8.7.20rc

.gitignore

@@ -0,0 +1,9 @@
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+Icon?
+ehthumbs.db
+Thumbs.db
+

DocDB/cgi/AddFiles

@@ -8,7 +8,7 @@
 #      Author: Eric Vaandering ([email protected])
 #    Modified:
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.
 
@@ -27,6 +27,7 @@
 
 use Benchmark;
 use CGI;
+use CGI::Untaint;
 use DBI;
 
 $StartTime = new Benchmark;
@@ -40,6 +41,7 @@ require "MiscSQL.pm";
 require "FSUtilities.pm";
 require "WebUtilities.pm";
 require "HTMLUtilities.pm";
+require "UntaintInput.pm";
 require "FileUtilities.pm";
 require "Security.pm";
 
@@ -61,7 +63,7 @@ $dbh   = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rwuser,$db_rwpass
 
 ### Set up, give user initial information
 
-%params = $query -> Vars;
+my $Untaint = CGI::Untaint -> new($query -> Vars);
 
 print $query -> header( -charset => $HTTP_ENCODING );
 &DocDBHeader("$Project File Addition Results","File Addition Results");
@@ -73,33 +75,30 @@ print $query -> header( -charset => $HTTP_ENCODING );
 
 ### Get document and revision ID
 
-my $DocumentID   = $params{docid};
-my $Version      = $params{version};
-my $Replace      = $params{replace};
-my $MaxFiles     = $params{maxfiles};
-my $SubmitAgree  = $params{submitagree};
-my $PreserveSigs = $params{preservesigs};
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $Version = $Untaint -> extract(-as_integer => "version") || 0;
+my $Replace = $Untaint -> extract(-as_printable => "replace") || "";
+my $MaxFiles = $Untaint -> extract(-as_integer => "maxfiles") || 0;
+my $SubmitAgree = $Untaint -> extract(-as_printable => "submitagree") || "";
+my $PreserveSigs = $Untaint -> extract(-as_printable => "preservesigs") || "";
 
 my $DocRevID;
 
 ### Check for user errors
 
 if ($DocumentID && $Version) {
   $DocRevID = &FetchRevisionByDocumentAndVersion($DocumentID,$Version);
-  unless ($DocRevID) {
-    push @ErrorStack,"No such document exists.";
-  }
-  unless (&CanModify($DocumentID,$Version)) {
-    push @ErrorStack,"You are not authorized to modify this document.";
+  unless ($DocRevID && CanModify($DocumentID,$Version)) {
+    push @ErrorStack,"You are not authorized to modify this document or it does not exist.";
   }
 } else {
   push @ErrorStack,"You must supply document and version numbers to add files.";
 }
 
 if ($Preferences{Options}{SubmitAgree} && !$SubmitAgree) {
-  push @ErrorStack,'You must check the box near with this statement: <br/>'.
+  push @ErrorStack,'You must check the box near with this statement: \n'.
                    $Preferences{Options}{SubmitAgree}.
-                   '<br/>to add files to the document.';
+                   '\nto add files to the document.';
 }
 
 if ($PreserveSigs && !CanPreserveSigs()) {
@@ -110,16 +109,22 @@ if ($PreserveSigs && !CanPreserveSigs()) {
 my $UpdateLink = $DocumentAddForm."?mode=update&docid=$DocumentID";
 
 # Fill in file hash
+my $HttpUser = $Untaint -> extract(-as_printable => "http_user") || "";
+my $HttpPass = $Untaint -> extract(-as_printable => "http_pass") || "";
 
 my %Files = ();
 my $NeedURLs   = 0;
 my $AddNewFile = 0;
 
 for (my $i = 1; $i<= $MaxFiles; ++$i) {
   my $Key = $i; # Probably something better later
-  if ($params{"upload$i"}) {
+  my $UploadI = $query -> param("upload$i");
+  my $UrlI = $Untaint -> extract(-as_printable => "url$i") || "";
+  my $MainI = $Untaint -> extract(-as_printable => "main$i") || "";
+  my $DescriptionI = $Untaint -> extract(-as_safehtml => "filedesc$i") || "";
+  if ($UploadI) {
     $AddNewFile = 1;
-    $Files{$Key}{File} = $query ->  param("upload$i");
+    $Files{$Key}{File} = $UploadI;
     if (&ExistsUpload($DocRevID,$Files{$Key}{File})) {
       if ($Replace) {
         push @WarnStack,"The file $short_file already existed and has been
@@ -131,12 +136,12 @@ for (my $i = 1; $i<= $MaxFiles; ++$i) {
              document,  not add files.";
       }
     }
-  } elsif ($params{"url$i"}) {
+  } elsif ($UrlI) {
     $NeedURLs = 1;
     $AddNewFile = 1;
-    $Files{$Key}{URL}  = $params{"url$i"};
-    $Files{$Key}{User} = $params{http_user};
-    $Files{$Key}{Pass} = $params{http_pass};
+    $Files{$Key}{URL}  = $UrlI;
+    $Files{$Key}{User} = $HttpUser;
+    $Files{$Key}{Pass} = $HttpPass;
     if (&ExistsURL($DocRevID,$Files{$Key}{URL})) {
       if ($Replace) {
         push @WarnStack,"The file $short_file already existed and has been
@@ -150,13 +155,13 @@ for (my $i = 1; $i<= $MaxFiles; ++$i) {
     }
   }
 
-  if ($params{"main$i"}) {
+  if ($MainI) {
     $Files{$Key}{Main} = 1;
   } else {
     $Files{$Key}{Main} = 0;
   }
 
-  $Files{$Key}{Description} = $params{"filedesc$i"};
+  $Files{$Key}{Description} = $DescriptionI;
 }
 
 unless ($AddNewFile) {

DocDB/cgi/AddFilesForm

@@ -9,7 +9,7 @@
 #      Author: Eric Vaandering ([email protected])
 #    Modified:
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.
 
@@ -27,6 +27,7 @@
 #    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 use CGI qw(-nosticky);
+use CGI::Untaint;
 use DBI;
 
 require "DocDBGlobals.pm";
@@ -45,20 +46,21 @@ require "FileHTML.pm";
 require "Cookies.pm";
 require "Defaults.pm";
 require "HTMLUtilities.pm";
+require "UntaintInput.pm";
 require "Scripts.pm";
 
 $query = new CGI;  # Global for subroutines
+$query -> autoEscape(0);
+my $Untaint = CGI::Untaint -> new($query -> Vars);
 $dbh   = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 
 &GetSecurityGroups;
 &GetPrefsCookie;
 
-%params = $query -> Vars;
-
-$DocumentID    = $params{docid};
-$Upload        = $params{upload};
-$NumberUploads = $params{numfile};
-#$Version done later
+my $DocumentID = $Untaint -> extract(-as_integer => "docid") || 0;
+my $Upload = $Untaint -> extract(-as_safehtml => "upload") || undef;
+my $NumberUploads = $Untaint -> extract(-as_integer => "numfile") || 0; # Global since not passed (oversight)
+my $InputVersion = $Untaint -> extract(-as_integer => "version") || undef;
 
 # Set defaults
 
@@ -76,11 +78,11 @@ unless ($DocumentID) {
 
 &FetchDocument($DocumentID);
 
-if ($params{version} eq "0") {
+if ($InputVersion eq "0") {
   $Version = 0;
 } else {
-  if ($params{version}) {
-    $Version = $params{version};
+  if ($InputVersion) {
+    $Version = $InputVersion;
   } else {
     $Version = $Documents{$DocumentID}{NVersions};
   }

DocDB/cgi/AdministerElements.pm

@@ -1,13 +1,13 @@
 #        Name: $RCSfile$
-# Description: Various routines which supply input forms for adminstrative
+# Description: Various routines which supply input forms for administrative
 #              functions
 #
 #    Revision: $Revision$
 #    Modified: $Author$ on $Date$
 #
 #      Author: Eric Vaandering ([email protected])
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.
 

DocDB/cgi/AdministerForm

@@ -9,7 +9,7 @@
 #
 #      Author: Eric Vaandering ([email protected])
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.
 
@@ -49,9 +49,11 @@ require "MiscSQL.pm";
 require "ResponseElements.pm";
 
 require "HTMLUtilities.pm";
+require "UntaintInput.pm";
 require "Sorts.pm";
 
 $query = new CGI;  # Global for subroutines
+$query -> autoEscape(0);
 $dbh   = DBI -> connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 
 &GetSecurityGroups;

DocDB/cgi/AdministerHome

@@ -1,9 +1,12 @@
 #! /usr/bin/env perl
 #
+#        Name: AdministerHome
+# Description: A "home page" for the various administration pages 
+#
 #      Author: Lynn Garren ([email protected])
 #    Modified: Eric Vaandering ([email protected])
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.
 
@@ -30,13 +33,12 @@ require "Scripts.pm";
 require "ResponseElements.pm";
 require "FormElements.pm";
 require "Messages.pm";
-#require "Cookies.pm";
 require "Security.pm";
 require "SecuritySQL.pm";
 require "SecurityHTML.pm";
-#require "MeetingSecurityUtilities.pm";
 
 $query = new CGI;  # Global for subroutines
+$query -> autoEscape(0);
 $dbh   = DBI->connect('DBI:mysql:'.$db_name.':'.$db_host,$db_rouser,$db_ropass);
 
 GetSecurityGroups();

DocDB/cgi/AdministerIntructions.pm

@@ -6,7 +6,7 @@
 #      Author: Eric Vaandering ([email protected])
 #    Modified: 
 
-# Copyright 2001-2009 Eric Vaandering, Lynn Garren, Adam Bryant
+# Copyright 2001-2013 Eric Vaandering, Lynn Garren, Adam Bryant
 
 #    This file is part of DocDB.