Internal: Add security fixes from 1.11.x

public/main/admin/add_courses_to_usergroup.php

@@ -48,8 +48,8 @@ function remove_item(origin) {
 </script>';
 
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
     if (!is_array($elements_posted)) {
         $elements_posted = [];
     }
@@ -192,7 +192,7 @@ function search($needle, $type)
 $searchForm->display();
 echo '</div>';
 ?>
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
     echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
     echo ' onsubmit="valide();"';

public/main/admin/add_sessions_to_promotion.php

@@ -125,8 +125,7 @@ function validate_filter() {
     ]
 );
 ?>
-
-<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($_GET['add'])) {
+<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if (!empty($add)) {
     echo '&add=true';
 } ?>" style="margin:0px;" <?php if ($ajax_search) {
     echo ' onsubmit="valide();"';

public/main/admin/add_sessions_to_usergroup.php

@@ -75,8 +75,8 @@ function validate_filter() {
 </script>';
 
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
-    $form_sent = $_POST['form_sent'];
-    $elements_posted = $_POST['elements_in_name'];
+    $form_sent = (int) $_POST['form_sent'];
+    $elements_posted = Security::remove_XSS($_POST['elements_in_name']);
     if (!is_array($elements_posted)) {
         $elements_posted = [];
     }

public/main/admin/course_list.php

@@ -245,7 +245,11 @@ function get_course_data(
                 ICON_SIZE_SMALL,
                 get_lang('Delete')
             ),
-            $path.'admin/course_list.php?delete_course='.$course['col0'],
+            $path.'admin/course_list.php?'
+            .http_build_query([
+                'delete_course' => $course['col0'],
+                'sec_token' => Security::getTokenFromSession(),
+            ]),
             [
                 'onclick' => "javascript: if (!confirm('"
                     .addslashes(api_htmlentities(get_lang('Please confirm your choice'), \ENT_QUOTES))
@@ -320,7 +324,7 @@ function get_course_visibility_icon(int $visibility): string
     };
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
     // Delete selected courses
     if ('delete_courses' == $_POST['action']) {
         if (!empty($_POST['course'])) {
@@ -393,7 +397,7 @@ function get_course_visibility_icon(int $visibility): string
     $content .= $form->returnForm();
 } else {
     $tool_name = get_lang('Course list');
-    if (isset($_GET['delete_course'])) {
+    if (isset($_GET['delete_course']) && Security::check_token('get')) {
         $result = CourseManager::delete_course($_GET['delete_course']);
         if ($result) {
             Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -504,6 +508,7 @@ function get_course_visibility_icon(int $visibility): string
     );
 
     $parameters = [];
+    $parameters['sec_token'] = Security::get_token();
     if (isset($_GET['keyword'])) {
         $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
     } elseif (isset($_GET['keyword_code'])) {

public/main/admin/course_list_admin.php

@@ -194,7 +194,10 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
         );
         $actions[] = Display::url(
             Display::getMdiIcon('delete', 'ch-tool-icon', null, ICON_SIZE_SMALL, get_lang('Delete')),
-            $path.'admin/course_list_admin.php?delete_course='.$courseCode,
+            $path.'admin/course_list_admin.php?'.http_build_query([
+                'delete_course' => $courseCode,
+                'sec_token' => Security::getTokenFromSession(),
+            ]),
             [
                 'onclick' => "javascript: if (!confirm('"
                     .addslashes(api_htmlentities(get_lang('Please confirm your choice'), ENT_QUOTES))."')) return false;",
@@ -266,7 +269,7 @@ function get_course_visibility_icon($visibility)
     }
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
     switch ($_POST['action']) {
         // Delete selected courses
         case 'delete_courses':
@@ -358,7 +361,7 @@ function get_course_visibility_icon($visibility)
         'name' => get_lang('PlatformAdmin'),
     ];
     $tool_name = get_lang('CourseList');
-    if (isset($_GET['delete_course'])) {
+    if (isset($_GET['delete_course']) && Security::check_token('get')) {
         $result = CourseManager::delete_course($_GET['delete_course']);
         if ($result) {
             Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -425,6 +428,7 @@ function get_course_visibility_icon($visibility)
     );
 
     $parameters = [];
+    $parameters['sec_token'] = Security::get_token();
     if (isset($_GET['keyword'])) {
         $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
     } elseif (isset($_GET['keyword_code'])) {

public/main/admin/dashboard_add_sessions_to_user.php

@@ -154,12 +154,12 @@ function remove_item(origin) {
 </script>';
 
 $formSent = 0;
-$firstLetterSession = isset($_POST['firstLetterSession']) ? $_POST['firstLetterSession'] : null;
+$firstLetterSession = isset($_POST['firstLetterSession']) ? Security::remove_XSS($_POST['firstLetterSession']) : null;
 $errorMsg = '';
 $UserList = [];
 
 if (isset($_POST['formSent']) && 1 == (int) ($_POST['formSent'])) {
-    $sessions_list = $_POST['SessionsList'];
+    $sessions_list = Security::remove_XSS($_POST['SessionsList']);
     $userInfo = api_get_user_info($user_id);
     $affected_rows = SessionManager::subscribeSessionsToDrh(
         $userInfo,

public/main/admin/dashboard_add_users_to_user.php

@@ -40,7 +40,7 @@
 
 $user = api_get_user_entity($user_id);
 $isSessionAdmin = api_is_session_admin($user);
-$firstLetterUser = $_POST['firstLetterUser'] ?? null;
+$firstLetterUser = isset($_POST['firstLetterUser']) ? Security::remove_XSS($_POST['firstLetterUser']) : null;
 
 // setting the name of the tool
 $isAdmin = UserManager::is_admin($user_id);
@@ -291,7 +291,7 @@ function remove_item(origin) {
 }
 
 if (isset($_POST['formSent']) && 1 == (int) ($_POST['formSent'])) {
-    $user_list = isset($_POST['UsersList']) ? $_POST['UsersList'] : null;
+    $user_list = isset($_POST['UsersList']) ? Security::remove_XSS($_POST['UsersList']) : null;
     switch ($userStatus) {
         case DRH:
         case PLATFORM_ADMIN:

public/main/admin/index.php

@@ -575,22 +575,6 @@
 $admin_ajax_url = api_get_path(WEB_AJAX_PATH).'admin.ajax.php';
 
 $tpl = new Template();
-
-// Display the Site Use Cookie Warning Validation
-$useCookieValidation = api_get_setting('cookie_warning');
-if ('true' === $useCookieValidation) {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
-        if (Template::isToolBarDisplayedForUser()) {
-            $tpl->assign('toolBarDisplayed', true);
-        } else {
-            $tpl->assign('toolBarDisplayed', false);
-        }
-        $tpl->assign('displayCookieUsageWarning', true);
-    }
-}
-
 $tpl->assign('web_admin_ajax_url', $admin_ajax_url);
 $tpl->assign('blocks_admin', $blocks);
 

public/main/admin/languages.php

@@ -180,13 +180,15 @@
 
 if (isset($_POST['Submit']) && $_POST['Submit']) {
     // changing the name
-    $name = Database::escape_string($_POST['txt_name']);
+    $name = html_filter($_POST['txt_name']);
     $postId = (int) $_POST['edit_id'];
-    $sql = "UPDATE $tbl_admin_languages SET original_name='$name'
-            WHERE id='$postId'";
-    $result = Database::query($sql);
+    Database::update(
+        $tbl_admin_languages,
+        ['original_name' => $name],
+        ['id = ?' => $postId]
+    );
     // changing the Platform language
-    if ($_POST['platformlanguage'] && '' != $_POST['platformlanguage']) {
+    if (isset($_POST['platformlanguage']) && '' != $_POST['platformlanguage']) {
         api_set_setting('platformLanguage', $_POST['platformlanguage'], null, null, api_get_current_access_url_id());
         header("Location: $url");
         exit;

public/main/admin/resource_sequence.php

@@ -5,6 +5,7 @@
 use Chamilo\CoreBundle\Entity\Sequence;
 use Chamilo\CoreBundle\Entity\SequenceResource;
 use ChamiloSession as Session;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
 
 $cidReset = true;
 
@@ -14,10 +15,14 @@
 
 Session::erase('sr_vertex');
 
+$httpRequest = HttpRequest::createFromGlobals();
+
 // setting breadcrumbs
 $interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
 
-$type = isset($_REQUEST['type']) ? (int) $_REQUEST['type'] : SequenceResource::SESSION_TYPE;
+$type = $httpRequest->query->has('type')
+    ? $httpRequest->query->getInt('type', SequenceResource::SESSION_TYPE)
+    : $httpRequest->request->getInt('type', SequenceResource::SESSION_TYPE);
 
 $tpl = new Template(get_lang('ResourcesSequencing'));
 $em = Database::getManager();
@@ -27,6 +32,7 @@
 
 $formSequence = new FormValidator('sequence_form', 'post', $currentUrl, null, null, FormValidator::LAYOUT_INLINE);
 $formSequence->addText('name', get_lang('Sequence'), true, ['cols-size' => [3, 8, 1]]);
+$formSequence->applyFilter('name', 'html_filter');
 $formSequence->addButtonCreate(get_lang('AddSequence'), 'submit_sequence', false, ['cols-size' => [3, 8, 1]]);
 
 $em = Database::getManager();

public/main/admin/system_announcements.php

@@ -179,6 +179,7 @@ function showCareer() {
     $form = new FormValidator('system_announcement', 'post', $url);
     $form->addHeader($form_title);
     $form->addText('title', get_lang('Title'), true);
+    $form->applyFilter('title', 'html_filter');
 
     $extraOption = [];
     $extraOption['all'] = get_lang('All');

public/main/admin/user_add.php

@@ -153,7 +153,7 @@ function updateStatus(){
 }
 
 // Phone
-$form->addElement('text', 'phone', get_lang('Phone number'), ['autocomplete' => 'off', 'id' => 'phone']);
+$form->addText('phone', get_lang('Phone number'), false, ['autocomplete' => 'off', 'id' => 'phone']);
 // Picture
 $form->addFile(
     'picture',

public/main/admin/user_anonymize_import.php

@@ -5,6 +5,7 @@
  * This tool allows platform admins to anonymize users by uploading a text file, with one username per line.
  */
 
+use Chamilo\CoreBundle\Entity\User;
 use Doctrine\Common\Collections\Criteria;
 
 $cidReset = true;
@@ -38,23 +39,29 @@
 $step2Form->addButtonUpdate(get_lang('Anonymize'));
 
 if ($step1Form->validate() && $usernameListFile->isUploadedFile()) {
-    $filePath = $usernameListFile->getValue()['tmp_name'];
+    $usernameListFileUploaded = $usernameListFile->getValue();
+    $usernameListFileUploaded['name'] = api_htmlentities($usernameListFileUploaded['name']);
+    $filePath = $usernameListFileUploaded['tmp_name'];
     if (!file_exists($filePath)) {
         throw new Exception(get_lang('CouldNotReadFile').' '.$filePath);
     }
     $submittedUsernames = file($filePath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
     if (false === $submittedUsernames) {
         throw new Exception(get_lang('CouldNotReadFileLines').' '.$filePath);
     }
+
+    $submittedUsernames = array_map('api_htmlentities', $submittedUsernames);
+    $submittedUsernames = array_filter($submittedUsernames);
+
     if (empty($submittedUsernames)) {
         printf(
             '<p>'.get_lang('FileXHasNoData').'</p>',
-            '<em>'.$usernameListFile->getValue()['name'].'</em>'
+            '<em>'.$usernameListFileUploaded['name'].'</em>'
         );
     } else {
         printf(
             '<p>'.get_lang('FileXHasYNonEmptyLines').'</p>',
-            '<em>'.$usernameListFile->getValue()['name'].'</em>',
+            '<em>'.$usernameListFileUploaded['name'].'</em>',
             count($submittedUsernames)
         );
         $uniqueSubmittedUsernames = array_values(array_unique($submittedUsernames));
@@ -78,6 +85,7 @@
             echo '<p>'.get_lang('NoLineMatchedAnyActualUserName').'</p>';
         } else {
             $foundUsernames = [];
+            /** @var User $user */
             foreach ($users as $user) {
                 $foundUsernames[] = $user->getUsername();
             }
@@ -112,6 +120,7 @@
         $anonymized = [];
         $errors = [];
         $tableSession = Database::get_main_table(TABLE_MAIN_SESSION);
+        /** @var User $user */
         foreach ($users as $user) {
             $username = $user->getUsername();
             $userId = $user->getId();

public/main/admin/user_edit.php

@@ -434,7 +434,11 @@ function confirmation(name) {
         $phone = $user['phone'];
         $username = $user['username'] ?? $userInfo['username'];
         $status = (int) $user['status'];
-        $platform_admin = (int) $user['platform_admin'];
+        $platform_admin = 0;
+        // Only platform admin can change user status to admin.
+        if (api_is_platform_admin()) {
+            $platform_admin = (int) $user['platform_admin'];
+        }
         $send_mail = (int) $user['send_mail'];
         $reset_password = (int) $user['reset_password'];
         $hr_dept_id = isset($user['hr_dept_id']) ? intval($user['hr_dept_id']) : null;

public/main/admin/user_list.php

@@ -225,7 +225,7 @@ function prepare_user_sql_query(bool $getCount, bool $showDeletedUsers = false):
     foreach ($keywordList as $keyword) {
         $keywordListValues[$keyword] = null;
         if (isset($_GET[$keyword]) && !empty($_GET[$keyword])) {
-            $keywordListValues[$keyword] = $_GET[$keyword];
+            $keywordListValues[$keyword] = Security::remove_XSS($_GET[$keyword]);
             $atLeastOne = true;
         }
     }

public/main/admin/user_list_consent.php

@@ -98,7 +98,7 @@ function prepare_user_sql_query($getCount)
     foreach ($keywordList as $keyword) {
         $keywordListValues[$keyword] = null;
         if (isset($_GET[$keyword]) && !empty($_GET[$keyword])) {
-            $keywordListValues[$keyword] = $_GET[$keyword];
+            $keywordListValues[$keyword] = Security::remove_XSS($_GET[$keyword]);
             $atLeastOne = true;
         }
     }

public/main/auth/profile.php

@@ -368,6 +368,7 @@ function show_image(image,width,height) {
 if ($form->validate()) {
     $wrong_current_password = false;
     $user_data = $form->getSubmitValues(1);
+    $user_data['item_id'] = api_get_user_id();
     $user = api_get_user_entity(api_get_user_id());
 
     // set password if a new one was provided
@@ -661,7 +662,7 @@ function show_image(image,width,height) {
             $actions .= '<a href="'.api_get_path(WEB_PATH).'main/messages/inbox.php">'.
                 Display::getMdiIcon(ToolIcon::MESSAGE, 'ch-tool-icon', null, ICON_SIZE_SMALL, get_lang('Messages')).'</a>';
         }
-        $show = isset($_GET['show']) ? '&amp;show='.Security::remove_XSS($_GET['show']) : '';
+        $show = isset($_GET['show']) ? '&show='.(int) $_GET['show'] : '';
 
         if (isset($_GET['type']) && 'extended' === $_GET['type']) {
             $actions .= '<a href="profile.php?type=reduced'.$show.'">'.

public/main/auth/reset.php

@@ -3,7 +3,7 @@
 
 require_once __DIR__.'/../inc/global.inc.php';
 
-$token = isset($_GET['token']) ? $_GET['token'] : '';
+$token = $_GET['token'] ?? '';
 
 if (!ctype_alnum($token)) {
     $token = '';
@@ -61,6 +61,14 @@
         Database::getManager()->persist($user);
         Database::getManager()->flush();
 
+        if ('true' === api_get_setting('platform.force_renew_password_at_first_login')) {
+            $extraFieldValue = new ExtraFieldValue('user');
+            $value = $extraFieldValue->get_values_by_handler_and_field_variable($user->getId(), 'ask_new_password');
+            if (!empty($value) && isset($value['value']) && 1 === (int) $value['value']) {
+                $extraFieldValue->delete($value['id']);
+            }
+        }
+
         Display::addFlash(Display::return_message(get_lang('Update successful')));
         header('Location: '.api_get_path(WEB_PATH));
         exit;

public/main/auth/user_mail_confirmation.php

@@ -3,7 +3,7 @@
 
 require_once __DIR__.'/../inc/global.inc.php';
 
-$token = isset($_GET['token']) ? $_GET['token'] : '';
+$token = $_GET['token'] ?? '';
 
 if (!ctype_alnum($token)) {
     $token = '';

public/main/calendar/agenda_js.php

@@ -275,7 +275,11 @@
     ];
 }
 $tpl->assign('on_hover_info', $options);
-
+if (api_is_https()) {
+    $tpl->assign('is_https', 1);
+} else {
+    $tpl->assign('is_https', 0);
+}
 $templateName = $tpl->get_template('agenda/month.tpl');
 $content = $tpl->fetch($templateName);
 $tpl->assign('content', $content);