From 8f09d9c4b8b41899b5b6492d0af3f996886545b4 Mon Sep 17 00:00:00 2001
From: nilsteampassnet
Date: Mon, 8 Jan 2024 14:30:38 +0100
Subject: [PATCH] 3.1.1 Several code fixes
---
.dcignore | 9 +++++++++
includes/config/include.php | 2 +-
includes/core/login.php | 16 ++++++++--------
index.php | 33 ++++++++++++++++++---------------
pages/items.js.php | 5 ++++-
sources/core.php | 9 ++++-----
sources/find.queries.php | 6 +++---
sources/identify.php | 4 ++--
sources/items.queries.php | 1 +
sources/main.functions.php | 4 ++--
10 files changed, 52 insertions(+), 37 deletions(-)
create mode 100644 .dcignore
diff --git a/.dcignore b/.dcignore
new file mode 100644
index 000000000..a7ad9bf47
--- /dev/null
+++ b/.dcignore
@@ -0,0 +1,9 @@
+vendor/
+includes/libraries/cryptojs
+includes/libraries/csrfp
+includes/libraries/ezimuel
+includes/libraries/plupload
+includes/libraries/yubico
+/install1/
+/install/
+/plugins/
\ No newline at end of file
diff --git a/includes/config/include.php b/includes/config/include.php
index b40439c9c..2c8db5cb0 100755
--- a/includes/config/include.php
+++ b/includes/config/include.php
@@ -17,7 +17,7 @@
 */
 define('TP_VERSION', '3.1.1');
 define("UPGRADE_MIN_DATE", "1702452416");
-define('TP_VERSION_MINOR', '22');
+define('TP_VERSION_MINOR', '23');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);
diff --git a/includes/core/login.php b/includes/core/login.php
index a27353cc2..8ee0ff65e 100755
--- a/includes/core/login.php
+++ b/includes/core/login.php
@@ -77,16 +77,16 @@ if ( isset($SETTINGS['enable_http_request_login']) === true && (int) $SETTINGS['enable_http_request_login'] === 1 - && $request->server->get('PHP_AUTH_USER') !== null + && $request->getUser() !== null && ! (isset($SETTINGS['maintenance_mode']) === true && (int) $SETTINGS['maintenance_mode'] === 1) ) { - if (strpos($request->server->get('PHP_AUTH_USER'), '@') !== false) { - $username = explode('@', $request->server->get('PHP_AUTH_USER'))[0]; - } elseif (strpos($request->server->get('PHP_AUTH_USER'), '\\') !== false) { - $username = explode('\\', $request->server->get('PHP_AUTH_USER'))[1]; + if (strpos($request->getUser(), '@') !== false) { + $username = explode('@', $request->getUser())[0]; + } elseif (strpos($request->getUser(), '\\') !== false) { + $username = explode('\\', $request->getUser())[1]; } else { - $username = $request->server->get('PHP_AUTH_USER'); + $username = $request->getUser(); } echo ' '; @@ -99,7 +99,7 @@ '; if (! (isset($SETTINGS['enable_http_request_login']) === true && (int) $SETTINGS['enable_http_request_login'] === 1 - && $request->server->get('PHP_AUTH_USER') !== null + && $request->getUser() !== null && ! (isset($SETTINGS['maintenance_mode']) === true && (int) $SETTINGS['maintenance_mode'] === 1))) { echo ' @@ -178,7 +178,7 @@ if (isset($SETTINGS['enable_http_request_login']) === true && (int) $SETTINGS['enable_http_request_login'] === 1 - && $request->server->get('PHP_AUTH_USER') !== null + && $request->getUser() !== null && (isset($SETTINGS['maintenance_mode']) === false && (int) $SETTINGS['maintenance_mode'] === 1) ) { diff --git a/index.php b/index.php index 9af465520..526042708 100755 --- a/index.php +++ b/index.php @@ -24,6 +24,7 @@ * @see https://www.teampass.net */ +use voku\helper\AntiXSS; use TeampassClasses\SessionManager\SessionManager; use Symfony\Component\HttpFoundation\Request as SymfonyRequest; use TeampassClasses\Language\Language; 
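Review bot: `$request->getUser()` is evaluated up to seven times across the new guard and the username-splitting branch in includes/core/login.php; read it once with `$authUser = $request->getUser();` and branch on the local, which also lets the two `strpos(...) !== false` tests become `str_contains($authUser, '@')` and `str_contains($authUser, '\\')`. The same `getUser() !== null` guard is repeated verbatim in the hunks at lines 99 and 178, so one local would serve all three sites. The enclosing `if` block continues past the end of the hunk.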
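Review bot: The context condition wrapped around the new `&& $request->getUser() !== null` line at 178 reads `isset($SETTINGS['maintenance_mode']) === false && (int) $SETTINGS['maintenance_mode'] === 1`, which cannot be true: when the index is unset the cast yields 0, so the block this guard protects is unreachable as written. That predates the commit, but since the line is being touched it is worth checking whether `=== true` was intended (the guard at line 77 uses the negated form) and either fixing the condition or deleting the dead block. The body of that `if` lies outside the hunk.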
@@ -85,6 +86,7 @@ $session = SessionManager::getSession(); $request = SymfonyRequest::createFromGlobals(); $session->set('key', SessionManager::getCookieValue('PHPSESSID')); +$antiXss = new AntiXSS(); // Quick major version check -> upgrade needed? if (isset($SETTINGS['teampass_version']) === true && version_compare(TP_VERSION, $SETTINGS['teampass_version']) > 0) { @@ -99,9 +101,11 @@ } if (isset($SETTINGS['cpassman_url']) === false || $SETTINGS['cpassman_url'] === '') { - $SETTINGS['cpassman_url'] = $request->server->get('REQUEST_URI'); + $SETTINGS['cpassman_url'] = $request->getRequestUri(); } +$SETTINGS = $antiXss->xss_clean($SETTINGS); + // Load Core library require_once $SETTINGS['cpassman_dir'] . '/sources/core.php'; // Prepare POST variables @@ -117,12 +121,12 @@ $session_auth_type = $session->get('user-auth_type'); $server = []; -$server['request_uri'] = (string) $request->server->get('REQUEST_URI'); +$server['request_uri'] = (string) $request->getRequestUri(); $server['request_time'] = (int) $request->server->get('REQUEST_TIME'); $get = []; -$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page'); -$get['otv'] = $request->query->get('otv') === null ? '' : $request->query->get('otv'); +$get['page'] = $request->query->get('page') === null ? '' : $antiXss->xss_clean($request->query->get('page')); +$get['otv'] = $request->query->get('otv') === null ? '' : $antiXss->xss_clean($request->query->get('otv')); /* DEFINE WHAT LANGUAGE TO USE */ if (null === $session->get('user-validite_pw') && $post_language === null && $session_user_language === null) { 
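Review bot: `$SETTINGS = $antiXss->xss_clean($SETTINGS);` rewrites every value in the configuration array in place, and the very next statement builds an include path from `$SETTINGS['cpassman_dir']`. AntiXSS is an HTML-output filter that alters any string it judges dangerous rather than a validator, so a path, URL or key-like setting containing characters it rewrites (`<`, `&`, quotes, scheme-like fragments) would be silently changed before it is used for file system access or crypto. Keep the settings array as loaded and escape individual values where they are echoed into HTML, or at minimum exclude path and secret settings from the cleaning. What `$SETTINGS` holds beyond `cpassman_url` and `cpassman_dir` is not visible here, so check the loader before deciding which keys are affected.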
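Review bot: Passing `page` through `xss_clean()` in the 117 hunk does not make it safe for the `include` that consumes it later in index.php (hunks at 948 and 964): the filter escapes for an HTML context and is not a path validator. Accept `page` only when it names a known page — keep `$get['page']` raw and gate the include on `array_key_exists($get['page'], $mngPages)` or an explicit allowlist of page names — and apply output escaping only where the value is printed. The same applies to `otv`; if that value is later compared against a stored token, confirm the filter cannot rewrite a legitimate value, since a mangled token would fail the comparison.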
@@ -948,13 +952,11 @@ } elseif (in_array($get['page'], array_keys($mngPages)) === true) { // Define if user is allowed to see management pages if ($session_user_admin === 1) { - include $SETTINGS['cpassman_dir'] . '/pages/' . $mngPages[$get['page']]; + // deepcode ignore FileInclusion: $get['page'] is secured through usage of array_keys test bellow + include $SETTINGS['cpassman_dir'] . '/pages/' . basename($mngPages[$get['page']]); } elseif ($session_user_manager === 1 || $session_user_human_resources === 1) { - if ($get['page'] !== 'manage_main' - && $get['page'] !== 'manage_settings' + if ($get['page'] === 'manage_main' || $get['page'] === 'manage_settings' ) { - //include $SETTINGS['cpassman_dir'] . '/pages/' . $mngPages[$_GET['page']]; - } else { $session->set('system-error_code', ERR_NOT_ALLOWED); //not allowed page include $SETTINGS['cpassman_dir'] . '/error.php'; @@ -964,8 +966,9 @@ //not allowed page include $SETTINGS['cpassman_dir'] . '/error.php'; } - } elseif (empty($get['page']) === false) { - include $SETTINGS['cpassman_dir'] . '/pages/' . $get['page'] . '.php'; + } elseif (empty($get['page']) === false && file_exists($SETTINGS['cpassman_dir'] . '/pages/' . $get['page'] . '.php') === true) { + // deepcode ignore FileInclusion: $get['page'] is tested against file_exists just below + include $SETTINGS['cpassman_dir'] . '/pages/' . basename($get['page'] . '.php'); } else { $session->set('system-array_roles', ERR_NOT_EXIST); //page doesn't exist @@ -1147,8 +1150,8 @@ function(teampassSettings) {} query->get('page') === null ? '' : $request->query->get('page'); + //$get = []; + //$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page'); if ($menuAdmin === true) { ?> 
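Review bot: The added suppression `// deepcode ignore FileInclusion: $get['page'] is secured through usage of array_keys test bellow` points the wrong way and has a typo: the `in_array($get['page'], array_keys($mngPages))` guard is on the `elseif` above, not below. Reword it to `// deepcode ignore FileInclusion: $get['page'] was checked against array_keys($mngPages) in the elseif above`. That guard also calls `in_array` without `strict: true`; `array_key_exists($get['page'], $mngPages) === true` on the context line would be strict and avoid building a key list. The `elseif` chain continues into the next hunk.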
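Review bot: The guard and the include in the 964 hunk operate on different paths: `file_exists(... '/pages/' . $get['page'] . '.php')` is evaluated on the raw value while `include ... basename($get['page'] . '.php')` loads the base name only, so a `page` value with a directory component is checked against one file and includes another, and the suppression comment ("tested against file_exists just below") describes a check that is above, not below. Normalise once and use the same string in both places: `$pageFile = basename($get['page']) . '.php';`, `} elseif (empty($get['page']) === false && file_exists($SETTINGS['cpassman_dir'] . '/pages/' . $pageFile) === true) {` and `include $SETTINGS['cpassman_dir'] . '/pages/' . $pageFile;`. An allowlist of page names would be stronger still, since `file_exists` accepts any readable `.php` under pages/.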
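Review bot: The `//$get = [];` and `//$get['page'] = ...` lines at 1147 should be deleted rather than kept as comments, and the hunk at 1279 does the same thing; commented-out code only misleads the next reader and version control already keeps the history. The removed lines are partly garbled in this rendering, so confirm against the file that nothing else in that block depended on `$get` being reassigned there. The surrounding template block starts and ends outside the hunk.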
@@ -1279,8 +1282,8 @@ function(teampassSettings) {} query->get('page') === null ? '' : $request->query->get('page'); +//$get = []; +//$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page'); // Load links, css and javascripts if (isset($SETTINGS['cpassman_dir']) === true) { diff --git a/pages/items.js.php b/pages/items.js.php index 74c485f71..f348d86bb 100755 --- a/pages/items.js.php +++ b/pages/items.js.php @@ -3358,7 +3358,10 @@ function(data) { icon_favorite; data = prepareExchangedData(data, 'decode', 'get('key'); ?>', 'find.queries.php', type); - if (debugJavascript === true) console.log(data); + if (debugJavascript === true) { + console.log('CE que nous avons trouvé'); + console.log(data); + } // Ensure correct div is not hidden $('#info_teampass_items_list').addClass('hidden'); diff --git a/sources/core.php b/sources/core.php index 6df1b32ce..ce809bd93 100755 --- a/sources/core.php +++ b/sources/core.php @@ -70,9 +70,9 @@ function teampassRedirect($url) // Prepare GET variables $server = []; -$server['https'] = $request->server->get('HTTPS'); -$server['request_uri'] = $request->server->get('REQUEST_URI'); -$server['http_host'] = $request->server->get('HTTP_HOST'); +$server['https'] = $request->isSecure(); +$server['request_uri'] = $request->getRequestUri(); +$server['http_host'] = $request->getHttpHost(); $server['ssl_server_cert'] = $request->server->get('ssl_server_cert'); $server['remote_addr'] = $request->server->get('remote_addr'); $server['http_user_agent'] = $request->server->get('http_user_agent'); @@ -204,7 +204,6 @@ function delTree($dir) || (filter_input(INPUT_POST, 'session', FILTER_SANITIZE_FULL_SPECIAL_CHARS) !== null && filter_input(INPUT_POST, 'session', FILTER_SANITIZE_FULL_SPECIAL_CHARS) === 'expired') ) { - error_log('EXPIRED SESSION'); // Clear User tempo key if ($session->has('user-id') && null !== $session->get('user-id')) { DB::update( 
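Review bot: `console.log('CE que nous avons trouvé');` in pages/items.js.php is a French placeholder label that says nothing about what follows; log a descriptive English label together with the payload in one call, e.g. `console.log('find.queries.php response:', data);`, which also keeps the block to two lines. The logging stays behind `debugJavascript === true`, which is right for a payload that `prepareExchangedData` has just decoded. The enclosing callback begins and ends outside the hunk.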
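Review bot: `$server['https'] = $request->isSecure();` changes the stored value from the raw `HTTPS` server string (or null) to a bool, and the only consumer visible in this commit, `if (isset($server['https']))` in the hunk at line 374 of sources/core.php, tests presence rather than truth — `isset()` is true for `false`, so the `Strict-Transport-Security` header is now sent on plain-HTTP responses as well. Change that check to `if ($server['https'] === true) {`. `isSecure()` honours `X-Forwarded-Proto` only when trusted proxies are configured, so behind a TLS-terminating proxy confirm `Request::setTrustedProxies()` is called, otherwise it reports false. teampassRedirect() named in the hunk header ends before these lines.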
@@ -374,7 +373,7 @@ function() { } } if (isset($cert_name) === true && empty($cert_name) === false && $cert_name !== $cert_issuer) { - if (isset($server['HTTPS'])) { + if (isset($server['https'])) { header('Strict-Transport-Security: max-age=500'); $session->set('system-error_sts', 0); } diff --git a/sources/find.queries.php b/sources/find.queries.php index edba0f53e..22ed6e7a7 100755 --- a/sources/find.queries.php +++ b/sources/find.queries.php @@ -175,9 +175,9 @@ // Define criteria $search_criteria = ''; $searchParam = $request->query->all()['search'] ?? null; -if (isset($searchParam) && is_array($searchParam)) { - if (empty($searchParam['value']) === false) { - $search_criteria = filter_var($searchParam['value'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); +if (isset($searchParam)) { + if (empty($searchParam) === false) { + $search_criteria = filter_var($searchParam, FILTER_SANITIZE_FULL_SPECIAL_CHARS); } } diff --git a/sources/identify.php b/sources/identify.php index f4b9a8b7a..2da8731bb 100755 --- a/sources/identify.php +++ b/sources/identify.php @@ -234,8 +234,8 @@ function identifyUser(string $sentData, array $SETTINGS): bool $sessionPwdAttempts = $session->get('pwd_attempts'); $sessionUrl = $session->get('user-initial_url'); $server = []; - $server['PHP_AUTH_USER'] = $request->server->get('PHP_AUTH_USER'); - $server['PHP_AUTH_PW'] = $request->server->get('PHP_AUTH_PW'); + $server['PHP_AUTH_USER'] = $request->getUser(); + $server['PHP_AUTH_PW'] = $request->getPassword(); // decrypt and retreive data in JSON format if ($session->get('key') === null) { diff --git a/sources/items.queries.php b/sources/items.queries.php index d3727c7fd..5d905050f 100755 --- a/sources/items.queries.php +++ b/sources/items.queries.php 
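Review bot: Dropping the `is_array($searchParam)` guard in sources/find.queries.php lets a `search[]=...` query reach `filter_var($searchParam, FILTER_SANITIZE_FULL_SPECIAL_CHARS)` with an array, which returns `false` instead of a string, so `$search_criteria` silently becomes `false` and whatever builds the query from it downstream receives a non-string. The old code read `$searchParam['value']`, so the parameter shape seems to have changed; require a string explicitly: `if (is_string($searchParam) && $searchParam !== '') {`. Using `!== ''` also stops `empty()` from discarding a literal search for `0`. What happens to `$search_criteria` after the hunk is outside this view.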
@@ -2220,6 +2220,7 @@
 // Check if file still exists
 if (file_exists($SETTINGS['path_to_upload_folder'] . DIRECTORY_SEPARATOR . TP_FILE_PREFIX . base64_decode($record['file'])) === true) {
 // Step1 - decrypt the file
+ // deepcode ignore PT: path is sanitized inside decryptFile()
 $fileContent = decryptFile(
 $record['file'],
 $SETTINGS['path_to_upload_folder'],
diff --git a/sources/main.functions.php b/sources/main.functions.php
index 16b3adfd2..67d4ddacc 100755
--- a/sources/main.functions.php
+++ b/sources/main.functions.php
@@ -4220,8 +4220,8 @@ function getCurrectPage($SETTINGS)
 // Parse the url
 parse_str(
 substr(
- (string) $request->server->get('REQUEST_URI'),
- strpos((string) $request->server->get('REQUEST_URI'), '?') + 1
+ (string) $request->getRequestUri(),
+ strpos((string) $request->getRequestUri(), '?') + 1
 ),
 $result
 );
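Review bot: The suppression `// deepcode ignore PT: path is sanitized inside decryptFile()` justifies the finding with behaviour that is not visible at this call site, while the `file_exists()` check two lines above already concatenates `base64_decode($record['file'])` into a path with no normalisation, so the scanner's concern applies there regardless of what decryptFile() does. Decode the stored name once, reject the record when `basename($decodedName) !== $decodedName`, and reuse that name in the existence check so the comment can point at a check a reader can see. Whether decryptFile() normalises its first argument cannot be confirmed from this hunk. The `if` block continues past the hunk.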
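Review bot: `strpos((string) $request->getRequestUri(), '?') + 1` still yields `1` when the URI carries no query string, because `strpos()` returns `false` and `false + 1 === 1`, so `substr()` hands the path minus its first character to `parse_str()` and `$result` is filled with meaningless keys. Since a Symfony request is already in hand, replace the whole `parse_str(substr(...), $result)` construct with `$result = $request->query->all();`, which needs no string slicing at all. getCurrectPage() starts before the hunk and continues after it, so check how `$result` is read there.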