# Workaround patch file for Open XDMoD version 9.0.0
# Patches the following vulnerabilities:
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527
# - https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992
diff --git a/html/controllers/sab_user.php b/html/controllers/sab_user.php
index 5821a70760..8b6331b996 100644
--- a/html/controllers/sab_user.php
+++ b/html/controllers/sab_user.php
@@ -4,19 +4,15 @@
 *
 * operation: params -----
 * enum_tg_users: start, limit, [query], pi_only
- * assign_assumed_person: person_id
- * get_mapping: use_default
 */
 require_once __DIR__ . '/../../configuration/linker.php';
 \xd_security\start_session();
-$controller = new XDController(array(STATUS_LOGGED_IN));
+$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));
 $controller->registerOperation('enum_tg_users');
-$controller->registerOperation('assign_assumed_person');
-$controller->registerOperation('get_mapping');
 $session_variable = (isset($_POST['dashboard_mode']))
diff --git a/html/controllers/sab_user/assign_assumed_person.php b/html/controllers/sab_user/assign_assumed_person.php
deleted file mode 100644
index 3a63c7a88d..0000000000
--- a/html/controllers/sab_user/assign_assumed_person.php
+++ /dev/null
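Review bot: Dropping the `assign_assumed_person` operation stops new writes to `$_SESSION['assumed_person_id']`, but the hunk does nothing about sessions that already carry that key, so any code that still reads it (none is visible here) would keep honoring a previously assumed identity until those sessions expire. Clearing it right after `\xd_security\start_session();` — `unset($_SESSION['assumed_person_id']);` — or invalidating existing sessions at deploy time closes that window. The docblock at the top of the hunk should also record why the controller now demands `STATUS_MANAGER_ROLE`, e.g. `* Manager role required: enum_tg_users enumerates user accounts (see the advisories in the patch header).`, since non-manager callers of `enum_tg_users` will now be refused. The controller script continues past the end of the hunk.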
@@ -1,38 +0,0 @@
-assign_assumed_person
-
-$params = array('person_id' => RESTRICTION_ASSIGNMENT);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_id_specified',
- 'message' => 'invalid_id_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$xdw = new XDWarehouse();
-
-if ($xdw->resolveName($_POST['person_id']) == NO_MAPPING) {
- $returnData = array(
- 'success' => false,
- 'status' => 'no_person_mapping',
- 'message' => 'no_person_mapping',
- );
- xd_controller\returnJSON($returnData);
-}
-
-$_SESSION['assumed_person_id'] = $_POST['person_id'];
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/controllers/sab_user/get_mapping.php b/html/controllers/sab_user/get_mapping.php
deleted file mode 100644
index 27b174f7fc..0000000000
--- a/html/controllers/sab_user/get_mapping.php
+++ /dev/null
@@ -1,36 +0,0 @@
-get_mapping
-
-$params = array(
- 'use_default' => RESTRICTION_YES_NO
-);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_params_specified',
- 'message' => 'invalid_params_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$logged_in_user = \xd_security\getLoggedInUser();
-
-$mapped_person_id = $logged_in_user->getPersonID($_POST['use_default'] == 'y');
-
-$xdw = new XDWarehouse();
-$mapped_person_name = $xdw->resolveName($mapped_person_id);
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
- 'mapped_person_id' => $mapped_person_id,
- 'mapped_person_name' => $mapped_person_name,
-);
-
-xd_controller\returnJSON($returnData);
-
diff --git a/html/password_reset.php b/html/password_reset.php
index d87fae054c..1bbd8acd37 100644
--- a/html/password_reset.php
+++ b/html/password_reset.php
@@ -75,7 +75,7 @@
 }//if (INVALID)
- $first_name = $validationCheck['user_first_name'];
+ $first_name = htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES, 'UTF-8');
 $mode = ( isset($_GET['mode']) && ($_GET['mode'] == 'new') ) ? 'create' : 'reset';
diff --git a/classes/Realm/GroupBy.php b/classes/Realm/GroupBy.php
index 68d17cc8ea..9bd0989746 100644
--- a/classes/Realm/GroupBy.php
+++ b/classes/Realm/GroupBy.php
@@ -746,10 +746,12 @@ public function generateQueryFiltersFromRequest(array $request)
 // for each of the key columns and align the values with the approprite aggregate key based
 // on the order specified in the attribute_to_aggregate_table_key_map.
+ $db = DB::factory('datawarehouse');
+
 foreach ( $requestFilters as $filterValues ) {
 $list = explode(self::FILTER_DELIMITER, $filterValues);
 foreach ( $this->attributeToAggregateKeyMap as $aggregateKey ) {
- $aggregateFilters[$aggregateKey][] = array_shift($list);
+ $aggregateFilters[$aggregateKey][] = $db->quote(array_shift($list));
 }
 }
@@ -759,10 +761,7 @@ public function generateQueryFiltersFromRequest(array $request)
 // request. If no attribute filter query was specified simply use the list of values.
 foreach ( $aggregateFilters as $aggregateKeyColumn => $filterValues ) {
- // The original code always enclosed values in quotes but this may not be desirable,
- // although it is unclear if we can differentiate between strings and numerics stored as
- // strings.
- $substitution = sprintf("'%s'", implode("','", $filterValues));
+ $substitution = implode(",", $filterValues);
 if ( ! isset($this->attributeFilterMapSqlList[$aggregateKeyColumn]) ) {
 $fieldIdQuery = $substitution;
 } else {
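Review bot: `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` on the `+` line returns an empty string when its input is not valid UTF-8 because `ENT_SUBSTITUTE` is not set, so a first name containing a bad byte sequence silently vanishes from the page; use `htmlspecialchars($validationCheck['user_first_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Escaping at assignment time also covers only an HTML-body sink: if `$first_name` is later emitted (outside this hunk) inside a JavaScript string literal or a URL, entity encoding is not the right escape for that context, so each sink should be checked or the escaping moved to it. The surrounding script continues on both sides of the hunk.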
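Review bot: After the `+` line in the inner foreach, `$aggregateFilters` holds SQL string literals produced by `$db->quote()` instead of raw request values, and nothing in the hunk records that; any later consumer expecting raw values, or adding its own quotes, would get double-quoted or mismatched input. A comment on the assignment makes the contract explicit: `// Each value is SQL-quoted here; entries are SQL literals, never re-quote them downstream.` If `quote()` wraps `PDO::quote()` (not visible here) it returns `false` on a driver without quoting support, which `implode()` later renders as an empty list element — a guard or at least a note on `$db = DB::factory('datawarehouse');` is worth adding. `generateQueryFiltersFromRequest` starts before and ends after this hunk.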
@@ -802,10 +801,12 @@ public function generateQueryParameterLabelsFromRequest(array $request)
 // for each of the key columns and align the values with the approprite aggregate key based
 // on the order specified in the attribute_to_aggregate_table_key_map.
+ $db = DB::factory('datawarehouse');
+
 foreach ( $requestFilters as $filterValues ) {
 $list = explode(self::FILTER_DELIMITER, $filterValues);
 foreach ( $this->attributeToAggregateKeyMap as $attributeKey => $aggregateKey ) {
- $attributeKeyFilters[$attributeKey][] = array_shift($list);
+ $attributeKeyFilters[$attributeKey][] = $db->quote(array_shift($list));
 }
 }
@@ -814,7 +815,7 @@ public function generateQueryParameterLabelsFromRequest(array $request)
 $whereConditions = array();
 foreach ( $attributeKeyFilters as $attributeKey => $filterValues ) {
- $whereConditions[] = sprintf("%s IN ('%s')", $attributeKey, implode("','", $filterValues));
+ $whereConditions[] = sprintf("%s IN (%s)", $attributeKey, implode(",", $filterValues));
 }
 // If the attribute description query was not specified we will use the existing
@@ -847,13 +848,9 @@ public function generateQueryParameterLabelsFromRequest(array $request)
 } else {
 // Construct the where conditions for each key column and replace the placeholder in the
 // attribute description query.
- //
- // The original code always enclosed values in quotes but this may not be desirable,
- // although it is unclear if we can differentiate between strings and numerics stored as
- // strings.
 foreach ( $attributeKeyFilters as $attributeKey => $filterValues ) {
- $filters = "'" . implode("','", $filterValues) . "'";
+ $filters = implode(",", $filterValues);
 }
 $query = str_replace(
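Review bot: In the `+` line building `$whereConditions[]`, `$attributeKey` is still interpolated into the SQL unquoted while only the values are now quoted; it is a key of `$this->attributeToAggregateKeyMap` (populated by the foreach in the earlier hunk, presumably from the realm configuration rather than the request), so this is sound only as long as that map stays configuration-controlled, and the line should say so: `// $attributeKey is a config-defined column name; the values were SQL-quoted when collected.` `generateQueryParameterLabelsFromRequest` starts before and ends after this hunk.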
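Review bot: The foreach over `$attributeKeyFilters` assigns `$filters = implode(",", $filterValues);` afresh on every iteration, so when the key map has more than one attribute key only the last key's values reach the `str_replace(` that follows, while the comment above the loop promises conditions "for each key column". This predates the patch, but it is worth either collecting one condition per key (as the `$whereConditions[]` loop earlier in this method does) or a comment on the foreach stating that a single key column is assumed. The `str_replace(` call continues past the end of the hunk.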