[LON-CAPA-cvs] cvs: loncom /interface lonsupportreq.pm
raeburn
raeburn at source.lon-capa.org
Fri Jan 4 11:57:38 EST 2013
raeburn Fri Jan 4 16:57:38 2013 EDT
Modified files:
/loncom/interface lonsupportreq.pm
Log:
- Sanity checking.
- Additional entity conversions to proof against XSS.
Index: loncom/interface/lonsupportreq.pm
diff -u loncom/interface/lonsupportreq.pm:1.69 loncom/interface/lonsupportreq.pm:1.70
--- loncom/interface/lonsupportreq.pm:1.69 Mon Aug 27 06:28:06 2012
+++ loncom/interface/lonsupportreq.pm Fri Jan 4 16:57:38 2013
@@ -1,5 +1,5 @@
#
-# $Id: lonsupportreq.pm,v 1.69 2012/08/27 06:28:06 raeburn Exp $
+# $Id: lonsupportreq.pm,v 1.70 2013/01/04 16:57:38 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -39,7 +39,7 @@
use Apache::lonauth();
use Apache::courseclassifier;
use LONCAPA qw(:DEFAULT :match);
-
+use HTML::Entities;
sub handler {
my ($r) = @_;
@@ -57,8 +57,19 @@
if ($r->uri eq '/adm/helpdesk') {
&Apache::lonacc::get_posted_cgi($r);
}
- my $function = $env{'form.function'};
+ my $function;
+ if ($env{'form.function'}) {
+ if (($env{'form.function'} eq 'norole') ||
+ ($env{'form.function'} eq 'student') ||
+ ($env{'form.function'} eq 'admin') ||
+ ($env{'form.function'} eq 'author')) {
+ $function = $env{'form.function'};
+ }
+ }
my $origurl = $env{'form.origurl'};
+ $origurl =~ s{^https?://}{};
+ $origurl =~ s/(`)//g;
+ $origurl =~ s/\$/\(\$\)/g;
my $command = $env{'form.command'};
if ($command eq 'process') {
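Review bot: The scheme strip on L45 removes `https?://` but leaves the host name in place, so an absolute origurl such as `https://host/adm/x` becomes `host/adm/x`, and the later `$machine.$origurl` concatenation (hunk @@ -102) glues that host name straight onto the machine URL; the old branch that passed absolute URLs through unchanged has been removed, so this input is now mishandled rather than rejected. Assuming absolute_url() returns scheme and host without a trailing slash, as the old `$machine.$origurl` form implies, strip the authority as well and accept only site-relative paths: `$origurl =~ s{^https?://[^/]*}{};` followed by `$origurl = '' unless ($origurl =~ m{^/});`. An allowlist of that shape also makes the backtick and `$` denylist on L46-L47 unnecessary; note that `s/\$/\(\$\)/g` rewrites the URL content itself, so the sourceurl carried in the hidden field (L61 and hunk @@ -358) no longer matches the page the user came from, while cleanup_html appears to entity-encode `$` for display anyway. The handler continues outside the hunk.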
@@ -102,13 +113,9 @@
}
$formname = 'logproblem';
my $machine = &Apache::lonnet::absolute_url();
- if ($origurl =~ m-^https?://-) {
- $server = $origurl;
- } else {
- $server = $machine.$origurl;
- }
- my $showserver = $server;
- $showserver =~ s/\?.*$//;
+ my $sourceurl = $machine.$origurl;
+ $server = $machine.&cleanup_html($origurl);
+ $server =~ s/\?.*$//;
my %lt = &Apache::lonlocal::texthash (
email => 'The e-mail address you entered',
notv => 'is not a valid e-mail address',
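Review bot: `$server` is entity-encoded by cleanup_html on L62 and only afterwards has its query string removed on L63, so the strip runs over encoded text and silently depends on cleanup_html leaving `?` untouched (its full substitution list is outside this hunk). Cutting the query first and encoding last keeps the two steps independent: `(my $shown = $origurl) =~ s/\?.*$//;` and then `$server = $machine.&cleanup_html($shown);`. `$sourceurl` on L61 and `$server` now derive from the same value but pass through different encoders (cleanup_html here, HTML::Entities::encode in hunk @@ -358); using one mechanism for both would be easier to audit. The enclosing block starts and ends outside the hunk.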
@@ -358,8 +365,8 @@
$num ++;
$i = $num%2;
$output .= &Apache::lonhtmlcommon::row_title("$lt{'urlp'}",undef,$css[$i]).
- $showserver."\n".'<input type="hidden" name="sourceurl" value="'.
- &HTML::Entities::encode($server,'"<>&').'" />'."\n".
+ $server."\n".'<input type="hidden" name="sourceurl" value="'.
+ &HTML::Entities::encode($sourceurl,'"<>&').'" />'."\n".
&Apache::lonhtmlcommon::row_closure().
&Apache::lonhtmlcommon::row_title("$lt{'phon'}",undef,'LC_evenrow_value').
'<input type="text" size="15" name="phone" /><br />'."\n".
@@ -951,8 +958,11 @@
} else {
$reviewtext = &mt('Please review the information in "Log-in help" if you are unable to log-in.');
}
+ my $linkback;
if ($origurl eq '') {
- $origurl = 'javascript:history.go(-1)';
+ $linkback = 'javascript:history.go(-1)';
+ } else {
+ $linkback = &HTML::Entities::encode($origurl,'"<>&');
}
my $loginhelp = &Apache::lonauth::loginhelpdisplay();
if ($loginhelp eq '') {
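Review bot: `$linkback` on L87 is built with HTML::Entities::encode, which stops the value from breaking out of the href attribute in hunk @@ -972 but does not constrain the URL scheme, so an origurl beginning with `javascript:` or `data:` would still be emitted as a clickable link. The enclosing sub starts outside the hunk, so whether `$origurl` here is the value checked in handler or a caller-supplied argument is not visible; a local check is cheap either way: `} elsif ($origurl =~ m{^(?:/|https?://)}) {` ahead of the encode line, with `} else { $linkback = 'javascript:history.go(-1)'; }` as the fallback so unexpected input behaves like an empty origurl.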
@@ -972,7 +982,7 @@
<tr>
<td align="center"><span class="LC_nobreak"><img src="$location/help/help.png" border="0" alt="($lt{'login'})" style="vertical-align:middle" /> <b><a href="$loginhelp">$lt{'login'}</a></b> </span></td>
<td align="center"><span class="LC_nobreak"> <b>$helpdesk_link<img src="$location/lonIcons/helpdesk.gif" border="0" alt="($lt{'ask'})" style="vertical-align:middle" /> $lt{'ask'}</a></b> </span></td>$getstartlink
- <td align="center"><span class="LC_nobreak"> <b><a href="$origurl" target="_top"><img src="$location/lonIcons/move_up.gif" border="0" alt="($lt{'back'})" style="vertical-align:middle" /> $lt{'back'}</a></b> </span></td>
+ <td align="center"><span class="LC_nobreak"> <b><a href="$linkback" target="_top"><img src="$location/lonIcons/move_up.gif" border="0" alt="($lt{'back'})" style="vertical-align:middle" /> $lt{'back'}</a></b> </span></td>
</tr>
</table>
</fieldset>
@@ -1005,8 +1015,11 @@
sub get_domain {
my $codedom;
if (exists($env{'form.codedom'})) {
- $codedom = $env{'form.codedom'};
- } elsif ($env{'request.course.id'}) {
+ if (&Apache::lonnet::domain($env{'form.codedom'}) ne '') {
+ return $env{'form.codedom'};
+ }
+ }
+ if ($env{'request.course.id'}) {
$codedom = $env{'course.'.$env{'request.course.id'}.'.domain'};
} elsif ($env{'request.role.domain'}) {
$codedom = $env{'request.role.domain'};
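Review bot: The early return on L107 changes get_domain's precedence — a form.codedom that Apache::lonnet::domain() does not recognise now falls through to the course domain and then the role domain instead of being returned — and nothing in the sub records that. A comment above L103 such as `# form.codedom is honoured only if it names a known domain; otherwise fall back to the course domain, then the role domain` would make the intent explicit. `exists` on L103 also admits an empty string, which presumably fails the domain() check and falls through as well; worth confirming that is the intended outcome. The sub's tail is outside the hunk.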
@@ -1021,6 +1034,7 @@
my $outgoing;
if ($incoming ne '') {
$outgoing = $incoming;
+ $outgoing =~ s/;/;/g;
$outgoing =~ s/\#/#/g;
$outgoing =~ s/\&/&/g;
$outgoing =~ s/</</g;
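Review bot: The new `;` substitution on L118 runs before the `&` substitution on L120, so the entity it produces is itself re-encoded (the archive renders each replacement as the bare character, so I am reading them as entity references, e.g. `&amp;` on L120): a `;` in the input first becomes an entity, the `#` line on L119 then rewrites the `#` inside that entity, and L120 encodes both ampersands, leaving text that displays as entity markup rather than the original character. The pre-existing `#` line on L119 has the same problem; the `/`, `=` and `\` lines added in hunk @@ -1030 do not, because they run after L120. Encoding `&` first, before any replacement that introduces an ampersand, fixes the ordering; simpler still, since this commit imports HTML::Entities, the whole chain can become `$outgoing = &HTML::Entities::encode($incoming, '<>&"\'');`, which covers the characters that matter in HTML text and attribute context in one pass.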
@@ -1030,6 +1044,9 @@
$outgoing =~ s/"/"/g;
$outgoing =~ s/'/'/g;
$outgoing =~ s/\$/$/g;
+ $outgoing =~ s{/}{/}g;
+ $outgoing =~ s/=/=/g;
+ $outgoing =~ s/\\/\/g
}
return $outgoing;
}
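Review bot: The last substitution on L128 has no terminating semicolon; Perl accepts it as the final statement of the block, but it is inconsistent with every line above it and any line added after it will fail to parse — append the `;` so the line reads `$outgoing =~ s/\\/<backslash entity>/g;` with the replacement left as it is. That replacement is rendered as a bare `\` in this archive, which reads as an unterminated regex; presumably it is a numeric entity in the checked-in file, and that should be confirmed against the source rather than this rendering. cleanup_html's result is shown as page text (hunk @@ -358), where encoding `/`, `=` and `\` is harmless but not needed; a short comment on the sub stating which characters are encoded and why would help future readers judge further additions.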