
Removed GET call with (visible) sensible parameters (user, password, …

…...)
tvannini committed Apr 22, 2019
1 parent 129ab31 commit 072017a4271458ca658e02d1279736b4510b7909
Showing with 148 additions and 55 deletions.
  1. +85 −38 htdocs/js/env.js
  2. +17 −0 htdocs/jxr.php
  3. +1 −1 jxrnt.php
  4. +22 −7 lib/jxapp.inc
  5. +23 −9 lib/jxfnx.inc
@@ -4398,63 +4398,107 @@ o2jse.cmd.submit = function(exeId) {
};


/**
* Executes a Go-to-URL with parameters using POST.
*
* Parameters are a list of properties or associative array with names and values:
*
* {par1:'val1', par2:'val2', ...}
*
* If param newWindow is passed as TRUE then targetURL is opened in a new browser window.
*
* This method is intended to be used to replace window relocation that uses GET.
*
* @param {String} targetURL
* @param {Object} params
* @param {Boolean} newWindow
*/
o2jse.cmd.post = function(targetURL, params, newWindow) {

// ________________________________________________________ Compose form to submit ___
var form = document.createElement('form');
form.method = "POST";
form.enctype = o2jse.infoForm.enctype;
if (targetURL) {
form.action = targetURL;
}
else {
form.action = o2jse.infoForm.action;
}
// _________________________________________________ Add parameters as form fields ___
for (n in params) {
f = document.createElement("input");
f.setAttribute("type", "hidden");
f.setAttribute("name", n);
f.setAttribute("value", params[n]);
form.appendChild(f);
f = null;
}
if (newWindow) {
win = 'V' + (+new Date).toString(36).slice(-5);
form.target = win;
window.open('', win);
}
document.body.appendChild(form);
form.submit();
document.body.removeChild(form);
form = null;

};


/**
* Return back to server to run program prgName and pass other parameters
*
* @param {String} prgName Name of program to run
*/
o2jse.cmd.run = function(prgName) {

// _________________________________ Compose call path - descending menu hierarchy ___
var pathStr = '';
for (var i = 0; i < o2jse.menu.openMenus.length; i++) {
if (typeof o2jse.menu.openMenus[i].label == 'undefined') {
pathStr = "jxContext";
}
else {
pathStr+= (pathStr ? '|' : '') + o2jse.menu.openMenus[i].label;
}
// ________________________________________________________ Fields to be submitted ___
fields = [];
// ________________________________________________________________ Sesssion stuff ___
fields['o2c'] = prgName;
fields['JXSESSNAME'] = o2jse.sessName;
if (o2jse.infoForm[o2jse.sessName]) {
fields[o2jse.sessName] = o2jse.infoForm[o2jse.sessName].value;
}
// _________________________________________________________ Add passed parameters ___
var extPars = '';
if (arguments.length > 1) {
for (var argID = 1; argID < arguments.length; argID++) {
extPars+= "&extp_" + argID + "=" + arguments[argID];
fields["extp_" + argID] = arguments[argID];
}
}
// _____________________________________________________________________ Menu size ___
var menuStr = '';
var menuH = 0;
var menuW = 0;
if (menuBar = document.getElementById("jxMenuBar")) {
if (o2jse.menuStyle == 'T') {
menuStr = '&jxmbh=' + menuBar.offsetHeight;
fields['jxmbh'] = menuBar.offsetHeight;
}
else {
menuStr = '&jxmbw=' + menuBar.offsetWidth;
fields['jxmbw'] = menuBar.offsetWidth;
}
}
// ____________________________________________________________________ Status Bar ___
var statusStr = '';
if (statusBar = document.getElementById("o2status")) {
statusStr = '&jxsbh=' + statusBar.offsetHeight;
fields['jxsbh'] = statusBar.offsetHeight;
}
// ____________________________________________________________ Client window size ___
var cWidth = (window.innerWidth != null ?
window.innerWidth : document.documentElement.clientWidth) - menuW;
var cHeight = (window.innerHeight != null ?
window.innerHeight : document.documentElement.clientHeight) - menuH;
// ___________________________________________________________________ Compose URL ___
var refStr = '?o2c=' + prgName + '&JXSESSNAME=' + o2jse.sessName +
(o2jse.infoForm[o2jse.sessName] ?
'&' + o2jse.sessName + '=' + o2jse.infoForm[o2jse.sessName].value :
'') +
extPars +
'&jxcsw=' + cWidth + '&jxcsh=' + cHeight +
menuStr + statusStr +
'&o2p=' + encodeURIComponent(pathStr);
window.location.href = refStr;

fields['jxcsw'] = (window.innerWidth != null ?
window.innerWidth : document.documentElement.clientWidth);
fields['jxcsh'] = (window.innerHeight != null ?
window.innerHeight : document.documentElement.clientHeight);
// _________________________________ Compose call path - descending menu hierarchy ___
var pathStr = '';
for (var i = 0; i < o2jse.menu.openMenus.length; i++) {
if (typeof o2jse.menu.openMenus[i].label == 'undefined') {
pathStr = "jxContext";
}
else {
pathStr+= (pathStr ? '|' : '') + o2jse.menu.openMenus[i].label;
}
}
fields['o2p'] = encodeURIComponent(pathStr);
// _______________________________________________________________ Post parameters ___
o2jse.cmd.post(false, fields);
};


@@ -7373,11 +7417,14 @@ o2jse.notify.getList = function(nullObj, listText) {
o2jse.notify.clickOnDispatch = function(trObj) {

if (trObj.jxMsgAct) {
refStr = "?JXSESSNAME=" + o2jse.sessName +
"&jxact=dispatch&jxmsgid=" + trObj.jxMsgID +
(o2jse.infoForm[o2jse.sessName] ?
"&" + o2jse.sessName + "=" + o2jse.infoForm[o2jse.sessName].value : "");
window.location.href = refStr;
var fields = [];
fields['JXSESSNAME'] = o2jse.sessName;
if (o2jse.infoForm[o2jse.sessName]) {
fields[o2jse.sessName] = o2jse.infoForm[o2jse.sessName].value;
}
fields['jxact'] = 'dispatch';
fields['jxmsgid'] = trObj.jxMsgID;
o2jse.cmd.post(false, fields);
}
else {
o2jse.removeEl(trObj);
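Review bot: `fields['o2p'] = encodeURIComponent(pathStr);` at the end of `o2jse.cmd.run` percent-encodes a value that is now submitted as a hidden form field, so unless the server side explicitly URL-decodes `o2p` it will receive `%7C` where the old GET URL delivered `|`; the form submission already encodes field values, so `fields['o2p'] = pathStr;` is the likely intent. The same function also keeps `fields = [];` as an implicit global, unlike `var fields = [];` in clickOnDispatch below, and `o2jse.cmd.post` assigns `n`, `f` and `win` without `var`; declaring them locally avoids clobbering page-level names. Since `fields` is an Array used as a string-keyed map, a plain object literal `{}` would iterate cleanly in the `for (n in params)` loop of `o2jse.cmd.post` without picking up Array prototype additions. `menuH`, `menuW` and `extPars` appear to be left over from the removed URL composition and could be dropped.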
@@ -112,6 +112,22 @@
if (is_a($app, "o2_app")) {
// _________________________________ Clear all previous output, if any ___
ob_end_clean();
// ________________________________ Add parameters to open new session ___
$params = array('user' => $app->user,
'password' => $app->password,
'auth' => 'local');
if ($app->client_width) {
$params['jxcsw'] = $app->client_width;
}
if ($app->client_height) {
$params['jxcsh'] = $app->client_height;
}
if ($app->runtime->developer) {
$params['dev'] = $app->runtime->developer;
$params['key'] = $app->runtime->dev_key;
}
print "o2jse.cmd.post(false, ".json_encode($params).", true);\n";
/*
// _______________________________________________ JS open new session ___
print "window.open(\"?user=".$app->user."&password=".$app->password.
"&auth=local".
@@ -121,6 +137,7 @@
"&dev=".$app->runtime->developer."&key=".$app->runtime->dev_key :
"").
"\");\n";
*/
}
break;
case "jxdev": // _________________________________________ Development command ___
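Review bot: `print "o2jse.cmd.post(false, ".json_encode($params).", true);\n";` embeds the user name and password into script output with `json_encode` defaults, which leave `<`, `>`, `&` and `'` unescaped; if this output is ever rendered inside an HTML `<script>` element (not visible in the hunk), a value containing `</script>` terminates the element, so `json_encode($params, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` is the safer form. The credentials have moved from the URL into the response body and a hidden form field, which addresses logging and Referer leakage but still warrants a `Cache-Control: no-store` on this response so the page is not cached with them. The old `window.open("?user=...` block is commented out (the `/* ... */` span) rather than deleted; version control already keeps it, and leaving dead code that builds a credential-bearing URL invites it being re-enabled.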
@@ -44,7 +44,7 @@
*
* @global string $jxbuilt
*/
$jxbuilt = "20190420";
$jxbuilt = "20190422";
/**
* Start execution time
@@ -523,11 +523,14 @@ class o2_app {
* Execute session logout: delete session record and destroy WEB session related
* context.
* If it is passed the client will be redirected to the $exit_url.
* A list of parameters to be POSTed to the exit-url can be passaed as associtative
* array, this way: ['par1'=>'val1', 'par2'=>'val2', ...]
*
* @param string $exit_url
* @param array $params
* @return boolean
*/
function logout($exit_url = "") {
function logout($exit_url = "", $params = false) {
$sess_tab = $this->get_table('o2_sessions');
o2_gateway::deleterec($sess_tab->db->server->type,
@@ -543,14 +546,14 @@ class o2_app {
$this->commit_all(true);
if (session_id()) {
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', 1, $params["path"], $params["domain"],
$params["secure"], $params["httponly"]);
$cookies = session_get_cookie_params();
setcookie(session_name(), '', 1, $cookies["path"], $cookies["domain"],
$cookies["secure"],$cookies["httponly"]);
}
session_destroy();
}
if ($exit_url) {
$url = $exit_url;
$url = strtolower($exit_url);
}
elseif ($this->logout_url) {
$url = strtolower($this->logout_url);
@@ -563,11 +566,23 @@ class o2_app {
$url = false;
}
if ($url) {
if (!is_array($params) || (count($params) < 1)) {
$params = '';
}
else {
$params = ', '.json_encode($params);
}
if ($GLOBALS['jxjs']) {
print "window.location = '".$url."';\n}";
print "o2jse.cmd.post('".$url."'".$params.");\n}";
}
else {
print "<script> window.location = '".$url."'; </script>";
if (!$this->html_started) {
o2html::page_prefix();
}
print "<script> setTimeout( function() { o2jse.cmd.post('".$url."'".
$params.
"); }, 300); ".
"</script></html>";
}
}
die();
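Review bot: `$url = strtolower($exit_url);` replaces `$url = $exit_url;` and lowercases a caller-supplied URL, but URL paths and query values are case-sensitive, so an exit URL such as one containing a mixed-case path segment or token may no longer resolve; unless a later comparison needs the lowercase form, keep `$url = $exit_url;`. The `$params` JSON produced at `$params = ', '.json_encode($params);` and `$url` are interpolated into a JavaScript string literal at both `print` sites without escaping; `json_encode($params, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` and escaping the single quotes in `$url` keep a value containing `'` or `</script>` from breaking out of the literal. Renaming the cookie parameters to `$cookies` correctly stops the new `$params` argument from being clobbered. The docblock typos `passaed` and `associtative` could be fixed while here; `logout` continues past the end of the hunk.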
@@ -3043,24 +3043,38 @@ function o2app_dir_uploads() {
* Execute session logout: delete session record and destroy WEB session related context.
* If any, after logout navigation will be redirected to provided URL.
*
* A list of parameters to be POSTed to the exit-url can be passaed as associtative array,
* this way: ['par1'=>'val1', 'par2'=>'val2', ...]
*
* If $exit_url is passed as (strict) TRUE then client will be redirected to a new session
*
* @package application
* @param string $exit_url
* @param array $params
* @return boolean
*/
function o2app_logout($exit_url = false) {
function o2app_logout($exit_url = false, $params = false) {
$app = $_SESSION['o2_app'];
// ______________________________________________________ Log-out to a new session ___
if ($exit_url === true) {
$exit_url = '?user='.$app->user.'&password='.$app->password.'&auth=local'.
($app->client_width ? '&jxcsw='.$app->client_width : '').
($app->client_height ? '&jxcsh='.$app->client_height : '').
($app->runtime->developer ?
'&dev='.$app->runtime->developer.
'&key='.$app->runtime->dev_key : '');
}
$app->logout($exit_url);
$exit_url = $app->referer;
// ________________________________________ Add parameters to open new session ___
$params = array('user' => $app->user,
'password' => $app->password,
'auth' => 'local');
if ($app->client_width) {
$params['jxcsw'] = $app->client_width;
}
if ($app->client_height) {
$params['jxcsh'] = $app->client_height;
}
if ($app->runtime->developer) {
$params['dev'] = $app->runtime->developer;
$params['key'] = $app->runtime->dev_key;
}
}
$app->logout($exit_url, $params);
}
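Review bot: When `$exit_url === true`, the new branch unconditionally reassigns `$params`, so any array the caller passed in the new `$params` argument is silently discarded instead of being merged with the session-opening fields, e.g. `$params = array_merge(is_array($params) ? $params : array(), array('user' => $app->user, ...));`. More importantly, `$exit_url = $app->referer;` now POSTs the user name and password to whatever `$app->referer` holds, where the old code targeted the current page with a relative `?user=` URL; if that value is derived from the request's Referer header or any other client-influenced source, it should be validated as one of the application's own URLs before credentials are sent to it. The same `passaed`/`associtative` typos appear in this docblock as in `o2_app::logout`.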
