From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 interface/web/admin/software_update_list.php |   65 +++++++++++---------------------
 1 files changed, 23 insertions(+), 42 deletions(-)

diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php
index 9a1df8a..c987e9e 100644
--- a/interface/web/admin/software_update_list.php
+++ b/interface/web/admin/software_update_list.php
@@ -33,6 +33,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
@@ -71,23 +72,23 @@
 						$v3 = $app->functions->intval($version_array[2]);
 						$v4 = $app->functions->intval($version_array[3]);
 
-						$package_name = $app->db->quote($u['package_name']);
+						$package_name = $u['package_name'];
 						$software_repo_id = $app->functions->intval($repo['software_repo_id']);
-						$update_url = $app->db->quote($u['url']);
-						$update_md5 = $app->db->quote($u['md5']);
-						$update_dependencies = (isset($u['dependencies']))?$app->db->quote($u['dependencies']):'';
-						$update_title = $app->db->quote($u['title']);
-						$type = $app->db->quote($u['type']);
+						$update_url = $u['url'];
+						$update_md5 = $u['md5'];
+						$update_dependencies = (isset($u['dependencies']))?$u['dependencies']:'';
+						$update_title = $u['title'];
+						$type = $u['type'];
 
 						// Check that we do not have this update in the database yet
-						$sql = "SELECT * FROM software_update WHERE package_name = '$package_name' and v1 = '$v1' and v2 = '$v2' and v3 = '$v3' and v4 = '$v4'";
-						$tmp = $app->db->queryOneRecord($sql);
+						$sql = "SELECT * FROM software_update WHERE package_name = ? and v1 = ? and v2 = ? and v3 = ? and v4 = ?";
+						$tmp = $app->db->queryOneRecord($sql, $package_name, $v1, $v2, $v3, $v4);
 						if(!isset($tmp['software_update_id'])) {
 							// Insert the update in the datbase
 							$sql = "INSERT INTO software_update (software_repo_id, package_name, update_url, update_md5, update_dependencies, update_title, v1, v2, v3, v4, type)
-							VALUES ($software_repo_id, '$package_name', '$update_url', '$update_md5', '$update_dependencies', '$update_title', '$v1', '$v2', '$v3', '$v4', '$type')";
+							VALUES ($software_repo_id, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
 							//die($sql);
-							$app->db->query($sql);
+							$app->db->query($sql, $package_name, $update_url, $update_md5, $update_dependencies, $update_title, $v1, $v2, $v3, $v4, $type);
 						}
 
 					}
@@ -100,12 +101,16 @@
 
 //* Install packages, if GET Request
 if(isset($_GET['action']) && $_GET['action'] == 'install' && $_GET['package'] != '' && $_GET['server_id'] > 0) {
-	$package_name = $app->db->quote($_GET['package']);
+	$package_name = $_GET['package'];
 	$server_id = $app->functions->intval($_GET['server_id']);
 	$software_update_id = $app->functions->intval($_GET['id']);
 
-	$insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$server_id', '$software_update_id','installing')";
-	// $insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$server_id', '$software_update_id','installed')";
+	$insert_data = array(
+		"package_name" => $package_name,
+		"server_id" => $server_id,
+		"software_update_id" => $software_update_id,
+		"status" => 'installing'
+	);
 	$app->db->datalogInsert('software_update_inst', $insert_data, 'software_update_inst_id');
 
 }
@@ -161,12 +166,12 @@
 	foreach($installed_packages as $ip) {
 
 		// Get version number of the latest installed version
-		$sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$server_id." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
-		$lu = $app->db->queryOneRecord($sql);
+		$sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ? ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
+		$lu = $app->db->queryOneRecord($sql, $server_id);
 
 		// Get all installable updates
-		$sql = "SELECT * FROM software_update WHERE v1 >= $lu[v1] AND v2 >= $lu[v2] AND v3 >= $lu[v3] AND v4 >= $lu[v4] AND package_name = '$ip[package_name]' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
-		$updates = $app->db->queryAllRecords($sql);
+		$sql = "SELECT * FROM software_update WHERE v1 >= ? AND v2 >= ? AND v3 >= ? AND v4 >= ? AND package_name = ? ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
+		$updates = $app->db->queryAllRecords($sql, $lu['v1'], $lu['v2'], $lu['v3'], $lu['v4'], $ip['package_name']);
 		//die($sql);
 
 		if(is_array($updates)) {
@@ -175,37 +180,13 @@
 
 			foreach($updates as $key => $u) {
 				$version = $u['v1'].'.'.$u['v2'].'.'.$u['v3'].'.'.$u['v4'];
-				$installed_txt = "<a href=\"#\" onclick=\"loadContent('admin/software_update_list.php?action=install&package=".$u["package_name"]."&id=".$u["software_update_id"]."&server_id=".$server_id."');\">Install Update</a><br />";
+				$installed_txt = "<a href=\"#\" data-load-content=\"admin/software_update_list.php?action=install&package=".$u["package_name"]."&id=".$u["software_update_id"]."&server_id=".$server_id."\">Install Update</a><br />";
 				$records_out[] = array('version' => $version, 'update_title' => $u["update_title"], 'installed' => $installed_txt);
 
 			}
 		}
 	}
 }
-
-/*
-$updates = $app->db->queryAllRecords('SELECT software_update.update_title, software_update.software_update_id, software_update.package_name, v1, v2, v3, v4, software_update_inst.status
-		FROM software_update LEFT JOIN software_update_inst ON ( software_update.software_update_id = software_update_inst.software_update_id )
-		WHERE server_id = '.$server_id.'
-		GROUP BY software_update.package_name
-		ORDER BY software_update.package_name ASC, v1 DESC , v2 DESC , v3 DESC , v4 DESC');
-
-if(is_array($updates)) {
-	foreach($updates as $key => $u) {
-		$installed_txt = '';
-
-		$version = $u['v1'].'.'.$u['v2'].'.'.$u['v3'].'.'.$u['v4'];
-		$updates[$key]['version'] = $version;
-		if($u['status'] == 'installed' || $u['status'] == 'installing' || $u['status'] == 'deleting') {
-			$installed_txt .= "Installed version $version<br />";
-		} else {
-			$installed_txt .= "<a href=\"#\" onclick=\"loadContent('admin/software_update_list.php?action=install&package=".$u["package_name"]."&id=".$u["software_update_id"]."&server_id=".$server_id."');\">Install now</a><br />";
-		}
-		$updates[$key]['installed'] = $installed_txt;
-
-	}
-}
-*/
 
 
 

--
Gitblit v1.9.1