Diffstat (limited to 'src')
| -rw-r--r-- | src/fanswer.php | 4 | ||||
| -rw-r--r-- | src/fclar.php | 4 | ||||
| -rw-r--r-- | src/fcontest.php | 18 | ||||
| -rw-r--r-- | src/fextdata.php | 11 | ||||
| -rw-r--r-- | src/flanguage.php | 6 | ||||
| -rw-r--r-- | src/fproblem.php | 11 | ||||
| -rw-r--r-- | src/frun.php | 8 | ||||
| -rw-r--r-- | src/ftask.php | 8 | ||||
| -rwxr-xr-x | src/globals.php | 11 | ||||
| -rwxr-xr-x | src/private/autojudging.php | 4 |
10 files changed, 52 insertions, 33 deletions
diff --git a/src/fanswer.php b/src/fanswer.php index c53843d..8f2c95b 100644 --- a/src/fanswer.php +++ b/src/fanswer.php @@ -63,7 +63,7 @@ function DBDeleteAnswer($contest,$param,$c=null) { $ac=array('number'); foreach($ac as $key) { if(!isset($param[$key])) return false; - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $cw = false; @@ -106,7 +106,7 @@ function DBNewAnswer($contest, $param, $c=null) { MSGError("DBNewAnswer param error: $key is not set"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBNewAnswer param error: $key is not numeric"); return false; diff --git a/src/fclar.php b/src/fclar.php index 39084bc..fd99c53 100644 --- a/src/fclar.php +++ b/src/fclar.php @@ -255,7 +255,7 @@ function DBNewClar($param,$c=null) { MSGError("DBNewClar param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $t = time(); $clarnumber=-1; @@ -269,7 +269,7 @@ function DBNewClar($param,$c=null) { $clarstatus='openclar'; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBNewClar param error: $key is not numeric"); return false; diff --git a/src/fcontest.php b/src/fcontest.php index d286763..b34658f 100644 --- a/src/fcontest.php +++ b/src/fcontest.php @@ -558,7 +558,7 @@ function DBUpdateSiteTime($contest,$param,$dodelete=false,$c=null) { LOGError("DBUpdateSiteTime param error: $key is not set"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { LOGError("DBUpdateSiteTime param error: $key is not numeric"); return false; 
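Review bot: In DBDeleteAnswer the swap from `sanitizeText()` to `myhtmlspecialchars()` drops the `addslashes()` step that sanitizeText ends with (visible in the globals.php context), and this loop has no `is_numeric` check on `number`. myhtmlspecialchars is not defined on this page, so its output cannot be confirmed as safe inside a query; HTML-entity encoding is an output-side defence and does not neutralise SQL syntax. The same swap recurs in the DBNew*/DBUpdate* hunks of fclar.php, fcontest.php, fproblem.php, frun.php and ftask.php, and in DBDeleteProblem the context shows `$number` interpolated unquoted into `select * from problemtable where problemnumber=$number`. In the two delete helpers I would add `if(!is_numeric($param[$key])) return false;` before the assignment, and move these statements to bound parameters as a follow-up. The function bodies continue outside the hunks, so later checks are not visible here.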
@@ -601,7 +601,7 @@ function DBUpdateSite ($param,$c=null) { MSGError("DBUpdateSite param error: $key is not set"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBUpdateSite param error: $key is not numeric"); return false; @@ -626,7 +626,7 @@ function DBUpdateSite ($param,$c=null) { $siteactive='f'; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBUpdateSite param error: $key is not numeric"); return false; @@ -757,7 +757,7 @@ function DBUpdateContest ($param, $c=null) { MSGError("DBUpdateContest param error: $key is not set"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBUpdateContest param error: $key is not numeric"); return false; @@ -780,7 +780,7 @@ function DBUpdateContest ($param, $c=null) { $updatetime=-1; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBUpdateContest param error: $key is not numeric"); return false; @@ -990,7 +990,7 @@ function DBNewContest ($param=array(), $c=null) { $unlockkey=''; foreach($ac as $key) { if(isset($param[$key]) && (!isset($type[$key]) || is_numeric($param[$key]))) - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); else $$key = ""; } @@ -1084,7 +1084,7 @@ function DBNewSite ($contest, $c=null, $param=array()) { $type['updatetime']=1; foreach($ac as $key) { if(isset($param[$key]) && (!isset($type[$key]) || is_numeric($param[$key]))) - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); else $$key = ""; } 
@@ -1218,7 +1218,7 @@ function DBNewUser($param, $c=null) { MSGError("DBNewUser param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $username= "team" . $user; $updatetime=-1; @@ -1238,7 +1238,7 @@ function DBNewUser($param, $c=null) { $userlastlogout=null; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($typei[$key]) && !is_numeric($param[$key])) { MSGError("DBNewUser param error: $key is not numeric"); return false; diff --git a/src/fextdata.php b/src/fextdata.php index 209ec2c..fd2c0be 100644 --- a/src/fextdata.php +++ b/src/fextdata.php @@ -333,7 +333,8 @@ function importFromXML($ar,$contest,$site,$tomain=false,$uptime=0) { for($i=$v; $i < $val[$k+1]; $i++) { $p = strtolower($values[$i]["tag"]); if($values[$i]["type"]=="complete" && isset($values[$i]["value"])) { - $tmp = sanitizeText(trim(implode('',explode('\n',$values[$i]["value"])))); + // $tmp = sanitizeText(base64_decode(trim(implode('',explode('\n',$values[$i]["value"])))),false); + $tmp = base64_decode($values[$i]["value"]); $param[$p] = $tmp; } } 
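Review bot: In the importFromXML hunk, `base64_decode($values[$i]["value"])` runs in non-strict mode with no check on the result, and the `sanitizeText()` call that used to wrap imported values is gone. Every field from the remote site's XML now reaches `$param` raw, so its safety depends entirely on what the DBNew* callees do with it. A peer that still sends unencoded values would likely be decoded into garbage rather than rejected. I would use `$tmp = base64_decode($values[$i]["value"], true);` followed by `if($tmp === false) { LOGError("importFromXML: invalid base64 in $p"); continue; }`, and delete the commented-out line instead of keeping it as dead code. The function body starts and ends outside the hunk.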
@@ -401,8 +402,10 @@ function importFromXML($ar,$contest,$site,$tomain=false,$uptime=0) { if(isset($param['usersitenumber']) && !isset($param['sitenumber'])) $param['sitenumber']=$param['usersitenumber']; if(isset($param['clarsitenumber']) && !isset($param['sitenumber'])) $param['sitenumber']=$param['clarsitenumber']; if(isset($param['runsitenumber']) && !isset($param['sitenumber'])) $param['sitenumber']=$param['runsitenumber']; - if(!isset($param['sitenumber']) || $param['sitenumber'] != $site) continue; - + if(!isset($param['sitenumber']) || $param['sitenumber'] != $site) { + LOGError("importFromXML: site mismatch $site " . $param['sitenumber']); + continue; + } if($tomain && $table == "sitetable") { if(!DBNewSite($contest, $conn, $param)) { LOGError("importFromXML: error to update $table"); @@ -528,7 +531,7 @@ function generateSiteXML($contest,$site,$updatetime) { LOGError("large object ($key,$val) not readable"); } } else { - $str .= " <" . $key . ">" . $val . "</" . $key . ">\n"; + $str .= " <" . $key . ">" . base64_encode($val) . "</" . $key . ">\n"; } } $str .= "</" . $kk . ">\n"; diff --git a/src/flanguage.php b/src/flanguage.php index 363e7e4..fe3d3ff 100644 --- a/src/flanguage.php +++ b/src/flanguage.php @@ -64,7 +64,7 @@ function DBDeleteLanguage($contestnumber, $param, $c=null) { MSGError("DBDeleteLanguage param error: $key not found"); return false; } - $$key = sanitizeText($param[$key]); + $$key = sanitizeFilename($param[$key]); } $cw = false; if($c == null) { 
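Review bot: The new `LOGError("importFromXML: site mismatch $site " . $param['sitenumber']);` is reached when `!isset($param['sitenumber'])` is true, so it reads an undefined index on exactly one of the two conditions that enter the branch. The logged value also comes from the imported XML, which after this commit is only base64-decoded; whether LOGError neutralises line breaks is not visible here, so the value should be constrained before it is written. Something like `$sn = isset($param['sitenumber']) ? (int)$param['sitenumber'] : -1;` followed by `LOGError("importFromXML: site mismatch $site $sn");` covers both. The function body extends beyond the hunk.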
@@ -116,12 +116,12 @@ function DBNewLanguage($contestnumber, $param, $c=null) { MSGError("DBNewLanguage param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = sanitizeFilename($param[$key]); } $updatetime=-1; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = sanitizeFilename($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBNewLanguage param error: $key is not numeric"); return false; diff --git a/src/fproblem.php b/src/fproblem.php index c3eed4a..6954836 100644 --- a/src/fproblem.php +++ b/src/fproblem.php @@ -168,8 +168,8 @@ function DBGetFullProblemData($contestnumber,$freeproblems=false) { if(!$failed) { $descfile=''; if(isset($info['descfile'])) - $descfile=trim(sanitizeText($info['descfile'])); - $basename=trim(sanitizeText($info['basename'])); + $descfile=trim(sanitizeFilename($info['descfile'])); + $basename=trim(sanitizeFilename($info['basename'])); $fullname=trim(sanitizeText($info['fullname'])); if($basename=='' || $fullname=='') $failed=3; @@ -229,7 +229,7 @@ function DBDeleteProblem($contestnumber, $param, $c=null) { $ac=array('number','inputfilename'); foreach($ac as $key) { if(!isset($param[$key])) return false; - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $sql = "select * from problemtable where problemnumber=$number and contestnumber=$contestnumber and fake='f'"; 
@@ -289,6 +289,7 @@ function DBNewProblem($contestnumber, $param, $c=null) { if(isset($param['problemcolor']) && !isset($param['color'])) $param['color']=$param['problemcolor']; if(isset($param['probleminputfile']) && !isset($param['inputfilepath'])) $param['inputfilepath']=$param['probleminputfile']; if(isset($param['probleminputfilename']) && !isset($param['inputfilename'])) $param['inputfilename']=$param['probleminputfilename']; + $param['basename'] = sanitizeFilename($param['basename']); $ac=array('number','name'); $type['number']=1; @@ -307,7 +308,7 @@ function DBNewProblem($contestnumber, $param, $c=null) { MSGError("DBNewProblem param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $basename=''; $inputfilename=''; @@ -320,7 +321,7 @@ function DBNewProblem($contestnumber, $param, $c=null) { MSGError("DBNewProblem param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } } $t = time(); diff --git a/src/frun.php b/src/frun.php index 923fbf8..359b395 100644 --- a/src/frun.php +++ b/src/frun.php @@ -620,7 +620,9 @@ function DBNewRun($param,$c=null) { if(isset($param['runproblem']) && !isset($param['problem'])) $param['problem']=$param['runproblem']; if(isset($param['runfilename']) && !isset($param['filename'])) $param['filename']=$param['runfilename']; if(isset($param['rundata']) && !isset($param['filepath'])) $param['filepath']=$param['rundata']; - + $param['filename']=sanitizeFilename($param['filename']); + $param['filepath']=sanitizeFilename($param['filepath']); + $ac=array('contest','site','user','problem','lang','filename','filepath'); $ac1=array('runnumber','rundate','rundatediff','rundatediffans','runanswer','runstatus','runjudge','runjudgesite', 'runjudge1','runjudgesite1','runanswer1','runjudge2','runjudgesite2','runanswer2', 
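Review bot: `$param['basename'] = sanitizeFilename($param['basename']);` in DBNewProblem runs unconditionally, so when the caller omits `basename` it reads an undefined index and then creates the key with an empty string. The same pattern is added in DBNewRun for `filename`/`filepath` (frun.php) and in DBNewTask (ftask.php). In DBNewRun both keys are in the required `$ac` list, so as far as the hunk shows, the later "is not set" check can no longer fire for them. Guarding each assignment keeps the existing validation meaningful: `if(isset($param['filename'])) $param['filename'] = sanitizeFilename($param['filename']);`. All three function bodies continue outside their hunks.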
@@ -654,7 +656,7 @@ function DBNewRun($param,$c=null) { MSGError("DBNewRun param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $t = time(); $autoip=''; @@ -680,7 +682,7 @@ function DBNewRun($param,$c=null) { $runstatus='openrun'; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBNewRun param error: $key is not numeric"); return false; diff --git a/src/ftask.php b/src/ftask.php index fc2cd48..a080db3 100644 --- a/src/ftask.php +++ b/src/ftask.php @@ -293,7 +293,9 @@ function DBNewTask($param, $c=null, $autotask=false) { if(isset($param['taskstatus']) && !isset($param['status'])) $param['status']=$param['taskstatus']; if(isset($param['taskdesc']) && !isset($param['desc'])) $param['desc']=$param['taskdesc']; if(isset($param['tasksystem']) && !isset($param['sys'])) $param['sys']=$param['tasksystem']; - + $param['filepath']=sanitizeFilename($param['filepath']); + $param['filename']=sanitizeFilename($param['filename']); + $ac=array('contest','site','user','desc'); $ac1=array('color','colorname','updatetime','filename','filepath','sys','tasknumber','status', 'taskdate','taskdatediff','taskdatediffans','taskstaffnumber','taskstaffsite'); @@ -316,7 +318,7 @@ function DBNewTask($param, $c=null, $autotask=false) { MSGError("DBNewTask param error: $key is not numeric"); return false; } - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); } $taskstaffnumber=-1; $taskstaffsite=-1; @@ -334,7 +336,7 @@ function DBNewTask($param, $c=null, $autotask=false) { $taskdatediff=-1; foreach($ac1 as $key) { if(isset($param[$key])) { - $$key = sanitizeText($param[$key]); + $$key = myhtmlspecialchars($param[$key]); if(isset($type[$key]) && !is_numeric($param[$key])) { MSGError("DBNewTask param error: $key is not numeric"); return false; 
diff --git a/src/globals.php b/src/globals.php index ded3ba2..8b7bfb0 100755 --- a/src/globals.php +++ b/src/globals.php @@ -107,6 +107,17 @@ function sanitizeText($text, $doamp=true) $text = addslashes($text); return $text; } +function sanitizeFilename($text) +{ + $text = str_replace("&", "", $text); + $text = str_replace("<", "", $text); + $text = str_replace(">", "", $text); + $text = str_replace("\"", "", $text); + $text = str_replace("'", "", $text); + $text = str_replace("`", "", $text); + $text = addslashes($text); + return $text; +} function unsanitizeText($text) { $text = str_replace("&", "&", $text); diff --git a/src/private/autojudging.php b/src/private/autojudging.php index cbdc1ec..2c5fdfc 100755 --- a/src/private/autojudging.php +++ b/src/private/autojudging.php @@ -195,8 +195,8 @@ if(is_readable($cache . $ds . $run["inputoid"] . "." . $run["inputname"])) { continue; } if(isset($info['descfile'])) - $descfile=trim(sanitizeText($info['descfile'])); - $basename=trim(sanitizeText($info['basename'])); + $descfile=trim(sanitizeFilename($info['descfile'])); + $basename=trim(sanitizeFilename($info['basename'])); $fullname=trim(sanitizeText($info['fullname'])); if($basename=='') { echo "Problem content missing (description/problem.info) -- please check the problem package\n"; |
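Review bot: `sanitizeFilename()` in globals.php removes `& < > " ' `` ` `` but leaves `/`, `\`, `..` and control characters, so despite its name it does not confine a value to a single path component. It is now the only filter on `basename` and `descfile` in DBGetFullProblemData and autojudging.php. How those values are later joined into paths is not visible here, so treat traversal as something to verify. For the single-component values I would apply `basename()` to the result, or reject anything that fails `preg_match('/^[A-Za-z0-9._-]+$/', $text)`; `filepath` needs a different, separately named check. The trailing `addslashes()` only affects backslash and NUL once the quotes are stripped, which is worth saying in a docblock that states what the function does and does not guarantee.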