From: Thierry Parmentelat Date: Fri, 29 Apr 2022 13:37:45 +0000 (+0200) Subject: brute-force changed access to $_GET['key'] to use get_array instead X-Git-Tag: plewww-5.3-0~8 X-Git-Url: http://git.onelab.eu/?p=plewww.git;a=commitdiff_plain;h=f8c3df6c7afdeed9564c9efec42baaf97fc5ba2a brute-force changed access to $_GET['key'] to use get_array instead --- diff --git a/planetlab/common/adminsearch.php b/planetlab/common/adminsearch.php index cf57e9e..9ac05b0 100644 --- a/planetlab/common/adminsearch.php +++ b/planetlab/common/adminsearch.php @@ -31,8 +31,8 @@ if ( ! plc_is_admin()) { } $pattern=""; -if (isset($_GET['pattern'])) { $pattern=$_GET['pattern']; } -if (isset($_POST['pattern'])) { $pattern=$_POST['pattern']; } +if (get_array($_GET, 'pattern')) { $pattern=$_GET['pattern']; } +if (get_array($_POST, 'pattern')) { $pattern=$_POST['pattern']; } $tokens=explode(" ",$pattern); function token_filter ($t) { $t = trim($t); if (empty($t)) return false; return true; } diff --git a/planetlab/events/events.php b/planetlab/events/events.php index 5ca8182..1cb854c 100644 --- a/planetlab/events/events.php +++ b/planetlab/events/events.php @@ -25,9 +25,9 @@ ini_set("memory_limit","256M"); drupal_set_title('Events'); // as per index.php, we get here if _GET['type'] is set -$type = $_GET['type']; -$from_date = $_GET['from_date']; -$until_date = $_GET['until_date']; +$type = get_array($_GET, 'type'); +$from_date = get_array($_GET, 'from_date'); +$until_date = get_array($_GET, 'until_date'); $messages=array(); @@ -147,7 +147,7 @@ $filter['[time']=$until_time; if ($type == 'Event') { // and the filter applied for fetching events using GetEvent - $user_desc=$_GET['event']; + $user_desc=get_array($_GET, 'event'); if ( ! empty($user_desc)) { // should parse stuff like 45-90,230-3000 - some other day $filter['event_id']=intval($user_desc); diff --git a/planetlab/events/index.php b/planetlab/events/index.php index 6eae410..6727914 100644 --- a/planetlab/events/index.php 
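Review bot: In planetlab/common/adminsearch.php the two rewritten guards still read `$_GET['pattern']` and `$_POST['pattern']` directly in their bodies, so the value is fetched twice and the test has changed from isset() to truthiness (a pattern of `0` or an empty string is now skipped). get_array is not defined in this diff; assuming it returns the stored value, a single assignment such as `$pattern = get_array($_POST, 'pattern') ?: (get_array($_GET, 'pattern') ?: "");` keeps the POST-over-GET order of the new code. The same test-then-reread shape recurs in the comon.php, interface.php, slivers.php, peer.php, update.php and pcu.php hunks. The conversion is also incomplete: `$_POST['submitted']` in pcu.php and `$_POST['add-slice']` in slice_add.php remain unguarded reads.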
+++ b/planetlab/events/index.php @@ -6,7 +6,7 @@ require_once 'plc_login.php'; // the choser form is expected to set _GET['type'] among other stuff -if ($_GET['type']) require ('events.php') ; +if (get_array($_GET, 'type')) require ('events.php') ; else require ('events_choser.php'); ?> diff --git a/planetlab/nodes/comon.php b/planetlab/nodes/comon.php index 743ee02..75cde10 100644 --- a/planetlab/nodes/comon.php +++ b/planetlab/nodes/comon.php @@ -46,18 +46,18 @@ function plc_comon_url_from_ips($comon_server_url, $ips) { $fields=array("hostname","node_id","peer_id", "interface_ids"); -if ($_GET['node_id']) { +if (get_array($_GET, 'node_id')) { $node_id=intval($_GET['node_id']); $nodes=$api->GetNodes(array("node_id"=>array($node_id)),$fields); - } else if ($_GET['site_id']) { + } else if (get_array($_GET, 'site_id')) { $site_id=intval($_GET['site_id']); $nodes=$api->GetNodes(array("node_type"=>"regular","site_id"=>array($site_id)),$fields); - } else if ($_GET['slice_id']) { + } else if (get_array($_GET, 'slice_id')) { $slice_id=intval($_GET['slice_id']); $return=$api->GetSlices(array("slice_id"=>array($slice_id)),array("node_ids")); $node_ids=$return[0]['node_ids']; $nodes=$api->GetNodes(array("node_type"=>"regular","node_id"=>$node_ids),$fields); - } else if (isset($_GET['peer_id'])) { + } else if (get_array($_GET, 'peer_id'))) { $peer_id=intval($_GET['peer_id']); if ( ($peer_id == 0) || ($peer_id == "") ) $peer_id=NULL; diff --git a/planetlab/nodes/interface.php b/planetlab/nodes/interface.php index 744ce3f..f8b5940 100644 --- a/planetlab/nodes/interface.php +++ b/planetlab/nodes/interface.php 
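Review bot: The rewritten last branch in planetlab/nodes/comon.php, `} else if (get_array($_GET, 'peer_id'))) {`, has one closing parenthesis too many and is a parse error, so the page cannot load at all. Beyond the typo, this was the only branch using isset(), and the lines under it map `$peer_id == 0` to NULL; if get_array returns the stored value (its definition is not in this diff), `peer_id=0` is falsy and would no longer reach that code. Keeping `} else if (isset($_GET['peer_id'])) {` here avoids both problems. The if/else chain continues past the end of the hunk.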
@@ -28,14 +28,14 @@ include 'plc_header.php'; // adding: _GET['node_id']: // otherwise, node_id is needed and the form only allows to add -if ( isset ($_GET['id'])) { +if ( get_array($_GET, 'id')) { $mode='update'; $interface_id=intval($_GET['id']); $interfaces=$api->GetInterfaces(array('interface_id'=>$interface_id)); $interface=$interfaces[0]; $node_id=$interface['node_id']; $title=('Updating interface ' . $interface['ip']); - } else if (isset ($_GET['node_id'])) { + } else if (get_array($_GET, 'node_id')) { $mode='add'; $interface=array(); $node_id=$_GET['node_id']; diff --git a/planetlab/nodes/node.php b/planetlab/nodes/node.php index 220f508..61c9db4 100644 --- a/planetlab/nodes/node.php +++ b/planetlab/nodes/node.php @@ -23,7 +23,7 @@ require_once 'plc_objects.php'; // -------------------- // recognized URL arguments -$node_id=intval($_GET['id']); +$node_id=intval(get_array($_GET, 'id')); if ( ! $node_id ) { plc_error('Malformed URL - id not set'); return; } //////////////////// diff --git a/planetlab/nodes/nodes.php b/planetlab/nodes/nodes.php index 5fbbe0e..dc4768a 100644 --- a/planetlab/nodes/nodes.php +++ b/planetlab/nodes/nodes.php @@ -215,7 +215,7 @@ if ($pattern) { } // server-side selection on peerscope -$peerscope=new PeerScope($api,$_GET['peerscope']); +$peerscope=new PeerScope($api,get_array($_GET, 'peerscope')); $node_filter=array_merge($node_filter,$peerscope->filter()); $title .= ' - ' . $peerscope->label(); diff --git a/planetlab/nodes/slivers.php b/planetlab/nodes/slivers.php index 7310eb5..d146c08 100644 --- a/planetlab/nodes/slivers.php +++ b/planetlab/nodes/slivers.php @@ -20,7 +20,7 @@ require_once 'form.php'; // if slice and node ids are passed display slivers and tags -if( $_GET['slice_id'] && $_GET['node_id'] ) { +if( get_array($_GET, 'slice_id') && get_array($_GET, 'node_id') ) { $slice_id = $_GET['slice_id']; $node_id = $_GET['node_id']; diff --git a/planetlab/nodes/test.php b/planetlab/nodes/test.php index 4bc7df9..6327eb8 100644 
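Review bot: The 'add' branch of planetlab/nodes/interface.php still stores the raw query-string value, `$node_id=$_GET['node_id'];`, while the 'update' branch casts its id with intval(). How `$node_id` is used below the hunk is not visible, so it is safer to cast at the point of entry: `$node_id=intval(get_array($_GET, 'node_id'));`. The slivers.php hunk has the same uncast `$slice_id = $_GET['slice_id'];` and `$node_id = $_GET['node_id'];` assignments. The if/else chain continues past the end of this hunk.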
--- a/planetlab/nodes/test.php +++ b/planetlab/nodes/test.php @@ -7,7 +7,7 @@ require_once 'plc_session.php'; global $plc, $api, $adm; // input -$input = strtolower( $_GET['input'] ); +$input = strtolower( get_array($_GET, 'input') ); $len = strlen($input); // init result diff --git a/planetlab/peers/index.php b/planetlab/peers/index.php index 0d3f284..aef4e59 100644 --- a/planetlab/peers/index.php +++ b/planetlab/peers/index.php @@ -5,7 +5,7 @@ // Require login require_once 'plc_login.php'; -if ($_GET['id']) require ('peer.php') ; +if (get_array($_GET, 'id')) require ('peer.php') ; else require ('peers.php'); ?> diff --git a/planetlab/peers/peer.php b/planetlab/peers/peer.php index 014af46..69a7394 100644 --- a/planetlab/peers/peer.php +++ b/planetlab/peers/peer.php @@ -22,13 +22,13 @@ plekit_linetabs ($tabs); // -------------------- // recognized URL arguments -if ( $_GET['peername'] ) { +if ( get_array($_GET, 'peername') ) { $peername= $_GET['peername']; $peers = $api->GetPeers( array( $peername ), array( "peer_id" ) ); $peer_id=$peers[0]['peer_id']; } else { - $peer_id=intval($_GET['id']); + $peer_id=intval(get_array($_GET, 'id')); } if ( ! $peer_id ) { plc_error('Malformed URL - id not set'); return; } diff --git a/planetlab/persons/person.php b/planetlab/persons/person.php index 663608c..24e5cfb 100644 --- a/planetlab/persons/person.php +++ b/planetlab/persons/person.php @@ -22,7 +22,7 @@ require_once 'toggle.php'; // -------------------- // recognized URL arguments -$person_id=intval($_GET['id']); +$person_id=intval(get_array($_GET, 'id')); if ( ! $person_id ) { plc_error('Malformed URL - id not set'); return; diff --git a/planetlab/persons/test.php b/planetlab/persons/test.php index 7956093..cb036dc 100644 --- a/planetlab/persons/test.php +++ b/planetlab/persons/test.php 
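Review bot: `strtolower( get_array($_GET, 'input') )` in planetlab/nodes/test.php passes the helper's result straight to a string function; if get_array returns NULL for a missing key (its definition is not shown in this diff), PHP 8.1 and later report a deprecation for passing null to strtolower(). A string fallback keeps the call clean: `$input = strtolower( get_array($_GET, 'input') ?? '' );`. The persons/test.php and slices/test.php hunks contain the identical line.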
@@ -7,7 +7,7 @@ require_once 'plc_session.php'; global $plc, $api, $adm; // input -$input = strtolower( $_GET['input'] ); +$input = strtolower( get_array($_GET, 'input') ); $len = strlen($input); // init result diff --git a/planetlab/persons/update.php b/planetlab/persons/update.php index 96d626b..7dbb11e 100644 --- a/planetlab/persons/update.php +++ b/planetlab/persons/update.php @@ -18,7 +18,7 @@ $_roles= $_person['role_ids']; $is_submitted= isset($_POST['submitted']) ? $_POST['submitted'] : 0; // show details for the current user. -if( isset($_GET['id']) && is_numeric($_GET['id']) ) { +if( get_array($_GET, 'id') && is_numeric($_GET['id']) ) { $person_id= intval($_GET['id']); } else { plc_redirect (l_sites()); diff --git a/planetlab/sites/delete_site.php b/planetlab/sites/delete_site.php index 39fb31d..88eb351 100644 --- a/planetlab/sites/delete_site.php +++ b/planetlab/sites/delete_site.php @@ -23,7 +23,7 @@ $_roles= $_person['role_ids']; // if no id redirect -if( !$_GET['id'] ) +if( !get_array($_GET, 'id') ) plc_redirect (l_sites()); // set the site_id diff --git a/planetlab/sites/join_request.php b/planetlab/sites/join_request.php index 717711f..2c37107 100644 --- a/planetlab/sites/join_request.php +++ b/planetlab/sites/join_request.php @@ -186,20 +186,12 @@ $_roles= $_person['role_ids']; // only admins are allowed to view this page if( !in_array( '10', $_roles ) ) { - print("

not allowed to view this page

"); -} -else if (get_array($_GET, 'review')) -{ - +} else if (get_array($_GET, 'review')) { //print review page drupal_set_title('Join Request - Review'); - render_join_request_review($api, $_GET['site_id']); - -} -else if (get_array($_POST, 'submitted')) -{ - + render_join_request_review($api, get_array($_GET, 'site_id')); +} else if (get_array($_POST, 'submitted')) { // parse the form $site_form = build_site_form(FALSE); $input = parse_form ($site_form, $_REQUEST, $input); diff --git a/planetlab/sites/pcu.php b/planetlab/sites/pcu.php index 1ec3089..f7005ec 100644 --- a/planetlab/sites/pcu.php +++ b/planetlab/sites/pcu.php @@ -22,7 +22,7 @@ $_roles= $_person['role_ids']; // if no id: add, else: display(update) -if( !$_GET['id'] ) { +if( !get_array($_GET, 'id') ) { if( $_POST['submitted'] ) { // get person's site id $site_id= $_person['site_ids'][0]; @@ -58,11 +58,11 @@ if( !$_GET['id'] ) {

\n"; } else { // get PCU info - $pcu_id= intval( $_GET['id'] ); + $pcu_id= intval( get_array($_GET, 'id') ); $pcu_info= $api->GetPCUs( array( intval( $pcu_id ) ) ); // if remove is set remove the node from the pcu - if( $_GET['remove'] ) { + if( get_array($_GET, 'remove') ) { $rem_id= $_GET['remove']; $api->DeleteNodeFromPCU( intval( $rem_id ), $pcu_id ); diff --git a/planetlab/sites/site.php b/planetlab/sites/site.php index 3212291..e6aa096 100644 --- a/planetlab/sites/site.php +++ b/planetlab/sites/site.php @@ -24,7 +24,7 @@ require_once 'toggle.php'; // -------------------- // recognized URL arguments -$site_id = intval($_GET['id']); +$site_id = intval(get_array($_GET, 'id')); if ( ! $site_id ) { plc_error('Malformed URL - id not set'); return; } //////////////////// diff --git a/planetlab/slices/slice_add.php b/planetlab/slices/slice_add.php index 29071a9..fec117a 100644 --- a/planetlab/slices/slice_add.php +++ b/planetlab/slices/slice_add.php @@ -25,13 +25,13 @@ if ( ! $has_privileges ) { // find out which site the slice should be added to // without site_id set in GET, we use the first site that this user is in -if (isset($_GET['site_id'])) { +if (get_array($_GET['site_id'])) { $site_id=intval($_GET['site_id']); - } else if (isset ($_POST['site_id'])) { +} else if (get_array($_POST, 'site_id')) { $site_id=intval($_POST['site_id']); - } else { +} else { $site_id=plc_my_site_id(); - } +} //////////////////// action if ( $_POST['add-slice'] ) { diff --git a/planetlab/slices/test.php b/planetlab/slices/test.php index 7be5879..39f8bf4 100644 --- a/planetlab/slices/test.php +++ b/planetlab/slices/test.php @@ -42,7 +42,7 @@ foreach( $arr as $slices ) { } -$input = strtolower( $_GET['input'] ); +$input = strtolower( get_array($_GET, 'input') ); $len = strlen($input); $aResults = array(); diff --git a/planetlab/tags/index.php b/planetlab/tags/index.php index 0f9ba17..1d2b02e 100644 --- a/planetlab/tags/index.php +++ b/planetlab/tags/index.php 
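Review bot: The `remove` branch in planetlab/sites/pcu.php calls `$api->DeleteNodeFromPCU( intval( $rem_id ), $pcu_id );` on a plain GET parameter, and no request-method or anti-CSRF token check is visible in the hunk, so a URL loaded in a logged-in user's browser could be enough to trigger the deletion. State-changing actions are safer behind a POST form carrying a per-session token that is verified before the API call. `$rem_id= $_GET['remove'];` can also reuse the helper: `$rem_id= get_array($_GET, 'remove');`. The tag deletion keyed on `rem_id` in the tag_action.php hunk has the same shape; both blocks extend beyond their hunks.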
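Review bot: The first guard in planetlab/slices/slice_add.php was converted to `get_array($_GET['site_id'])`, which indexes `$_GET` directly (the undefined-key access this commit is removing) and passes a single argument to the helper. Every other call in the commit uses the two-argument form, so this should read `if (get_array($_GET, 'site_id')) {`. Depending on get_array's signature, which is not in this diff, the one-argument call may also raise an ArgumentCountError at runtime.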
@@ -5,7 +5,7 @@ // Require login require_once 'plc_login.php'; -if ($_GET['id']) require ('tag.php') ; +if (get_array($_GET, 'id')) require ('tag.php') ; else require ('tags.php'); ?> diff --git a/planetlab/tags/nodegroup.php b/planetlab/tags/nodegroup.php index b29545a..fddba94 100644 --- a/planetlab/tags/nodegroup.php +++ b/planetlab/tags/nodegroup.php @@ -22,7 +22,7 @@ require_once 'toggle.php'; // -------------------- // recognized URL arguments -$nodegroup_id=intval($_GET['id']); +$nodegroup_id=intval(get_array($_GET, 'id')); if ( ! $nodegroup_id ) { plc_error('Malformed URL - id not set'); return; } //////////////////// diff --git a/planetlab/tags/nodegroups.php b/planetlab/tags/nodegroups.php index feb56a5..3f2b5d0 100644 --- a/planetlab/tags/nodegroups.php +++ b/planetlab/tags/nodegroups.php @@ -21,7 +21,7 @@ require_once 'form.php'; // -------------------- // recognized URL arguments -$pattern=$_GET['pattern']; +$pattern=get_array($_GET, 'pattern'); // --- decoration $title="Nodegroups"; diff --git a/planetlab/tags/tag.php b/planetlab/tags/tag.php index dc228fe..4f881fb 100644 --- a/planetlab/tags/tag.php +++ b/planetlab/tags/tag.php @@ -21,7 +21,7 @@ require_once 'toggle.php'; // -------------------- // recognized URL arguments -$tag_type_id=intval($_GET['id']); +$tag_type_id=intval(get_array($_GET, 'id')); if ( ! $tag_type_id ) { plc_error('Malformed URL - id not set'); return; diff --git a/planetlab/tags/tag_action.php b/planetlab/tags/tag_action.php index 9084451..247ffb3 100644 --- a/planetlab/tags/tag_action.php +++ b/planetlab/tags/tag_action.php @@ -29,9 +29,9 @@ return; // TAGS ------------------------------------------------- // tag deletion -if( $_GET['rem_id'] ) { +if( get_array($_GET, 'rem_id') ) { // get the id of the tag to remove from GET - $tag_id= intval( $_GET['rem_id'] ); + $tag_id= intval( get_array($_GET, 'rem_id') ); // get slice_id $tag_info= $api->GetSliceTags( array( $tag_id ), array( "slice_id" ) ); 
diff --git a/planetlab/tags/tag_set.php b/planetlab/tags/tag_set.php index 095ac62..e6f15dd 100644 --- a/planetlab/tags/tag_set.php +++ b/planetlab/tags/tag_set.php @@ -23,7 +23,7 @@ return; // get slice id from GET - $slice_id= intval( $_GET['add'] ); + $slice_id= intval( get_array($_GET, 'add') ); // get all tag types $tag_types= $api->GetTagTypes( $tag_type_filter , array( "tag_type_id", "tagname" ) ); @@ -63,7 +63,7 @@ return; } else { - $tag_id= intval( $_GET['id'] ); + $tag_id= intval( get_array($_GET, 'id') ); // get tag $slice_tag= $api->GetSliceTags( array( $tag_id ), array( "slice_id", "slice_tag_id", "tag_type_id", "value", "description", "min_role_id" ) ); diff --git a/planetlab/tags/tags.php b/planetlab/tags/tags.php index 75b89dd..c17df62 100644 --- a/planetlab/tags/tags.php +++ b/planetlab/tags/tags.php @@ -19,7 +19,7 @@ require_once 'form.php'; // -------------------- // recognized URL arguments -$pattern=$_GET['pattern']; +$pattern=get_array($_GET, 'pattern'); // --- decoration $title="Tag Types"; diff --git a/plekit/php/logSorting.php b/plekit/php/logSorting.php index 55d30e5..e3c6877 100644 --- a/plekit/php/logSorting.php +++ b/plekit/php/logSorting.php @@ -13,9 +13,9 @@ require_once 'plc_drupal.php'; // Common functions require_once 'plc_functions.php'; -$value=$_GET["value"]; -$person_id=$_GET["person_id"]; -$slice_id=$_GET["slice_id"]; +$value=get_array($_GET, "value"); +$person_id=get_array($_GET, "person_id"); +$slice_id=get_array($_GET, "slice_id"); $myFile = "/var/log/myslice/myslice.log"; $fh = fopen($myFile, 'a') or die("can't open file"); diff --git a/plekit/php/updateColumn.php b/plekit/php/updateColumn.php index 153b655..4e28bde 100644 --- a/plekit/php/updateColumn.php +++ b/plekit/php/updateColumn.php 
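Review bot: In plekit/php/logSorting.php `$value`, `$person_id` and `$slice_id` are taken unmodified from the query string immediately before /var/log/myslice/myslice.log is opened for append. The write itself is below the hunk, but if these values reach the file as-is, embedded CR/LF characters allow a request to add forged log lines. Assuming both ids are numeric, cast them as updateConfiguration.php does for `person_id` and `tag_id`: `$person_id=intval(get_array($_GET, "person_id"));` and `$slice_id=intval(get_array($_GET, "slice_id"));`, and strip control characters from `$value` before logging. updateConfiguration.php itself still leaves `$slice_id` uncast.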
@@ -17,10 +17,10 @@ require_once 'plc_functions.php'; require_once 'columns.php'; -$slice_id=$_GET["slice_id"]; -$tagN=$_GET["tagName"]; -$data_source=$_GET["data_source"]; -$data_type=$_GET["data_type"]; +$slice_id=get_array($_GET, "slice_id"); +$tagN=get_array($_GET, "tagName"); +$data_source=get_array($_GET, "data_source"); +$data_type=get_array($_GET, "data_type"); //print "getting column data for ".$slice_id." with ".$tagN." - ".$data_source." - ".$data_type; $nodetags = array('node_id'); diff --git a/plekit/php/updateConfiguration.php b/plekit/php/updateConfiguration.php index 79a38bb..97c12d9 100644 --- a/plekit/php/updateConfiguration.php +++ b/plekit/php/updateConfiguration.php @@ -13,11 +13,11 @@ require_once 'plc_drupal.php'; // Common functions require_once 'plc_functions.php'; -$value=$_GET["value"]; -$person_id=intval($_GET["person_id"]); -$slice_id=$_GET["slice_id"]; -$tag_id=intval($_GET["tag_id"]); -$tag_name=$_GET["tag_name"]; +$value=get_array($_GET, "value"); +$person_id=intval(get_array($_GET, "person_id")); +$slice_id=get_array($_GET, "slice_id"); +$tag_id=intval(get_array($_GET, "tag_id")); +$tag_name=get_array($_GET, "tag_name"); #$res = $api->UpdatePersonTag( $tag_id, $value ); if ($tag_name == "columnconf")