Print potential XSS in error message handler

collectiveaccess · Apr 30, 2022 · 49de453 · 49de453
1 parent bd61ef4
commit 49de453
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/app/controllers/system/ErrorController.php b/app/controllers/system/ErrorController.php
@@ -29,8 +29,6 @@
 require_once(__CA_LIB_DIR__."/ApplicationError.php");
 
 class ErrorController extends ActionController {
-	# -------------------------------------------------------
-
 	# -------------------------------------------------------
 	function Show() {
 		$o_purify = caGetHTMLPurifier();

diff --git a/app/lib/ApplicationError.php b/app/lib/ApplicationError.php
@@ -175,7 +175,7 @@ public function __construct($pn_error_number=0, $ps_error_description='', $ps_er
  * @return integer Always returns 1
  */		
 	public function setError ($pn_error_number, $ps_error_description='', $ps_error_context='', $ps_error_source='') {
-		$this->opn_error_number = $pn_error_number;
+		$this->opn_error_number = (int)$pn_error_number;
 		$this->ops_error_description = $ps_error_description;
 		$this->ops_error_context = $ps_error_context;
 		$this->ops_error_source = $ps_error_source;
@@ -321,7 +321,7 @@ public function getErrorMessage() {
 		if ($vs_error_message) {
 			return $vs_error_message;
 		} else {
-			return "Unknown error: ".$this->opn_error_number;
+			return "Unknown error: ".(int)$this->opn_error_number;
 		}
 	}
 

diff --git a/app/lib/Controller/Request/RequestHTTP.php b/app/lib/Controller/Request/RequestHTTP.php
@@ -576,12 +576,15 @@ public function getParameter($pa_name, $pn_type, $ps_http_method=null, $pa_optio
 		if (!isset($vm_val)) { return ""; }
 
 		$vm_val = str_replace("\0", '', $vm_val);
+
+		$purified = false;
 		if((caGetOption('purify', $pa_options, true) && $this->config->get('purify_all_text_input')) || caGetOption('forcePurify', $pa_options, false)) {
 		    if(is_array($vm_val)) {
 		        $vm_val = array_map(function($v) { return is_array($v) ? $v : str_replace("&amp;", "&", RequestHTTP::getPurifier()->purify(rawurldecode($v))); }, $vm_val);
 		    } else {
 		        $vm_val = str_replace("&amp;", "&", RequestHTTP::getPurifier()->purify(rawurldecode($vm_val)));
 		    }
+		    $purified = true;
 		}
 
 		if ($vm_val == "") { return ($pn_type == pArray) ? [] : ''; }
@@ -607,7 +610,7 @@ public function getParameter($pa_name, $pn_type, $ps_http_method=null, $pa_optio
 					if(caGetOption('retainBackslashes', $pa_options, true)) {
 						$vm_val = str_replace("\\", "\\\\", $vm_val);	// retain backslashes for some strange people desire them as valid input
 					}
-					if(caGetOption('urldecode', $pa_options, true)) {
+					if(!$purified && caGetOption('urldecode', $pa_options, true)) {
 						$vm_val = rawurldecode($vm_val);
 					}
 					return $vm_val;