Merge pull request #1787 from xibosignage/develop

Release 3.3.5

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+Xibo supports and maintains the current and prior major releases, with updates being provided to the latest minor
+release within that.
+
+A full list of support is available on our website: https://xibosignage.com/docs/setup/supported-versions-and-environments
+
+## Reporting a Vulnerability
+Please report (suspected) security vulnerabilities using the Security tab in this repository. 
+
+You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as
+possible depending on complexity but historically within a few days.

lib/Controller/Base.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2022 Xibo Signage Ltd
+ * Copyright (C) 2023 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - http://www.xibo.org.uk
  *
@@ -319,7 +319,8 @@ public function render(Request $request, Response $response)
             try {
                 $response = $this->getView()->render($response, $state->template . '.twig', $data);
             } catch (LoaderError | RuntimeError | SyntaxError $e) {
-                throw new GeneralException(__('Twig Error ') . $e->getMessage());
+                $this->getLog()->error('Twig Error' . $e->getMessage());
+                throw new GeneralException(__('Unable to view this page'));
             }
         }
         $this->rendered = true;
@@ -345,7 +346,8 @@ public function renderTwigAjaxReturn(Request $request, Response $response)
         try {
             $view = $this->getView()->render($response, $state->template . '.twig', $data);
         } catch (LoaderError | RuntimeError | SyntaxError $e) {
-            throw new GeneralException(__('Twig Error ') . $e->getMessage());
+            $this->getLog()->error('Twig Error' . $e->getMessage());
+            throw new GeneralException(__('Unable to view this page'));
         }
 
         $view = $view->getBody();

lib/Controller/Display.php

@@ -728,7 +728,7 @@ function grid(Request $request, Response $response)
             }
 
             $display->teamViewerLink = (!empty($display->teamViewerSerial)) ? 'https://start.teamviewer.com/' . $display->teamViewerSerial : '';
-            $display->webkeyLink = (!empty($display->webkeySerial)) ? 'https://webkeyapp.com/mgm?publicid=' . $display->webkeySerial : '';
+            $display->webkeyLink = (!empty($display->webkeySerial)) ? 'https://device.webkeyapp.com/phone?publicid=' . $display->webkeySerial : '';
 
             // Is a transfer to another CMS in progress?
             $display->isCmsTransferInProgress = (!empty($display->newCmsAddress));

lib/Entity/DataSet.php

@@ -525,7 +525,7 @@ public function getData($filterBy = [], $options = [])
                     continue;
                 }
 
-                $formula = str_replace($this->blackList, '', htmlspecialchars_decode($column->formula, ENT_QUOTES));
+                $formula = str_ireplace($this->blackList, '', htmlspecialchars_decode($column->formula, ENT_QUOTES));
                 $formula = str_replace('[DisplayId]', $displayId, $formula);
 
                 $heading = str_replace('[DisplayGeoLocation]', $displayGeoLocation, $formula) . ' AS `' . $column->heading . '`';
@@ -544,7 +544,7 @@ public function getData($filterBy = [], $options = [])
         if ($filter != '') {
             // Support display filtering.
             $filter = str_replace('[DisplayId]', $displayId, $filter);
-            $filter = str_replace($this->blackList, '', $filter);
+            $filter = str_ireplace($this->blackList, '', $filter);
 
             $body .= ' AND ' . $filter;
         }

lib/Factory/BaseFactory.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2022 Xibo Signage Ltd
+ * Copyright (C) 2023 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - http://www.xibo.org.uk
  *
@@ -389,6 +389,12 @@ public function nameFilter($tableName, $tableColumn, $terms, &$body, &$params, $
                 continue;
             }
 
+            // Validate the logical operator
+            if (!in_array($logicalOperator, ['AND', 'OR'])) {
+                $this->getLog()->error('Invalid logical operator ' . $logicalOperator);
+                return;
+            }
+
             // Not like, or like?
             if (substr($searchName, 0, 1) == '-') {
                 if ($i === 1) {

lib/Factory/DisplayFactory.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2022 Xibo Signage Ltd
+ * Copyright (C) 2023 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - http://www.xibo.org.uk
  *
@@ -357,8 +357,18 @@ public function query($sortOrder = null, $filterBy = [])
         // Filter by map bound?
         if ($parsedBody->getString('bounds') !== null) {
             $coordinates = explode(',', $parsedBody->getString('bounds'));
-            $body .= ' AND IFNULL( ' . $functionPrefix . 'X(display.GeoLocation), ' . $this->config->getSetting('DEFAULT_LAT'). ')  BETWEEN ' . $coordinates['1'] . ' AND ' . $coordinates['3'] .
-                ' AND IFNULL( ' . $functionPrefix . 'Y(display.GeoLocation), ' . $this->config->getSetting('DEFAULT_LONG'). ')  BETWEEN  ' . $coordinates['0'] . ' AND ' . $coordinates['2'] . ' ';
+            $defaultLat = $this->config->getSetting('DEFAULT_LAT');
+            $defaultLng = $this->config->getSetting('DEFAULT_LONG');
+
+            $body .= ' AND IFNULL( ' . $functionPrefix . 'X(display.GeoLocation), ' . $defaultLat
+                . ')  BETWEEN :coordinates_1 AND :coordinates_3 '
+                . ' AND IFNULL( ' . $functionPrefix . 'Y(display.GeoLocation), ' . $defaultLng
+                . ')  BETWEEN :coordinates_0 AND :coordinates_2 ';
+
+            $params['coordinates_0'] = $coordinates[0];
+            $params['coordinates_1'] = $coordinates[1];
+            $params['coordinates_2'] = $coordinates[2];
+            $params['coordinates_3'] = $coordinates[3];
         }
 
         // Filter by Display ID?