thumb
 
 
 
@@ -576,7 +559,7 @@ public static function render_list_value($value, $tipo, $parent, $modo, $lang, $
 		#}
 
 		return $value;
-	}#end render_list_value
+	}//end render_list_value
 
 
 
@@ -618,7 +601,7 @@ public function get_valor_export( $valor=null, $lang=DEDALO_DATA_LANG, $quotes,
 		$valor 			= $this->get_pdf_thumb($force_create, $absolute);	// Note this absolute url is converted to image on export
 
 		return $valor;
-	}#end get_valor_export
+	}//end get_valor_export
 
 
 
@@ -632,7 +615,7 @@ public function get_related_component_text_area_tipo() {
 		$related_component_text_area_tipo = common::get_ar_related_by_model($modelo_name, $this->tipo);
 
 		return $related_component_text_area_tipo;		
-	}#end get_related_component_text_area_tipo
+	}//end get_related_component_text_area_tipo
 
 
 

diff --git a/lib/dedalo/component_text_area/component_text_area.php b/lib/dedalo/component_text_area/component_text_area.php
@@ -369,7 +369,7 @@
 
 				$ar_comparison_operators 	= $this->build_search_comparison_operators();
 				$ar_logical_operators 		= $this->build_search_logical_operators();
-				$valor 						= isset($_GET['tipo']) ? safe_xss($_GET['tipo']) : null;
+				$valor 						= isset($_GET['tipo']) ? safe_tipo($_GET['tipo']) : null;
 
 				# Search input name (var search_input_name is injected in search -> records_search_list.phtml)
 				# and recovered in component_common->get_search_input_name()
@@ -409,8 +409,9 @@
 				}
 
 				if (!is_string($list_value)) {
-					dump( debug_backtrace() );
-					dump($list_value, ' list_value ++ '.to_string()); die();
+					debug_log(__METHOD__." Error. Expected string in list_value: ".to_string($list_value), logger::DEBUG);
+					trigger_error("Error. Expected string in list_value");					 
+					die();
 				}		
 
 				# TRUNCATE ALL FRAGMENTS		

diff --git a/lib/dedalo/component_text_area/html/component_text_area_edit.phtml b/lib/dedalo/component_text_area/html/component_text_area_edit.phtml
@@ -173,9 +173,9 @@
 				# BUTTON PORTAL ADD RESOURCE
 					if ( isset($_GET['portal_tipo']) && strpos($context->context_name, 'portal')!==false ) {
 
-						$portal_tipo 		 = safe_xss($_GET['portal_tipo']);
+						$portal_tipo 		 = safe_tipo($_GET['portal_tipo']);
 						$portal_parent 		 = safe_xss($_GET['portal_parent']);
-						$portal_section_tipo = safe_xss($_GET['portal_section_tipo']);
+						$portal_section_tipo = safe_tipo($_GET['portal_section_tipo']);
 
 						$button_action 	= 'tool_portal.add_resource(this)';#"tool_portal.add_fragment_resource(this)";