Unverified Commit c1959643 authored by Cédric Anne's avatar Cédric Anne Committed by GitHub

Move sanitize logic into a dedicated class

parent 94710084
......@@ -51,10 +51,13 @@ The present file will list all changes made to the project; according to the
- `Html::weblink_extract()`
- `RuleImportComputer` class
- `RuleImportComputerCollection` class
- `Toolbox::clean_cross_side_scripting_deep()`
- `Toolbox::doubleEncodeEmails()`
- `Toolbox::getHtmlToDisplay()`
- `Toolbox::useCache()`
- `Toolbox::unclean_cross_side_scripting_deep()`
- `Toolbox::unclean_html_cross_side_scripting_deep()`
- `Toolbox::sanitize()`
#### Removed
- `Update::declareOldItems()`
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
$AJAX_INCLUDE = 1;
include ('../inc/includes.php');
......@@ -43,6 +45,6 @@ if (isset($_POST['name'])) {
echo "<input type='text' ".(isset($_POST["size"])?" size='".$_POST["size"]."' ":"")." ".
(isset($_POST["maxlength"])?"maxlength='".$_POST["maxlength"]."' ":"")." name='".
$_POST['name']."' value=\"".
Html::cleanInputText(Toolbox::clean_cross_side_scripting_deep(rawurldecode(stripslashes($_POST["data"])))).
Html::cleanInputText(Sanitizer::sanitize(rawurldecode(stripslashes($_POST["data"])))).
"\">";
}
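Review bot: The new `Sanitizer::sanitize()` call on the line replacing `Toolbox::clean_cross_side_scripting_deep()` still protects only the `data` value, while `$_POST["size"]`, `$_POST["maxlength"]` and `$_POST['name']` in the same `echo` are written into attributes as-is. The commit is a mechanical rename so this is presumably out of scope, but those three values should go through `Html::cleanInputText()` as well, e.g. `" name='".Html::cleanInputText($_POST['name'])."'"`, unless includes.php already sanitizes `$_POST` globally, which is not visible here. The same applies to the textarea hunk below (`$_POST['rows']`, `$_POST['cols']`, `$_POST['name']`).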
......@@ -31,6 +31,7 @@
*/
use Glpi\Features\Kanban;
use Glpi\Toolbox\Sanitizer;
$AJAX_INCLUDE = 1;
......@@ -122,7 +123,7 @@ if ($_REQUEST['action'] === 'update') {
$inputs = [];
parse_str($_REQUEST['inputs'], $inputs);
$item->add(Toolbox::clean_cross_side_scripting_deep($inputs));
$item->add(Sanitizer::sanitize($inputs));
} else if ($_REQUEST['action'] === 'bulk_add_item') {
$checkParams(['inputs']);
$item = new $itemtype();
......@@ -135,7 +136,7 @@ if ($_REQUEST['action'] === 'update') {
foreach ($bulk_item_list as $item_entry) {
$item_entry = trim($item_entry);
if (!empty($item_entry)) {
$item->add(Toolbox::clean_cross_side_scripting_deep($inputs + ['name' => $item_entry]));
$item->add(Sanitizer::sanitize($inputs + ['name' => $item_entry]));
}
}
}
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
$AJAX_INCLUDE=1;
include ('../inc/includes.php');
......@@ -41,6 +43,6 @@ Session::checkLoginUser();
if (isset($_POST['name'])) {
echo "<textarea ".(isset($_POST['rows'])?" rows='".$_POST['rows']."' ":"")." ".
(isset($_POST['cols'])?" cols='".$_POST['cols']."' ":"")." name='".$_POST['name']."'>";
echo Html::cleanPostForTextArea(Toolbox::clean_cross_side_scripting_deep(rawurldecode(($_POST["data"]))));
echo Html::cleanPostForTextArea(Sanitizer::sanitize(rawurldecode(($_POST["data"]))));
echo "</textarea>";
}
......@@ -34,6 +34,8 @@
* @since 0.85
*/
use Glpi\Toolbox\Sanitizer;
include ('../inc/includes.php');
......@@ -55,7 +57,7 @@ if (isset($_SESSION['namfield']) && isset($_POST[$_SESSION['namfield']])) {
$login = '';
}
if (isset($_SESSION['pwdfield']) && isset($_POST[$_SESSION['pwdfield']])) {
$password = Toolbox::unclean_cross_side_scripting_deep($_POST[$_SESSION['pwdfield']]);
$password = Sanitizer::unsanitize($_POST[$_SESSION['pwdfield']]);
} else {
$password = '';
}
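Review bot: The `$password = Sanitizer::unsanitize(...)` line makes login correctness depend on `unsanitize()` being an exact inverse of whatever sanitization `$_POST` received upstream (presumably in includes.php, not visible here), and the second argument is not passed, so the stripslashes step that `true` appears to enable in the AuthLDAP hunks is deliberately skipped. A Sanitizer unit test that round-trips passwords containing `&`, `<`, `>`, quotes and backslashes would pin this down, because a mismatch would only show up as failed logins for those users rather than as an error.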
......
......@@ -47,6 +47,7 @@ use Config;
use Contract;
use Document;
use Dropdown;
use Glpi\Toolbox\Sanitizer;
use Html;
use Infocom;
use Item_Devices;
......@@ -1726,7 +1727,7 @@ abstract class API {
$object["_add"] = true;
//add current item
$object = Toolbox::sanitize($object);
$object = Sanitizer::sanitize($object, true);
$new_id = $item->add($object);
if ($new_id === false) {
$failed++;
......@@ -1853,7 +1854,7 @@ abstract class API {
}
//update item
$object = Toolbox::sanitize((array)$object);
$object = Sanitizer::sanitize((array)$object, true);
$update_return = $item->update($object);
if ($update_return === false) {
$failed++;
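Review bot: `Sanitizer::sanitize($object, true)` passes a bare positional `true` whose meaning cannot be recovered from the call site; the same form appears in the Calendar backend and at every call in both console migration commands. The project still supports PHP < 7.3 (`version_compare(PHP_VERSION, '7.3')` in AuthLDAP), so named arguments are not an option; a short comment at the first call in each file, e.g. `// second argument: also escape with addslashes, as Toolbox::sanitize() used to`, or a named constant on the Sanitizer class for the flag, would document it. That reading is inferred from `Sanitizer::sanitize($content, true)` replacing `clean_cross_side_scripting_deep(Toolbox::addslashes_deep(...))` in CommonITILObject; confirm against the new class.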
......
......@@ -31,6 +31,7 @@
*/
use Glpi\Event;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -938,7 +939,7 @@ class Auth extends CommonGLPI {
if (!$DB->isSlave()) {
// GET THE IP OF THE CLIENT
$ip = getenv("HTTP_X_FORWARDED_FOR")?
Toolbox::clean_cross_side_scripting_deep(getenv("HTTP_X_FORWARDED_FOR")):
Sanitizer::sanitize(getenv("HTTP_X_FORWARDED_FOR")):
getenv("REMOTE_ADDR");
if ($this->auth_succeded) {
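Review bot: `Sanitizer::sanitize(getenv("HTTP_X_FORWARDED_FOR"))` only neutralises markup; it does not check that the header holds an IP address, and the header is client-supplied unless a trusted proxy sets it, so `$ip` can be arbitrary text rather than an address. Validating before use is cheap: `$forwarded = getenv("HTTP_X_FORWARDED_FOR");` followed by `$ip = ($forwarded !== false && filter_var($forwarded, FILTER_VALIDATE_IP) !== false) ? $forwarded : getenv("REMOTE_ADDR");` (taking the first comma-separated element if chained proxies are expected), or honouring the header only when `REMOTE_ADDR` is a configured proxy. The enclosing method continues outside the hunk, so how `$ip` is consumed is not visible here.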
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
/**
* Class used to manage Auth LDAP config
*/
......@@ -1701,7 +1703,7 @@ class AuthLDAP extends CommonDBTM {
$count = 0; //Store the number of results ldap_search
do {
$filter = Toolbox::unclean_cross_side_scripting_deep(Toolbox::stripslashes_deep($filter));
$filter = Sanitizer::unsanitize($filter, true);
if (self::isLdapPageSizeAvailable($config_ldap)) {
if (version_compare(PHP_VERSION, '7.3') < 0) {
//prior to PHP 7.3, use ldap_control_paged_result
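Review bot: `$filter = Sanitizer::unsanitize($filter, true);` sits inside the `do { … }` loop, so the filter is unsanitized again on every paging iteration; unless `unsanitize()` is idempotent, the second pass can alter a filter that was correct on the first. Hoisting that line above the `do` keeps the behaviour for single-page results and removes the dependency on idempotence. The same pattern appears in the second AuthLDAP hunk (`@@ -2284`), and the loop's closing `while` is outside both hunks.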
......@@ -2284,7 +2286,7 @@ class AuthLDAP extends CommonDBTM {
$cookie = '';
$count = 0;
do {
$filter = Toolbox::unclean_cross_side_scripting_deep(Toolbox::stripslashes_deep($filter));
$filter = Sanitizer::unsanitize($filter, true);
if (self::isLdapPageSizeAvailable($config_ldap)) {
if (version_compare(PHP_VERSION, '7.3') < 0) {
//prior to PHP 7.3, use ldap_control_paged_result
......@@ -3395,7 +3397,7 @@ class AuthLDAP extends CommonDBTM {
$field_counter++;
$field_value = '';
if (isset($_SESSION['ldap_import']['criterias'][$field])) {
$field_value = Html::entities_deep(Toolbox::unclean_cross_side_scripting_deep(Toolbox::stripslashes_deep($_SESSION['ldap_import']['criterias'][$field])));
$field_value = Html::entities_deep(Sanitizer::unsanitize($_SESSION['ldap_import']['criterias'][$field], true));
}
echo "<input type='text' id='criterias$field' name='criterias[$field]' value='$field_value'>";
echo "</td>";
......
......@@ -39,6 +39,7 @@ if (!defined('GLPI_ROOT')) {
use Glpi\CalDAV\Contracts\CalDAVCompatibleItemInterface;
use Glpi\CalDAV\Node\Property;
use Glpi\CalDAV\Traits\CalDAVUriUtilTrait;
use Glpi\Toolbox\Sanitizer;
use Ramsey\Uuid\Uuid;
use Sabre\CalDAV\Backend\AbstractBackend;
use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet;
......@@ -323,7 +324,7 @@ class Calendar extends AbstractBackend {
$input['uuid'] = Uuid::uuid4();
}
$input = \Toolbox::sanitize($input);
$input = Sanitizer::sanitize($input, true);
if ($item->isNewItem()) {
// Auto set entities_id if exists and not set
......
......@@ -33,6 +33,7 @@
namespace Glpi\CalDAV\Traits;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
use RRule\RRule;
use Sabre\VObject\Component;
use Sabre\VObject\Component\VCalendar;
......@@ -96,7 +97,7 @@ trait VobjectConverterTrait {
$vcomp = $vcalendar->add($component_type);
}
$fields = \Toolbox::unclean_cross_side_scripting_deep($item->fields);
$fields = Sanitizer::unsanitize($item->fields);
$utc_tz = new \DateTimeZone('UTC');
if (array_key_exists('uuid', $fields)) {
......
......@@ -35,6 +35,7 @@ if (!defined('GLPI_ROOT')) {
}
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
/**
* CommonITILObject Class
......@@ -1633,11 +1634,7 @@ abstract class CommonITILObject extends CommonDBTM {
// Build name based on content
// Unsanitize
//
// Using `Toolbox::stripslashes_deep()` on sanitized content will produce "r" and "n" instead of "\r" and \n",
// so newlines have to be removed before calling it.
$content = str_replace(['\r', '\n'], ' ', $input['content']);
$content = Toolbox::stripslashes_deep(Toolbox::unclean_cross_side_scripting_deep($content));
$content = Sanitizer::unsanitize($input['content'], true);
// Get unformatted text
$name = RichText::getTextFromHtml($content, false);
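Review bot: The replacement `$content = Sanitizer::unsanitize($input['content'], true);` drops the `str_replace(['\r', '\n'], ' ', ...)` step and its explanatory comment, which existed because `stripslashes` on sanitized content turned `\r`/`\n` into `r`/`n`. If the `true` argument makes `unsanitize()` strip slashes, as it does where it replaces `stripslashes_deep()` here and in AuthLDAP, the same mangling now reaches `RichText::getTextFromHtml()` unless the new class handles escaped newlines itself, which the diff does not show. A test generating a name from content that contains literal `\r\n` sequences would settle it either way.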
......@@ -1646,7 +1643,7 @@ abstract class CommonITILObject extends CommonDBTM {
$name = Toolbox::substr(preg_replace('/\s{2,}/', ' ', $name), 0, 70);
// Sanitize result
$input['name'] = Toolbox::clean_cross_side_scripting_deep(Toolbox::addslashes_deep($name));
$input['name'] = Sanitizer::sanitize($name, true);
}
// Set default dropdown
......@@ -8478,9 +8475,7 @@ abstract class CommonITILObject extends CommonDBTM {
$tasktemplate_content = $tasktemplate->getRenderedContent($this);
// Sanitize generated HTML before adding it in DB
$tasktemplate_content = Toolbox::clean_cross_side_scripting_deep(
Toolbox::addslashes_deep($tasktemplate_content)
);
$tasktemplate_content = Sanitizer::sanitize($tasktemplate_content, true);
$itiltask->add([
'tasktemplates_id' => $tasktemplates_id,
......@@ -8522,9 +8517,7 @@ abstract class CommonITILObject extends CommonDBTM {
$new_fup_content = $fup_template->getRenderedContent($this);
// Sanitize generated HTML before adding it in DB
$new_fup_content = Toolbox::clean_cross_side_scripting_deep(
Toolbox::addslashes_deep($new_fup_content)
);
$new_fup_content = Sanitizer::sanitize($new_fup_content, true);
// Insert new followup from template
$fup = new ITILFollowup();
......
......@@ -37,6 +37,7 @@ if (!defined('GLPI_ROOT')) {
use Glpi\CalDAV\Contracts\CalDAVCompatibleItemInterface;
use Glpi\CalDAV\Traits\VobjectConverterTrait;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
use Sabre\VObject\Component\VCalendar;
/// TODO extends it from CommonDBChild
......@@ -1177,7 +1178,7 @@ abstract class CommonITILTask extends CommonDBTM implements CalDAVCompatibleItem
$interv[$key]["end"] = $data["end"];
}
$interv[$key]["name"] = Toolbox::unclean_cross_side_scripting_deep($parentitem->fields['name']); // name is re-encoded on JS side
$interv[$key]["name"] = Sanitizer::unsanitize($parentitem->fields['name']); // name is re-encoded on JS side
$interv[$key]["content"] = RichText::getSafeHtml($item->fields['content'], true);
$interv[$key]["status"] = $parentitem->fields["status"];
$interv[$key]["priority"] = $parentitem->fields["priority"];
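Review bot: The trailing comment `// name is re-encoded on JS side` is now the only record of why `fields['name']` is handed to the client unsanitized while `content` on the next line goes through `RichText::getSafeHtml()`. The comment should name the consuming script so the invariant can be checked when that code changes, e.g. `// raw value on purpose: escaped by <planning JS consumer> before DOM insertion` with the real file named in place of the placeholder.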
......
......@@ -34,6 +34,7 @@ use Glpi\Cache\CacheManager;
use Glpi\Dashboard\Grid;
use Glpi\Exception\PasswordTooWeakException;
use Glpi\System\RequirementsManager;
use Glpi\Toolbox\Sanitizer;
use Laminas\Cache\Psr\SimpleCache\SimpleCacheDecorator;
use Laminas\Cache\StorageFactory;
use PHPMailer\PHPMailer\PHPMailer;
......@@ -1915,7 +1916,7 @@ class Config extends CommonDBTM {
echo wordwrap($msg."\n", $width, "\n\t");
if (isset($_SERVER["HTTP_USER_AGENT"])) {
echo "\t" . Toolbox::clean_cross_side_scripting_deep($_SERVER["HTTP_USER_AGENT"]) . "\n";
echo "\t" . Sanitizer::sanitize($_SERVER["HTTP_USER_AGENT"]) . "\n";
}
foreach ($DB->getInfo() as $key => $val) {
......
......@@ -47,6 +47,7 @@ use DB;
use Document_Item;
use Domain;
use Glpi\Console\AbstractCommand;
use Glpi\Toolbox\Sanitizer;
use Infocom;
use Item_Problem;
use Item_Project;
......@@ -63,7 +64,6 @@ use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\ConfirmationQuestion;
use Toolbox;
class AppliancesPluginToCoreCommand extends AbstractCommand {
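Review bot: Dropping `use Toolbox;` is only safe if no `Toolbox::` reference remains anywhere in this file after the replacements below; the hunks shown do not cover the whole file, and inside the file's namespace an unqualified `Toolbox::` would resolve to a non-existent class and fail at runtime on that path, not at load time. Worth a grep or a static-analysis run before merging; the same removal is made in RacksPluginToCoreCommand.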
......@@ -403,12 +403,12 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
OutputInterface::VERBOSITY_VERY_VERBOSE
);
$app_fields = Toolbox::sanitize([
$app_fields = Sanitizer::sanitize([
'id' => $item['id'],
'appliances_id' => $item['plugin_appliances_appliances_id'],
'items_id' => $item['items_id'],
'itemtype' => $item['itemtype']
]);
], true);
$appi = new Appliance_Item();
if (!($appi_id = $appi->getFromDBByCrit($app_fields))) {
......@@ -462,11 +462,11 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
OutputInterface::VERBOSITY_VERY_VERBOSE
);
$app_fields = Toolbox::sanitize([
$app_fields = Sanitizer::sanitize([
'id' => $env['id'],
'name' => $env['name'],
'comment' => $env['comment']
]);
], true);
$appe = new ApplianceEnvironment();
if (!($appe_id = $appe->getFromDBByCrit($app_fields))) {
......@@ -519,7 +519,7 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
OutputInterface::VERBOSITY_VERY_VERBOSE
);
$app_fields = Toolbox::sanitize([
$app_fields = Sanitizer::sanitize([
'id' => $appliance['id'],
'entities_id' => $appliance['entities_id'],
'is_recursive' => $appliance['is_recursive'],
......@@ -540,7 +540,7 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
'externalidentifier' => $appliance['externalid'],
'serial' => $appliance['serial'],
'otherserial' => $appliance['otherserial']
]);
], true);
$app = new Appliance();
if (!($app_id = $app->getFromDBByCrit($app_fields))) {
......@@ -594,14 +594,14 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
OutputInterface::VERBOSITY_VERY_VERBOSE
);
$appt_fields = Toolbox::sanitize([
$appt_fields = Sanitizer::sanitize([
'id' => $type['id'],
'entities_id' => $type['entities_id'],
'is_recursive' => $type['is_recursive'],
'name' => $type['name'],
'comment' => $type['comment'],
'externalidentifier' => $type['externalid']
]);
], true);
$appt = new ApplianceType();
if (!($appt_id = $appt->getFromDBByCrit($appt_fields))) {
......@@ -687,12 +687,12 @@ class AppliancesPluginToCoreCommand extends AbstractCommand {
}
}
$appr_fields = Toolbox::sanitize([
$appr_fields = Sanitizer::sanitize([
'id' => $row['id'],
'appliances_items_id' => $row['plugin_appliances_appliances_items_id'],
'itemtype' => $itemtype,
'items_id' => $row['relations_id']
]);
], true);
$appr = new Appliance_Item_Relation();
if (!($appr_id = $appr->getFromDBByCrit($appr_fields))) {
......
......@@ -43,6 +43,7 @@ use Datacenter;
use DB;
use DCRoom;
use Glpi\Console\AbstractCommand;
use Glpi\Toolbox\Sanitizer;
use Item_Rack;
use Monitor;
use MonitorModel;
......@@ -68,7 +69,6 @@ use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\ChoiceQuestion;
use Symfony\Component\Console\Question\ConfirmationQuestion;
use Toolbox;
class RacksPluginToCoreCommand extends AbstractCommand {
......@@ -599,10 +599,10 @@ class RacksPluginToCoreCommand extends AbstractCommand {
}
$new_model = new $new_model_itemtype();
$new_model_fields = Toolbox::sanitize([
$new_model_fields = Sanitizer::sanitize([
'name' => $othermodel['name'],
'comment' => $othermodel['comment'],
]);
], true);
if (!($new_model_id = $new_model->getFromDBByCrit($new_model_fields))
&& !($new_model_id = $new_model->add($new_model_fields))) {
......@@ -649,13 +649,13 @@ class RacksPluginToCoreCommand extends AbstractCommand {
foreach ($otheritems_iterator as $otheritem) {
$progress_bar->advance(1);
$new_item_fields = Toolbox::sanitize([
$new_item_fields = Sanitizer::sanitize([
'name' => strlen($otheritem['name'])
? $otheritem['name']
: $otheritem['id'],
'entities_id' => $otheritem['entities_id'],
$fk_new_model => $new_model_id
]);
], true);
$new_item = new $new_itemtype();
......@@ -827,11 +827,12 @@ class RacksPluginToCoreCommand extends AbstractCommand {
);
$rackmodel = new RackModel();
$rackmodel_fields = Toolbox::sanitize(
$rackmodel_fields = Sanitizer::sanitize(
[
'name' => $old_model['name'],
'comment' => $old_model['comment'],
]
],
true
);
if (!($rackmodel_id = $rackmodel->getFromDBByCrit($rackmodel_fields))
......@@ -905,13 +906,14 @@ class RacksPluginToCoreCommand extends AbstractCommand {
);
$racktype = new RackType();
$racktype_fields = Toolbox::sanitize(
$racktype_fields = Sanitizer::sanitize(
[
'name' => $old_type['name'],
'entities_id' => $old_type['entities_id'],
'is_recursive' => $old_type['is_recursive'],
'comment' => $old_type['comment'],
]
],
true
);
if (!($racktype_id = $racktype->getFromDBByCrit($racktype_fields))
......@@ -985,11 +987,12 @@ class RacksPluginToCoreCommand extends AbstractCommand {
);
$state = new State();
$state_fields = Toolbox::sanitize(
$state_fields = Sanitizer::sanitize(
[
'name' => $old_state['name'],
'states_id' => 0,
]
],
true
);
if (!($state_id = $state->getFromDBByCrit($state_fields))) {
......@@ -1068,7 +1071,7 @@ class RacksPluginToCoreCommand extends AbstractCommand {
);
$room = new DCRoom();
$room_fields = Toolbox::sanitize(
$room_fields = Sanitizer::sanitize(
[
'name' => $old_room['completename'],
'entities_id' => $old_room['entities_id'],
......@@ -1076,7 +1079,8 @@ class RacksPluginToCoreCommand extends AbstractCommand {
'datacenters_id' => $this->datacenter_id,
'vis_cols' => 10,
'vis_rows' => 10,
]
],
true
);
if (!($room_id = $room->getFromDBByCrit($room_fields))
......@@ -1177,7 +1181,7 @@ class RacksPluginToCoreCommand extends AbstractCommand {
}
$rack = new Rack();
$rack_fields = Toolbox::sanitize(
$rack_fields = Sanitizer::sanitize(
[
'name' => $old_rack['name'],
'comment' => "Imported from rack plugin",
......@@ -1201,7 +1205,8 @@ class RacksPluginToCoreCommand extends AbstractCommand {
'is_deleted' => $old_rack['is_deleted'],
'dcrooms_id' => $room_id,
'bgcolor' => "#FEC95C",
]
],
true
);
if (!($rack_id = $rack->getFromDBByCrit($rack_fields))) {
......
......@@ -36,7 +36,7 @@ use CommonDBTM;
use Entity;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\ContentTemplates\Parameters\ParametersTypes\ObjectParameter;
use Toolbox;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -75,7 +75,7 @@ class AssetParameters extends AbstractParameters
protected function defineValues(CommonDBTM $asset): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($asset->fields);
$fields = Sanitizer::unsanitize($asset->fields);
$values = [
'id' => $fields['id'],
......
......@@ -39,11 +39,11 @@ use Entity;
use Glpi\ContentTemplates\Parameters\ParametersTypes\ArrayParameter;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\ContentTemplates\Parameters\ParametersTypes\ObjectParameter;
use Glpi\Toolbox\Sanitizer;
use Group;
use ITILCategory;
use Session;
use Supplier;
use Toolbox;
use User;
if (!defined('GLPI_ROOT')) {
......@@ -87,7 +87,7 @@ abstract class CommonITILObjectParameters extends AbstractParameters
/** @var CommonITILObject $commonitil */
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($commonitil->fields);
$fields = Sanitizer::unsanitize($commonitil->fields);
// Base values from ticket property
$values = [
......
......@@ -34,7 +34,7 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Toolbox;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -57,7 +57,7 @@ abstract class DropdownParameters extends AbstractParameters
protected function defineValues(CommonDBTM $item): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($item->fields);
$fields = Sanitizer::unsanitize($item->fields);
return [
'id' => $fields['id'],
......
......@@ -34,8 +34,8 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\Toolbox\Sanitizer;
use KnowbaseItem;
use Toolbox;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -72,7 +72,7 @@ class KnowbaseItemParameters extends AbstractParameters
protected function defineValues(CommonDBTM $kbi): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($kbi->fields);
$fields = Sanitizer::unsanitize($kbi->fields);
return [
'id' => $fields['id'],
......
......@@ -34,8 +34,8 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\Toolbox\Sanitizer;
use LevelAgreement;
use Toolbox;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -61,7 +61,7 @@ abstract class LevelAgreementParameters extends AbstractParameters
protected function defineValues(CommonDBTM $sla): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($sla->fields);
$fields = Sanitizer::unsanitize($sla->fields);
return [
'id' => $fields['id'],
......