From 9963f0958b8f85ece82132276ee9b678fb127d4f Mon Sep 17 00:00:00 2001
From: David Anderson <davea@ssl.berkeley.edu>
Date: Tue, 20 May 2008 16:42:01 +0000
Subject: [PATCH] - web: fix for cross-site scripting vulnerability     (from
 Nicolas Alvarez)

svn path=/trunk/boinc/; revision=15261
---
 checkin_notes             | 10 ++++++++++
 html/inc/team.inc         | 29 +++++++++++++++--------------
 html/user/team_search.php |  6 +++++-
 3 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/checkin_notes b/checkin_notes
index c0987ddba2..1bd610c15d 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -4154,3 +4154,13 @@ David  May 19 2008
         scheduler_op.C
     languages/translations/
         en.po
+
+David  May 20 2008
+    - web: fix for cross-site scripting vulnerability
+        (from Nicolas Alvarez)
+
+    html/
+        inc/
+            team.inc
+        user/
+            team_search.php
diff --git a/html/inc/team.inc b/html/inc/team.inc
index 97f15662ce..5f67b8e482 100644
--- a/html/inc/team.inc
+++ b/html/inc/team.inc
@@ -16,9 +16,10 @@ function team_search_form($params) {
     ";
     start_table();
     row2("<b>Search criteria (use one or more)</b>", "");
-    row2("Key words<br><span class=note>Find teams with these words in their names or descriptions</span>", "<input name=keywords value=\"$params->keywords\">");
+    row2('Key words<br><span class="note">Find teams with these words in their names or descriptions</span>',
+        '<input name="keywords" value="' . htmlspecialchars($params->keywords) . '">');
     row2_init("Country", "");
-    echo "<select name=country><option value=\"\" selected>---</option>";
+    echo '<select name="country"><option value="" selected>---</option>';
     $country = $params->country;
     if (!$country || $country == 'None') $country = "XXX";
     print_country_select($country);
@@ -26,7 +27,7 @@ function team_search_form($params) {
     row2("Type of team", team_type_select($params->type, true));
     $checked = $params->active?"checked":"";
     row2("Show only active teams", "<input type=checkbox name=active $checked>");
-    row2("", "<input type=submit name=submit value=Search>");
+    row2("", '<input type="submit" name="submit" value="Search">');
     end_table();
     echo "
         </form>
@@ -39,15 +40,15 @@ function foundership_transfer_link($user, $team) {
         if ($team->userid == $user->id) {
             return "None";
         } else {
-            return "<a href=\"team_founder_transfer_form.php\">Initiate request</a>";
+            return '<a href="team_founder_transfer_form.php">Initiate request</a>';
         }
     }
     if ($team->ping_user == $user->id) {
         if (transfer_ok($team, now)) {
-            return "Requested by you, and founder response deadline has passed.  <a href=\"team_founder_transfer_form.php\">Complete foundership transfer</a>.";
+            return 'Requested by you, and founder response deadline has passed.  <a href="team_founder_transfer_form.php">Complete foundership transfer</a>.';
         } else {
             $deadline = date_str(transfer_ok_time($team));
-            return "<a href=\"team_founder_transfer_form.php\">Requested by you</a>; founder response deadline is $deadline";
+            return '<a href="team_founder_transfer_form.php">Requested by you</a>; founder response deadline is '.$deadline;
         }
     }
     return "<a href=\"team_founder_transfer_form.php\">Deferred</a>";
@@ -89,7 +90,7 @@ function display_team_page($team, $user) {
         if ($user->teamid != $team->id) {
             $tokens = url_tokens($user->authenticator);
             row2("",
-                "<a href='team_join.php?$tokens&teamid=$team->id'>Join this team</a>
+                "<a href='team_join.php?$tokens&amp;teamid=$team->id'>Join this team</a>
                 <br><span class=note>Note: if 'OK to email' is set in your project preferences, joining a team gives its founder access to your email address.</span>"
             );
         }
@@ -135,9 +136,9 @@ function display_team_page($team, $user) {
         }
     }
     row2("New members in last day", $x);
-    row2("Total members", "$team->nusers (<a href=team_members.php?teamid=$team->id&offset=0&sort_by=expavg_credit>view</a>)");
-    row2("Active members", "$team->nusers_active (<a href=team_members.php?teamid=$team->id&offset=0&sort_by=expavg_credit>view</a>)");
-    row2("Members with credit", "$team->nusers_worked (<a href=team_members.php?teamid=$team->id&offset=0&sort_by=total_credit>view</a>)");
+    row2("Total members", "$team->nusers (<a href=team_members.php?teamid=$team->id&amp;offset=0&amp;sort_by=expavg_credit>view</a>)");
+    row2("Active members", "$team->nusers_active (<a href=team_members.php?teamid=$team->id&amp;offset=0&amp;sort_by=expavg_credit>view</a>)");
+    row2("Members with credit", "$team->nusers_worked (<a href=team_members.php?teamid=$team->id&amp;offset=0&amp;sort_by=total_credit>view</a>)");
     end_table();
 }
 
@@ -172,12 +173,12 @@ function display_team_members($team, $offset, $sort_by) {
             if ($sort_by == "total_credit") {
                 echo "<th>Total credit</th>";
             } else {
-                echo "<th><a href=team_members.php?teamid=$team->id&sort_by=total_credit&offset=$offset>Total credit</a></th>";
+                echo "<th><a href=team_members.php?teamid=$team->id&amp;sort_by=total_credit&amp;offset=$offset>Total credit</a></th>";
             }
             if ($sort_by == "expavg_credit") {
                 echo "<th>Recent average credit</th>";
             } else {
-                echo "<th><a href=team_members.php?teamid=$team->id&sort_by=expavg_credit&offset=$offset>Recent average credit</a></th>";
+                echo "<th><a href=team_members.php?teamid=$team->id&amp;sort_by=expavg_credit&amp;offset=$offset>Recent average credit</a></th>";
             }
         }
     }
@@ -222,11 +223,11 @@ function display_team_members($team, $offset, $sort_by) {
 
     if ($offset > 0) {
         $new_offset = $offset - $n;
-        echo "<a href=team_members.php?teamid=$team->id&sort_by=$sort_by&offset=$new_offset>Last $n</a> | ";
+        echo "<a href=team_members.php?teamid=$team->id&amp;sort_by=$sort_by&amp;offset=$new_offset>Last $n</a> | ";
     }
     if ($j == $offset + $n + 1) {
         $new_offset = $offset + $n;
-        echo "<a href=team_members.php?teamid=$team->id&sort_by=$sort_by&offset=$new_offset>Next $n</a>";
+        echo "<a href=team_members.php?teamid=$team->id&amp;sort_by=$sort_by&amp;offset=$new_offset>Next $n</a>";
     }
 }
 
diff --git a/html/user/team_search.php b/html/user/team_search.php
index f0fbc75b15..e472e41c73 100644
--- a/html/user/team_search.php
+++ b/html/user/team_search.php
@@ -130,7 +130,11 @@ function search($params) {
 $user = get_logged_in_user(false);
 if (isset($_GET['submit'])) {
     $params = null;
-    $params->keywords = $_GET['keywords'];
+    if(get_magic_quotes_gpc()) {
+        $params->keywords = stripslashes($_GET['keywords']);
+    } else {
+        $params->keywords = $_GET['keywords'];
+    }
     $params->country = $_GET['country'];
     $params->type = $_GET['type'];
     $params->active = get_str('active', true);