[Mapbender-commits] r8928 - trunk/mapbender/http/geoportal

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Wed Jun 25 00:31:49 PDT 2014


Author: armin11
Date: 2014-06-25 00:31:49 -0700 (Wed, 25 Jun 2014)
New Revision: 8928

Modified:
   trunk/mapbender/http/geoportal/mod_readCSWResultsDetail.php
Log:
Fix XSS vulnerability by using whitelists for request params

Modified: trunk/mapbender/http/geoportal/mod_readCSWResultsDetail.php
===================================================================
--- trunk/mapbender/http/geoportal/mod_readCSWResultsDetail.php	2014-06-25 06:58:36 UTC (rev 8927)
+++ trunk/mapbender/http/geoportal/mod_readCSWResultsDetail.php	2014-06-25 07:31:49 UTC (rev 8928)
@@ -7,6 +7,7 @@
 require_once(dirname(__FILE__)."/../php/mod_validateInspire.php");
 require_once(dirname(__FILE__) . "/../../tools/wms_extent/extent_service.conf");
 require_once(dirname(__FILE__) . "/../classes/class_iso19139.php");
+require_once(dirname(__FILE__) . "/../classes/class_Uuid.php");
 //INSPIRE Mapping
 require_once(dirname(__FILE__)."/../../conf/isoMetadata.conf");
 $languageCode = "de";
@@ -24,12 +25,55 @@
 	//validate to csv integer list
 	$testMatch = $_REQUEST["languageCode"];
 	if (!($testMatch == 'de' or $testMatch == 'fr' or $testMatch == 'en')){ 
-		echo 'languageCode: <b>'.$testMatch.'</b> is not valid.<br/>'; 
+		echo 'languageCode is not valid - it should be de, fr, or en.<br/>'; 
 		die(); 		
  	}
 	$languageCode = $testMatch;
 	$testMatch = NULL;
 }
+//validate following parameter to prohibit xss - see result pentest 03/2014
+//cat_id
+if (isset($_REQUEST["cat_id"]) & $_REQUEST["cat_id"] != "") {
+	//validate to integer
+        $testMatch = $_REQUEST["cat_id"];
+        //give max 99 entries - more will be to slow
+        $pattern = '/^[0-9]*$/';  
+        if (!preg_match($pattern,$testMatch)){
+                echo 'Parameter <b>cat_id</b> is not valid (integer).<br/>';
+                die();
+        }
+        $testMatch = NULL;
+}
+//validate
+if (isset($_REQUEST["validate"]) & $_REQUEST["validate"] != "") {
+	$testMatch = $_REQUEST["validate"];	
+ 	if (!($testMatch == 'true' or $testMatch == 'false')){ 
+		echo 'Parameter <b>validate</b> is not valid (true,false).<br/>'; 
+		die(); 		
+ 	}
+	$testMatch = NULL;
+}
+//uuid
+if (isset($_REQUEST['uuid']) & $_REQUEST['uuid'] != "") {
+	//validate cs list of uuids or other identifiers - which?
+	$testMatch = $_REQUEST["uuid"];
+	$uuid = new Uuid($testMatch);
+	$isUuid = $uuid->isValid();
+	if (!$isUuid) {
+		echo 'Parameter <b>uuid</b> is not a valid uuid (12-4-4-4-8) or a list of uuids!<br/>'; 
+		die(); 		
+	}
+	$testMatch = NULL;
+}
+//mdtype
+if (isset($_REQUEST["mdtype"]) & $_REQUEST["mdtype"] != "") {
+	$testMatch = $_REQUEST["mdtype"];	
+ 	if (!($testMatch == 'html' or $testMatch == 'iso19139' or $testMatch == 'debug' or $testMatch == 'inspire')){ 
+		echo 'Parameter <b>mdtype</b> is not valid (iso19139, html, debug, inspire).<br/>'; 
+		die(); 		
+ 	}
+	$testMatch = NULL;
+}
 
 if(!isset($_REQUEST["cat_id"])) {
 	echo "no opensearch id set";
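Review bot: The four new guards (cat_id, validate, uuid, mdtype) join their conditions with the bitwise `&` instead of `&&`, so the right-hand `$_REQUEST[...] != ""` is evaluated even when the key is absent and emits an undefined-index notice; the checks only work because both operands happen to be booleans. Each should read like `if (isset($_REQUEST["cat_id"]) && $_REQUEST["cat_id"] != "") {`. The cat_id pattern `'/^[0-9]*$/'` also accepts a trailing newline, because `$` matches before a final "\n" — use `$pattern = '/^[0-9]+$/D';` (the `+` is harmless here since the empty case is already excluded). The comment `//give max 99 entries - more will be to slow` describes a limit the pattern does not enforce and appears copied from elsewhere; replace it with `//cat_id must be a plain non-negative integer`. Whether `Uuid` accepts a comma-separated list as the error text and the `//validate cs list of uuids` comment suggest cannot be confirmed from this hunk, since class_Uuid.php is not shown.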


