Quick fix to the sanitization
- the double sanitization needed a quick fix until the development branch gets merged in the future
pull/195/head
parent
7cc15743c1
commit
6e9b19ce51
|
@ -103,16 +103,8 @@ class AttributesController extends AppController {
|
|||
public function index() {
|
||||
$this->Attribute->recursive = 0;
|
||||
$this->set('isSearch', 0);
|
||||
|
||||
// Sanitize::clean
|
||||
$paginated = $this->paginate();
|
||||
foreach ($paginated as &$attribute) {
|
||||
$attribute['Attribute']['value'] = $this->beforeSanitizeClean($attribute['Attribute']['value']); // TODO generic
|
||||
}
|
||||
$attributes = Sanitize::clean($paginated, array('remove' => true, 'remove_html' => true, 'encode' => true, 'newline' => true));
|
||||
foreach ($attributes as &$attribute) {
|
||||
$attribute['Attribute']['value'] = $this->counterSanitizeClean($attribute['Attribute']['value']); // TODO generic
|
||||
}
|
||||
$attributes = $paginated;
|
||||
$this->set('attributes', $attributes);
|
||||
|
||||
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
|
||||
|
@ -170,7 +162,7 @@ class AttributesController extends AppController {
|
|||
continue; // don't do anything for empty lines
|
||||
|
||||
$this->Attribute->create();
|
||||
$this->request->data['Attribute']['value'] = Sanitize::clean($attribute); // set the value as the content of the single line
|
||||
$this->request->data['Attribute']['value'] = $attribute; // set the value as the content of the single line
|
||||
$this->request->data = $this->Attribute->massageData($this->request->data);
|
||||
// TODO loop-holes,
|
||||
// there seems to be a loop-hole in misp here
|
||||
|
@ -305,11 +297,11 @@ class AttributesController extends AppController {
|
|||
$file = $this->Attribute->data['Attribute']['id'];
|
||||
$filename = '';
|
||||
if ('attachment' == $this->Attribute->data['Attribute']['type']) {
|
||||
$filename = Sanitize::clean($this->Attribute->data['Attribute']['value']);
|
||||
$filename = $this->Attribute->data['Attribute']['value'];
|
||||
$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
|
||||
$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
|
||||
} elseif ('malware-sample' == $this->Attribute->data['Attribute']['type']) {
|
||||
$filenameHash = explode('|', Sanitize::clean($this->Attribute->data['Attribute']['value']));
|
||||
$filenameHash = explode('|', $this->Attribute->data['Attribute']['value']);
|
||||
$filename = $filenameHash[0];
|
||||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
||||
$fileExt = "zip";
|
||||
|
@ -591,7 +583,7 @@ class AttributesController extends AppController {
|
|||
$this->request->data = $this->Attribute->read(null, $id);
|
||||
}
|
||||
|
||||
$this->set('attribute', Sanitize::clean($this->request->data));
|
||||
$this->set('attribute', $this->request->data);
|
||||
|
||||
// enabling / disabling the distribution field in the edit view based on whether user's org == orgc in the event
|
||||
$this->loadModel('Event');
|
||||
|
@ -866,7 +858,7 @@ class AttributesController extends AppController {
|
|||
// re-get pagination
|
||||
$this->Attribute->recursive = 0;
|
||||
$this->paginate = $this->Session->read('paginate_conditions');
|
||||
$attributes = Sanitize::clean($this->paginate(), array('remove' => true, 'remove_html' => true, 'encode' => true, 'newline' => true));
|
||||
$attributes = $this->paginate();
|
||||
foreach ($attributes as &$attribute) {
|
||||
$attribute['Attribute']['value'] = str_replace('\n', chr(10), $attribute['Attribute']['value']);
|
||||
}
|
||||
|
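Review bot: In the download hunk, `$filename = $this->Attribute->data['Attribute']['value'];` now feeds `pathinfo()` and the `substr`/`strrpos` logic with the stored value untouched, and nothing in the hunk strips path separators or CR/LF from it; where `$filename` ends up (a `Content-Disposition` header or a path) is outside the hunk, but `Sanitize::clean` was the only filter and it is gone. Since `$file` is built from the attribute id, the filesystem side looks unaffected; the header side should be normalized once after the type branches, e.g. `$filename = basename(str_replace('\\', '/', $filename));` followed by `$filename = preg_replace('/[\x00-\x1f"]/', '', $filename);`. Note also that when a malware-sample name contains no backslash, `strrpos()` returns `false` and `substr($filenameHash[0], false)` yields the whole string, which works only by accident and deserves a comment. The download action continues past the hunk.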
|
|
@ -114,16 +114,8 @@ class EventsController extends AppController {
|
|||
public function index() {
|
||||
// list the events
|
||||
$this->Event->recursive = 0;
|
||||
|
||||
// Sanitize::clean
|
||||
$paginated = $this->paginate();
|
||||
foreach ($paginated as &$event) {
|
||||
$event['Event']['info'] = $this->beforeSanitizeClean($event['Event']['info']); // TODO generic
|
||||
}
|
||||
$events = Sanitize::clean($paginated, array('remove' => true, 'remove_html' => true, 'encode' => true, 'newline' => true));
|
||||
foreach ($events as &$event) {
|
||||
$event['Event']['info'] = $this->counterSanitizeClean($event['Event']['info']); // TODO generic
|
||||
}
|
||||
$events = $paginated;
|
||||
$this->set('events', $events);
|
||||
|
||||
if (!$this->Auth->user('gpgkey')) {
|
||||
|
@ -269,20 +261,7 @@ class EventsController extends AppController {
|
|||
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
|
||||
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
|
||||
|
||||
// Sanitize::clean
|
||||
$this->Event->data['Event']['info'] = $this->beforeSanitizeClean($this->Event->data['Event']['info']);
|
||||
if (isset($this->Event->data['Attribute'])) {
|
||||
foreach ($this->Event->data['Attribute'] as &$attribute) {
|
||||
$attribute['value'] = $this->beforeSanitizeClean($attribute['value']);
|
||||
}
|
||||
}
|
||||
$event = Sanitize::clean($this->Event->data, array('remove' => true, 'remove_html' => true, 'encode' => true, 'newline' => true));
|
||||
$event['Event']['info'] = $this->counterSanitizeClean($event['Event']['info']);
|
||||
if (isset($event['Attribute'])) {
|
||||
foreach ($event['Attribute'] as &$attribute) {
|
||||
$attribute['value'] = $this->counterSanitizeClean($attribute['value']);
|
||||
}
|
||||
}
|
||||
$event = $this->Event->data;
|
||||
$this->set('event', $event);
|
||||
$this->set('relatedEvents', $relatedEvents);
|
||||
|
||||
|
@ -572,7 +551,7 @@ class EventsController extends AppController {
|
|||
|
||||
$message = 'Saved';
|
||||
|
||||
$this->set('event', Sanitize::clean($this->Event->data));
|
||||
$this->set('event', $this->Event->data);
|
||||
//if published -> do the actual publishing
|
||||
if ((!empty($this->request->data['Event']['published']) && 1 == $this->request->data['Event']['published'])) {
|
||||
// do the necessary actions to publish the event (email, upload,...)
|
||||
|
@ -600,7 +579,7 @@ class EventsController extends AppController {
|
|||
// always force the org, but do not force it for admins
|
||||
if (!$this->_isSiteAdmin()) {
|
||||
// set the same org as existed before
|
||||
$this->request->data['Event']['org'] = Sanitize::clean($this->Event->data['Event']['org']);
|
||||
$this->request->data['Event']['org'] = $this->Event->data['Event']['org'];
|
||||
}
|
||||
// we probably also want to remove the published flag
|
||||
$this->request->data['Event']['published'] = 0;
|
||||
|
@ -944,7 +923,7 @@ class EventsController extends AppController {
|
|||
// prepare the the unencrypted email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
//$this->Email->to = "CyDefSIG <sig@cyber-defence.be>"; TODO check if it doesn't break things to not set a to , like being spammed away
|
||||
$this->Email->bcc = Sanitize::clean($alertEmails);
|
||||
$this->Email->bcc = $alertEmails;
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
|
||||
$this->Email->template = 'body';
|
||||
$this->Email->sendAs = 'text'; // both text or html
|
||||
|
@ -973,7 +952,7 @@ class EventsController extends AppController {
|
|||
foreach ($alertUsers as &$user) {
|
||||
// send the email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
$this->Email->to = Sanitize::clean($user['User']['email']);
|
||||
$this->Email->to = $user['User']['email'];
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
|
||||
$this->Email->template = 'body';
|
||||
$this->Email->sendAs = 'text'; // both text or html
|
||||
|
@ -1036,7 +1015,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
// User didn't see the contact form yet. Present it to him.
|
||||
if (empty($this->data)) {
|
||||
$this->data = Sanitize::clean($this->Event->read(null, $id));
|
||||
$this->data = $this->Event->read(null, $id);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1168,7 +1147,7 @@ class EventsController extends AppController {
|
|||
|
||||
// prepare the email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
$this->Email->to = Sanitize::clean($reporter['User']['email']);
|
||||
$this->Email->to = $reporter['User']['email'];
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Need info about event " . $id . " - TLP Amber";
|
||||
//$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
|
||||
$this->Email->template = 'body';
|
||||
|
@ -1275,7 +1254,7 @@ class EventsController extends AppController {
|
|||
)
|
||||
);
|
||||
$results = $this->Event->find('all', $params);
|
||||
$this->set('results', Sanitize::clean($results));
|
||||
$this->set('results', $results);
|
||||
}
|
||||
|
||||
public function nids($key) {
|
||||
|
@ -1325,7 +1304,7 @@ class EventsController extends AppController {
|
|||
print $rule . "\n";
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
$this->set('rules', $rules);
|
||||
}
|
||||
|
||||
public function hids_md5($key) {
|
||||
|
@ -1376,7 +1355,7 @@ class EventsController extends AppController {
|
|||
print $rule . "\n";
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
$this->set('rules', $rules);
|
||||
} else {
|
||||
print "Not any MD5 found to export\n";
|
||||
}
|
||||
|
@ -1432,7 +1411,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
$this->set('rules', $rules);
|
||||
} else {
|
||||
print "No SHA-1 found to export\n";
|
||||
}
|
||||
|
@ -1477,7 +1456,7 @@ class EventsController extends AppController {
|
|||
);
|
||||
$attributes = $this->Attribute->find('all', $params);
|
||||
|
||||
$this->set('attributes', Sanitize::clean($attributes));
|
||||
$this->set('attributes', $attributes);
|
||||
}
|
||||
|
||||
//public function dot($key) {
|
||||
|
@ -1911,7 +1890,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
$this->set('rules', $rules);
|
||||
} else {
|
||||
print "No SHA-1 found to export\n";
|
||||
}
|
||||
|
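Review bot: With `Sanitize::clean` dropped from `$this->set('rules', $rules);` in the `nids`/`hids_md5`/`hids_sha1` export actions, the rule strings reach the view with no server-side cleaning, and the surrounding `print "#</pre>\n";` lines show this output is wrapped in HTML rather than served as plain text. The rule bodies are presumably built from attribute values (outside the hunk), so unless the export views apply `h()` to each rule, a stored value containing `</pre><script>` is rendered as markup. Either confirm those views escape per rule, or serve these actions with a text content type so the output cannot be interpreted as HTML. Printing directly from the controller next to `$this->set()` also bypasses the view layer and makes it unclear which path renders the rules; consolidate on one. The export methods extend beyond the hunk.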
|
|
@ -44,14 +44,14 @@ foreach ($attributes as $attribute):
|
|||
<?php echo h($attribute['Attribute']['type']); ?> </td>
|
||||
<td onclick="document.location ='<?php echo $this->Html->url(array('controller' => 'events', 'action' => 'view', $attribute['Attribute']['event_id']), true);?>';">
|
||||
<?php
|
||||
$sigDisplay = nl2br($attribute['Attribute']['value']);
|
||||
$sigDisplay = nl2br(h($attribute['Attribute']['value']));
|
||||
if ('attachment' == $attribute['Attribute']['type'] || 'malware-sample' == $attribute['Attribute']['type']) {
|
||||
echo $this->Html->link($sigDisplay, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']), array('escape' => FALSE));
|
||||
} elseif ('link' == $attribute['Attribute']['type']) {
|
||||
if (isset($attribute['Attribute']['ValueNoScript'])) {
|
||||
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['valueNoScript']), array('escape' => FALSE));
|
||||
echo $this->Html->link($sigDisplay, nl2br(h($attribute['Attribute']['valueNoScript'])), array('escape' => FALSE));
|
||||
} else {
|
||||
echo $this->Html->link($sigDisplay, nl2br($attribute['Attribute']['value']), array('escape' => FALSE));
|
||||
echo $this->Html->link($sigDisplay, nl2br(h($attribute['Attribute']['value'])), array('escape' => FALSE));
|
||||
}
|
||||
} else {
|
||||
echo $sigDisplay;
|
||||
|
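Review bot: In the `link` branch, `nl2br(h($attribute['Attribute']['value']))` is used as the href, but `h()` only HTML-encodes; it leaves a `javascript:` or `data:` URL intact, so a link attribute with such a value still becomes a clickable script link, and `nl2br()` inserts `<br />` into the URL. Check the scheme before linking and pass the raw value as the URL: `$href = $attribute['Attribute']['value'];` then `if (preg_match('#^https?://#i', $href)) { echo $this->Html->link($sigDisplay, $href, array('escape' => FALSE)); } else { echo $sigDisplay; }`. Whether `Html->link` still escapes the href attribute under `'escape' => FALSE` depends on the CakePHP version in use, so verify that as well. Separately, the context line tests `isset(...['ValueNoScript'])` while the new line reads `['valueNoScript']`; the key case differs, so that branch likely never runs.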
|
|
@ -91,7 +91,7 @@ endif; ?>
|
|||
</dd -->
|
||||
<dt>Info</dt>
|
||||
<dd>
|
||||
<?php echo nl2br($event['Event']['info']); ?>
|
||||
<?php echo nl2br(h($event['Event']['info'])); ?>
|
||||
|
||||
</dd>
|
||||
</dl><br />
|
||||
|
@ -104,7 +104,7 @@ if (!empty($relatedEvents)):?>
|
|||
foreach ($relatedEvents as $relatedEvent): ?>
|
||||
<li><?php
|
||||
$linkText = $relatedEvent['Event']['date'] . ' (' . $relatedEvent['Event']['id'] . ')';
|
||||
echo "<div \" title = \"".$relatedEvent['Event']['info']."\">";
|
||||
echo "<div \" title = \"".h($relatedEvent['Event']['info'])."\">";
|
||||
if ($relatedEvent['Event']['org'] == $me['org']) {
|
||||
echo $this->Html->link($linkText, array('controller' => 'events', 'action' => 'view', $relatedEvent['Event']['id']), array('class' => 'SameOrgLink'));
|
||||
} else {
|
||||
|
@ -152,9 +152,9 @@ if (!empty($event['Attribute'])):?>
|
|||
echo $typeDefinitions[$attribute['type']]['desc'];?>"><?php
|
||||
echo $attribute['type'];?></td>
|
||||
<td><?php
|
||||
$sigDisplay = nl2br($attribute['value']);
|
||||
$sigDisplay = nl2br(h($attribute['value']));
|
||||
if ('attachment' == $attribute['type'] || 'malware-sample' == $attribute['type'] ) {
|
||||
$filenameHash = explode('|', $attribute['value']);
|
||||
$filenameHash = explode('|', nl2br(h($attribute['value'])));
|
||||
if (strrpos($filenameHash[0], '\\')) {
|
||||
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\'));
|
||||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
||||
|
@ -181,7 +181,7 @@ if (!empty($event['Attribute'])):?>
|
|||
$first = 0;
|
||||
if (isset($relatedAttributes[$attribute['id']]) && (null != $relatedAttributes[$attribute['id']])) {
|
||||
foreach ($relatedAttributes[$attribute['id']] as $relatedAttribute) {
|
||||
echo "<span title = \"".$relatedAttribute['Attribute']['event_info']."\">";
|
||||
echo "<span title = \"".h($relatedAttribute['Attribute']['event_info'])."\">";
|
||||
if ($relatedAttribute['Attribute']['relatedOrg'] == $me['org']) {
|
||||
echo $this->Html->link($relatedAttribute['Attribute']['event_id'], array('controller' => 'events', 'action' => 'view', $relatedAttribute['Attribute']['event_id']), array ('class' => 'SameOrgLink'));
|
||||
} else {
|
||||
|
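Review bot: `explode('|', nl2br(h($attribute['value'])))` escapes and converts newlines before parsing, so the following `strrpos`/`substr` filename logic operates on the encoded text (`&amp;`, `&#039;`, `<br />`) rather than the stored value; parse first and escape at the point of output instead. Keep `$filenameHash = explode('|', $attribute['value']);` and wrap `$filepath` and `$filename` in `h()` where they are echoed, which is outside this hunk. The context line `echo $attribute['type'];` is also output unescaped; that is acceptable only if `type` is constrained to the fixed vocabulary in `$typeDefinitions`, which should be confirmed. The attribute loop continues past the hunk.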
|