From 23795029dc01875e5da367f3418a368e0430d3fd Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Sun, 8 May 2022 18:45:07 -0700
Subject: [PATCH] bug fix c2
---
portal/lib/doc_lib.php | 37 ++++++++++++++-----
portal/patient/scripts/app/onsitedocuments.js | 1 +
.../templates/OnsiteDocumentListView.tpl.php | 3 ++
3 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/portal/lib/doc_lib.php b/portal/lib/doc_lib.php
index ef9225ac4a5..a6e1df82f33 100644
--- a/portal/lib/doc_lib.php
+++ b/portal/lib/doc_lib.php
@@ -17,9 +17,23 @@ OpenEMR\Common\Session\SessionUtil::portalSessionStart(); if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
+ // ensure patient is bootstrapped (if sent)
+ if (!empty($_POST['cpid'])) {
+ if ($_POST['cpid'] != $_SESSION['pid']) {
+ echo "illegal Action";
+ OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
+ exit;
+ }
+ }
$pid = $_SESSION['pid']; $ignoreAuth_onsite_portal = true; require_once(__DIR__ . "/../../interface/globals.php");
+ // only support download handler from patient portal
+ if ($_POST['handler'] != 'download') {
+ echo xlt("Not authorized");
+ OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
+ exit;
+ }
} else { OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy(); $ignoreAuth = false;
@@ -36,6 +50,16 @@ require_once(__DIR__ . "/appsql.class.php"); use Mpdf\Mpdf;
+use OpenEMR\Common\Csrf\CsrfUtils;
+
+if (!(isset($GLOBALS['portal_onsite_two_enable'])) || !($GLOBALS['portal_onsite_two_enable'])) {
+ echo xlt('Patient Portal is turned off');
+ exit;
+}
+// confirm csrf (from both portal and core)
+if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'doc-lib')) {
+ CsrfUtils::csrfNotVerified();
+}
$logit = new ApplicationTable(); $htmlin = $_POST['content'];
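Review bot: The new cpid guard uses loose comparison, `$_POST['cpid'] != $_SESSION['pid']`, so PHP numeric-string juggling decides the match (a posted `'1e1'` is accepted against pid `10`), and `$_POST['handler'] != 'download'` raises an undefined-index warning when no handler field is posted. Compare as strings and default the missing key: `if ((string) $_POST['cpid'] !== (string) $_SESSION['pid']) {` and `if (($_POST['handler'] ?? '') !== 'download') {`. Because `!empty()` also skips the guard for a cpid of `'0'` or an absent field, code further down that still reads `$cpid` (the `$form_filename` line in a later hunk) cannot assume the guard ran. Both rejections print text and exit with HTTP 200, so the `$.post` caller in onsitedocuments.js sees them as successful responses unless its done handler checks the body.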
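Review bot: `$_POST["csrf_token_form"]` is read without a default in the `verifyCsrfToken` call, so a request lacking the field produces an undefined-index warning and passes null before the token is rejected; `CsrfUtils::verifyCsrfToken($_POST['csrf_token_form'] ?? '', 'doc-lib')` makes an absent token fail the same way as a wrong one. The comment says the check applies to both portal and core callers, but this patch only adds the token to the portal's onsitedocuments.js post, so any core-side page that posts to doc_lib.php without a 'doc-lib' token would now stop at `csrfNotVerified()`. That is worth confirming against the other callers, which are not visible in this patch.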
@@ -49,9 +73,6 @@ $category = $result['id'] ?: 3; } $form_filename = convert_safe_file_dir_name($_REQUEST['docid']) . '_' . convert_safe_file_dir_name($cpid) . '.pdf';
- $templatedir = $GLOBALS['OE_SITE_DIR'] . "/documents/onsite_portal_documents/patient_documents";
- $templatepath = "$templatedir/$form_filename";
- $htmlout = '';
$config_mpdf = array( 'tempDir' => $GLOBALS['MPDF_WRITE_DIR'], 'mode' => $GLOBALS['pdf_language'],
@@ -100,6 +121,8 @@ $pdf->SetDirectionality('rtl'); }
+ // purify html
+ $htmlin = (new \HTMLPurifier(\HTMLPurifier_Config::createDefault()))->purify($htmlin);
$htmlin = "$htmlin"; // need custom stylesheet for templates $pdf->writeHtml($htmlin);
@@ -112,12 +135,6 @@ exit(); }
- if ($dispose == 'view') {
- Header("Content-type: application/pdf");
- $pdf->Output($templatepath, 'I');
- exit();
- }
-
if ($dispose == 'chart') { if (!$cpid) { echo js_escape("ERROR " . xla("Missing Patient ID"));
@@ -130,5 +147,5 @@ exit(); }; } catch (Exception $e) {
- die($e->getMessage());
+ die(text($e->getMessage()));
}
diff --git a/portal/patient/scripts/app/onsitedocuments.js b/portal/patient/scripts/app/onsitedocuments.js
index 6923731805f..82bf9753688 100644
--- a/portal/patient/scripts/app/onsitedocuments.js
+++ b/portal/patient/scripts/app/onsitedocuments.js
@@ -492,6 +492,7 @@ var page = { signerAlertMsg(alertMsg1, 3000, "warning"); let posting = $.post("./../lib/doc_lib.php", {
+ csrf_token_form: csrfTokenDoclib,
cpid: cpid, docid: docid, catid: catid,
diff --git a/portal/patient/templates/OnsiteDocumentListView.tpl.php b/portal/patient/templates/OnsiteDocumentListView.tpl.php
index 482780a610a..e9de3628fbd 100644
--- a/portal/patient/templates/OnsiteDocumentListView.tpl.php
+++ b/portal/patient/templates/OnsiteDocumentListView.tpl.php
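Review bot: `\HTMLPurifier_Config::createDefault()` leaves `Cache.SerializerPath` unset, so the purifier writes its serialized definition cache into its own library directory; where that directory is not writable it emits warnings on each request and rebuilds the definition every time. Configure the cache explicitly against a directory this script already treats as writable (or another per-site writable directory), e.g. `$purifierConfig = \HTMLPurifier_Config::createDefault();`, `$purifierConfig->set('Cache.SerializerPath', $GLOBALS['MPDF_WRITE_DIR']);`, `$htmlin = (new \HTMLPurifier($purifierConfig))->purify($htmlin);`. Purifying before the stylesheet wrapper on the following line is the right order, since the default ruleset strips style elements; that wrapper's content was lost in extraction and is presumably what re-adds the template styling. The enclosing try block starts outside this hunk.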
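Review bot: `die(text($e->getMessage()))` escapes the message for HTML but still returns the raw exception text (mPDF, database or filesystem details) to the portal client, with a 200 status. Log it server-side and return a generic translated message instead: `error_log(errorLogEscape($e->getMessage()));` followed by `die(xlt('Unable to generate document'));`. The try block this catch closes begins outside the hunk.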
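Review bot: `csrfTokenDoclib` is referenced as a bare global that the page template must define before this code runs; if a template path does not emit it, this `$.post` throws a ReferenceError in the browser before any request is sent, so the server-side check in doc_lib.php never reports anything. It is worth confirming the template sets it on every path that loads this script; a guard such as `csrf_token_form: (typeof csrfTokenDoclib === 'string') ? csrfTokenDoclib : '',` would turn that case into a server-side CSRF rejection instead. Also note that doc_lib.php now ends several rejections ("illegal Action", "Not authorized", the CSRF failure) with plain text and exit, so the done handler attached to `posting` (outside this hunk) should inspect the response body rather than treat any 200 reply as success.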
@@ -12,6 +12,7 @@ * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */
+use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Core\Header; use OpenEMR\Services\DocumentTemplates\DocumentTemplateService;
@@ -74,6 +75,7 @@ ";var catid=" . js_escape($category) . ";var catname=" . js_escape($catname) . ";"; echo ""; echo "";
+ echo "";
// translations echo ""; echo "";
@@ -351,6 +353,7 @@ function restoreDocumentEdits() {
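Review bot: The body of the added `echo "";` was lost in extraction, so what the new script line emits cannot be checked here; for the JS change in this patch to work it has to define `csrfTokenDoclib`, and the token it carries must be collected for the same `'doc-lib'` subject that doc_lib.php verifies, e.g. `echo "<script>var csrfTokenDoclib = " . js_escape(CsrfUtils::collectCsrfToken('doc-lib')) . ";</script>";`. Embedding it through `js_escape(...)`, as the neighbouring `catid`/`catname` assignments do, keeps the token a quoted JS string literal. The `@@ -12` hunk imports CsrfUtils for this purpose.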
+