gnucash-htdocs master: Sanitize remaining GET parameters.
John Ralls
jralls at code.gnucash.org
Sat Sep 18 14:46:32 EDT 2021
Updated via https://github.com/Gnucash/gnucash-htdocs/commit/3ec987f3 (commit)
from https://github.com/Gnucash/gnucash-htdocs/commit/b10e4976 (commit)
commit 3ec987f3e69a7f246d26c1c9c256ead04af681f4
Author: John Ralls <jralls at ceridwen.us>
Date: Sat Sep 18 10:28:29 2021 -0700
Sanitize remaining GET parameters.
diff --git a/atom.php b/atom.php
index d5c5f63..7a90fc1 100644
--- a/atom.php
+++ b/atom.php
@@ -1,74 +1,74 @@
<?php
- // TODO:
- // - reasonable permalinks
- // - I18N?
+// TODO:
+// - reasonable permalinks
+// - I18N?
- $top_dir = ".";
- require_once $top_dir.'/externals/global_params.php';
-
- $contentType = "application/atom+xml";
- if (isset($_GET["content-type"]))
- {
- $contentType = $_GET["content-type"];
- }
- $charset = "utf-8";
- header("Content-Type: $contentType; charset=$charset");
+$top_dir = ".";
+require_once $top_dir.'/externals/global_params.php';
- $entry_count = 10;
- $newsdir = "$top_dir/news";
+$content_type = filter_input(INPUT_GET, 'content-type', FILTER_SANITIZE_STRING);
+if (!$content_type) {
+ $contentType = "application/atom+xml";
+}
- /**
- * In php5, this is simply: date(DATE_ATOM, strtotime($news_date)).
- * php4 doesn't know what 'DATE_ATOM' is, and doesn't know what the 'P'
- * argument is ("+04:00"). The 'O' argument is supported and close ("+0400"),
- * but we need to insert the ':', as such...
- **/
- function date_convert_news_to_atom($news_date)
- {
+$charset = "utf-8";
+header("Content-Type: $contentType; charset=$charset");
+
+$entry_count = 10;
+$newsdir = "$top_dir/news";
+
+/**
+ * In php5, this is simply: date(DATE_ATOM, strtotime($news_date)).
+ * php4 doesn't know what 'DATE_ATOM' is, and doesn't know what the 'P'
+ * argument is ("+04:00"). The 'O' argument is supported and close ("+0400"),
+ * but we need to insert the ':', as such...
+ **/
+function date_convert_news_to_atom($news_date)
+{
$DATE_ATOM_MOSTLY = "Y-m-d\TH:i:sO";
$semi_atom_date = date($DATE_ATOM_MOSTLY, strtotime($news_date));
$len = strlen($semi_atom_date);
return substr($semi_atom_date, 0, $len-2) . ":" . substr($semi_atom_date, $len-2);
- }
+}
?>
<?="<?xml version=\"1.0\" encoding=\"$charset\"?>"?>
<?php
- include("$newsdir/news-script.php");
+include("$newsdir/news-script.php");
?>
<feed xmlns="http://www.w3.org/2005/Atom">
- <title>GnuCash News</title>
- <subtitle><?=strip_tags($default_description)?></subtitle>
- <generator>GnuCash htdocs/master/atom.php 1.0 <gnucash-devel at gnucash.org></generator>
- <logo><?=\DEFAULT_URL?>images/icons/gnc-icon.png</logo>
- <link rel="alternate" href="<?=\DEFAULT_URL?>" />
- <link rel="self" href="<?=\DEFAULT_URL?>atom.php" />
- <id><?=\DEFAULT_URL?></id>
- <?php
- $news_items = get_news($newsdir, $newsdir);
- $news_items = array_slice($news_items, 0, $entry_count);
- reset($news_items);
- $most_recent = file(key($news_items));
- $most_recent_update = chop($most_recent[1]);
- ?>
- <updated><?= date_convert_news_to_atom($most_recent_update) ?></updated>
+ <title>GnuCash News</title>
+ <subtitle><?=strip_tags($default_description)?></subtitle>
+ <generator>GnuCash htdocs/master/atom.php 1.0 <gnucash-devel at gnucash.org></generator>
+ <logo><?=\DEFAULT_URL?>images/icons/gnc-icon.png</logo>
+ <link rel="alternate" href="<?=\DEFAULT_URL?>" />
+ <link rel="self" href="<?=\DEFAULT_URL?>atom.php" />
+ <id><?=\DEFAULT_URL?></id>
+ <?php
+ $news_items = get_news($newsdir, $newsdir);
+ $news_items = array_slice($news_items, 0, $entry_count);
+ reset($news_items);
+ $most_recent = file(key($news_items));
+ $most_recent_update = chop($most_recent[1]);
+ ?>
+ <updated><?= date_convert_news_to_atom($most_recent_update) ?></updated>
- <?php for (reset($news_items); $key = key($news_items); next($news_items))
- {
- $fa = file($key);
- $n = count($fa);
- $title = strip_tags(chop($fa[0]));
- $update_date = chop($fa[1]);
+ <?php for (reset($news_items); $key = key($news_items); next($news_items))
+ {
+ $fa = file($key);
+ $n = count($fa);
+ $title = strip_tags(chop($fa[0]));
+ $update_date = chop($fa[1]);
?>
- <entry>
- <id>urn:x-gnucash:news:<?= urlencode($key) ?></id>
- <title><?= $title ?></title>
- <link rel="alternate" href="<?=\DEFAULT_URL?>news.phtml#n-<?=generate_anchor($key);?>" />
- <author>
- <name>GnuCash Developers</name>
- <email>gnucash-devel at gnucash.org</email>
- </author>
- <updated><?= date_convert_news_to_atom($update_date) ?></updated>
+ <entry>
+ <id>urn:x-gnucash:news:<?= urlencode($key) ?></id>
+ <title><?= $title ?></title>
+ <link rel="alternate" href="<?=\DEFAULT_URL?>news.phtml#n-<?=generate_anchor($key);?>" />
+ <author>
+ <name>GnuCash Developers</name>
+ <email>gnucash-devel at gnucash.org</email>
+ </author>
+ <updated><?= date_convert_news_to_atom($update_date) ?></updated>
</entry>
<?php
} ?>
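Review bot: The sanitized value is stored in `$content_type` on the filter_input line, but the header call a few lines below interpolates `$contentType`, which is only assigned in the fallback branch — so whenever a client supplies `content-type`, the response goes out as `Content-Type: ; charset=utf-8` with an undefined-variable notice, and the sanitized value is never used. Renaming the two lines removes the mismatch: `$contentType = filter_input(INPUT_GET, 'content-type', FILTER_SANITIZE_STRING);` and `if (!$contentType) {`. FILTER_SANITIZE_STRING only strips tags and encodes quotes (and is deprecated as of PHP 8.1), so the client still picks the response media type; an allowlist in the style of `$doc_languages` in viewdoc.phtml, e.g. `if (!in_array($contentType, ['application/atom+xml'], true)) {`, would pin the header to the types this script actually emits.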
diff --git a/viewdoc.phtml b/viewdoc.phtml
index 69489ea..c37bca0 100644
--- a/viewdoc.phtml
+++ b/viewdoc.phtml
@@ -22,39 +22,37 @@ $showdoc = $tcdoc;
$req_doc_ok = true;
$showrev = $current_stable;
$req_rev_ok = true;
-
-if (isset ($_GET["lang"])) {
- $showlang = $_GET["lang"];
-} else {
- # Fallback: Requested language is set in $locale by included lang.php
- if ($locale == "en_US") {
- $showlang = "C"; # Fixme: causes a PHP Notice:
- # Undefined offset: 1 in /home/frank/git/gnucash-htdocs/viewdoc.phtml on line 98
- # list($shortlang,$rest) = explode ("_", $showlang);
- } else {
- $showlang = $locale;
- }
+$showlang = 'C';
+
+$doc_languages = array('de', 'it', 'ja', 'pt');
+$get_lang = filter_input(INPUT_GET, 'lang', FILTER_SANITIZE_STRING);
+if (in_array($get_lang, $doc_languages, true)) {
+ $showlang = $get_lang;
+} elseif ($locale) {
+ $showlang = $locale;
}
# Parse requested document
-if (isset ($_GET["doc"])) {
- switch ($_GET["doc"]) {
+$doc_to_show = filter_input(INPUT_GET, 'doc', FILTER_SANITIZE_STRING);
+if ($doc_to_show) {
+ switch ($doc_to_show) {
case "help":
$showdoc = $helpdoc;
break;
case "guide":
$showdoc = $tcdoc;
break;
- default: /* unknown document requested, will present help by default */
+ default: /* unknown document requested, will present guide by default */
$req_doc_ok = false;
break;
}
}
# Parse requested version
-if (isset ($_GET["rev"])) {
- switch ($_GET["rev"]) {
+$rev_to_show = filter_input(INPUT_GET, 'rev', FILTER_SANITIZE_STRING);
+if ($rev_to_show) {
+ switch ($rev_to_show) {
case "1.8":
$showrev = "1.8";
break;
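Review bot: The `elseif ($locale)` branch drops the explicit `en_US` to `C` mapping the removed code had; if `$locale` is still set to `en_US` by the included lang.php (as the removed comment says, not visible here), `$showlang` becomes `en_US`, which is not in `$trunk_langs`, so English visitors without a `lang` parameter would presumably take the `$req_lang_ok = false` path and see the language warning. Keeping the special case, `} elseif ($locale && $locale !== 'en_US') {`, preserves the previous behaviour while still consulting the allowlist first. Separately, `$doc_languages` duplicates the language table kept in `$trunk_langs` further down the file and omits `'C'`, so an explicit `?lang=C` falls through to the locale; adding `'C'` to the array, with a comment that it must be kept in step with `$trunk_langs`, would close that gap.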
@@ -90,7 +88,6 @@ if (isset ($_GET["rev"])) {
break;
}
}
-
# Now check if the requested combination of doc, revision and language actually exists
# If not, try the default C locale instead.
@@ -106,7 +103,7 @@ if ($showrev == "maint") {
$req_lang_ok = false;
$basepath = "https://lists.gnucash.org/docs";
$trunk_langs = array ( $helpdoc => array( "C", "de", "it", "pt"),
- $tcdoc => array( "C", "de", "it", "ja", "pt", "ru"));
+ $tcdoc => array( "C", "de", "it", "ja", "pt"));
if (in_array ($showlang, $trunk_langs[$showdoc])) {
$req_lang_ok = true;
@@ -118,7 +115,7 @@ if ($showrev == "maint") {
} else {
$showlang = "C";
}
-
+
$showurl=$basepath."/".$showlang."/".$showdoc;
} else {
# For the stable versions, we can simply check file availability because we're
@@ -147,10 +144,9 @@ if ($showrev == "maint") {
<?php if (! $req_doc_ok ) { ?>
<p style="color: red;"><?= T_("The document requested is not available. The tutorial and concepts guide will be displayed instead.")?></p>
<?php } ?>
- <?php if (! $req_rev_ok ) {
- $reqrev=$_GET["rev"]; ?>
+ <?php if (! $req_rev_ok ) {?>
<p style="color: red;"><?php printf (T_("The document requested is not available for version %s. Version %s will be displayed instead."),
- $reqrev, $showrev); ?></p>
+ $rev_to_show, $showrev); ?></p>
<?php } ?>
<?php if (! $req_lang_ok ) { ?>
<p style="color: red;"><?php printf (T_("The document requested is not available in the requested language (tried [%s]). The English version will be displayed instead."),
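Review bot: `$rev_to_show` is printed into the HTML body through printf without output escaping; FILTER_SANITIZE_STRING strips tags and encodes quotes but passes other characters such as `&` through, and the filter is deprecated as of PHP 8.1, so the value should be escaped at the output point: `htmlspecialchars($rev_to_show, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $showrev); ?></p>`. `$showrev` needs no escaping from what the hunks show, since every case of the `rev` switch assigns a literal. `$rev_to_show` is assigned in an earlier hunk, outside this one.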
Summary of changes:
atom.php | 110 +++++++++++++++++++++++++++++-----------------------------
viewdoc.phtml | 42 ++++++++++------------
2 files changed, 74 insertions(+), 78 deletions(-)