okapi r686

This commit is contained in:
following
2013-04-09 02:32:22 +02:00
parent e6fe66d028
commit 6841be3d26
13 changed files with 60 additions and 56 deletions


@@ -778,7 +778,7 @@ class Okapi
{
public static $data_store;
public static $server;
public static $revision = 672; # This gets replaced in automatically deployed packages
public static $revision = 686; # This gets replaced in automatically deployed packages
private static $okapi_vars = null;
/** Get a variable stored in okapi_vars. If variable not found, return $default. */
@@ -1716,10 +1716,10 @@ class Cache
# just replace it with a big value.
$timeout = 100*365*86400;
}
$entries = array();
$entries_escaped = array();
foreach ($dict as $key => $value)
{
$entries[] = "(
$entries_escaped[] = "(
'".mysql_real_escape_string($key)."',
'".mysql_real_escape_string(gzdeflate(serialize($value)))."',
date_add(now(), interval '".mysql_real_escape_string($timeout)."' second)
@@ -1727,7 +1727,7 @@ class Cache
}
Db::execute("
replace into okapi_cache (`key`, value, expires)
values ".implode(", ", $entries)."
values ".implode(", ", $entries_escaped)."
");
}
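Review bot: The `replace into okapi_cache … values ".implode(", ", $entries_escaped)."` statement at the end of the Cache hunk has no guard for an empty `$dict`; when the loop collects nothing, `implode` yields an empty string and the statement is a syntax error at execution time. Unless an earlier part of the method (its start is outside the hunk) already returns on empty input, add `if (count($entries_escaped) == 0) return;` before `Db::execute`, mirroring the `count(...) > 0` guard ReplicateListener keeps on its `$alternatives_escaped` list. The revision bump in the first hunk needs nothing.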


@@ -308,7 +308,7 @@ class CacheCleanupCronJob extends Cron5Job
Db::execute("
update okapi_cache
set score = score * $multiplier
set score = score * '".mysql_real_escape_string($multiplier)."'
where score is not null
");
Db::execute("
@@ -333,7 +333,7 @@ class CacheCleanupCronJob extends Cron5Job
delete from okapi_cache
where
score is not null
and score < $limit
and score < '".mysql_real_escape_string($limit)."'
");
Db::query("optimize table okapi_cache");
@@ -385,18 +385,18 @@ class StatsWriterCronJob extends PrerequestCronJob
'".mysql_real_escape_string($row['user_id'])."',
'".mysql_real_escape_string($row['period_start'])."',
'".mysql_real_escape_string($row['service_name'])."',
".$row['calls'].",
".(($row['calltype'] == 'http') ? $row['calls'] : 0).",
".$row['runtime'].",
".(($row['calltype'] == 'http') ? $row['runtime'] : 0)."
'".mysql_real_escape_string($row['calls'])."',
'".mysql_real_escape_string(($row['calltype'] == 'http') ? $row['calls'] : 0)."',
'".mysql_real_escape_string($row['runtime'])."',
'".mysql_real_escape_string(($row['calltype'] == 'http') ? $row['runtime'] : 0)."'
)
on duplicate key update
".(($row['calltype'] == 'http') ? "
http_calls = http_calls + ".$row['calls'].",
http_runtime = http_runtime + ".$row['runtime'].",
http_calls = http_calls + '".mysql_real_escape_string($row['calls'])."',
http_runtime = http_runtime + '".mysql_real_escape_string($row['runtime'])."',
" : "")."
total_calls = total_calls + ".$row['calls'].",
total_runtime = total_runtime + ".$row['runtime']."
total_calls = total_calls + '".mysql_real_escape_string($row['calls'])."',
total_runtime = total_runtime + '".mysql_real_escape_string($row['runtime'])."'
");
}
Db::execute("delete from okapi_stats_temp;");
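Review bot: Escaping numeric values and quoting them, as the CacheCleanupCronJob hunks now do for `$multiplier` and `$limit` and the StatsWriterCronJob hunk does for `$row['calls']` and `$row['runtime']`, relies on MySQL's implicit string-to-number conversion inside `score * '…'`, `score < '…'` and `total_calls + '…'`. For values that are numbers by construction, an explicit PHP-side cast is both clearer and stricter, e.g. `set score = score * ".(float) $multiplier."` and `and score < ".(float) $limit."`, and the integer counters and runtimes in the stats statement can be interpolated as `(int)` casts the same way. I cannot see where `$multiplier` and `$limit` are computed (both enclosing methods start outside the hunks), so if they could ever be non-numeric the cast also neutralises that case rather than passing a quoted string through.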


@@ -2,11 +2,11 @@
<brief>ALPHA: Get the list of all cache attributes</brief>
<issue-id>194</issue-id>
<desc>
This method is in its ALPHA stage. It's signature will most probably
change, or it might be removed altogether. You should not use it!
This method is in its ALPHA stage. It's signature WILL change, or it
might be removed altogether. You should not use it!
</desc>
<common-format-params/>
<returns>
Not yet documented. You should not use this method.
Not yet documented. You should not use this method!
</returns>
</xml>


@@ -41,7 +41,7 @@
</opt>
<opt name='ns_ox' default='false'>
Boolean. If <b>true</b> then response will include Garmin's
<a href='http://www.opencaching.com/xmlschemas/opencaching/1/0/opencaching.xsd'>Opencaching.com
<a href='http://www.opencaching.com/xmlschemas/opencaching/1/0/opencaching.xsd'>OpenCaching.com
GPX extension</a>. This namespace declares an extra &lt;opencaching&gt; element
used by <a href='http://www.opencaching.com/'>Garmin's Opencaching.com</a>.
The element includes information on cache difficulty, ratings, tags and images.


@@ -192,12 +192,14 @@
</ul>
</li>
<li>
<p><b>preview_image</b> - This is either <b>null</b> or a dictionary describing
an image, which has been marked by the owner as <em>preview image</em>. You are
encouraged to display it as a 'teaser' for this cache.
The structure of the dictionary is the same as in the <b>images</b> field above.</p>
<p>The preview image is no additional image but one of those which
are included in the <b>images</b> list.</p>
<p><b>preview_image</b> - On some installations, owners may select one of the <b>images</b>
(see above) as a preview image. You are encouraged to display it as a 'teaser'
for this cache. On other installations this functionality is disabled and you
will always get the <b>null</b> value here.</p>
<p>The value of <b>preview_image</b> is either <b>null</b> or a dictionary describing
an image. The structure of this dictionary is the same as of a single entry on
the <b>images</b> list described above.</p>
</li>
<li>
<p><b>attrnames</b> - list of names of attributes of the cache; the language will


@@ -179,8 +179,8 @@ class WebService
# PL branch:
# - Caches have ratings.
# - Total numbers of found and notfounds are kept in the "caches" table.
# - search_time is round trip and way_length one way; both can be null;
# 0 or null = not specified
# - search_time is round trip and way_length one way or both ways (this is different on OCDE!);
# both can be null; 0 or null = not specified
$rs = Db::query("
select
@@ -188,7 +188,7 @@ class WebService
c.date_created, c.type, c.status, c.date_hidden, c.size, c.difficulty,
c.terrain, c.wp_oc, c.logpw, c.user_id,
if(c.search_time=0, null, c.search_time) as trip_time,
if(c.way_length=0, null, 2*c.way_length) as trip_distance,
if(c.way_length=0, null, c.way_length) as trip_distance,
c.topratings,
c.founds,
@@ -850,17 +850,13 @@ class WebService
# Country and/or state.
if (Settings::get('OC_BRANCH') == 'oc.de')
$cache_location_state = 'adm2';
else
$cache_location_state = 'adm3';
if (in_array('country', $fields) || in_array('state', $fields))
{
$rs = Db::query("
select
c.wp_oc as cache_code,
cl.adm1 as country,
cl.".$cache_location_state." as state
cl.".((Settings::get('OC_BRANCH') == 'oc.de') ? 'adm2' : 'adm3')." as state
from
caches c,
cache_location cl
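Review bot: The second hunk drops the `2*` from `trip_distance`, while the rewritten comment in the first hunk now says `way_length` is "one way or both ways" and that this differs on OCDE; taken together, the value returned in `trip_distance` appears to depend on the installation, and nothing in this commit records that for API consumers. If that is intended, a comment next to the select, such as `# trip_distance is way_length as stored by the installation; no one-way/round-trip normalisation is applied here`, and a matching sentence in the public field documentation would make it explicit. The inline `Settings::get('OC_BRANCH')` ternary in the third hunk replaces a named local and is easier to overlook inside the SQL string; keeping the local was clearer, though that is a point of style. All three hunks sit inside methods whose start is outside the hunk.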


@@ -174,17 +174,17 @@ class ReplicateListener
# Most of these tiles aren't cached at all. We need to update
# only the cached ones.
$alternatives = array();
$alternatives_escaped = array();
foreach ($tiles_to_update as $coords)
{
list($z, $x, $y) = $coords;
$alternatives[] = "(
$alternatives_escaped[] = "(
z = '".mysql_real_escape_string($z)."'
and x = '".mysql_real_escape_string($x)."'
and y = '".mysql_real_escape_string($y)."'
)";
}
if (count($alternatives) > 0)
if (count($alternatives_escaped) > 0)
{
Db::execute("
replace into okapi_tile_caches (
@@ -197,11 +197,11 @@ class ReplicateListener
'".mysql_real_escape_string($row[2])."',
'".mysql_real_escape_string($row[3])."',
'".mysql_real_escape_string($row[4])."',
".(($row[5] === null) ? "null" : $row[5]).",
".(($row[5] === null) ? "null" : "'".mysql_real_escape_string($row[5])."'").",
'".mysql_real_escape_string($row[6])."'
from okapi_tile_status
where
(".implode(" or ", $alternatives).")
(".implode(" or ", $alternatives_escaped).")
and status in (1,2)
");
@@ -212,7 +212,7 @@ class ReplicateListener
update okapi_tile_status
set status=2
where
(".implode(" or ", $alternatives).")
(".implode(" or ", $alternatives_escaped).")
and status=1
");
}
@@ -231,7 +231,7 @@ class ReplicateListener
set
status = '".mysql_real_escape_string($row[3])."',
type = '".mysql_real_escape_string($row[4])."',
rating = ".(($row[5] === null) ? "null" : $row[5]).",
rating = ".(($row[5] === null) ? "null" : "'".mysql_real_escape_string($row[5])."'").",
flags = '".mysql_real_escape_string($row[6])."'
where
cache_id = '".mysql_real_escape_string($row[0])."'
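Review bot: The expression `(($row[5] === null) ? "null" : "'".mysql_real_escape_string($row[5])."'")` now appears three times in this file (the `replace into okapi_tile_caches` select and both `rating` assignments) and once more in TileTree's insert; a one-line helper that returns either `null` or the quoted, escaped value would remove the repetition and keep the nullable-escaping rule in one place. The rename to `$alternatives_escaped` is fine; note that the `(".implode(" or ", $alternatives_escaped).")` clause would collapse to `()` on an empty list, so the `count(...) > 0` guard the hunk keeps is load-bearing and worth a short comment saying so. Each hunk sits inside a method that starts outside the hunk.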


@@ -83,27 +83,30 @@ class TileTree
$tile_upper_x = $x << 8;
$tile_leftmost_y = $y << 8;
$zoom_escaped = "'".mysql_real_escape_string($zoom)."'";
$tile_upper_x_escaped = "'".mysql_real_escape_string($tile_upper_x)."'";
$tile_leftmost_y_escaped = "'".mysql_real_escape_string($tile_leftmost_y)."'";
return Db::query("
select
otc.cache_id,
cast(otc.z21x >> (21 - $zoom) as signed) - $tile_upper_x as px,
cast(otc.z21y >> (21 - $zoom) as signed) - $tile_leftmost_y as py,
cast(otc.z21x >> (21 - $zoom_escaped) as signed) - $tile_upper_x_escaped as px,
cast(otc.z21y >> (21 - $zoom_escaped) as signed) - $tile_leftmost_y_escaped as py,
otc.status, otc.type, otc.rating, otc.flags, count(*)
from
okapi_tile_caches otc,
okapi_search_results osr
where
z = '".mysql_real_escape_string($zoom)."'
z = $zoom_escaped
and x = '".mysql_real_escape_string($x)."'
and y = '".mysql_real_escape_string($y)."'
and otc.cache_id = osr.cache_id
and osr.set_id = '".mysql_real_escape_string($set_id)."'
group by
z21x >> (3 + (21 - $zoom)),
z21y >> (3 + (21 - $zoom))
z21x >> (3 + (21 - $zoom_escaped)),
z21y >> (3 + (21 - $zoom_escaped))
order by
z21y >> (3 + (21 - $zoom)),
z21x >> (3 + (21 - $zoom))
z21y >> (3 + (21 - $zoom_escaped)),
z21x >> (3 + (21 - $zoom_escaped))
");
}
@@ -161,7 +164,7 @@ class TileTree
'".mysql_real_escape_string($row[2])."',
'".mysql_real_escape_string($row[3])."',
'".mysql_real_escape_string($row[4])."',
".(($row[5] === null) ? "null" : $row[5]).",
".(($row[5] === null) ? "null" : "'".mysql_real_escape_string($row[5])."'").",
'".mysql_real_escape_string($row[6])."'
);
");
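Review bot: Interpolating `$zoom_escaped` as a quoted string inside the shift expressions, `otc.z21x >> (21 - $zoom_escaped)` and the `group by`/`order by` clauses, makes MySQL convert the quoted value to a number in arithmetic context; it works, but the query now mixes quoted numerics into integer arithmetic for no gain, given that `$tile_upper_x = $x << 8` already treats `$x` as an integer. Casting once at the top, `$zoom = (int) $zoom;` (and likewise `$x` and `$y`), then interpolating the integers directly would be simpler and type-safe, and the `z = …` comparison can use the same cast. The method's start is outside the hunk, so I cannot see how `$zoom` arrives; if it is already validated as an integer there, the casts are still cheap documentation of that fact.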


@@ -80,6 +80,10 @@ class WebService
return Okapi::formatted_response($request, $result);
}
/**
* Important: YOU HAVE TO make sure $tables and $where_conds don't contain
* unescaped user-supplied data!
*/
public static function get_set($tables, $where_conds, $min_store, $ref_max_age)
{
# Compute the "params hash".
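Review bot: The new docblock on `get_set` says `$tables` and `$where_conds` must not contain unescaped user-supplied data but does not say what they are, so a caller reading only this comment cannot tell whether they are SQL fragments, lists of fragments, or bare names, nor which of them are interpolated verbatim. Adding one `@param` line per argument that describes the shape the body actually consumes (the body lies outside the hunk, so I cannot state it here) would turn the warning into a checkable contract. The same applies to the docblock added to `SearchAssistant::get_common_search_result` in the next file section, which lists the option keys but not which of them are spliced into SQL unchanged.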


@@ -570,6 +570,9 @@ class SearchAssistant
* the query,
* - order_by - list or SQL clauses to be used with ORDER BY,
* - limit - maximum number of cache codes to be returned.
*
* Important: YOU HAVE TO make sure that all options are properly sanitized
* for SQL queries! I.e. they cannot contain unescaped user-supplied data.
*/
public static function get_common_search_result($options)
{


@@ -165,10 +165,6 @@ class WebService
if ($comment_format == 'plaintext')
{
# If we would like to be compatible with old OCDE/OC.nl installation,
# "$comment_format == 'auto'" should go here, too. But we must choose
# to resemble either old OCDE or OCPL behaviour and opt for OCPL compatibility.
$formatted_comment = htmlspecialchars($comment, ENT_QUOTES);
$formatted_comment = nl2br($formatted_comment);
$value_for_text_html_field = 0;
@@ -177,9 +173,9 @@ class WebService
{
if ($comment_format == 'auto')
{
# This does not make sense on HTML comments, but it resembles the
# OCPL implementation and is needed for full compatibility with existing
# OKAPI clients.
# 'Auto' is for backward compatibility. Before the "comment_format"
# was introduced, OKAPI used a weird format in between (it allowed
# HTML, but applied nl2br too).
$formatted_comment = nl2br($comment);
}


@@ -18,7 +18,7 @@
</opt>
<opt name='comment_format' default='auto'>
<p>Indicates the format of your <b>comment</b>. Three values allowed:
<b>auto</b>, <b>html</b> or <b>plaintext</b>. Usually, you should not
<b>auto</b>, <b>html</b> or <b>plaintext</b>. Usually, you should <b>not</b>
use the <b>auto</b> option, because its exact behavior is unspecified
and may depend on the installation
(<a href='https://code.google.com/p/opencaching-api/issues/detail?id=124'>more info</a>).</p>


@@ -146,7 +146,7 @@ class View
where
sh.consumer_key = c.`key`
and sh.service_name in ('".implode("','", array_map('mysql_real_escape_string', $service_names))."')
".(($days != null) ? "and sh.period_start > date_add(now(), interval -".$days." day)" : "")."
".(($days != null) ? "and sh.period_start > date_add(now(), interval '".mysql_real_escape_string(-$days)."' day)" : "")."
");
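Review bot: The `$days != null` test on the changed line is a loose comparison that also treats `0`, `'0'` and `''` as "no limit"; if those are meant to disable the period filter that is fine, but `$days !== null` would state the intent precisely. Since `-$days` already forces numeric coercion before the value is escaped, an explicit `(int) $days` would make the expectation clearer than escaping a negated value, e.g. `"and sh.period_start > date_add(now(), interval -".(int) $days." day)"`. The enclosing method starts outside the hunk, so I cannot see where `$days` comes from.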
}