sec(Calendar) sanitize inputs and use pquery to protect SQL

modules/Calendar4You/CalendarView.php

@@ -206,7 +206,7 @@
 );
 
 if (isset($_REQUEST['viewOption']) && $_REQUEST['viewOption']!= '') {
-	$default_view = $_REQUEST['viewOption'];
+	$default_view = vtlib_purify($_REQUEST['viewOption']);
 } else {
 	if ($current_user->activity_view == 'This Year') {
 		$default_view = 'month';
@@ -228,7 +228,7 @@
 $smarty->assign('upESTATUSBLOCK_DISPLAY', isset($Ch_Views['8']) ? $Ch_Views['8'] : 'block');
 $smarty->assign('upTPRIORITYBLOCK_DISPLAY', isset($Ch_Views['9']) ? $Ch_Views['9'] : 'block');
 if (isset($_REQUEST['user_view_type']) && $_REQUEST['user_view_type'] != '') {
-	$user_view_type = $_REQUEST['user_view_type'];
+	$user_view_type = vtlib_purify($_REQUEST['user_view_type']);
 } else {
 	if ($Calendar_Settings['user_view']== 'all') {
 		$user_view_type = 'all';

modules/Calendar4You/Events.php

@@ -26,12 +26,12 @@
 $save = (isset($_REQUEST['save']) ? vtlib_purify($_REQUEST['save']) : '');
 $full_calendar_view = vtlib_purify($_REQUEST['view']);
 if (isset($_REQUEST['record']) && $_REQUEST['record'] != '') {
-	$record = $_REQUEST['record'];
+	$record = vtlib_purify($_REQUEST['record']);
 }
 
 if (!empty($_REQUEST['usersids'])) {
 	$all_users = true;
-	$Users_Ids = explode(',', $_REQUEST['usersids']);
+	$Users_Ids = explode(',', vtlib_purify($_REQUEST['usersids']));
 } else {
 	$all_users = false;
 	if ($user_view_type != 'all') {
@@ -169,7 +169,7 @@
 $showGroupEvents = GlobalVariable::getVariable('Calendar_Show_Group_Events', 1);
 $modtab = array_flip($tasklabel);
 foreach ($Users_Ids as $userid) {
-	if (!$userid) {
+	if (empty($userid) || !is_numeric($userid)) {
 		continue;
 	}
 	if ($showGroupEvents) {
@@ -264,10 +264,12 @@
 		} else {
 			$list_query = getCalendar4YouListQuery($userid, $invites);
 			if ($record != '') {
-				$list_query .= " AND vtiger_crmentity.crmid = '".$record."'";
+				$list_query .= ' AND vtiger_crmentity.crmid=?';
+				$list_array[] = $record;
 			} else {
-				$list_query .= " AND vtiger_activity.dtstart <= '".$usredtime."'";
-				$list_query .= " AND vtiger_activity.dtend >= '".$usrsttime."'";
+				$list_query .= ' AND vtiger_activity.dtstart<=? AND vtiger_activity.dtend>=?';
+				$list_array[] = $usredtime;
+				$list_array[] = $usrsttime;
 			}
 			if (!$invites) {
 				if ($showGroupEvents && $groups != '') {

modules/Calendar4You/SaveEventSettings.php

@@ -10,7 +10,7 @@
 require_once 'include/database/PearDatabase.php';
 global $adb,$current_user;
 
-$user_view_type = $_REQUEST['user_view_type'];
+$user_view_type = vtlib_purify($_REQUEST['user_view_type']);
 
 $mode = vtlib_purify($_REQUEST['mode']);
 if ($mode=='module') {
@@ -29,7 +29,7 @@
 }
 
 $Save_Data = array();
-$save_fields = $_REQUEST['save_fields'];
+$save_fields = vtlib_purify($_REQUEST['save_fields']);
 
 if ($save_fields == '1') {
 	$event = $entity;
@@ -40,9 +40,9 @@
 	$Views = array('day','week','month');
 
 	foreach ($Views as $view) {
-		$Save_Data[] = array($userid,$event,'1',$view,$_REQUEST[$view.'_showed_field']);
+		$Save_Data[] = array($userid,$event,'1',$view,vtlib_purify($_REQUEST[$view.'_showed_field']));
 
-		$Selected_Fields = explode(';', $_REQUEST[$view.'_selected_fields']);
+		$Selected_Fields = explode(';', vtlib_purify($_REQUEST[$view.'_selected_fields']));
 
 		if (count($Selected_Fields) > 0) {
 			foreach ($Selected_Fields as $fieldname) {

modules/Calendar4You/updateCalendarSharing.php

@@ -17,28 +17,28 @@
 	$hour_format = '12';
 }
 
-$activity_view = $_REQUEST['activity_view'];
+$activity_view = vtlib_purify($_REQUEST['activity_view']);
 
-$user_view = $_REQUEST['user_view'];
+$user_view = vtlib_purify($_REQUEST['user_view']);
 
-$adb->pquery('delete from vtiger_sharedcalendar where userid=?', array($_REQUEST['current_userid']));
+$adb->pquery('delete from vtiger_sharedcalendar where userid=?', array(vtlib_purify($_REQUEST['current_userid'])));
 
-$selectedid = $_REQUEST['shar_userid'];
+$selectedid = vtlib_purify($_REQUEST['shar_userid']);
 $sharedid = explode(';', $selectedid);
 if (isset($sharedid) && $sharedid != null) {
 	foreach ($sharedid as $sid) {
 		if ($sid != '') {
-			$adb->pquery('insert into vtiger_sharedcalendar values (?,?)', array($_REQUEST['current_userid'], $sid));
+			$adb->pquery('insert into vtiger_sharedcalendar values (?,?)', array(vtlib_purify($_REQUEST['current_userid']), $sid));
 		}
 	}
 }
 if (isset($_REQUEST['start_hour']) && $_REQUEST['start_hour'] != '') {
-	$adb->pquery('update vtiger_users set start_hour=? where id=?', array($_REQUEST['start_hour'], $current_user->id));
+	$adb->pquery('update vtiger_users set start_hour=? where id=?', array(vtlib_purify($_REQUEST['start_hour']), $current_user->id));
 }
 
 $adb->pquery('update vtiger_users set hour_format=?, activity_view=? where id=?', array($hour_format, $activity_view, $current_user->id));
 
-$dayoftheweek = $_REQUEST['dayoftheweek'];
+$dayoftheweek = vtlib_purify($_REQUEST['dayoftheweek']);
 
 if (isset($_REQUEST['show_weekends']) && $_REQUEST['show_weekends'] == '1') {
 	$show_weekends = '1';
@@ -57,7 +57,7 @@
 	$adb->pquery($sql3, array($current_user->id, $dayoftheweek, $show_weekends, $user_view));
 }
 
-$update_google_account = (isset($_REQUEST['update_google_account']) ? $_REQUEST['update_google_account'] : '0');
+$update_google_account = (isset($_REQUEST['update_google_account']) ? vtlib_purify($_REQUEST['update_google_account']) : '0');
 
 if ($update_google_account == '1') {
 	$google_login = vtlib_purify($_REQUEST['google_login']);
@@ -92,6 +92,6 @@
 
 RecalculateSharingRules();
 $url = 'Location: index.php?action=index&module=Calendar4You&viewOption='.vtlib_purify($_REQUEST['view']).'&hour='.vtlib_purify($_REQUEST['hour'])
-	.'&day='.vtlib_purify($_REQUEST['day']).'&month='.vtlib_purify($_REQUEST['month']).'&year='.vtlib_purify($_REQUEST['year']).'&user_view_type='.$user_view;
+	.'&day='.vtlib_purify($_REQUEST['day']).'&month='.vtlib_purify($_REQUEST['month']).'&year='.vtlib_purify($_REQUEST['year']).'&user_view_type='.urlencode($user_view);
 header($url);
 ?>