Sanitize input.

poweradmin · Dec 1, 2023 · 3455ba2 · 3455ba2
1 parent bfa1a57
commit 3455ba2
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 14 deletions.
diff --git a/edit.php b/edit.php
@@ -134,13 +134,16 @@ public function run(): void
         }
 
         if (isset($_POST['save_as'])) {
-            if (ZoneTemplate::zone_templ_name_exists($this->db, $_POST['templ_name'])) {
+            $template_name = htmlspecialchars($_POST['templ_name']) ?? '';
+            if (ZoneTemplate::zone_templ_name_exists($this->db, $template_name)) {
                 $this->showError(_('Zone template with this name already exists, please choose another one.'));
-            } elseif ($_POST['templ_name'] == '') {
+            } elseif ($template_name == '') {
                 $this->showError(_('Template name can\'t be an empty string.'));
             } else {
                 $records = DnsRecord::get_records_from_domain_id($this->db, $this->config('db_type'), $zone_id);
-                ZoneTemplate::add_zone_templ_save_as($this->db, $this->config('db_type'), $_POST['templ_name'], $_POST['templ_descr'], $_SESSION['userid'], $records, DnsRecord::get_domain_name_by_id($this->db, $zone_id));
+
+                $description = htmlspecialchars($_POST['templ_descr']) ?? '';
+                ZoneTemplate::add_zone_templ_save_as($this->db, $this->config('db_type'), $template_name, $description, $_SESSION['userid'], $records, DnsRecord::get_domain_name_by_id($this->db, $zone_id));
                 $this->setMessage('edit', 'success', _('Zone template has been added successfully.'));
             }
         }
@@ -165,15 +168,20 @@ public function run(): void
         }
 
         $types = ZoneType::getTypes();
-        if (isset($_POST['type_change']) && in_array($_POST['newtype'], $types)) {
-            DnsRecord::change_zone_type($this->db, $_POST['newtype'], $zone_id);
+
+        $new_type = htmlspecialchars($_POST['newtype'] ?? '');
+        if (isset($_POST['type_change']) && in_array($new_type, $types)) {
+            DnsRecord::change_zone_type($this->db, $new_type, $zone_id);
         }
+
         if (isset($_POST["newowner"]) && is_numeric($_POST["domain"]) && is_numeric($_POST["newowner"])) {
             DnsRecord::add_owner_to_zone($this->db, $_POST["domain"], $_POST["newowner"]);
         }
+
         if (isset($_POST["delete_owner"]) && is_numeric($_POST["delete_owner"])) {
             DnsRecord::delete_owner_from_zone($this->db, $zone_id, $_POST["delete_owner"]);
         }
+
         if (isset($_POST["template_change"])) {
             if (!isset($_POST['zone_template']) || "none" == $_POST['zone_template']) {
                 $new_zone_template = 0;

diff --git a/edit_user.php b/edit_user.php
@@ -74,19 +74,19 @@ public function saveUser($edit_id): void
         $i_perm_templ = "0";
 
         if (isset($_POST['username'])) {
-            $i_username = $_POST['username'];
+            $i_username = htmlspecialchars($_POST['username']);
         }
 
         if (isset($_POST['fullname'])) {
-            $i_fullname = $_POST['fullname'];
+            $i_fullname = htmlspecialchars($_POST['fullname']);
         }
 
         if (isset($_POST['email'])) {
-            $i_email = $_POST['email'];
+            $i_email = htmlspecialchars($_POST['email']);
         }
 
         if (isset($_POST['description'])) {
-            $i_description = $_POST['description'];
+            $i_description = htmlspecialchars($_POST['description']);
         }
 
         if (isset($_POST['password'])) {

diff --git a/edit_zone_templ.php b/edit_zone_templ.php
@@ -60,7 +60,6 @@ public function run(): void
             $this->showFirstError($v->errors());
         }
 
-        $zone_templ_id = htmlspecialchars($_GET['id']);
         if (ZoneTemplate::zone_templ_id_exists($this->db, $zone_templ_id) == "0") {
             $this->showError(_('There is no zone template with this ID.'));
         }

diff --git a/install/helpers/install_helpers.php b/install/helpers/install_helpers.php
@@ -76,6 +76,11 @@ function step4($twig, $current_step, $default_config_file): void {
         $credentials['db_file'] = $credentials['db_name'];
     }
 
+    foreach ($credentials as $key => $value) {
+        $value = strip_tags(trim($value));
+        $credentials[$key] = $value;
+    }
+
     $pa_pass = $_POST['pa_pass'];
 
     $databaseConnection = new PDODatabaseConnection();

diff --git a/search.php b/search.php
@@ -68,10 +68,10 @@ public function run(): void
         if ($this->isPost()) {
             $parameters['query'] = !empty($_POST['query']) ? htmlspecialchars($_POST['query']) : '';
 
-            $parameters['zones'] = $_POST['zones'] ?? false;
-            $parameters['records'] = $_POST['records'] ?? false;
-            $parameters['wildcard'] = $_POST['wildcard'] ?? false;
-            $parameters['reverse'] = $_POST['reverse'] ?? false;
+            $parameters['zones'] = htmlspecialchars($_POST['zones']) ?? false;
+            $parameters['records'] = htmlspecialchars($_POST['records']) ?? false;
+            $parameters['wildcard'] = htmlspecialchars($_POST['wildcard']) ?? false;
+            $parameters['reverse'] = htmlspecialchars($_POST['reverse']) ?? false;
 
             $zones_page = isset($_POST['zones_page']) ? (int)$_POST['zones_page'] : 1;