X-Git-Url: http://git.cyclocoop.org/?p=lhc%2Fweb%2Fclavette_www.git;a=blobdiff_plain;f=www%2Fecrire%2Fexec%2Fvalider_xml.php;h=b6a8fbef01fbe8373ef29b6b4167536c0c1e2081;hp=db3ee92089530ba71a580c97112fbd76d7bf7d28;hb=cc641eb476987612f6d6df1a5417c1c5582a8ab8;hpb=7d84a490677fb716a1fd4df260f8eab35f6a8506 diff --git a/www/ecrire/exec/valider_xml.php b/www/ecrire/exec/valider_xml.php index db3ee92..b6a8fbe 100644 --- a/www/ecrire/exec/valider_xml.php +++ b/www/ecrire/exec/valider_xml.php @@ -3,7 +3,7 @@ /***************************************************************************\ * SPIP, Systeme de publication pour l'internet * * * - * Copyright (c) 2001-2014 * + * Copyright (c) 2001-2016 * * Arnaud Martin, Antoine Pitrou, Philippe Riviere, Emmanuel Saint-James * * * * Ce programme est un logiciel libre distribue sous licence GNU/GPL. * 
@@ -27,23 +27,60 @@ include_spip('public/debusquer'); // http://doc.spip.org/@exec_valider_xml_dist function exec_valider_xml_dist() { - if (!autoriser('sauvegarder')) { + if (!autoriser('webmestre')) { include_spip('inc/minipres'); echo minipres(); - } else valider_xml_ok(_request('var_url'), _request('ext'), intval(_request('limit')), _request('recur')); + } else { + $erreur = ""; + // verifier que les var de l'URL sont conformes avant d'appeler la fonction + $url = trim(_request('var_url')); + if (strncmp($url,'/',1)==0) $erreur = 'Chemin absolu interdit pour var_url'; + // on a pas le droit de remonter plus de 1 fois dans le path (pas 2 occurences de ../ ou ..\ (win)) + if (($p=strpos($url,'..'))!==false AND strpos($url,'..',$p+3)!==false) $erreur = 'Interdit de remonter en dehors de la racine'; + if (strpos($url,'://')!==false or strpos($url,':\\')!==false) $erreur = 'URL absolue interdite pour var_url'; + + $ext = trim(_request('ext')); + $ext = ltrim($ext,'.'); // precaution + if (preg_match('/\W/',$ext)) $erreur = 'Extension invalide'; + + // en GET var_url doit etre signee, en POST seule l'action est signee + // CSRF safe + $process = true; + if ($url){ + include_spip('inc/securiser_action'); + if ($_SERVER["REQUEST_METHOD"]=='POST'){ + if (!$token = _request('var_token') + or !verifier_cle_action("valider_xml",$token)){ + $process = false; + } + } + if ($_SERVER["REQUEST_METHOD"]!='POST'){ + if (!$token = _request('var_token') + or !verifier_cle_action("valider_xml&var_url=$url",$token)){ + $process = false; + } + } + } + + if ($erreur){ + include_spip('inc/minipres'); + echo minipres($erreur); + } + else { + valider_xml_ok($url, $ext, intval(_request('limit')), _request('recur'), $process); + } + } } // http://doc.spip.org/@valider_xml_ok -function valider_xml_ok($url, $req_ext, $limit, $rec) -{ +function valider_xml_ok($url, $req_ext, $limit, $rec, $process = true) { $url = urldecode($url); $rec = !$rec ? 
false : array(); if (!$limit) $limit = 200; $titre = _T('analyse_xml'); if (!$url) { - $url_aff = 'http://'; - $onfocus = "this.value='';"; - $texte = $bandeau = $err = ''; + $url_aff = ''; + $bandeau = $err = ''; } else { include_spip('inc/distant'); @@ -78,24 +115,28 @@ function valider_xml_ok($url, $req_ext, $limit, $rec) } } else { $dir = 'exec'; $script = $url; $args = true;} - $transformer_xml = charger_fonction('valider', 'xml'); - $onfocus = "this.value='" . addslashes($url) . "';"; - if (preg_match(',^[a-z][0-9a-z_]*$,i', $url)) { - $res = $transformer_xml(charger_fonction($url, $dir), $args); - $url_aff = valider_pseudo_url($dir, $script); - } else { - $res = $transformer_xml(recuperer_page($url)); - $url_aff = entites_html($url); - } - list($texte, $err) = emboite_texte($res); - if (!$err) { - $err = '
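Review bot: The new path checks in exec_valider_xml_dist (`strncmp` for a leading `/`, the two `strpos` tests for `..` and `://`) run on the raw `_request('var_url')` value, but valider_xml_ok then calls `urldecode($url)` on that same value at the end of this hunk, so an encoded form such as `%2e%2e%2f` or `%3a%2f%2f` passes every test and only becomes `../` or `://` after validation; on the POST path, where only the action is signed, anyone who can submit the form can send such a value. Validate the form the consumer will see: add `$check = urldecode($url);` right after the `trim` and run the three tests against `$check`, keeping the raw `$url` for `verifier_cle_action` so the GET signature still matches what valider_resultats signs. The leading-slash test also only catches `/`; whether a value starting with `\` matters depends on what `recuperer_page` does with it, which is outside this hunk. valider_xml_ok's body continues past the end of the hunk.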

' . _T('spip_conforme_dtd') . '

'; + $url_aff = entites_html($url); + $bandeau = ""; + $res = ""; + if ($process) { + $transformer_xml = charger_fonction('valider', 'xml'); + if (preg_match(',^[a-z][0-9a-z_]*$,i', $url)) { + $res = $transformer_xml(charger_fonction($url, $dir), $args); + $url_aff = valider_pseudo_url($dir, $script); + } else { + $res = $transformer_xml(recuperer_page($url)); + $url_aff = entites_html($url); + } + list($texte, $err) = emboite_texte($res); + if (!$err) { + $err = '

' . _T('spip_conforme_dtd') . '

'; + } + $res = + "
" . $err . "
" . + "
" . $texte . '
'; + $bandeau = "".$url_aff.""; } - $res = - "
" . $err . "
" . - "
" . $texte . '
'; - $bandeau = "$url"; } } @@ -103,19 +144,34 @@ function valider_xml_ok($url, $req_ext, $limit, $rec) $debut = $commencer_page($titre); $jq = http_script("", 'jquery.js'); + echo str_replace('', "$jq", $debut); - $onfocus = ''; - $onfocus = generer_form_ecrire('valider_xml', $onfocus, " method='get'"); + include_spip('inc/securiser_action'); + $token = calculer_cle_action("valider_xml"); + $texte = ''; + $texte .= ''; + $texte .= ''; + $texte .= ''; + $texte = generer_form_ecrire('valider_xml', $texte, " method='post'"); + + $self = generer_url_ecrire('valider_xml'); + $self = parametre_url($self, 'var_url', $url); + $self = parametre_url($self, 'ext', $req_ext); + $self = parametre_url($self, 'limit', $limit); + $self = parametre_url($self, 'rec', $rec); + $self = "$self"; - echo "
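Review bot: When `$process` is false (the var_token check in exec_valider_xml_dist failed) the new `if ($process)` block is skipped and the page is rendered with `$res = ""` and `$bandeau = ""`, so a rejected request is indistinguishable from a page with no result and nothing tells the user or the logs that a stale or forged link was refused. Add an explicit branch, e.g. `else { $res = '<p class="erreur">var_token absent ou invalide pour ' . $url_aff . '</p>'; }` (with the text routed through the project's `_T()` if a string exists for it), so the refusal is visible. The markup around `$err` and `$texte` in the `$res` concatenation appears stripped by the viewer, so I cannot confirm from this page how those fragments are escaped. valider_xml_ok starts before this hunk and continues past it.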

", $titre, '
', $bandeau, '

', - "
", $onfocus, "
", + echo "

", $titre, " $bandeau", '

', + "
", $texte, "
", $res, + "

$self

", fin_page(); } // http://doc.spip.org/@valider_resultats function valider_resultats($res, $mode) { + include_spip('inc/securiser_action'); $i = $j = 0; $table = ''; rsort($res); @@ -132,10 +188,14 @@ function valider_resultats($res, $mode) ($erreurs[0][0] . ' ' . _T('ligne') . ' ' . $erreurs[0][1] .($nb==1? '': ' ...')); if ($err) $j++; - $h = $mode - ? ($appel . '&var_mode=debug&var_mode_affiche=validation') - : generer_url_ecrire('valider_xml', "var_url=" . urlencode($appel)); - + if ($mode) { + $h = $appel . '&var_mode=debug&var_mode_affiche=validation'; + } + else { + $h = generer_url_ecrire('valider_xml', "var_url=" . urlencode($appel)); + $h = parametre_url($h,'var_token', calculer_cle_action("valider_xml&var_url=$appel")); + } + $table .= "" . "$nb" . "$texte"