Security: Reduce XSS/CSRF probability as admin user - refs BT#21289

Author: [email protected]

Author: christianbeeznest

main/admin/add_courses_to_usergroup.php

@@ -46,8 +46,8 @@ function remove_item(origin) {
 
 $errorMsg = '';
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
     if (!is_array($elements_posted)) {
         $elements_posted = [];
     }
@@ -187,7 +187,7 @@ function search($needle, $type)
 $searchForm->display();
 echo '</div>';
 ?>
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
     echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
     echo ' onsubmit="valide();"';

main/admin/add_sessions_to_usergroup.php

@@ -73,8 +73,8 @@ function validate_filter() {
 
 $errorMsg = '';
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
     if (!is_array($elements_posted)) {
         $elements_posted = [];
     }
@@ -168,7 +168,7 @@ function search_usergroup_sessions($needle, $type)
 echo '<div id="advancedSearch" style="display: none">'.get_lang('SearchSessions'); ?> :
      <input name="SearchSession" onchange = "xajax_search_usergroup_sessions(this.value,'searchbox')" onkeyup="this.onchange()">
      </div>
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
     echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
     echo ' onsubmit="valide();"';

main/admin/dashboard_add_sessions_to_user.php

@@ -29,7 +29,7 @@
 $tbl_session_rel_access_url = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_SESSION);
 
 // Initializing variables
-$user_id = isset($_GET['user']) ? intval($_GET['user']) : null;
+$user_id = isset($_GET['user']) ? (int) $_GET['user'] : null;
 $user_info = api_get_user_info($user_id);
 $user_anonymous = api_get_anonymous_id();
 $current_user_id = api_get_user_id();
@@ -72,10 +72,10 @@ function search_sessions($needle, $type)
 
         if (api_is_multiple_url_enabled()) {
             $sql = " SELECT s.id, s.name FROM $tbl_session s
-                     LEFT JOIN $tbl_session_rel_access_url a 
+                     LEFT JOIN $tbl_session_rel_access_url a
                      ON (s.id = a.session_id)
-                     WHERE  
-                        s.name LIKE '$needle%' $without_assigned_sessions AND 
+                     WHERE
+                        s.name LIKE '$needle%' $without_assigned_sessions AND
                         access_url_id = ".api_get_current_access_url_id();
         } else {
             $sql = "SELECT s.id, s.name FROM $tbl_session s
@@ -150,12 +150,12 @@ function remove_item(origin) {
 </script>';
 
 $formSent = 0;
-$firstLetterSession = isset($_POST['firstLetterSession']) ? $_POST['firstLetterSession'] : null;
+$firstLetterSession = isset($_POST['firstLetterSession']) ? Security::remove_XSS($_POST['firstLetterSession']) : null;
 $errorMsg = '';
 $UserList = [];
 
-if (isset($_POST['formSent']) && intval($_POST['formSent']) == 1) {
-    $sessions_list = $_POST['SessionsList'];
+if (isset($_POST['formSent']) && 1 == (int) $_POST['formSent']) {
+    $sessions_list = Security::remove_XSS($_POST['SessionsList']);
     $userInfo = api_get_user_info($user_id);
     $affected_rows = SessionManager::subscribeSessionsToDrh(
         $userInfo,

main/admin/dashboard_add_users_to_user.php

@@ -37,7 +37,7 @@
 
 $userStatus = api_get_user_status($user_id);
 
-$firstLetterUser = isset($_POST['firstLetterUser']) ? $_POST['firstLetterUser'] : null;
+$firstLetterUser = isset($_POST['firstLetterUser']) ? Security::remove_XSS($_POST['firstLetterUser']) : null;
 
 // setting the name of the tool
 $isAdmin = UserManager::is_admin($user_id);
@@ -287,7 +287,7 @@ function remove_item(origin) {
 }
 
 if (isset($_POST['formSent']) && intval($_POST['formSent']) == 1) {
-    $user_list = isset($_POST['UsersList']) ? $_POST['UsersList'] : null;
+    $user_list = isset($_POST['UsersList']) ? Security::remove_XSS($_POST['UsersList']) : null;
     switch ($userStatus) {
         case DRH:
         case PLATFORM_ADMIN:

main/auth/sort_my_courses.php

@@ -12,7 +12,7 @@
 $user_course_categories = CourseManager::get_user_course_categories(api_get_user_id());
 $courses_in_category = $auth->getCoursesInCategory(false);
 
-$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
+$action = isset($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : '';
 $currentUrl = api_get_self();
 
 $interbreadcrumb[] = [
@@ -22,7 +22,9 @@
 
 // We are moving the course of the user to a different user defined course category (=Sort My Courses).
 if (isset($_POST['submit_change_course_category'])) {
-    $result = $auth->updateCourseCategory($_POST['course_2_edit_category'], $_POST['course_categories']);
+    $course2EditCategory = Security::remove_XSS($_POST['course_2_edit_category']);
+    $courseCategories = Security::remove_XSS($_POST['course_categories']);
+    $result = $auth->updateCourseCategory($course2EditCategory, $courseCategories);
     if ($result) {
         Display::addFlash(
             Display::return_message(get_lang('EditCourseCategorySucces'))
@@ -36,7 +38,9 @@
 if (isset($_POST['submit_edit_course_category']) &&
     isset($_POST['title_course_category'])
 ) {
-    $result = $auth->store_edit_course_category($_POST['title_course_category'], $_POST['category_id']);
+    $titleCourseCategory = Security::remove_XSS($_POST['title_course_category']);
+    $categoryId = Security::remove_XSS($_POST['category_id']);
+    $result = $auth->store_edit_course_category($titleCourseCategory, $categoryId);
     if ($result) {
         Display::addFlash(
             Display::return_message(get_lang('CourseCategoryEditStored'))
@@ -52,7 +56,8 @@
     isset($_POST['title_course_category']) &&
     strlen(trim($_POST['title_course_category'])) > 0
 ) {
-    $result = $auth->store_course_category($_POST['title_course_category']);
+    $titleCourseCategory = Security::remove_XSS($_POST['title_course_category']);
+    $result = $auth->store_course_category($titleCourseCategory);
     if ($result) {
         Display::addFlash(
             Display::return_message(get_lang('CourseCategoryStored'))
@@ -71,16 +76,19 @@
 
 // We are moving a course or category of the user up/down the list (=Sort My Courses).
 if (isset($_GET['move'])) {
-    if (isset($_GET['course'])) {
-        $result = $auth->move_course($_GET['move'], $_GET['course'], $_GET['category']);
+    $getCourse = isset($_GET['course']) ? Security::remove_XSS($_GET['course']) : '';
+    $getMove = Security::remove_XSS($_GET['move']);
+    $getCategory = isset($_GET['category']) ? Security::remove_XSS($_GET['category']) : '';
+    if (!empty($getCourse)) {
+        $result = $auth->move_course($getMove, $getCourse, $getCategory);
         if ($result) {
             Display::addFlash(
                 Display::return_message(get_lang('CourseSortingDone'))
             );
         }
     }
-    if (isset($_GET['category']) && !isset($_GET['course'])) {
-        $result = $auth->move_category($_GET['move'], $_GET['category']);
+    if (!empty($getCategory) && empty($getCourse)) {
+        $result = $auth->move_category($getMove, $getCategory);
         if ($result) {
             Display::addFlash(
                 Display::return_message(get_lang('CategorySortingDone'))
@@ -152,7 +160,8 @@
         // we are deleting a course category
         if (isset($_GET['id'])) {
             if (Security::check_token('get')) {
-                $result = $auth->delete_course_category($_GET['id']);
+                $getId = Security::remove_XSS($_GET['id']);
+                $result = $auth->delete_course_category($getId);
                 if ($result) {
                     Display::addFlash(
                         Display::return_message(get_lang('CourseCategoryDeleted'))
@@ -182,7 +191,7 @@
         $userId = api_get_user_id();
         $categoryId = isset($_REQUEST['categoryid']) ? (int) $_REQUEST['categoryid'] : 0;
         $option = isset($_REQUEST['option']) ? (int) $_REQUEST['option'] : 0;
-        $redirect = isset($_REQUEST['redirect']) ? $_REQUEST['redirect'] : 0;
+        $redirect = isset($_REQUEST['redirect']) ? Security::remove_XSS($_REQUEST['redirect']) : 0;
 
         if (empty($userId) || empty($categoryId)) {
             api_not_allowed(true);

main/session/session_add.php

@@ -115,8 +115,8 @@ function emptyDuration() {
 }
 </script>";
 
-if (isset($_POST['formSent']) && $_POST['formSent']) {
-    $formSent = 1;
+if (isset($_POST['formSent'])) {
+    $formSent = (int) $_POST['formSent'];
 }
 
 $tool_name = get_lang('AddSession');