fix possible code-injection when adding/editing admins/customers; dont output invalid email address in index on error message
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
@@ -22,6 +22,7 @@ require './lib/init.php';
|
||||
use Froxlor\Database\Database;
|
||||
use Froxlor\Settings;
|
||||
use Froxlor\FroxlorLogger;
|
||||
use Froxlor\Validate\Validate;
|
||||
|
||||
if ($action == '') {
|
||||
$action = 'login';
|
||||
@@ -353,7 +354,11 @@ if ($action == '2fa_entercode') {
|
||||
break;
|
||||
case 4:
|
||||
$cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
|
||||
$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
|
||||
if (!Validate::validateEmail($cmail)) {
|
||||
$message = str_replace('%s', 'invalid.address', $lng['error']['errorsendingmail']);
|
||||
} else {
|
||||
$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
|
||||
}
|
||||
break;
|
||||
case 5:
|
||||
$message = $lng['error']['user_banned'];
|
||||
|
||||
@@ -227,7 +227,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
|
||||
$ipaddress = $this->getParam('ipaddress', true, - 1);
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
|
||||
@@ -527,7 +527,7 @@ class Admins extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
|
||||
}
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
|
||||
|
||||
@@ -404,12 +404,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
|
||||
}
|
||||
|
||||
// validation
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
@@ -998,12 +998,12 @@ class Customers extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resource
|
||||
// validation
|
||||
if ($this->isAdmin()) {
|
||||
$idna_convert = new \Froxlor\Idna\IdnaWrapper();
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
|
||||
$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
|
||||
$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
|
||||
$phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
|
||||
$email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
|
||||
|
||||
Reference in New Issue
Block a user