From a7df23cebadfc0a60095ff53e4ae5e293eb02b38 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 13 Feb 2015 13:33:20 +0100
Subject: Manually type-case all AJAX files

This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support :see_no_evil:

Fixes https://github.com/owncloud/core/issues/14196 for core
---
 core/ajax/appconfig.php | 12 ++++----
 core/ajax/share.php     | 76 ++++++++++++++++++++++++-------------------------
 2 files changed, 44 insertions(+), 44 deletions(-)

(limited to 'core')

diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php
index 7d73185dae6..4b670d8c5c3 100644
--- a/core/ajax/appconfig.php
+++ b/core/ajax/appconfig.php
@@ -11,14 +11,14 @@ OCP\JSON::callCheck();
 $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
 if(isset($_POST['app']) || isset($_GET['app'])) {
-	$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']);
+	$app=OC_App::cleanAppId(isset($_POST['app'])? (string)$_POST['app']: (string)$_GET['app']);
 }
 // An admin should not be able to add remote and public services
 // on its own. This should only be possible programmatically.
 // This change is due the fact that an admin may not be expected
 // to execute arbitrary code in every environment.
-if($app === 'core' && isset($_POST['key']) &&(substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) {
+if($app === 'core' && isset($_POST['key']) &&(substr((string)$_POST['key'],0,7) === 'remote_' || substr((string)$_POST['key'],0,7) === 'public_')) {
 	OC_JSON::error(array('data' => array('message' => 'Unexpected error!')));
 	return;
 }
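Review bot: The new ternary `isset($_POST['app'])? (string)$_POST['app']: (string)$_GET['app']` puts a space after `?` and none before `:`, unlike the `$action` ternary on the first context line and the other ternaries in this commit; `isset($_POST['app']) ? (string)$_POST['app'] : (string)$_GET['app']` keeps the spacing uniform. Note also that `$action` on that first context line is now the only request parameter in this file read without a cast; if that is deliberate, as the commit message suggests, a short comment there would save the next reader from guessing.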
@@ -27,10 +27,10 @@ $result=false;
 $appConfig = \OC::$server->getAppConfig();
 switch($action) {
 	case 'getValue':
-		$result=$appConfig->getValue($app, $_GET['key'], $_GET['defaultValue']);
+		$result=$appConfig->getValue($app, (string)$_GET['key'], (string)$_GET['defaultValue']);
 		break;
 	case 'setValue':
-		$result=$appConfig->setValue($app, $_POST['key'], $_POST['value']);
+		$result=$appConfig->setValue($app, (string)$_POST['key'], (string)$_POST['value']);
 		break;
 	case 'getApps':
 		$result=$appConfig->getApps();
@@ -39,10 +39,10 @@ switch($action) {
 		$result=$appConfig->getKeys($app);
 		break;
 	case 'hasKey':
-		$result=$appConfig->hasKey($app, $_GET['key']);
+		$result=$appConfig->hasKey($app, (string)$_GET['key']);
 		break;
 	case 'deleteKey':
-		$result=$appConfig->deleteKey($app, $_POST['key']);
+		$result=$appConfig->deleteKey($app, (string)$_POST['key']);
 		break;
 	case 'deleteApp':
 		$result=$appConfig->deleteApp($app);
diff --git a/core/ajax/share.php b/core/ajax/share.php
index 6d0a6a4e3b9..d8aec9c6542 100644
--- a/core/ajax/share.php
+++ b/core/ajax/share.php
@@ -31,11 +31,11 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 		try {
 			$shareType = (int)$_POST['shareType'];
 			$shareWith = $_POST['shareWith'];
-			$itemSourceName = isset($_POST['itemSourceName']) ? $_POST['itemSourceName'] : null;
+			$itemSourceName = isset($_POST['itemSourceName']) ? (string)$_POST['itemSourceName'] : null;
 			if ($shareType === OCP\Share::SHARE_TYPE_LINK && $shareWith == '') {
 				$shareWith = null;
 			}
-			$itemSourceName=(isset($_POST['itemSourceName'])) ? $_POST['itemSourceName']:'';
+			$itemSourceName=(isset($_POST['itemSourceName'])) ? (string)$_POST['itemSourceName']:'';
 			$token = OCP\Share::shareItem(
 				$_POST['itemType'],
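Review bot: `(string)$_GET['defaultValue']` on the new `getValue` line changes what a request without `defaultValue` passes through: the old code handed `null` to `getValue`, the cast hands `''`, so a missing default is no longer distinguishable from an explicitly empty one. If `null` is meant to remain the fallback, keep it outside the cast: `isset($_GET['defaultValue']) ? (string)$_GET['defaultValue'] : null`. The same null-to-empty-string shift applies to every unguarded `(string)$_POST[...]` read added by this commit, for example `$link`, `$file` and `$to_address` in the `email` case of share.php (@@ -123,26 hunk), where a missing parameter previously arrived as `null`.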
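Review bot: In the share.php @@ -31,11 hunk `$itemSourceName` is assigned twice and the first assignment (the `: null` form) is dead: the `$itemSourceName=(isset($_POST['itemSourceName'])) ? (string)$_POST['itemSourceName']:''` line overwrites it unconditionally before any use, and the `if` block in between does not read it, so the `null` fallback never reaches `shareItem()`. Since the commit touches both lines, this is the moment to delete the first one and keep a single `$itemSourceName = isset($_POST['itemSourceName']) ? (string)$_POST['itemSourceName'] : '';`. The enclosing `try` block and the `shareItem()` argument list both continue past the end of the hunk.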
@@ -44,7 +44,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 				$shareWith,
 				$_POST['permissions'],
 				$itemSourceName,
-				(!empty($_POST['expirationDate']) ? new \DateTime($_POST['expirationDate']) : null)
+				(!empty($_POST['expirationDate']) ? new \DateTime((string)$_POST['expirationDate']) : null)
 			);
 			if (is_string($token)) {
@@ -62,19 +62,19 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 			if ((int)$_POST['shareType'] === OCP\Share::SHARE_TYPE_LINK && $_POST['shareWith'] == '') {
 				$shareWith = null;
 			} else {
-				$shareWith = $_POST['shareWith'];
+				$shareWith = (string)$_POST['shareWith'];
 			}
-			$return = OCP\Share::unshare($_POST['itemType'], $_POST['itemSource'], $_POST['shareType'], $shareWith);
+			$return = OCP\Share::unshare((string)$_POST['itemType'],(string) $_POST['itemSource'], (int)$_POST['shareType'], $shareWith);
 			($return) ? OC_JSON::success() : OC_JSON::error();
 		}
 		break;
 	case 'setPermissions':
 		if (isset($_POST['shareType']) && isset($_POST['shareWith']) && isset($_POST['permissions'])) {
 			$return = OCP\Share::setPermissions(
-				$_POST['itemType'],
-				$_POST['itemSource'],
+				(string)$_POST['itemType'],
+				(string)$_POST['itemSource'],
 				(int)$_POST['shareType'],
-				$_POST['shareWith'],
+				(string)$_POST['shareWith'],
 				(int)$_POST['permissions']
 			);
 			($return) ? OC_JSON::success() : OC_JSON::error();
@@ -83,7 +83,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 	case 'setExpirationDate':
 		if (isset($_POST['date'])) {
 			try {
-				$return = OCP\Share::setExpirationDate($_POST['itemType'], $_POST['itemSource'], $_POST['date']);
+				$return = OCP\Share::setExpirationDate((string)$_POST['itemType'], (string)$_POST['itemSource'], (string)$_POST['date']);
 				($return) ? OC_JSON::success() : OC_JSON::error();
 			} catch (\Exception $e) {
 				OC_JSON::error(array('data' => array('message' => $e->getMessage())));
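Review bot: `$_POST['permissions']` on the context line just above the changed `\DateTime` line is still passed to `shareItem()` uncast, while the `setPermissions` branch in the @@ -62,19 hunk casts the same parameter with `(int)$_POST['permissions']`; since the point of this commit is to apply casts consistently, `(int)$_POST['permissions'],` here would bring the two call sites in line. The `shareItem()` argument list starts before this hunk, so the other arguments cannot be checked from here.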
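Review bot: The new `unshare` call writes `(string) $_POST['itemSource']` with a space after the cast and none after the preceding comma, unlike every other cast in this commit; `OCP\Share::unshare((string)$_POST['itemType'], (string)$_POST['itemSource'], (int)$_POST['shareType'], $shareWith);` reads consistently. On the context line above it, `$_POST['shareWith'] == ''` still compares the raw value loosely while the `else` branch now casts it, so the check and the value passed on are not computed the same way; `(string)$_POST['shareWith'] === ''` would test exactly what the cast produces.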
@@ -93,9 +93,9 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 	case 'informRecipients':
 		$l = \OC::$server->getL10N('core');
 		$shareType = (int) $_POST['shareType'];
-		$itemType = $_POST['itemType'];
-		$itemSource = $_POST['itemSource'];
-		$recipient = $_POST['recipient'];
+		$itemType = (string)$_POST['itemType'];
+		$itemSource = (string)$_POST['itemSource'];
+		$recipient = (string)$_POST['recipient'];
 		if($shareType === \OCP\Share::SHARE_TYPE_USER) {
 			$recipientList[] = $recipient;
@@ -123,26 +123,26 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 		}
 		break;
 	case 'informRecipientsDisabled':
-		$itemSource = $_POST['itemSource'];
-		$shareType = $_POST['shareType'];
-		$itemType = $_POST['itemType'];
-		$recipient = $_POST['recipient'];
+		$itemSource = (string)$_POST['itemSource'];
+		$shareType = (int)$_POST['shareType'];
+		$itemType = (string)$_POST['itemType'];
+		$recipient = (string)$_POST['recipient'];
 		\OCP\Share::setSendMailStatus($itemType, $itemSource, $shareType, $recipient, false);
 		OCP\JSON::success();
 		break;
 	case 'email':
 		// read post variables
-		$link = $_POST['link'];
-		$file = $_POST['file'];
-		$to_address = $_POST['toaddress'];
+		$link = (string)$_POST['link'];
+		$file = (string)$_POST['file'];
+		$to_address = (string)$_POST['toaddress'];
 		$mailNotification = new \OC\Share\MailNotifications();
 		$expiration = null;
 		if (isset($_POST['expiration']) && $_POST['expiration'] !== '') {
 			try {
-				$date = new DateTime($_POST['expiration']);
+				$date = new DateTime((string)$_POST['expiration']);
 				$expiration = $date->getTimestamp();
 			} catch (Exception $e) {
 				\OCP\Util::writeLog('sharing', "Couldn't read date: " . $e->getMessage(), \OCP\Util::ERROR);
@@ -170,7 +170,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 	switch ($_GET['fetch']) {
 		case 'getItemsSharedStatuses':
 			if (isset($_GET['itemType'])) {
-				$return = OCP\Share::getItemsShared($_GET['itemType'], OCP\Share::FORMAT_STATUSES);
+				$return = OCP\Share::getItemsShared((string)$_GET['itemType'], OCP\Share::FORMAT_STATUSES);
 				is_array($return) ? OC_JSON::success(array('data' => $return)) : OC_JSON::error();
 			}
 			break;
@@ -181,8 +181,8 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 				&& isset($_GET['checkShares'])) {
 				if ($_GET['checkReshare'] == 'true') {
 					$reshare = OCP\Share::getItemSharedWithBySource(
-						$_GET['itemType'],
-						$_GET['itemSource'],
+						(string)$_GET['itemType'],
+						(string)$_GET['itemSource'],
 						OCP\Share::FORMAT_NONE,
 						null,
 						true
@@ -192,8 +192,8 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 				}
 				if ($_GET['checkShares'] == 'true') {
 					$shares = OCP\Share::getItemShared(
-						$_GET['itemType'],
-						$_GET['itemSource'],
+						(string)$_GET['itemType'],
+						(string)$_GET['itemSource'],
 						OCP\Share::FORMAT_NONE,
 						null,
 						true
@@ -209,7 +209,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 			if (isset($_GET['search'])) {
 				$cm = OC::$server->getContactsManager();
 				if (!is_null($cm) && $cm->isEnabled()) {
-					$contacts = $cm->search($_GET['search'], array('FN', 'EMAIL'));
+					$contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
 					foreach ($contacts as $contact) {
 						if (!isset($contact['EMAIL'])) {
 							continue;
@@ -236,7 +236,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 			if (isset($_GET['search'])) {
 				$shareWithinGroupOnly = OC\Share\Share::shareWithGroupMembersOnly();
 				$shareWith = array();
-				$groups = OC_Group::getGroups($_GET['search']);
+				$groups = OC_Group::getGroups((string)$_GET['search']);
 				if ($shareWithinGroupOnly) {
 					$usergroups = OC_Group::getUserGroups(OC_User::getUser());
 					$groups = array_intersect($groups, $usergroups);
@@ -248,15 +248,15 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 				while ($count < 15 && count($users) == $limit) {
 					$limit = 15 - $count;
 					if ($shareWithinGroupOnly) {
-						$users = OC_Group::DisplayNamesInGroups($usergroups, $_GET['search'], $limit, $offset);
+						$users = OC_Group::DisplayNamesInGroups($usergroups, (string)$_GET['search'], $limit, $offset);
 					} else {
-						$users = OC_User::getDisplayNames($_GET['search'], $limit, $offset);
+						$users = OC_User::getDisplayNames((string)$_GET['search'], $limit, $offset);
 					}
 					$offset += $limit;
 					foreach ($users as $uid => $displayName) {
 						if ((!isset($_GET['itemShares'])
-							|| !is_array($_GET['itemShares'][OCP\Share::SHARE_TYPE_USER])
-							|| !in_array($uid, $_GET['itemShares'][OCP\Share::SHARE_TYPE_USER]))
+							|| !is_array((string)$_GET['itemShares'][OCP\Share::SHARE_TYPE_USER])
+							|| !in_array($uid, (string)$_GET['itemShares'][OCP\Share::SHARE_TYPE_USER]))
 							&& $uid != OC_User::getUser()) {
 							$shareWith[] = array(
 								'label' => $displayName,
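Review bot: The `(string)` casts on the two `$_GET['itemShares'][OCP\Share::SHARE_TYPE_USER]` lines in the @@ -248,15 hunk break the filter: `is_array()` of a string-cast value is never true, so `!is_array(...)` is always true, the `||` chain short-circuits before `in_array()` ever runs, and users the item is already shared with are no longer excluded from the search results (when the value really is an array the cast additionally raises an "Array to string conversion" notice). These two operands have to stay uncast: `|| !is_array($_GET['itemShares'][OCP\Share::SHARE_TYPE_USER])` and `|| !in_array($uid, $_GET['itemShares'][OCP\Share::SHARE_TYPE_USER]))`. The same cast is applied to the `SHARE_TYPE_GROUP` lookups in the @@ -277,8 hunk and needs reverting there for the same reason. The enclosing `while` and `foreach` continue past the end of the hunk.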
@@ -277,8 +277,8 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 					if ($count < 15) {
 						if (!isset($_GET['itemShares'])
 							|| !isset($_GET['itemShares'][OCP\Share::SHARE_TYPE_GROUP])
-							|| !is_array($_GET['itemShares'][OCP\Share::SHARE_TYPE_GROUP])
-							|| !in_array($group, $_GET['itemShares'][OCP\Share::SHARE_TYPE_GROUP])) {
+							|| !is_array((string)$_GET['itemShares'][OCP\Share::SHARE_TYPE_GROUP])
+							|| !in_array($group, (string)$_GET['itemShares'][OCP\Share::SHARE_TYPE_GROUP])) {
 							$shareWith[] = array(
 								'label' => $group,
 								'value' => array(
@@ -294,20 +294,20 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 				}
 				// allow user to add unknown remote addresses for server-to-server share
-				$backend = \OCP\Share::getBackend($_GET['itemType']);
+				$backend = \OCP\Share::getBackend((string)$_GET['itemType']);
 				if ($backend->isShareTypeAllowed(\OCP\Share::SHARE_TYPE_REMOTE)) {
-					if (substr_count($_GET['search'], '@') === 1) {
+					if (substr_count((string)$_GET['search'], '@') === 1) {
 						$shareWith[] = array(
-							'label' => $_GET['search'],
+							'label' => (string)$_GET['search'],
 							'value' => array(
 								'shareType' => \OCP\Share::SHARE_TYPE_REMOTE,
-								'shareWith' => $_GET['search']
+								'shareWith' => (string)$_GET['search']
 							)
 						);
 					}
 				}
-				$sorter = new \OC\Share\SearchResultSorter($_GET['search'],
+				$sorter = new \OC\Share\SearchResultSorter((string)$_GET['search'],
 					'label', new \OC\Log());
 				usort($shareWith, array($sorter, 'sort'));
-- 
cgit v1.2.3
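Review bot: `(string)$_GET['search']` is repeated four times in the @@ -294,20 hunk, and again in the @@ -236,7 and @@ -248,15 hunks, inside what appears to be the `if (isset($_GET['search']))` block opened in the @@ -236,7 hunk; reading it once there into a local, `$search = (string)$_GET['search'];`, and using `$search` at every later call site makes the cast a single decision rather than one each new use has to remember, and removes the risk of one site being left uncast as happened with `$_POST['permissions']` elsewhere in this commit. Whether all of these hunks really sit in that one block cannot be confirmed from the visible context, so the hoisting point should be checked against the full file.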