? patch.diff
? data/screenshots/18
? data/screenshots/9
? data/screenshots/originals/18
? data/screenshots/originals/9
? data/screenshots/thumbnails/18
? data/screenshots/thumbnails/9
Index: account.php
===================================================================
RCS file: /home/wine/appdb/account.php,v
retrieving revision 1.15
diff -u -p -r1.15 account.php
--- account.php 5 Feb 2006 20:46:10 -0000 1.15
+++ account.php 15 Jun 2006 00:20:41 -0000
@@ -11,11 +11,16 @@ require(BASE."include/mail.php");
header("Pragma: no-cache");
header("Cache-control: no-cache");
+$aClean = array(); //array of filtered user input
+
// check command and process
if(isset($_POST['cmd']))
- do_account($_POST['cmd']);
+
+ $aClean['cmd'] = makeSafe($_POST['cmd']);
else
- do_account($_GET['cmd']);
+ $aClean['cmd'] = makeSafe($_GET['cmd']);
+
+ do_account($aClean['cmd']);
/**
@@ -76,24 +81,31 @@ function retry($cmd, $msg)
*/
function cmd_do_new()
{
-
- if(!ereg("^.+@.+\\..+$", $_POST['ext_email']))
+ $aClean = array(); //array of filtered user input
+
+ $aClean['ext_email'] = makeSafe($_POST['ext_email']);
+ $aClean['ext_password'] = makeSafe($_POST['ext_password']);
+ $aClean['ext_password2'] = makeSafe($_POST['ext_password2']);
+ $aClean['ext_realname'] = makeSafe($_POST['ext_realname']);
+ $aClean['CVSRelease'] = makeSafe($_POST['CVSRelease']);
+
+ if(!ereg("^.+@.+\\..+$", $aClean['ext_email']))
{
- $_POST['ext_email'] = "";
+ $aClean['ext_email'] = "";
retry("new", "Invalid email address");
return;
}
- if(strlen($_POST['ext_password']) < 5)
+ if(strlen($aClean['ext_password']) < 5)
{
retry("new", "Password must be at least 5 characters");
return;
}
- if($_POST['ext_password'] != $_POST['ext_password2'])
+ if($aClean['ext_password'] != $aClean['ext_password2'])
{
retry("new", "Passwords don't match");
return;
}
- if(!isset($_POST['ext_realname']))
+ if(empty($aClean['ext_realname']))
{
retry("new", "You don't have a Real name?");
return;
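Review bot: The minimum-length test `if(strlen($aClean['ext_password']) < 5)` now measures the output of makeSafe() rather than what the user typed; makeSafe()'s body is not in this diff, but if it adds escape characters a password such as `'\'` passes with fewer than five real characters, and the credential that gets stored is the escaped form. Validation belongs on the raw value and escaping at the sink: keep `if(strlen($_POST['ext_password']) < 5)` and `if($_POST['ext_password'] != $_POST['ext_password2'])` on the posted values, and escape only where the value reaches the database. Note also that `empty($aClean['ext_realname'])` rejects the literal name `0`, which the replaced isset() test did not. cmd_do_new() continues past the end of this hunk.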
@@ -101,15 +113,15 @@ function cmd_do_new()
$user = new User();
- $result = $user->create($_POST['ext_email'], $_POST['ext_password'], $_POST['ext_realname'], $_POST['CVSrelease']);
+ $result = $user->create($aClean['ext_email'], $aClean['ext_password'], $aClean['ext_realname'], $aClean['CVSrelease']);
if($result == true)
{
/* if we can log the user in, log them in automatically */
- if($user->login($_POST['ext_email'], $_POST['ext_password']))
+ if($user->login($aClean['ext_email'], $aClean['ext_password']))
$_SESSION['current'] = $user;
- addmsg("Account created! (".$_POST['ext_email'].")", "green");
+ addmsg("Account created! (".$aClean['ext_email'].")", "green");
redirect(apidb_fullurl());
}
else
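Review bot: `$aClean['CVSrelease']` in `$user->create($aClean['ext_email'], $aClean['ext_password'], $aClean['ext_realname'], $aClean['CVSrelease'])` is never assigned: the filtering block in the previous hunk populates `$aClean['CVSRelease']` (capital R), and PHP array keys are case-sensitive, so the flag is always passed as an undefined index. The old code read `$_POST['CVSrelease']` while the new filter reads `$_POST['CVSRelease']`, so one of the two spellings does not match the form either; check the field name in the form and use that spelling in both places, e.g. `$aClean['CVSrelease'] = makeSafe($_POST['CVSrelease']);`. cmd_do_new() starts before this hunk.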
@@ -125,11 +137,14 @@ function cmd_do_new()
*/
function cmd_send_passwd()
{
+ $aClean = array(); //array of filtered user input
+
+ $aClean['ext_email'] = makeSafe($_POST['ext_email']);
$note = '(Note : accounts for appdb .winehq.org and bugs .winehq.org '
.'are separated, so You might need to create second account for appdb.)';
- $userid = user_exists($_POST['ext_email']);
+ $userid = user_exists($aClean['ext_email']);
$passwd = generate_passwd();
$user = new User($userid);
if ($userid)
@@ -159,7 +174,7 @@ function cmd_send_passwd()
}
else
{
- addmsg("Sorry, that user (".$_POST['ext_email'].") does not exist. "
+ addmsg("Sorry, that user (".$aClean['ext_email'].") does not exist. "
.$note, "red");
}
@@ -171,8 +186,13 @@ function cmd_send_passwd()
*/
function cmd_do_login()
{
+ $aClean = array(); //array of filtered user input
+
+ $aClean['ext_email'] = makeSafe($_POST['ext_email']);
+ $aClean['ext_password'] = makeSafe($_POST['ext_password']);
+
$user = new User();
- $result = $user->login($_POST['ext_email'], $_POST['ext_password']);
+ $result = $user->login($aClean['ext_email'], $aClean['ext_password']);
if($result == true)
{
Index: addcomment.php
===================================================================
RCS file: /home/wine/appdb/addcomment.php,v
retrieving revision 1.20
diff -u -p -r1.20 addcomment.php
--- addcomment.php 9 Feb 2005 23:52:49 -0000 1.20
+++ addcomment.php 15 Jun 2006 00:20:41 -0000
@@ -1,4 +1,16 @@
isLoggedIn())
{
@@ -19,24 +26,24 @@ if(!$_SESSION['current']->isLoggedIn())
exit;
}
-if(!is_numeric($_REQUEST['versionId']))
+if( !is_numeric($aClean['versionId']) )
{
errorpage('Internal Database Access Error');
exit;
}
-if(!is_numeric($_REQUEST['thread']))
+if(!is_numeric($aClean['thread']))
{
- $_REQUEST['thread'] = 0;
+ $aClean['thread'] = 0;
}
############################
# ADDS COMMENT TO DATABASE #
############################
-if(isset($_REQUEST['body']))
+if(!empty($aClean['body']))
{
$oComment = new Comment();
- $oComment->create($_REQUEST['subject'], $_REQUEST['body'], $_REQUEST['thread'], $_REQUEST['versionId']);
+ $oComment->create($aClean['subject'], $aClean['body'], $aClean['thread'], $aClean['versionId']);
redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));
}
@@ -49,9 +56,9 @@ else
$mesTitle = "Post New Comment ";
- if($_REQUEST['thread'] > 0)
+ if($aClean['thread'] > 0)
{
- $result = query_appdb("SELECT * FROM appComments WHERE commentId = ".$_REQUEST['thread']);
+ $result = query_appdb("SELECT * FROM appComments WHERE commentId = ".$aClean['thread']);
$ob = mysql_fetch_object($result);
if($ob)
{
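Review bot: `query_appdb("SELECT * FROM appComments WHERE commentId = ".$aClean['thread'])` interpolates the value unquoted, which is exactly the context where a quote-escaping makeSafe() gives no protection; the only guard is the is_numeric() test earlier in the file, outside this hunk, and is_numeric() accepts forms such as leading whitespace, `1e3` and, on older PHP releases, hex strings. Casting at the point of use removes the dependence on that distant check: `$result = query_appdb("SELECT * FROM appComments WHERE commentId = ".(int)$aClean['thread']);`. The same cast would make `if($aClean['thread'] > 0)` a real numeric comparison instead of a string-to-number coercion.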
@@ -71,8 +78,8 @@ else
echo "
\n";
echo " \n";
echo " \n";
@@ -81,10 +88,10 @@ else
echo html_frame_end();
- echo " \n";
- echo " \n";
- echo " \n";
- if (isset($_REQUEST['thread']))
+ echo " \n";
+ echo " \n";
+ echo " \n";
+ if (!empty($aClean['thread']))
{
echo " \n";
}
Index: appbrowse.php
===================================================================
RCS file: /home/wine/appdb/appbrowse.php,v
retrieving revision 1.11
diff -u -p -r1.11 appbrowse.php
--- appbrowse.php 11 May 2005 02:26:11 -0000 1.11
+++ appbrowse.php 15 Jun 2006 00:20:41 -0000
@@ -8,36 +8,43 @@ require(BASE."include/"."incl.php");
require(BASE."include/"."appdb.php");
require(BASE."include/"."category.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['catId'] = makeSafe($_REQUEST['catId']);
function admin_menu()
{
- if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
- else $catId="";
+ if( empty( $aClean['catId']) )
+ {
+ $aClean['catId'] = "";
+ }
$m = new htmlmenu("Admin");
- $m->add("Edit this Category", BASE."admin/addCategory.php?catId=$catId");
- $url = BASE."admin/deleteAny.php?what=category&catId=$catId&confirmed=yes";
+ $m->add("Edit this Category", BASE."admin/addCategory.php?catId']}");
+ $url = BASE."admin/deleteAny.php?what=category&catId={$aClean['catId']}&confirmed=yes";
$m->add("Delete this Category", "javascript:deleteURL(\"Are you sure?\", \"".$url."\")");
$m->done();
}
-if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
-else $catId=0; // ROOT
+if( empty( $aClean['catId']) )
+{
+ $aClean['catId'] = 0; // ROOT
+}
-if( !is_numeric($catId) )
+if( !is_numeric($aClean['catId']) )
{
errorpage("Something went wrong with the category ID");
exit;
}
// list sub categories
-$cat = new Category($catId);
+$cat = new Category($aClean['catId']);
$catFullPath = make_cat_path($cat->getCategoryPath());
$subs = $cat->aSubcatsIds;
//display admin box
-if($_SESSION['current']->hasPriv("admin") && $catId != 0)
+if($_SESSION['current']->hasPriv("admin") && $aClean['catId'] != 0)
apidb_sidebar_add("admin_menu");
//output header
@@ -125,7 +132,7 @@ if($apps)
}
// Disabled for now
-//if ($catId != 0)
+//if ($aClean['catId'] != 0)
//{
// log_category_visit($cat->id);
//}
Index: appimage.php
===================================================================
RCS file: /home/wine/appdb/appimage.php,v
retrieving revision 1.16
diff -u -p -r1.16 appimage.php
--- appimage.php 5 Aug 2005 22:07:41 -0000 1.16
+++ appimage.php 15 Jun 2006 00:20:41 -0000
@@ -7,22 +7,28 @@ include("path.php");
require(BASE."include/"."incl.php");
require_once(BASE."include/"."screenshot.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['id'] = makeSafe($_REQUEST['id']);
+$aClean['REQUEST_METHOD'] = makeSafe($_REQUEST['REQUEST_METHOD']);
+$aClean['thumbnail'] = makeSafe($_REQUEST['thumbnail']);
+
/* an image doesn't have a link, so a cookie makes no sense */
header("Set-Cookie: ");
header("Pragma: ");
/* if the user isn't supposed to be viewing this image */
/* display an error message and exit */
-if(!$_SESSION['current']->canViewImage($_REQUEST['id']))
+if(!$_SESSION['current']->canViewImage($aClean['id']))
{
errorpage("Insufficient privileges.");
exit;
}
-if ($_REQUEST['REQUEST_METHOD']='HEAD')
+if ($aClean['REQUEST_METHOD']='HEAD')
{
/* WARNING! optimization of logic in include/screenshots.php */
- if (sscanf($_REQUEST['id'],"%d", &$iId) < 1)
+ if (sscanf($aClean['id'],"%d", &$iId) < 1)
{
errorpage("Bad parameter");
exit;
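Review bot: `if ($aClean['REQUEST_METHOD']='HEAD')` is an assignment, not a comparison, so the condition is always true, and the value it overwrites came from `$_REQUEST['REQUEST_METHOD']`, a client-supplied query or form parameter rather than the actual HTTP method. The line was touched by this patch but both problems survive. Use the server variable and a comparison, `if ($_SERVER['REQUEST_METHOD'] == 'HEAD')`, and drop the `$aClean['REQUEST_METHOD'] = makeSafe($_REQUEST['REQUEST_METHOD']);` line, which has nothing legitimate to filter. The HEAD branch continues past the end of this hunk.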
@@ -67,12 +73,12 @@ if ($_REQUEST['REQUEST_METHOD']='HEAD')
header("Expires: ");
header("Last-Modified: ".fHttpDate($iModTime));
}
-$oScreenshot = new Screenshot($_REQUEST['id']);
+$oScreenshot = new Screenshot($aClean['id']);
/* at this point, we know that .../screenshots/$id and
* .../screenshots/thumbnails/$id both exist as normally
* they would both be created at the same time. */
-$fstat_val = stat(appdb_fullpath("data/screenshots/".$_REQUEST['id']));
+$fstat_val = stat(appdb_fullpath("data/screenshots/".$aClean['id']));
$iModTime = $fstat_val['mtime'];
header("Cache-Control: public");
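Review bot: `stat(appdb_fullpath("data/screenshots/".$aClean['id']))` builds a filesystem path from request input, and a quote-escaping makeSafe() does nothing against `..` or `/` in the value; the sscanf("%d") parse in the HEAD branch above only checks that the string starts with digits and leaves `$aClean['id']` itself unchanged. The `canViewImage()` check earlier in the file may reject such ids, but that cannot be confirmed from this diff. Tie the path to a number at the point of use, `stat(appdb_fullpath("data/screenshots/".(int)$aClean['id']))`, and pass the same integer to `new Screenshot()`, so the screenshot lookup never depends on the raw string.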
@@ -90,9 +96,8 @@ if (isset($_SERVER['HTTP_IF_MODIFIED_SIN
header("Last-Modified: ".fHttpDate($iModTime));
-if(!$_REQUEST['thumbnail'])
+if(!$aClean['thumbnail'])
$oScreenshot->oScreenshotImage->output_to_browser(1);
else
$oScreenshot->oThumbnailImage->output_to_browser(1);
-
-?>
\ No newline at end of file
+?>
Index: appsubmit.php
===================================================================
RCS file: /home/wine/appdb/appsubmit.php,v
retrieving revision 1.39
diff -u -p -r1.39 appsubmit.php
--- appsubmit.php 4 May 2006 00:22:32 -0000 1.39
+++ appsubmit.php 15 Jun 2006 00:20:42 -0000
@@ -10,6 +10,19 @@ require_once(BASE."include/application.p
require_once(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['apptype'] = makeSafe($_REQUEST['apptype']);
+$aClean['sub'] = makeSafe($_REQUEST['sub']);
+$aClean['appId'] = makeSafe($_REQUEST['appId']);
+$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
+$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
+$aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
+$aClean['vendorId'] = makeSafe($_REQUEST['vendorId']);
+$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
+$aClean['appKeywords'] = makeSafe($_REQUEST['appKeywords']);
+$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
+$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
function get_vendor_from_keywords($sKeywords)
{
@@ -27,7 +40,7 @@ function newSubmition($errors)
echo "and you will be notified via e-mail if it is added to the database or rejected.\n";
echo "
Before continuing, please ensure that you have \n";
echo "\n";
- if ($_REQUEST['apptype'] == 1)
+ if ($aClean['apptype'] == 1)
{
echo " Searched for this application in the database. Duplicate submissions will be rejected \n";
echo " Really want to submit an application instead of a new version of an application\n";
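Review bot: `if ($aClean['apptype'] == 1)` sits inside `function newSubmition($errors)`, where `$aClean` is an undefined local rather than the array filled at script level; the `$_REQUEST` it replaces was a superglobal and was visible here. The test is therefore always false now and raises an undefined-variable notice. Declare `global $aClean;` at the top of newSubmition(), or pass the type in as a parameter. Separately, comparing against `1` does not match the string values `'application'`/`'version'` the rest of the file uses for apptype, so unless some form posts apptype=1 this branch did not fire before either. newSubmition() starts and ends outside this hunk.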
@@ -58,18 +71,18 @@ if(!$_SESSION['current']->isLoggedIn())
}
-if ($_REQUEST['sub'])
+if ($aClean['sub'])
{
- if($_REQUEST['apptype'] == 'application')
+ if($aClean['apptype'] == 'application')
{
- $oApp = new Application($_REQUEST['appId']);
+ $oApp = new Application( $aClean['appId']);
if($oApp->iAppId)
{
// if we are processing a queued application there MUST be an implicitly queued
// version to go along with it. Find this version so we can display its information
// during application processing so the admin can make a better choice about
// whether to accept or reject the overall application
- $sQuery = "Select versionId from appVersion where appId='".$_REQUEST['appId']."';";
+ $sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
@@ -89,9 +102,9 @@ if ($_REQUEST['sub'])
}
}
- else if($_REQUEST['apptype'] == 'version')
+ else if($aClean['apptype'] == 'version')
{
- $oVersion = new Version($_REQUEST['versionId']);
+ $oVersion = new Version($aClean['versionId']);
// make sure the user has permission to view this version
if(!$_SESSION['current']->hasAppVersionModifyPermission($oVersion) &&
@@ -123,35 +136,35 @@ if ($_REQUEST['sub'])
}
//process according to sub flag
- if ($_REQUEST['sub'] == 'Submit')
+ if ($aClean['sub'] == 'Submit')
{
$errors = "";
- $oVersion = new Version($_REQUEST['versionId']);
- $oTest = new testData($_REQUEST['iTestingId']);
+ $oVersion = new Version($aClean['versionId']);
+ $oTest = new testData($aClean['iTestingId']);
$errors .= $oVersion->CheckOutputEditorInput();
$errors .= $oTest->CheckOutputEditorInput();
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
- if ($_REQUEST['apptype'] == "application") // application
+ if ($aClean['apptype'] == "application") // application
{
- $oApp = new Application($_REQUEST['appId']);
+ $oApp = new Application($aClean['appId']);
$errors .= $oApp->CheckOutputEditorInput();
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
if(empty($errors))
{
- if($_REQUEST['appVendorName'])
+ if($aClean['appVendorName'])
{
- $_REQUEST['vendorId']="";
+ $aClean['vendorId']="";
//FIXME: fix this when we fix vendor submission
if($_SESSION['current']->hasPriv("admin"))
{
$oVendor = new Vendor();
- $oVendor->create($_REQUEST['appVendorName'],$_REQUEST['appWebpage']);
+ $oVendor->create($aClean['appVendorName'],$aClean['appWebpage']);
}
}
//FIXME: remove this when we fix vendor submission
- $oApp->sKeywords = $_REQUEST['appKeywords']." *** ".$_REQUEST['appVendorName'];
+ $oApp->sKeywords = $aClean['appKeywords']." *** ".$aClean['appVendorName'];
if(is_numeric($oApp->iAppId))
{
$oApp->update();
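Review bot: The retained comment on `$oApp->GetOutputEditorValues(); // load the values from $_REQUEST` indicates the Application, Version and testData editors still read request parameters directly, so the fields those classes consume do not pass through the `$aClean` filtering introduced here; if that comment is accurate, most of the submitted data is untouched by this patch. Consider passing `$aClean` into GetOutputEditorValues() or applying makeSafe() inside those methods, and say so in a comment at this call site. Also `$aClean['vendorId']="";` assigns a key that nothing visible in this diff reads afterwards, which looks like leftover from the `$_REQUEST` version. The enclosing `if ($aClean['sub'] == 'Submit')` block continues past this hunk.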
@@ -167,7 +180,7 @@ if ($_REQUEST['sub'])
if(!empty($errors))
{
addmsg("we've got Errors???:".$errors.":");
- $_REQUEST['sub'] = 'view';
+ $aClean['sub'] = 'view';
}
else
{
@@ -180,10 +193,10 @@ if ($_REQUEST['sub'])
{
$oVersion->create();
}
- if(!$_REQUEST['iDistributionId'])
+ if(!$aClean['iDistributionId'])
{
- $sDistribution = trim($_REQUEST['sDistribution']);
- if(!empty($sDistribution))
+ $sDistribution = $aClean['sDistribution'];
+ if( !empty($sDistribution) )
{
$oDistribution = new distribution();
$oDistribution->sName = $sDistribution;
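Review bot: `$sDistribution = $aClean['sDistribution'];` drops the `trim()` the replaced line applied, so a distribution name consisting only of whitespace now passes `!empty($sDistribution)` and is created as a record with a blank-looking name. Keep the normalisation: `$sDistribution = trim($aClean['sDistribution']);`. Because makeSafe()'s behaviour is not shown here and escaping can add characters, trimming the raw `$_REQUEST['sDistribution']` before it is escaped would be safer still. The enclosing block starts and ends outside this hunk.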
@@ -203,13 +216,13 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
- if ($_REQUEST['sub'] == 'Delete')
+ if ($aClean['sub'] == 'Delete')
{
- if (($_REQUEST['apptype'] == "application") && is_numeric($_REQUEST['appId'])) // application
+ if (($aClean['apptype'] == "application") && is_numeric($aClean['appId'])) // application
{
// get the queued versions that refers to the application entry we just removed
// and delete them as we implicitly added a version entry when adding a new application
- $sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$_REQUEST['appId']."' AND appVersion.queued = 'rejected';";
+ $sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$aClean['appId']."' AND appVersion.queued = 'rejected';";
$hResult = query_appdb($sQuery);
if($hResult)
{
@@ -221,17 +234,17 @@ if ($_REQUEST['sub'])
}
// delete the application entry
- $oApp = new Application($_REQUEST['appId']);
+ $oApp = new Application($aClean['appId']);
$oApp->delete();
- } else if(($_REQUEST['apptype'] == "version") && is_numeric($_REQUEST['versionId'])) // version
+ } else if(($aClean['apptype'] == "version") && is_numeric($aClean['versionId'])) // version
{
- $oVersion = new Version($_REQUEST['versionId']);
+ $oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
redirect($_SERVER['PHP_SELF']);
}
- if ($_REQUEST['sub'] == 'view')
+ if ($aClean['sub'] == 'view')
{
$x = new TableVE("view");
apidb_header("Application Queue");
@@ -241,7 +254,7 @@ if ($_REQUEST['sub'])
echo html_back_link(1,$_SERVER['PHP_SELF']);
- if($_REQUEST['apptype'] == 'application') // application
+ if($aClean['apptype'] == 'application') // application
{
if ($oApp->sName != "")
{
@@ -275,7 +288,7 @@ if ($_REQUEST['sub'])
if(!$iVendorId)
{
$sVendor = get_vendor_from_keywords($oApp->sKeywords);
- $sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$_REQUEST['appVendorName']."';";
+ $sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$aClean['appVendorName']."';";
$hResult = query_appdb($sQuery);
if($hResult)
{
@@ -287,7 +300,7 @@ if ($_REQUEST['sub'])
// try for a partial match
if(!$iVendorId)
{
- $sQuery = "select * from vendor where vendorname like '%".$_REQUEST['appVendorName']."%';";
+ $sQuery = "select * from vendor where vendorname like '%".$aClean['appVendorName']."%';";
$hResult = query_appdb($sQuery);
if($hResult)
{
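Review bot: `vendorname like '%".$aClean['appVendorName']."%'` passes user text into a LIKE pattern, and quote escaping does not neutralise the LIKE metacharacters `%` and `_`; a vendor name of `%` matches every row and the first vendor returned is taken as the partial match. Escape the pattern characters before interpolation, e.g. `"... like '%".addcslashes($aClean['appVendorName'], '%_')."%';"`, which MySQL reads as literal characters inside LIKE. The impact is limited to which existing vendor gets attached to the submission, but the caller should not be able to choose it by wildcard. The enclosing block starts and ends outside this hunk.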
@@ -297,7 +310,7 @@ if ($_REQUEST['sub'])
}
//vendor field
if($iVendorId)
- $_REQUEST['appVendorName'] = "";
+ $aClean['appVendorName'] = "";
} else //app version
{
if(is_numeric($oVersion->iVersionId))
@@ -330,20 +343,20 @@ if ($_REQUEST['sub'])
if(!($oTest->sTestedDate))
$oTest->sTestedDate = date('Y-m-d H:i:s');
- if($_REQUEST['apptype'] == 'application')
+ if($aClean['apptype'] == 'application')
{
- $oApp->OutputEditor($_REQUEST['appVendorName']);
+ $oApp->OutputEditor($aClean['appVendorName']);
$oVersion->OutputEditor(false, false);
} else
{
$oVersion->OutputEditor(false, false);
}
- $oTest->OutputEditor($_REQUEST['sDistribution'],true);
+ $oTest->OutputEditor($aClean['sDistribution'],true);
echo "\n";
- if($_REQUEST['apptype'] == 'application') // application
+ if($aClean['apptype'] == 'application') // application
{
echo ' ';
if(is_numeric($oApp->iAppId))
@@ -359,7 +372,7 @@ if ($_REQUEST['sub'])
} else // version
{
echo ' ';
- echo ' ';
+ echo ' ';
if(is_numeric($oVersion->iVersionId))
{
echo '' ,"\n";
@@ -384,7 +397,7 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
-else // if ($_REQUEST['sub']) is not defined, display the main app queue page
+else // if ($aClean['sub']) is not defined, display the main app queue page
{
apidb_header("Resubmit application");
Index: appview.php
===================================================================
RCS file: /home/wine/appdb/appview.php,v
retrieving revision 1.79
diff -u -p -r1.79 appview.php
--- appview.php 29 Jan 2006 04:04:46 -0000 1.79
+++ appview.php 15 Jun 2006 00:20:42 -0000
@@ -17,9 +17,15 @@ require(BASE."include/mail.php");
require(BASE."include/monitor.php");
require_once(BASE."include/testResults.php");
+$aClean = array(); //array of filtered user input
-$oApp = new Application($_REQUEST['appId']);
-$oVersion = new Version($_REQUEST['versionId']);
+$aClean['appId'] = makeSafe($_REQUEST['appId']);
+$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
+$aClean['sub'] = makeSafe($_REQUEST['sub']);
+$aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
+
+$oApp = new Application($aClean['appId']);
+$oVersion = new Version($aClean['versionId']);
/**
* display the full path of the Category we are looking at
@@ -122,63 +128,63 @@ function show_note($sType,$oData){
return $s;
}
-if(!is_numeric($_REQUEST['appId']) && !is_numeric($_REQUEST['versionId']))
+if(!is_numeric($aClean['appId']) && !is_numeric($aClean['versionId']))
{
errorpage("Something went wrong with the application or version id");
exit;
}
-if ($_REQUEST['sub'])
+if ($aClean['sub'])
{
- if(($_REQUEST['sub'] == 'delete' ) && ($_REQUEST['buglinkId']))
+ if(($aClean['sub'] == 'delete' ) && ($aClean['buglinkId']))
{
if(($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($oVersion->iVersionId) ||
$_SESSION['current']->isSuperMaintainer($oVersion->iAppId)))
{
- $oBuglink = new bug($_REQUEST['buglinkId']);
+ $oBuglink = new bug($aClean['buglinkId']);
$oBuglink->delete();
- redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
+ redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
}
- if(($_REQUEST['sub'] == 'unqueue' ) && ($_REQUEST['buglinkId']))
+ if(($aClean['sub'] == 'unqueue' ) && ($aClean['buglinkId']))
{
if(($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($oVersion->iVersionId) ||
$_SESSION['current']->isSuperMaintainer($oVersion->iAppId)))
{
- $oBuglink = new bug($_REQUEST['buglinkId']);
+ $oBuglink = new bug($aClean['buglinkId']);
$oBuglink->unqueue();
- redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
+ redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
}
- if(($_REQUEST['sub'] == 'Submit a new bug link.' ) && ($_REQUEST['buglinkId']))
+ if(($aClean['sub'] == 'Submit a new bug link.' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug();
- $oBuglink->create($_REQUEST['versionId'],$_REQUEST['buglinkId']);
- redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
+ $oBuglink->create($aClean['versionId'],$aClean['buglinkId']);
+ redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
- if($_REQUEST['sub'] == 'StartMonitoring')
+ if($aClean['sub'] == 'StartMonitoring')
{
$oMonitor = new Monitor();
- $oMonitor->create($_SESSION['current']->iUserId,$_REQUEST['appId'],$_REQUEST['versionId']);
- redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
+ $oMonitor->create($_SESSION['current']->iUserId,$aClean['appId'],$aClean['versionId']);
+ redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
- if($_REQUEST['sub'] == 'StopMonitoring')
+ if($aClean['sub'] == 'StopMonitoring')
{
$oMonitor = new Monitor();
- $oMonitor->find($_SESSION['current']->iUserId,$_REQUEST['appId'],$_REQUEST['versionId']);
+ $oMonitor->find($_SESSION['current']->iUserId,$aClean['appId'],$aClean['versionId']);
if($oMonitor->iMonitorId)
{
$oMonitor->delete();
}
- redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
+ redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
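Review bot: The `'Submit a new bug link.'` branch calls `$oBuglink->create($aClean['versionId'],$aClean['buglinkId']);` with no authorization test, whereas the neighbouring `delete` and `unqueue` branches require admin, maintainer or super-maintainer; unless bug::create() enforces this itself, which is not visible here, any caller can attach bug links to a version. `$aClean['buglinkId']` is also used without the is_numeric() guard the file applies to appId/versionId, and `new Application()`/`new Version()` in the earlier hunk are constructed from the request values before that guard runs. Gating the create branch on the same predicate and adding `is_numeric($aClean['buglinkId'])` to its condition would align the three branches. The `if ($aClean['sub'])` block continues past this hunk.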
@@ -187,13 +193,13 @@ if ($_REQUEST['sub'])
/**
* We want to see an application family (=no version).
*/
-if($_REQUEST['appId'])
+if($aClean['appId'])
{
- $oApp = new Application($_REQUEST['appId']);
+ $oApp = new Application($aClean['appId']);
$oApp->display();
-} else if($_REQUEST['versionId']) // We want to see a particular version.
+} else if($aClean['versionId']) // We want to see a particular version.
{
- $oVersion = new Version($_REQUEST['versionId']);
+ $oVersion = new Version($aClean['versionId']);
$oVersion->display();
} else
{
Index: commentview.php
===================================================================
RCS file: /home/wine/appdb/commentview.php,v
retrieving revision 1.7
diff -u -p -r1.7 commentview.php
--- commentview.php 24 Aug 2005 00:29:34 -0000 1.7
+++ commentview.php 15 Jun 2006 00:20:42 -0000
@@ -12,15 +12,22 @@ include("path.php");
include(BASE."include/incl.php");
require_once(BASE."include/comment.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['appId'] = makeSafe($_REQUEST['appId']);
+$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
+$aClean['threadId'] = makeSafe($_REQUEST['threadId']);
+
apidb_header("Comments");
-if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']) OR (isset($_REQUEST['threadId']) AND !is_numeric($_REQUEST['threadId'])))
+
+if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']) OR (!empty($aClean['threadId']) AND !is_numeric($aClean['threadId'])))
{
errorpage("Wrong IDs");
exit;
}
-view_app_comments($_REQUEST['versionId'], $_REQUEST['threadId']);
+view_app_comments($aClean['versionId'], $aClean['threadId']);
apidb_footer();
?>
Index: deletecomment.php
===================================================================
RCS file: /home/wine/appdb/deletecomment.php,v
retrieving revision 1.21
diff -u -p -r1.21 deletecomment.php
--- deletecomment.php 12 Mar 2005 17:13:08 -0000 1.21
+++ deletecomment.php 15 Jun 2006 00:20:42 -0000
@@ -11,7 +11,13 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
-$oComment = new Comment($_REQUEST['commentId']);
+$aClean = array(); //array of filtered user input
+
+$aClean['str_why'] = makeSafe($_REQUEST['str_why']);
+$aClean['commentId'] = makeSafe($_REQUEST['commentId']);
+$aClean['int_delete_it'] = makeSafe($_REQUEST['int_delete_it']);
+
+$oComment = new Comment($aClean['commentId']);
/* if we aren't an admin or the maintainer of this app we shouldn't be */
/* allowed to delete any comments */
@@ -23,7 +29,7 @@ if (!$_SESSION['current']->hasPriv("admi
exit;
}
-if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && !isset($_REQUEST['int_delete_it']))
+if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && !isset($aClean['int_delete_it']))
{
apidb_header("Delete Comment");
$mesTitle = "Please state why you are deleting the following comment ";
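Review bot: `!isset($aClean['int_delete_it'])` no longer behaves like the replaced `!isset($_REQUEST['int_delete_it'])`, because `$aClean['int_delete_it']` is assigned unconditionally at the top of the file from `makeSafe($_REQUEST['int_delete_it'])`; unless makeSafe() returns null for a missing parameter, the key is always set, the confirmation page is skipped and a single request deletes the comment without the "why" prompt. Elsewhere in this patch the same conversion switched to `!empty()` (addcomment.php, appbrowse.php); do the same here: `if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && empty($aClean['int_delete_it']))`. That keeps the confirmation step, which is the only friction against link-triggered deletions in this file.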
@@ -47,7 +53,7 @@ if($_SESSION['current']->getPref("confir
apidb_footer();
} else
{
- $oComment->delete($_REQUEST['str_why']);
+ $oComment->delete($aClean['str_why']);
redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));
}
?>
Index: distributionView.php
===================================================================
RCS file: /home/wine/appdb/distributionView.php,v
retrieving revision 1.7
diff -u -p -r1.7 distributionView.php
--- distributionView.php 23 Jan 2006 02:10:31 -0000 1.7
+++ distributionView.php 15 Jun 2006 00:20:42 -0000
@@ -11,7 +11,12 @@ require(BASE."include/incl.php");
require(BASE."include/distributions.php");
require(BASE."include/testResults.php");
-if ($_REQUEST['sub'])
+$aClean = array(); //array of filtered user input
+
+$aClean['sub'] = makeSafe($_REQUEST['sub']);
+$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
+
+if ($aClean['sub'])
{
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,14 +24,14 @@ if ($_REQUEST['sub'])
exit;
}
- if($_REQUEST['sub'] == 'delete')
+ if($aClean['sub'] == 'delete')
{
- $oDistribution = new distribution($_REQUEST['iDistributionId']);
+ $oDistribution = new distribution($aClean['iDistributionId']);
$oDistribution->delete();
redirect($_SERVER['PHP_SELF']);
}
}
-$oDistribution = new distribution($_REQUEST['iDistributionId']);
+$oDistribution = new distribution($aClean['iDistributionId']);
//exit with error if no vendor
if(!$oDistribution->iDistributionId)
Index: maintainerdelete.php
===================================================================
RCS file: /home/wine/appdb/maintainerdelete.php,v
retrieving revision 1.16
diff -u -p -r1.16 maintainerdelete.php
--- maintainerdelete.php 6 Jun 2006 18:56:14 -0000 1.16
+++ maintainerdelete.php 15 Jun 2006 00:20:42 -0000
@@ -11,27 +11,30 @@ require(BASE."include/incl.php");
require(BASE."include/category.php");
require(BASE."include/application.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['appId'] = makeSafe(strip_tags($_POST['appId']));
+$aClean['versionId'] = makeSafe(strip_tags($_POST['versionId']));
+$aClean['confirmed'] = makeSafe(strip_tags($_POST['confirmed']));
+$aClean['superMaintainer'] = makeSafe(strip_tags($_POST['superMaintainer']);
+
if(!$_SESSION['current']->isLoggedIn())
{
errorpage("You need to be logged in to resign from being a maintainer.");
exit;
}
-$appId = strip_tags($_POST['appId']);
-$versionId = strip_tags($_POST['versionId']);
-$confirmed = strip_tags($_POST['confirmed']);
-$superMaintainer = strip_tags($_POST['superMaintainer']);
-if($confirmed)
+if($aClean['confirmed'])
{
- $oApp = new Application($appId);
- if($superMaintainer)
+ $oApp = new Application($aClean['appId']);
+ if($aClean['superMaintainer'])
{
apidb_header("You have resigned as super maintainer of ".$oApp->sName);
$result = $_SESSION['current']->deleteMaintainer($oApp->iAppId, null);
} else
{
- $oVersion = new Version($versionId);
+ $oVersion = new Version($aClean['versionId']);
apidb_header("You have resigned as maintainer of ".$oApp->sName." ".$oVersion->sName);
$result = $_SESSION['current']->deleteMaintainer($oApp->iAppId, $oVersion->iVersionId);
}
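Review bot: `$aClean['superMaintainer'] = makeSafe(strip_tags($_POST['superMaintainer']);` is missing a closing parenthesis — the single `)` closes strip_tags() and nothing closes makeSafe() — so as shown the file will not parse; the preceding line `makeSafe(strip_tags($_POST['versionId']))` has the correct form. If this is not a capture artifact, fix it before committing. A smaller point: the four filtering statements now run before the isLoggedIn() check; harmless, but placing the login check first matches the rest of the file and avoids doing work for anonymous requests.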
@@ -39,14 +42,14 @@ if($confirmed)
*/
if($result)
{
- if($superMaintainer)
+ if($aClean['superMaintainer'])
echo "You were removed as a super maintainer of ".$oApp->sName;
else
echo "You were removed as a maintainer of ".$oApp->sName." ".$oVersion->sName;
}
} else
{
- if($superMaintainer)
+ if($aClean['superMaintainer'])
apidb_header("Confirm super maintainer resignation of ".$oApp->sName);
else
apidb_header("Confirm maintainer resignation of ".$oApp->sName." ".$oVersion->sName);
@@ -56,12 +59,12 @@ if($confirmed)
echo html_frame_start("Confirm",400,"",0);
echo "\n";
- echo " ";
- echo " ";
- echo " ";
+ echo " ";
+ echo " ";
+ echo " ";
echo " ";
- if($superMaintainer)
+ if($aClean['superMaintainer'])
{
echo "Are you sure that you want to be removed as a super maintainer of this application? \n";
echo ' ', "\n";
Index: maintainersubmit.php
===================================================================
RCS file: /home/wine/appdb/maintainersubmit.php,v
retrieving revision 1.22
diff -u -p -r1.22 maintainersubmit.php
--- maintainersubmit.php 6 Jun 2006 18:54:12 -0000 1.22
+++ maintainersubmit.php 15 Jun 2006 00:20:43 -0000
@@ -11,15 +11,23 @@ require(BASE."include/incl.php");
require(BASE."include/category.php");
require(BASE."include/application.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['maintainReason'] = makeSafe($_REQUEST['maintainReason']);
+$aClean['appId'] = makeSafe(strip_tags($_POST['appId']));
+$aClean['versionId'] = makeSafe(strip_tags($_POST['versionId']));
+$aClean['superMaintainer'] = makeSafe(strip_tags($_POST['superMaintainer']));
+
+
/**
* Check the input of a submitted form. And output with a list
* of errors. ()
*/
-function checkAppMaintainerInput( $fields )
+function checkAppMaintainerInput( $maintainReason )
{
$errors = "";
- if ( empty( $fields['maintainReason']) )
+ if ( empty( $maintainReason ) )
{
$errors .= "Please enter why you would like to be an application maintainer. \n";
}
@@ -41,29 +49,26 @@ if(!$_SESSION['current']->isLoggedIn())
exit;
}
-$appId = strip_tags($_POST['appId']);
-$versionId = strip_tags($_POST['versionId']);
-$superMaintainer = strip_tags($_POST['superMaintainer']);
/* if we have a versionId to check against see if */
/* the user is already a maintainer */
-if(!$superMaintainer && $_SESSION['current']->isMaintainer($versionId))
+if(!$aClean['superMaintainer'] && $_SESSION['current']->isMaintainer($aClean['versionId']))
{
echo "You are already a maintainer of this app!";
exit;
}
/* if this user is a super maintainer they maintain all of the versionIds of this appId */
-if($_SESSION['current']->isSuperMaintainer($appId))
+if($_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
echo "You are already a supermaintainer of the whole application family!";
exit;
}
-if($_REQUEST['maintainReason'])
+if( $aClean['maintainReason'])
{
// check the input for empty/invalid fields
- $errors = checkAppMaintainerInput($_REQUEST);
+ $errors = checkAppMaintainerInput($aClean['maintainReason']);
if(!empty($errors))
{
errorpage("We found the following errors:"," Please go back and correct them.");
@@ -71,18 +76,18 @@ if($_REQUEST['maintainReason'])
}
// header
- if($superMaintainer)
+ if($aClean['superMaintainer'])
apidb_header("Submit SuperMaintainer Request");
else
apidb_header("Submit Maintainer Request");
// add to queue
$query = "INSERT INTO appMaintainerQueue VALUES (null, '".
- addslashes($_REQUEST['appId'])."', '".
- addslashes($_REQUEST['versionId'])."', '".
+ $aClean['appId']."', '".
+ $aClean['versionId']."', '".
addslashes($_SESSION['current']->iUserId)."', '".
- addslashes($_REQUEST['maintainReason'])."', '".
- addslashes($_REQUEST['superMaintainer'])."',".
+ $aClean['maintainReason']."', '".
+ $aClean['superMaintainer']."',".
"NOW()".");";
if (query_appdb($query))
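Review bot: The INSERT now interpolates `$aClean['appId']`, `$aClean['versionId']`, `$aClean['maintainReason']` and `$aClean['superMaintainer']` with the explicit `addslashes()` calls removed, so SQL safety rests entirely on what makeSafe() does, which this diff does not show; the ids and the super-maintainer flag are never checked to be numeric in this file, and an empty versionId is written as `''`. If those columns are integers, cast at the point of use — `(int)$aClean['appId']`, `(int)$aClean['versionId']`, `(int)$aClean['superMaintainer']` — so that only `maintainReason` depends on string escaping. The enclosing `if( $aClean['maintainReason'])` block starts before this hunk.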
@@ -93,15 +98,15 @@ if($_REQUEST['maintainReason'])
} else
{
// header
- if($versionId)
+ if($aClean['versionId'])
{
- $oVersion = new Version($versionId);
+ $oVersion = new Version($aClean['versionId']);
$oApp = new Application($oVersion->iAppId);
apidb_header("Request to become an application maintainer of ".$oApp->sName." ".$oVersion->sName);
}
else
{
- $oApp = new Application($appId);
+ $oApp = new Application($aClean['appId']);
apidb_header("Request to become an application super maintainer of ".$oApp->sName);
}
@@ -123,7 +128,7 @@ if($_REQUEST['maintainReason'])
echo "don't have the experience with Wine that is necessary to help other users out.\n";
/* Special message for super maintainer applications */
- if($superMaintainer)
+ if($aClean['superMaintainer'])
{
echo "Super maintainers are just like normal maintainers but they can modify EVERY version of\n";
echo "this application (and the application itself). We don't expect you to run every version but at least to help keep\n";
@@ -131,7 +136,7 @@ if($_REQUEST['maintainReason'])
}
echo " ";
- if($superMaintainer)
+ if($aClean['superMaintainer'])
echo html_frame_start("New Super Maintainer Form",400,"",0);
else
echo html_frame_start("New Maintainer Form",400,"",0);
@@ -140,17 +145,17 @@ if($_REQUEST['maintainReason'])
echo "
";
echo 'Application '.$oApp->sName;
echo ' ',"\n";
- if($versionId)
+ if($aClean['versionId'])
{
echo "";
echo 'Version '.$oVersion->sName;
echo ' ',"\n";
}
- echo " ";
- echo " ";
- echo " ";
+ echo " ";
+ echo " ";
+ echo " ']}";
- if($superMaintainer)
+ if($aClean['superMaintainer'])
echo 'Why you want to and should be an application super maintainer ',"\n";
else
echo 'Why you want to and should be an application maintainer ',"\n";
Index: preferences.php
===================================================================
RCS file: /home/wine/appdb/preferences.php,v
retrieving revision 1.19
diff -u -p -r1.19 preferences.php
--- preferences.php 6 Jun 2006 18:56:48 -0000 1.19
+++ preferences.php 15 Jun 2006 00:20:43 -0000
@@ -9,6 +9,19 @@
include("path.php");
include(BASE."include/"."incl.php");
+$aClean = array(); //array of filtered user input
+
+$aClean['userId'] = makeSafe($REQUEST['userId']);
+$aClean['iLimit'] = makeSafe($REQUEST['iLimit']);
+$aClean['sOrderBy'] = makeSafe($REQUEST['sOrderBy']);
+$aClean['ext_password'] = makeSafe($REQUEST['ext_password']);
+$aClean['ext_password2'] = makeSafe($REQUEST['ext_password2']);
+$aClean['ext_email'] = makeSafe($REQUEST['ext_email']);
+$aClean['ext_realname'] = makeSafe($REQUEST['ext_realname']);
+$aClean['CVSrelease'] = makeSafe($REQUEST['CVSrelease']);
+$aClean['ext_hasadmin'] = makeSafe($POST['ext_hasadmin']);
+
+
if(!$_SESSION['current']->isLoggedIn())
{
errorpage("You must be logged in to edit preferences");
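Review bot: `$REQUEST` and `$POST` are ordinary (undefined) variables, not the superglobals `$_REQUEST` and `$_POST`, so every entry of `$aClean` built here is `makeSafe(null)` and the admin edit path, password change and `ext_hasadmin` toggle in the later hunks all see empty input; the lines should read `$aClean['userId'] = makeSafe($_REQUEST['userId']);` and so on through `$aClean['ext_hasadmin'] = makeSafe($_POST['ext_hasadmin']);`. The redirect in the hunk at the end of this file also reads `$aClean['sSearch']`, which is never populated here, so add `$aClean['sSearch'] = makeSafe($_REQUEST['sSearch']);` to this list. A one-line comment stating that `$aClean` is the only sanctioned source of request data below this point would help keep the two lists in sync.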
@@ -17,12 +30,12 @@ if(!$_SESSION['current']->isLoggedIn())
// we come from the administration to edit an user
if($_SESSION['current']->hasPriv("admin") &&
- is_numeric($_REQUEST['userId']) &&
- is_numeric($_REQUEST['iLimit']) &&
- in_array($_REQUEST['sOrderBy'],array("email","realname","created"))
+ is_numeric($aClean['userId']) &&
+ is_numeric($aClean['iLimit']) &&
+ in_array($aClean['sOrderBy'],array("email","realname","created"))
)
{
- $oUser = new User($_REQUEST['userId']);
+ $oUser = new User($aClean['userId']);
} else
{
$oUser = &$_SESSION['current'];
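Review bot: `is_numeric()` accepts floats, exponents and leading whitespace (`"1e3"`, `" 12"`), so `$aClean['userId']` and `$aClean['iLimit']` are not guaranteed to be integer ids before reaching `new User()`; `ctype_digit((string)$aClean['userId'])` or an `(int)` cast would pin the expected shape. The `in_array()` whitelist for `sOrderBy` should pass `true` as the third argument so the comparison is strict. Both checks were already loose before this commit, but the lines are being rewritten here anyway.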
@@ -80,32 +93,32 @@ function show_user_fields()
if($_POST)
{
- while(list($key, $value) = each($_REQUEST))
+ while(list($key, $value) = each($aClean))
{
if(!ereg("^pref_(.+)$", $key, $arr))
continue;
$oUser->setPref($arr[1], $value);
}
- if ($_REQUEST['ext_password'] == $_REQUEST['ext_password2'])
+ if ($aClean['ext_password'] == $aClean['ext_password2'])
{
- $str_passwd = $_REQUEST['ext_password'];
+ $str_passwd = $aClean['ext_password'];
}
- else if ($_REQUEST['ext_password'])
+ else if ($aClean['ext_password'])
{
addmsg("The Passwords you entered did not match.", "red");
}
- if ($oUser->update($_REQUEST['ext_email'], $str_passwd, $_REQUEST['ext_realname'], $_REQUEST['CVSrelease']))
+ if ($oUser->update($aClean['ext_email'], $str_passwd, $aClean['ext_realname'], $aClean['CVSrelease']))
{
addmsg("Preferences Updated", "green");
// we were managing an user, let's go back to the admin after updating tha admin status
- if($oUser->iUserId == $_REQUEST['userId'] && $_SESSION['current']->hasPriv("admin"))
+ if($oUser->iUserId == $aClean['userId'] && $_SESSION['current']->hasPriv("admin"))
{
- if($_POST['ext_hasadmin']=="on")
+ if($aClean['ext_hasadmin']=="on")
$oUser->addPriv("admin");
else
$oUser->delPriv("admin");
- redirect(BASE."admin/adminUsers.php?userId=".$oUser->iUserId."&sSearch=".$_REQUEST['sSearch']."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."&sSubmit=true");
+ redirect(BASE."admin/adminUsers.php?userId=".$oUser->iUserId."&sSearch=".$aClean['sSearch']."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."&sSubmit=true");
}
}
else
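Review bot: The `each($aClean)` loop only ever sees the handful of keys explicitly assigned at the top of the file, none of which start with `pref_`, so `setPref()` is never called and user preferences silently stop being saved; iterate the request instead and filter per value, `foreach($_POST as $key => $value)` with `$oUser->setPref($arr[1], makeSafe($value));`. The hunk header names `show_user_fields()`, so if this `if($_POST)` block is inside that function `$aClean` is not in scope without a `global $aClean;` line — please confirm where the block sits. The `redirect()` URL concatenates `$aClean['sSearch']` (never assigned in this diff) and the other parameters unencoded; wrap each in `urlencode()` so that a search string containing `&` or `=` cannot alter the query. The password comparison `$aClean['ext_password'] == $aClean['ext_password2']` is loose; with both fields empty it is also true, so `$str_passwd` becomes `""` and the behaviour then depends on how `update()` treats an empty password.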
@@ -119,12 +132,12 @@ apidb_header("User Preferences");
echo "