project-open / intranet-helpdesk
Commit 366289b2 authored Jun 11, 2020 by Frank Bergmann
- Improving security by adding -limit_to xxx to all im_opt_val calls
parent af67e4f3
Changes: 3
Showing 3 changed files with 10 additions and 13 deletions (+10 -13)
tcl/intranet-helpdesk-procs.tcl  +1 -4
www/index.tcl  +2 -2
www/new.tcl  +7 -7
tcl/intranet-helpdesk-procs.tcl
...
...
@@ -1842,13 +1842,10 @@ ad_proc im_helpdesk_member_add_queue_component {
set passthrough
{
object_id return_url also_add_to_object_id limit_to_users_in_group_id
}
foreach var
$passthrough
{
if
{
!
[
info
exists
$var
]}
{
set
$var
[
im_opt_val
$var
]
}
if
{
!
[
info
exists
$var
]}
{
set
$var
[
im_opt_val
-limit_to nohtml
$var
]
}
}
set role_id
[
im_biz_object_role_full_member
]
# !!!
set result
"
<form method=GET action=/intranet/member-add-2>
[
export_vars -form
{
passthrough
{
notify_asignee 0
}}]
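Review bot: `-limit_to nohtml` is the wrong type for most of the `passthrough` list in this hunk; `object_id`, `also_add_to_object_id` and `limit_to_users_in_group_id` are numeric ids and should be read with `-limit_to integer`, as this same commit does for `ticket_sla_id` in www/index.tcl, and `return_url` needs a URL/path check rather than an HTML filter because it is re-emitted through `export_vars -form` into the `/intranet/member-add-2` form. Please also remove or explain the `# !!!` marker left above `set result`.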
...
...
www/index.tcl
...
...
@@ -142,7 +142,7 @@ db_foreach column_list_sql $column_sql {
UNION select 'end_date'
"
db_foreach pass_through_vars
$dynfield
_sql
{
set value
[
im_opt_val
$attribute
_name
]
set value
[
im_opt_val
-limit_to nohtml
$attribute
_name
]
if
{
""
!=
$value
}
{
append col_url
"&
$attribute
_name=
$value
"
}
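Review bot: the value is still interpolated raw into `col_url` as `&$attribute_name=$value`; `-limit_to nohtml` strips markup but does not URL-encode, so a value containing `&`, `=` or `#` can still split or truncate the query string. Encode at the append, e.g. `append col_url "&${attribute_name}=[ns_urlencode $value]"`, or build the query with `export_vars -url` instead of string concatenation.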
...
...
@@ -741,7 +741,7 @@ ad_form \
-form
$ticket
_elements
template::element::set_value
$form
_id ticket_nr
[
im_ticket::next_ticket_nr
]
template::element::set_value
$form
_id ticket_sla_id
[
im_opt_val ticket_sla_id
]
template::element::set_value
$form
_id ticket_sla_id
[
im_opt_val
-limit_to integer
ticket_sla_id
]
if
{
$edit
_ticket_status_p
}
{
template::element::set_value
$form
_id ticket_status_id
[
im_ticket_status_open
]
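Review bot: please document what `im_opt_val -limit_to integer` returns when `ticket_sla_id` is present in the request but is not an integer. If it returns an empty string, `template::element::set_value` silently clears the default, which is acceptable here; if it throws, this page now errors on a malformed query parameter instead of rendering the form. The other `-limit_to` call sites in this commit depend on the same behaviour, so it should be stated in the proc's docs and covered by a test.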
...
...
www/new.tcl
...
...
@@ -407,7 +407,7 @@ if {(![info exists ticket_customer_id] || $ticket_customer_id eq "") && ([info e
# Fetch variable values from the HTTP session and write to local variables
set
url_vars_set
[
ns_conn form
]
foreach
var_from_url
$vars
_from_url
{
ad_set_element_value -element
$var
_from_url
[
im_opt_val
$var
_from_url
]
ad_set_element_value -element
$var
_from_url
[
im_opt_val
-limit_to nohtml
$var
_from_url
]
}
if
{
"new"
==
$ticket
_sla_id &&
$add
_projects_p
}
{
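Review bot: every variable in `vars_from_url` is filtered with a blanket `-limit_to nohtml` before being pushed into form elements via `ad_set_element_value`; `nohtml` is the loosest of the `-limit_to` types used in this commit, and any id-typed variables in that list would be validated more tightly with `-limit_to integer`. Consider deriving the type from the element definition or the variable name rather than applying one filter to all of them. Minor: `url_vars_set` is assigned from `ns_conn form` but not used in the visible lines of this hunk.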
...
...
@@ -431,7 +431,7 @@ if {"new" == $ticket_sla_id && $add_projects_p} {
# calculate the vars for _this_ form
set export_vars_varlist
[
list
]
foreach form_var
$form
_vars
{
lappend export_vars_varlist
[
list
$form
_var
[
im_opt_val
$form
_var
]]
lappend export_vars_varlist
[
list
$form
_var
[
im_opt_val
-limit_to nohtml
$form
_var
]]
}
# Add the
"vars_from_url"
to tell this form to set from values for these vars when we're back again.
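Review bot: this `export_vars_varlist` loop is duplicated verbatim in the hunk at -482 below, and the `-limit_to nohtml` rule is now embedded in both copies, so a later change to one will silently miss the other. Factor the loop into a helper proc (for example `im_helpdesk_export_vars_varlist $form_vars`, a suggested name, not an existing one) and call it from both places.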
...
...
@@ -473,7 +473,7 @@ if {"new" == $ticket_customer_contact_id && $user_can_create_new_customer_contac
if
{
$var
in
{
"ticket_id"
"ticket_customer_contact_id"
"object_type"
}}
{
continue
}
if
{[
regexp
{
^__
}
$var
match
]}
{
continue
}
;
# Exclude __* system form vars
if
{[
regexp
{[
\:\.
]}
$var
match
]}
{
continue
}
;
# Exclude vars with ":", "." ...
set val
[
im_opt_val
$var
]
set val
[
im_opt_val
-limit_to nohtml
$var
]
if
{
""
eq
$val
}
{
continue
}
set form_vars_hash
(
$var
)
$var
}
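Review bot: the variable filter here is a deny-list: only `ticket_id`, `ticket_customer_contact_id`, `object_type`, `__*` names and names containing `:` or `.` are skipped, so any new request variable is passed through by default. `-limit_to nohtml` on the value helps, but an explicit allow-list (or at least a check that `$var` is one of `$form_vars`) would be safer. Please also confirm that `set form_vars_hash($var) $var` is meant to store the name rather than `$val`; as written, `val` is only used for the empty check. Minor: the `match` capture variable in both `regexp` calls is unused and can be dropped.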
...
...
@@ -482,7 +482,7 @@ if {"new" == $ticket_customer_contact_id && $user_can_create_new_customer_contac
# calculate the vars for _this_ form
set export_vars_varlist
[
list
]
foreach form_var
$form
_vars
{
lappend export_vars_varlist
[
list
$form
_var
[
im_opt_val
$form
_var
]]
lappend export_vars_varlist
[
list
$form
_var
[
im_opt_val
-limit_to nohtml
$form
_var
]]
}
# Add the
"vars_from_url"
to tell this form to set from values for these vars when we're back again.
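Review bot: this is the second copy of the `export_vars_varlist` loop (the first is in the hunk at -431); keep the `-limit_to nohtml` sanitisation in a single shared proc rather than patching both copies, so the two code paths cannot drift apart.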
...
...
@@ -1061,9 +1061,9 @@ if {$view_tickets_all_p} {
{
ticket_sla_id:text
(
select
)
,optional
{
label
"
[
lang::message::lookup
{}
intranet-helpdesk.SLA SLA
]
"
}
{
options
$ticket
_sla_options
}}
}
template::element::set_value
$form
_id ticket_status_id
[
im_opt_val ticket_status_id
]
template::element::set_value
$form
_id ticket_type_id
[
im_opt_val ticket_type_id
]
template::element::set_value
$form
_id ticket_queue_id
[
im_opt_val ticket_queue_id
]
template::element::set_value
$form
_id ticket_status_id
[
im_opt_val
-limit_to integer
ticket_status_id
]
template::element::set_value
$form
_id ticket_type_id
[
im_opt_val
-limit_to integer
ticket_type_id
]
template::element::set_value
$form
_id ticket_queue_id
[
im_opt_val
-limit_to integer
ticket_queue_id
]
}
template::element::set_value
$form
_id mine_p
$mine
_p
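Review bot: the three id values now use `-limit_to integer`, which is the right type, but `mine_p` in the trailing context (`template::element::set_value $form_id mine_p $mine_p`) is not shown to go through `im_opt_val` at all. If `mine_p` comes from the request, it should be declared with a type in `ad_page_contract` or read with `-limit_to integer` as well, so every form default set in this block is validated the same way.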
...
...