Merge branch 'preprod' into 'master'

Escape all values interpolated in SQL queries in the Perso controller See merge request !154

Merge branch 'preprod' into 'master'
Escape all values interpolated in SQL queries in the Perso controller See merge request !154
695de17a · nono · 1470fadd · bfef3d43 · 695de17a · 695de17a
Commit 695de17a authored Feb 03, 2022 by nono 💻
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ tests/_output/*
 !/var/log/.gitkeep
 /.php_cs.cache
 tests/*/_generated/*
+
+# Vagrant machines for testing
+.vagrant/
--- a/Vagrantfile
+++ b/Vagrantfile
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/bullseye64"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  config.vm.network "forwarded_port", guest: 8000, host: 8383
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  config.vm.network "private_network", ip: "192.168.56.1"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+  # config.vm.provision "shell", inline: <<-SHELL
+  #   apt-get update
+  #   apt-get install -y apache2
+  # SHELL
+end
--- a/app/controller/perso.php
+++ b/app/controller/perso.php
@@ -46,7 +46,7 @@ class Perso extends Controller
        $db = $f3->get('DB');
        $user = $f3->get('container')['user_finder']->findById($f3->get('SESSION.id'));
        $f3->set('infos', $user);
-        $result = $db->query("SELECT id, pdf, decimale FROM dons WHERE user_id='".$user['id']."' and pdf!='' ");
+        $result = $db->query("SELECT id, pdf, decimale FROM dons WHERE user_id='".\Utils::asl($user['id'])."' and pdf!='' ");
        $pdfs = array();
        foreach ($result->fetchAll(\PDO::FETCH_ASSOC) as $row) {
            $pdfs[$row['pdf']] = $row;
@@ -220,7 +220,7 @@ class Perso extends Controller
                $hash = hash('sha256', $f3->get('password'));
                // On recherche le montant cumulé jusqu'à présent. On fait la somme depuis le
                // premier janvier 2013 en se basant sur l'adresse mail
-                $res = $db->query("SELECT sum(dons.somme) as somme FROM dons INNER JOIN users WHERE dons.user_id = users.id AND users.email='".$f3->get('email')."' and dons.status in (1, 4, 102) and dons.datec>'2013-01-01';");
+                $res = $db->query("SELECT sum(dons.somme) as somme FROM dons INNER JOIN users WHERE dons.user_id = users.id AND users.email='".\Utils::asl($f3->get('email'))."' and dons.status in (1, 4, 102) and dons.datec>'2013-01-01';");
                $total = $res->fetch(\PDO::FETCH_ASSOC);
                $total = (int) $total['somme'];
                // Création de l'utilisateur
@@ -250,7 +250,7 @@ class Perso extends Controller
                    $hash = hash('sha256', $f3->get('password'));
                    $sql .= ", hash='".$hash."'";
                }
-                $sql .= " WHERE id='".$f3->get('SESSION.id')."'";
+                $sql .= " WHERE id='".\Utils::asl($f3->get('SESSION.id'))."'";
                $db->query($sql);
            }
        } else {
@@ -390,7 +390,7 @@ class Perso extends Controller
        $db = $f3->get('DB');
        $id = $params['id'];
        $command = "pdftk ";
-        $args = " ../www/receipt.pdf fill_form ../tmp/".$id.".xfdf output ../tmp/".$id.".pdf flatten dont_ask";
+        $args = " ../www/receipt.pdf fill_form ../tmp/".escapeshellarg($id).".xfdf output ../tmp/".escapeshellarg($id).".pdf flatten dont_ask";
        $logger->write($command . " " .$args);

        // Vérification que le don appartient bien à l'utilisateur connecté
@@ -405,7 +405,7 @@ class Perso extends Controller
            FROM dons
            INNER JOIN users ON users.id = dons.user_id
            LEFT OUTER JOIN adresses ON adresses.user_id = users.id
-            WHERE users.id=".$f3->get('SESSION.id')." AND dons.id=".\Utils::asl($id).";";
+            WHERE users.id='".\Utils::asl($f3->get('SESSION.id'))."' AND dons.id='".\Utils::asl($id)."';";
        $result = $db->query($query);
        $logger->write($query);
        $don = $result->fetch(\PDO::FETCH_ASSOC);
@@ -490,8 +490,11 @@ class Perso extends Controller

    public function cancel($f3, $params)
    {
+        if (!$f3->exists('SESSION.user')) {
+            $f3->reroute('/login');
+        }
        $db = $f3->get('DB');
-        $result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".$params['id']."'");
+        $result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".\Utils::asl($params['id'])."' and user_id='".\Utils::asl($f3->get('SESSION.id'))."'");
        $result = $result->fetch(\PDO::FETCH_ASSOC);
        if ($result) {
            $identifier = $result['identifier'];
@@ -523,8 +526,8 @@ class Perso extends Controller
            status = '103',
            datec = NOW(),
            somme = 0,
-            user_id = '".$user_id."',
-            identifier = '".$identifier."',
+            user_id = '".\Utils::asl($user_id)."',
+            identifier = '".\Utils::asl($identifier)."',
            cumul = 0;");
        $f3->push('SESSION.message', _("Don récurrent supprimé."));
        $f3->reroute('/perso');