From e4ff08476be954b99efd19913f4c8f80f6e139c4 Mon Sep 17 00:00:00 2001
From: Michael Larabel
Date: Sat, 25 Jun 2022 05:20:53 -0500
Subject: [PATCH] phoromatic: Additional input sanitization / safety checks

---
 pts-core/objects/pts_result_viewer_embed.php | 5 +++++
 pts-core/objects/pts_strings.php | 16 ++++++++++++++++
 pts-core/phoromatic/phoromatic_functions.php | 5 +++++
 pts-core/phoromatic/public_html/public.php | 2 +-
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/pts-core/objects/pts_result_viewer_embed.php b/pts-core/objects/pts_result_viewer_embed.php
index 62d6d8dd9a..6116c07cbc 100644
--- a/pts-core/objects/pts_result_viewer_embed.php
+++ b/pts-core/objects/pts_result_viewer_embed.php
@@ -36,6 +36,11 @@ public function __construct(&$result_file, $public_id = null)
 {
 $this->result_file = &$result_file;
 $this->result_public_id = $public_id;
+
+ if(isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI']))
+ {
+ pts_strings::exit_if_contains_unsafe_data($_SERVER['REQUEST_URI']);
+ }
 }
 public function allow_modifying_results($can_modify)
 {
diff --git a/pts-core/objects/pts_strings.php b/pts-core/objects/pts_strings.php
index cca6e6d25b..3f452507cc 100644
--- a/pts-core/objects/pts_strings.php
+++ b/pts-core/objects/pts_strings.php
@@ -791,6 +791,22 @@ public static function safety_strings_to_reject()
 {
 return array('<', '>', 'document.write', '../', 'onerror', 'onload', 'alert(', 'String.', 'confirm(', 'focus=', '<', '>', '&#');
 }
+ public static function exit_if_contains_unsafe_data($check, $exit_msg = 'Exited due to suspicious URL.')
+ {
+ if(empty($check))
+ {
+ return;
+ }
+
+ foreach(pts_strings::safety_strings_to_reject() as $invalid_string)
+ {
+ if(stripos($check, $invalid_string) !== false)
+ {
+ echo '' . $exit_msg . '';
+ exit;
+ }
+ }
+ }
 }
 ?>
diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
index 7a691a4515..74ccc5444c 100644
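Review bot: The new guard `isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI'])` in the constructor is redundant, because `empty()` already returns true for an unset key; `if(!empty($_SERVER['REQUEST_URI']))` says the same thing, and the identical guard appears again in the phoromatic_functions.php hunk. The check also runs against the raw request URI, whereas any parameters later read from `$_GET`/`$_POST` have already been URL-decoded by PHP, so the denylist and the code that consumes the values are not inspecting the same string; treat this as a tripwire rather than the control that prevents markup injection, and keep `htmlspecialchars()` at every point where request data is echoed. Aborting the request from a library-class constructor is a surprising side effect for callers that construct this object outside a web request, so it deserves a comment such as `// Web context only: ends the request if the URI contains a blocklisted fragment.`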
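Review bot: `exit_if_contains_unsafe_data()` ends the request with the default 200 status and echoes `$exit_msg` unescaped, so a rejected request looks like a served page in access logs and a non-default `$exit_msg` reaches the response raw; add `http_response_code(400);` before the `echo` and print `htmlspecialchars($exit_msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` instead of the bare string. Because the method is a substring match against the fixed list from `safety_strings_to_reject()`, it catches exactly those literals and nothing else, which is acceptable for a second line of defence but should not be documented as sanitization; a short docblock stating that it is a blocklist tripwire and that output escaping remains the primary control would keep future callers from relying on it. It would also help operations to record which entry matched (for example via `error_log()`) before `exit`, since the response body gives the operator nothing to investigate.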
--- a/pts-core/phoromatic/phoromatic_functions.php
+++ b/pts-core/phoromatic/phoromatic_functions.php
@@ -87,6 +87,11 @@ function phoromatic_init_web_page_setup()
 include('../../pts-core.php');
 pts_core::init();
+
+ if(isset($_SERVER['REQUEST_URI']) && !empty($_SERVER['REQUEST_URI']))
+ {
+ pts_strings::exit_if_contains_unsafe_data($_SERVER['REQUEST_URI']);
+ }
 }
 function phoromatic_webui_header($left_items, $right = null)
 {
diff --git a/pts-core/phoromatic/public_html/public.php b/pts-core/phoromatic/public_html/public.php
index 783149f545..6fe0609dfc 100644
--- a/pts-core/phoromatic/public_html/public.php
+++ b/pts-core/phoromatic/public_html/public.php
@@ -178,7 +178,7 @@ $result_limit = isset($_POST['result_limit']) && is_numeric($_POST['result_limit']) && $_POST['result_limit'] > 9 ? $_POST['result_limit'] : 50; $main .= '


'; - $main .= '
Show Results For '; $results_for_length = array( '24 hours' => '24 Hours', '3 days' => '3 Days',