- Security fix: Do not show the reason for a failed login (i.e. "no …

…such user")

 - Security fix: Escape HTML characters in category name.
 - Security fix: Check all passed in fields (either via HTML form or via
   URL parameter) for certain malicious tags (script, embed, etc.) and
   generate fatal error if found.

ChangeLog

@@ -1,5 +1,13 @@
 $Id$
 
+Version 1.2.7 (?? ??? 2013)
+ - Security fix: Do not show the reason for a failed login (i.e. "no such user")
+ - Security fix: Escape HTML characters in category name.
+ - Security fix: Check all passed in fields (either via HTML form or via
+   URL parameter) for certain malicious tags (script, embed, etc.) and
+   generate fatal error if found.
+
+
 Version 1.2.6 (07 Jan 2013)
  - Fixed bug [ 3577712 ] - typo in upcoming.php
  - Bug fix: ajax.php error on undefined function require_valide_referring_url

category.php

@@ -129,7 +129,7 @@
       $catIcon = $icon_path . 'cat-' . $K . '.gif';
       $catStr = '<span style="color: '
        . ( ! empty ( $V['cat_color'] ) ? $V['cat_color'] : '#000000' )
-       . ';">' . $V['cat_name'] . '</span>';
+       . ';">' . htmlentities ( $V['cat_name'] ) . '</span>';
       echo '
       <li>' . ( $V['cat_owner'] == $login || $is_admin
         ? '<a href="category.php?id=' . $K . '">' . $catStr . '</a>' : $catStr );

category_handler.php

@@ -20,6 +20,8 @@ function renameIcon ( $id ) {
 $is_my_event = false;
 $id = getValue ( 'id' );
 $catname = getValue ( 'catname' );
+// prohibit any html in category name (including <script>)
+$catname = strip_tags ( $catname );
 $catcolor = getValue ( 'catcolor' );
 $isglobal = getValue ( 'isglobal' );
 $delIcon = getPostValue ( 'delIcon' );

catsel.php

@@ -49,7 +49,9 @@
     // None is index -1 and needs to be ignored
     if ( $K > 0 && ( $V['cat_owner'] == $login || $is_admin ||
         substr ( $form, 0, 4 ) == 'edit' ) ) {
-      $tmpStr = $K . '" name="' . $V['cat_name'] . '">' . $V['cat_name'];
+      $tmpStr = $K .
+        '" name="' . htmlentities ( $V['cat_name'] ) .
+        '">' . htmlentities ( $V['cat_name'] );
       echo '
             <option value="' . ( empty ( $V['cat_owner'] )
         ? "-$tmpStr" . '<sup>*</sup>' : $tmpStr ) . '</option>';
@@ -77,7 +79,7 @@
     }
     echo '
             <option value="' . "$K\" $disabled>"
-     . $categories[abs ( $K )]['cat_name'] . $show_ast . '</option>';
+     . htmlentities ( $categories[abs ( $K )]['cat_name'] ) . $show_ast . '</option>';
   }
 }
 

edit_report.php

@@ -313,7 +313,7 @@ function print_options ( $textarea, $option ) {
   while ( list ( $K, $V ) = each ( $categories ) ) {
     echo '
               <option value="' . $K . '"' . ( $report_cat_id == $K ? $selected : '' )
-     . '>' . $V['cat_name'] . '</option>';
+     . '>' . htmlentities ( $V['cat_name'] ) . '</option>';
   }
 
   echo '

export.php

@@ -49,7 +49,7 @@
   foreach ( $categories as $K => $V ) {
     if ( $K > 0 )
       echo '
-              <option value="' . $K . '">' . $V['cat_name'] . '</option>';
+              <option value="' . $K . '">' . htmlentities ( $V['cat_name'] ) . '</option>';
   }
 
   echo '

includes/formvars.php

@@ -11,6 +11,53 @@
  * @package WebCalendar
  */
 
+
+
+/**
+  * This function examines the data for a form POST or GET to check
+  * for malicious hacks.  If one is found, we just exit since this
+  * should not happen with normal use.
+  */
+function preventHacking ( $name, $instr ) {
+  $bannedTags = array (
+    'APPLET', 'BODY', 'EMBED', 'FORM', 'HEAD',
+    'HTML', 'IFRAME', 'LINK', 'META', 'NOEMBED',
+    'NOFRAMES', 'NOSCRIPT', 'OBJECT', 'SCRIPT',
+    );
+  $failed = false;
+
+  if ( is_array ( $instr ) ) {
+    for ( $j = 0; $j < count ( $instr ); $j++ ) {
+      for ( $i = 0; $i < count ( $bannedTags ) && ! $failed; $i++ ) {
+        // First, replace any escape characters like '\x3c'
+        $teststr = preg_replace ( "#(\\\x[0-9A-F]{2})#e",
+          "chr(hexdec('\\1'))", $instr[$j] );
+        if ( preg_match ( "/<\s*$bannedTags[$i]/i", $teststr ) ) {
+          $failed = true;
+        }
+      }
+    }
+    if ( $failed ) {
+      die_miserable_death ( translate ( 'Fatal Error' ) . ': '
+         . translate ( 'Invalid data format for' ) . ' ' . $name );
+    }
+  } else {
+    // Not an array
+    // First, replace any escape characters like '\x3c'
+    $teststr = preg_replace ( "#(\\\x[0-9A-F]{2})#e",
+      "chr(hexdec('\\1'))", $instr );
+    for ( $i = 0; $i < count ( $bannedTags ) && ! $failed; $i++ ) {
+      if ( preg_match ( "/<\s*$bannedTags[$i]/i", $teststr ) ) {
+        $failed = true;
+      }
+    }
+    if ( $failed ) {
+      die_miserable_death ( translate ( 'Fatal Error' ) . ': '
+         . translate ( 'Invalid data format for' ) . ' ' . $name );
+    }
+  }
+}
+
 /* Gets the value resulting from an HTTP POST method.
  *
  * <b>Note:</b> The return value will be affected by the value of
@@ -29,6 +76,8 @@ function getPostValue ( $name ) {
       ? $_POST[$name] : (is_array ( $_POST[$name] ) 
 			? array_map ( 'addslashes',  
 			$_POST[$name] ): addslashes ( $_POST[$name] ) ) );
+
+  preventHacking ( $name, $postName );
   return $postName;
 }
 
@@ -54,6 +103,7 @@ function getGetValue ( $name ) {
   if ( isset ( $_GET ) && is_array ( $_GET ) && isset ( $_GET[$name] ) )
     $getName = ( get_magic_quotes_gpc () != 0
       ? $_GET[$name] : addslashes ( $_GET[$name] ) );
+  preventHacking ( $name, $getName );
   return $getName;
 }
 
@@ -106,6 +156,7 @@ function getValue ( $name, $format = '', $fatal = false ) {
     // ignore value
     return '';
   }
+  preventHacking ( $name, $val );
   return $val;
 }
 

login.php

@@ -35,7 +35,7 @@
 
 // Change this to true to show "no such user" or "invalid password" on
 // login failures.
-$showLoginFailureReason = true;
+$showLoginFailureReason = false;
 
 if ( ! empty ( $last_login ) ) {
   $login = '';

pref.php

@@ -556,7 +556,7 @@ function save_pref( $prefs, $src) {
    echo "<option value=\"$K\"";
    if ( ! empty ( $prefarray['CATEGORY_VIEW'] ) &&
     $prefarray['CATEGORY_VIEW'] == $K ) echo $selected;
-   echo ">{$V['cat_name']}</option>\n";
+   echo ">{" . htmlentities ( $V['cat_name'] ) . "}</option>\n";
   }
  }
 ?>

search.php

@@ -66,7 +66,7 @@
   foreach ( $categories as $K => $V ) {
     if ( $K > 0 )
       echo '
-              <option value="' . $K . '">' . $V['cat_name'] . '</option>';
+              <option value="' . $K . '">' . htmlentities ( $V['cat_name'] ) . '</option>';
   }
 
   echo '

set_entry_cat.php

@@ -44,7 +44,7 @@
 $globals_found = false;
 $categories = get_categories_by_id ( $id, $login, true );
 if ( ! empty ( $categories ) ) {
-  $catNames = implode ( ', ', $categories );
+  $catNames = htmlentities ( implode ( ', ', $categories ) );
   $keys = array_keys ( $categories );
   $catList = implode ( ',', $keys );
   sort ( $keys );

upcoming.php

@@ -219,7 +219,7 @@ function print_upcoming_event ( $e, $date ) {
     $categories = get_categories_by_id ( $e->getId (), $username );
     $category = implode ( ', ', $categories);
     if ( strlen ( $category  ) > 0 )
-      echo '<span class="categories">' . $category . "</span>\n";
+      echo '<span class="categories">' . htmlentities ( $category ) . "</span>\n";
     if ( strlen ( $e->getUrl () ) > 0 )
       echo '<span class="url">' . $e->getUrl () . "</span>\n";
     $rrule = export_recurrence_ical( $e->getId () );

view_entry.php

@@ -510,7 +510,7 @@
       </tr>' : '' ) . ( $CATEGORIES_ENABLED == 'Y' && ! empty ( $category ) ? '
       <tr>
         <td class="aligntop bold">' . translate ( 'Category' ) . ':</td>
-        <td>' . $category . '</td>
+        <td>' . htmlentities ( $category ) . '</td>
       </tr>' : '' );
 
 // Display who originally created event