authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-06-10 18:46:53 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-06-10 18:46:53 +0000
commite16a87cf4d9bc9b9953638dbf3e68fc496b4a809 (patch)
tree51bd7dd58c95416fcde7526bbe33c882a8d46630 /pki/base/ra/forms/ee
parent9b418853f5c6a7d5f10388f4b69c409f2976ad5e (diff)
downloadpki-e16a87cf4d9bc9b9953638dbf3e68fc496b4a809.tar.gz
pki-e16a87cf4d9bc9b9953638dbf3e68fc496b4a809.tar.xz
pki-e16a87cf4d9bc9b9953638dbf3e68fc496b4a809.zip
Bugzilla Bug #471916 - RA: input validation
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@579 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ra/forms/ee')
-rwxr-xr-xpki/base/ra/forms/ee/agent/enroll.cgi6
-rwxr-xr-xpki/base/ra/forms/ee/agent/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/error.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/request/getcert.cgi10
-rwxr-xr-xpki/base/ra/forms/ee/request/importcert.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/request/status.cgi12
-rwxr-xr-xpki/base/ra/forms/ee/scep/enroll.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/scep/pkiclient.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/scep/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/server/submit.cgi2
-rwxr-xr-xpki/base/ra/forms/ee/user/renew.cgi12
-rwxr-xr-xpki/base/ra/forms/ee/user/submit.cgi4
12 files changed, 29 insertions, 29 deletions
diff --git a/pki/base/ra/forms/ee/agent/enroll.cgi b/pki/base/ra/forms/ee/agent/enroll.cgi
index 9ca3dafef..4f1af8f16 100755
--- a/pki/base/ra/forms/ee/agent/enroll.cgi
+++ b/pki/base/ra/forms/ee/agent/enroll.cgi
@@ -60,7 +60,7 @@ sub process()
$self->debug_params($cfg, $q);
my $uid = $util->get_val($q->param('uid'));
- my $pin = $util->get_val($q->param('pin'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
my $csr = $util->get_val($q->param('csr'));
$csr = $util->normalize_csr($csr);
@@ -106,8 +106,8 @@ sub process()
my %context;
$context{cert} = $encoded;
- $context{rid} = $rid;
- $context{subject_dn} = $req->{'subject_dn'};
+ $context{rid} = $util->html_encode($rid);
+ $context{subject_dn} = $util->html_encode($req->{'subject_dn'});
$queue->close();
my $result = $parser->execute_file_with_context("ee/agent/enroll.vm",
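Review bot: Whether `get_alphanum_val` rejects a non-alphanumeric `pin` or silently strips the offending characters is not visible from this hunk, and the two behaviours differ: stripping turns a malformed value into a different, valid-looking one that the rest of `process` then trusts. If it strips, a one-line guard after the assignment that fails the request when the filtered value differs from the raw one would make the validation fail closed; if it already rejects, a comment on the call saying so would spare the next reader the question. The same question applies to the other `get_alphanum_val` call sites in this commit (scep/enroll.cgi `pin`, scep/pkiclient.cgi `operation`, request/getcert.cgi, importcert.cgi and status.cgi `id`, user/submit.cgi `csr_type`). Separately, in the second hunk `$context{cert} = $encoded;` is the one context value left unencoded next to the newly encoded `rid` and `subject_dn`; base64 carries no HTML metacharacters, so a comment such as `# cert is base64 (no HTML metacharacters); rid/subject_dn are encoded below` would record why it is exempt. `process` continues outside both hunks.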
diff --git a/pki/base/ra/forms/ee/agent/submit.cgi b/pki/base/ra/forms/ee/agent/submit.cgi
index faf13d4d4..a68242114 100755
--- a/pki/base/ra/forms/ee/agent/submit.cgi
+++ b/pki/base/ra/forms/ee/agent/submit.cgi
@@ -67,7 +67,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
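Review bot: `$context{request_id} = $util->html_encode($request_id);` encodes for an HTML-body sink, but whether `ee/agent/submit.vm` places `request_id` in element text, in an attribute, or in a link such as the `getcert.cgi?id=...` URL that user/renew.cgi's commented-out redirect hints at is not visible here, and an HTML-encoded value dropped into a URL needs URL encoding instead. Worth confirming the template's use and, if it is a link, applying `uri_escape` for that slot; the value appears to be produced by the queue create call just above, so this is belt-and-braces rather than a live hole. The same assignment is made in scep/submit.cgi, server/submit.cgi, user/submit.cgi and user/renew.cgi. `process` continues outside the hunk.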
diff --git a/pki/base/ra/forms/ee/error.cgi b/pki/base/ra/forms/ee/error.cgi
index 05e1b0ca8..1417d4b61 100755
--- a/pki/base/ra/forms/ee/error.cgi
+++ b/pki/base/ra/forms/ee/error.cgi
@@ -62,7 +62,7 @@ sub process()
my $error = $util->get_val($q->param('error'));
if ($error ne "") {
$context{has_error} = 1;
- $context{'error'} = $error;
+ $context{'error'} = $util->html_encode($error);
}
my $result = $parser->execute_file_with_context("ee/error.vm", \%context);
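Review bot: `$error` is read straight from the `error` query parameter and reflected into the page, so it is the one value in this commit that is unambiguously request-controlled; `html_encode` covers an HTML-body placement, but if `ee/error.vm` puts it inside an attribute or a script block the encoding has to match that context. A comment at the assignment, `# error comes from the query string; encoded for HTML body text only`, would make the sink contract explicit for whoever edits the template. Also worth checking that the raw `$error` is not interpolated anywhere else in `process`, which continues outside the hunk.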
diff --git a/pki/base/ra/forms/ee/request/getcert.cgi b/pki/base/ra/forms/ee/request/getcert.cgi
index 264899ab0..411d66a9f 100755
--- a/pki/base/ra/forms/ee/request/getcert.cgi
+++ b/pki/base/ra/forms/ee/request/getcert.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
@@ -67,13 +67,13 @@ sub process()
$queue->close();
my %context;
- $context{id} = $req->{'rowid'};
- $context{serialno} = $req->{'serialno'};
- $context{subject_dn} = $req->{'subject_dn'};
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{subject_dn} = $util->html_encode($req->{'subject_dn'});
if ($req->{'serialno'} eq "unavailable") {
$context{output} = "";
} else {
- $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($req->{'output'}, 40)."\n-----END CERTIFICATE-----";
+ $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($util->html_encode($req->{'output'}), 40)."\n-----END CERTIFICATE-----";
}
my $result = $parser->execute_file_with_context("ee/request/getcert.vm",
\%context);
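Review bot: In `$util->breakline($util->html_encode($req->{'output'}), 40)` the encoding runs before the line breaking, so `breakline` counts entity characters toward its 40-column limit and could split an entity across a newline if the output ever contained `&`, `<` or `>`. For base64 certificate data that cannot happen, but the order is fragile; applying `html_encode` to the result of `breakline` would be robust provided `html_encode` leaves newlines alone, which this hunk does not show. The same ordering appears in user/renew.cgi for `data` and `output`. `process` continues outside the hunk.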
diff --git a/pki/base/ra/forms/ee/request/importcert.cgi b/pki/base/ra/forms/ee/request/importcert.cgi
index 20ef4040e..fdc309746 100755
--- a/pki/base/ra/forms/ee/request/importcert.cgi
+++ b/pki/base/ra/forms/ee/request/importcert.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
diff --git a/pki/base/ra/forms/ee/request/status.cgi b/pki/base/ra/forms/ee/request/status.cgi
index 9cbf8c483..6a3154716 100755
--- a/pki/base/ra/forms/ee/request/status.cgi
+++ b/pki/base/ra/forms/ee/request/status.cgi
@@ -53,7 +53,7 @@ sub process()
my $util = PKI::Base::Util->new();
- my $id = $util->get_val($q->param('id'));
+ my $id = $util->get_alphanum_val($q->param('id'));
my $docroot = PKI::Base::Registry->get_docroot();
my $parser = PKI::Base::Registry->get_parser();
@@ -71,11 +71,11 @@ sub process()
}
my %context;
- $context{id} = $req->{'rowid'};
- $context{type} = $req->{'type'};
- $context{status} = $req->{'status'};
- $context{serialno} = $req->{'serialno'};
- $context{errorString} = $req->{'errorString'};
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{type} =$util->html_encode($req->{'type'});
+ $context{status} = $util->html_encode($req->{'status'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{errorString} = $util->html_encode($req->{'errorString'});
my $result = $parser->execute_file_with_context("ee/request/status.vm",
\%context);
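Review bot: `$context{type} =$util->html_encode($req->{'type'});` is missing the space after `=` that the four neighbouring assignments have; `$context{type} = $util->html_encode($req->{'type'});` keeps the block aligned. `process` continues outside the hunk.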
diff --git a/pki/base/ra/forms/ee/scep/enroll.cgi b/pki/base/ra/forms/ee/scep/enroll.cgi
index c48c7026a..53291636a 100755
--- a/pki/base/ra/forms/ee/scep/enroll.cgi
+++ b/pki/base/ra/forms/ee/scep/enroll.cgi
@@ -64,7 +64,7 @@ sub process()
my $client_id = $util->get_val($q->param('client_id'));
my $site_id = $util->get_val($q->param('site_id'));
- my $pin = $util->get_val($q->param('pin'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
my $csr = $util->get_val($q->param('csr'));
my $key = $client_id . "/" . $site_id;
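Review bot: `$pin` is now restricted to alphanumerics, but `$client_id` and `$site_id` are still taken with `get_val` and immediately joined into `$key = $client_id . "/" . $site_id`. If that key is later used as a file path or a lookup key (not visible here), a separator character inside either value changes which entry the key names, so the same `get_alphanum_val` treatment, or an explicit character-class check, looks warranted for both before the concatenation. `process` continues outside the hunk.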
diff --git a/pki/base/ra/forms/ee/scep/pkiclient.cgi b/pki/base/ra/forms/ee/scep/pkiclient.cgi
index 70cfcfbc3..a54558f37 100755
--- a/pki/base/ra/forms/ee/scep/pkiclient.cgi
+++ b/pki/base/ra/forms/ee/scep/pkiclient.cgi
@@ -62,7 +62,7 @@ sub process()
$self->debug_params($cfg, $q);
- my $operation = $util->get_val($q->param('operation'));
+ my $operation = $util->get_alphanum_val($q->param('operation'));
my $message = $util->get_val($q->param('message'));
$message = uri_escape($message);
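Review bot: Restricting `$operation` to alphanumerics is a weaker check than the code can make, since SCEP defines a fixed set of operation names; comparing `$operation` against that allow-list right after the `get_alphanum_val` line, and failing the request otherwise, would reject unexpected values before anything dispatches on it. Whether the dispatch already falls through to an error for an unknown operation is not visible here. `process` continues outside the hunk.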
diff --git a/pki/base/ra/forms/ee/scep/submit.cgi b/pki/base/ra/forms/ee/scep/submit.cgi
index 61e36f278..b3dfd7a5d 100755
--- a/pki/base/ra/forms/ee/scep/submit.cgi
+++ b/pki/base/ra/forms/ee/scep/submit.cgi
@@ -70,7 +70,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
diff --git a/pki/base/ra/forms/ee/server/submit.cgi b/pki/base/ra/forms/ee/server/submit.cgi
index 258eb462b..4916033ee 100755
--- a/pki/base/ra/forms/ee/server/submit.cgi
+++ b/pki/base/ra/forms/ee/server/submit.cgi
@@ -72,7 +72,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
diff --git a/pki/base/ra/forms/ee/user/renew.cgi b/pki/base/ra/forms/ee/user/renew.cgi
index 682904854..63d646ec9 100755
--- a/pki/base/ra/forms/ee/user/renew.cgi
+++ b/pki/base/ra/forms/ee/user/renew.cgi
@@ -136,16 +136,16 @@ sub process()
}
my %context;
- $context{request_id} = $new_request;
+ $context{request_id} = $util->html_encode($new_request);
$self->debug_log($cfg, "request $new_request created");
$queue->close();
$self->debug_log( $cfg, "after renewl read/create request $new_request");
- $context{data} = $util->breakline($ref->{'data'}, 40);
- $context{output} = $util->breakline($ref->{'output'}, 40);
- $context{serialno} = $ref->{'serialno'};
- $context{host} = $host;
- $context{port} = $port;
+ $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{host} = $util->html_encode($host);
+ $context{port} = $util->html_encode($port);
#print $q->redirect("/ee/request/getcert.cgi?id=$new_request");
my $result = $parser->execute_file_with_context("ee/user/renew.vm",
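Review bot: `$context{host}` and `$context{port}` are now HTML-encoded, but where `$host` and `$port` originate is outside the hunk; if they come from the request rather than configuration, encoding alone does not constrain them, and a value that ends up in a link or redirect should be validated as a hostname and a numeric port before use. A comment at the assignment, `# host/port come from <config or request> -- TODO confirm source`, would settle which case applies. `process` continues outside the hunk.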
diff --git a/pki/base/ra/forms/ee/user/submit.cgi b/pki/base/ra/forms/ee/user/submit.cgi
index 09f8f45a0..26c900e00 100755
--- a/pki/base/ra/forms/ee/user/submit.cgi
+++ b/pki/base/ra/forms/ee/user/submit.cgi
@@ -58,7 +58,7 @@ sub process()
my $fullname = $util->get_val($q->param('cn'));
my $site_id = $util->get_val($q->param('site_id'));
my $email = $util->get_val($q->param('email'));
- my $csr_type = $util->get_val($q->param('csr_type'));
+ my $csr_type = $util->get_alphanum_val($q->param('csr_type'));
my $csr = $util->get_val($q->param('csr'));
$csr = $util->normalize_csr($csr);
@@ -81,7 +81,7 @@ sub process()
"0",
$email);
my %context;
- $context{request_id} = $request_id;
+ $context{request_id} = $util->html_encode($request_id);
$self->debug_log($cfg, "request $request_id created");
$queue->close();
my $db_et = new Benchmark;