- Dropped check_input(); use check_query() instead. - Made the statistics module use referer_uri() for security's sake.

aa38097c · Dries · 47ba929c · aa38097c · aa38097c · aa38097c
Commit aa38097c authored Jun 06, 2003 by Dries
8 changed files
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -496,10 +496,6 @@ function check_query($text) {
  return addslashes($text);
 }

-function check_input($text) {
-  return addslashes($text);
-}
-
 function filter($text) {

  $modules = module_list();

--- a/modules/statistics.module
+++ b/modules/statistics.module
@@ -53,7 +53,7 @@ function statistics_exit() {

  if ((variable_get("statistics_enable_access_log", 0)) && (throttle_status() < 5)) {
    // statistical logs are enabled
-    $referrer = getenv("HTTP_REFERER");
+    $referrer = referer_uri();
    $hostname = getenv("REMOTE_ADDR");
    // log this page access
    if ((arg(0) == "node") && (arg(1) == "view") && arg(2)) {
@@ -333,11 +333,11 @@ function statistics_recent_refer() {
    $query = "SELECT url,timestamp FROM accesslog WHERE url <> '' ORDER BY timestamp DESC";
  }
  elseif ($view == "internal") {
-    $query = "SELECT url,timestamp FROM accesslog WHERE url LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' ORDER BY timestamp DESC";
+    $query = "SELECT url,timestamp FROM accesslog WHERE url LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' ORDER BY timestamp DESC";
    $describe = "internal ";
  }
  else {
-    $query = "SELECT url,timestamp FROM accesslog WHERE url NOT LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' AND url <> '' ORDER BY timestamp DESC";
+    $query = "SELECT url,timestamp FROM accesslog WHERE url NOT LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' AND url <> '' ORDER BY timestamp DESC";
    $describe = "external ";
  }

@@ -363,12 +363,12 @@ function statistics_top_refer() {
    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url <> '' GROUP BY url ORDER BY count DESC";
  }
  elseif ($view == "internal") {
-    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' GROUP BY url ORDER BY count DESC";
+    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' GROUP BY url ORDER BY count DESC";
    $describe = "internal ";
  }
  else {
    /* default to external */
-    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url NOT LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' AND url <> '' GROUP BY url ORDER BY count DESC";
+    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url NOT LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' AND url <> '' GROUP BY url ORDER BY count DESC";
    $describe = "external ";
  }


--- a/modules/statistics/statistics.module
+++ b/modules/statistics/statistics.module
@@ -53,7 +53,7 @@ function statistics_exit() {

  if ((variable_get("statistics_enable_access_log", 0)) && (throttle_status() < 5)) {
    // statistical logs are enabled
-    $referrer = getenv("HTTP_REFERER");
+    $referrer = referer_uri();
    $hostname = getenv("REMOTE_ADDR");
    // log this page access
    if ((arg(0) == "node") && (arg(1) == "view") && arg(2)) {
@@ -333,11 +333,11 @@ function statistics_recent_refer() {
    $query = "SELECT url,timestamp FROM accesslog WHERE url <> '' ORDER BY timestamp DESC";
  }
  elseif ($view == "internal") {
-    $query = "SELECT url,timestamp FROM accesslog WHERE url LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' ORDER BY timestamp DESC";
+    $query = "SELECT url,timestamp FROM accesslog WHERE url LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' ORDER BY timestamp DESC";
    $describe = "internal ";
  }
  else {
-    $query = "SELECT url,timestamp FROM accesslog WHERE url NOT LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' AND url <> '' ORDER BY timestamp DESC";
+    $query = "SELECT url,timestamp FROM accesslog WHERE url NOT LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' AND url <> '' ORDER BY timestamp DESC";
    $describe = "external ";
  }

@@ -363,12 +363,12 @@ function statistics_top_refer() {
    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url <> '' GROUP BY url ORDER BY count DESC";
  }
  elseif ($view == "internal") {
-    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' GROUP BY url ORDER BY count DESC";
+    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' GROUP BY url ORDER BY count DESC";
    $describe = "internal ";
  }
  else {
    /* default to external */
-    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url NOT LIKE '%". check_input($_SERVER["HTTP_HOST"]) ."%' AND url <> '' GROUP BY url ORDER BY count DESC";
+    $query = "SELECT url, COUNT(url) AS count FROM accesslog WHERE url NOT LIKE '%". check_query($_SERVER["HTTP_HOST"]) ."%' AND url <> '' GROUP BY url ORDER BY count DESC";
    $describe = "external ";
  }


--- a/modules/user.module
+++ b/modules/user.module
@@ -547,7 +547,7 @@ function user_login($edit = array(), $msg = "") {
      $server = substr($server, 1);
      $pass = $edit["pass"];
    }
-    
+
    /*
    ** When possible, determine corrosponding external auth source. Invoke source, and login user if successful:
    */

--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -547,7 +547,7 @@ function user_login($edit = array(), $msg = "") {
      $server = substr($server, 1);
      $pass = $edit["pass"];
    }
-    
+
    /*
    ** When possible, determine corrosponding external auth source. Invoke source, and login user if successful:
    */

--- a/modules/watchdog.module
+++ b/modules/watchdog.module
@@ -96,7 +96,7 @@ function watchdog_admin() {
        watchdog_help();
        break;
      case "view":
-        print watchdog_view(check_input(arg(3)));
+        print watchdog_view(arg(3));
        break;
      default:
        print watchdog_overview(arg(2));

--- a/modules/watchdog/watchdog.module
+++ b/modules/watchdog/watchdog.module
@@ -96,7 +96,7 @@ function watchdog_admin() {
        watchdog_help();
        break;
      case "view":
-        print watchdog_view(check_input(arg(3)));
+        print watchdog_view(arg(3));
        break;
      default:
        print watchdog_overview(arg(2));

--- a/scripts/code-style.pl
+++ b/scripts/code-style.pl
@@ -69,6 +69,16 @@ while (<>) {
  elsif (/<br>/i) {
    $msg = "'<br>' -> '<br />'";
  }
+  elsif (/HTTP_REFERER/i) {
+    $msg = "the use of HTTP_REFERER is prone to XSS exploits; use referer_uri() instead";
+  }
+  elsif (/QUERY_STRING/i) {
+    $msg = "the use of HTTP_REFERER is prone to XSS exploits; use referer_uri() instead";
+  }
+  elsif (/REQUEST_URI/i) {
+    $msg = "the use of HTTP_REFERER is prone to XSS exploits and does not work on IIS; use request_uri() instead";
+  }
+
  # XHTML compatibility mode suggests a blank before /
  # i.e. <br />
  elsif (/<[a-z][^>]*[^ >]\/>/i) {