From 6463135bf046d8131189c163158cd5db8f7a9675 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Wed, 3 Nov 2021 12:42:27 +0200
Subject: [PATCH] Fixed unescaped messages in JSON responses

---
 CHANGELOG.md | 6 ++++
 classes/plugin/AdminBaseController.php | 18 ++++++-----
 classes/plugin/AdminController.php | 30 +++++++++----------
 .../plugin/Controllers/AbstractController.php | 2 +-
 4 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc06bf7a6..88b460c65 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v1.10.25 ## mm/dd/2021
+
+3. [](#bugfix)
+ * Fixed unescaped messages in JSON responses
+
 # v1.10.24 ## 10/26/2021
diff --git a/classes/plugin/AdminBaseController.php b/classes/plugin/AdminBaseController.php
index ebdb45f5c..13e583eec 100644
--- a/classes/plugin/AdminBaseController.php
+++ b/classes/plugin/AdminBaseController.php
@@ -271,7 +271,7 @@ public function taskFilesUpload()
 $this->admin->json_response = [
 'status' => 'error',
 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
- $filename, 'Bad filename')
+ htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
 ];
 
 return false;
@@ -291,7 +291,7 @@ public function taskFilesUpload()
 $this->admin->json_response = [
 'status' => 'error',
 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_PREVENT_SELF', null),
- $settings->destination)
+ htmlspecialchars($settings->destination, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
 ];
 
 return false;
@@ -302,7 +302,8 @@ public function taskFilesUpload()
 $this->admin->json_response = [
 'status' => 'error',
 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
- $filename, $this->upload_errors[$upload->file->error])
+ htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
+ $this->upload_errors[$upload->file->error])
 ];
 
 return false;
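Review bot: The new `htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')` calls in the -271 and -302 hunks return an empty string when the input is not valid UTF-8, so a client-supplied upload name containing a bad byte sequence would make the FILEUPLOAD_UNABLE_TO_UPLOAD message silently drop the name instead of showing it; adding the substitute flag, `htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8')`, replaces the bad sequence with U+FFFD and keeps the rest of the message. The same flag set is used at every call site in this patch (the remaining hunks of this file, AdminController.php and AbstractController.php), so the addition applies throughout. In the -302 hunk the second sprintf argument, `$this->upload_errors[$upload->file->error]`, is left raw; that is fine if the table holds fixed literals, which the hunk does not show. taskFilesUpload's body starts and ends outside these hunks.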
@@ -340,7 +341,7 @@ public function taskFilesUpload()
 if ($isMime) {
 $match = preg_match('#' . $find . '$#', $mime);
 if (!$match) {
- $errors[] = 'The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.';
+ $errors[] = htmlspecialchars('The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
 } else {
 $accepted = true;
 break;
@@ -348,7 +349,7 @@ public function taskFilesUpload()
 } else {
 $match = preg_match('#' . $find . '$#', $filename);
 if (!$match) {
- $errors[] = 'The File Extension for the file "' . $filename . '" is not an accepted.';
+ $errors[] = htmlspecialchars('The File Extension for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
 } else {
 $accepted = true;
 break;
@@ -379,8 +380,11 @@ public function taskFilesUpload()
 if (!move_uploaded_file($tmp_file, $tmp)) {
 $this->admin->json_response = [
 'status' => 'error',
- 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null), '',
- $tmp)
+ 'message' => sprintf(
+ $this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null),
+ '',
+ htmlspecialchars($tmp, ENT_QUOTES | ENT_HTML5, 'UTF-8')
+ )
 ];
 
 return false;
diff --git a/classes/plugin/AdminController.php b/classes/plugin/AdminController.php
index 05df15e47..fe0b33910 100644
--- a/classes/plugin/AdminController.php
+++ b/classes/plugin/AdminController.php
@@ -288,7 +288,7 @@ public function taskRegenerate2FASecret()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
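Review bot: In the -340 and -348 hunks the escape is applied when the message is stored into `$errors[]` rather than when it is emitted, so the literal quotes are already `&quot;` inside the stored string; where `$errors` is consumed is outside the hunk, and if it is rendered through a Twig template with autoescaping, or folded into another message that is escaped again, the output will be double-encoded. Keeping `$errors` as plain text and escaping once where the JSON response is assembled (the pattern the -379 hunk follows for `$tmp`) would make every message escaped exactly once. On the context line, `preg_match('#' . $find . '$#', ...)` interpolates `$find` without `preg_quote($find, '#')`; that is pre-existing, but worth a look if the accept list can contain regex metacharacters. taskFilesUpload's body continues outside these hunks.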
@@ -407,7 +407,7 @@ protected function taskGetNotifications()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 }
 
 $this->sendJsonResponse($json_response);
@@ -490,7 +490,7 @@ protected function taskGetNewsFeed()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 }
 
 $this->sendJsonResponse($json_response);
@@ -540,7 +540,7 @@ protected function taskBackup()
 
 $this->admin->json_response = [
 'status' => 'error',
- 'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . $e->getMessage()
+ 'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 return true;
@@ -917,7 +917,7 @@ protected function taskGetUpdates()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
@@ -961,7 +961,7 @@ protected function taskGetPackagesDependencies()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
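Review bot: Every hunk on this line still forwards `$e->getMessage()` to the client, now HTML-escaped, so the change closes the markup problem but the message text itself — which for the update, notification and news-feed tasks may carry an upstream URL or a local path from the failing call — still reaches the browser. Since each branch already records the exception with `$debugger->addException($e)`, the response could carry a translated generic text, e.g. `'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED')`, with the detail left to the debugger; the -540 hunk already prefixes that key and could drop the appended message. These appear to be admin-only tasks, so treat this as defence in depth rather than a blocking defect. The enclosing functions start and end outside the hunks.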
@@ -1004,7 +1004,7 @@ protected function taskInstallDependenciesOfPackages()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
@@ -1059,7 +1059,7 @@ protected function taskInstallPackage($reinstall = false)
 $msg = Utils::contains($msg, '401 Unauthorized') ? "ERROR: License key for this resource is invalid." : $msg;
 $msg = Utils::contains($msg, '404 Not Found') ? "ERROR: Resource not found" : $msg;
 
- $this->admin->json_response = ['status' => 'error', 'message' => $msg];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
@@ -1133,7 +1133,7 @@ protected function taskRemovePackage(): bool
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 $this->sendJsonResponse($json_response, 200);
 }
@@ -2068,7 +2068,7 @@ protected function taskProcessMarkdown()
 $debugger = $this->grav['debugger'];
 $debugger->addException($e);
 
- $this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
+ $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
 
 return false;
 }
@@ -2225,7 +2225,7 @@ protected function taskAddmedia()
 $this->admin->json_response = [
 'status' => 'error',
 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'),
- $filename, 'Bad filename')
+ htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
 ];
 
 return false;
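Review bot: The identical three-argument `htmlspecialchars($x, ENT_QUOTES | ENT_HTML5, 'UTF-8')` expression is spelled out in each hunk on this line and at every other site in the patch; a single helper, e.g. `protected static function escapeMessage(string $text): string { return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }`, would keep the flag set in one place so the `$msg` and `$e->getMessage()` sites read as `'message' => self::escapeMessage($msg)`. Whether it belongs on AdminBaseController or in a trait also reachable from AbstractController depends on the class hierarchy, which is outside the hunk. In the -1059 hunk the 401/404 rewrite of `$msg` happens before the escape, which is the right order. The enclosing functions start and end outside the hunks.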
@@ -2453,7 +2453,7 @@ protected function taskDelmedia()
 if (!$result) {
 $this->admin->json_response = [
 'status' => 'error',
- 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename
+ 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 return false;
@@ -2474,7 +2474,7 @@ protected function taskDelmedia()
 if (!$result) {
 $this->admin->json_response = [
 'status' => 'error',
- 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename
+ 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 return false;
@@ -2489,7 +2489,7 @@ protected function taskDelmedia()
 if (!$found) {
 $this->admin->json_response = [
 'status' => 'error',
- 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . $filename
+ 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 return false;
@@ -2500,7 +2500,7 @@ protected function taskDelmedia()
 
 $this->admin->json_response = [
 'status' => 'success',
- 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . $filename
+ 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 return true;
diff --git a/classes/plugin/Controllers/AbstractController.php b/classes/plugin/Controllers/AbstractController.php
index ff7a8ff9a..4949727c1 100644
--- a/classes/plugin/Controllers/AbstractController.php
+++ b/classes/plugin/Controllers/AbstractController.php
@@ -292,7 +292,7 @@ public function createErrorResponse(\Exception $exception): ResponseInterface
 $response = [
 'code' => $code,
 'status' => 'error',
- 'message' => $message
+ 'message' => htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
 ];
 
 $accept = $this->getAccept(['application/json', 'text/html']);
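Review bot: `$message` is HTML-escaped into `$response` before the content negotiation that follows it (`$this->getAccept(['application/json', 'text/html'])` on the last context line), so the text/html branch — outside the hunk — receives an already-encoded string and, if it renders through a Twig template with autoescaping, will double-encode it, while any non-HTML JSON consumer now gets `&quot;` where the message had quotes. Escaping on the JSON path only, i.e. keeping `'message' => $message` here and applying `htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')` where the JSON body is built, keeps each output context escaped exactly once. createErrorResponse starts and ends outside the hunk.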