r50465 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r50464‎ \| r50465 \| r50466 >
Date:	00:51, 11 May 2009
Author:	laner
Status:	deferred
Tags:
Comment:	* Add width, length, and labels arguments in PlottersParser.php * Allow user defined width and length in PlottersClass.php * Closed a bunch of XSS attack vectors
Modified paths:	/trunk/extensions/Plotters/PlottersClass.php (modified) (history) /trunk/extensions/Plotters/PlottersParser.php (modified) (history)

Diff [purge]

Index: trunk/extensions/Plotters/PlottersClass.php
—	—	@@ -66,9 +66,8 @@
67	67	}
68	68
69	69	function renderPlot() {
70		~~- // TODO: allow user defined height and width~~
71	70	// TODO: allow user defined graph id
72		~~- return '<div><canvas id="graph" height="300" width="300"></canvas></div>';~~
	71	+ return '<div><canvas id="graph" height="' . $this->argumentArray["height"] . '" width="' . $this->argumentArray["width"] . '"></canvas></div>';
73	72	}
74	73
75	74	function renderFallback() {
—	—	@@ -77,19 +76,21 @@
78	77	}
79	78
80	79	function renderJavascript() {
	80	+ $output = '<script type="text/javascript">';
	81	+ // TODO: allow user defined graph id
	82	+ $output .= 'function drawGraph() {';
	83	+ $output .= 'var data = [];';
	84	+
81	85	// Prepare data
82		~~- $data = "[";~~
83		~~- foreach ( $this->dataArray as $line ) {~~
84		~~- $data .= "[" . implode( $this->argumentArray["datasep"], $line ) . "]" . ", ";~~
	86	+ for ( $i = 0; $i < count( $this->dataArray ); $i++ ) {
	87	+ $output .= "data[$i] = [];";
	88	+ $dataline = $this->dataArray[$i];
	89	+ for ( $j = 0; $j < count( $dataline ); $j++ ) {
	90	+ $output .= "data[$i][$j] = '" . $dataline[$j] . "';";
	91	+ }
85	92	}
86		~~- $data = substr( $data, 0, -2 );~~
87		~~- $data .= "]";~~
88	93
89	94	// Run preprocessors
90		~~- $output = '<script type="text/javascript">';~~
91		~~- // TODO: allow user defined graph id~~
92		~~- $output .= 'function drawGraph() {';~~
93		~~- $output .= 'var data = ' . $data . ';';~~
94	95	foreach ( $this->argumentArray["preprocessors"] as $preprocessor ) {
95	96	$output .= 'data = plotter_' . $preprocessor . '_process( data, ';
96	97	foreach ( $this->argumentArray["preprocessorarguments"] as $argument ) {
—	—	@@ -103,7 +104,7 @@
104	105	// Run script
105	106	$output .= 'plotter_' . $this->argumentArray["script"] . '_draw( data, ';
106	107	foreach ( $this->argumentArray["scriptarguments"] as $argument ) {
107		~~- $output .= $argument . ', ';~~
	108	+ $output .= "'" . $argument . "'" . ", ";
108	109	}
109	110	$output = substr( $output, 0, -2 );
110	111	$output .= " );";
Index: trunk/extensions/Plotters/PlottersParser.php
—	—	@@ -35,9 +35,10 @@
36	36	function parseArguments( $argv ) {
37	37	// Parse arguments, set defaults, and do sanity checks
38	38	$this->argumentArray = array ( "renderer" => "plotkit", "preprocessors" => array(), "preprocessorarguments" => array(),
39		~~- "script" => "", "scriptarguments" => array(), "datasep" => "," );~~
	39	+ "script" => "", "scriptarguments" => array(), "datasep" => ",", "width" => "300", "height" => "300", "labels" => array() );
40	40	if ( isset( $argv["renderer"] ) ) {
41		~~- $this->argumentArray["renderer"] = $argv["renderer"];~~
	41	+ //TODO: limit this to supported renderers
	42	+ $this->argumentArray["renderer"] = preg_replace( '/[^A-Z0-9]/i', '', $argv["renderer"] );
42	43	}
43	44	if ( isset( $argv["preprocessors"] ) ) {
44	45	// Sanitize scripts - alphanumerics only
—	—	@@ -48,16 +49,15 @@
49	50	}
50	51	if ( isset( $argv["preprocessorarguments"] ) ) {
51	52	// Replace escaped separators
52		~~- $argv["preprocessorarguments"] = preg_replace( '/\\:/', '§UNIQ§', $argv["preprocessorarguments"] );~~
53		~~- $argv["preprocessorarguments"] = preg_replace( '/\\,/', '§UNIQ2§', $argv["preprocessorarguments"] );~~
	53	+ $argv["preprocessorarguments"] = preg_replace( "/\\\:/", '§UNIQ§', $argv["preprocessorarguments"] );
	54	+ $argv["preprocessorarguments"] = preg_replace( "/\\\,/", '§UNIQ2§', $argv["preprocessorarguments"] );
54	55
55		~~- // Parse and sanitize arguments - escape single quotes and backslashes~~
	56	+ // Parse and sanitize arguments
56	57	$arguments = explode( ':', $argv["preprocessorarguments"] );
57	58	foreach ( $arguments as $argument ) {
58	59	$subargumentarr = explode( ',', $argument );
59	60	foreach ( $subargumentarr as &$singleargument ) {
60		~~- $singleargument = preg_replace( "/\\\\/", '\\\\', $singleargument );~~
61		~~- $singleargument = preg_replace( "/'/", "\\'", $singleargument );~~
	61	+ $singleargument = htmlentities( $singleargument, ENT_QUOTES );
62	62
63	63	// Fix escaped separators
64	64	$singleargument = preg_replace( "/§UNIQ§/", ":", $singleargument );
—	—	@@ -73,22 +73,42 @@
74	74	}
75	75	if ( isset( $argv["scriptarguments"] ) ) {
76	76	// Replace escaped separators
77		~~- $argv["scriptarguments"] = preg_replace( '/\\,/', '§UNIQ§', $argv["scriptarguments"] );~~
	77	+ $argv["scriptarguments"] = preg_replace( "/\\\,/", '§UNIQ§', $argv["scriptarguments"] );
78	78
79		~~- // Parse and sanitize arguments - escape single quotes and backslashes~~
	79	+ // Parse and sanitize arguments
80	80	$arguments = explode( ',', $argv["scriptarguments"] );
81	81	foreach ( $arguments as $argument ) {
82		~~- $argument = preg_replace( "/\\\\/", '\\\\', $argument );~~
83		~~- $argument = preg_replace( "/'/", "\\'", $argument );~~
	82	+ $argument = htmlentities( $argument, ENT_QUOTES );
84	83
85	84	// Fix escaped separators
86	85	$argument = preg_replace( "/§UNIQ§/", ",", $argument );
87	86	$this->argumentArray["scriptarguments"][] = $argument;
88	87	}
	88	+ Plotter::debug( 'plot script argument values: ', $this->argumentArray["scriptarguments"] );
89	89	}
90	90	if ( isset( $argv["datasep"] ) ) {
91		~~- $this->argumentArray["datasep"] = $argv["datasep"];~~
	91	+ $this->argumentArray["datasep"] = htmlentities( $argv["datasep"], ENT_QUOTES );
92	92	}
	93	+ if ( isset( $argv["width"] ) ) {
	94	+ $this->argumentArray["width"] = preg_replace( '/[^0-9]/', '', $argv["width"] );
	95	+ }
	96	+ if ( isset( $argv["height"] ) ) {
	97	+ $this->argumentArray["height"] = preg_replace( '/[^0-9]/', '', $argv["height"] );
	98	+ }
	99	+ if ( isset( $argv["labels"] ) ) {
	100	+ // Replace escaped separators
	101	+ $argv["labels"] = preg_replace( "/\\\,/", '§UNIQ§', $argv["labels"] );
	102	+
	103	+ // Parse and sanitize arguments
	104	+ $labels = explode( ',', $argv["labels"] );
	105	+ foreach ( $labels as $label ) {
	106	+ $label = htmlentities( $label, ENT_QUOTES );
	107	+
	108	+ // Fix escaped separators
	109	+ $label = preg_replace( "/§UNIQ§/", ",", $label );
	110	+ $this->argumentArray["labels"][] = $label;
	111	+ }
	112	+ }
93	113	}
94	114
95	115	function parseData( $input, $parser ) {
—	—	@@ -96,13 +116,12 @@
97	117	$sep = $this->argumentArray["datasep"];
98	118	$input = preg_replace( "/\\\\$sep/", '§UNIQ§', $input );
99	119
100		~~- // Parse and sanitize data - escape single quotes and backslashes~~
	120	+ // Parse and sanitize data
101	121	$lines = preg_split( "/\n/", $input, -1, PREG_SPLIT_NO_EMPTY );
102	122	foreach ( $lines as $line ) {
103	123	$values = explode( ',', $line );
104	124	foreach ( $values as &$value ) {
105		~~- $value = preg_replace( "/\\\\/", "\\\\", $value );~~
106		~~- $value = preg_replace( "/'/", "\\'", $value );~~
	125	+ $value = htmlentities( $value, ENT_QUOTES );
107	126
108	127	// Fix escaped separators
109	128	$value = preg_replace( "/§UNIQ§/", "\\$sep", $value );

Status & tagging log

05:03, 20 May 2009 Tim Starling (talk | contribs) changed the status of r50465 [removed: new added: deferred]
14:35, 11 May 2009 Brion VIBBER (talk | contribs) changed the status of r50465 [removed: new added: deferred]