diff --git a/pts-core/phoromatic/pages/phoromatic_benchmark.php b/pts-core/phoromatic/pages/phoromatic_benchmark.php index 809f081c46..5c64cf711c 100644 --- a/pts-core/phoromatic/pages/phoromatic_benchmark.php +++ b/pts-core/phoromatic/pages/phoromatic_benchmark.php @@ -79,7 +79,7 @@ public static function render_page_process($PATH) if(!empty($row)) { - if(isset($_GET['remove'])) + if(isset($_GET['remove']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('DELETE FROM phoromatic_benchmark_tickets WHERE AccountID = :account_id AND TicketID = :ticket_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -87,7 +87,7 @@ public static function render_page_process($PATH) $result = $stmt->execute(); header('Location: /?benchmark'); } - else if(isset($_GET['repeat'])) + else if(isset($_GET['repeat']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET TicketIssueTime = :new_ticket_time, State = 1 WHERE AccountID = :account_id AND TicketID = :ticket_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -95,7 +95,7 @@ public static function render_page_process($PATH) $stmt->bindValue(':new_ticket_time', time()); $result = $stmt->execute(); } - else if(isset($_GET['disable'])) + else if(isset($_GET['disable']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET State = 0 WHERE AccountID = :account_id AND TicketID = :ticket_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -107,7 +107,7 @@ public static function render_page_process($PATH) $main .= '
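Review bot: The `remove`, `repeat` and `disable` handlers at `if(isset($_GET['remove']) && verify_submission_token())` and the two `else if` lines in the @@ -87 and @@ -95 hunks still mutate tickets on a plain GET, so the CSRF token has to travel in the URL, where it is exposed through Referer headers, browser history and access logs. Converting these three links (rendered in the @@ -107 hunk) into small POST forms built with `write_token_in_form()`, as the other pages in this commit do, keeps the token out of the URL. A rejected token currently just falls through and re-renders the page with no message and no log line, which hides both expired sessions and genuine cross-site attempts from the operator; one trailing `else if(isset($_GET['remove']) || isset($_GET['repeat']) || isset($_GET['disable'])) { /* token rejected: log and tell the user */ }` would surface it. The same silent fall-through applies to every handler touched in phoromatic_schedules.php, phoromatic_system_claim.php and phoromatic_systems.php. render_page_process() starts and ends outside these hunks.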

' . $row['Title'] . '

'; $main .= '

' . $row['Description'] . '

'; $main .= '

This benchmark ticket was created on ' . date('j F Y \a\t H:i', strtotime($row['LastModifiedOn'])) . ' by ' . $row['LastModifiedBy'] . '. The ticket was last issued for testing at ' . date('j F Y \a\t H:i', $row['TicketIssueTime']) . '.'; - $main .= '

Repeat Ticket       Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? '       End Ticket' : null) . '

'; + $main .= '

Repeat Ticket       Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? '       End Ticket' : null) . '

'; if(!empty($row['RunTargetSystems'])) { diff --git a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php index 9edb5fa9c5..5cbc43ade5 100644 --- a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php +++ b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php @@ -37,6 +37,7 @@ public static function preload($PAGE) } public static function render_page_process($PATH) { + phoromatic_quit_if_invalid_input_found(array('tp')); $test_profile = new pts_test_profile($_GET['tp']); $name = $test_profile->get_title(); $description = $test_profile->get_description(); diff --git a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php index 6a8323ca97..5ae916aca9 100644 --- a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php +++ b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php @@ -36,6 +36,7 @@ public static function preload($PAGE) } public static function render_page_process($PATH) { + phoromatic_quit_if_invalid_input_found(array('ts')); $ts = $_GET['ts']; $ts_file = phoromatic_server::find_suite_file($_SESSION['AccountID'], $ts); $test_suite = new pts_test_suite($ts_file); diff --git a/pts-core/phoromatic/pages/phoromatic_schedules.php b/pts-core/phoromatic/pages/phoromatic_schedules.php index 9424a65577..333221d4b3 100644 --- a/pts-core/phoromatic/pages/phoromatic_schedules.php +++ b/pts-core/phoromatic/pages/phoromatic_schedules.php @@ -57,7 +57,7 @@ public static function render_page_process($PATH) if(!PHOROMATIC_USER_IS_VIEWER) { - if(isset($_POST['add_to_schedule_select_test'])) + if(isset($_POST['add_to_schedule_select_test']) && verify_submission_token()) { phoromatic_quit_if_invalid_input_found(array('add_to_schedule_select_test')); $name = $_POST['add_to_schedule_select_test']; 
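Review bot: `phoromatic_quit_if_invalid_input_found(array('tp'))` is now the only guard before `new pts_test_profile($_GET['tp'])`, and likewise `array('ts')` before `phoromatic_server::find_suite_file($_SESSION['AccountID'], $ts)` in the phoromatic_r_basic_suite_details.php hunk, but what that helper rejects is not visible in this diff; since `ts` presumably ends up in a filesystem path, it should be confirmed to refuse `/`, `\` and `..` rather than only HTML metacharacters. Neither page checks that the parameter is present, so a request without `tp`/`ts` still reaches the constructor with an undefined index; a presence check such as `if(!isset($_GET['tp'])) { return; }` (or whatever this page's convention for a missing argument is) ahead of the validator would close that. Both render_page_process() bodies continue past the hunk.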
@@ -89,7 +89,7 @@ public static function render_page_process($PATH) phoromatic_add_activity_stream_event('tests_for_schedule', $PATH[0], 'added'); } } - else if(isset($_POST['suite_add'])) + else if(isset($_POST['suite_add']) && verify_submission_token()) { $test_suite = phoromatic_server::find_suite_file($_SESSION['AccountID'], $_POST['suite_add']); if(is_file($test_suite)) @@ -154,7 +154,7 @@ public static function render_page_process($PATH) $row['State'] = $new_state; phoromatic_add_activity_stream_event('schedule', $PATH[0], $PATH[1]); } - else if(isset($_POST['do_manual_test_run'])) + else if(isset($_POST['do_manual_test_run']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_triggers (AccountID, ScheduleID, Trigger, TriggeredOn) VALUES (:account_id, :schedule_id, :trigger, :triggered_on)'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -164,7 +164,7 @@ public static function render_page_process($PATH) $stmt->execute(); $main .= '
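Review bot: The context at the top of the @@ -154 hunk (`$row['State'] = $new_state; phoromatic_add_activity_stream_event('schedule', $PATH[0], $PATH[1]);`) is the tail of a state-changing branch whose `if`/`else if` line lies between the @@ -89 and @@ -154 hunks and is not in the diff, so it is unclear whether that branch also received `&& verify_submission_token()`. The chain is only as strong as its weakest `else if`; every branch that writes to the database should carry the check, and the form that posts to it should emit `write_token_in_form()`. render_page_process() starts above and ends below these hunks.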

Manual Test Run Triggered

'; } - else if(isset($_POST['skip_current_ticket'])) + else if(isset($_POST['skip_current_ticket']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_trigger_skips (AccountID, ScheduleID, Trigger) VALUES (:account_id, :schedule_id, :trigger)'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -251,10 +251,10 @@ public static function render_page_process($PATH) $main .= '

This test schedule can be manually triggered to run at any time by calling ' . $trigger_url . ' where XXX is the trigger value to be used (if relevant, such as a time-stamp, Git/SVN commit number or hash, etc). There\'s also the option of sub-targeting system(s) part of this schedule. One option is appending &sub_target_this_ip if this URL is being called from one of the client test systems to only sub-target the triggered testing on that client, among other options.

'; $main .= '

If you wish to run this test schedule now, click the following button and the schedule will be run on all intended systems at their next earliest possible convenience.

'; $main .= '

'; - $main .= ''; + $main .= write_token_in_form() . ''; $main .= '

'; $main .= '

'; - $main .= ''; + $main .= write_token_in_form() . ''; $main .= '

'; } @@ -329,7 +329,7 @@ public static function render_page_process($PATH) { $main .= '

Add A Test

'; $main .= '
'; - $main .= ''; $dc = pts_client::download_cache_path(); $dc_exists = is_file($dc . 'pts-download-cache.json'); if($dc_exists) @@ -376,7 +376,7 @@ public static function render_page_process($PATH) $main .= '

Add A Suite:

'; $main .= ''; - $main .= '

'; foreach(array_merge($local_suites, $official_suites) as $title => $id) { $main .= ''; diff --git a/pts-core/phoromatic/pages/phoromatic_system_claim.php b/pts-core/phoromatic/pages/phoromatic_system_claim.php index cdf2c8a866..1cc075115a 100644 --- a/pts-core/phoromatic/pages/phoromatic_system_claim.php +++ b/pts-core/phoromatic/pages/phoromatic_system_claim.php @@ -42,7 +42,7 @@ public static function render_page_process($PATH) if(!PHOROMATIC_USER_IS_VIEWER) { - if(function_exists('ssh2_connect') && isset($_POST['ip']) && isset($_POST['port']) && isset($_POST['password']) && isset($_POST['username'])) + if(function_exists('ssh2_connect') && isset($_POST['ip']) && isset($_POST['port']) && isset($_POST['password']) && isset($_POST['username']) && verify_submission_token()) { $connection = ssh2_connect($_POST['ip'], $_POST['port']); @@ -72,7 +72,7 @@ public static function render_page_process($PATH) ssh2_exec($connection, 'rm' . $tmp_remote_file); } } - if((isset($_POST['ip_claim']) && !empty($_POST['ip_claim'])) && isset($_POST['ping'])) + if((isset($_POST['ip_claim']) && !empty($_POST['ip_claim'])) && isset($_POST['ping']) && verify_submission_token()) { $ip_ping = ip2long($_POST['ip_claim']) !== false ? $_POST['ip_claim'] : null; if($ip_ping) @@ -83,7 +83,7 @@ public static function render_page_process($PATH) echo ''; } } - else if((isset($_POST['ip_claim']) && !empty($_POST['ip_claim'])) || (isset($_POST['mac_claim']) && !empty($_POST['mac_claim']))) + else if(((isset($_POST['ip_claim']) && !empty($_POST['ip_claim'])) || (isset($_POST['mac_claim']) && !empty($_POST['mac_claim']))) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_system_association_claims (AccountID, IPAddress, NetworkMAC, CreationTime) VALUES (:account_id, :ip_address, :mac_address, :creation_time)'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); 
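Review bot: The SSH branch at `if(function_exists('ssh2_connect') && isset($_POST['ip']) && ... && verify_submission_token())` still passes the raw POST values to `ssh2_connect($_POST['ip'], $_POST['port'])`; the port at least should be narrowed before use, e.g. `$connection = ssh2_connect($_POST['ip'], (int) $_POST['port']);`, and a non-numeric or out-of-range port rejected up front. In the @@ -72 context, `ssh2_exec($connection, 'rm' . $tmp_remote_file);` appears to lack a space after `rm` unless `$tmp_remote_file` begins with one; worth a look while this block is being touched. The parenthesisation in the @@ -83 hunk, `((ip_claim) || (mac_claim)) && verify_submission_token()`, is correct and keeps the token check from being short-circuited by the OR. render_page_process() starts and ends outside these hunks.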
@@ -92,7 +92,7 @@ public static function render_page_process($PATH) $stmt->bindValue(':creation_time', phoromatic_server::current_time()); $result = $stmt->execute(); } - if(isset($_POST['remove_claim']) && !empty($_POST['remove_claim'])) + if(isset($_POST['remove_claim']) && !empty($_POST['remove_claim']) && verify_submission_token()) { list($ipc, $macc) = explode(',', $_POST['remove_claim']); $stmt = phoromatic_server::$db->prepare('DELETE FROM phoromatic_system_association_claims WHERE AccountID = :account_id AND NetworkMAC = :mac_address AND IPAddress = :ip_address'); @@ -109,7 +109,7 @@ public static function render_page_process($PATH) if(function_exists('ssh2_connect')) { $main .= '

Phoromatic Client SSH Information:

'; - $main .= ' + $main .= '' . write_token_in_form() . '

IP Address:

SSH Port:

Username:

@@ -124,7 +124,7 @@ public static function render_page_process($PATH) $main .= '
'; $main .= '

Add Phoromatic Server Info Via IP/MAC

If deploying a Phoromatic Server within an organization, you can attempt for automatic configuration of Phoromatic clients if you know the system\'s IP or MAC addresses. When specifying either of these fields, if a Phoromatic client attempts to connect to this Phoromatic system without being associated to an account, it will be claimed by this account as long as no other Phoromatic accounts are attempting to claim the IP/MAC. This method can be particularly useful if running the Phoromatic client as a systemd/Upstart service where it will continually poll every 90 seconds auto-detected Phoromatic Servers on the LAN via zero-conf networking. For this feature to work, the zero-conf networking (Avahi) support must be enabled and working.

'; - $main .= ' + $main .= '' . write_token_in_form() . '

IP Address Claim:

MAC Address Claim:

 

@@ -147,7 +147,7 @@ public static function render_page_process($PATH) if(!empty($claims)) { $main .= '

Remove Claim

Removing a claimed IP / MAC address.

'; - $main .= '

' . write_token_in_form(); foreach($claims as $claim) { diff --git a/pts-core/phoromatic/pages/phoromatic_systems.php b/pts-core/phoromatic/pages/phoromatic_systems.php index 55fb345419..f550490af3 100644 --- a/pts-core/phoromatic/pages/phoromatic_systems.php +++ b/pts-core/phoromatic/pages/phoromatic_systems.php @@ -52,7 +52,7 @@ public static function render_page_process($PATH) $stmt->bindValue(':block_power_offs', $_POST['block_power_offs']); $stmt->execute(); } - if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['maintenance_mode'])) + if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['maintenance_mode']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_systems SET MaintenanceMode = :maintenance_mode WHERE AccountID = :account_id AND SystemID = :system_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -67,7 +67,7 @@ public static function render_page_process($PATH) $stmt->bindValue(':system_id', $PATH[0]); $stmt->execute(); } - if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['tick_thread_reboot'])) + if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['tick_thread_reboot']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_systems SET TickThreadEvent = :event WHERE AccountID = :account_id AND SystemID = :system_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); 
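Review bot: The context above the new `maintenance_mode` line, `$stmt->bindValue(':block_power_offs', $_POST['block_power_offs']); $stmt->execute(); }`, is the tail of another POST handler whose guard sits above the hunk, so it is not visible whether `block_power_offs` also gained `&& verify_submission_token()`. That handler writes to the database just like `maintenance_mode`, `tick_thread_reboot` and `tick_thread_halt`, and its form (not in the diff) would need `write_token_in_form()` as well. render_page_process() starts above this hunk.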
@@ -75,7 +75,7 @@ public static function render_page_process($PATH) $stmt->bindValue(':event', time() . ':reboot'); $stmt->execute(); } - if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['tick_thread_halt'])) + if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['tick_thread_halt']) && verify_submission_token()) { $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_systems SET TickThreadEvent = :event WHERE AccountID = :account_id AND SystemID = :system_id'); $stmt->bindValue(':account_id', $_SESSION['AccountID']); @@ -92,6 +92,7 @@ public static function render_page_process($PATH) } if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['system_var_names'])&& isset($_POST['system_var_values'])) { + phoromatic_quit_if_invalid_input_found(array('system_var_names', 'system_var_values')); $vars = array(); foreach($_POST['system_var_names'] as $i => $name) { @@ -199,13 +200,13 @@ public static function render_page_process($PATH) $mm_onclick = 'return confirm(\'Enter maintenance mode now?\');'; } - $main .= '
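Review bot: The line `if(!PHOROMATIC_USER_IS_VIEWER && !empty($PATH[0]) && isset($_POST['system_var_names'])&& isset($_POST['system_var_values']))` in the @@ -92 hunk is the one handler in this file that did not receive `&& verify_submission_token()`, so the system-variables update stays reachable cross-site while its siblings are now protected; adding the check here and `write_token_in_form()` to the corresponding form (not in the diff) would close the gap. The new `phoromatic_quit_if_invalid_input_found(array('system_var_names', 'system_var_values'))` is applied to array-valued fields (the following `foreach` iterates `$_POST['system_var_names']`), so confirm the helper walks arrays rather than coercing them to the string `Array`, otherwise the validation is a no-op for this input. The missing space in `isset($_POST['system_var_names'])&& isset(` is a style nit on the same line. render_page_process() continues past the hunk.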

Putting the system into maintenance mode will power up the system (if supported and applicable) and cause the Phoronix Test Suite Phoromatic client to idle and block all testing until the mode has been disabled. If a test is already running on the system, the maintenance mode will not be entered until after the testing has completed. The maintenance mode can be used if wishing to update the system software or carry out other tasks without interfering with the Phoromatic client process. Once disabled, the Phoronix Test Suite will continue to function as normal.

'; + $main .= '

' . write_token_in_form() . '
Putting the system into maintenance mode will power up the system (if supported and applicable) and cause the Phoronix Test Suite Phoromatic client to idle and block all testing until the mode has been disabled. If a test is already running on the system, the maintenance mode will not be entered until after the testing has completed. The maintenance mode can be used if wishing to update the system software or carry out other tasks without interfering with the Phoromatic client process. Once disabled, the Phoronix Test Suite will continue to function as normal.

'; if($row['CoreVersion'] >= 5730) { - $main .= '

If the system is currently powered up and connected to the Phoromatic Server, this will send a message to the system to issue a reboot -- in case the system is hung on a test or you wish to otherwise manually reboot the server.

'; + $main .= '

' . write_token_in_form() . '
If the system is currently powered up and connected to the Phoromatic Server, this will send a message to the system to issue a reboot -- in case the system is hung on a test or you wish to otherwise manually reboot the server.

'; - $main .= '

If the system is currently powered up and running a test/benchmark via the Phoromatic Server, this will tell the system to halt the testing prematurely as soon as the currently-active test has finished. The results successfully ran will then be uploaded to the Phoromatic Server.

'; + $main .= '

' . write_token_in_form() . '
If the system is currently powered up and running a test/benchmark via the Phoromatic Server, this will tell the system to halt the testing prematurely as soon as the currently-active test has finished. The results successfully ran will then be uploaded to the Phoromatic Server.

'; } } diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php index 45820488b6..ffbef1c5ed 100644 --- a/pts-core/phoromatic/phoromatic_functions.php +++ b/pts-core/phoromatic/phoromatic_functions.php @@ -527,9 +527,9 @@ function write_token_in_form() { return ''; } -function append_token_to_url() +function append_token_to_url($prefix = '/') { - return '/&token_submit=' . $_SESSION['Token']; + return $prefix . '&token_submit=' . $_SESSION['Token']; } function verify_submission_token() {
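Review bot: `append_token_to_url($prefix = '/')` concatenates `$_SESSION['Token']`, and now a caller-supplied `$prefix`, into a URL without `urlencode()`; if the token is random hex that is harmless, but `return $prefix . '&token_submit=' . urlencode($_SESSION['Token']);` costs nothing and protects against a future change in token format. Any page that uses this helper places the CSRF token in a GET URL where it is exposed via Referer headers, history and server logs, which is why the POST path through `write_token_in_form()` should be preferred for state-changing actions. The body of `verify_submission_token()` is below the hunk; it is worth confirming that it compares with `hash_equals()` and returns false when `$_SESSION['Token']` is unset rather than matching an empty value.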