From 4ace3df5cb094d79425c04f1ae57fc017d15fc95 Mon Sep 17 00:00:00 2001
From: Adrien Morais
Date: Mon, 18 Jan 2021 15:27:54 +0100
Subject: [PATCH 1/3] fix(secu): sanitize host dashboard
---
.../reporting/dashboard/common-Func.php | 61 ++++++++++++++-----
1 file changed, 45 insertions(+), 16 deletions(-)
diff --git a/www/include/reporting/dashboard/common-Func.php b/www/include/reporting/dashboard/common-Func.php
index 3ae71b4e8d1..fc264a9fb6b 100644
--- a/www/include/reporting/dashboard/common-Func.php
+++ b/www/include/reporting/dashboard/common-Func.php
@@ -38,29 +38,58 @@
 */
 function getPeriodToReport()
 {
- $period = (isset($_POST["period"])) ? $_POST["period"] : "";
- $period = (isset($_GET["period"])) ? $_GET["period"] : $period;
- $period_choice = (isset($_POST["period_choice"])) ? $_POST["period_choice"] : "";
- $end_date = 0;
- $start_date = 0;
- $start_date = (isset($_POST["StartDate"])) ? $_POST["StartDate"] : "";
- $start_date = (isset($_GET["start"])) ? $_GET["start"] : $start_date;
- $end_date = (isset($_POST["EndDate"])) ? $_POST["EndDate"] : "";
- $end_date = (isset($_GET["end"])) ? $_GET["end"] : $end_date;
+ $period = '';
+ $start_date = '';
+ $end_date = '';
+ $period_choice = '';
+
+ if (isset($_POST['period'])) {
+ $period = filter_var($_POST['period'], FILTER_SANITIZE_STRING);
+ } elseif (isset($_GET['period'])) {
+ $period = filter_var($_GET['period'], FILTER_SANITIZE_STRING);
+ }
+
+ if (isset($_POST['period_choice'])) {
+ $period_choice = filter_var($_POST['period_choice'], FILTER_SANITIZE_STRING);
+ }
+
+ if (isset($_POST['StartDate'])) {
+ $start_date = filter_var($_POST['StartDate'], FILTER_SANITIZE_STRING);
+ } elseif (isset($_GET['StartDate'])) {
+ $start_date = filter_var($_GET['StartDate'], FILTER_SANITIZE_STRING);
+ }
+
+ if (isset($_POST['EndDate'])) {
+ $end_date = filter_var($_POST['EndDate'], FILTER_SANITIZE_STRING);
+ } elseif (isset($_GET['EndDate'])) {
+ $end_date = filter_var($_GET['EndDate'], FILTER_SANITIZE_STRING);
+ }
+
 $interval = array(0, 0);
- if ($period_choice == "custom" && $start_date != "" && $end_date != "") {
- $period = "";
+
+ if (
+ $period_choice == 'custom' &&
+ $start_date != '' &&
+ $end_date != ''
+ ) {
+ $period = '';
 }
- if ($period == "" && $start_date == "" && $end_date == "") {
- $period = "yesterday";
+
+ if ($period == '' &&
+ $start_date == '' &&
+ $end_date == ''
+ ) {
+ $period = 'yesterday';
 }
- if ($period == "" && $start_date != "") {
+
+ if ($period == '' && $start_date != '') {
 $interval = getDateSelectCustomized($start_date, $end_date);
 } else {
 $interval = getDateSelectPredefined($period);
 }
- $start_date = $interval[0];
- $end_date = $interval[1];
+
+ list($start_date, $end_date) = $interval;
+
 return(array($start_date, $end_date));
 }
From 7f1c952e01a0d15cc763e5c0a53352483dc1cace Mon Sep 17 00:00:00 2001
From: Adrien Morais
Date: Mon, 18 Jan 2021 15:46:25 +0100
Subject: [PATCH 2/3] code-review: take feedbacks into account #1
---
.../reporting/dashboard/common-Func.php | 34 +++++++++----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/www/include/reporting/dashboard/common-Func.php b/www/include/reporting/dashboard/common-Func.php
index fc264a9fb6b..718aea2b4ad 100644
--- a/www/include/reporting/dashboard/common-Func.php
+++ b/www/include/reporting/dashboard/common-Func.php
@@ -39,9 +39,9 @@
 function getPeriodToReport()
 {
 $period = '';
- $start_date = '';
- $end_date = '';
- $period_choice = '';
+ $startDate = '';
+ $endDate = '';
+ $periodChoice = '';
 if (isset($_POST['period'])) {
 $period = filter_var($_POST['period'], FILTER_SANITIZE_STRING);
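Review bot: `filter_var(..., FILTER_SANITIZE_STRING)` on the new reads of `period`, `period_choice`, `StartDate` and `EndDate` only strips tags and HTML-encodes quotes, so any other string still reaches getDateSelectCustomized() and getDateSelectPredefined() (both defined outside this hunk) unchecked, and that filter is deprecated as of PHP 8.1. Validate rather than sanitise: compare with `$period_choice === 'custom'`, keep `$period` only if it is one of the keys getDateSelectPredefined() handles (`'yesterday'` is the one visible here), and keep a date only if it matches the format getDateSelectCustomized() parses, e.g. `if (!preg_match('/^\d{2}\/\d{2}\/\d{4}$/', $start_date)) { $start_date = ''; }` with the pattern adjusted to that format. Two behaviour changes also slip in without a mention in the commit message: the GET parameters are renamed from `start`/`end` to `StartDate`/`EndDate`, and POST now wins over GET where the old code let GET override POST, so a link that passes only `?start=…&end=…` would now fall back to `yesterday`.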
@@ -50,47 +50,47 @@ function getPeriodToReport()
 }
 if (isset($_POST['period_choice'])) {
- $period_choice = filter_var($_POST['period_choice'], FILTER_SANITIZE_STRING);
+ $periodChoice = filter_var($_POST['period_choice'], FILTER_SANITIZE_STRING);
 }
 if (isset($_POST['StartDate'])) {
- $start_date = filter_var($_POST['StartDate'], FILTER_SANITIZE_STRING);
+ $startDate = filter_var($_POST['StartDate'], FILTER_SANITIZE_STRING);
 } elseif (isset($_GET['StartDate'])) {
- $start_date = filter_var($_GET['StartDate'], FILTER_SANITIZE_STRING);
+ $startDate = filter_var($_GET['StartDate'], FILTER_SANITIZE_STRING);
 }
 if (isset($_POST['EndDate'])) {
- $end_date = filter_var($_POST['EndDate'], FILTER_SANITIZE_STRING);
+ $endDate = filter_var($_POST['EndDate'], FILTER_SANITIZE_STRING);
 } elseif (isset($_GET['EndDate'])) {
- $end_date = filter_var($_GET['EndDate'], FILTER_SANITIZE_STRING);
+ $endDate = filter_var($_GET['EndDate'], FILTER_SANITIZE_STRING);
 }
 $interval = array(0, 0);
 if (
- $period_choice == 'custom' &&
- $start_date != '' &&
- $end_date != ''
+ $periodChoice == 'custom' &&
+ $startDate != '' &&
+ $endDate != ''
 ) {
 $period = '';
 }
 if ($period == '' &&
- $start_date == '' &&
- $end_date == ''
+ $startDate == '' &&
+ $endDate == ''
 ) {
 $period = 'yesterday';
 }
- if ($period == '' && $start_date != '') {
- $interval = getDateSelectCustomized($start_date, $end_date);
+ if ($period == '' && $startDate != '') {
+ $interval = getDateSelectCustomized($startDate, $endDate);
 } else {
 $interval = getDateSelectPredefined($period);
 }
- list($start_date, $end_date) = $interval;
+ list($startDate, $endDate) = $interval;
- return(array($start_date, $end_date));
+ return(array($startDate, $endDate));
 }
 /*
From eb935213121b533f45c4c8a5129425913c922efd Mon Sep 17 00:00:00 2001
From: Adrien Morais
Date: Mon, 18 Jan 2021 15:49:43 +0100
Subject: [PATCH 3/3] code-review: take feedbacks into account #2
---
www/include/reporting/dashboard/common-Func.php | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/www/include/reporting/dashboard/common-Func.php b/www/include/reporting/dashboard/common-Func.php
index 718aea2b4ad..d354e054346 100644
--- a/www/include/reporting/dashboard/common-Func.php
+++ b/www/include/reporting/dashboard/common-Func.php
@@ -67,8 +67,7 @@ function getPeriodToReport()
 $interval = array(0, 0);
- if (
- $periodChoice == 'custom' &&
+ if ($periodChoice == 'custom' &&
 $startDate != '' &&
 $endDate != ''
 ) {