
Security update for /core/default_settings

markjcrane 4 tahun lalu
induk
melakukan
aaaa3c8f0a

+ 17 - 17
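--- a/core/default_settings/default_setting_edit.php
+++ b/core/default_settings/default_setting_edit.php
@@ -17,7 +17,7 @@
 
  The Initial Developer of the Original Code is
  Mark J Crane <[email protected]>
- Portions created by the Initial Developer are Copyright (C) 2008-2020
+ Portions created by the Initial Developer are Copyright (C) 2008-2021
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
@@ -255,7 +255,7 @@
 	}
 	echo "	</div>\n";
 	echo "	<div class='actions'>\n";
-	echo button::create(['type'=>'button','label'=>$text['button-back'],'icon'=>$_SESSION['theme']['button_icon_back'],'id'=>'btn_back','style'=>'margin-right: 15px;','link'=>'default_settings.php'.($search != '' ? "?search=".$search : null)]);
+	echo button::create(['type'=>'button','label'=>$text['button-back'],'icon'=>$_SESSION['theme']['button_icon_back'],'id'=>'btn_back','style'=>'margin-right: 15px;','link'=>'default_settings.php'.($search != '' ? "?search=".urlencode($search) : null)]);
 	echo button::create(['type'=>'button','label'=>$text['button-save'],'icon'=>$_SESSION['theme']['button_icon_save'],'id'=>'btn_save','onclick'=>'submit_form();']);
 	echo "	</div>\n";
 	echo "	<div style='clear: both;'></div>\n";
@@ -276,7 +276,7 @@
 	echo "	".$text['label-category']."\n";
 	echo "</td>\n";
 	echo "<td width='70%' class='vtable' align='left'>\n";
-	echo "	<input class='formfld' type='text' name='default_setting_category' maxlength='255' value=\"$default_setting_category\">\n";
+	echo "	<input class='formfld' type='text' name='default_setting_category' maxlength='255' value=\"".escape($default_setting_category)."\">\n";
 	echo "<br />\n";
 	echo $text['description-category']."\n";
 	echo "</td>\n";
@@ -287,7 +287,7 @@
 	echo "	".$text['label-subcategory']."\n";
 	echo "</td>\n";
 	echo "<td class='vtable' align='left'>\n";
-	echo "	<input class='formfld lowercase' type='text' name='default_setting_subcategory' id='default_setting_subcategory' maxlength='255' value=\"$default_setting_subcategory\">\n";
+	echo "	<input class='formfld lowercase' type='text' name='default_setting_subcategory' id='default_setting_subcategory' maxlength='255' value=\"".escape($default_setting_subcategory)."\">\n";
 	echo "<br />\n";
 	echo $text['description-subcategory']."\n";
 	echo "</td>\n";
@@ -298,7 +298,7 @@
 	echo "	".$text['label-type']."\n";
 	echo "</td>\n";
 	echo "<td class='vtable' align='left'>\n";
-	echo "	<input class='formfld lowercase' type='text' name='default_setting_name' id='default_setting_name' maxlength='255' value=\"$default_setting_name\">\n";
+	echo "	<input class='formfld lowercase' type='text' name='default_setting_name' id='default_setting_name' maxlength='255' value=\"".escape($default_setting_name)."\">\n";
 	echo "<br />\n";
 	echo $text['description-type']."\n";
 	echo "</td>\n";
@@ -369,10 +369,10 @@
 					$dir_label = str_replace('_', ' ', $dir_name);
 					$dir_label = str_replace('-', ' ', $dir_label);
 					if ($dir_name == $default_setting_value) {
-						echo "		<option value='$dir_name' selected='selected'>".ucwords($dir_label)."</option>\n";
+						echo "		<option value='".escape($dir_name)."' selected='selected'>".ucwords(escape($dir_label))."</option>\n";
 					}
 					else {
-						echo "		<option value='$dir_name'>".ucwords($dir_label)."</option>\n";
+						echo "		<option value='".escape($dir_name)."'>".ucwords(escape($dir_label))."</option>\n";
 					}
 				}
 			}
@@ -384,10 +384,10 @@
 		echo "		<select class='formfld' id='default_setting_value' name='default_setting_value' style=''>\n";
 		foreach ($_SESSION['app']['languages'] as $key => $value) {
 			if ($default_setting_value == $value) {
-				echo "		<option value='$value' selected='selected'>$value</option>\n";
+				echo "		<option value='".escape($value)."' selected='selected'>".escape($value)."</option>\n";
 			}
 			else {
-				echo "		<option value='$value'>$value</option>\n";
+				echo "		<option value='".escape($value)."'>".escape($value)."</option>\n";
 			}
 		}
 		echo "		</select>\n";
@@ -461,10 +461,10 @@
 				}
 			}
 			if ($val == $default_setting_value) {
-				echo "			<option value='".$val."' selected='selected'>(UTC ".$time_zone_offset_hours.":".$time_zone_offset_minutes.") ".$val."</option>\n";
+				echo "			<option value='".escape($val)."' selected='selected'>(UTC ".$time_zone_offset_hours.":".$time_zone_offset_minutes.") ".escape($val)."</option>\n";
 			}
 			else {
-				echo "			<option value='".$val."'>(UTC ".$time_zone_offset_hours.":".$time_zone_offset_minutes.") ".$val."</option>\n";
+				echo "			<option value='".escape($val)."'>(UTC ".$time_zone_offset_hours.":".$time_zone_offset_minutes.") ".escape($val)."</option>\n";
 			}
 			$previous_category = $category;
 			$x++;
@@ -478,10 +478,10 @@
 		echo "	</select>\n";
 	}
 	elseif ($subcategory == 'password' || substr_count($subcategory, '_password') > 0 || $category == "login" && $subcategory == "password_reset_key" && $name == "text") {
-		echo "	<input class='formfld' type='password' id='default_setting_value' name='default_setting_value' onmouseover=\"this.type='text';\" onfocus=\"this.type='text';\" onmouseout=\"if (!$(this).is(':focus')) { this.type='password'; }\" onblur=\"this.type='password';\" maxlength='255' value=\"".$default_setting_value."\">\n";
+		echo "	<input class='formfld' type='password' id='default_setting_value' name='default_setting_value' onmouseover=\"this.type='text';\" onfocus=\"this.type='text';\" onmouseout=\"if (!$(this).is(':focus')) { this.type='password'; }\" onblur=\"this.type='password';\" maxlength='255' value=\"".escape($default_setting_value)."\">\n";
 	}
 	elseif ($category == "theme" && substr_count($subcategory, "_color") > 0 && ($name == "text" || $name == 'array')) {
-		echo "	<input type='text' class='formfld colorpicker' id='default_setting_value' name='default_setting_value' value=\"".$default_setting_value."\">\n";
+		echo "	<input type='text' class='formfld colorpicker' id='default_setting_value' name='default_setting_value' value=\"".escape($default_setting_value)."\">\n";
 	}
 	elseif ($category == "theme" && substr_count($subcategory, "_font") > 0 && $name == "text") {
 		$default_setting_value = str_replace('"', "'", $default_setting_value);
@@ -504,7 +504,7 @@
 			echo "		<option value='' disabled='disabled'></option>\n";
 			echo "		<option value='' ".(($default_setting_value != '' && $option_found == false) ? 'selected' : null).">".$text['label-other']."...</option>\n";
 			echo "	</select>";
-			echo "	<input type='text' class='formfld' ".(($default_setting_value == '' || $option_found) ? "style='display: none;'" : null)." id='txt_default_setting_value' name='default_setting_value' value=\"".$default_setting_value."\">\n";
+			echo "	<input type='text' class='formfld' ".(($default_setting_value == '' || $option_found) ? "style='display: none;'" : null)." id='txt_default_setting_value' name='default_setting_value' value=\"".escape($default_setting_value)."\">\n";
 		}
 		else {
 			echo "	<input type='text' class='formfld' id='default_setting_value' name='default_setting_value' value=\"".$default_setting_value."\">\n";
@@ -605,7 +605,7 @@
 		echo "    </select>\n";
 	}
 	elseif ($category == "theme" && $subcategory == "custom_css_code" && $name == "text" ) {
-		echo "	<textarea class='formfld' style='min-width: 100%; height: 300px; font-family: courier, monospace; overflow: auto; resize: vertical' id='default_setting_value' name='default_setting_value' wrap='off'>".$default_setting_value."</textarea>\n";
+		echo "	<textarea class='formfld' style='min-width: 100%; height: 300px; font-family: courier, monospace; overflow: auto; resize: vertical' id='default_setting_value' name='default_setting_value' wrap='off'>".escape($default_setting_value)."</textarea>\n";
 	}
 	elseif ($category == "theme" && $subcategory == "button_icons" && $name == "text" ) {
 		echo "    <select class='formfld' id='default_setting_value' name='default_setting_value'>\n";
@@ -693,10 +693,10 @@
 		echo "	</select>\n";
 	}
 	elseif (is_json($default_setting_value)) {
-		echo "	<textarea class='formfld' style='width: 100%; height: 80px; font-family: courier, monospace; overflow: auto;' id='default_setting_value' name='default_setting_value' wrap='off'>".$default_setting_value."</textarea>\n";
+		echo "	<textarea class='formfld' style='width: 100%; height: 80px; font-family: courier, monospace; overflow: auto;' id='default_setting_value' name='default_setting_value' wrap='off'>".escape($default_setting_value)."</textarea>\n";
 	}
 	else {
-		echo "	<input class='formfld' type='text' id='default_setting_value' name='default_setting_value' value=\"".htmlspecialchars($default_setting_value)."\">\n";
+		echo "	<input class='formfld' type='text' id='default_setting_value' name='default_setting_value' value=\"".escape($default_setting_value)."\">\n";
 	}
 	echo "<br />\n";
 	echo $text['description-value']."\n";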
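Review bot: The else branch at the end of the @@ -504 hunk still writes `$default_setting_value` into the `value="…"` attribute unescaped (`echo "	<input type='text' class='formfld' id='default_setting_value' name='default_setting_value' value=\"".$default_setting_value."\">\n";`), while the sibling branch three lines above now goes through escape(). Change it to `value=\"".escape($default_setting_value)."\">\n"` so both branches of this if/else emit the same escaped form. The if/elseif chain these branches belong to starts and ends outside the hunk, so other branches not shown here may need the same check. In the @@ -461 hunk `$time_zone_offset_hours` and `$time_zone_offset_minutes` are also emitted raw; their derivation is outside the hunk, so that is worth confirming rather than assuming they are numeric.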

+ 18 - 11
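--- a/core/default_settings/default_setting_toggle.php
+++ b/core/default_settings/default_setting_toggle.php
@@ -17,22 +17,26 @@
 
  The Initial Developer of the Original Code is
  Mark J Crane <[email protected]>
- Portions created by the Initial Developer are Copyright (C) 2008-2016
+ Portions created by the Initial Developer are Copyright (C) 2008-2021
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
  Mark J Crane <[email protected]>
 */
-require_once "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('default_setting_edit')) {
-	//access granted
-}
-else {
-	echo "access denied";
-	exit;
-}
+
+//includes
+	require_once "root.php";
+	require_once "resources/require.php";
+	require_once "resources/check_auth.php";
+
+//check permissions
+	if (permission_exists('default_setting_edit')) {
+		//access granted
+	}
+	else {
+		echo "access denied";
+		exit;
+	}
 
 //add multi-lingual support
 	$language = new text;
@@ -54,6 +58,7 @@ else {
 					$default_setting_enabled = $database->select($sql, $parameters, 'column');
 					$new_status = ($default_setting_enabled == 'true') ? 'false' : 'true';
 					unset($sql, $parameters);
+
 				//set new status
 					$array['default_settings'][0]['default_setting_uuid'] = $default_setting_uuid;
 					$array['default_settings'][0]['default_setting_enabled'] = $new_status;
@@ -63,6 +68,7 @@ else {
 					$database->save($array);
 					$message = $database->message;
 					unset($array);
+
 				//increment toggle total
 					$toggled++;
 			}
@@ -73,6 +79,7 @@ else {
 	}
 
 //redirect the user
+	$search = preg_replace('#[^a-zA-Z0-9_\-\.]# ', '', $search);
 	header("Location: default_settings.php".($search != '' ? '?search='.$search : null));
 
 ?>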
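Review bot: In the @@ -73 hunk the search whitelist is written as `'#[^a-zA-Z0-9_\-\.]# '`, with the space after the closing delimiter instead of inside the character class; PHP's PCRE wrapper skips whitespace in the modifier list, so the pattern still compiles, but every space is now stripped from the search term before the redirect, whereas default_settings.php in this same commit keeps spaces with `[^a-zA-Z0-9_\-\. ]`. If spaces are meant to survive, the line should read `$search = preg_replace('#[^a-zA-Z0-9_\-\. ]#', '', $search);`. The same misplaced space appears in the redirect branch of default_settings_reload.php in this commit. Because the value is concatenated straight into the Location header, this whitelist is what keeps CR/LF out of the header, so whichever form is chosen should be identical across the three files.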

+ 11 - 3
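--- a/core/default_settings/default_settings.php
+++ b/core/default_settings/default_settings.php
@@ -17,7 +17,7 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008 - 2020
+	Portions created by the Initial Developer are Copyright (C) 2008 - 2021
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
@@ -51,6 +51,11 @@
 		$default_settings = $_POST['default_settings'];
 	}
 
+//sanitize the variables
+	$action = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $action);
+	$search = preg_replace('#[^a-zA-Z0-9_\-\. ]#', '', $search);
+	$default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $default_setting_category);
+
 //process the http post data by action
 	if ($action != '' && is_array($default_settings) && @sizeof($default_settings) != 0) {
 		switch ($action) {
@@ -279,8 +284,11 @@
 		$x = 0;
 		foreach ($default_settings as $row) {
 			$default_setting_category = strtolower($row['default_setting_category']);
-
+			$default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\.]#', '', $default_setting_category);
+	
 			$label_default_setting_category = $row['default_setting_category'];
+			$label_default_setting_category = preg_replace('#[^a-zA-Z0-9_\-\. ]#', '', $label_default_setting_category);
+
 			switch (strtolower($label_default_setting_category)) {
 				case "api" : $label_default_setting_category = "API"; break;
 				case "cdr" : $label_default_setting_category = "CDR"; break;
@@ -451,4 +459,4 @@
 //include the footer
 	require_once "resources/footer.php";
 
-?>
+?>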
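Review bot: The whitelist pattern is written out five times in this file (three in the sanitize block of the @@ -51 hunk, two more in the @@ -279 hunk) in two variants, with and without a space, and the sibling files in this commit have already drifted from it; a single shared pattern, such as a constant or a small helper defined next to the sanitize block, would keep the allowed character set in one place. Note also that preg_replace strips rather than rejects, so for `$action` a value containing a disallowed character is not refused but reaches the `switch ($action)` in altered form; a comment like `//strip disallowed characters; the resulting value is compared against the switch cases below` would record that this is intended. The line added directly after the strtolower() call in the @@ -279 hunk contains only a tab; drop the trailing whitespace.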

+ 14 - 4
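--- a/core/default_settings/default_settings_reload.php
+++ b/core/default_settings/default_settings_reload.php
@@ -17,15 +17,19 @@
 
  The Initial Developer of the Original Code is
  Mark J Crane <[email protected]>
- Portions created by the Initial Developer are Copyright (C) 2008-2014
+ Portions created by the Initial Developer are Copyright (C) 2008-2021
  the Initial Developer. All Rights Reserved.
 
  Contributor(s):
  Mark J Crane <[email protected]>
 */
+
+//includes
 require_once "root.php";
 require_once "resources/require.php";
 require_once "resources/check_auth.php";
+
+//check permissions
 if (permission_exists('default_setting_view')) {
 	//access granted
 }
@@ -35,24 +39,30 @@ else {
 }
 
 //add multi-lingual support
-	$language = new text;
-	$text = $language->get();
+$language = new text;
+$text = $language->get();
 
+//set the variables
 $search = $_REQUEST['search'];
 $domain_uuid = $_GET['id'];
 
+//reload default settings
 require "resources/classes/domains.php";
 $domain = new domains();
 $domain->db = $db;
 $domain->set();
 
+//add a message
 message::add($text['message-settings_reloaded']);
+
+//redirect the browser
 if (is_uuid($domain_uuid)) {
 	$location = PROJECT_PATH.'/core/domains/domain_edit.php?id='.$domain_uuid;
 }
 else {
+	$search = preg_replace('#[^a-zA-Z0-9_\-\.]# ', '', $search);
 	$location = 'default_settings.php'.($search != '' ? "?search=".$search : null);
 }
 header("Location: ".$location);
 
-?>
+?>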
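Review bot: The search whitelist in the @@ -35 hunk is applied only inside the else branch immediately before the redirect, while `$search = $_REQUEST['search'];` under `//set the variables` keeps the raw request value; moving the preg_replace up to that block sanitises at the input boundary and leaves one consistently cleaned variable for anything that reads it later. Within this hunk `$search` is used only in the redirect, so this is a structural point rather than a functional one. The `$domain_uuid` branch is already guarded by is_uuid() before it is placed in the Location header, which is the right shape for that value.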