[projects/buildlogs] Escape few things (that can be escaped early without breaking functionality). Should stop xss but is

arekm arekm at pld-linux.org
Tue Feb 4 19:08:16 CET 2020


commit 885e37257d28829aeb0c8d4f6907c78677b5f7c2
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Feb 4 19:08:03 2020 +0100

    Escape few things (that can be escaped early without breaking functionality). Should stop xss but is far from perfect (in case of bad things in sqlite database). https://www.openbugbounty.org/reports/1080461/

 index.php | 76 ++++++++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 56 insertions(+), 20 deletions(-)
---
diff --git a/index.php b/index.php
index 14a11ae..6eca071 100644
--- a/index.php
+++ b/index.php
@@ -49,16 +49,19 @@ textdomain("messages");
 
 if (isset($_GET["dist"]) && isset($_GET["arch"]))
 {
-	$dist = basename($_GET["dist"]);
-	$arch = basename($_GET["arch"]);
+	$dist = $_GET["dist"];
+	$dist = basename(htmlspecialchars($dist, ENT_QUOTES, 'UTF-8'));
+	$arch = $_GET["arch"];
+	$arch = basename(htmlspecialchars($arch, ENT_QUOTES, 'UTF-8'));
 }
 
 if (isset($_POST["dist"])) $dist = basename($_POST["dist"]);
 if (isset($_POST["arch"])) $arch = basename($_POST["arch"]);
 
 if (isset($_GET["name"])) {
-  $name_url = urlencode($_GET["name"]);
-	$name = basename($_GET["name"]);
+	$name_url = urlencode($_GET["name"]);
+	$name = $_GET["name"];
+	$name = $dist = basename(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
 }
 if (isset($_GET["ok"]))$ok=(int)$_GET["ok"];
 else $ok="";
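Review bot: The chained assignment `$name = $dist = basename(...)` on the `name` branch overwrites `$dist` with the escaped package name whenever `name` is present in the query string, discarding the dist parsed a few lines above. The line should be `$name = basename(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));` with the `$dist =` dropped. Note also that the POST branch in this hunk (`$dist = basename($_POST["dist"])`, same for arch) keeps only basename(), so `$dist`/`$arch` carry HTML-escaped text for GET requests but raw text for POST requests; anything that echoes them later has to assume the raw case.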
@@ -66,14 +69,26 @@ if (isset($_GET["ns"]))$ns=(int)$_GET["ns"];
 else $ns="";
 if (isset($_GET["cnt"]))$cnt=(int)$_GET["cnt"];
 else $cnt = 50;
-if (isset($_GET["action"]))$action=$_GET["action"];
-else $action="";
+if (isset($_GET["action"])) {
+	$action = $_GET["action"];
+	$action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
+} else
+	$action="";
 if (isset($_GET["off"]))$off=(int)$_GET["off"];
 else $off = 0;
-if (isset($_GET["id"]))$id=$_GET["id"];
+if (isset($_GET["id"])) {
+	$id = $_GET["id"];
+	$id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
+}
 
-if (isset($_POST["str"]))$str=$_POST["str"];
-if (isset($_POST["action"]))$action=$_POST["action"];
+if (isset($_POST["str"])) {
+	$str = $_POST["str"];
+	$str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
+}
+if (isset($_POST["action"])) {
+	$action = $_POST["action"];
+	$action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
+}
 
 if (isset($arch) && $arch == "src")
 	$arch = "SRPMS";
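Review bot: `$id`, `$str` and `$action` are passed through htmlspecialchars() at read time rather than at output, so if any of them is later used as a database parameter or compared against stored values (not visible in this hunk), a value containing `&`, `<` or a quote will no longer match the raw data. The safer shape is to keep the raw value here and apply htmlspecialchars() at the echo sites, as the last hunk already does for `$f`. For `$action`, which the rest of the diff only uses as `text` and `tail`, a whitelist is both simpler and stricter if those are the only actions: `if (!in_array($action, ['text', 'tail'], true)) $action = '';`.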
@@ -158,7 +173,13 @@ function list_logs()
 	global $big_url, $ns;
 	global $off, $cnt, $root_directory, $url;
 
-	$big_url = "$url?dist=$dist&arch=$arch&ok=$ok&ns=$ns&cnt=$cnt";
+	$query_data = array(
+		'dist' => $dist,
+		'arch' => $arch,
+		'ok' => $ok,
+		'ns' => $ns,
+		'cnt' => $cnt);
+	$big_url = $url . '?' . http_build_query($query_data);
 
 	if ($ok == 1) {
 		echo "<h1>"._("Listing of")." $dist/$arch/OK "
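Review bot: The heading echo at the end of this hunk interpolates `$dist/$arch` into HTML unescaped, relying on the escaping done when the GET parameters were read; the POST path in the first hunk assigns the same globals with basename() only, so a POSTed dist or arch reaches this echo raw. Escape at the output point instead: `echo "<h1>"._("Listing of")." ".htmlspecialchars("$dist/$arch", ENT_QUOTES, 'UTF-8')."/OK "`. The `$big_url` built with http_build_query() is sound as a URL, but if it is placed inside an HTML attribute elsewhere in list_logs() it should also go through htmlspecialchars() so the `&` separators become `&amp;`. list_logs() continues outside this hunk.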
@@ -185,23 +206,32 @@ function list_logs()
 	if ($ns == 0) $order = "mtime DESC";
 	else $order = "name";
 
-	$query = "SELECT log_id, dist, arch, ok, name, mtime, size, id FROM logs WHERE "
-	. "dist = '$dist' AND arch = '$arch' AND ok = $ok ORDER BY $order LIMIT $cnt OFFSET $off";
+	$query = "SELECT log_id, dist, arch, ok, name, mtime, size, id FROM logs WHERE
+			  dist = :dist AND arch = :arch AND ok = :ok ORDER BY $order LIMIT :limitnr OFFSET :offset ";
 
 	try {
 		$dbh = new PDO("$database");
+		$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+		$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
 	} catch (PDOException $e) {
 		mydie("new PDO: " . $e->getMessage());
 	}
 	$now = time();
 	$i = $off;
-	foreach ($dbh->query("$query") as $row) {
-    $name = $row["name"];
-    $id = $row["id"];
-    $dist = $row["dist"];
-    $arch = $row["arch"];
+	$stmt = $dbh->prepare($query);
+	$stmt->bindParam(':dist', $dist, PDO::PARAM_STR);
+	$stmt->bindParam(':arch', $arch, PDO::PARAM_STR);
+	$stmt->bindParam(':ok', $ok, PDO::PARAM_INT);
+	$stmt->bindParam(':limitnr', $cnt, PDO::PARAM_INT);
+	$stmt->bindParam(':offset', $off, PDO::PARAM_INT);
+	$stmt->execute([$dist, $arch, $ok, $cnt, $off]);
+	while ($row = $stmt->fetch()) {
+		$name = $row["name"];
+		$id = $row["id"];
+		$dist = $row["dist"];
+		$arch = $row["arch"];
 		$f = $name;
-    $name_url = urlencode($name);
+		$name_url = urlencode($name);
 		$t = $now - $row["mtime"];
 		$s = $row["size"];
 		$h = $row["log_id"];
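Review bot: `$stmt->execute([$dist, $arch, $ok, $cnt, $off])` passes a positional parameter array to a statement that uses named placeholders; when an array is given to execute(), PDO ignores the preceding bindParam() calls and tries to match the values by position, which does not line up with `:dist`, `:arch`, etc. and is expected to fail with an invalid-parameter-number error now that ERRMODE_EXCEPTION is set. Since the five bindParam() calls already bind every placeholder with the right types, the call should be `$stmt->execute();`. With ERRMODE_EXCEPTION enabled, prepare() and execute() also sit outside the try block, so a PDOException from them is uncaught and its message (which can include the query text) is left to the default error handler; moving them into the same try/mydie() pattern used for the constructor keeps the failure mode consistent. `$ok` may still be the empty string (the `else $ok=""` default in the first hunk) when bound as PDO::PARAM_INT; worth confirming that this yields the intended row set rather than relying on the driver's coercion.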
@@ -221,9 +251,15 @@ function list_logs()
 			$t = round($t);
 			$t = $t . " " . ngettext("minute","minutes",$t);
 		}
-		$u = "$url?dist=$dist&arch=$arch&ok=$ok&name=$name_url&id=$id";
+		$url_data = array(
+			'dist' => $dist,
+			'arch' => $arch,
+			'ok' => $ok,
+			'name' => $name_url,
+			'id' => $id);
+		$u = $url . '?' . http_build_query($url_data);
 		echo "<tr><td bgcolor=\"#CCCCCC\" align=\"right\">".($i+1).".</td>".
-		     "<td bgcolor=\"#CCCCCC\"><a href=\"$u\">$f</a> ".
+		     "<td bgcolor=\"#CCCCCC\"><a href=\"$u\">".htmlspecialchars($f, ENT_QUOTES, 'UTF-8')."</a> ".
 		     "[<a href=\"$u&action=text\">"._("text")."</a> | ".
 		      "<a href=\"$u&action=tail\">"._("tail")."</a>]".
 		     "</td><td bgcolor=\"#CCCCCC\" align=\"right\">".
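Review bot: `'name' => $name_url` feeds a value that was already urlencode()d earlier in the loop into http_build_query(), which percent-encodes it again, so the generated `name=` parameter is double-encoded and `$_GET["name"]` on the receiving page (first hunk) will still contain `%20`-style escapes for any space or special character. Pass the raw name instead, `'name' => $name,`, and drop the now-unneeded `$name_url = urlencode($name);` line. The `href="$u"` and `href="$u&action=text"` attributes insert the URL unescaped; http_build_query() encodes the values so quotes cannot break out of the attribute, but the `&` separators should be `&amp;` in HTML, e.g. `$u = htmlspecialchars($url . '?' . http_build_query($url_data), ENT_QUOTES, 'UTF-8');`. list_logs() continues outside this hunk.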
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/buildlogs.git/commitdiff/885e37257d28829aeb0c8d4f6907c78677b5f7c2


