# Workaround patch file for Open XDMoD versions 10.5.0 through 10.5.1
# Patches the following vulnerabilities:
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527
diff --git a/libraries/charting.php b/libraries/charting.php
index 777c3e3b80..b022e5fc01 100644
--- a/libraries/charting.php
+++ b/libraries/charting.php
@@ -145,17 +145,17 @@ function getSvgViaChromiumHelper($html, $width, $height){
 */
 function convertSvg($svgData, $format, $width, $height, $docmeta){
- $author = isset($docmeta['author']) ? addcslashes($docmeta['author'], "()\n\\") : 'XDMoD';
- $subject = isset($docmeta['subject']) ? addcslashes($docmeta['subject'], "()\n\\") : 'XDMoD chart';
- $title = isset($docmeta['title']) ? addcslashes($docmeta['title'], "()\n\\") :'XDMoD PDF chart export';
- $creator = addcslashes('XDMoD ' . OPEN_XDMOD_VERSION, "()\n\\");
+ $author = isset($docmeta['author']) ? escapeshellarg($docmeta['author']) : "'XDMoD'";
+ $subject = isset($docmeta['subject']) ? escapeshellarg($docmeta['subject']) : "'XDMoD chart'";
+ $title = isset($docmeta['title']) ? escapeshellarg($docmeta['title']) : "'XDMoD PDF chart export'";
+ $creator = escapeshellarg('XDMoD ' . OPEN_XDMOD_VERSION);
 switch($format){
 case 'png':
- $exifArgs = "-Title='$title' -Author='$author' -Description='$subject' -Source='$creator'";
+ $exifArgs = "-Title=$title -Author=$author -Description=$subject -Source=$creator";
 break;
 case 'pdf':
- $exifArgs = "-Title='$title' -Author='$author' -Subject='$subject' -Creator='$creator'";
+ $exifArgs = "-Title=$title -Author=$author -Subject=$subject -Creator=$creator";
 break;
 default:
 return $svgData;
diff --git a/html/controllers/sab_user.php b/html/controllers/sab_user.php
index 5821a70760..8b6331b996 100644
--- a/html/controllers/sab_user.php
+++ b/html/controllers/sab_user.php
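Review bot: The escaped values are still spliced into a shell command string (the exiftool invocation that consumes `$exifArgs` is outside this hunk), and `escapeshellarg()` is locale-dependent — bytes that are not valid in the current LC_CTYPE charset are dropped or rejected depending on PHP version, so a non-ASCII title can be mangled unless the process locale is UTF-8, and on PHP 8 a NUL byte in the input throws a ValueError that nothing here catches. If the caller can be touched, passing the arguments as an array to proc_open (PHP 7.4+) avoids the shell and the quoting altogether. Short of that, the pre-quoted defaults (`"'XDMoD'"`) are a second escaping path that is easy to break; routing every value through one call, e.g. `$author = escapeshellarg($docmeta['author'] ?? 'XDMoD');`, is equivalent and harder to get wrong. convertSvg continues past the end of the hunk.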
@@ -4,19 +4,15 @@
 *
 * operation: params -----
 * enum_tg_users: start, limit, [query], pi_only
- assign_assumed_person: person_id
- get_mapping: use_default
 */
 require_once __DIR__ . '/../../configuration/linker.php';
 \xd_security\start_session();
-$controller = new XDController(array(STATUS_LOGGED_IN));
+$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));
 $controller->registerOperation('enum_tg_users');
-$controller->registerOperation('assign_assumed_person');
-$controller->registerOperation('get_mapping');
 $session_variable = (isset($_POST['dashboard_mode']))
diff --git a/html/controllers/sab_user/assign_assumed_person.php b/html/controllers/sab_user/assign_assumed_person.php
deleted file mode 100644
index 3a63c7a88d..0000000000
--- a/html/controllers/sab_user/assign_assumed_person.php
+++ /dev/null
@@ -1,38 +0,0 @@
-assign_assumed_person
-
-$params = array('person_id' => RESTRICTION_ASSIGNMENT);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_id_specified',
- 'message' => 'invalid_id_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$xdw = new XDWarehouse();
-
-if ($xdw->resolveName($_POST['person_id']) == NO_MAPPING) {
- $returnData = array(
- 'success' => false,
- 'status' => 'no_person_mapping',
- 'message' => 'no_person_mapping',
- );
- xd_controller\returnJSON($returnData);
-}
-
-$_SESSION['assumed_person_id'] = $_POST['person_id'];
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/controllers/sab_user/get_mapping.php b/html/controllers/sab_user/get_mapping.php
deleted file mode 100644
index 27b174f7fc..0000000000
--- a/html/controllers/sab_user/get_mapping.php
+++ /dev/null
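Review bot: Dropping the assign_assumed_person operation stops new writes to `$_SESSION['assumed_person_id']`, but nothing in this hunk clears the key from sessions that already exist, so any code that still reads it (outside this view) will presumably keep honoring a value planted before the workaround was applied until that session expires. Consider adding `unset($_SESSION['assumed_person_id']);` right after `\xd_security\start_session();`, or invalidating active sessions as part of deploying the patch. The added STATUS_MANAGER_ROLE now gates enum_tg_users for every caller of this controller as well; if that is intended, a one-line note in the header comment such as `* All operations require the manager role (security workaround).` would save the next reader from reverting it. The rest of the controller is outside the hunk.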
@@ -1,36 +0,0 @@
-get_mapping
-
-$params = array(
- 'use_default' => RESTRICTION_YES_NO
-);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_params_specified',
- 'message' => 'invalid_params_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$logged_in_user = \xd_security\getLoggedInUser();
-
-$mapped_person_id = $logged_in_user->getPersonID($_POST['use_default'] == 'y');
-
-$xdw = new XDWarehouse();
-$mapped_person_name = $xdw->resolveName($mapped_person_id);
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
- 'mapped_person_id' => $mapped_person_id,
- 'mapped_person_name' => $mapped_person_name,
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/password_reset.php b/html/password_reset.php
index d87fae054c..1bbd8acd37 100644
--- a/html/password_reset.php
+++ b/html/password_reset.php
@@ -75,7 +75,7 @@
 }//if (INVALID)
- $first_name = $validationCheck['user_first_name'];
+ $first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES, 'UTF-8');
 $mode = ( isset($_GET['mode']) && ($_GET['mode'] == 'new') ) ? 'create' : 'reset';
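Review bot: `htmlspecialchars()` called with charset 'UTF-8' but without ENT_SUBSTITUTE returns an empty string when the input contains an invalid byte sequence, so a stored name with one bad byte would silently disappear from the reset page rather than being escaped; use `$first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. This encoding is only right for an HTML text or attribute sink — if `$first_name` is also emitted inside an inline script or a URL further down the file (outside the hunk), that sink needs its own context-specific encoding, not the HTML-escaped value. The enclosing code continues outside the hunk.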