From b6c99341a539a44b051064d579459c18661e8be9 Mon Sep 17 00:00:00 2001
From: Craig Knudsen
Date: Fri, 15 Oct 2021 12:12:05 -0400
Subject: [PATCH] Fix CWE-1004 by preventing access to cookies within JS

- Details for CWE-1004: https://cwe.mitre.org/data/definitions/1004.html
---
 edit_remotes.php | 143 ----------------------------------------
 includes/functions.php | 6 +-
 includes/js/util.js | 35 ---------
 remotes.php | 43 -------
 4 files changed, 3 insertions(+), 224 deletions(-)
 delete mode 100644 edit_remotes.php
 delete mode 100644 remotes.php
diff --git a/edit_remotes.php b/edit_remotes.php
deleted file mode 100644
index d5b537f99..000000000
--- a/edit_remotes.php
+++ /dev/null
@@ -1,143 +0,0 @@ - - * @copyright Craig Knudsen, , http://www.k5n.us/cknudsen - * @license http://www.gnu.org/licenses/gpl.html GNU GPL - * @package WebCalendar - * @subpackage Edit Remotes - * - * Security - * $REMOTES_ENABLED must be enabled under System Settings and if - * if UAC is enabled, then the user must be allowed to ACCESS_IMPORT. -*/ -include_once 'includes/init.php'; -print_header ( array ( 'js/edit_remotes.php/false', 'js/visible.php' ), - '', '', true ); - -$error = ''; - -if ( ! $NONUSER_PREFIX ) - $error = translate ( 'NONUSER_PREFIX not set' ); - -if ( $REMOTES_ENABLED != 'Y' || ( access_is_enabled() && ! - access_can_access_function ( ACCESS_IMPORT ) ) ) - $error = print_not_auth(); - -if ( $error ) { - echo print_error ( $error ) . ' - -'; - exit; -} -$add = getValue ( 'add' ); -$nid = getValue ( 'nid' ); - -// Adding/Editing remote calendar. -if ( ( $add == '1' || ! empty ( $nid ) ) && empty ( $error ) ) { - $userlist = get_nonuser_cals ( $login, true ); - - if ( empty ( $nid ) ) { - $id_display = ' ' - . translate ( 'word characters only' ); - $lableStr = translate ( 'Add Remote Calendar' ); - } else { - $nid = clean_html ( $nid ); - nonuser_load_variables ( $nid, 'remotestemp_' ); - - $button = translate ( 'Save' ); - $buttonAction = 'Save'; - $id_display = $nid . ' '; - $lableStr = translate ( 'Edit Remote Calendar' ); - $remotestemp_login = substr ( $remotestemp_login, strlen ( $NONUSER_PREFIX ) ); - } - - $button = translate ( 'Add' ); - $buttonAction = 'Add'; - $calIdStr = translate ( 'Calendar ID' ); - $colorStr = translate ( 'Color' ); - $confirmStr = translate( 'Are you sure you want to delete this entry?' 
); - $createLayerStr = translate ( 'Create Layer' ); - $deleteStr = translate ( 'Delete' ); - $firstNameStr = translate ( 'First Name' ); - $lastNameStr = translate ( 'Last Name' ); - $reloadStr = translate ( 'Reload' ); - $requiredStr = translate ( 'Required to View Remote Calendar' ); - $selectStr = translate ( 'Select' ); - $urlStr = translate ( 'URL' ); - - $firstNameValue = ( empty ( $remotestemp_firstname ) - ? '' : htmlspecialchars ( $remotestemp_firstname ) ); - $lastNameValue = ( empty ( $remotestemp_lastname ) - ? '' : htmlspecialchars ( $remotestemp_lastname ) ); - $urlValue = ( empty ( $remotestemp_url ) - ? '' : htmlspecialchars ( $remotestemp_url ) ); - - $formKey = csrf_form_key(); - echo <<{$lableStr} -
- ${formKey} - - - - - - - - - - - - - - - - - -EOT; - if ( empty ( $nid ) ) { - echo << - - - - - - '; - } - echo << - - -EOT; - - if ( ! empty ( $nid ) ) - echo << - -EOT; - - echo ' - '; -} -echo print_trailer ( false, true, true ); - -?> diff --git a/includes/functions.php b/includes/functions.php index 580d6f269..4cad92f3c 100644 --- a/includes/functions.php +++ b/includes/functions.php @@ -6529,12 +6529,12 @@ function isSecure() { || $_SERVER['SERVER_PORT'] == 443; } -function sendCookie($name, $value, $expiration=0, $sensitive=true) { - $path = ''; +function sendCookie($name, $value, $expiration=0, $path='', $sensitive=true) { $domain = ''; + $httpOnly = true; // don't allow JS access to cookies. // If sensitive and HTTPS is supported, set secure to true $secure = $sensitive && isSecure(); - SetCookie ( $name, $value, $expiration, $path, $domain, $secure, false); + SetCookie ( $name, $value, $expiration, $path, $domain, $secure, $httpOnly); } ?> diff --git a/includes/js/util.js b/includes/js/util.js index 3bd96a0bf..716ffe75e 100644 --- a/includes/js/util.js +++ b/includes/js/util.js 
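Review bot: Inserting `$path` ahead of `$sensitive` in the new `sendCookie` signature silently re-binds any existing positional call that passed `$sensitive` as the fourth argument: a caller written as `sendCookie($n, $v, $exp, false)` now gets `$path = false` and `$sensitive = true`, so a cookie the caller deliberately marked non-sensitive is sent with `Secure` on HTTPS and the caller's intent is lost. The callers are not visible in this hunk, so this needs a grep; appending the new parameter last, `function sendCookie($name, $value, $expiration=0, $sensitive=true, $path='')`, keeps every existing call site meaning what it did. Since the commit is about cookie hardening, the `SameSite` attribute is the other flag worth setting in the same call: with the options-array form (PHP 7.3+) it becomes `setcookie($name, $value, ['expires' => $expiration, 'path' => $path, 'domain' => $domain, 'secure' => $secure, 'httponly' => $httpOnly, 'samesite' => 'Lax']);`, subject to the project's minimum PHP version, which I cannot confirm from here. Minor style point: `SetCookie` is the conventional `setcookie`, and `$httpOnly` could simply be the literal `true` at the call site given its comment already explains it. The whole `sendCookie` body lies inside this hunk.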
@@ -219,39 +219,4 @@ function showResponse(originalRequest) { document.body.style.cursor = 'default'; } -function altrows() { - if( ! document.getElementsByTagName ) - return false; - var rows = $$( 'div tbody tr' ); - for ( var i = 0; i < rows.length; i++ ) { - if ( ! rows[i].hasClassName( 'ignore' ) ) { - rows[i].onmouseover = function() { $( this ).addClassName( 'alt' ); } - rows[i].onmouseout = function() { $( this ).removeClassName( 'alt' ); } - } - } -} - -function altps() { - if( ! document.getElementsByTagName ) - return false; - - var rows = $$( 'div p' ); - for( var i = 0; i < rows.length; i++ ) { - if ( ! rows[i].hasClassName( 'ignore' ) ) { - rows[i].onmouseover = function() { $( this ).addClassName( 'alt' ); } - rows[i].onmouseout = function() { $( this ).removeClassName( 'alt' ); } - } - } -} -function showFrame(foo,f,section) { - document.getElementById(foo).style.display = "block"; - if (f) { setCookie(foo, "o", section); } -} - -function hideFrame(foo,f,section) { - if (document.getElementById(foo)) { - document.getElementById(foo).style.display = "none"; - if (f) { deleteCookie(foo, section); } - } -} \ No newline at end of file diff --git a/remotes.php b/remotes.php deleted file mode 100644 index 27132b0d0..000000000 --- a/remotes.php +++ /dev/null @@ -1,43 +0,0 @@ -'; - -if ( ! $NONUSER_PREFIX ) { - echo print_error_header() . translate ( 'NONUSER_PREFIX not set' ) . ' - -'; - exit; -} -$add = getValue ( 'add' ); -echo ' - - '; -?>
{$id_display}
- - {$requiredStr} -