Commit 8f7c9ea6 authored by Frank Bergmann's avatar Frank Bergmann

- Improving security by adding -limit_to xxx to all im_opt_val calls

parent 998f1026
...@@ -161,7 +161,7 @@ ad_proc -private im_rest_authenticate { ...@@ -161,7 +161,7 @@ ad_proc -private im_rest_authenticate {
# internal debugging: Try to track down issue #42853 # internal debugging: Try to track down issue #42853
if {[im_table_exists crm_online_interactions]} { if {[im_table_exists crm_online_interactions]} {
set user_system_id [im_opt_val system_id] set user_system_id [im_opt_val -limit_to nohtml system_id]
if {"" ne $user_system_id} { if {"" ne $user_system_id} {
crm_basic_interaction -interaction_type_id 3235 -system_id $user_system_id -message [im_url_with_query] crm_basic_interaction -interaction_type_id 3235 -system_id $user_system_id -message [im_url_with_query]
} }
......
...@@ -591,10 +591,10 @@ ad_proc -private im_rest_post_object_type_im_company { ...@@ -591,10 +591,10 @@ ad_proc -private im_rest_post_object_type_im_company {
ns_log Notice "im_rest_post_object_type_$rest_otype: Create new main_office_id for company" ns_log Notice "im_rest_post_object_type_$rest_otype: Create new main_office_id for company"
# Make sure all important fields are somehow defined # Make sure all important fields are somehow defined
if {![info exists office_name] || "" == $office_name} { set office_name "[im_opt_val company_name] Main Office" } if {![info exists office_name] || "" == $office_name} { set office_name "[im_opt_val -limit_to nohtml company_name] Main Office" }
if {![info exists office_path] || "" == $office_path} { if {![info exists office_path] || "" == $office_path} {
# Take company_name, make it lower and replace any strange chars with "_" # Take company_name, make it lower and replace any strange chars with "_"
set office_path [string tolower [im_opt_val company_name]] set office_path [string tolower [im_opt_val -limit_to nohtml company_name]]
regsub -all {[^a-z0-9]} $office_path "_" office_path regsub -all {[^a-z0-9]} $office_path "_" office_path
} }
if {![info exists office_status_id] || "" == $office_status_id} { set office_status_id [im_office_status_active] } if {![info exists office_status_id] || "" == $office_status_id} { set office_status_id [im_office_status_active] }
...@@ -1389,12 +1389,12 @@ ad_proc -private im_rest_post_object_type_im_hour_interval { ...@@ -1389,12 +1389,12 @@ ad_proc -private im_rest_post_object_type_im_hour_interval {
if {![info exists $var]} { if {![info exists $var]} {
return [im_rest_error -format $format -http_status 406 -message "Variable '$var' not specified. The following variables are required: $required_vars"] return [im_rest_error -format $format -http_status 406 -message "Variable '$var' not specified. The following variables are required: $required_vars"]
} }
# Fix timestamp format between JavaScript and PostgreSQL 8.4/9.x # Fix timestamp format between JavaScript and PostgreSQL 8.4/9.x
# Wed Jul 23 2014 19:23:26 GMT+0200 (Romance Daylight Time) # Wed Jul 23 2014 19:23:26 GMT+0200 (Romance Daylight Time)
switch $var { switch $var {
interval_start - interval_end { interval_start - interval_end {
set val [im_rest_normalize_timestamp [im_opt_val $var]] set val [im_rest_normalize_timestamp [im_opt_val -limit_to nohtml $var]]
set $var $val set $var $val
set hash_array($var) $val set hash_array($var) $val
} }
......
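Review bot: In the first hunk the new `-limit_to nohtml` on `system_id` only strips markup from that one value, while `-message [im_url_with_query]` on the following line — presumably built from the current request URL and query string — is passed to crm_basic_interaction with no filtering at all, so if that proc stores or renders the message unescaped the same class of injection the commit is addressing remains open. Either route the message through the same nohtml treatment before the call, or make the escaping responsibility explicit with a comment such as `# message is request-derived; crm_basic_interaction must escape it before storage/display`. If `system_id` is a numeric identifier, a stricter numeric `-limit_to` (if im_opt_val offers one) would be tighter than nohtml, since nohtml still admits arbitrary text into the -system_id argument. The nohtml limit on `office_path` in the second hunk is harmless but redundant, because the following `regsub -all {[^a-z0-9]}` already reduces the value to lowercase alphanumerics and underscores. The enclosing procs im_rest_authenticate, im_rest_post_object_type_im_company and im_rest_post_object_type_im_hour_interval all start and end outside the visible hunks.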