4.17.12

Application.php

@@ -237,7 +237,7 @@ public static function getImportHTML() {
         $str .= "<link rel='stylesheet' href='".self::link("/css/w3.css")."' />";
         $str .= "<script src='".self::link("/js/base.js")."&$version'></script>";
 
-        $baseUrl = $_SERVER['PHP_SELF'];
+        $baseUrl = $_SERVER['PHP_SELF'] ?? "";
         $isExtModPage = preg_match("/ExternalModules/", $baseUrl) || preg_match("/external_modules/", $baseUrl);
         $isPluginPage = preg_match("/\/plugins\//", $baseUrl);
         $isFTPage = $isPluginPage || $isExtModPage && (preg_match("/odules\/$/", $baseUrl) || preg_match("/odules\/index.php$/", $baseUrl));
@@ -506,7 +506,7 @@ public static function getComposerAutoloadLocation() {
     }
 
     public static function isWebBrowser() {
-        return $_SERVER['REQUEST_URI'];
+        return $_SERVER['REQUEST_URI'] ?? "";
     }
 
     public static function isLocalhost() {

CareerDev.php

@@ -40,7 +40,8 @@ public static function getUnknown() {
 	}
 
 	public static function isWrangler() {
-		return preg_match("/wrangler/", $_GET['page']);
+        $page = (isset($_GET['page']) && !is_array($_GET['page'])) ? $_GET['page'] : "";
+		return preg_match("/wrangler/", $page);
 	}
 
 	public static function filterOutCopiedRecords($records) {
@@ -164,9 +165,10 @@ public static function log($mssg, $pid = FALSE) {
         }
 	    $pid = REDCapManagement::sanitize($pid);
 	    if (self::isLocalhost()) {
+            $page = (isset($_GET['page']) && !is_array($_GET['page'])) ? $_GET['page'] : "";
 	        if (
 	            isset($_GET['test'])
-                || (isset($_GET['page']) && !preg_match('/reporting/', $_GET['page']))
+                || !preg_match('/reporting/', $page)
             ) {
                 $mssg = REDCapManagement::sanitize($mssg);
                 if ($pid) {
@@ -220,7 +222,7 @@ public static function log($mssg, $pid = FALSE) {
 	}
 
 	public static function isREDCap() {
-		$rootPage = $_SERVER['PHP_SELF'];
+		$rootPage = $_SERVER['PHP_SELF'] ?? "";
 		if (strpos($rootPage, "ExternalModules") !== FALSE) {
 			return FALSE;
 		}
@@ -258,6 +260,16 @@ public static function setPid($pid) {
 		self::$pid = $pid;
 	}
 
+    private static function constructThisURL() {
+        $isHTTPS = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off'));
+        $serverPort = $_SERVER['SERVER_PORT'] ?? 0;
+        $isSSLPort = $serverPort == 443;
+        $protocol = ($isHTTPS || $isSSLPort) ? "https://" : "http://";
+        $host = $_SERVER['HTTP_HOST'] ?? "";
+        $uri = $_SERVER['REQUEST_URI'] ?? "";
+        return $protocol.$host.$uri;
+    }
+
 	public static function getPid($token = "") {
 		if ($token) {
 			$pid = self::getPidFromToken($token);
@@ -269,11 +281,11 @@ public static function getPid($token = "") {
 		if (self::$pid) {
 			return self::$pid;
 		}
-        $thisURL = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
-
-        if (preg_match("/project_id=\d+/", $thisURL) && preg_match("/pid=\d+/", $thisURL)) {
+        $thisUrl = self::constructThisURL();
+        if (preg_match("/project_id=\d+/", $thisUrl) && preg_match("/pid=\d+/", $thisUrl)) {
             throw new \Exception("Invalid URL");
         }
+
 		$requestedPid = FALSE;
  		if (isset($_GET['pid'])) {
 			# least reliable because REDCap can sometimes change this value in other crons
@@ -392,14 +404,13 @@ public static function getModule() {
 
 	public static function getLink($relativeUrl, $pid = "", $withWebroot = FALSE) {
 	    if ($relativeUrl == "this") {
-            $protocol = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
-            $fullURL = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+            $fullURL = self::constructThisURL();
             $url = explode("?", $fullURL)[0];
             $paramKeys = ["page", "pid", "prefix", "project_id"];
             $initialSeparator = "?";
             foreach ($paramKeys as $key) {
                 if (isset($_GET[$key])) {
-                    $url .= "$initialSeparator$key=".urlencode(urldecode(REDCapManagement::sanitize($_GET[$key])));
+                    $url .= "$initialSeparator$key=".urlencode(urldecode(Sanitizer::sanitize($_GET[$key])));
                     $initialSeparator = "&";
                 }
             }
@@ -736,20 +747,20 @@ public static function getMenuBackgrounds() {
 	public static function getBackgroundCSS() {
 		$currPage = urlencode(REDCapManagement::sanitize($_GET['page']));
 		$bgs = self::getMenuBackgrounds();
-		$r = self::getREDCapDir();
 
+        $page = (isset($_GET['page']) && !is_array($_GET['page'])) ? $_GET['page'] : "";
 		if (isset($_GET['headers']) && ($_GET['headers'] == "false")) {
 			return self::link("/css/white.css");
 		}
-		if ($_GET['page'] == "index") {
+		if ($page == "index") {
 			return self::link("/css/front.css");
 		}
 
 		$default = "";
-		if (preg_match("/search\//", $_GET['page'])) {
+		if (preg_match("/search\//", $page)) {
 			$default = self::link("/css/env.css");
 		}
-        if (preg_match("/reporting\//", $_GET['page'])) {
+        if (preg_match("/reporting\//", $page)) {
             $default = self::link("/css/general.css");
         }
 

FlightTrackerExternalModule.php

@@ -915,7 +915,7 @@ function hook_every_page_top($project_id) {
             $server = $this->getProjectSetting("server", $project_id);
             if ($tokenName && $token && $server) {
                 # turn off for surveys and login pages
-                $url = $_SERVER['PHP_SELF'];
+                $url = $_SERVER['PHP_SELF'] ?? "";
                 if (
                     !preg_match("/surveys/", $url)
                     && !isset($_GET['s'])
@@ -1034,13 +1034,14 @@ public function getBrandLogo() {
 	}
 
 	public function canRedirectToInstall() {
+        $page = (isset($_GET['page']) && !is_array($_GET['page'])) ? $_GET['page'] : "";
 		$bool = (
             !self::isAJAXPage()
             && !self::isAPITokenPage()
             && !self::isUserRightsPage()
             && !self::isExternalModulePage()
-            && (!isset($_GET['page']) || ($_GET['page'] != "install"))
-            && (!isset($_GET['page']) || (preg_match("/^projects/", $_GET['page'])))
+            && (!$page || ($_GET['page'] != "install"))
+            && (!$page || preg_match("/^projects/", $page))
         );
 		if ($_GET['pid']) {
 			# project context
@@ -1050,7 +1051,7 @@ public function canRedirectToInstall() {
 	}
 
 	private static function isAJAXPage() {
-		$page = $_SERVER['PHP_SELF'];
+		$page = $_SERVER['PHP_SELF'] ?? "";
 		if (preg_match("/ajax/", $page)) {
 			return TRUE;
 		}
@@ -1061,7 +1062,7 @@ private static function isAJAXPage() {
 	}
 
 	private static function isAPITokenPage() {
-		$page = $_SERVER['PHP_SELF'];
+		$page = $_SERVER['PHP_SELF'] ?? "";
 		$tokenPages = array("project_api_ajax.php", "project_api.php");
 		if (preg_match("/API/", $page)) {
 			foreach ($tokenPages as $tokenPage) {
@@ -1077,15 +1078,15 @@ private static function isAPITokenPage() {
 	}
 
 	private static function isUserRightsPage() {
-		$page = $_SERVER['PHP_SELF'];
+		$page = $_SERVER['PHP_SELF'] ?? "";
 		if (preg_match("/\/UserRights\//", $page)) {
 			return TRUE;
 		}
 		return FALSE;
 	}
 
 	private static function isExternalModulePage() {
-		$page = $_SERVER['PHP_SELF'];
+		$page = $_SERVER['PHP_SELF'] ?? "";
 		if (preg_match("/ExternalModules\/manager\/project.php/", $page)) {
 			return TRUE;
 		}

addMentor.php

@@ -6,6 +6,7 @@
 use \Vanderbilt\CareerDevLibrary\NameMatcher;
 use \Vanderbilt\CareerDevLibrary\Upload;
 use \Vanderbilt\CareerDevLibrary\REDCapManagement;
+use \Vanderbilt\CareerDevLibrary\Sanitizer;
 
 require_once(dirname(__FILE__)."/classes/Autoload.php");
 
@@ -22,13 +23,13 @@
         $html .= makeMainForm($token, $server);
     }
     echo $html;
-} else if ($_GET['upload'] && ($_GET['upload'] == "csv")) {
+} else if ($_GET['upload'] && ($_GET['upload'] == "csv") && isset($_FILES['csv_file'])) {
     require_once(dirname(__FILE__) . "/charts/baseWeb.php");
     $html = makeUploadTable($_FILES['csv_file']['tmp_name'], $token, $server);
     echo $html;
 } else if ($_POST['mentorName']) {
     require_once(dirname(__FILE__) . "/small_base.php");
-    $mentorName = REDCapManagement::sanitize($_POST['mentorName']);
+    $mentorName = Sanitizer::sanitize($_POST['mentorName'] ?? "");
     list($mentorFirst, $mentorLast) = NameMatcher::splitName($mentorName);
     $lookup = new REDCapLookup($mentorFirst, $mentorLast);
     $uids = $lookup->getUidsAndNames();

brag.php

@@ -81,7 +81,7 @@
         $noCitationsMessage = "The widget has not yet been configured.";
     }
 
-    $url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
+    $url = Application::link("this", $pid, TRUE);
     $url = preg_replace("/\&showHeaders[^\&]*/", "", $url);
     $url = preg_replace("/showHeaders[^\&]*\&/", "", $url);
     $url .= "&NOAUTH";

charts/makeGrantTable.php

@@ -56,7 +56,7 @@
 
 if (!empty($_POST['records']) && !empty($_POST['fields'])) {
     $fields = Sanitizer::sanitizeArray($_POST['fields']);
-    $requestedRecords = $_POST['records'];
+    $requestedRecords = is_array($_POST['records']) ? Sanitizer::sanitizeArray($_POST['records']) : [];
     $allRecords = Download::recordIds($token, $server);
     $records = [];
     foreach ($requestedRecords as $recordId) {

classes/Altmetric.php

@@ -22,11 +22,12 @@ private static function getData($doi, $pid) {
     }
 
     public static function makeClickText() {
+        $thisLink = Application::link("this");
         if (isset($_GET['altmetrics'])) {
-            $url = str_replace("&altmetrics", "", $_SERVER['REQUEST_URI']);
+            $url = str_replace("&altmetrics", "", $thisLink);
             $clickStatus = "off";
         } else {
-            $url = $_SERVER['REQUEST_URI']."&altmetrics";
+            $url = $thisLink."&altmetrics";
             $clickStatus = "on";
         }
         $title = 'Sourced from the Web, altmetrics can tell you a lot about how often journal articles and other scholarly outputs like datasets are discussed and used around the world.';

classes/Dashboard.php

@@ -141,7 +141,7 @@ private static function getPage() {
         if (isset($_GET['page'])) {
             return Sanitizer::sanitize($_GET['page']);
         } else {
-            return basename(Sanitizer::sanitize($_SERVER['SCRIPT_NAME']));
+            return basename(Sanitizer::sanitize($_SERVER['SCRIPT_NAME'] ?? ""));
         }
     }
 

classes/Download.php

@@ -385,23 +385,24 @@ public static function metadata($token, $server, $fields = array()) {
         }
 	    if (
             $pid
-	        && isset($_SESSION['metadata'.$pid])
-            && is_array($_SESSION['metadata'.$pid])
-            && !empty($_SESSION['metadata'.$pid])
             && isset($_SESSION['lastMetadata'.$pid])
             && empty($fields)
         ) {
-	        $ts = $_SESSION['lastMetadata'.$pid];
+            $metadataKey = 'metadata'.$pid;
+            $timestampKey = 'lastMetadata'.$pid;
+            $cachedMetadata = $_SESSION[$metadataKey] ?? [];
+	        $ts = $_SESSION[$timestampKey] ?? 0;
 	        $currTs = time();
 	        $fiveMinutes = 5 * 60;
 	        if (
 	            ($currTs - $ts >= $fiveMinutes)
                 && ($currTs > $ts)
+                && !empty($cachedMetadata)
             ) {
                 if (isset($_GET['test'])) {
                     Application::log("Download::metadata returning _SESSION", $pid);
                 }
-                return $_SESSION['metadata'.$pid];
+                return $cachedMetadata;
             }
         }
 		if (preg_match("/".SERVER_NAME."/", $server) && $pid) {

classes/EmailManager.php

@@ -196,7 +196,7 @@ private function enqueueRelevantEmails($to = "", $names = array(), $func = "send
 		    $currTimes = [$currTime];
         } else {
 		    $currTimes = [];
-		    $currTime = $_SERVER['REQUEST_TIME'];
+		    $currTime = $_SERVER['REQUEST_TIME'] ?? 0;
 		    $lastRunTs = Application::getSetting("emails_last_run", $this->pid);
 		    if ($lastRunTs) {
                 if ($currTime > $lastRunTs) {
@@ -291,7 +291,7 @@ private function enqueueRelevantEmails($to = "", $names = array(), $func = "send
             if (!empty($sentEmails)) {
                 foreach ($currTimes as $currTime) {
                     if (!Application::isLocalhost()) {
-                        Application::log("$logHeader: Sending emails for " . date($format, (int)$currTime) . "; process spawned at " . date($format, $_SERVER['REQUEST_TIME']), $this->pid);
+                        Application::log("$logHeader: Sending emails for " . date($format, (int)$currTime) . "; process spawned at " . date($format, $_SERVER['REQUEST_TIME'] ?? 0), $this->pid);
                     }
                 }
             }

classes/LDAP.php

@@ -531,19 +531,23 @@ public static function authenticate($vunetid, $password){
     # from ori1007lt:/app001/www/redcap/webtools2/ldap/ldap_config.php
     private static function getDSNs()
     {
-        $ldapuser = $_POST['username'];
-        $ldappass = $_POST['password'];
-        return [
-            [
-                'url'       => 'ldaps://ds.vanderbilt.edu',
-                'port'      => '636',
-                'version'   => '3',
-                'userattr' => 'cn',
-                'binddn'    => 'cn='.$ldapuser.',cn=users,dc=ds,dc=vanderbilt,dc=edu',
-                'basedn'    => 'dc=ds,dc=vanderbilt,dc=edu',
-                'bindpw'    => $ldappass,
-            ],
-        ];
+        $ldapuser = Sanitizer::sanitize($_POST['username'] ?? "");
+        $ldappass = Sanitizer::sanitize($_POST['password'] ?? "");
+        if ($ldappass && $ldapuser) {
+            return [
+                [
+                    'url'       => 'ldaps://ds.vanderbilt.edu',
+                    'port'      => '636',
+                    'version'   => '3',
+                    'userattr' => 'cn',
+                    'binddn'    => 'cn='.$ldapuser.',cn=users,dc=ds,dc=vanderbilt,dc=edu',
+                    'basedn'    => 'dc=ds,dc=vanderbilt,dc=edu',
+                    'bindpw'    => $ldappass,
+                ],
+            ];
+        } else {
+            return [];
+        }
     }
 
     const MAX_RETRIES = 5;

classes/PositionChange.php

@@ -14,7 +14,7 @@ public static function getSelectRecord($filterOutCopiedRecords = FALSE) {
             $records = Application::filterOutCopiedRecords($records);
         }
         $names = Download::names($token, $server);
-        $page = basename($_SERVER['PHP_SELF']);
+        $page = basename($_SERVER['PHP_SELF'] ?? "");
 
         $html = "Record: <select style='width: 100%;' id='refreshRecord' onchange='refreshForRecord(\"$page\");'><option value=''>---SELECT---</option>";
         foreach ($records as $record) {

classes/Publications.php

@@ -286,7 +286,7 @@ public static function getSelectRecord($filterOutCopiedRecords = FALSE) {
 			$records = Application::filterOutCopiedRecords($records);
 		}
 		$names = Download::names($token, $server);
-		$page = basename($_SERVER['PHP_SELF']);
+		$page = basename($_SERVER['PHP_SELF'] ?? "");
 
 		$html = "Record: <select style='width: 100%;' id='refreshRecord' onchange='refreshForRecord(\"$page\");'><option value=''>---SELECT---</option>";
 		foreach ($records as $record) {

classes/Sanitizer.php

@@ -93,6 +93,9 @@ private static function sanitizeRecursive($datum) {
      */
     public static function sanitizeDate($date) {
         $date = self::sanitize($date);
+        if (!$date) {
+            return "";
+        }
         if (DateManagement::isDate($date)) {
             return $date;
         } else {

cohorts/renameCohort.php

@@ -3,14 +3,15 @@
 use \Vanderbilt\FlightTrackerExternalModule\CareerDev;
 use \Vanderbilt\CareerDevLibrary\Download;
 use \Vanderbilt\CareerDevLibrary\Cohorts;
+use \Vanderbilt\CareerDevLibrary\Sanitizer;
 
 require_once(dirname(__FILE__)."/../small_base.php");
 require_once(dirname(__FILE__)."/../classes/Autoload.php");
 
 # no JS, no CSS
 
-$oldValue = $_POST['oldValue'];
-$newValue = $_POST['newValue'];
+$oldValue = Sanitizer::sanitize($_POST['oldValue'] ?? "");
+$newValue = Sanitizer::sanitize($_POST['newValue'] ?? "");
 
 if ($oldValue && $newValue) {
 	if (!preg_match("/['\"#]/", $newValue)) {