Merge pull request #99 from ericvaandering/cern_1904_hotfix

Fix possible XSS
ericvaandering · Dec 29, 2020 · 1c2c482 · 1c2c482
2 parents c7400c5 + 76f8de1
commit 1c2c482
Show file tree

Hide file tree

Showing 9 changed files with 68 additions and 56 deletions.
diff --git a/DocDB/cgi/DisplayMeeting b/DocDB/cgi/DisplayMeeting
@@ -85,7 +85,7 @@ if (!$dbh) {
 }
 
 my @Scripts = ("PopUps");
-push @Scripts,"jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
+push @Scripts,"jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
 @JQueryElements = ("tablesorter");
 push @Scripts,"JQueryReady";
 

diff --git a/DocDB/cgi/DocDBVersion.pm b/DocDB/cgi/DocDBVersion.pm
@@ -21,6 +21,6 @@
 #    along with DocDB; if not, write to the Free Software
 #    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
-$DocDBVersion = "8.8.9p2";
+$DocDBVersion = "8.8.10b1";
 
 1;
diff --git a/DocDB/cgi/DocumentDatabase b/DocDB/cgi/DocumentDatabase
@@ -56,7 +56,7 @@ if ($UserValidation eq "certificate") {
 }
 
 my @Scripts = ("PopUps");
-push @Scripts,"jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
+push @Scripts,"jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
 @JQueryElements = ("tablesorter");
 push @Scripts,"JQueryReady";
 

diff --git a/DocDB/cgi/ListBy b/DocDB/cgi/ListBy
@@ -40,7 +40,7 @@ require "UntaintInput.pm";
 require "DocumentUtilities.pm";
 
 my @Scripts = ("PopUps");
-push @Scripts,"jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
+push @Scripts,"jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
 @JQueryElements = ("tablesorter");
 push @Scripts,"JQueryReady";
 

diff --git a/DocDB/cgi/Search b/DocDB/cgi/Search
@@ -27,13 +27,15 @@
 
 use Benchmark;
 use CGI;
+use CGI::Untaint;
 use DBI;
 
 $StartTime = new Benchmark;
 
 require "DocDBGlobals.pm";
 require "HTMLUtilities.pm";
 require "Search.pm";
+require "UntaintInput.pm";
 
 $query = new CGI;  # Global for subroutines
 $query -> autoEscape(0);
@@ -42,12 +44,14 @@ $dbh   = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 
 # Need these unsanitized to perform searches. Never printed anyhow.
 my %CGIParams = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
 
 ### Pull info out of params into local variables
 
-my $OutFormat = $CGIParams{outformat} || "HTML";
+my $OutFormat = $Untaint -> extract(-as_printable => "outformat") || "HTML";
    $OutFormat =~ tr/[a-z]/[A-Z]/;
 
+$query -> delete_all();
 LocalSearch( {-cgiparams => \%CGIParams} );
 
 ### Print footers

diff --git a/DocDB/cgi/Search.pm b/DocDB/cgi/Search.pm
@@ -35,6 +35,9 @@ sub LocalSearch ($) {
   my %params    = exists $ArgRef->{-cgiparams} ? %{$ArgRef->{-cgiparams}} : ();
   my $NoXMLHead = exists $ArgRef->{-noxmlhead} ?   $ArgRef->{-noxmlhead}  : $FALSE;
 
+  use CGI::Untaint;
+  require "UntaintInput.pm";
+
   require "FSUtilities.pm";
   require "WebUtilities.pm";
   require "Utilities.pm";
@@ -58,58 +61,61 @@ sub LocalSearch ($) {
 
   ### Pull info out of params into local variables
 
-  my $OutFormat = $params{outformat} || "HTML";
-
-  $InnerLogic  = $params{innerlogic} || "OR";
-  $OuterLogic  = $params{outerlogic} || "AND";
-
-  $TitleSearch            = $params{titlesearch};
-  $TitleSearchMode        = $params{titlesearchmode};
-  $AbstractSearch         = $params{abstractsearch};
-  $AbstractSearchMode     = $params{abstractsearchmode};
-  $KeywordSearch          = $params{keywordsearch};
-  $KeywordSearchMode      = $params{keywordsearchmode};
-  $RevisionNoteSearch     = $params{revisionnotesearch};
-  $RevisionNoteSearchMode = $params{revisionnotesearchmode};
-  $PubInfoSearch          = $params{pubinfosearch};
-  $PubInfoSearchMode      = $params{pubinfosearchmode};
-  $FileSearch             = $params{filesearch};
-  $FileSearchMode         = $params{filesearchmode};
-  $FileDescSearch         = $params{filedescsearch};
-  $FileDescSearchMode     = $params{filedescsearchmode};
-  $FileContSearch         = $params{filecontsearch};
-  $FileContSearchMode     = $params{filecontsearchmode};
-
-  my $AuthorManual        = $params{authormanual};
-     @RequesterSearchIDs  = split /\0/,$params{requestersearch};
-     @AuthorSearchIDs     = split /\0/,$params{authors};
-     @TypeSearchIDs       = split /\0/,$params{doctypemulti};
-
-  my @TopicSearchIDs      = split /\0/,$params{topics};
-  my $IncludeSubTopics    = $params{includesubtopics};
+  my $Untaint = CGI::Untaint -> new(%params);
+
+  my $OutFormat = $Untaint -> extract(-as_printable => "outformat") || "HTML";
+
+  $InnerLogic = $Untaint -> extract(-as_printable => "innerlogic") || "OR";
+  $OuterLogic = $Untaint -> extract(-as_printable => "outerlogic") || "AND";
+
+  $TitleSearch = $Untaint -> extract(-as_printable => "titlesearch");
+  $TitleSearchMode = $Untaint -> extract(-as_printable => "titlesearchmode");
+  $AbstractSearch = $Untaint -> extract(-as_printable => "abstractsearch");
+  $AbstractSearchMode = $Untaint -> extract(-as_printable => "abstractsearchmode");
+  $KeywordSearch = $Untaint -> extract(-as_printable => "keywordsearch");
+  $KeywordSearchMode = $Untaint -> extract(-as_printable => "keywordsearchmode");
+  $RevisionNoteSearch = $Untaint -> extract(-as_printable => "revisionnotesearch");
+  $RevisionNoteSearchMode = $Untaint -> extract(-as_printable => "revisionnotesearchmode");
+  $PubInfoSearch = $Untaint -> extract(-as_printable => "pubinfosearch");
+  $PubInfoSearchMode = $Untaint -> extract(-as_printable => "pubinfosearchmode");
+  $FileSearch = $Untaint -> extract(-as_printable => "filesearch");
+  $FileSearchMode = $Untaint -> extract(-as_printable => "filesearchmode");
+  $FileDescSearch = $Untaint -> extract(-as_printable => "filedescsearch");
+  $FileDescSearchMode = $Untaint -> extract(-as_printable => "filedescsearchmode");
+  $FileContSearch = $Untaint -> extract(-as_printable => "filecontsearch");
+  $FileContSearchMode = $Untaint -> extract(-as_printable => "filecontsearchmode");
+
+  my $AuthorManual = $Untaint -> extract(-as_printable => "authormanual");
+
+  @RequesterSearchIDs = @{ $Untaint -> extract(-as_listofint => "requestersearch") || undef };
+  @AuthorSearchIDs = @{ $Untaint -> extract(-as_listofint => "authors") || undef };
+  @TypeSearchIDs = @{ $Untaint -> extract(-as_listofint => "doctypemulti") || undef };
+
+  my @TopicSearchIDs = @{ $Untaint -> extract(-as_listofint => "topics") || undef };
+  my $IncludeSubTopics = $Untaint -> extract(-as_printable => "includesubtopics");
   if ($IncludeSubTopics) {
     $IncludeSubTopics = $TRUE;
   }
 
   push @DebugStack,"Searching for topics ".join ', ',@TopicSearchIDs;
-  my @EventSearchIDs      = split /\0/,$params{events};
-  my @EventGroupSearchIDs = split /\0/,$params{eventgroups};
+  my @EventSearchIDs = @{ $Untaint -> extract(-as_listofint => "events") || undef };
+  my @EventGroupSearchIDs = @{ $Untaint -> extract(-as_listofint => "eventgroups") || undef };
 
   ### Parameters for simple search
 
-  my $Simple     = $params{simple};
-  my $SimpleText = $params{simpletext};
+  my $Simple = $Untaint -> extract(-as_integer => "simple");
+  my $SimpleText = $Untaint -> extract(-as_printable => "simpletext");
 
   ### Purify input (remove punctuation)
 
-#  $SimpleText         =~ s/[^\s\w+-\.]//go;
-#  $TitleSearch        =~ s/[^\s\w+-\.]//go;
-#  $AbstractSearch     =~ s/[^\s\w+-\.]//go;
-#  $KeywordSearch      =~ s/[^\s\w+-\.]//go;
-#  $RevisionNoteSearch =~ s/[^\s\w+-\.]//go;
-#  $PubInfoSearch      =~ s/[^\s\w+-\.]//go;
-#  $FileSearch         =~ s/[^\s\w+-\.]//go;
-#  $FileDescSearch     =~ s/[^\s\w+-\.]//go;
+  $SimpleText         =~ s/[^\s\w+-\.]//go;
+  $TitleSearch        =~ s/[^\s\w+-\.]//go;
+  $AbstractSearch     =~ s/[^\s\w+-\.]//go;
+  $KeywordSearch      =~ s/[^\s\w+-\.]//go;
+  $RevisionNoteSearch =~ s/[^\s\w+-\.]//go;
+  $PubInfoSearch      =~ s/[^\s\w+-\.]//go;
+  $FileSearch         =~ s/[^\s\w+-\.]//go;
+  $FileDescSearch     =~ s/[^\s\w+-\.]//go;
   $FileContSearch     =~ s/[^\s\w+-\.]//go;  # No idea what they'd do with special characters, best to remove
 
   GetTopics();
@@ -122,7 +128,7 @@ sub LocalSearch ($) {
     }
     NewXMLOutput();
   } else {
-    my @Scripts = ("jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets");
+    my @Scripts = ("jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets");
     @JQueryElements = ("tablesorter");
     push @Scripts,"JQueryReady";
 
@@ -180,25 +186,25 @@ sub LocalSearch ($) {
     }
   }
 
-  $Afterday   = $params{afterday};
-  $Aftermonth = $params{aftermonth};
-  $Afteryear  = $params{afteryear};
+  $Afterday = $Untaint -> extract(-as_printable => "afterday");
+  $Aftermonth = $Untaint -> extract(-as_printable => "aftermonth");
+  $Afteryear = $Untaint -> extract(-as_printable => "afteryear");
   if ($Afteryear && $Afteryear ne "----") {
     if ($Aftermonth eq "---") {$Aftermonth = "Jan";}
     if ($Afterday   eq "--")  {$Afterday   = "1";}
     $SQLBegin   = "$Afteryear-$ReverseAbrvMonth{$Aftermonth}-$Afterday";
   }
 
-  $Beforeday   = $params{beforeday};
-  $Beforemonth = $params{beforemonth};
-  $Beforeyear  = $params{beforeyear};
+  $Beforeday = $Untaint -> extract(-as_printable => "beforeday");
+  $Beforemonth = $Untaint -> extract(-as_printable => "beforemonth");
+  $Beforeyear = $Untaint -> extract(-as_printable => "beforeyear");
   if ($Beforeyear && $Beforeyear ne "----") {
     if ($Beforemonth eq "---") {$Beforemonth = "Dec";}
     if ($Beforeday   eq "--")  {$Beforeday   = DaysInMonth($ReverseAbrvMonth{$Beforemonth},$Beforeyear);}
     $SQLEnd     = "$Beforeyear-$ReverseAbrvMonth{$Beforemonth}-$Beforeday";
   }
 
-  my $Mode    = $params{mode};
+  my $Mode = $Untaint -> extract(-as_printable => "mode");
   unless ($Mode eq "date" or $Mode eq "meeting" or $Mode eq "conference" or $Mode eq "title") {
     $Mode = "date";
   }

diff --git a/DocDB/cgi/SelectEmailPrefs b/DocDB/cgi/SelectEmailPrefs
@@ -153,7 +153,7 @@ if ($Mode eq "newuser") {
 }
 
 my @Scripts = ("PopUps");
-push @Scripts,"jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
+push @Scripts,"jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets";
 @JQueryElements = ("tablesorter");
 push @Scripts,"JQueryReady";
 

diff --git a/DocDB/cgi/SignatureReport b/DocDB/cgi/SignatureReport
@@ -63,7 +63,7 @@ $dbh   = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 
 &FetchEmailUser($EmailUserID);
 
-my @Scripts = ("jquery/jquery-3.0.0.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets");
+my @Scripts = ("jquery/jquery-3.5.1.slim.min","jquery/jquery.tablesorter.min","jquery/jquery.tablesorter.widgets");
 @JQueryElements = ("tablesorter");
 push @Scripts,"JQueryReady";
 

diff --git a/DocDB/html/js/jquery/jquery-3.5.1.slim.min.js b/DocDB/html/js/jquery/jquery-3.5.1.slim.min.js