Userdata

* replace input filter FILTER_UNSAFE_RAW (+ STRIP flags) with regex checks to preserve \n and utf8 chars
2025-11-29 15:58:16 +08:00 · 2023-03-16 17:59:09 +01:00
parent ffa4cf5b29
commit 0c47f262ea
13 changed files with 75 additions and 53 deletions
--- a/includes/ajaxHandler/account.class.php
+++ b/includes/ajaxHandler/account.class.php
@@ -171,7 +171,7 @@ class AjaxAccount extends AjaxHandler
    {
        $var = trim(urldecode($val));

-        return filter_var($var, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_AOWOW);
+        return filter_var($var, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW);
    }
 }

--- a/includes/ajaxHandler/admin.class.php
+++ b/includes/ajaxHandler/admin.class.php
@@ -7,25 +7,25 @@ class AjaxAdmin extends AjaxHandler
 {
    protected $validParams = ['screenshots', 'siteconfig', 'weight-presets', 'spawn-override', 'guide', 'comment'];
    protected $_get        = array(
-        'action' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW           ],
+        'action' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'      ],
        'id'     => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkIdListUnsigned'],
        'key'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkKey'             ],
-        'all'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'      ],
+        'all'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkEmptySet'      ],
        'type'   => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'           ],
        'typeid' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'           ],
        'user'   => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkUser'            ],
-        'val'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'      ],
+        'val'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'      ],
        'guid'   => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'           ],
        'area'   => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'           ],
        'floor'  => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'           ]
    );
    protected $_post       = array(
-        'alt'    => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'id'     => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'],
-        'scale'  => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkScale'],
-        '__icon' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkKey'  ],
-        'status' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'],
-        'msg'    => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW]
+        'alt'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'],
+        'id'     => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'     ],
+        'scale'  => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkScale'     ],
+        '__icon' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxAdmin::checkKey'       ],
+        'status' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'     ],
+        'msg'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob']
    );

    public function __construct(array $params)
--- a/includes/ajaxHandler/comment.class.php
+++ b/includes/ajaxHandler/comment.class.php
@@ -12,22 +12,22 @@ class AjaxComment extends AjaxHandler

    protected $_post = array(
        'id'          => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkIdListUnsigned'],
-        'body'        => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'      ],
-        'commentbody' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'      ],
-        'response'    => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW ],
-        'reason'      => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW ],
-        'remove'      => ['filter' => FILTER_SANITIZE_NUMBER_INT],
-        'commentId'   => ['filter' => FILTER_SANITIZE_NUMBER_INT],
-        'replyId'     => ['filter' => FILTER_SANITIZE_NUMBER_INT],
-        'sticky'      => ['filter' => FILTER_SANITIZE_NUMBER_INT],
-     // 'username'    => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW ]
+        'body'        => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'      ],
+        'commentbody' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'      ],
+        'response'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'      ],
+        'reason'      => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'      ],
+        'remove'      => ['filter' => FILTER_SANITIZE_NUMBER_INT                                      ],
+        'commentId'   => ['filter' => FILTER_SANITIZE_NUMBER_INT                                      ],
+        'replyId'     => ['filter' => FILTER_SANITIZE_NUMBER_INT                                      ],
+        'sticky'      => ['filter' => FILTER_SANITIZE_NUMBER_INT                                      ],
+     // 'username'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'      ]
    );

    protected $_get  = array(
        'id'     => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'],
        'type'   => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'],
        'typeid' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkInt'],
-        'rating' => ['filter' => FILTER_SANITIZE_NUMBER_INT]
+        'rating' => ['filter' => FILTER_SANITIZE_NUMBER_INT                           ]
    );

    public function __construct(array $params)
--- a/includes/ajaxHandler/contactus.class.php
+++ b/includes/ajaxHandler/contactus.class.php
@@ -6,13 +6,13 @@ if (!defined('AOWOW_REVISION'))
 class AjaxContactus extends AjaxHandler
 {
    protected $_post = array(
-        'mode'       => ['filter' => FILTER_CALLBACK,      'options' => 'AjaxHandler::checkInt'],
-        'reason'     => ['filter' => FILTER_CALLBACK,      'options' => 'AjaxHandler::checkInt'],
-        'ua'         => ['filter' => FILTER_UNSAFE_RAW,      'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'appname'    => ['filter' => FILTER_UNSAFE_RAW,      'flags' => FILTER_FLAG_STRIP_AOWOW],
+        'mode'       => ['filter' => FILTER_SANITIZE_NUMBER_INT                                ],
+        'reason'     => ['filter' => FILTER_SANITIZE_NUMBER_INT                                ],
+        'ua'         => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
+        'appname'    => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
        'page'       => ['filter' => FILTER_SANITIZE_URL                                       ],
-        'desc'       => ['filter' => FILTER_UNSAFE_RAW,      'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'id'         => ['filter' => FILTER_CALLBACK,      'options' => 'AjaxHandler::checkInt'],
+        'desc'       => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'],
+        'id'         => ['filter' => FILTER_SANITIZE_NUMBER_INT                                ],
        'relatedurl' => ['filter' => FILTER_SANITIZE_URL                                       ],
        'email'      => ['filter' => FILTER_SANITIZE_EMAIL                                     ]
    );
--- a/includes/ajaxHandler/cookie.class.php
+++ b/includes/ajaxHandler/cookie.class.php
@@ -12,7 +12,7 @@ class AjaxCookie extends AjaxHandler
            return;

        $this->_get = array(
-            $params[0] => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
+            $params[0] => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
        );

        // NOW we know, what to expect and sanitize
--- a/includes/ajaxHandler/data.class.php
+++ b/includes/ajaxHandler/data.class.php
@@ -6,12 +6,12 @@ if (!defined('AOWOW_REVISION'))
 class AjaxData extends AjaxHandler
 {
    protected $_get = array(
-        'locale'    => ['filter' => FILTER_CALLBACK,             'options' => 'AjaxHandler::checkLocale'],
-        't'         => ['filter' => FILTER_UNSAFE_RAW,           'flags'   => FILTER_FLAG_STRIP_AOWOW   ],
+        'locale'    => ['filter' => FILTER_CALLBACK,           'options' => 'AjaxHandler::checkLocale'  ],
+        't'         => ['filter' => FILTER_CALLBACK,           'options' => 'AjaxHandler::checkTextLine'],
        'catg'      => ['filter' => FILTER_SANITIZE_NUMBER_INT                                          ],
-        'skill'     => ['filter' => FILTER_CALLBACK,             'options' => 'AjaxData::checkSkill'    ],
+        'skill'     => ['filter' => FILTER_CALLBACK,           'options' => 'AjaxData::checkSkill'      ],
        'class'     => ['filter' => FILTER_SANITIZE_NUMBER_INT                                          ],
-        'callback'  => ['filter' => FILTER_CALLBACK,             'options' => 'AjaxData::checkCallback' ]
+        'callback'  => ['filter' => FILTER_CALLBACK,           'options' => 'AjaxData::checkCallback'   ]
    );

    public function __construct(array $params)
--- a/includes/ajaxHandler/edit.class.php
+++ b/includes/ajaxHandler/edit.class.php
@@ -6,8 +6,8 @@ if (!defined('AOWOW_REVISION'))
 class AjaxEdit extends AjaxHandler
 {
    protected $_get = array(
-        'qqfile' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'guide'  => ['filter' => FILTER_SANITIZE_NUMBER_INT]
+        'qqfile' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
+        'guide'  => ['filter' => FILTER_SANITIZE_NUMBER_INT                                ]
    );

    public function __construct(array $params)
--- a/includes/ajaxHandler/getdescription.class.php
+++ b/includes/ajaxHandler/getdescription.class.php
@@ -6,7 +6,7 @@ if (!defined('AOWOW_REVISION'))
 class AjaxGetdescription extends AjaxHandler
 {
    protected $_post = array(
-        'description' => [FILTER_CALLBACK, ['options' => 'AjaxHandler::checkFulltext']]
+        'description' => [FILTER_CALLBACK, ['options' => 'AjaxHandler::checkTextBlob']]
    );

    public function __construct(array $params)
--- a/includes/ajaxHandler/profile.class.php
+++ b/includes/ajaxHandler/profile.class.php
@@ -11,14 +11,14 @@ class AjaxProfile extends AjaxHandler
    protected $_get        = array(
        'id'         => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkIdList'  ],
        'items'      => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkItemList'],
-        'size'       => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW     ],
+        'size'       => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
        'guild'      => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkEmptySet'],
        'arena-team' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkEmptySet'],
        'user'       => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkUser'    ]
    );

    protected $_post        = array(
-        'name'         => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'],
+        'name'         => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'],
        'level'        => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'class'        => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'race'         => ['filter' => FILTER_SANITIZE_NUMBER_INT],
@@ -28,12 +28,12 @@ class AjaxProfile extends AjaxHandler
        'talenttree2'  => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'talenttree3'  => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'activespec'   => ['filter' => FILTER_SANITIZE_NUMBER_INT],
-        'talentbuild1' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'glyphs1'      => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'talentbuild2' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'glyphs2'      => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'icon'         => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'description'  => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkFulltext'],
+        'talentbuild1' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkTalentString'],
+        'glyphs1'      => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkGlyphString' ],
+        'talentbuild2' => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkTalentString'],
+        'glyphs2'      => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxProfile::checkGlyphString' ],
+        'icon'         => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextLine'    ],
+        'description'  => ['filter' => FILTER_CALLBACK, 'options' => 'AjaxHandler::checkTextBlob'    ],
        'source'       => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'copy'         => ['filter' => FILTER_SANITIZE_NUMBER_INT],
        'public'       => ['filter' => FILTER_SANITIZE_NUMBER_INT],
@@ -762,6 +762,22 @@ class AjaxProfile extends AjaxHandler

        return '';
    }
+
+    protected static function checkTalentString(string $val) : string
+    {
+        if (preg_match('/^\d+$/', $val))
+            return $val;
+
+        return '';
+    }
+
+    protected static function checkGlyphString(string $val) : string
+    {
+        if (preg_match('/^\d+(:\d+)*$/', $val))
+            return $val;
+
+        return '';
+    }
 }

 ?>
--- a/includes/utilities.php
+++ b/includes/utilities.php
@@ -109,10 +109,16 @@ trait TrRequestData
        return [];
    }

-    private static function checkFulltext(string $val) : string
+    private static function checkTextLine(string $val) : string
    {
        // trim non-printable chars
-        return preg_replace('/[\p{Cf}\p{Co}\p{Cs}\p{Cn}]/ui', '', $val);
+        return preg_replace('/[\p{Cc}\p{Cf}\p{Co}\p{Cs}\p{Cn}]/ui', '', $val);
+    }
+
+    private static function checkTextBlob(string $val) : string
+    {
+        // trim non-printable chars
+        return preg_replace('/[\x00-\x09\x0B-\x1F\p{Cf}\p{Co}\p{Cs}\p{Cn}]/ui', '', $val);
    }
 }

--- a/pages/account.php
+++ b/pages/account.php
@@ -34,9 +34,9 @@ class AccountPage extends GenericPage

    protected $_post     = array(
        'username'    => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'password'    => ['filter' => FILTER_UNSAFE_RAW],
-        'c_password'  => ['filter' => FILTER_UNSAFE_RAW],
-        'token'       => ['filter' => FILTER_UNSAFE_RAW],
+        'password'    => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextLine'],
+        'c_password'  => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextLine'],
+        'token'       => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS, 'flags' => FILTER_FLAG_STRIP_AOWOW],
        'remember_me' => ['filter' => FILTER_CALLBACK, 'options' => 'AccountPage::rememberCallback'],
        'email'       => ['filter' => FILTER_SANITIZE_EMAIL]
    );
--- a/pages/guide.php
+++ b/pages/guide.php
@@ -42,11 +42,11 @@ class GuidePage extends GenericPage
    protected /* array */ $_post = array(
        'save'        => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkEmptySet'],
        'submit'      => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkEmptySet'],
-        'title'       => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'name'        => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'description' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'changelog'   => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW],
-        'body'        => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkFulltext'],
+        'title'       => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextLine'],
+        'name'        => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextLine'],
+        'description' => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextBlob'],
+        'changelog'   => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextBlob'],
+        'body'        => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextBlob'],
        'locale'      => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkInt'],
        'category'    => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkInt'],
        'specId'      => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkInt'],
--- a/pages/screenshot.php
+++ b/pages/screenshot.php
@@ -29,7 +29,7 @@ class ScreenshotPage extends GenericPage

    protected $_post       = array(
        'coords'        => ['filter' => FILTER_CALLBACK, 'options' => 'ScreenshotPage::checkCoords'],
-        'screenshotalt' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_FLAG_STRIP_AOWOW]
+        'screenshotalt' => ['filter' => FILTER_CALLBACK, 'options' => 'GenericPage::checkTextBlob']
    );

    public function __construct($pageCall, $pageParam)