From 1182453c18a83309a3470b2775c148ede740806c Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Thu, 27 Oct 2022 14:06:00 +0200 Subject: [PATCH] fix possible code-injection when adding/editing admins/customers; dont output invalid email address in index on error message Signed-off-by: Michael Kaufmann
---
 index.php | 7 ++++++- lib/Froxlor/Api/Commands/Admins.php | 4 ++-- lib/Froxlor/Api/Commands/Customers.php | 20 ++++++++++---------- 3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/index.php b/index.php
index 07a96e82df..c410881e80 100644
--- a/index.php
+++ b/index.php
@@ -22,6 +22,7 @@
 use Froxlor\Database\Database;
 use Froxlor\Settings;
 use Froxlor\FroxlorLogger;
+use Froxlor\Validate\Validate;
 
 if ($action == '') {
 $action = 'login';
@@ -353,7 +354,11 @@
 break;
 case 4:
 $cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
-$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
+if (!Validate::validateEmail($cmail)) {
+$message = str_replace('%s', 'invalid.address', $lng['error']['errorsendingmail']);
+} else {
+$message = str_replace('%s', $cmail, $lng['error']['errorsendingmail']);
+}
 break;
 case 5:
 $message = $lng['error']['user_banned'];
diff --git a/lib/Froxlor/Api/Commands/Admins.php b/lib/Froxlor/Api/Commands/Admins.php
index 6799f46936..c3bef13204 100644
--- a/lib/Froxlor/Api/Commands/Admins.php
+++ b/lib/Froxlor/Api/Commands/Admins.php
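Review bot: The else branch added in the case-4 hunk of index.php still inserts the raw `$_GET['customermail']` value into `$message` once `Validate::validateEmail()` accepts it, so the fix depends on that validator rejecting every character that is significant in the context where `$message` is later rendered, which lies outside this hunk. The validator's implementation is not in the diff; if it is built on `FILTER_VALIDATE_EMAIL`, quoted local parts pass and those may carry characters that are not safe to emit into HTML unescaped. Escaping at the point of insertion is the robust form and keeps the validation as a pre-check: `$message = str_replace('%s', htmlspecialchars($cmail, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $lng['error']['errorsendingmail']);`. The surrounding switch starts and ends outside the hunk.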
@@ -227,7 +227,7 @@ public function add()
 $ipaddress = $this->getParam('ipaddress', true, - 1);
 
 // validation
-$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
+$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $idna_convert = new \Froxlor\Idna\IdnaWrapper();
 $email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
 $def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
@@ -527,7 +527,7 @@ public function update()
 }
 
 // validation
-$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
+$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $idna_convert = new \Froxlor\Idna\IdnaWrapper();
 $email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
 $def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '', '', array(), true);
diff --git a/lib/Froxlor/Api/Commands/Customers.php b/lib/Froxlor/Api/Commands/Customers.php
index d5b9fb4c89..41fdbf1429 100644
--- a/lib/Froxlor/Api/Commands/Customers.php
+++ b/lib/Froxlor/Api/Commands/Customers.php
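Review bot: In the add() hunk of Admins.php the stricter pattern is applied to `$name` only, while `$def_language` on the hunk's last line still passes the empty pattern `''`; the update() hunk at -527 has the same shape. The body of `Validate::validate()` is not in the diff, so it is inferred that the empty-pattern default is the weakness this commit closes; if so, a language identifier should get an explicit pattern as well, e.g. `$def_language = \Froxlor\Validate\Validate::validate($def_language, 'default language', '/^[a-zA-Z_\-]+$/', '', array(), true);` (constructed pattern, to be aligned with the identifiers actually in use), or a membership check against the configured languages. `$email` presumably receives field-specific handling inside the validator, but that is not visible here either. Both method bodies extend beyond their hunks.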
@@ -404,12 +404,12 @@ public function add()
 }
 
 // validation
-$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
-$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
-$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
-$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
+$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
-$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
+$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 $fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 $idna_convert = new \Froxlor\Idna\IdnaWrapper();
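Review bot: The definition of `REGEX_DESC_TEXT` is not part of this diff, so whether the switch for `$name`, `$firstname`, `$company`, `$street` and `$city` is a pure tightening or also a functional regression cannot be judged from the hunk; if the pattern is ASCII-only or lacks the `u` modifier, names and street names containing apostrophes, diacritics or non-Latin letters that were accepted before will now be rejected, which deserves an explicit test case alongside the injection test. Separately, this five-line validation list is now repeated verbatim in Customers::add(), Customers::update() (hunk -998) and, for `$name`, in both Admins.php hunks; a shared private helper (e.g. `private function validateAddressFields(...)`, name constructed) would keep any future hardening in one place. add() continues beyond the hunk.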
@@ -998,12 +998,12 @@ public function update()
 // validation
 if ($this->isAdmin()) {
 $idna_convert = new \Froxlor\Idna\IdnaWrapper();
-$name = \Froxlor\Validate\Validate::validate($name, 'name', '', '', array(), true);
-$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', '', '', array(), true);
-$company = \Froxlor\Validate\Validate::validate($company, 'company', '', '', array(), true);
-$street = \Froxlor\Validate\Validate::validate($street, 'street', '', '', array(), true);
+$name = \Froxlor\Validate\Validate::validate($name, 'name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$firstname = \Froxlor\Validate\Validate::validate($firstname, 'first name', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$company = \Froxlor\Validate\Validate::validate($company, 'company', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
+$street = \Froxlor\Validate\Validate::validate($street, 'street', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $zipcode = \Froxlor\Validate\Validate::validate($zipcode, 'zipcode', '/^[0-9 \-A-Z]*$/', '', array(), true);
-$city = \Froxlor\Validate\Validate::validate($city, 'city', '', '', array(), true);
+$city = \Froxlor\Validate\Validate::validate($city, 'city', \Froxlor\Validate\Validate::REGEX_DESC_TEXT, '', array(), true);
 $phone = \Froxlor\Validate\Validate::validate($phone, 'phone', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 $fax = \Froxlor\Validate\Validate::validate($fax, 'fax', '/^[0-9\- \+\(\)\/]*$/', '', array(), true);
 $email = $idna_convert->encode(\Froxlor\Validate\Validate::validate($email, 'email', '', '', array(), true));
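Review bot: The hardened validation sits inside `if ($this->isAdmin())`, and the branch for a customer editing their own record lies outside this hunk; if that branch validates any of `$name`, `$firstname`, `$company`, `$street` or `$city` with the empty pattern, it needs the same `REGEX_DESC_TEXT` change, otherwise the fix only covers admin-initiated updates. The `$email` line closing the hunk still passes `''` as the pattern, as do the corresponding lines in Admins.php, so it relies on field-specific handling inside `Validate::validate()` that is not visible in the diff. update() starts and ends outside the hunk.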