Timestamp:
07/27/10 13:56:39 (15 years ago)
Author:
Kris Deugau
Message:

/branches/htmlform

Escape forwarded form data with $q->escapeHTML on most forms in
main.cgi (see #15)
Fix up most subs in IPDB.pm that deal with form data that needs
escaping (see #34)

Location:
branches/htmlform/cgi-bin
Files:
2 edited

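--- a/branches/htmlform/cgi-bin/IPDB.pm
+++ b/branches/htmlform/cgi-bin/IPDB.pm
@@ -347,9 +347,8 @@
       $cidr = $data[0];  # $cidr is already declared when we get here!
 
-      $sth = $dbh->prepare("update poolips set custid='$custid',".
-        "city='$city',available='n',description='$desc',notes='$notes',".
-        "circuitid='$circid',privdata='$privdata'".
-        " where ip='$cidr'");
-      $sth->execute;
+      $sth = $dbh->prepare("update poolips set custid=?,city=?,".
+        "available='n',description=?,notes=?,circuitid=?,privdata=?".
+        " where ip=?");
+      $sth->execute($custid, $city, $desc, $notes, $circid, $privdata, "$cidr");
 # node hack
       if ($nodeid && $nodeid ne '') {
@@ -399,7 +398,6 @@
           $sth = $dbh->prepare("insert into allocations".
                 " (cidr,custid,type,city,description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -509,7 +507,6 @@
           $sth = $dbh->prepare("insert into allocations (cidr,custid,type,city,".
                 "description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -633,9 +630,9 @@
     eval {
       $msg = "Unable to deallocate $disp_alloctypes{$type} $cidr";
-      $sth = $dbh->prepare("update poolips set custid='$defcustid',available='y',".
-        "city=(select city from allocations where cidr >>= '$cidr'".
+      $sth = $dbh->prepare("update poolips set custid=?,available='y',".
+        "city=(select city from allocations where cidr >>= ?".
         " order by masklen(cidr) desc limit 1),".
-        "description='',notes='',circuitid='' where ip='$cidr'");
-      $sth->execute;
+        "description='',notes='',circuitid='' where ip=?");
+      $sth->execute($defcustid, "$cidr", "$cidr");
       $dbh->commit;
     };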
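Review bot: The explicit `"$cidr"` in the new execute() calls is load-bearing but unexplained: in the two insert hunks `$cidr->masklen` on the same line shows $cidr is an object there, and DBI binds its text form only because it is stringified first, so a later cleanup could easily "simplify" the quotes away and bind a reference. A short comment on the first such call would prevent that, e.g. `# "$cidr": $cidr is an object here (see ->masklen); bind its string form`. In the deallocate hunk the same stringified value is bound to `cidr >>= ?`, which relies on the server inferring the operand type from the operator; if the driver ever sends a typed text parameter that comparison fails, so an explicit cast such as `cidr >>= ?::cidr` would make the intent robust — whether that is needed depends on the DBD settings, which are not visible here. Whether execute() failures are surfaced still depends on RaiseError being set on $dbh, which this page does not show; the enclosing subs start and end outside these hunks.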
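--- a/branches/htmlform/cgi-bin/main.cgi
+++ b/branches/htmlform/cgi-bin/main.cgi
@@ -825,12 +825,12 @@
   $html =~ s|\$\$ALLOC_FROM\$\$|$alloc_from|g;
   $html =~ s|\$\$CIDR\$\$|$cidr|g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s|\$\$CITY\$\$|$webvar{city}|g;
   $html =~ s|\$\$CUSTID\$\$|$webvar{custid}|g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s|\$\$CIRCID\$\$|$webvar{circid}|g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s|\$\$DESC\$\$|$webvar{desc}|g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s|\$\$NOTES\$\$|$webvar{notes}|g;
   $html =~ s|\$\$ACTION\$\$|insert|g;
@@ -841,6 +841,7 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color).($i%2).qq("><td>Restricted data:</td>).
-        qq(<td class=regular>$webvar{privdata}).
-        qq(<input type=hidden name=privdata value="$webvar{privdata}"></td></tr>\n);
+        "<td class=regular>".$q->escapeHTML($webvar{privdata}).
+        qq(<input type=hidden name=privdata value=").$q->escapeHTML($webvar{privdata}).
+        qq("></td></tr>\n);
     $i++;
   }
@@ -1180,4 +1181,6 @@
     # Relatively simple SQL transaction here.
     my $sql;
+##fixme:  SQL parameters (#34)
+# need to make sure we log roughly the same info
     if (my $pooltype = ($webvar{alloctype} =~ /^(.)i$/) ) {
       $sql = "update poolips set custid='$webvar{custid}',notes='$webvar{notes}',".
@@ -1244,5 +1247,5 @@
 my $swiptmp = ($webvar{swip} eq 'on' ? 'Yes' : 'No');
   $html =~ s/\$\$BLOCK\$\$/$webvar{block}/g;
-  $webvar{city} = desanitize($webvar{city});
+  $webvar{city} = $q->escapeHTML($webvar{city});
   $html =~ s/\$\$CITY\$\$/$webvar{city}/g;
   $html =~ s/\$\$ALLOCTYPE\$\$/$webvar{alloctype}/g;
@@ -1250,9 +1253,9 @@
   $html =~ s/\$\$CUSTID\$\$/$webvar{custid}/g;
   $html =~ s/\$\$SWIP\$\$/$swiptmp/g;
-  $webvar{circid} = desanitize($webvar{circid});
+  $webvar{circid} = $q->escapeHTML($webvar{circid});
   $html =~ s/\$\$CIRCID\$\$/$webvar{circid}/g;
-  $webvar{desc} = desanitize($webvar{desc});
+  $webvar{desc} = $q->escapeHTML($webvar{desc});
   $html =~ s/\$\$DESC\$\$/$webvar{desc}/g;
-  $webvar{notes} = desanitize($webvar{notes});
+  $webvar{notes} = $q->escapeHTML($webvar{notes});
   $html =~ s/\$\$NOTES\$\$/$webvar{notes}/g;
   $html =~ s/\$\$BACKLINK\$\$/$backlink/g;
@@ -1261,5 +1264,5 @@
   if ($IPDBacl{$authuser} =~ /s/) {
     $privdata = qq(<tr class="color2"><td valign="top">Restricted data:</td>).
-        qq(<td class="regular">).desanitize($webvar{privdata}).qq(</td></tr>\n);
+        qq(<td class="regular">).$q->escapeHTML($webvar{privdata}).qq(</td></tr>\n);
   }
   $html =~ s/\$\$PRIVDATA\$\$/$privdata/g;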
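Review bot: `$webvar{custid}` is still substituted into the template unescaped at `$html =~ s|\$\$CUSTID\$\$|$webvar{custid}|g;` while city, circid, desc and notes on the neighbouring lines now go through escapeHTML, so a value containing `<` or `"` reaches the page unchanged from this form; the same holds for `$$BLOCK$$`, `$$ALLOCTYPE$$` and the second `$$CUSTID$$` in the later hunks unless those fields are validated before this point, which is not visible here. Adding `$webvar{custid} = $q->escapeHTML($webvar{custid});` immediately before each CUSTID substitution, mirroring the other four fields, closes that gap. Because escapeHTML is applied in place to %webvar, anything later in the same request that reuses these keys (a SQL parameter, a re-read hidden field) will see the escaped text, so the in-place form should stay confined to the display path. The `$sql = "update poolips set custid='$webvar{custid}'...` line marked ##fixme still builds SQL from raw form data and should not outlive this branch; the enclosing routines start and end outside these hunks.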