
Security

Bernd Wurst authored on20/01/2018 12:09:53
Showing8 changed files
@@ -42,9 +42,11 @@ function filter_input_general( $input )
42 42
 
43 43
 function verify_input_general( $input )
44 44
 {
45
-  if (filter_input_general($input) != $input) {
45
+  if (filter_input_general($input) !== $input) {
46 46
     system_failure("Ihre Daten enthielten ungültige Zeichen!");
47 47
     logger(LOG_WARNING, 'inc/security', 'verify_input_general', 'Ungültige Daten: '.$input);
48
+  } else {
49
+      return $input;
48 50
   }
49 51
 }
50 52
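Review bot: With the strict `!==` on line 45, a `null` argument is now rejected whenever filter_input_general returns a string for `null`, and the edit-form hunk later on this page wraps `maybe_null($_REQUEST['firma'])` and the other optional fields in verify_input_general, so an empty optional field would trip system_failure; filter_input_general's body sits above the hunk, so this is inferred, and if it string-coerces, an early `if ($input === null) { return null; }` before the comparison keeps optional fields working. The logger call on line 47 writes the raw rejected `$input` to the log although it by definition contains characters the filter strips; logging `json_encode($input)` (or the filtered form) prevents control characters from forging log lines. The function also relies on system_failure terminating the request, otherwise the `if` branch falls through and returns null implicitly; a docblock along the lines of `/** Aborts the request via system_failure() if $input contains filtered characters, otherwise returns it unchanged. */` would make that contract visible at the call sites.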
 
@@ -49,6 +49,9 @@ function upload_contact($c)
49 49
         // Update
50 50
         $data = array("contact" => $ac);
51 51
         $result = api_request('contactUpdate', $data);
52
+        if ($result['status'] != 'success') {
53
+            system_failure("Es gab ein Problem beim Hochladen der Adresse zum Domainregistrar. Das sollte nicht sein!");
54
+        }
52 55
     } else {
53 56
         // create
54 57
         $data = array("contact" => $ac);
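Review bot: The new status check on line 52 uses loose `!=` against `'success'` and reads `$result['status']` without confirming that api_request returned an array, in the same commit that tightens verify_input_general to `!==`. Prefer `if (!is_array($result) || !isset($result['status']) || $result['status'] !== 'success') {` and log the registrar response via logger before calling system_failure so the failure is diagnosable afterwards. The create branch below the hunk is not visible; if it does not check its api_request result the same way, the two paths are inconsistent. upload_contact starts and ends outside this hunk.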
@@ -16,6 +16,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r
16 16
 
17 17
 require_once('inc/debug.php');
18 18
 require_role(array(ROLE_CUSTOMER));
19
+require_once('class/domain.php');
19 20
 
20 21
 require_once('contactapi.php');
21 22
 
@@ -241,3 +242,14 @@ function delete_contact($id) {
241 242
     db_query("UPDATE kundendaten.contacts SET state='deleted' WHERE id=?", array($c['id']));
242 243
 }
243 244
 
245
+
246
+function domainlist_by_contact($c) {
247
+    $result = db_query("SELECT id FROM kundendaten.domains WHERE owner=? OR admin_c=?", array($c['id'], $c['id']));
248
+    $ret = array();
249
+    while ($domain = $result->fetch()) {
250
+        $ret[] = new Domain( (int) $domain['id'] );
251
+    }
252
+    return $ret;
253
+}
254
+
255
+
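Review bot: domainlist_by_contact is added without any documentation, and `new Domain((int) $domain['id'])` inside the fetch loop constructs one object per matching row; if the Domain constructor (class/domain.php, not visible here) loads its own data, that is one extra query per domain. Add `/** @param array $c contact row, uses $c['id'] @return Domain[] domains where the contact is owner or admin_c */` above the function and drop the two trailing blank lines after the closing brace. The parameterised db_query call itself is the right shape for the id lookup.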
@@ -31,19 +31,29 @@ $kundenkontakte = get_kundenkontakte();
31 31
 
32 32
 output('<p>Sie haben aktuell diese Adressen gespeichert:</p>
33 33
 <div class="contact-list">');
34
-foreach ($contacts as $id => $contact) {
35
-    $adresse = nl2br("\n".$contact['address']."\n".$contact['country'].'-'.$contact['zip'].' '.$contact['city']);
34
+
35
+$liste = array_merge(array($kundenkontakte['kunde']), array_keys($contacts));
36
+$kundenadresse_displayed = false;
37
+foreach ($liste as $id) {
38
+    if ($kundenadresse_displayed && $id == $kundenkontakte['kunde']) {
39
+        continue;
40
+    }
41
+    $cssclass = '';
42
+    $contact = $contacts[$id];
43
+    $adresse = nl2br("\n".filter_input_general($contact['address'])."\n".filter_input_general($contact['country']).'-'.filter_input_general($contact['zip']).' '.filter_input_general($contact['city']));
36 44
     if (! $contact['city']) {
37 45
         $adresse = '';
38 46
     }
39 47
     $usage = array();
40 48
     if ($id == $kundenkontakte['kunde']) {
49
+        $cssclass='mainaddress';
50
+        $kundenadresse_displayed = true;
41 51
         $usage[] = 'Stamm-Adresse';
42 52
     }
43 53
     if ($id == $kundenkontakte['extern']) {
44 54
         $usage[] = 'Ersatz-Adresse';
45 55
     }
46
-    if ($id == $kundenkontakte['rechnung']) {
56
+    if ($id == $kundenkontakte['rechnung'] || ($id == $kundenkontakte['kunde'] && $kundenkontakte['rechnung'] == NULL)) {
47 57
         $usage[] = 'Rechnungs-Adresse';
48 58
     }
49 59
     if ($contact['nic_handle']) {
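Review bot: New line 42 `$contact = $contacts[$id];` dereferences the main-contact id unconditionally after `$liste` prepends `$kundenkontakte['kunde']`, so if that id is null or missing from `$contacts` the loop raises an undefined-index notice and renders an empty entry instead of skipping it; add `if (!isset($contacts[$id])) { continue; }` before the assignment. Line 43 (and the later hunks of this page: the company/name lines, the delete page, the useas page) uses `filter_input_general(...)` as HTML output escaping; its body is not visible and the name suggests an input filter, so unless it HTML-encodes, `htmlspecialchars($contact['address'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` before nl2br is the call appropriate to this context. The `==` comparisons against the `$kundenkontakte` ids on lines 38, 48 and 56 keep the loose form the rest of the commit is moving away from.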
@@ -51,8 +61,8 @@ foreach ($contacts as $id => $contact) {
51 61
     }
52 62
     $usage = join(', ', $usage);
53 63
     $name = $contact['name'];
54
-    if ($contact['company']) {
55
-        $name = $contact['company']."<br />".$contact['name'];
64
+    if (nl2br(filter_input_general($contact['company']))) {
65
+        $name = filter_input_general($contact['company'])."<br />".nl2br(filter_input_general($contact['name']));
56 66
     }
57 67
     $email = $contact['email'];
58 68
     $new_email = update_pending($id);
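Review bot: Line 63 `$name = $contact['name'];` (unchanged context) still carries the raw value whenever `company` is empty, while the new lines 64-65 filter both fields only inside the company branch; the delete and useas pages in this commit filter the bare name on its first assignment, so this list page is now the inconsistent one. Change line 63 to `$name = filter_input_general($contact['name']);` (or the HTML escape used for output). The condition `if (nl2br(filter_input_general($contact['company'])))` on line 64 wraps a truthiness test in nl2br to no effect; `if ($contact['company'])` as before reads clearer.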
@@ -69,10 +79,10 @@ foreach ($contacts as $id => $contact) {
69 79
     $actions[] = internal_link('useas', other_icon('attach.png')." Benutzen als...", 'id='.$contact['id']);
70 80
         
71 81
     $email = implode("<br>\n", array_filter(array($email, $contact['phone'], $contact['fax'], $contact['mobile'])));
72
-    output("<div class=\"contact\" id=\"contact-{$contact['id']}\"><p class=\"contact-id\">#{$contact['id']}</p><p class=\"contact-address\"><strong>$name</strong>$adresse</p><p class=\"contact-contact\">$email</p><p class=\"contact-usage\">Verwendung als $usage</p><p class=\"contact-actions\">".implode("<br>\n", $actions)."</p></div>");
82
+    output("<div class=\"contact {$cssclass}\" id=\"contact-{$contact['id']}\"><p class=\"contact-id\">#{$contact['id']}</p><p class=\"contact-address\"><strong>$name</strong>$adresse</p><p class=\"contact-contact\">$email</p><p class=\"contact-usage\">Verwendung als $usage</p><p class=\"contact-actions\">".implode("<br>\n", $actions)."</p></div>");
73 83
 }
74 84
 output("</div><br />");
75
-addnew('edit', 'Neuen Kontakt erstellen', 'id=new');
85
+addnew('edit', 'Neue Adresse erstellen', 'id=new');
76 86
 
77 87
 
78 88
 ?>
@@ -27,13 +27,13 @@ $section = 'contacts_list';
27 27
 if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
28 28
     $contact = get_contact($_REQUEST['id']);
29 29
     
30
-    $adresse = nl2br("\n".$contact['address']."\n".$contact['country'].'-'.$contact['zip'].' '.$contact['city']);
30
+    $adresse = nl2br("\n".filter_input_general($contact['address'])."\n".filter_input_general($contact['country']).'-'.filter_input_general($contact['zip']).' '.filter_input_general($contact['city']));
31 31
     if (! $contact['city']) {
32 32
         $adresse = '';
33 33
     }
34
-    $name = $contact['name'];
34
+    $name = filter_input_general($contact['name']);
35 35
     if ($contact['company']) {
36
-        $name = $contact['company']."<br />".$contact['name'];
36
+        $name = filter_input_general($contact['company'])."<br />".filter_input_general($contact['name']);
37 37
     }
38 38
     $email = implode("<br>\n", array_filter(array($contact['email'], $contact['phone'], $contact['fax'], $contact['mobile'])));
39 39
  
@@ -91,17 +91,17 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
91 91
     }
92 92
 
93 93
 
94
-    $c['company'] = maybe_null($_REQUEST['firma']);
95
-    $c['name'] = maybe_null($_REQUEST['name']);
96
-    $c['address'] = maybe_null($_REQUEST['adresse']);
97
-    $c['country'] = maybe_null(strtoupper($_REQUEST['land']));
98
-    $c['zip'] = maybe_null($_REQUEST['plz']);
99
-    $c['city'] = maybe_null($_REQUEST['ort']);
94
+    $c['company'] = verify_input_general(maybe_null($_REQUEST['firma']));
95
+    $c['name'] = verify_input_general(maybe_null($_REQUEST['name']));
96
+    $c['address'] = verify_input_general(maybe_null($_REQUEST['adresse']));
97
+    $c['country'] = verify_input_general(maybe_null(strtoupper($_REQUEST['land'])));
98
+    $c['zip'] = verify_input_general(maybe_null($_REQUEST['plz']));
99
+    $c['city'] = verify_input_general(maybe_null($_REQUEST['ort']));
100 100
 
101 101
         
102 102
 
103 103
     if ($_REQUEST['telefon']) {
104
-        $num = format_number($_REQUEST['telefon'], $_REQUEST['land']);
104
+        $num = format_number(verify_input_general($_REQUEST['telefon']), $_REQUEST['land']);
105 105
         if ($num) {
106 106
             $c['phone'] = $num;
107 107
         } else {
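Review bot: `$_REQUEST['land']` is passed raw to format_number on line 104 (and on lines 114 and 124 of the following two hunks) while the same value is verified via `strtoupper` for `$c['country']` on line 97; verify it once and reuse it, `$land = verify_input_general(maybe_null(strtoupper($_REQUEST['land'])));` then `$c['country'] = $land;` and `format_number(verify_input_general($_REQUEST['telefon']), $land)`. The assignments on lines 94-99 rely on verify_input_general aborting the request on invalid input, which is not obvious from the call sites; a comment at line 94 such as `// verify_input_general() aborts the request on invalid characters` would help. The enclosing edit handler starts and ends outside this hunk.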
@@ -111,7 +111,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
111 111
         $c['phone'] = NULL;
112 112
     }
113 113
     if ($_REQUEST['mobile']) {
114
-        $num = format_number($_REQUEST['mobile'], $_REQUEST['land']);
114
+        $num = format_number(verify_input_general($_REQUEST['mobile']), $_REQUEST['land']);
115 115
         if ($num) {
116 116
             $c['mobile'] = $num;
117 117
         } else {
@@ -121,7 +121,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
121 121
         $c['mobile'] = NULL;
122 122
     }
123 123
     if ($_REQUEST['telefax']) {
124
-        $num = format_number($_REQUEST['telefax'], $_REQUEST['land']);
124
+        $num = format_number(verify_input_general($_REQUEST['telefax']), $_REQUEST['land']);
125 125
         if ($num) {
126 126
             $c['fax'] = $num;
127 127
         } else {
@@ -143,7 +143,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
143 143
 
144 144
     if ($c['email'] != $_REQUEST['email']) {
145 145
         if (have_mailaddress($_REQUEST['email'])) {
146
-            save_emailaddress($c['id'], $_REQUEST['email']);
146
+            save_emailaddress($c['id'], verify_input_general($_REQUEST['email']));
147 147
         } else {
148 148
             send_emailchange_token($c['id'], $_REQUEST['email']);
149 149
         }
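Review bot: Only the save_emailaddress branch on line 146 receives a verified address; send_emailchange_token on line 148 still gets the raw `$_REQUEST['email']`, and the `!=` on line 144 compares the stored address against the unverified value. Verify once before the branch, `$email = verify_input_general($_REQUEST['email']);`, and use `$email` in the comparison and in both calls. have_mailaddress may already validate the format, but that is not visible here.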
@@ -32,7 +32,11 @@ div.contact {
32 32
     border: 1px solid black;
33 33
     width: 18em;
34 34
     margin: 1em;
35
-    padding: 0.1em 1em;    
35
+    padding: 3px 10px;    
36
+}
37
+div.contact.mainaddress {
38
+    border: 2px solid red;
39
+    padding: 2px 9px;
36 40
 }
37 41
 
38 42
 p.contact-id {
@@ -64,13 +64,13 @@ if (isset($_REQUEST['useas'])) {
64 64
         }
65 65
     }
66 66
 } else {
67
-    $adresse = nl2br("\n".$contact['address']."\n".$contact['country'].'-'.$contact['zip'].' '.$contact['city']);
67
+    $adresse = nl2br("\n".filter_input_general($contact['address'])."\n".filter_input_general($contact['country']).'-'.filter_input_general($contact['zip']).' '.filter_input_general($contact['city']));
68 68
     if (! $contact['city']) {
69 69
         $adresse = '';
70 70
     }
71
-    $name = $contact['name'];
71
+    $name = filter_input_general($contact['name']);
72 72
     if ($contact['company']) {
73
-        $name = $contact['company']."<br />".$contact['name'];
73
+        $name = filter_input_general($contact['company'])."<br />".filter_input_general($contact['name']);
74 74
     }
75 75
     $email = implode("<br>\n", array_filter(array($contact['email'], $contact['phone'], $contact['fax'], $contact['mobile'])));
76 76
 
@@ -86,7 +86,7 @@ if (isset($_REQUEST['useas'])) {
86 86
             addnew('useas', 'Diese Adresse als Haupt-Adresse des Kontoinhabers festlegen.', 'id='.$_REQUEST['id'].'&useas=kunde');
87 87
         }
88 88
         if ($id == $kundenkontakte['extern']) {
89
-            output("<p>Diese Adresse ist die Ersatz-Adresse bei Störungen! ".icon_delete().internal_link('useas', "Zuordnung löschen", 'id='.$_REQUEST['id'].'&useas=extern&action=delete')."</p>");
89
+            output("<p>Diese Adresse ist die Ersatz-Adresse bei Störungen. ".icon_delete().internal_link('useas', "Zuordnung löschen", 'id='.$_REQUEST['id'].'&useas=extern&action=delete')."</p>");
90 90
         } else {
91 91
             addnew('useas', 'Diese Adresse als Ersatz-Adresse des Kontoinhabers für Störungen festlegen.', 'id='.$_REQUEST['id'].'&useas=extern');
92 92
         }
@@ -98,10 +98,25 @@ if (isset($_REQUEST['useas'])) {
98 98
     }
99 99
 
100 100
 
101
+    output("<h4>Verwendung als Domaininhaber bzw. -Verwalter</h4>");
101 102
     if (possible_domainholder($contact)) {
102
-        output("<h4>Verwendung als Domaininhaber bzw. -Verwalter</h4>");
103
+        $domains = domainlist_by_contact($contact);
104
+        foreach ($domains as $d) {
105
+            $funktion = array();
106
+            if ($contact['id'] == $d->owner) {
107
+                $funktion[] = 'Inhaber';
108
+            }
109
+            if ($contact['id'] == $d->admin_c) {
110
+                $funktion[] = 'Verwalter';
111
+            }
112
+            $funktion = implode(' und ', $funktion);
113
+
114
+            output('<p>Ist <strong>'.$funktion.'</strong> bei der Domain <strong>'.$d->fqdn.'</strong>.</p>');
115
+        }
116
+
103 117
 
104
-        output("<p>Kann als Domaininhaber verwendet werden!</p>");
118
+    } else {
119
+        output("<p>Zur Verwendung als Domaininhaber müssen Name, vollständige Adresse, E-Mail-Adresse sowie Telefonnummer angegeben sein.</p>");
105 120
     }
106 121
 
107 122
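Review bot: Line 114 interpolates `$d->fqdn` straight into the output markup; the value comes from the Domain class (not visible here), and since this commit is about escaping stored fields for display it should go through `htmlspecialchars($d->fqdn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` as well. The comparisons `$contact['id'] == $d->owner` and `$contact['id'] == $d->admin_c` on lines 106 and 109 are loose; as domainlist_by_contact selects by exactly these columns, `(int) $contact['id'] === (int) $d->owner` makes the intent explicit. The enclosing conditional block continues outside the hunk.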
 
@@ -14,6 +14,7 @@ https://creativecommons.org/publicdomain/zero/1.0/
14 14
 Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
15 15
 */
16 16
 
17
+require_once('contacts.php');
17 18
 require_once('verify.php');
18 19
 require_once('inc/security.php');
19 20