authorMichael Gapczynski <mtgap@owncloud.com>2012-07-07 16:54:07 -0400
committerMichael Gapczynski <mtgap@owncloud.com>2012-07-07 16:54:07 -0400
commit7de97ed20003d1f5ab9e2bfde9386bba07d0eff8 (patch)
tree4a2fe49932183c152ff1acd742e787c2bbfe4969
parente8657c51ba8499fe0f0f46eaa1a8503bff2d2b2a (diff)
downloadnextcloud-server-7de97ed20003d1f5ab9e2bfde9386bba07d0eff8.tar.gz
nextcloud-server-7de97ed20003d1f5ab9e2bfde9386bba07d0eff8.zip
Make readData() exit with a 400 Bad Request when a required parameter is not provided, and sanitize text
-rw-r--r--lib/ocs.php95
1 files changed, 41 insertions, 54 deletions
diff --git a/lib/ocs.php b/lib/ocs.php
index 309e3bb0647..5e697b48304 100644
--- a/lib/ocs.php
+++ b/lib/ocs.php
@@ -4,7 +4,9 @@
* ownCloud
*
* @author Frank Karlitschek
+* @author Michael Gapczynski
* @copyright 2012 Frank Karlitschek frank@owncloud.org
+* @copyright 2012 Michael Gapczynski mtgap@owncloud.com
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
@@ -32,49 +34,44 @@ class OC_OCS {
/**
* reads input date from get/post/cookies and converts the date to a special data-type
*
- * @param variable $key
- * @param variable-type $type
- * @param priority $getpriority
- * @param default $default
- * @return data
+ * @param string HTTP method to read the key from
+ * @param string Parameter to read
+ * @param string Variable type to format data
+ * @param mixed Default value to return if the key is not found
+ * @return mixed Data or if the key is not found and no default is set it will exit with a 400 Bad request
*/
- public static function readData($key,$type='raw',$getpriority=false,$default='') {
- if($getpriority) {
- if(isset($_GET[$key])) {
- $data=$_GET[$key];
- } elseif(isset($_POST[$key])) {
- $data=$_POST[$key];
- } else {
- if($default=='') {
- if(($type=='int') or ($type=='float')) $data=0; else $data='';
+ public static function readData($method, $key, $type = 'raw', $default = null) {
+ if ($method == 'get') {
+ if (isset($_GET[$key])) {
+ $data = $_GET[$key];
+ } else if (isset($default)) {
+ return $default;
} else {
- $data=$default;
+ $data = false;
}
- }
- } else {
- if(isset($_POST[$key])) {
- $data=$_POST[$key];
- } elseif(isset($_GET[$key])) {
- $data=$_GET[$key];
- } elseif(isset($_COOKIE[$key])) {
- $data=$_COOKIE[$key];
- } else {
- if($default=='') {
- if(($type=='int') or ($type=='float')) $data=0; else $data='';
+ } else if ($method == 'post') {
+ if (isset($_POST[$key])) {
+ $data = $_POST[$key];
+ } else if (isset($default)) {
+ return $default;
} else {
- $data=$default;
+ $data = false;
}
}
+ if ($data === false) {
+ echo self::generateXml('', 'fail', 400, 'Bad request. Please provide a valid '.$key);
+ exit();
+ } else {
+ // NOTE: Is the raw type necessary? It might be a little risky without sanitization
+ if ($type == 'raw') return $data;
+ elseif ($type == 'text') return OC_Util::sanitizeHTML($data);
+ elseif ($type == 'int') return (int) $data;
+ elseif ($type == 'float') return (float) $data;
+ elseif ($type == 'array') return OC_Util::sanitizeHTML($data);
+ else return OC_Util::sanitizeHTML($data);
}
-
- if($type=='raw') return($data);
- elseif($type=='text') return(addslashes(strip_tags($data)));
- elseif($type=='int') { $data = (int) $data; return($data); }
- elseif($type=='float') { $data = (float) $data; return($data); }
- elseif($type=='array') { $data = $data; return($data); }
}
-
/**
main function to handle the REST request
**/
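Review bot: `$data` is assigned only inside the `get` and `post` branches of readData, so for any other `$method` value the `$data === false` check reads an undefined variable and the function falls through to `OC_Util::sanitizeHTML()` on a null instead of producing the intended 400 response; initialise it up front with `$data = false;` immediately before `if ($method == 'get') {`, or make the method chain end in an `else` that rejects unknown methods. The `'raw'` type still hands request input back unsanitized, as the NOTE in the hunk says; whether any caller still uses it cannot be seen from this diff. The `(int)` and `(float)` casts also accept array-typed query parameters without complaint, so an `is_string($data)` guard before the cast would make the int/float contract explicit. The same `$method` assumption reaches the first caller in the next hunk, `$format = self::readData($method, 'format', 'text', '')`, where `$method` is computed outside the visible lines.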
@@ -100,26 +97,23 @@ class OC_OCS {
if(substr($url,(strlen($url)-1))<>'/') $url.='/';
$ex=explode('/',$url);
$paracount=count($ex);
-
+ $format = self::readData($method, 'format', 'text', '');
// eventhandler
// CONFIG
// apiconfig - GET - CONFIG
if(($method=='get') and ($ex[$paracount-3] == 'v1.php') and ($ex[$paracount-2] == 'config')){
- $format=OC_OCS::readdata('format','text');
OC_OCS::apiconfig($format);
// PERSON
// personcheck - POST - PERSON/CHECK
}elseif(($method=='post') and ($ex[$paracount-4] == 'v1.php') and ($ex[$paracount-3]=='person') and ($ex[$paracount-2] == 'check')){
- $format=OC_OCS::readdata('format','text');
- $login=OC_OCS::readdata('login','text');
- $passwd=OC_OCS::readdata('password','text');
+ $login = self::readData($method, 'login', 'text');
+ $passwd = self::readData($method, 'password', 'text');
OC_OCS::personcheck($format,$login,$passwd);
} else if ($method == 'post' && $ex[$paracount - 4] == 'v1.php' && $ex[$paracount - 3] == 'person' && $ex[$paracount - 2] == 'add') {
- $format = self::readData('format', 'text');
if (OC_Group::inGroup(self::checkPassword(), 'admin')) {
- $login = self::readData('login', 'text');
- $password = self::readData('password', 'text');
+ $login = self::readData($method, 'login', 'text');
+ $password = self::readData($method, 'password', 'text');
try {
OC_User::createUser($login, $password);
echo self::generateXml($format, 'ok', 201, '');
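Review bot: Both password reads use the `'text'` type (`$passwd = self::readData($method, 'password', 'text');` in the person/check branch and `$password = self::readData($method, 'password', 'text');` in person/add), which per readData passes the value through `OC_Util::sanitizeHTML`; if that helper HTML-encodes characters such as `&`, `<` or quotes, a password containing them is altered before `personcheck` and `OC_User::createUser` see it, so the stored credential and the later check no longer agree with what the client sent. A password is never rendered, so `'raw'` paired with an `is_string` check is the appropriate type for these two lines. The enclosing dispatch function starts and ends outside this hunk.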
@@ -132,50 +126,43 @@ class OC_OCS {
// ACTIVITY
// activityget - GET ACTIVITY page,pagesize als urlparameter
}elseif(($method=='get') and ($ex[$paracount-3] == 'v1.php') and ($ex[$paracount-2] == 'activity')){
- $format=OC_OCS::readdata('format','text');
- $page=OC_OCS::readdata('page','int');
- $pagesize=OC_OCS::readdata('pagesize','int');
+ $page = self::readData($method, 'page', 'int', 0);
+ $pagesize = self::readData($method, 'pagesize','int', 10);
if($pagesize<1 or $pagesize>100) $pagesize=10;
OC_OCS::activityget($format,$page,$pagesize);
// activityput - POST ACTIVITY
}elseif(($method=='post') and ($ex[$paracount-3] == 'v1.php') and ($ex[$paracount-2] == 'activity')){
- $format=OC_OCS::readdata('format','text');
- $message=OC_OCS::readdata('message','text');
+ $message = self::readData($method, 'message', 'text');
OC_OCS::activityput($format,$message);
// PRIVATEDATA
// get - GET DATA
}elseif(($method=='get') and ($ex[$paracount-4] == 'v1.php') and ($ex[$paracount-2] == 'getattribute')){
- $format=OC_OCS::readdata('format','text');
OC_OCS::privateDataGet($format);
}elseif(($method=='get') and ($ex[$paracount-5] == 'v1.php') and ($ex[$paracount-3] == 'getattribute')){
- $format=OC_OCS::readdata('format','text');
$app=$ex[$paracount-2];
OC_OCS::privateDataGet($format, $app);
}elseif(($method=='get') and ($ex[$paracount-6] == 'v1.php') and ($ex[$paracount-4] == 'getattribute')){
- $format=OC_OCS::readdata('format','text');
+
$key=$ex[$paracount-2];
$app=$ex[$paracount-3];
OC_OCS::privateDataGet($format, $app,$key);
// set - POST DATA
}elseif(($method=='post') and ($ex[$paracount-6] == 'v1.php') and ($ex[$paracount-4] == 'setattribute')){
- $format=OC_OCS::readdata('format','text');
$key=$ex[$paracount-2];
$app=$ex[$paracount-3];
- $value=OC_OCS::readdata('value','text');
+ $value = self::readData($method, 'value', 'text');
OC_OCS::privatedataset($format, $app, $key, $value);
// delete - POST DATA
}elseif(($method=='post') and ($ex[$paracount-6] =='v1.php') and ($ex[$paracount-4] == 'deleteattribute')){
- $format=OC_OCS::readdata('format','text');
$key=$ex[$paracount-2];
$app=$ex[$paracount-3];
OC_OCS::privatedatadelete($format, $app, $key);
}else{
- $format=OC_OCS::readdata('format','text');
$txt='Invalid query, please check the syntax. API specifications are here: http://www.freedesktop.org/wiki/Specifications/open-collaboration-services. DEBUG OUTPUT:'."\n";
$txt.=OC_OCS::getdebugoutput();
echo(OC_OCS::generatexml($format,'failed',999,$txt));