*** empty log message ***

svn path=/trunk/boinc/; revision=5435
2005-02-15 22:29:32 +00:00 · 2005-02-15 22:29:32 +00:00 · d38bdf43ec
parent e7e9d6d9a6
commit d38bdf43ec
13 changed files with 146 additions and 132 deletions
--- a/21
+++ b/21
@ -24818,4 +24818,23 @@ Bruce 15 Feb 2005
        sched_send.C
        server_types.h
 
-    
+David  15 Feb 2005
+    - User web: security-related PHP cleanup
+        Replace $_GET["id"] with getint("id) here and there.
+        Use lookup_x() instead of explicit SQL
+
+    html/
+        inc/
+            db.inc
+            util.inc
+        user/
+            confirm_email_change.php
+            edit_email_action.php
+            host_edit_form.php
+            host_venue_action.php
+            hosts_user.php
+            results.php
+            show_user.php
+            team_display.php
+            team_quit_form.php
+            userw.php
--- a/html/inc/db.inc
+++ b/html/inc/db.inc
@ -75,6 +75,16 @@ function lookup_wu($id) {
    return null;
 }

+function lookup_result($id) {
+    $result = mysql_query("select * from result where id=$id");
+    if ($result) {
+        $r = mysql_fetch_object($result);
+        mysql_free_result($result);
+        return $r;
+    }
+    return null;
+}
+
 function lookup_app($id) {
    $result = mysql_query("select * from app where id=$id");
    if ($result) {
--- a/html/inc/util.inc
+++ b/html/inc/util.inc
@ -442,6 +442,15 @@ function get_str($name, $optional=false) {
    return $x;
 }

+function get_venue($name) {
+    $x = $_GET[$name];
+    if ($x == "") return $x;
+    if ($x == "home") return $x;
+    if ($x == "work") return $x;
+    if ($x == "school") return $x;
+    error_page("no such venue: $x");
+}
+
 function post_str($name, $optional=false) {
    $x = $_POST[$name];
    if (!$x && !optional) {
--- a/html/user/confirm_email_change.php
+++ b/html/user/confirm_email_change.php
@ -9,30 +9,25 @@
    $id = get_int("id");
    $str = process_user_text(get_str("str"));

-    $user = null;
-    $result = mysql_query("select * from user where id=$id");
-    if ($result) {
-        $user = mysql_fetch_object($result);
+    $user = lookup_user_id($id);
+    if (!$user) {
+        error_page("No such user");
    }

    page_head("Verify email address change");
-    if ($user) {
-        if (split_munged_email_addr($user->email_addr, $str, $new_email)) {
-            $new_email = trim(strtolower($new_email));
-            $result = mysql_query("update user set email_addr='$new_email' where id=$user->id");
-            if ($result) {
-                echo "Email address change verified";
-            } else {
-                echo "Verification failed due to database error.  Please try again later.";
-            }
+    if (split_munged_email_addr($user->email_addr, $str, $new_email)) {
+        $new_email = trim(strtolower($new_email));
+        $result = mysql_query("update user set email_addr='$new_email' where id=$user->id");
+        if ($result) {
+            echo "Email address change verified";
        } else {
-            $user = null;
+            echo "Verification failed due to database error.  Please try again later.";
        }
    } else {
-        echo "User not found";
-    }
-    if (!$user) {
-        echo "We weren't expecting a verification of this account's email address.  Please request the change again.";
+        echo "
+            We weren't expecting a verification of this account's email address.
+            Please request the change again.
+        ";
    }
    page_tail();

--- a/html/user/edit_email_action.php
+++ b/html/user/edit_email_action.php
@ -15,49 +15,49 @@ To confirm this change, please visit the following URL:
    );
 }

-    db_init();
-    $user = get_logged_in_user();
+db_init();
+$user = get_logged_in_user();

-    $email_addr = process_user_text(post_str("email_addr"));
+$email_addr = process_user_text(post_str("email_addr"));

-    page_head("Edit email address");
-    if ($email_addr == "Verification pending") {
-        echo "You previously requested an email address change.
-            An email was sent to the new address,
-            containing a URL that you must visit to verify the new address.
-        ";
-    } else if (!is_valid_email_addr($email_addr)) {
-        echo "Invalid email address requested";
-    } else if ($email_addr == $user->email_addr) {
-        echo "No change requested";
+page_head("Edit email address");
+if ($email_addr == "Verification pending") {
+    echo "You previously requested an email address change.
+        An email was sent to the new address,
+        containing a URL that you must visit to verify the new address.
+    ";
+} else if (!is_valid_email_addr($email_addr)) {
+    echo "Invalid email address requested";
+} else if ($email_addr == $user->email_addr) {
+    echo "No change requested";
+} else {
+    $existing = null;
+    $result = mysql_query("select * from user where email_addr='$email_addr'");
+    if ($result) {
+        $existing = mysql_fetch_object($result);
+        mysql_free_result($result);
+    }
+    if ($existing) {
+        echo "There's already an account with that email address";
    } else {
-        $existing = null;
-        $result = mysql_query("select * from user where email_addr='$email_addr'");
+        $x = random_string();
+        $y = munge_email_addr($email_addr, $x);
+        $result = mysql_query("update user set email_addr='$y' where id=$user->id");
        if ($result) {
-            $existing = mysql_fetch_object($result);
-            mysql_free_result($result);
-        }
-        if ($existing) {
-            echo "There's already an account with that email address";
+            send_verify_email($user, $email_addr, $x);
+            echo "
+                An email has been sent to $email_addr,
+                containing a URL that you must visit to verify the address.
+            ";
        } else {
-            $x = random_string();
-            $y = munge_email_addr($email_addr, $x);
-            $result = mysql_query("update user set email_addr='$y' where id=$user->id");
-            if ($result) {
-                send_verify_email($user, $email_addr, $x);
-                echo "
-                    An email has been sent to $email_addr,
-                    containing a URL that you must visit to verify the address.
-                ";
-            } else {
-                echo "
-                    We can't update your email address
-                    due to a database problem.  Please try again later.
-                ";
-            }
+            echo "
+                We can't update your email address
+                due to a database problem.  Please try again later.
+            ";
        }
    }
+}

-    page_tail();
+page_tail();

 ?>
--- a/html/user/host_edit_form.php
+++ b/html/user/host_edit_form.php
@ -7,17 +7,14 @@ require_once("../inc/host.inc");
 db_init();
 $user = get_logged_in_user();

-page_head("Merge host");
-
-$hostid = $_GET["hostid"];
-$result = mysql_query("select * from host where id=$hostid");
-$host = mysql_fetch_object($result);
-mysql_free_result($result);
+$hostid = get_int("hostid");
+$host = lookup_host($hostid);
 if (!$host || $host->userid != $user->id) {
-    echo "We have no record of that computer";
-    exit();
+    error_page("We have no record of that computer");
 }

+page_head("Merge host");
+
 $t = time_str($host->create_time);
 echo "
    Sometimes BOINC assigns separate identities to the same computer by mistake.
--- a/html/user/host_venue_action.php
+++ b/html/user/host_venue_action.php
@ -6,20 +6,15 @@

    $user = get_logged_in_user();

-    $venue = $_GET["venue"];
-    $hostid = $_GET["hostid"];
-
-    $result = mysql_query("select * from host where id = $hostid");
-    $host = mysql_fetch_object($result);
-    mysql_free_result($result);
+    $venue = get_venue("venue");
+    $hostid = get_int("hostid");

+    $host = lookup_host($hostid);
    if (!$host) {
-        echo "Couldn't find host.";
-        exit();
+        error_page("No such host");
    }
    if ($host->userid != $user->id) {
-        echo "Not your host\n";
-        exit();
+        error_page("Not your host");
    }

    $retval = mysql_query("update host set venue='$venue' where id = $hostid");
--- a/html/user/hosts_user.php
+++ b/html/user/hosts_user.php
@ -8,14 +8,15 @@
    require_once("../inc/cache.inc");

    db_init();
-    $userid = $_GET["userid"];
+    $userid = get_int("userid", true);
    if ($userid) {
+        $user = lookup_user_id($userid);
+        if (!$user) {
+            error_page("No such user");
+        }
        $cache_args = "userid=$userid";
        $caching=true;
        start_cache(USER_PAGE_TTL, $cache_args);
-        $result = mysql_query("select * from user where id=$userid");
-        $user = mysql_fetch_object($result);
-        mysql_free_result($result);
        if ($user->show_hosts) {
            page_head("Computers belonging to $user->name");
            user_host_table_start(false);
--- a/html/user/result.php
+++ b/html/user/result.php
@ -1,20 +1,19 @@
 <?php
-    // show a result

-    require_once("../inc/db.inc");
-    require_once("../inc/util.inc");
-    require_once("../inc/result.inc");
+// show a result
+
+require_once("../inc/db.inc");
+require_once("../inc/util.inc");
+require_once("../inc/result.inc");
+
+db_init();
+$resultid = get_int("resultid");
+$result = lookup_result($resultid);
+if (!$result) {
+    error_page("No such result");
+}
+page_head("Result");
+show_result($result);
+page_tail();

-    db_init();
-    $resultid = $_GET["resultid"];
-    page_head("Result");
-    $r = mysql_query("select * from result where id=$resultid");
-    $result = mysql_fetch_object($r);
-    mysql_free_result($r);
-    if (!$result) {
-        echo "No such result";
-        exit();
-    }
-    show_result($result);
-    page_tail();
 ?>
--- a/html/user/show_user.php
+++ b/html/user/show_user.php
@ -4,20 +4,22 @@

    $id = get_int("userid");
    $format = get_str("format", true);
-    $cache_args = "userid=$id";
-    if ($format=="xml") {
-        $cache_args .= "&format=xml";
-    }
-    start_cache(USER_PAGE_TTL, $cache_args);

    require_once("../inc/db.inc");
    require_once("../inc/user.inc");
    require_once("../inc/forum.inc");
    db_init();

-    $result = mysql_query("select * from user where id = $id");
-    $user = mysql_fetch_object($result);
-    mysql_free_result($result);
+    $user = lookup_user_id($id);
+    if (!$user) {
+        error_page("no such user");
+    }
+
+    $cache_args = "userid=$id";
+    if ($format=="xml") {
+        $cache_args .= "&format=xml";
+    }
+    start_cache(USER_PAGE_TTL, $cache_args);

    $user = getForumPreferences($user);

--- a/html/user/team_display.php
+++ b/html/user/team_display.php
@ -3,9 +3,9 @@ require_once("../inc/cache.inc");

 $sort_by = $_GET["sort_by"];
 if (!$sort_by) $sort_by = "expavg_credit";
-$offset = $_GET["offset"];
+$offset = get_int("offset", true);
 if (!$offset) $offset=0;
-$teamid = $_GET["teamid"];
+$teamid = get_int("teamid");

 if ($offset > 1000) {
    page_head("Limit exceeded");
@ -24,13 +24,9 @@ require_once("../inc/team.inc");
 db_init();
 $user = get_logged_in_user(false);

-$result = mysql_query("select * from team where id=$teamid");
-if ($result) {
-    $team = mysql_fetch_object($result);
-}
+$team = lookup_team($teamid);
 if (!$team) {
-    echo ("Can't find team in database");
-    exit();
+    error_page("No such team");
 }

 display_team_page($team, $offset, $sort_by);
--- a/html/user/team_quit_form.php
+++ b/html/user/team_quit_form.php
@ -1,4 +1,4 @@
-<?php {
+<?php

 require_once("../inc/db.inc");
 require_once("../inc/util.inc");
@ -6,16 +6,13 @@ require_once("../inc/team.inc");

 db_init();
 $user = get_logged_in_user(true);
-$id = $user->teamid;

-$result = mysql_query("select * from team where id=$id");
-if ($result) {
-    $team = mysql_fetch_object($result);
-    mysql_free_result($result);
+$team = lookup_team($user->teamid);
+if (!$team) {
+    error_page("No such team");
 }
-$team_name = $team->name;
-$team_id = $team->id;
-page_head("Quit $team_name");
+
+page_head("Quit $team->name");
 echo "
    <b>Please note before quitting a team:</b>
    <ul>
@ -26,10 +23,10 @@ echo "
    </ul>
    </p>
    <form method=post action=team_quit_action.php>
-    <input type=hidden name=id value=$team_id>
+    <input type=hidden name=id value=$team->id>
    <input type=submit value=\"Quit Team\">
    </form>
 ";
 page_tail();

-} ?>
+?>
--- a/html/user/userw.php
+++ b/html/user/userw.php
@ -2,20 +2,14 @@
    require_once("../inc/util.inc");
    require_once("../inc/userw.inc");
    require_once("../inc/db.inc");
-   // require_once("../inc/trickle.inc");
    require_once("../inc/wap.inc");
 
-    // show the home page of app user from envvar
-
-    $userid = $_GET['id'];
-    if (!$userid) {
-        echo "User id (userw.php?id=###) missing!";
-        exit(); // can't do much without a userid!
-    }
-
+    $userid = get_int('id');
    db_init();
-    $res = mysql_query("select * from user where id = $userid") or die("error in query");
-    $user = mysql_fetch_object($res) or die("error in fetch_object");
+
+    $user = lookup_user_id($userid);
+    if (!$user) {
+        error_page("No such user");
+    }
    show_user_wap($user);
-    mysql_free_result($res);
 ?>