From 3b0d1d881162c5bcc1a18e8a43c807cc1fe52bc3 Mon Sep 17 00:00:00 2001
From: Michael Andreen
Date: Mon, 29 Jun 2020 21:17:07 +0200
Subject: [PATCH] Be more paranoid with param in list context
---
 lib/NDWeb/Controller/Calls.pm | 9 ++++++---
 lib/NDWeb/Controller/Forum.pm | 14 +++++++++-----
 lib/NDWeb/Controller/Members.pm | 25 ++++++++++++++++---------
 lib/NDWeb/Controller/Raids.pm | 22 ++++++++++++++--------
 lib/NDWeb/Controller/Root.pm | 12 ++++++++----
 lib/NDWeb/Controller/Settings.pm | 14 +++++++++-----
 lib/NDWeb/Controller/Users.pm | 16 ++++++++++------
 lib/NDWeb/Controller/Wiki.pm | 22 ++++++++++++++--------
 8 files changed, 86 insertions(+), 48 deletions(-)
diff --git a/lib/NDWeb/Controller/Calls.pm b/lib/NDWeb/Controller/Calls.pm
index dac7f32..48eac7e 100644
--- a/lib/NDWeb/Controller/Calls.pm
+++ b/lib/NDWeb/Controller/Calls.pm
@@ -268,13 +268,15 @@ sub postcallupdate : Local {
 if ($c->req->param('cmd') eq 'Submit'){
 my $logmess = '';
 if ($c->req->param('ctick')){
+ my $tick = $c->req->param('tick');
 $dbh->do(q{UPDATE calls SET landing_tick = ? WHERE call = ?}
- ,undef,$c->req->param('tick'),$call->{call});
+ ,undef,$tick,$call->{call});
 $logmess .= "Updated landing tick from [B] $call->{landing_tick} [/B]\n";
 }
 if ($c->req->param('cinfo')){
+ my $info = $c->req->param('info');
 $dbh->do(q{UPDATE calls SET info = ? WHERE call = ?}
- ,undef,$c->req->param('info'),$call->{call});
+ ,undef,$info,$call->{call});
 $logmess .= "Updated info\n";
 }
 if ($c->req->param('ccalc')){
@@ -284,8 +286,9 @@ sub postcallupdate : Local {
 $logmess .= html_escape('Updated calc to: [URL]'.$calc."[/URL]\n");
 }
 if ($c->req->param('cstatus')){
+ my $status = $c->req->param('status');
 $dbh->do(q{UPDATE calls SET status = $1, dc = $2 WHERE call = $3}
- ,undef,$c->req->param('status'),$c->user->id,$call->{call});
+ ,undef,$status,$c->user->id,$call->{call});
 $logmess .= "Changed status to: ".$c->req->param('status')."\n";
 }
 $log->execute($c->user->id,$call->{ftid},$logmess) if $log;
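Review bot: In the `cstatus` branch the log line still reads the parameter a second time, `$logmess .= "Changed status to: ".$c->req->param('status')."\n";`, while the UPDATE two lines above now binds `$status`; reading the same request value twice is exactly what the rest of this commit removes, so it should be `$logmess .= "Changed status to: $status\n";`. The concatenation is scalar context, so it is not the list-context hazard the commit targets, but it leaves the two statements free to disagree if the value is ever normalised before the UPDATE. The same leftover is in Raids.pm postcreateretal, where the log forward still uses `$c->req->param('tick')` although `$tick` is now in scope. postcallupdate starts before this hunk and continues after it.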
diff --git a/lib/NDWeb/Controller/Forum.pm b/lib/NDWeb/Controller/Forum.pm
index f06848d..a0cb01a 100644
--- a/lib/NDWeb/Controller/Forum.pm
+++ b/lib/NDWeb/Controller/Forum.pm
@@ -329,7 +329,8 @@ sub moveThreads : Local {
 my ( $self, $c, $board ) = @_; my $dbh = $c->model;
- $c->forward('findBoard',[$c->req->param('board')]);
+ my $b = $c->req->param('board');
+ $c->forward('findBoard',[$b]);
 my $toboard = $c->stash->{board}; unless ($toboard->{moderate}){ $c->acl_access_denied('test',$c->action,'No moderator access for target board.')
@@ -381,10 +382,11 @@ sub insertThread : Private {
 my ( $self, $c, $board ) = @_; my $dbh = $c->model;
+ my $subject = html_escape($c->req->param('subject'));
 my $insert = $dbh->prepare(q{INSERT INTO forum_threads (ftid,fbid,subject,uid) VALUES(DEFAULT,$1,$2,$3) RETURNING (ftid); });
- $insert->execute($board,html_escape($c->req->param('subject')),$c->stash->{UID});
+ $insert->execute($board,$subject,$c->stash->{UID});
 $c->stash(thread => $insert->fetchrow); $insert->finish; }
@@ -549,21 +551,23 @@ sub findBoard : Private {
 sub previewPost : Private { my ( $self, $c) = @_;
+ my $message = html_escape $c->req->param('message');
 push @{$c->stash->{posts}}, { unread => 1, username => 'PREVIEW',
- message => parseMarkup(html_escape $c->req->param('message')),
+ message => parseMarkup($message),
 };
- $c->stash(previewMessage => html_escape $c->req->param('message'));
+ $c->stash(previewMessage => $message);
 } sub insertPost : Private { my ( $self, $c, $thread ) = @_; my $dbh = $c->model;
+ my $message = html_escape($c->req->param('message'));
 my $insert = $dbh->prepare(q{INSERT INTO forum_posts (ftid,message,uid) VALUES($1,$2,$3)});
- $insert->execute($thread,html_escape($c->req->param('message')),$c->stash->{UID});
+ $insert->execute($thread,$message,$c->stash->{UID});
 } sub listModeratorBoards : Private {
diff --git a/lib/NDWeb/Controller/Members.pm b/lib/NDWeb/Controller/Members.pm
index 33fdc5c..6afbb65 100644
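Review bot: `my $b = $c->req->param('board');` in moveThreads declares a lexical named after `$b`, one of the two package globals `sort` hands to its comparison block; any `sort { $a <=> $b }` later in this scope would compare against the lexical instead, and Perl warns about exactly that case. A descriptive name avoids the trap, e.g. `my $to_board = $c->req->param('board');` and `$c->forward('findBoard',[$to_board]);`. moveThreads continues past the end of the hunk.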
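Review bot: `my $subject = html_escape($c->req->param('subject'));` still evaluates `param` in list context — a sub's argument list is a list whether or not the parentheses are there — so unless html_escape carries a `($)` prototype (not visible here), a repeated `subject` parameter hands it several values and a missing one hands it none, which is the situation the commit title is guarding against. The form the rest of the patch uses is the safe one: `my $raw = $c->req->param('subject'); my $subject = html_escape($raw);` (or `html_escape(scalar $c->req->param('subject'))`). The same pattern survives in previewPost and insertPost below, in Members.pm posthostupdate and postsmsupdate, in Raids.pm postraidupdate (still inline in the `do` argument list), postcreate and postcreateretal, and in Settings.pm changeStylesheet and changeBirthday. insertThread's `sub` line precedes the hunk; its body is inside it.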
--- a/lib/NDWeb/Controller/Members.pm
+++ b/lib/NDWeb/Controller/Members.pm
@@ -95,8 +95,9 @@ sub posthostupdate : Local {
 my ( $self, $c ) = @_; my $dbh = $c->model;
+ my $hostname = html_escape $c->req->param('hostname');
 $dbh->do(q{UPDATE users SET hostmask = ? WHERE uid = ?
- },undef, html_escape $c->req->param('hostname'), $c->user->id);
+ },undef, $hostname, $c->user->id);
 $c->res->redirect($c->uri_for('')); }
@@ -123,10 +124,11 @@ sub postsmsupdate : Local {
 my $dbh = $c->model; my $callme = $c->req->param('callme') || 0;
+ my $sms = html_escape $c->req->param('sms');
+ my $smsnote = $c->req->param('smsnote');
 $dbh->do(q{ UPDATE users SET sms = $1, call_if_needed = $2, sms_note = $3 WHERE uid = $4
- },undef, html_escape $c->req->param('sms'),$callme
- ,$c->req->param('smsnote'), $c->user->id);
+ },undef, $sms, $callme, $smsnote, $c->user->id);
 $c->res->redirect($c->uri_for('')); }
@@ -160,7 +162,8 @@ sub postowncoords : Local {
 $c->flash(error => "No planet at coords: $x:$y:$z"); } }else{
- $c->flash(error => $c->req->param('planet') . " are not valid coords.");
+ my $error = $c->req->param('planet') . " are not valid coords.";
+ $c->flash(error => $error);
 } $c->res->redirect($c->uri_for('/'.$c->session->{referrer}));
@@ -215,17 +218,19 @@ sub postircrequest : Local {
 my ( $self, $c ) = @_; my $dbh = $c->model;
+ my $message = $c->req->param('message');
 if ($c->req->param('channel')){ my $query = $dbh->prepare(q{ INSERT INTO irc_requests (uid,channel,message) VALUES($1,$2,$3) });
- $query->execute($c->user->id,$c->req->param('channel'),$c->req->param('message'));
+ my $channel = $c->user->id,$c->req->param('channel');
+ $query->execute($channel, $message);
 $c->signal_bots;
- $c->flash(reply => "Msg sent to: ".$c->req->param('channel'));
+ $c->flash(reply => "Msg sent to: ".$channel);
 $c->res->redirect($c->uri_for('ircrequest')); }else{
- $c->stash(ircmessage => $c->req->param('message'));
+ $c->stash(ircmessage => $message);
 $c->go('ircrequest'); } }
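Review bot: `my $channel = $c->user->id,$c->req->param('channel');` in postircrequest is a comma-operator assignment, not a two-value one: `$channel` receives the user id, the `param('channel')` call is evaluated in void context and discarded, and the following `$query->execute($channel, $message);` binds two values to a three-placeholder INSERT, so DBI should reject the statement and the flash text would name the user id instead of the channel. The intended lines are `my $channel = $c->req->param('channel');` followed by `$query->execute($c->user->id, $channel, $message);`. The `sub` line precedes the hunk; the closing brace of postircrequest is its last line.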
@@ -327,7 +332,8 @@ sub postintelmessage : Local {
 SELECT coords(x,y,z), tick() FROM current_planet_stats WHERE pid = $1 }, undef, $c->user->planet);
- $c->req->param(message => "[i]Posted by $coords at tick $tick [/i]\n\n" . $c->req->param('message'));
+ my $message = "[i]Posted by $coords at tick $tick [/i]\n\n" . $c->req->param('message');
+ $c->req->param(message => $message);
 $c->forward('/forum/insertThread',[12]); $c->forward('/forum/insertPost',[$c->stash->{thread}]); $c->flash(intelmessage => 1);
@@ -507,7 +513,8 @@ WHERE uid = $1 AND num = $2 AND back > tick()
 my $fullfleet = $dbh->prepare(q{INSERT INTO full_fleets (fid,uid) VALUES (?,?)}); $dbh->begin_work;
- my @missions = parseconfirmations($c->req->param('mission'), $c->stash->{TICK});
+ my $mission = $c->req->param('mission');
+ my @missions = parseconfirmations($mission, $c->stash->{TICK});
 for my $m (@missions){ if ($m->{mission} eq 'Return'){ $c->forward("addReturnFleet", [$m]);
diff --git a/lib/NDWeb/Controller/Raids.pm b/lib/NDWeb/Controller/Raids.pm
index 1b13352..61956b2 100644
--- a/lib/NDWeb/Controller/Raids.pm
+++ b/lib/NDWeb/Controller/Raids.pm
@@ -311,10 +311,11 @@ sub postraidupdate : Local {
 my $dbh = $c->model; $dbh->begin_work;
+ my $tick = $c->req->param('tick');
+ my $waves = $c->req->param('waves');
 $dbh->do(q{UPDATE raids SET message = ?, tick = ?, waves = ? WHERE id = ?} ,undef,html_escape $c->req->param('message')
- ,$c->req->param('tick'),$c->req->param('waves')
- ,$raid);
+ ,$tick,$waves,$raid);
 $c->forward('log',[$raid, 'BC updated raid']);
@@ -516,10 +517,12 @@ sub postcreate : Local {
 $dbh->begin_work; my $query = $dbh->prepare(q{INSERT INTO raids (tick,waves,message) VALUES(?,?,?) RETURNING (id)});
- $query->execute($c->req->param('tick'),$c->req->param('waves')
- ,html_escape $c->req->param('message'));
+ my $tick = $c->req->param('tick');
+ my $waves = $c->req->param('waves');
+ my $message = html_escape $c->req->param('message');
+ $query->execute($tick,$waves,$message);
 my $raid = $query->fetchrow_array;
- $c->forward('log',[$raid,"Created raid landing at tick: ".$c->req->param('tick')]);
+ $c->forward('log',[$raid,"Created raid landing at tick: ".$tick]);
 if ($c->req->param('gal') || $c->req->param('target')) { my @gals = $c->req->param('gal');
@@ -533,7 +536,8 @@ sub postcreate : Local {
 ) ) });
- $addtarget->execute($raid,\@targets,\@gals,$c->req->param('sizelimit'));
+ my $sizelimit = $c->req->param('sizelimit');
+ $addtarget->execute($raid,\@targets,\@gals,$sizelimit);
 $c->forward('log',[$raid,"BC added planets (@targets) and the gals for (@gals)"]); } $dbh->do(q{INSERT INTO raid_access (raid,gid) VALUES(?,'M')}
@@ -722,9 +726,11 @@ sub postcreateretal : Local {
 my $dbh = $c->model; $dbh->begin_work;
+ my $tick = $c->req->param('tick');
+ my $waves = $c->req->param('waves');
+ my $message = html_escape $c->req->param('message');
 my $query = $dbh->prepare(q{INSERT INTO raids (tick,waves,message) VALUES(?,?,?) RETURNING (id)});
- $query->execute($c->req->param('tick'),$c->req->param('waves')
- ,html_escape $c->req->param('message'));
+ $query->execute($tick, $waves, $message);
 my $raid = $query->fetchrow_array; $c->forward('log',[$raid,"Created retal raid landing at tick: ".$c->req->param('tick')]);
diff --git a/lib/NDWeb/Controller/Root.pm b/lib/NDWeb/Controller/Root.pm
index 7878500..f1b020a 100644
--- a/lib/NDWeb/Controller/Root.pm
+++ b/lib/NDWeb/Controller/Root.pm
@@ -105,10 +105,14 @@ UPDATE sms SET status = $2, cost = $3 WHERE msgid = $1
 });
- $sms->execute($c->req->param('apiMsgId')
- ,$clickatellstatus{$c->req->param('status')}
- ,$c->req->param('charge')
- ,$c->req->param('timestamp'));
+ my $apiMsgId = $c->req->param('apiMsgId');
+ my $status = $c->req->param('status');
+ my $charge = $c->req->param('charge');
+ my $timestamp = $c->req->param('timestamp');
+ $sms->execute($apiMsgId ,$clickatellstatus{$status} ,$charge ,$timestamp);
 }
diff --git a/lib/NDWeb/Controller/Settings.pm b/lib/NDWeb/Controller/Settings.pm
index 1635844..03dc782 100644
--- a/lib/NDWeb/Controller/Settings.pm
+++ b/lib/NDWeb/Controller/Settings.pm
@@ -68,7 +68,8 @@ sub changeStylesheet : Local {
 my $query = $dbh->prepare(q{UPDATE users SET css = NULLIF($2,'Default') WHERE uid = $1 });
- $query->execute($c->user->id,html_escape $c->req->param('stylesheet'));
+ my $css = html_escape $c->req->param('stylesheet');
+ $query->execute($c->user->id,$css);
 $c->res->redirect($c->uri_for('')); }
@@ -81,7 +82,8 @@ sub changeBirthday : Local {
 WHERE uid = $1 }); eval{
- $query->execute($c->user->id,html_escape $c->req->param('birthday'));
+ my $birthday = html_escape $c->req->param('birthday');
+ $query->execute($c->user->id,$birthday);
 }; if ($@){ if ($@ =~ /invalid input syntax for type date/){
@@ -113,13 +115,15 @@ sub changePassword : Local {
 my ( $self, $c ) = @_; my $dbh = $c->model;
- if (length $c->req->param('pass') < 4) {
+ my $pass = $c->req->param('pass');
+ if (length $pass < 4) {
 $c->flash(error => "Your password need to be at least 4 characters"); } else { my $query = $dbh->prepare(q{UPDATE users SET password = $1 WHERE password = crypt($2,password) AND uid = $3 });
- $query->execute($c->req->param('pass'),$c->req->param('oldpass'),$c->user->id);
+ my $oldpass = $c->req->param('oldpass');
+ $query->execute($pass,$oldpass,$c->user->id);
 $c->flash(error => "Old password was invalid") unless $query->rows; }
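Review bot: `$clickatellstatus{$status}` is looked up with a value taken straight from the provider callback; a status code that is absent from the map, or a missing parameter, yields undef, so the row's status is silently set to NULL with no trace of what was received. Since this is the externally reachable endpoint, a guard that defaults an undefined `$status`, checks `exists $clickatellstatus{$status}`, and logs the raw value and returns before the UPDATE when it is unknown would keep unexpected codes from clobbering stored state. The bind count is also worth confirming against the statement: the header line shows only `$1`..`$3`, and if the prepared text really ends there the fourth `$timestamp` value will be rejected by DBI — the start of the statement lies before the hunk, so it may already be accounted for. The enclosing sub starts before the hunk.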
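Review bot: `my $pass = $c->req->param('pass'); if (length $pass < 4) {` in changePassword treats a missing parameter as a too-short password only by accident: `length undef` is undef, so the numeric compare emits an uninitialized-value warning and happens to come out true. Defaulting the value makes the check deliberate, `my $pass = $c->req->param('pass') // '';`, and the same applies to `$oldpass` a few lines down, which otherwise reaches `crypt($2,password)` as NULL. A minimum of 4 characters is also very weak for a login password; raising the floor (and bounding the length) is a cheap change here. changePassword continues past the end of the hunk.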
@@ -133,7 +137,7 @@ sub changeEmail : Local {
 my $email = $c->req->param('email');
- if ($email =~ /^s?$/) {
+ if ($email =~ /^\s*$/) {
 my $update = $dbh->prepare(q{ UPDATE users SET email = NULL WHERE uid = $1; });
diff --git a/lib/NDWeb/Controller/Users.pm b/lib/NDWeb/Controller/Users.pm
index 117f1bd..13b79c7 100644
--- a/lib/NDWeb/Controller/Users.pm
+++ b/lib/NDWeb/Controller/Users.pm
@@ -159,30 +159,33 @@ sub postmail : Local {
 my ( $self, $c ) = @_; my $dbh = $c->model;
+ my $group = $c->req->param('group');
 my $emails = $dbh->prepare(q{SELECT email FROM users WHERE uid IN (SELECT uid FROM groupmembers WHERE gid = $1) AND email is not null});
- $emails->execute($c->req->param('group'));
+ $emails->execute($group);
 my @emails; while (my $email = $emails->fetchrow_hashref){ push @emails,$email->{email}; }
+ my $subject = $c->req->param('subject');
+ my $message = $c->req->param('message');
 my %mail = ( smtp => 'localhost', BCC => (join ',',@emails), From => 'NewDawn Command ', 'Content-type' => 'text/plain; charset="UTF-8"',
- Subject => $c->req->param('subject'),
- Message => $c->req->param('message'),
+ Subject => $subject,
+ Message => $message,
 ); if (sendmail %mail) { $c->flash(ok => \@emails); }else { $c->flash(error => $Mail::Sendmail::error);
- $c->flash(subject => $c->req->param('subject'));
- $c->flash(message => $c->req->param('message'));
+ $c->flash(subject => $subject);
+ $c->flash(message => $message);
 } $c->res->redirect($c->uri_for('mail'));
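Review bot: `Subject => $subject,` in postmail places a request-supplied value directly into a mail header; unless Mail::Sendmail strips line breaks from header values (not visible here), a subject containing CR/LF would let extra headers ride along on every message sent to the group. Normalising it right after it is read, `$subject //= ''; $subject =~ s/[\r\n]+/ /g;`, closes that off regardless of the library's behaviour. `$group` is now bound as a query parameter, which is the right shape for the membership lookup. postmail continues past the end of the hunk.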
@@ -226,11 +229,12 @@ sub postsms : Local {
 $c->req->parameters->{uid} = [$c->req->parameters->{uid}] unless ref $c->req->parameters->{uid} eq 'ARRAY';
+ my $message = $c->req->param('message');
 my $query = $dbh->prepare(q{INSERT INTO sms (uid,message,number) (SELECT $1,$2, trim(leading '+' FROM sms) FROM users u WHERE uid = ANY ($3) AND sms SIMILAR TO '\+\d+' )});
- $query->execute($c->user->id,$c->req->param('message'),$c->req->parameters->{uid});
+ $query->execute($c->user->id,$message,$c->req->parameters->{uid});
 $c->res->redirect($c->uri_for('sms')); }
diff --git a/lib/NDWeb/Controller/Wiki.pm b/lib/NDWeb/Controller/Wiki.pm
index 2e54d48..60f210d 100644
--- a/lib/NDWeb/Controller/Wiki.pm
+++ b/lib/NDWeb/Controller/Wiki.pm
@@ -103,6 +103,9 @@ sub postedit : Local {
 my ( $self, $c, $p ) = @_; my $dbh = $c->model;
+ my $ns = $c->req->param('namespace');
+ my $name = $c->req->param('name');
+ my $text = $c->req->param('text');
 eval { $dbh->begin_work;
@@ -114,10 +117,10 @@ sub postedit : Local {
 my $namespace = $dbh->selectrow_array(q{SELECT namespace FROM wiki_namespace_access WHERE namespace = $1 AND post AND gid IN (SELECT groups($2))
- },undef,$c->req->param('namespace'), $c->stash->{UID});
+ },undef,$ns, $c->stash->{UID});
 my $query = $dbh->prepare(q{INSERT INTO wiki_pages (namespace,name) VALUES($1,$2) RETURNING wpid});
- $query->execute($namespace,$c->req->param('name'));
+ $query->execute($namespace,$name);
 $wpid = $query->fetchrow; } $c->forward('findPage',[$wpid]);
@@ -129,8 +132,10 @@ sub postedit : Local {
 RETURNING wprev }); $c->req->params->{parent}||= undef;
- $query->execute($wpid,$c->req->param('parent'),$c->req->param('text')
- ,$c->req->param('comment'),$c->stash->{UID});
+ my $parent = $c->req->param('parent');
+ my $comment = $c->req->param('comment');
+ $query->execute($wpid,$parent,$text
+ ,$comment,$c->stash->{UID});
 my $rev = $query->fetchrow; $dbh->do(q{UPDATE wiki_pages SET wprev = $1 WHERE wpid = $2} ,undef,$rev,$wpid);
@@ -154,10 +159,10 @@ sub postedit : Local {
 $c->forward('findPage') if $p; $c->forward('findNamespaces');
- $c->stash->{page}->{namespace} = $c->req->param('namespace');
- $c->stash->{page}->{name} = $c->req->param('name');
+ $c->stash->{page}->{namespace} = $ns;
+ $c->stash->{page}->{name} = $name;
- $c->stash(text => $c->req->param('text'));
+ $c->stash(text => $text);
 $c->stash(template => 'wiki/edit.tt2'); }
@@ -181,7 +186,8 @@ sub search : Local {
 ORDER BY rank DESC }); eval {
- $posts->execute($c->stash->{UID},$c->req->param('search'));
+ my $search = $c->req->param('search');
+ $posts->execute($c->stash->{UID},$search);
 my @posts; while (my $post = $posts->fetchrow_hashref){ push @posts,$post;
--
2.39.2