web: fix various vulnerabilities

- Send all cookies as HttpOnly (don't let Javascript see them)
- If page sending cookie is HTTPS, make the cookie secure
- Often we have something like:
        $name = get_str('name');
        if (!lookup($name)) {
            error_page("can't find $name");
        }
    Can't do this; it can be exploited for XSS attacks.
    Just say 'Can't find file' or whatever
- Don't show database error messages

Author: davidpanderson

html/inc/consent.inc

@@ -48,7 +48,9 @@ function consent_to_a_policy(
 function check_user_consent($user, $consent_name) {
     list($checkct, $ctid) = check_consent_type($consent_name);
     if ($checkct) {
-        $consent_result = BoincLatestConsent::lookup("userid={$user->id} AND consent_type_id=$ctid AND consent_flag=1");
+        $consent_result = BoincLatestConsent::lookup(
+            "userid=$user->id AND consent_type_id=$ctid AND consent_flag=1"
+        );
         if ($consent_result) {
             return TRUE;
         }
@@ -64,7 +66,8 @@ function check_user_consent($user, $consent_name) {
 // If the boolean is FALSE, the integer returned is -1.
 //
 function check_consent_type($name, $checkenabled=TRUE) {
-    $ct = BoincConsentType::lookup("shortname = '{$name}'");
+    $name = BoincDb::escape_string($name);
+    $ct = BoincConsentType::lookup("shortname = '$name'");
     if ($ct and ( !$checkenabled or ($ct->enabled)) ) {
         return array(TRUE, $ct->id);
     }

html/inc/prefs_util.inc

@@ -32,13 +32,13 @@ function check_venue($x) {
     if ($x == "home") return;
     if ($x == "work") return;
     if ($x == "school") return;
-    error_page(tra("bad venue: %1", $x));
+    error_page("bad venue");
 }
 
 function check_subset($x) {
     if ($x == "global") return;
     if ($x == "project") return;
-    error_page(tra("bad subset: %1", $x));
+    error_page("bad subset");
 }
 
 abstract class PREF {
@@ -271,7 +271,7 @@ class PREF_CONSENT extends PREF {
              (!$cr) ) {
             $rc = consent_to_a_policy($user, $consent_type_id, $flag, 0, 'Webform', time());
             if (!$rc) {
-                error_page(tra("Database error:").BoincDb::error());
+                error_page("Database error");
             }
         }
     }
@@ -288,7 +288,7 @@ class PREF_CONSENT extends PREF {
 
         $rc = consent_to_a_policy($user, $consent_type_id, $this->default, 0, 'Webform');
         if (!$rc) {
-            error_page(tra("Database error:").BoincDb::error());
+            error_page("Database error");
         }
     }
 

html/inc/user_util.inc

@@ -206,7 +206,7 @@ function validate_post_make_user() {
         $team = BoincTeam::lookup_id($teamid);
         $clone_user = BoincUser::lookup_id($team->userid);
         if (!$clone_user) {
-            error_page("User $userid not found");
+            error_page("User $team->userid not found");
         }
         $project_prefs = $clone_user->project_prefs;
     } else {

html/inc/util.inc

@@ -157,7 +157,11 @@ function send_cookie($name, $value, $permanent, $ops=false) {
         $path .= "_ops/";
     }
     $expire = $permanent?time()+3600*24*365:0;
-    setcookie($name, $value, $expire, $path);
+    setcookie($name, $value, $expire, $path,
+        '',
+        is_https(),     // if this page is secure, make cookie secure
+        true            // httponly; no JS access
+    );
 }
 
 function clear_cookie($name, $ops=false) {
@@ -878,10 +882,7 @@ function strip_bbcode($string){
 }
 
 function current_url() {
-    $url = "http";
-    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
-        $url .= "s";
-    }
+    $url = is_https()?'https':'http';
     $url .= "://";
     $url .= $_SERVER['SERVER_NAME'];
     $url .= ":".$_SERVER['SERVER_PORT'];
@@ -1098,7 +1099,7 @@ function do_download($path,$name="") {
 function redirect_to_secure_url() {
     if (defined('SECURE_URL_BASE')
         && strstr(SECURE_URL_BASE, "https://")
-        && empty($_SERVER['HTTPS'])
+        && !is_https()
     ) {
         Header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
         exit;

html/inc/util_basic.inc

@@ -185,4 +185,12 @@ function dtime() {
     return microtime(true);
 }
 
+// is $x a valid file (or dir) name?
+//
+function is_valid_filename($x) {
+    if (htmlspecialchars($x) != $x) return false;
+    if (strstr($x, '/')) return false;
+    return true;
+}
+
 ?>

html/user/am_set_host_info.php

@@ -16,6 +16,8 @@
 // You should have received a copy of the GNU Lesser General Public License
 // along with BOINC.  If not, see <http://www.gnu.org/licenses/>.
 
+// Handler for RPC to change the venue of a host
+
 require_once("../inc/boinc_db.inc");
 require_once("../inc/xml.inc");
 

html/user/manage_app.php

@@ -226,6 +226,6 @@ function batches_action($app) {
 case "batches_action":
     batches_action($app); break;
 default:
-    error_page("unknown action $action");
+    error_page("unknown action");
 }
 ?>

html/user/manage_project.php

@@ -208,7 +208,7 @@ function handle_add_action() {
 case 'edit_action':
     handle_edit_action(); break;
 default:
-    error_page("unknown action: $action");
+    error_page("unknown action");
 }
 
 ?>

html/user/sandbox.php

@@ -53,8 +53,32 @@ function list_files($user, $err_msg) {
         </form>
         <hr>
     ";
-    if (strcmp($err_msg,"")!=0){
-        echo "<p>$err_msg<hr>";
+
+    form_start('sandbox.php', 'post');
+    form_input_hidden('action', 'add_file');
+    form_input_text('Name', 'name');
+    form_input_textarea('Contents', 'contents');
+    form_submit('OK');
+    form_end();
+    echo "
+        <hr>
+        <h3>Get web file</h3>
+    ";
+    form_start('sandbox.php', 'post');
+    form_input_hidden('action', 'get_file');
+    form_input_text('URL', 'url');
+    form_submit('OK');
+    form_end();
+    page_tail();
+}
+
+function list_files($user) {
+    $dir = sandbox_dir($user);
+    if (!is_dir($dir)) error_page("Can't open sandbox directory");
+    page_head("File sandbox");
+    $notice = htmlspecialchars(get_str('notice', true));
+    if ($notice) {
+        echo "<p>$notice<hr>";
     }
     $files = array();
     while (($f = readdir($d)) !== false) {
@@ -138,8 +162,53 @@ function upload_file($user) {
     list_files($user, $notice);
 }
 
+<<<<<<< HEAD
+=======
+function add_file($user) {
+    $dir = sandbox_dir($user);
+    $name = post_str('name');
+    if (!is_valid_filename($name)) {
+        error_page('bad filename');
+    }
+    if (!$name) error_page('No name given');
+    if (file_exists("$dir/$name")) {
+        error_page("file $name exists");
+    }
+    $contents = post_str('contents');
+    $contents = str_replace("\r\n", "\n", $contents);
+    file_put_contents("$dir/$name", $contents);
+
+    [$md5, $size] = get_file_info("$dir/$name");
+    write_info_file("$dir/.md5/$name", $md5, $size);
+
+    $notice = "Added file <strong>$name</strong> ($size bytes)";
+    header(sprintf('Location: sandbox.php?notice=%s', urlencode($notice)));
+}
+
+function get_file($user) {
+    $dir = sandbox_dir($user);
+    $url = post_str('url');
+    if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
+        error_page('Not a valid URL');
+    }
+    $fname = basename($url);
+    $path = "$dir/$fname";
+    if (file_exists($path)) {
+        error_page("File $fname exists; delete it first.");
+    }
+    copy($url, $path);
+    $notice = "Fetched file from <strong>$url</strong><br/>";
+    header(sprintf('Location: sandbox.php?notice=%s', urlencode($notice)));
+}
+
+// delete a sandbox file.
+//
+>>>>>>> c2defb6df6 (web: fix various vulnerabilities)
 function delete_file($user) {
     $name = get_str('name');
+    if (!is_valid_filename($name)) {
+        error_page('bad filename');
+    }
     $dir = sandbox_dir($user);
     list($error, $size, $md5) = sandbox_parse_link_file("$dir/$name");
     if ($error) {
@@ -163,6 +232,9 @@ function delete_file($user) {
 }
 function download_file($user) {
     $name = get_str('name');
+    if (!is_valid_filename($name)) {
+        error_page('bad filename');
+    }
     $dir = sandbox_dir($user);
     list($err, $size, $md5) = sandbox_parse_link_file("$dir/$name");
     if ($err) {
@@ -176,11 +248,21 @@ function download_file($user) {
 }
 function view_file($user) {
     $name = get_str('name');
+    if (!is_valid_filename($name)) {
+        error_page('bad filename');
+    }
     $dir = sandbox_dir($user);
+<<<<<<< HEAD
     list($error, $size, $md5) = sandbox_parse_link_file("$dir/$name");
     if ($error) error_page("no such link file");
     $p = sandbox_physical_path($user, $md5);
     if (!is_file($p)) error_page("no such physical file");
+=======
+    $path = "$dir/$name";
+    if (!is_file($path)) {
+        error_page("no such file");
+    }
+>>>>>>> c2defb6df6 (web: fix various vulnerabilities)
     echo "<pre>\n";
     readfile($p);
     echo "</pre>\n";
@@ -198,7 +280,12 @@ function view_file($user) {
 case 'delete_file': delete_file($user); break;
 case 'download_file': download_file($user); break;
 case 'view_file': view_file($user); break;
+<<<<<<< HEAD
 default: error_page("no such action: $action");
+=======
+case 'add_form': add_form($user); break;
+default: error_page("no such action: ".htmlspecialchars($action));
+>>>>>>> c2defb6df6 (web: fix various vulnerabilities)
 }
 
 ?>

html/user/team_forum.php

@@ -205,7 +205,7 @@ function show_forum($team) {
     require_founder_login($user, $team);
     remove($team);
 } else if ($cmd != "") {
-    error_page("unknown command $cmd");
+    error_page("unknown command ".htmlspecialchars($cmd));
 } else {
     show_forum($team);
 }