authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-06-10 18:46:53 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-06-10 18:46:53 +0000
commite16a87cf4d9bc9b9953638dbf3e68fc496b4a809 (patch)
tree51bd7dd58c95416fcde7526bbe33c882a8d46630
parent9b418853f5c6a7d5f10388f4b69c409f2976ad5e (diff)
Bugzilla Bug #471916 - RA: input validation
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@579 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rwxr-xr-xpki/base/ra/forms/admin/group/add.cgi2
-rwxr-xr-xpki/base/ra/forms/admin/group/add_member.cgi2
-rwxr-xr-xpki/base/ra/forms/admin/group/add_new.cgi4
-rwxr-xr-xpki/base/ra/forms/admin/group/delete.cgi2
-rwxr-xr-xpki/base/ra/forms/admin/group/delete_member.cgi2
-rwxr-xr-xpki/base/ra/forms/admin/group/index.cgi10
-rwxr-xr-xpki/base/ra/forms/admin/group/read.cgi10
-rwxr-xr-xpki/base/ra/forms/admin/user/index.cgi12
-rwxr-xr-xpki/base/ra/forms/admin/user/read.cgi8
-rwxr-xr-xpki/base/ra/forms/agent/cert/index.cgi18
-rwxr-xr-xpki/base/ra/forms/agent/cert/read.cgi18
-rwxr-xr-xpki/base/ra/forms/agent/cert/revoke.cgi12
-rwxr-xr-xpki/base/ra/forms/agent/cert/submit.cgi16
-rwxr-xr-xpki/base/ra/forms/agent/error.cgi2
-rwxr-xr-xpki/base/ra/forms/agent/index.cgi5
-rwxr-xr-xpki/base/ra/forms/agent/request/add_note.cgi4
-rwxr-xr-xpki/base/ra/forms/agent/request/index.cgi28
-rwxr-xr-xpki/base/ra/forms/agent/request/op.cgi34
-rwxr-xr-xpki/base/ra/forms/agent/request/read.cgi38
-rwxr-xr-xpki/base/ra/forms/ee/agent/enroll.cgi6
-rwxr-xr-xpki/base/ra/forms/ee/agent/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/error.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/request/getcert.cgi10
-rwxr-xr-xpki/base/ra/forms/ee/request/importcert.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/request/status.cgi12
-rwxr-xr-xpki/base/ra/forms/ee/scep/enroll.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/scep/pkiclient.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/scep/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/server/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/user/renew.cgi12
-rwxr-xr-xpki/base/ra/forms/ee/user/submit.cgi4
-rwxr-xr-xpki/base/ra/lib/perl/PKI/Base/Util.pm15
-rw-r--r--pki/base/ra/lib/perl/PKI/Conn/CA.pm6
33 files changed, 163 insertions, 143 deletions
diff --git a/pki/base/ra/forms/admin/group/add.cgi b/pki/base/ra/forms/admin/group/add.cgi
index 756eef3c7..212330d0d 100755
--- a/pki/base/ra/forms/admin/group/add.cgi
+++ b/pki/base/ra/forms/admin/group/add.cgi
@@ -63,7 +63,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $gid = $util->get_val($q->param('gid'));
my $name = $util->get_val($q->param('name'));
diff --git a/pki/base/ra/forms/admin/group/add_member.cgi b/pki/base/ra/forms/admin/group/add_member.cgi
index 711e254d8..d60fe965e 100755
--- a/pki/base/ra/forms/admin/group/add_member.cgi
+++ b/pki/base/ra/forms/admin/group/add_member.cgi
@@ -63,7 +63,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $gid = $util->get_val($q->param('gid'));
my $userid = $util->get_val($q->param('uid'));
diff --git a/pki/base/ra/forms/admin/group/add_new.cgi b/pki/base/ra/forms/admin/group/add_new.cgi
index b0a6004f0..5a1ca7eda 100755
--- a/pki/base/ra/forms/admin/group/add_new.cgi
+++ b/pki/base/ra/forms/admin/group/add_new.cgi
@@ -65,9 +65,9 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $error = $q->param('error');
- $context{error} = $error;
+ $context{error} = $util->html_encode($error);
my $result = $parser->execute_file_with_context("admin/group/add_new.vm",
\%context);
diff --git a/pki/base/ra/forms/admin/group/delete.cgi b/pki/base/ra/forms/admin/group/delete.cgi
index dbccc20c9..5fb1f22ce 100755
--- a/pki/base/ra/forms/admin/group/delete.cgi
+++ b/pki/base/ra/forms/admin/group/delete.cgi
@@ -63,7 +63,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $gid = $util->get_val($q->param('gid'));
diff --git a/pki/base/ra/forms/admin/group/delete_member.cgi b/pki/base/ra/forms/admin/group/delete_member.cgi
index 0efe72d5e..2e516eeee 100755
--- a/pki/base/ra/forms/admin/group/delete_member.cgi
+++ b/pki/base/ra/forms/admin/group/delete_member.cgi
@@ -62,7 +62,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $gid = $util->get_val($q->param('gid'));
my $userid = $util->get_val($q->param('uid'));
diff --git a/pki/base/ra/forms/admin/group/index.cgi b/pki/base/ra/forms/admin/group/index.cgi
index f41a633f0..a00427f93 100755
--- a/pki/base/ra/forms/admin/group/index.cgi
+++ b/pki/base/ra/forms/admin/group/index.cgi
@@ -66,14 +66,14 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $sp = $util->get_val($q->param('sp'));
+ my $sp = $util->get_alphanum_val($q->param('sp'));
if ($sp eq "") {
$sp = "0";
}
$context{sp} = $sp;
- my $mc = $util->get_val($q->param('mc'));
+ my $mc = $util->get_alphanum_val($q->param('mc'));
if ($mc eq "") {
$mc = "20";
}
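Review bot: `sp` and `mc` look like numeric paging values (their defaults are "0" and "20"), but `get_alphanum_val` still lets letters and spaces through, and `$context{sp}` is assigned without `html_encode`. A digits-only check states the intent and keeps non-numeric text away from whatever the store does with the offset and count, for example `$sp = "0" unless $sp =~ /\A[0-9]+\z/;` and the same for `$mc` with "20". The same pattern appears in admin/user/index.cgi, agent/cert/index.cgi and agent/request/index.cgi. How the store consumes these values is outside this diff, so the impact is not confirmed here.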
@@ -90,8 +90,8 @@ sub process()
my $i = 0;
foreach my $group (@groups) {
$r[$i] = new PKI::RA::GlobalVar(
- getGID => sub { return $group->{'gid'} },
- getName => sub { return $group->{'name'} },
+ getGID => sub { return $util->html_encode($group->{'gid'}) },
+ getName => sub { return $util->html_encode($group->{'name'}) },
);
$i++;
}
diff --git a/pki/base/ra/forms/admin/group/read.cgi b/pki/base/ra/forms/admin/group/read.cgi
index 0191c3912..5a044f826 100755
--- a/pki/base/ra/forms/admin/group/read.cgi
+++ b/pki/base/ra/forms/admin/group/read.cgi
@@ -65,7 +65,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $gid = $util->get_val($q->param('gid'));
@@ -73,8 +73,8 @@ sub process()
$store->open($cfg);
my $ref = $store->read_group($gid);
- $context{gid} = $ref->{'gid'};
- $context{name} = $ref->{'name'};
+ $context{gid} = $util->html_encode($ref->{'gid'});
+ $context{name} = $util->html_encode($ref->{'name'});
my @members = $store->list_all_members($gid);
my @users = $store->list_all_non_members($gid);
@@ -85,7 +85,7 @@ sub process()
my $i = 0;
foreach my $member (@members) {
$r[$i] = new PKI::RA::GlobalVar(
- getUID => sub { return $member->{'uid'} },
+ getUID => sub { return $util->html_encode($member->{'uid'}) },
);
$i++;
}
@@ -96,7 +96,7 @@ sub process()
$i = 0;
foreach my $user (@users) {
$u[$i] = new PKI::RA::GlobalVar(
- getUID => sub { return $user->{'uid'} },
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
);
$i++;
}
diff --git a/pki/base/ra/forms/admin/user/index.cgi b/pki/base/ra/forms/admin/user/index.cgi
index d8ec414c9..9751ee03f 100755
--- a/pki/base/ra/forms/admin/user/index.cgi
+++ b/pki/base/ra/forms/admin/user/index.cgi
@@ -67,15 +67,15 @@ sub process()
my %context;
$context{uid} = $uid;
- my $status = $util->get_val($q->param('status'));
+ my $status = $util->get_alphanum_val($q->param('status'));
$context{status} = $status;
- my $sp = $util->get_val($q->param('sp'));
+ my $sp = $util->get_alphanum_val($q->param('sp'));
if ($sp eq "") {
$sp = "0";
}
$context{sp} = $sp;
- my $mc = $util->get_val($q->param('mc'));
+ my $mc = $util->get_alphanum_val($q->param('mc'));
if ($mc eq "") {
$mc = "20";
}
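Review bot: `$context{uid} = $uid;` at the top of this hunk is left unencoded, while every other form touched by this commit switches to `$util->html_encode($uid)`. Unless the admin/user/index.vm template escapes the value itself (it is not shown), this page keeps the output path the commit closes elsewhere; the line should become `$context{uid} = $util->html_encode($uid);`. `$context{status}` is also assigned raw and is safe only because `get_alphanum_val` strips markup characters, so a one-line comment saying so would help the next reader.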
@@ -92,9 +92,9 @@ sub process()
my $i = 0;
foreach my $user (@users) {
$r[$i] = new PKI::RA::GlobalVar(
- getUID => sub { return $user->{'uid'} },
- getName => sub { return $user->{'name'} },
- getEmail => sub { return $user->{'email'} },
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
+ getName => sub { return $util->html_encode($user->{'name'}) },
+ getEmail => sub { return $util->html_encode($user->{'email'}) },
);
$i++;
}
diff --git a/pki/base/ra/forms/admin/user/read.cgi b/pki/base/ra/forms/admin/user/read.cgi
index 2fd9f2c29..9e57b7868 100755
--- a/pki/base/ra/forms/admin/user/read.cgi
+++ b/pki/base/ra/forms/admin/user/read.cgi
@@ -74,10 +74,10 @@ sub process()
my $ref = $store->read_user($userid);
$store->close();
- $context{userid} = $ref->{'uid'};
- $context{name} = $ref->{'name'};
- $context{email} = $ref->{'email'};
- $context{certificate} = $util->breakline($ref->{'certificate'},40);
+ $context{userid} = $util->html_encode($ref->{'uid'});
+ $context{name} = $util->html_encode($ref->{'name'});
+ $context{email} = $util=>html_encode($ref->{'email'});
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}),40);
my $result = $parser->execute_file_with_context("admin/user/read.vm",
\%context);
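Review bot: The new email line uses `=>` where `->` was intended: `$util=>html_encode($ref->{'email'})` is a comma expression, so `$context{email}` receives the `$util` object and `html_encode` is called as a plain function in the script's current package. That most likely dies at run time with an undefined-subroutine error (it still compiles because of the parentheses), and in no case is the email encoded. It should read `$context{email} = $util->html_encode($ref->{'email'});`.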
diff --git a/pki/base/ra/forms/agent/cert/index.cgi b/pki/base/ra/forms/agent/cert/index.cgi
index 8c39e445f..46e5b8c2c 100755
--- a/pki/base/ra/forms/agent/cert/index.cgi
+++ b/pki/base/ra/forms/agent/cert/index.cgi
@@ -64,17 +64,17 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my @roles = $self->get_current_roles($cfg);
my $r = join(",",@roles);
- my $sp = $util->get_val($q->param('sp'));
+ my $sp = $util->get_alphanum_val($q->param('sp'));
if ($sp eq "") {
$sp = "0";
}
$context{sp} = $sp;
- my $mc = $util->get_val($q->param('mc'));
+ my $mc = $util->get_alphanum_val($q->param('mc'));
if ($mc eq "") {
$mc = "20";
}
@@ -91,12 +91,12 @@ sub process()
my $i = 0;
foreach my $cert (@certs) {
$r[$i] = new PKI::RA::GlobalVar(
- getReqId => sub { return $cert->{'rid'} },
- getSerialno => sub { return $cert->{'serialno'} },
- getSubjectDN => sub { return $cert->{'subject_dn'} },
- getCertificate => sub { return $cert->{'certificate'} },
- getApprovedBy => sub { return $cert->{'approved_by'} },
- getCreatedAt => sub { return $cert->{'created_at'}; },
+ getReqId => sub { return $util->html_encode($cert->{'rid'}) },
+ getSerialno => sub { return $util->html_encode($cert->{'serialno'}) },
+ getSubjectDN => sub { return $util->html_encode($cert->{'subject_dn'}) },
+ getCertificate => sub { return $util->html_encode($cert->{'certificate'}) },
+ getApprovedBy => sub { return $util->html_encode($cert->{'approved_by'}) },
+ getCreatedAt => sub { return $util->html_encode($cert->{'created_at'}); },
);
$i++;
}
diff --git a/pki/base/ra/forms/agent/cert/read.cgi b/pki/base/ra/forms/agent/cert/read.cgi
index 038b062c5..43a21eca1 100755
--- a/pki/base/ra/forms/agent/cert/read.cgi
+++ b/pki/base/ra/forms/agent/cert/read.cgi
@@ -62,9 +62,9 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $serialno = $util->get_val($q->param('serialno'));
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
my $cs = PKI::Base::CertStore->new();
$cs->open($cfg);
@@ -77,14 +77,14 @@ sub process()
$ca->close();
- $context{certificate} = $util->breakline($ref->{'certificate'}, 40);
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}), 40);
- $context{serialno} = $ref->{'serialno'};
- $context{subject_dn} = $ref->{'subject_dn'};
- $context{created_at} = $ref->{'created_at'};
- $context{approved_by} = $ref->{'approved_by'};
- $context{rid} = $ref->{'rid'};
- $context{certStatus} = $certStatus;
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{subject_dn} = $util->html_encode($ref->{'subject_dn'});
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{approved_by} = $util->html_encode($ref->{'approved_by'});
+ $context{rid} = $util->html_encode($ref->{'rid'});
+ $context{certStatus} = $util->html_encode($certStatus);
my $result = $parser->execute_file_with_context("agent/cert/read.vm",
\%context);
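Review bot: `breakline` now runs on text that is already entity-encoded, so a 40-character boundary can fall inside an entity such as `&amp;` and the page then shows a broken fragment. For well-formed base64 nothing is encoded and the output is unchanged, but the encoding exists for the malformed case. If `breakline` inserts only newlines (its body is not in this diff), encoding last avoids the split: `$context{certificate} = $util->html_encode($util->breakline($ref->{'certificate'}, 40));`. The same nesting is used in admin/user/read.cgi, agent/request/op.cgi, agent/request/read.cgi, ee/request/getcert.cgi and ee/user/renew.cgi.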
diff --git a/pki/base/ra/forms/agent/cert/revoke.cgi b/pki/base/ra/forms/agent/cert/revoke.cgi
index c437d4414..cfe0dc719 100755
--- a/pki/base/ra/forms/agent/cert/revoke.cgi
+++ b/pki/base/ra/forms/agent/cert/revoke.cgi
@@ -61,15 +61,15 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $serialno = $util->get_val($q->param('serialno'));
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
my $subject_dn = $util->get_val($q->param('subject_dn'));
- my $rid = $util->get_val($q->param('rid'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
- $context{serialno} = $serialno;
- $context{subject_dn} = $subject_dn;
- $context{rid} = $rid;
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode($subject_dn);
+ $context{rid} = $util->html_encode($rid);
my $result = $parser->execute_file_with_context("agent/cert/revoke.vm",
\%context);
diff --git a/pki/base/ra/forms/agent/cert/submit.cgi b/pki/base/ra/forms/agent/cert/submit.cgi
index 64ecf02a8..21179c95b 100755
--- a/pki/base/ra/forms/agent/cert/submit.cgi
+++ b/pki/base/ra/forms/agent/cert/submit.cgi
@@ -63,12 +63,12 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $serialno = $util->get_val($q->param('serialno'));
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
my $subject_dn = $util->get_val($q->param('subject_dn'));
- my $reason = $util->get_val($q->param('reason'));
- my $rid = $util->get_val($q->param('rid'));
+ my $reason = $util->get_alphanum_val($q->param('reason'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
my $ca = PKI::Conn::CA->new();
$ca->open($cfg);
@@ -79,12 +79,12 @@ sub process()
$queue->open($cfg);
my $ref = $queue->read_request($rid);
- $context{errorString} = $ref->{'errorString'};
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
$queue->close();
- $context{rid} = $rid;
- $context{serialno} = $serialno;
- $context{subject_dn} = $subject_dn;
+ $context{rid} = $util->html_encode($rid);
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode($subject_dn);
my $result = $parser->execute_file_with_context("agent/cert/submit.vm",
\%context);
diff --git a/pki/base/ra/forms/agent/error.cgi b/pki/base/ra/forms/agent/error.cgi
index 724492c48..fa13365a7 100755
--- a/pki/base/ra/forms/agent/error.cgi
+++ b/pki/base/ra/forms/agent/error.cgi
@@ -62,7 +62,7 @@ sub process()
my %context;
if ($error ne "") {
$context{has_error} = 1;
- $context{'error'} = $error;
+ $context{'error'} = $util->html_encode($error);
}
my $result = $parser->execute_file_with_context("agent/error.vm", \%context);
diff --git a/pki/base/ra/forms/agent/index.cgi b/pki/base/ra/forms/agent/index.cgi
index ae786618a..c8f2040fe 100755
--- a/pki/base/ra/forms/agent/index.cgi
+++ b/pki/base/ra/forms/agent/index.cgi
@@ -31,6 +31,7 @@ use Template::Velocity;
use PKI::Base::Conf;
use PKI::Base::UserStore;
use PKI::Base::Registry;
+use PKI::Base::Util;
use vars qw (@ISA);
use PKI::Service::Op;
@@ -48,6 +49,8 @@ sub process()
my $q = CGI->new();
+ my $util = PKI::Base::Util->new();
+
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
my $cfg = PKI::Base::Registry->get_config();
@@ -61,7 +64,7 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my $result = $parser->execute_file_with_context("agent/index.vm",
\%context);
diff --git a/pki/base/ra/forms/agent/request/add_note.cgi b/pki/base/ra/forms/agent/request/add_note.cgi
index 92469ba51..0ffac91c7 100755
--- a/pki/base/ra/forms/agent/request/add_note.cgi
+++ b/pki/base/ra/forms/agent/request/add_note.cgi
@@ -64,9 +64,9 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $note = $util->get_val($q->param('note'));
if ($note eq "") {
diff --git a/pki/base/ra/forms/agent/request/index.cgi b/pki/base/ra/forms/agent/request/index.cgi
index 4f5a5987e..81b25977a 100755
--- a/pki/base/ra/forms/agent/request/index.cgi
+++ b/pki/base/ra/forms/agent/request/index.cgi
@@ -66,24 +66,24 @@ sub process()
$self->debug_log( $cfg, "in request/index.cgi, uid == $uid");
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my @roles = $self->get_current_roles($cfg);
# my $r = join(",",@roles);
- my $status = $util->get_val($q->param('status'));
+ my $status = $util->get_alphanum_val($q->param('status'));
if ($status eq "") {
$context{status} = "";
} else {
- $context{status} = $status;
+ $context{status} = $util->html_encode($status);
}
- my $sp = $util->get_val($q->param('sp'));
+ my $sp = $util->get_alphanum_val($q->param('sp'));
if ($sp eq "") {
$sp = "0";
}
$context{sp} = $sp;
- my $mc = $util->get_val($q->param('mc'));
+ my $mc = $util->get_alphanum_val($q->param('mc'));
if ($mc eq "") {
$mc = "20";
}
@@ -94,7 +94,7 @@ sub process()
my $queue = PKI::Request::Queue->new();
$queue->open($cfg);
my $total = $queue->count_requests_by_roles(\@roles, $status);
- $context{total} = $total;
+ $context{total} = $util->html_encode($total);
my @reqs = $queue->list_requests_by_roles(\@roles, $status, $sp, $mc);
# my @reqs = $queue->list_requests_by_roles($r, $status, $sp, $mc);
@@ -104,14 +104,14 @@ sub process()
my $i = 0;
foreach my $req (@reqs) {
$r[$i] = new PKI::RA::GlobalVar(
- getId => sub { return $req->{'rowid'} },
- getType => sub { return $req->{'type'} },
- getStatus => sub { return $req->{'status'} },
- getError => sub { return $req->{'errorString'} },
- getAssignedTo => sub { return $req->{'assigned_to'} },
- getData => sub { return $req->{'data'}; },
- getCreatedBy => sub { return $req->{'created_by'}; },
- getCreatedAt => sub { return $req->{'created_at'}; },
+ getId => sub { return $util->html_encode($req->{'rowid'}) },
+ getType => sub { return $util->html_encode($req->{'type'}) },
+ getStatus => sub { return $util->html_encode($req->{'status'}) },
+ getError => sub { return $util->html_encode($req->{'errorString'}) },
+ getAssignedTo => sub { return $util->html_encode($req->{'assigned_to'}) },
+ getData => sub { return $util->html_encode($req->{'data'}); },
+ getCreatedBy => sub { return $util->html_encode($req->{'created_by'}); },
+ getCreatedAt => sub { return $util->html_encode($req->{'created_at'}); },
);
$i++;
}
diff --git a/pki/base/ra/forms/agent/request/op.cgi b/pki/base/ra/forms/agent/request/op.cgi
index a475c0d80..b09ac3952 100755
--- a/pki/base/ra/forms/agent/request/op.cgi
+++ b/pki/base/ra/forms/agent/request/op.cgi
@@ -66,10 +66,10 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
- my $type = $util->get_val($q->param('type'));
- my $id = $util->get_val($q->param('id'));
+ my $type = $util->get_alphanum_val($q->param('type'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $db_st = new Benchmark;
my $queue = PKI::Request::Queue->new();
@@ -109,21 +109,21 @@ sub process()
$queue->close();
my $db_et = new Benchmark;
- $context{data} = $util->breakline($ref->{'data'}, 40);
- $context{output} = $util->breakline($ref->{'output'}, 40);
- $context{serialno} = $ref->{'serialno'};
- $context{type} = $ref->{'type'};
- $context{ip} = $ref->{'ip'};
- $context{note} = $ref->{'note'};
+ $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{type} = $util->html_encode($ref->{'type'});
+ $context{ip} = $util->html_encode($ref->{'ip'});
+ $context{note} = $util->html_encode($ref->{'note'});
$context{note} =~ s/\n/<br\/>/g;
- $context{created_at} = $ref->{'created_at'};
- $context{updated_at} = $ref->{'updated_at'};
- $context{assigned_to} = $ref->{'assigned_to'};
- $context{processed_by} = $ref->{'processed_by'};
- $context{created_by} = $ref->{'created_by'};
- $context{status} = $ref->{'status'};
- $context{errorString} = $ref->{'errorString'};
- $context{id} = $ref->{'rowid'};
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{updated_at} = $util->html_encode($ref->{'updated_at'});
+ $context{assigned_to} = $util->html_encode($ref->{'assigned_to'});
+ $context{processed_by} = $util->html_encode($ref->{'processed_by'});
+ $context{created_by} = $util->html_encode($ref->{'created_by'});
+ $context{status} = $util->html_encode($ref->{'status'});
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $context{id} = $util->html_encode($ref->{'rowid'});
my $t_st = new Benchmark;
my $result = $parser->execute_file_with_context("agent/request/op.vm",
diff --git a/pki/base/ra/forms/agent/request/read.cgi b/pki/base/ra/forms/agent/request/read.cgi
index 29c41925f..ed95d5d98 100755
--- a/pki/base/ra/forms/agent/request/read.cgi
+++ b/pki/base/ra/forms/agent/request/read.cgi
@@ -63,43 +63,43 @@ sub process()
my $uid = $self->get_current_uid($cfg);
my %context;
- $context{uid} = $uid;
+ $context{uid} = $util->html_encode($uid);
my @roles = $self->get_current_roles($cfg);
# my $r = join(",",@roles);
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $queue = PKI::Request::Queue->new();
$queue->open($cfg);
my $ref = $queue->read_request_by_roles(\@roles, $id);
$queue->close();
- $context{data} = $util->breakline($ref->{'data'}, 40);
- $context{output} = $util->breakline($ref->{'output'}, 40);
- $context{meta_info} = $util->breakline($ref->{'meta_info'}, 40);
-
- $context{serialno} = $ref->{'serialno'};
- $context{subject_dn} = $ref->{'subject_dn'};
- $context{type} = $ref->{'type'};
- $context{created_at} = $ref->{'created_at'};
- $context{created_by} = $ref->{'created_by'};
- $context{updated_at} = $ref->{'updated_at'};
- $context{ip} = $ref->{'ip'};
- $context{processed_by} = $ref->{'processed_by'};
- $context{note} = $ref->{'note'};
+ $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{meta_info} = $util->breakline($util->html_encode($ref->{'meta_info'}), 40);
+
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{subject_dn} = $util->html_encode($ref->{'subject_dn'});
+ $context{type} = $util->html_encode($ref->{'type'});
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{created_by} = $util->html_encode($ref->{'created_by'});
+ $context{updated_at} = $util->html_encode($ref->{'updated_at'});
+ $context{ip} = $util->html_encode($ref->{'ip'});
+ $context{processed_by} = $util->html_encode($ref->{'processed_by'});
+ $context{note} = $util->html_encode($ref->{'note'});
$context{note} =~ s/\n/<br\/>/g;
- $context{assigned_to} = $ref->{'assigned_to'};
- $context{status} = $ref->{'status'};
+ $context{assigned_to} = $util->html_encode($ref->{'assigned_to'});
+ $context{status} = $util->html_encode($ref->{'status'});
if ($ref->{'status'} eq "OPEN") {
$context{is_open} = 1;
}
if ($ref->{'status'} eq "ERROR") {
$context{is_error} = 1;
}
- $context{errorString} = $ref->{'errorString'};
- $context{id} = $ref->{'rowid'};
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $context{id} = $util->html_encode($ref->{'rowid'});
my $result = $parser->execute_file_with_context("agent/request/read.vm",
\%context);
diff --git a/pki/base/ra/forms/ee/agent/enroll.cgi b/pki/base/ra/forms/ee/agent/enroll.cgi
index 9ca3dafef..4f1af8f16 100755
--- a/pki/base/ra/forms/ee/agent/enroll.cgi
+++ b/pki/base/ra/forms/ee/agent/enroll.cgi
@@ -60,7 +60,7 @@ sub process()
$self->debug_params($cfg, $q);
my $uid = $util->get_val($q->param('uid'));
- my $pin = $util->get_val($q->param('pin'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
my $csr = $util->get_val($q->param('csr'));
$csr = $util->normalize_csr($csr);
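Review bot: Running the enrollment `pin` through `get_alphanum_val` silently deletes every character outside `[A-Za-z0-9 ]` before the value is used, so two different submitted PINs can collapse to the same string and a PIN containing punctuation can never match. For a secret, rejecting is safer than rewriting: keep `get_val`, test the raw value against `/\A[A-Za-z0-9 ]+\z/`, and take the script's existing error path when it does not match. ee/scep/enroll.cgi makes the same change to its `pin`. Whether issued PINs can contain other characters depends on the generator, which is not part of this diff.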
@@ -106,8 +106,8 @@ sub process()
my %context;
$context{cert} = $encoded;
- $context{rid} = $rid;
- $context{subject_dn} = $req->{'subject_dn'};
+ $context{rid} = $util->html_encode($rid);
+ $context{subject_dn} = $util->html_encode($req->{'subject_dn'});
$queue->close();
my $result = $parser->execute_file_with_context("ee/agent/enroll.vm",
diff --git a/pki/base/ra/forms/ee/agent/submit.cgi b/pki/base/ra/forms/ee/agent/submit.cgi
index faf13d4d4..a68242114 100755
--- a/pki/base/ra/forms/ee/agent/submit.cgi
+++ b/pki/base/ra/forms/ee/agent/submit.cgi
@@ -67,7 +67,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
diff --git a/pki/base/ra/forms/ee/error.cgi b/pki/base/ra/forms/ee/error.cgi
index 05e1b0ca8..1417d4b61 100755
--- a/pki/base/ra/forms/ee/error.cgi
+++ b/pki/base/ra/forms/ee/error.cgi
@@ -62,7 +62,7 @@ sub process()
my $error = $util->get_val($q->param('error'));
if ($error ne "") {
$context{has_error} = 1;
- $context{'error'} = $error;
+ $context{'error'} = $util->html_encode($error);
}
my $result = $parser->execute_file_with_context("ee/error.vm", \%context);
diff --git a/pki/base/ra/forms/ee/request/getcert.cgi b/pki/base/ra/forms/ee/request/getcert.cgi
index 264899ab0..411d66a9f 100755
--- a/pki/base/ra/forms/ee/request/getcert.cgi
+++ b/pki/base/ra/forms/ee/request/getcert.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
@@ -67,13 +67,13 @@ sub process()
$queue->close();
my %context;
- $context{id} = $req->{'rowid'};
- $context{serialno} = $req->{'serialno'};
- $context{subject_dn} = $req->{'subject_dn'};
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{subject_dn} = $util->html_encode($req->{'subject_dn'});
if ($req->{'serialno'} eq "unavailable") {
$context{output} = "";
} else {
- $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($req->{'output'}, 40)."\n-----END CERTIFICATE-----";
+ $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($util->html_encode($req->{'output'}), 40)."\n-----END CERTIFICATE-----";
}
my $result = $parser->execute_file_with_context("ee/request/getcert.vm",
\%context);
diff --git a/pki/base/ra/forms/ee/request/importcert.cgi b/pki/base/ra/forms/ee/request/importcert.cgi
index 20ef4040e..fdc309746 100755
--- a/pki/base/ra/forms/ee/request/importcert.cgi
+++ b/pki/base/ra/forms/ee/request/importcert.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
diff --git a/pki/base/ra/forms/ee/request/status.cgi b/pki/base/ra/forms/ee/request/status.cgi
index 9cbf8c483..6a3154716 100755
--- a/pki/base/ra/forms/ee/request/status.cgi
+++ b/pki/base/ra/forms/ee/request/status.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
@@ -71,11 +71,11 @@ sub process()
}
my %context;
- $context{id} = $req->{'rowid'};
- $context{type} = $req->{'type'};
- $context{status} = $req->{'status'};
- $context{serialno} = $req->{'serialno'};
- $context{errorString} = $req->{'errorString'};
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{type} =$util->html_encode($req->{'type'});
+ $context{status} = $util->html_encode($req->{'status'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{errorString} = $util->html_encode($req->{'errorString'});
my $result = $parser->execute_file_with_context("ee/request/status.vm",
\%context);
diff --git a/pki/base/ra/forms/ee/scep/enroll.cgi b/pki/base/ra/forms/ee/scep/enroll.cgi
index c48c7026a..53291636a 100755
--- a/pki/base/ra/forms/ee/scep/enroll.cgi
+++ b/pki/base/ra/forms/ee/scep/enroll.cgi
@@ -64,7 +64,7 @@ sub process()
my $client_id = $util->get_val($q->param('client_id'));
my $site_id = $util->get_val($q->param('site_id'));
- my $pin = $util->get_val($q->param('pin'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
my $csr = $util->get_val($q->param('csr'));
my $key = $client_id . "/" . $site_id;
diff --git a/pki/base/ra/forms/ee/scep/pkiclient.cgi b/pki/base/ra/forms/ee/scep/pkiclient.cgi
index 70cfcfbc3..a54558f37 100755
--- a/pki/base/ra/forms/ee/scep/pkiclient.cgi
+++ b/pki/base/ra/forms/ee/scep/pkiclient.cgi
@@ -62,7 +62,7 @@ sub process()
$self->debug_params($cfg, $q);
- my $operation = $util->get_val($q->param('operation'));
+ my $operation = $util->get_alphanum_val($q->param('operation'));
my $message = $util->get_val($q->param('message'));
$message = uri_escape($message);
diff --git a/pki/base/ra/forms/ee/scep/submit.cgi b/pki/base/ra/forms/ee/scep/submit.cgi
index 61e36f278..b3dfd7a5d 100755
--- a/pki/base/ra/forms/ee/scep/submit.cgi
+++ b/pki/base/ra/forms/ee/scep/submit.cgi
@@ -70,7 +70,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
diff --git a/pki/base/ra/forms/ee/server/submit.cgi b/pki/base/ra/forms/ee/server/submit.cgi
index 258eb462b..4916033ee 100755
--- a/pki/base/ra/forms/ee/server/submit.cgi
+++ b/pki/base/ra/forms/ee/server/submit.cgi
@@ -72,7 +72,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
diff --git a/pki/base/ra/forms/ee/user/renew.cgi b/pki/base/ra/forms/ee/user/renew.cgi
index 682904854..63d646ec9 100755
--- a/pki/base/ra/forms/ee/user/renew.cgi
+++ b/pki/base/ra/forms/ee/user/renew.cgi
@@ -136,16 +136,16 @@ sub process()
}
my %context;
- $context{request_id} = $new_request;
+ $context{request_id} = $util->html_encode($new_request);
$self->debug_log($cfg, "request $new_request created");
$queue->close();
$self->debug_log( $cfg, "after renewl read/create request $new_request");
- $context{data} = $util->breakline($ref->{'data'}, 40);
- $context{output} = $util->breakline($ref->{'output'}, 40);
- $context{serialno} = $ref->{'serialno'};
- $context{host} = $host;
- $context{port} = $port;
+ $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{host} = $util->html_encode($host);
+ $context{port} = $util->html_encode($port);
#print $q->redirect("/ee/request/getcert.cgi?id=$new_request");
my $result = $parser->execute_file_with_context("ee/user/renew.vm",
diff --git a/pki/base/ra/forms/ee/user/submit.cgi b/pki/base/ra/forms/ee/user/submit.cgi
index 09f8f45a0..26c900e00 100755
--- a/pki/base/ra/forms/ee/user/submit.cgi
+++ b/pki/base/ra/forms/ee/user/submit.cgi
@@ -58,7 +58,7 @@ sub process()
my $fullname = $util->get_val($q->param('cn'));
my $site_id = $util->get_val($q->param('site_id'));
my $email = $util->get_val($q->param('email'));
- my $csr_type = $util->get_val($q->param('csr_type'));
+ my $csr_type = $util->get_alphanum_val($q->param('csr_type'));
my $csr = $util->get_val($q->param('csr'));
$csr = $util->normalize_csr($csr);
@@ -81,7 +81,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
my $db_et = new Benchmark;
diff --git a/pki/base/ra/lib/perl/PKI/Base/Util.pm b/pki/base/ra/lib/perl/PKI/Base/Util.pm
index 2cf6abfaa..c4b0cb1e9 100755
--- a/pki/base/ra/lib/perl/PKI/Base/Util.pm
+++ b/pki/base/ra/lib/perl/PKI/Base/Util.pm
@@ -26,6 +26,7 @@ package PKI::Base::Util;
use Time::Local;
use DBI;
+use HTML::Entities;
#######################################
# Constructs a util
@@ -54,6 +55,13 @@ sub get_string_val()
return $s;
}
+sub get_alphanum_val()
+{
+ my ($self, $s) = @_;
+ $s =~ s/[^A-Za-z0-9 ]*//g;
+ return $s;
+}
+
sub normalize_csr()
{
my ($self, $s) = @_;
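Review bot: `get_alphanum_val` has no comment, and its name hides two things a caller needs to know: spaces are kept, and disallowed characters are removed rather than the value being rejected. I would add a header comment such as `# Returns $s with every character outside [A-Za-z0-9 ] removed; does not reject.` Two small cleanups: the `*` in `s/[^A-Za-z0-9 ]*//g` also matches the empty string at every position, so `+` (or `tr/A-Za-z0-9 //cd`) says what is meant. An absent CGI parameter arrives as undef, which the substitution warns about if warnings are enabled; `$s = "" unless defined $s;` as the first statement avoids that.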
@@ -120,4 +128,11 @@ sub test()
print $o->to_str($o->to_hash("5=1;c=2")) . "\n";
}
+sub html_encode()
+{
+ my ($self, $s) = @_;
+ return HTML::Entities::encode($s);
+}
+
+
1;
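Review bot: `HTML::Entities::encode` appears to be an undocumented alias; the name documented by HTML::Entities is `encode_entities`, so `return HTML::Entities::encode_entities($s);` is easier to look up and less likely to break. A short header comment should state the contract: with no second argument the default set is encoded (control and high-bit characters plus `<`, `&`, `>`, `"` and `'`), which fits HTML text and quoted attribute values. Values that a template places into a URL or inline script need a different encoder; the .vm templates are not part of this diff, so that is worth checking.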
diff --git a/pki/base/ra/lib/perl/PKI/Conn/CA.pm b/pki/base/ra/lib/perl/PKI/Conn/CA.pm
index b8cd7813b..01de23222 100644
--- a/pki/base/ra/lib/perl/PKI/Conn/CA.pm
+++ b/pki/base/ra/lib/perl/PKI/Conn/CA.pm
@@ -77,9 +77,11 @@ sub enroll {
my $tmpfile = "/tmp/tmp-$rid-$$";
my $params = "profileId=" . $profile_id . "&" .
- "requestor_name=" . $requestor_name . "&" .
+ "requestor_name=" .
+ URI::Escape::uri_escape("$requestor_name") . "&" .
"cert_request_type=" . $cert_request_type . "&" .
- "subject=" . $subject . "&" .
+ "subject=" .
+ URI::Escape::uri_escape("$subject") . "&" .
"cert_request=" .
URI::Escape::uri_escape("$cert_request") . "&" .
"xmlOutput=true";
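Review bot: `$profile_id` and `$cert_request_type` are still concatenated into `$params` unescaped, so a `&` or `=` in either value would add or override fields in the request sent to the CA, which is the problem this hunk fixes for `requestor_name` and `subject`. Escaping them the same way keeps the body well-formed regardless of the caller: `"profileId=" . URI::Escape::uri_escape("$profile_id") . "&" .` and likewise for `cert_request_type`. Separately, the context line `my $tmpfile = "/tmp/tmp-$rid-$$";` builds a predictable name in a shared directory; File::Temp would be the usual replacement, though how the file is used lies outside this hunk, as does the rest of `enroll`.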