fix returning unsanitized user-input

2025-01-03 04:29:28 +01:00 · 2023-06-16 09:38:19 +02:00 · 2023-06-16 09:38:19 +02:00 · 0386a463ec
commit 0386a463ec
parent 9b6a14f2d8
3 changed files with 43 additions and 14 deletions
--- a/api/src/Exception/AuthenticationRequired/Admin.php
+++ b/api/src/Exception/AuthenticationRequired/Admin.php
@ -0,0 +1,26 @@
 <?php
 /**
 * EGroupware API - Authentication Required Exceptions
 *
 * @link https://www.egroupware.org
 * @author Ralf Becker <rb@egroupware.org>
 * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
 * @package api
 * @subpackage exception
 * @access public
 */
 namespace EGroupware\Api\Exception\NoPermission;
 use EGroupware\Api\Exception\NoPermission;
 /**
 * User is not authenticated
 */
 class AuthenticationRequired extends NoPermission
 {
 	function __construct($msg=null, $code=401)
 	{
 		parent::__construct($msg,$code);
 	}
 }
--- a/api/src/loader/exception.php
+++ b/api/src/loader/exception.php
@ -53,7 +53,11 @@ function try_lang($key,$vars=null)
 function _egw_log_exception($e,&$headline=null)
 {
 	$trace = explode("\n", $e->getTraceAsString());
-	if ($e instanceof Api\Exception\NoPermission)
+	if ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
 	{
 		$headline = try_lang('Unauthorized: Authentication required!');
 	}
 	elseif ($e instanceof Api\Exception\NoPermission)
 	{
 		$headline = try_lang('Permission denied!');
 	}
@ -105,6 +109,14 @@ function egw_exception_handler($e)
 	{
 		Api\Egw::redirect($e->url, $e->app);
 	}
 	elseif ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
 	{
 		header('WWW-Authenticate: Basic realm="'.$GLOBALS['egw_info']['flags']['auth_realm'] ?? 'EGroupware'.'"');
 		http_response_code(401);
 		echo "<html>\n<head>\n<title>401 Unauthorized</title>\n<body>\nAuthorization failed.\n</body>\n</html>\n";
 		_egw_log_exception($e);
 		exit;
 	}
 	// logging all exceptions to the error_log (if not cli) and get headline
 	$headline = null;
 	_egw_log_exception($e,$headline);
--- a/calendar/freebusy.php
+++ b/calendar/freebusy.php
@ -25,6 +25,7 @@ $GLOBALS['egw_info'] = array(
 		'currentapp' => 'calendar',
 		'noheader'   => True,
 		'nofooter'   => True,
 		'no_exception_handler' => 'basic_auth',	// we use a basic auth exception handler (sends exception message as basic auth realm)
 	),
 );
 // check if we are already logged in
@ -45,16 +46,6 @@ if (!($logged_in = !empty(Api\Session::get_sessionid())))
 }
 include ('../header.inc.php');
 function fail_exit($msg)
 {
 	echo "<html>\n<head>\n<title>$msg</title>\n<meta http-equiv=\"content-type\" content=\"text/html; charset=".
 		Api\Translation::charset()."\" />\n</head>\n<body><h1>$msg</h1>\n</body>\n</html>\n";
 	header('WWW-Authenticate: Basic realm="'.($GLOBALS['egw_info']['flags']['auth_realm'] ?: 'EGroupware').'"');
 	http_response_code(401);
 	exit;
 }
 if (!$logged_in)
 {
 	include ('../api/src/loader.php');
@ -84,7 +75,7 @@ elseif (isset($_GET['email']))
 }
 if ($user === false || !($username = $GLOBALS['egw']->accounts->id2name($user)))
 {
-	fail_exit(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)",$_GET['user']));
+	throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)", $_GET['user']));
 }
 if (!$logged_in)
 {
@ -126,7 +117,7 @@ if (!$logged_in)
 	}
 	if (!$logged_in)
 	{
-		fail_exit(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
+		throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
 	}
 }
 if ($_GET['debug'])