ZP-1102 Add folder origin constants to the allowed characters in the

incoming data filter. Released under the Affero GNU General Public License (AGPL) version 3.

ZP-1102 Add folder origin constants to the allowed characters in the
incoming data filter. Released under the Affero GNU General Public License (AGPL) version 3.
7a888d38 · Sebastian Kummer · 622f9323 · 7a888d38 · 7a888d38
Commit 7a888d38 authored Nov 24, 2016 by Sebastian Kummer
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 6 deletions

devicemanager.php src/lib/core/devicemanager.php +1 -0

request.php src/lib/request/request.php +8 -6

No files found.
--- a/src/lib/core/devicemanager.php
+++ b/src/lib/core/devicemanager.php
@@ -37,6 +37,7 @@ class DeviceManager {
    const FLD_SYNC_INPROGRESS = 2;
    const FLD_SYNC_COMPLETED = 4;
+    // new types need to be added to Request::HEX_EXTENDED2 filter
    const FLD_ORIGIN_USER = "U";
    const FLD_ORIGIN_CONFIG = "C";
    const FLD_ORIGIN_SHARED = "S";

--- a/src/lib/request/request.php
+++ b/src/lib/request/request.php
@@ -37,6 +37,7 @@ class Request {
    const NUMBERSDOT_ONLY = 5;
    const HEX_EXTENDED = 6;
    const ISO8601 = 7;
+    const HEX_EXTENDED2 = 8;
    /**
     * Command parameters for base64 encoded requests (AS >= 12.1)
@@ -108,11 +109,11 @@ class Request {
        if(isset($_GET["DeviceType"]))
            self::$devtype = self::filterEvilInput($_GET["DeviceType"], self::LETTERS_ONLY);
        if (isset($_GET["AttachmentName"]))
-            self::$attachmentName = self::filterEvilInput($_GET["AttachmentName"], self::HEX_EXTENDED);
+            self::$attachmentName = self::filterEvilInput($_GET["AttachmentName"], self::HEX_EXTENDED2);
        if (isset($_GET["CollectionId"]))
-            self::$collectionId = self::filterEvilInput($_GET["CollectionId"], self::HEX_ONLY);
+            self::$collectionId = self::filterEvilInput($_GET["CollectionId"], self::HEX_EXTENDED2);
        if (isset($_GET["ItemId"]))
-            self::$itemId = self::filterEvilInput($_GET["ItemId"], self::HEX_ONLY);
+            self::$itemId = self::filterEvilInput($_GET["ItemId"], self::HEX_EXTENDED2);
        if (isset($_GET["SaveInSent"]) && $_GET["SaveInSent"] == "T")
            self::$saveInSent = true;
@@ -148,13 +149,13 @@ class Request {
                self::$asProtocolVersion = self::filterEvilInput($query['ProtVer'], self::NUMBERS_ONLY) / 10;
            if (isset($query[self::COMMANDPARAM_ATTACHMENTNAME]))
-                self::$attachmentName = self::filterEvilInput($query[self::COMMANDPARAM_ATTACHMENTNAME], self::HEX_EXTENDED);
+                self::$attachmentName = self::filterEvilInput($query[self::COMMANDPARAM_ATTACHMENTNAME], self::HEX_EXTENDED2);
            if (isset($query[self::COMMANDPARAM_COLLECTIONID]))
-                self::$collectionId = self::filterEvilInput($query[self::COMMANDPARAM_COLLECTIONID], self::HEX_ONLY);
+                self::$collectionId = self::filterEvilInput($query[self::COMMANDPARAM_COLLECTIONID], self::HEX_EXTENDED2);
            if (isset($query[self::COMMANDPARAM_ITEMID]))
-                self::$itemId = self::filterEvilInput($query[self::COMMANDPARAM_ITEMID], self::HEX_ONLY);
+                self::$itemId = self::filterEvilInput($query[self::COMMANDPARAM_ITEMID], self::HEX_EXTENDED2);
            if (isset($query[self::COMMANDPARAM_OPTIONS]) && (ord($query[self::COMMANDPARAM_OPTIONS]) & self::COMMANDPARAM_OPTIONS_SAVEINSENT))
                self::$saveInSent = true;
@@ -669,6 +670,7 @@ class Request {
        else if ($filter == self::NUMBERS_ONLY)       $re = "/[^0-9]/";
        else if ($filter == self::NUMBERSDOT_ONLY)    $re = "/[^0-9\.]/";
        else if ($filter == self::HEX_EXTENDED)       $re = "/[^A-Fa-f0-9\:]/";
+        else if ($filter == self::HEX_EXTENDED2)      $re = "/[^A-Fa-f0-9\:USG]/"; // Folder origin constants from DeviceManager::FLD_ORIGIN_* (C already hex)
        else if ($filter == self::ISO8601)            $re = "/[^\d{8}T\d{6}Z]/";
        return ($re) ? preg_replace($re, $replacevalue, $input) : '';