# Workaround patch file for Open XDMoD versions 7.5.0 through 7.5.1
# Patches the following vulnerabilities:
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992
diff --git a/html/controllers/sab_user.php b/html/controllers/sab_user.php
index 5821a70760..8b6331b996 100644
--- a/html/controllers/sab_user.php
+++ b/html/controllers/sab_user.php
@@ -4,19 +4,15 @@
 * * operation: params ----- * enum_tg_users: start, limit, [query], pi_only
- * assign_assumed_person: person_id
- * get_mapping: use_default
 */
 require_once __DIR__ . '/../../configuration/linker.php';
 \xd_security\start_session();
-$controller = new XDController(array(STATUS_LOGGED_IN));
+$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));
 $controller->registerOperation('enum_tg_users');
-$controller->registerOperation('assign_assumed_person');
-$controller->registerOperation('get_mapping');
 $session_variable = (isset($_POST['dashboard_mode']))
diff --git a/html/controllers/sab_user/assign_assumed_person.php b/html/controllers/sab_user/assign_assumed_person.php
deleted file mode 100644
index 3a63c7a88d..0000000000
--- a/html/controllers/sab_user/assign_assumed_person.php
+++ /dev/null
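Review bot: The header comment in this hunk still lists the operations and their params but says nothing about the access requirement the constructor change introduces, so a reader has to infer from `array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE)` that the remaining `enum_tg_users` operation is now manager-only; add a line such as ` * access: logged-in session holding the manager role (STATUS_MANAGER_ROLE)` next to the operation table. Whether every existing caller of enum_tg_users runs in a manager session is not visible here — the `dashboard_mode` switch that follows suggests an admin dashboard, but that is inferred — so it is worth confirming that no non-manager UI path still calls it. Dropping the `registerOperation` calls is only sufficient together with the deletion of the two handler files in the following sections; a one-line comment above the constructor noting that the controller is deliberately restricted to a single manager-only operation would keep someone from re-adding handlers later without revisiting the role check.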
@@ -1,38 +0,0 @@
-assign_assumed_person
-
-$params = array('person_id' => RESTRICTION_ASSIGNMENT);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_id_specified',
- 'message' => 'invalid_id_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$xdw = new XDWarehouse();
-
-if ($xdw->resolveName($_POST['person_id']) == NO_MAPPING) {
- $returnData = array(
- 'success' => false,
- 'status' => 'no_person_mapping',
- 'message' => 'no_person_mapping',
- );
- xd_controller\returnJSON($returnData);
-}
-
-$_SESSION['assumed_person_id'] = $_POST['person_id'];
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/controllers/sab_user/get_mapping.php b/html/controllers/sab_user/get_mapping.php
deleted file mode 100644
index 27b174f7fc..0000000000
--- a/html/controllers/sab_user/get_mapping.php
+++ /dev/null
@@ -1,36 +0,0 @@
-get_mapping
-
-$params = array(
- 'use_default' => RESTRICTION_YES_NO
-);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_params_specified',
- 'message' => 'invalid_params_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$logged_in_user = \xd_security\getLoggedInUser();
-
-$mapped_person_id = $logged_in_user->getPersonID($_POST['use_default'] == 'y');
-
-$xdw = new XDWarehouse();
-$mapped_person_name = $xdw->resolveName($mapped_person_id);
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
- 'mapped_person_id' => $mapped_person_id,
- 'mapped_person_name' => $mapped_person_name,
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/password_reset.php b/html/password_reset.php
index d87fae054c..1bbd8acd37 100644
--- a/html/password_reset.php
+++ b/html/password_reset.php
@@ -75,7 +75,7 @@
 }//if (INVALID)
- $first_name = $validationCheck['user_first_name'];
+ $first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES, 'UTF-8');
 $mode = ( isset($_GET['mode']) && ($_GET['mode'] == 'new') ) ? 'create' : 'reset';
diff --git a/classes/DataWarehouse/Query/GroupBy.php b/classes/DataWarehouse/Query/GroupBy.php
index 68277c6bf3..b3b72dfca7 100644
--- a/classes/DataWarehouse/Query/GroupBy.php
+++ b/classes/DataWarehouse/Query/GroupBy.php
@@ -182,19 +182,23 @@ public function pullQueryParameterDescriptions(&$request)
 }
 public function pullQueryParameters2(&$request, $filter_query, $id_column)
 {
+ $db = \CCR\DB::factory('datawarehouse');
 $parameters = array();
 $filterItems = array();
 if (isset($request[$this->getName().'_filter']) && $request[$this->getName().'_filter'] != '') {
 $filterString = $request[$this->getName().'_filter'];
- $filterItems = array_merge($filterItems, explode(',', $filterString));
+ $items = explode(',', $filterString);
+ foreach ($items as $filterItem) {
+ $filterItems[] = $db->quote($filterItem);
+ }
 }
 if (isset($request[$this->getName()])) {
- $filterItems[] = $request[$this->getName()];
+ $filterItems[] = $db->quote($request[$this->getName()]);
 $filterCount = count($filterItems);
 if ($filterCount > 0) {
- $fieldIdQuery = str_replace('_filter_', "'".implode("','", $filterItems)."'", $filter_query);
+ $fieldIdQuery = str_replace('_filter_', implode(",", $filterItems), $filter_query);
 $parameters[] = new \DataWarehouse\Query\Model\Parameter($id_column, 'in', "($fieldIdQuery)");
 }
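Review bot: `htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES, 'UTF-8')` returns an empty string if the stored name contains a byte sequence that is not valid UTF-8, because `ENT_SUBSTITUTE` is not set, so the reset page would silently show no name at all for such a record; prefer `$first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The escaping is applied at assignment rather than at the point of output, so `$first_name` now carries an HTML-escaped value under an unmarked name: if it is later emitted into a JavaScript string or a URL rather than HTML text or an attribute, this encoding is not sufficient for that context, and if it passes through another escaping layer it will be double-encoded. A name like `$first_name_html`, or a comment such as `// already HTML-escaped; use only in HTML text/attribute context`, would make that contract visible. The code that consumes `$first_name` lies outside this hunk, so which context applies is not verifiable here.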
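Review bot: The quoting logic added at the top of pullQueryParameters2 is repeated line for line in pullQueryParameterDescriptions2 in the next hunk, and the two copies already differ cosmetically (`implode(",", $filterItems)` here versus `implode(',', $filterItems)` there), which is how one escaping path later drifts from the other; a private helper returning the quoted list, sketched below, leaves a single place to fix. The `$db->quote()` calls also deserve a why-comment, since the values end up spliced into the subquery text handed to `Parameter($id_column, 'in', "($fieldIdQuery)")` where a bound parameter cannot be used, e.g. `// values are interpolated into the IN subquery text, so they must be quoted here`. `\CCR\DB::factory('datawarehouse')` is now obtained unconditionally even when neither request key is present; if acquiring the handle is not free it could be deferred to the first branch that needs it. I cannot see from here whether this `quote()` can return false for a driver without native quoting — if it can, `implode()` would silently turn that into an empty element and the IN list would be malformed, so a check or a throwing wrapper is worth confirming. pullQueryParameters2 continues past the end of this hunk.
```php
    public function pullQueryParameters2(&$request, $filter_query, $id_column)
    {
        $parameters = array();
        $filterItems = $this->quoteFilterItems($request);
        // … unchanged: $filterCount check, str_replace('_filter_', implode(',', $filterItems), $filter_query), Parameter …

    /**
     * Collect the "<name>_filter" CSV and the bare "<name>" value from the request and
     * quote each one for the data warehouse connection. Callers splice the result into
     * raw IN-subquery text, where a bound parameter cannot be used, so quoting here is
     * what keeps request values from being interpreted as SQL.
     *
     * @return string[] quoted values, empty when neither request key is present
     */
    private function quoteFilterItems($request)
    {
        $db = \CCR\DB::factory('datawarehouse');
        $name = $this->getName();
        $filterItems = array();
        if (isset($request[$name.'_filter']) && $request[$name.'_filter'] != '') {
            foreach (explode(',', $request[$name.'_filter']) as $filterItem) {
                $filterItems[] = $db->quote($filterItem);
            }
        }
        if (isset($request[$name])) {
            $filterItems[] = $db->quote($request[$name]);
        }
        return $filterItems;
    }
```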
@@ -203,20 +207,24 @@ public function pullQueryParameters2(&$request, $filter_query, $id_column)
 }
 public function pullQueryParameterDescriptions2(&$request, $filter_query)
 {
+ $db = \CCR\DB::factory('datawarehouse');
 $parameters = array();
 $filterItems = array();
 if (isset($request[$this->getName().'_filter']) && $request[$this->getName().'_filter'] != '') {
 $filterString = $request[$this->getName().'_filter'];
- $filterItems = array_merge($filterItems, explode(',', $filterString));
+ $items = explode(',', $filterString);
+ foreach ($items as $filterItem) {
+ $filterItems[] = $db->quote($filterItem);
+ }
 }
 if (isset($request[$this->getName()])) {
- $filterItems[] = $request[$this->getName()];
+ $filterItems[] = $db->quote($request[$this->getName()]);
 $filterCount = count($filterItems);
 if ($filterCount > 0) {
- $fieldLabelQuery = str_replace('_filter_', "'".implode("','", $filterItems)."'", $filter_query);
+ $fieldLabelQuery = str_replace('_filter_', implode(',', $filterItems), $filter_query);
 $fieldLabelResults = \DataWarehouse::connect()->query($fieldLabelQuery);
 $label = $this->getLabel();