Changeset 448

Timestamp:

07/27/10 13:56:39 (14 years ago)

Author:

Kris Deugau

Message:

/branches/htmlform

Escape forwarded form data with $q->escapeHTML on most forms in
main.cgi (see #15)
Fix up most subs in IPDB.pm that deal with form data that needs
escaping (see #34)

Location:

branches/htmlform/cgi-bin

Files:

• IPDB.pm (modified) (4 diffs)
• main.cgi (modified) (6 diffs)

branches/htmlform/cgi-bin/IPDB.pm

@@ -347 +347 @@
       $cidr = $data[0];  # $cidr is already declared when we get here!
 
-      $sth = $dbh->prepare("update poolips set custid='$custid',".
-        "city='$city',available='n',description='$desc',notes='$notes',".
-        "circuitid='$circid',privdata='$privdata'".
-        " where ip='$cidr'");
-      $sth->execute;
+      $sth = $dbh->prepare("update poolips set custid=?,city=?,".
+        "available='n',description=?,notes=?,circuitid=?,privdata=?".
+        " where ip=?");
+      $sth->execute($custid, $city, $desc, $notes, $circid, $privdata, "$cidr");
 # node hack
       if ($nodeid && $nodeid ne '') {
@@ -399 +398 @@
           $sth = $dbh->prepare("insert into allocations".
                 " (cidr,custid,type,city,description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -509 +507 @@
           $sth = $dbh->prepare("insert into allocations (cidr,custid,type,city,".
                 "description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -633 +630 @@
     eval {
       $msg = "Unable to deallocate $disp_alloctypes{$type} $cidr";
-      $sth = $dbh->prepare("update poolips set custid='$defcustid',available='y',".
-        "city=(select city from allocations where cidr >>= '$cidr'".
+      $sth = $dbh->prepare("update poolips set custid=?,available='y',".
+        "city=(select city from allocations where cidr >>= ?".
         " order by masklen(cidr) desc limit 1),".
-        "description='',notes='',circuitid='' where ip='$cidr'");
-      $sth->execute;
+        "description='',notes='',circuitid='' where ip=?");
+      $sth->execute($defcustid, "$cidr", "$cidr");
       $dbh->commit;
     };

branches/htmlform/cgi-bin/main.cgi

@@ -825 +825 @@
   $html =~ s|\$\$ALLOC_FROM\$\$|$alloc_from|g;
   $html =~ s|\$\$CIDR\$\$|$cidr|g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s|\$\$CITY\$\$|$webvar{city}|g;
   $html =~ s|\$\$CUSTID\$\$|$webvar{custid}|g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s|\$\$CIRCID\$\$|$webvar{circid}|g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s|\$\$DESC\$\$|$webvar{desc}|g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s|\$\$NOTES\$\$|$webvar{notes}|g;
   $html =~ s|\$\$ACTION\$\$|insert|g;
@@ -841 +841 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color).($i%2).qq("><td>Restricted data:</td>).
-        qq(<td class=regular>$webvar{privdata}).
-        qq(<input type=hidden name=privdata value="$webvar{privdata}"></td></tr>\n);
+        "<td class=regular>".$q->escapeHTML($webvar{privdata}).
+        qq(<input type=hidden name=privdata value=").$q->escapeHTML($webvar{privdata}).
+        qq("></td></tr>\n);
     $i++;
   }
@@ -1180 +1181 @@
     # Relatively simple SQL transaction here.
     my $sql;
+##fixme:  SQL parameters (#34)
+# need to make sure we log roughly the same info
     if (my $pooltype = ($webvar{alloctype} =~ /^(.)i$/) ) {
       $sql = "update poolips set custid='$webvar{custid}',notes='$webvar{notes}',".
@@ -1244 +1247 @@
 my $swiptmp = ($webvar{swip} eq 'on' ? 'Yes' : 'No');
   $html =~ s/\$\$BLOCK\$\$/$webvar{block}/g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s/\$\$CITY\$\$/$webvar{city}/g;
   $html =~ s/\$\$ALLOCTYPE\$\$/$webvar{alloctype}/g;
@@ -1250 +1253 @@
   $html =~ s/\$\$CUSTID\$\$/$webvar{custid}/g;
   $html =~ s/\$\$SWIP\$\$/$swiptmp/g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s/\$\$CIRCID\$\$/$webvar{circid}/g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s/\$\$DESC\$\$/$webvar{desc}/g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s/\$\$NOTES\$\$/$webvar{notes}/g;
   $html =~ s/\$\$BACKLINK\$\$/$backlink/g;
@@ -1261 +1264 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color2"><td valign="top">Restricted data:</td>).
-        qq(<td class="regular">).desanitize($webvar{privdata}).qq(</td></tr>\n);
+        qq(<td class="regular">).$q->escapeHTML($webvar{privdata}).qq(</td></tr>\n);
   }
   $html =~ s/\$\$PRIVDATA\$\$/$privdata/g;