From 793468498223420aec78ae6c3fe7ab34615665f6 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Thu, 9 May 2024 16:03:46 +0200
Subject: [PATCH] use Request-wrapper-class for every access to $_GET superglobal
Signed-off-by: Michael Kaufmann
---
 admin_customers.php | 2 +-
 admin_index.php | 4 ++--
 admin_message.php | 2 +-
 admin_settings.php | 10 +++++-----
 admin_templates.php | 2 +-
 customer_index.php | 2 +-
 dns_editor.php | 2 +-
 index.php | 8 ++++----
 lib/Froxlor/UI/HTML.php | 24 +++++++++++++++---------
 9 files changed, 31 insertions(+), 25 deletions(-)
diff --git a/admin_customers.php b/admin_customers.php
index 2b348d9e..785145f9 100644
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -98,7 +98,7 @@ if (($page == 'customers' || $page == 'overview') && $userinfo['customers'] != '
 $log->logAction(FroxlorLogger::ADM_ACTION, LOG_INFO, "switched user and is now '" . $destination_user . "'");
- $target = (isset($_GET['target']) ? $_GET['target'] : 'index');
+ $target = Request::get('target', 'index');
 $redirect = "customer_" . $target . ".php";
 if (!file_exists(Froxlor::getInstallDir() . "/" . $redirect)) {
 $redirect = "customer_index.php";
diff --git a/admin_index.php b/admin_index.php
index 8a3b4262..4a2d3d4f 100644
--- a/admin_index.php
+++ b/admin_index.php
@@ -55,7 +55,7 @@ if ($action == 'logout') {
 $result = $result['switched_user'];
 session_regenerate_id(true);
 CurrentUser::setData($result);
- $target = (isset($_GET['target']) ? $_GET['target'] : 'index');
+ $target = Request::get('target', 'index');
 $redirect = "admin_" . $target . ".php";
 if (!file_exists(\Froxlor\Froxlor::getInstallDir() . "/" . $redirect)) {
 $redirect = "admin_index.php";
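Review bot: `$target` in the admin_customers.php hunk is taken straight from `Request::get('target', 'index')` and concatenated into the `"customer_" . $target . ".php"` path on the next line with no cast or name check; the HTML.php hunk in this same patch treats an array result from `Request::get` as possible, and an array here would only be caught by the `file_exists` fallback after an "Array to string conversion" warning. A string cast plus a whitelist keeps the fallback honest: `$target = (string)Request::get('target', 'index'); if (!preg_match('/^[a-z0-9_]+$/', $target)) { $target = 'index'; }`. The same pattern appears in the admin_index.php and customer_index.php hunks; what `$redirect` is passed to afterwards is outside the hunk, and so is the start of the enclosing if-block.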
@@ -111,7 +111,7 @@ if ($page == 'overview') {
 $overview['number_domains'] = $number_domains['number_domains'];
- if ((isset($_GET['lookfornewversion']) && $_GET['lookfornewversion'] == 'yes') || (isset($lookfornewversion) && $lookfornewversion == 'yes')) {
+ if (Request::get('lookfornewversion') == 'yes' || (isset($lookfornewversion) && $lookfornewversion == 'yes')) {
 try {
 $json_result = Froxlor::getLocal($userinfo)->checkUpdate();
 } catch (Exception $e) {
diff --git a/admin_message.php b/admin_message.php
index c5d9913b..44823455 100644
--- a/admin_message.php
+++ b/admin_message.php
@@ -107,7 +107,7 @@ if ($page == 'message') {
 }
 }
 } elseif ($action == 'showsuccess') {
- $sentitems = isset($_GET['sentitems']) ? (int)$_GET['sentitems'] : 0;
+ $sentitems = Request::get('sentitems', 0);
 if ($sentitems == 0) {
 $note_type = 'info';
diff --git a/admin_settings.php b/admin_settings.php
index 057ff9d9..f0c359b3 100644
--- a/admin_settings.php
+++ b/admin_settings.php
@@ -48,7 +48,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 Settings::loadSettingsInto($settings_data);
 if (Request::post('send') == 'send') {
- $_part = isset($_GET['part']) ? $_GET['part'] : '';
+ $_part = Request::get('part', '');
 if ($_part == '') {
 $_part = Request::post('part', '');
 }
@@ -97,7 +97,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 Response::dynamicError($e->getMessage(), $e->getCode());
 }
 } else {
- $_part = isset($_GET['part']) ? $_GET['part'] : '';
+ $_part = Request::get('part', '');
 if ($_part == '') {
 $_part = Request::post('part', '');
 }
@@ -235,7 +235,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 $integrity = new IntegrityCheck();
 if (Request::post('send') == 'send') {
 $integrity->fixAll();
- } elseif (isset($_GET['action']) && $_GET['action'] == "fix") {
+ } elseif (Request::get('action') == "fix") {
 HTML::askYesNo('admin_integritycheck_reallyfix', $filename, [
 'page' => $page
 ]);
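Review bot: The `(int)` cast was dropped from `$sentitems` in the admin_message.php hunk, so a non-numeric `?sentitems=abc` no longer collapses to 0; under PHP 8 comparison rules `'abc' == 0` is false, the `$note_type = 'info'` branch is skipped, and a raw string flows into whatever uses `$sentitems` further down. The sibling hunks in dns_editor.php and index.php keep the cast (`(int)Request::get('id', 0)`), so for consistency write `$sentitems = (int)Request::get('sentitems', 0);`. The enclosing elseif branch continues outside the hunk.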
@@ -273,7 +273,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 Response::standardError('jsonextensionnotfound');
 }
- if (isset($_GET['action']) && $_GET['action'] == "export") {
+ if (Request::get('action') == "export") {
 // export
 try {
 $json_result = Froxlor::getLocal($userinfo)->exportSettings();
@@ -285,7 +285,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 header('Content-type: application/json');
 echo $json_export;
 exit();
- } elseif (isset($_GET['action']) && $_GET['action'] == "import") {
+ } elseif (Request::get('action') == "import") {
 // import
 if (Request::post('send') == 'send') {
 // get uploaded file
diff --git a/admin_templates.php b/admin_templates.php
index 1f535c3f..07def60c 100644
--- a/admin_templates.php
+++ b/admin_templates.php
@@ -371,7 +371,7 @@ if ($action == '') {
 Response::redirectTo($filename, [
 'page' => $page
 ]);
- } elseif (!isset($_GET['files'])) {
+ } elseif (empty(Request::get('files'))) {
 // email templates
 $add = false;
 $language_options = [];
diff --git a/customer_index.php b/customer_index.php
index 1e369090..f052cef6 100644
--- a/customer_index.php
+++ b/customer_index.php
@@ -56,7 +56,7 @@ if ($action == 'logout') {
 $result = $result['switched_user'];
 session_regenerate_id(true);
 CurrentUser::setData($result);
- $target = (isset($_GET['target']) ? $_GET['target'] : 'index');
+ $target = Request::get('target', 'index');
 $redirect = "admin_" . $target . ".php";
 if (!file_exists(Froxlor::getInstallDir() . "/" . $redirect)) {
 $redirect = "admin_index.php";
diff --git a/dns_editor.php b/dns_editor.php
index 6d3d9c52..03aaf6a5 100644
--- a/dns_editor.php
+++ b/dns_editor.php
@@ -72,7 +72,7 @@ if ($action == 'add_record' && !empty($_POST)) {
 $errors = str_replace("\n", "
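Review bot: In the admin_templates.php hunk, `!isset($_GET['files'])` tested key presence, whereas `empty(Request::get('files'))` is also true for `''` and `'0'`, so a request with `?files=` or `?files=0` now takes the email-templates branch instead of whatever follows the elseif; the hunk does not show whether that is intended. If presence was the contract, `} elseif (Request::get('files') === null) {` preserves it, assuming the wrapper returns null for an absent key as the `Request::get('target', 'index')` default usage elsewhere in this patch suggests. The surrounding if/elseif chain starts and ends outside the hunk.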
", $e->getMessage()); } } elseif ($action == 'delete') { - $entry_id = isset($_GET['id']) ? (int)$_GET['id'] : 0; + $entry_id = (int)Request::get('id', 0); HTML::askYesNo('dnsentry_reallydelete', $filename, [ 'id' => $entry_id, 'domain_id' => $domain_id, diff --git a/index.php b/index.php index 34599367..d36b5ac6 100644 --- a/index.php +++ b/index.php @@ -54,7 +54,7 @@ if ($action == '2fa_entercode') { Response::redirectTo('index.php'); exit(); } - $smessage = isset($_GET['showmessage']) ? (int)$_GET['showmessage'] : 0; + $smessage = (int)Request::get('showmessage', 0); $message = ""; if ($smessage > 0) { $message = lng('error.2fa_wrongcode'); @@ -412,7 +412,7 @@ if ($action == '2fa_entercode') { } exit(); } else { - $smessage = isset($_GET['showmessage']) ? (int)$_GET['showmessage'] : 0; + $smessage = (int)Request::get('showmessage', 0); $message = ''; $successmessage = ''; @@ -683,9 +683,9 @@ if ($action == 'resetpwd') { "oldest" => time() - 86400 ]); - if (isset($_GET['resetcode']) && strlen($_GET['resetcode']) == 50) { + $activationcode = Request::get('resetcode'); + if (!empty($activationcode) && strlen($activationcode) == 50) { // Check if activation code is valid - $activationcode = $_GET['resetcode']; $timestamp = substr($activationcode, 15, 10); $third = substr($activationcode, 25, 15); $check = substr($activationcode, 40, 10); diff --git a/lib/Froxlor/UI/HTML.php b/lib/Froxlor/UI/HTML.php index 181399b1..d0e878f9 100644 --- a/lib/Froxlor/UI/HTML.php +++ b/lib/Froxlor/UI/HTML.php @@ -33,10 +33,9 @@ class HTML /** * Build Navigation Sidebar * - * @param - * array navigation data - * @param - * array userinfo the userinfo of the user + * @param array $navigation data + * @param array $userinfo the userinfo of the user + * * @return array the content of the navigation bar according to user-permissions */ public static function buildNavigation(array $navigation, array $userinfo) 
@@ -44,12 +43,19 @@ class HTML
 $returnvalue = [];
 // sanitize user-given input (url-manipulation)
- if (isset($_GET['page']) && is_array($_GET['page'])) {
- $_GET['page'] = (string)$_GET['page'][0];
+ $req_page = Request::get('page');
+ if (!empty($req_page) && is_array($req_page)) {
+ $req_page = (string)array_shift($req_page);
 }
- if (isset($_GET['action']) && is_array($_GET['action'])) {
- $_GET['action'] = (string)$_GET['action'][0];
+ // need to preserve this
+ $_GET['page'] = $req_page;
+
+ $req_action = Request::get('action');
+ if (!empty($req_action) && is_array($req_action)) {
+ $req_action = (string)array_shift($req_action);
 }
+ // need to preserve this
+ $_GET['action'] = $req_action;
 foreach ($navigation as $box) {
 if ((!isset($box['show_element']) || $box['show_element'] === true) && (!isset($box['required_resources']) || $box['required_resources'] == '' || (isset($userinfo[$box['required_resources']]) && ((int)$userinfo[$box['required_resources']] > 0 || $userinfo[$box['required_resources']] == '-1')))) {
@@ -69,7 +75,7 @@ class HTML
 }
 if (
- ((empty($_GET['page']) && substr_count($element['url'], "page=") == 0) || (isset($_GET['page']) && substr_count($element['url'], "page=" . $_GET['page']) > 0))
+ ((empty($req_page) && substr_count($element['url'], "page=") == 0) || (!empty($req_page) && substr_count($element['url'], "page=" . $req_page) > 0))
 && substr_count($element['url'], basename($_SERVER["SCRIPT_FILENAME"])) > 0
 ) {
 $active = true;
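Review bot: `buildNavigation` now writes `$_GET['page']` and `$_GET['action']` back unconditionally, so an absent parameter leaves a `null` entry in the superglobal, and if `Request::get` ever returns an empty array it is stored as an array because the `!empty()` guard skips the string cast; the old code only touched `$_GET` when it had to flatten an array. The `// need to preserve this` comment does not say which consumer depends on the write-back; name it, and only write back what was normalised: `if ($req_page !== null) { $_GET['page'] = $req_page; }`, likewise for `$req_action`. Dropping `!empty()` from the array check, `if (is_array($req_page)) { $req_page = (string)array_shift($req_page); }`, also covers the empty-array case since `array_shift([])` returns null, which casts to `''`. The method continues outside the hunk; the second hunk in this file consumes `$req_page` in the active-element test.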