OleKEH · csware · Aug 5, 2014 · Aug 7, 2014 · Aug 7, 2014 · Aug 7, 2014
diff --git a/prairie/.htaccess b/prairie/.htaccess
@@ -24,4 +24,4 @@ IndexIgnore */*
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
-RewriteRule . index.php
+RewriteRule ^(.*) index.php/$1
diff --git a/prairie/account.php b/prairie/account.php
@@ -40,7 +40,7 @@
 		SET 
 		user_email_notify=" . $email_notify . " 
 		WHERE
-		user_id=" . $_SESSION['user_id']
+		user_id=" . (int)$_SESSION['user_id']
 	;
 
 	$db->Execute($query);
@@ -75,7 +75,7 @@
 			user_language=" . $db->qstr($_POST['user_language']) . ",
 			user_timezone=" . $db->qstr($_POST['user_timezone']) . ",
 			user_birthdate=" . $db->qstr($_POST['user_birthdate']) . "
-			WHERE user_id=" . $_SESSION['user_id'].";";
+			WHERE user_id=" . (int)$_SESSION['user_id'].";";
 
 		$db->Execute($query);
 
@@ -133,7 +133,7 @@
 		$query = "
 			UPDATE " . $db->prefix . "_user
 			SET user_email=" . $db->qstr(trim($_POST['user_email1'])) . " 
-			WHERE user_id=" . $_SESSION['user_id']
+			WHERE user_id=" . (int)$_SESSION['user_id']
 		;
 
 		$db->Execute($query);
@@ -159,7 +159,7 @@
 		$query = "
 			SELECT user_id
 			FROM " . $db->prefix . "_user
-			WHERE user_id=" . $_SESSION['user_id'] . "
+			WHERE user_id=" . (int)$_SESSION['user_id'] . "
 			AND user_password=" . $db->qstr(md5($_POST['user_password_old']))
 		;
 
@@ -175,7 +175,7 @@
 			UPDATE " . $db->prefix . "_user
 			SET user_password=" . $db->qstr(md5($_POST['user_password1'])) . "
 			WHERE
-			user_id=" . $_SESSION['user_id'] . " AND
+			user_id=" . (int)$_SESSION['user_id'] . " AND
 			user_password=" . $db->qstr(md5($_POST['user_password_old']))
 		;
 
@@ -188,7 +188,7 @@
 
 
 // CHECK TO DISPLAY AVATAR DELETE BUTTON ------
-$av = glob($core_config['file']['dir'] . "avatars/" . $_SESSION['user_id'] . "/100*");
+$av = glob($core_config['file']['dir'] . "avatars/" . (int)$_SESSION['user_id'] . "/100*");
 
 if (isset($av[0])) {
 	$body->set('display_avatar_delete_button', 1);

diff --git a/prairie/class/Db.class.php b/prairie/class/Db.class.php
@@ -114,7 +114,7 @@ function Execute($query, $rows=null, $offset=null) {
 	function qstr($s) {
 
 		if (!get_magic_quotes_gpc()) {
- 			$s = addslashes($s);
+ 			$s =  mysql_real_escape_string($s);
 		}
 		return "'" . $s . "'";
 	}

diff --git a/prairie/class/Openid.class.php b/prairie/class/Openid.class.php
@@ -387,7 +387,7 @@ function checkid_setup($type = null) {
 			$openid_return_to = GetFromURL("openid_return_to"); 
 
 			if ($openid_identity == 'http://specs.openid.net/auth/2.0/identifier_select'){
-				$openid_identity='http://'.$_SERVER['SERVER_NAME'].'/'; 
+				$openid_identity='http'.(isset($_SERVER['HTTPS'])&& (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == 1) ? 's' : '').'://'.$_SERVER['SERVER_NAME'].'/'; 
 			}
 
 			$openIDns=GetFromURL("openid_ns"); 
@@ -469,7 +469,7 @@ function checkid_immediate() {
 		$openid_return_to = GetFromURL("openid_return_to"); 
 
 		if ($openid_identity == 'http://specs.openid.net/auth/2.0/identifier_select'){
-			$openid_identity='http://'.$_SERVER['SERVER_NAME'].'/'; 
+			$openid_identity='http'.(isset($_SERVER['HTTPS'])&& (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == 1) ? 's' : '').'://'.$_SERVER['SERVER_NAME'].'/'; 
 		}	
 
 		if (!empty($_SESSION['user_id'])) {

diff --git a/prairie/editor.php b/prairie/editor.php
@@ -30,7 +30,7 @@
 if (isset($_POST['save_profile'])) {
 	$title = trim($_POST['webspace_title']);
 
-	if (is_file('theme/' . $_POST['theme_name'] . '/thumb.png')) {
+	if (in_array($_POST['theme_name'], barnraiser_scandir('theme/')) && is_file('theme/' . $_POST['theme_name'] . '/thumb.png')) {
 		$theme_name = $_POST['theme_name'];
 	}
 	else {
@@ -40,7 +40,7 @@
 	$query = "
 		SELECT user_id
 		FROM " . $db->prefix . "_webspace
-		WHERE user_id=" . $_SESSION['user_id']
+		WHERE user_id=" . (int)$_SESSION['user_id']
 	;
 
 	$result = $db->Execute($query);
@@ -63,17 +63,17 @@
 			webspace_title=" . $db->qstr($title) . ",
 			webspace_theme=" . $db->qstr($theme_name) . "
 			WHERE 
-			user_id=" . $_SESSION['user_id']
+			user_id=" . (int)$_SESSION['user_id']
 		;
 
 		$db->Execute($query);
 	}
 
 	if (!empty($title)) {
-		makeThemeHeader($core_config['file']['dir'], $_SESSION['user_id'], $theme_name, $title);
+		makeThemeHeader($core_config['file']['dir'], (int)$_SESSION['user_id'], $theme_name, $title);
 	}
 	else {
-		unlink($core_config['file']['dir'] . "/titles/" . $_SESSION['user_id'] . ".png");
+		unlink($core_config['file']['dir'] . "/titles/" . (int)$_SESSION['user_id'] . ".png");
 	}
 
 	header('location: /editor');
@@ -89,7 +89,7 @@
 	$query = "
 		SELECT user_id
 		FROM " . $db->prefix . "_webspace
-		WHERE user_id=" . $_SESSION['user_id']
+		WHERE user_id=" . (int)$_SESSION['user_id']
 	;
 
 	$result = $db->Execute($query);
@@ -111,7 +111,7 @@
 			SET 
 			webspace_html=" . $db->qstr($html) . " 
 			WHERE 
-			user_id=" . $_SESSION['user_id']
+			user_id=" . (int)$_SESSION['user_id']
 		;
 		$db->Execute($query);
 	}
@@ -123,7 +123,7 @@
 $query = "
 	SELECT *
 	FROM " . $db->prefix . "_webspace
-	WHERE user_id=" . $_SESSION['user_id']
+	WHERE user_id=" . (int)$_SESSION['user_id']
 ;
 
 $result = $db->Execute($query);

diff --git a/prairie/get_file.php b/prairie/get_file.php
@@ -47,17 +47,17 @@
 		$_REQUEST['width'] = 100;
 	}
 
-	$av = glob($core_config['file']['dir'] . 'avatars/' . $_REQUEST['avatar'] . '/' . $_REQUEST['width'] . '*');
+	$av = glob($core_config['file']['dir'] . 'avatars/' . (int)$_REQUEST['avatar'] . '/' . (int)$_REQUEST['width'] . '*');
 
 	if (isset($av[0])) {
 		$file = $av[0];
 	}
 	else {
-		$file = 'template/silver/img/no_avatar_' . $_REQUEST['width'] . '.png';
+		$file = 'template/silver/img/no_avatar_' . (int)$_REQUEST['width'] . '.png';
 	}
 }
 elseif (isset($_REQUEST['title'])) { // ?title=file = webpage title image
-	$file = $core_config['file']['dir'] . 'titles/' . $_REQUEST['title'] . '.png';
+	$file = $core_config['file']['dir'] . 'titles/' . (int)$_REQUEST['title'] . '.png';
 
 	if (!is_file($file)) {
 		$file = $core_config['file']['dir'] . 'titles/0.png';

diff --git a/prairie/inc/functions.inc.php b/prairie/inc/functions.inc.php
@@ -135,7 +135,7 @@ function labeltextarea_($name, $label, $value="") {
 function input_($name,  $defval="", $type="text", $size=45, $maxlength=0, $style=""){
 	$html='<input'; 
 	if ($style)$html.=' class="'.$style.'"'; 
-	$html .=' name="'.$name.'" type="'.$type.'" value="'.$defval.'"'; 
+	$html .=' name="'.$name.'" type="'.$type.'" value="'.htmlspecialchars($defval).'"'; 
 	$html .= ' id="'.$name.'" size="'.$size.'"'; 
 	if ($maxlength!=0) $html.=' maxlength="'.$maxlength.'"'; 
 	$html.="/>\n"; 
@@ -151,16 +151,10 @@ function textarea_($name, $content="", $cols=60, $rows=4, $style="" ) {
 
 // URL routing into array
 function routeURL ($webspace_name=null) {
-
-	$document_root = trim(dirname($_SERVER['PHP_SELF']), '/');
-	$script_name = $_SERVER['PHP_SELF'];
-
-	$request_uri = substr($_SERVER['REQUEST_URI'], strlen($document_root) + 1);
-
-	$tmp = strpos($request_uri, '?');
-
-	if ($tmp) {
-		$request_uri = substr($request_uri, 0, $tmp);
+	if (isset($_SERVER['ORIG_PATH_INFO'])) {
+		$request_uri = substr($_SERVER['ORIG_PATH_INFO'], 1);
+	} else {
+		$request_uri = substr($_SERVER['PATH_INFO'], 1);
 	}
 
 	$request_arr = explode('/', $request_uri);

diff --git a/prairie/index.php b/prairie/index.php
@@ -157,9 +157,15 @@
 						$data_to_send = Array ();
 						$data_to_send['openid.ns'] = 'http://specs.openid.net/auth/2.0';
 						$data_to_send['openid.mode'] = 'setup_needed';
-						$data_to_send['openid.user_setup_url'] = 'http://'.$_SERVER['SERVER_NAME'] . '/login';
+						$data_to_send['openid.user_setup_url'] = 'http'.(isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == 1) ? 's' : '').'://'.$_SERVER['SERVER_NAME'] . '/login';
 
-						header('location: ' . $openid_return_to . $s . http_build_query($data_to_send));
+						$redirurl = $openid_return_to . $s . http_build_query($data_to_send);
+						if (strpos($redirurl, '\n') !== FALSE || (strpos($redirurl, 'http://')!==0 && strpos($redirurl, 'https://')!==0)) {
+							header("Status: 500");
+							echo "Invalid return URL found.";
+							exit;
+						}
+						header('location: ' . $redirurl);
 						exit;
 					}
 

diff --git a/prairie/login.php b/prairie/login.php
@@ -127,7 +127,7 @@
 			$query = "
 				UPDATE " . $db->prefix . "_user
 				SET user_password=" . $db->qstr(md5($new_password)) . "
-				WHERE user_id=" . $result[0]['user_id']
+				WHERE user_id=" . (int)$result[0]['user_id']
 			;
 
 			$db->Execute($query);

diff --git a/prairie/maintain.php b/prairie/maintain.php
@@ -41,7 +41,7 @@
 		user_email=" . $db->qstr($_POST['user_email']) . ",
 		user_dob=" . $db->qstr($dob) . " 
 		WHERE
-		user_id=" . $_POST['user_id']
+		user_id=" . (int)$_POST['user_id']
 	;
 
 	$db->Execute($query);
@@ -52,7 +52,7 @@
 		SELECT user_id
 		FROM " . $db->prefix . "_user
 		WHERE
-		user_id=" . $_POST['user_id']
+		user_id=" . (int)$_POST['user_id']
 	;
 
 	$result = $db->Execute($query, 1);
@@ -65,7 +65,7 @@
 		$query = "
 			UPDATE " . $db->prefix . "_user
 			SET user_password=" . $db->qstr(md5($new_password)) . "
-			WHERE user_id=" . $result[0]['user_id']
+			WHERE user_id=" . (int)$result[0]['user_id']
 		;
 
 		$db->Execute($query);
@@ -107,7 +107,7 @@
 	$query = "
 		UPDATE " . $db->prefix . "_user
 		SET user_registration_key=" . $db->qstr($key) . "
-		WHERE user_id=" . $_POST['user_id']
+		WHERE user_id=" . (int)$_POST['user_id']
 	;
 
 	$db->Execute($query);
@@ -215,7 +215,7 @@
 		SELECT user_id, openid_name, user_name, user_email, user_dob, user_live 
 		FROM " . $db->prefix . "_user 
 		WHERE 
-		user_id=".$uri_routing[2]
+		user_id=".(int)$uri_routing[2]
 	;
 
 	$result = $db->Execute($query, 1);

diff --git a/prairie/profile.php b/prairie/profile.php
@@ -50,11 +50,11 @@
 
 		require_once('class/Mail/class.phpmailer.php');
 
-		$email_subject = stripslashes(htmlspecialchars($_POST['contact_subject']));
+		$email_subject = htmlspecialchars($_POST['contact_subject']);
 
 		$mail->Subject = $email_subject;
 
-		$email_message = stripslashes(htmlspecialchars($_POST['contact_message']));
+		$email_message = htmlspecialchars($_POST['contact_message']);
 
 		if (!empty($_POST['contact_email'])) {
 			$email_message .= "\n\n";

diff --git a/prairie/register.php b/prairie/register.php
@@ -44,7 +44,7 @@
 			user_registration_key=NULL,
 			user_live=1 
 			WHERE 
-			user_id=" . $result[0]['user_id']
+			user_id=" . (int)$result[0]['user_id']
 		;
 
 		$db->Execute($query);

diff --git a/prairie/template/account.tpl.php b/prairie/template/account.tpl.php
@@ -35,7 +35,7 @@
 		<div class="box_body">
 			<p>
 				<label for="id_user_name"><?php echo _("Name");?></label>
-				<input type="text" name="user_name" id="id_user_name" value="<?php if (isset($_SESSION['user_name'])) { echo $_SESSION['user_name']; }?>" />
+				<input type="text" name="user_name" id="id_user_name" value="<?php if (isset($_SESSION['user_name'])) { echo htmlspecialchars($_SESSION['user_name']); }?>" />
 			</p>
 
 			<p>
@@ -114,7 +114,7 @@
 
 			<p>
 				<label for="id_user_location"><?php echo _("Location");?></label>
-				<input type="text" name="user_location" id="id_user_location" value="<?php if (isset($_SESSION['user_location'])) echo $_SESSION['user_location']; ?>" />
+				<input type="text" name="user_location" id="id_user_location" value="<?php if (isset($_SESSION['user_location'])) echo htmlspecialchars($_SESSION['user_location']); ?>" />
 			</p>
 
 			<p class="warning">
@@ -123,37 +123,37 @@
 
 			<p>
 				<label for="id_user_nick"><?php echo _("Nickname");?></label>
-				<input type="text" name="user_nick" id="id_user_nick" value="<?php if (isset($_SESSION['user_nick'])) echo $_SESSION['user_nick']; ?>" />
+				<input type="text" name="user_nick" id="id_user_nick" value="<?php if (isset($_SESSION['user_nick'])) echo htmlspecialchars($_SESSION['user_nick']); ?>" />
 			</p>
 			<p>
 				<label for="id_user_gender"><?php echo _("Gender (M/F)");?></label>
-				<input type="text" name="user_gender" id="id_user_gender" value="<?php if (isset($_SESSION['user_gender'])) echo $_SESSION['user_gender']; ?>" />
+				<input type="text" name="user_gender" id="id_user_gender" value="<?php if (isset($_SESSION['user_gender'])) echo htmlspecialchars($_SESSION['user_gender']); ?>" />
 			</p>
 
 			<p>
 				<label for="id_user_postcode"><?php echo _("Postcode");?></label>
-				<input type="text" name="user_postcode" id="id_user_postcode" value="<?php if (isset($_SESSION['user_postcode'])) echo $_SESSION['user_postcode']; ?>" />
+				<input type="text" name="user_postcode" id="id_user_postcode" value="<?php if (isset($_SESSION['user_postcode'])) echo htmlspecialchars($_SESSION['user_postcode']); ?>" />
 			</p>
 
 			<p>
 				<label for="id_user_country"><?php echo _("Country code");?></label>
-				<input type="text" name="user_country" id="id_user_country" value="<?php if (isset($_SESSION['user_country'])) echo $_SESSION['user_country']; ?>" />
+				<input type="text" name="user_country" id="id_user_country" value="<?php if (isset($_SESSION['user_country'])) echo htmlspecialchars($_SESSION['user_country']); ?>" />
 			</p>
 
 
 			<p>
 				<label for="id_user_language"><?php echo _("Preferred Language (EN)");?></label>
-				<input type="text" name="user_language" id="id_user_language" value="<?php if (isset($_SESSION['user_language'])) echo $_SESSION['user_language']; ?>" />
+				<input type="text" name="user_language" id="id_user_language" value="<?php if (isset($_SESSION['user_language'])) echo htmlspecialchars($_SESSION['user_language']); ?>" />
 			</p>
 
 			<p>
 				<label for="id_user_timezone"><?php echo _("Timezone (Europe/Paris)");?></label>
-				<input type="text" name="user_timezone" id="id_user_timezone" value="<?php if (isset($_SESSION['user_timezone'])) echo $_SESSION['user_timezone']; ?>" />
+				<input type="text" name="user_timezone" id="id_user_timezone" value="<?php if (isset($_SESSION['user_timezone'])) echo htmlspecialchars($_SESSION['user_timezone']); ?>" />
 			</p>
 
 			<p>
 				<label for="id_user_birthdate"><?php echo _("Birthdate (YYYY-MM-DD)");?></label>
-				<input type="text" name="user_birthdate" id="id_user_birthdate" value="<?php if (isset($_SESSION['user_birthdate'])) echo $_SESSION['user_birthdate']; ?>" />
+				<input type="text" name="user_birthdate" id="id_user_birthdate" value="<?php if (isset($_SESSION['user_birthdate'])) echo htmlspecialchars($_SESSION['user_birthdate']); ?>" />
 			</p>
 
 			<p class="buttons">
@@ -174,7 +174,7 @@
 
 		<div class="box_body">
 			<div style="text-align:center;">
-				<img src="/get_file.php?avatar=<?php echo $_SESSION['user_id'];?>&amp;width=200" width="200" class="avatar" />
+				<img src="/get_file.php?avatar=<?php echo (int)$_SESSION['user_id'];?>&amp;width=200" width="200" class="avatar" />
 			</div>
 
 			<p>
@@ -206,7 +206,7 @@
 			<p>
 				<?php 
 				$text = _("Your current email address is {1}.");
-				echo str_replace("{1}", $_SESSION['user_email'], $text);
+				echo str_replace("{1}", htmlspecialchars($_SESSION['user_email']), $text);
 				?>
 			</p>
 

diff --git a/prairie/template/editor.tpl.php b/prairie/template/editor.tpl.php
@@ -34,7 +34,7 @@
 		<div class="box_body">
 			<p>
 				<label for="id_webspace_title"><?php echo _("Title");?></label>
-				<input type="text" name="webspace_title" id="id_webspace_title" value="<?php if (isset($webspace['webspace_title'])) { echo $webspace['webspace_title']; }?>" />
+				<input type="text" name="webspace_title" id="id_webspace_title" value="<?php if (isset($webspace['webspace_title'])) { echo htmlspecialchars($webspace['webspace_title']); }?>" />
 			</p>
 
 
@@ -91,7 +91,7 @@ function selectTheme(theme) {
 		<div class="box_body">
 			<p>
 				<label for="id_html"><?php echo _("HTML");?></label>
-				<textarea id="id_html" name="html" class="mceEditor"><?php if (isset($webspace['webspace_html'])) echo $webspace['webspace_html']; ?></textarea>
+				<textarea id="id_html" name="html" class="mceEditor"><?php if (isset($webspace['webspace_html'])) echo htmlspecialchars($webspace['webspace_html']); ?></textarea>
 				<script  type="text/javascript">
 				tinyMCE.init({
 			// General options