From 85ed828ba21c6181b2fdb3e0a2afb9489b5f8d83 Mon Sep 17 00:00:00 2001 From: Brady Miller Date: Wed, 28 Oct 2020 21:15:14 -0700 Subject: [PATCH] sql upgrade stuff (#3998) --- library/ajax/sql_server_status.php | 17 +++++++++-------- sql_upgrade.php | 11 ++++++++--- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/library/ajax/sql_server_status.php b/library/ajax/sql_server_status.php index c6d5c3a70..edec97d01 100644 --- a/library/ajax/sql_server_status.php +++ b/library/ajax/sql_server_status.php @@ -13,8 +13,7 @@ /* * I wrote this mainly to show server activity for transaction intensive upgrades * where the user can know we are still working though no activity from upgrade sequence. - * Not sure I can do csrf here! - * */ + */ $ignoreAuth = true; $GLOBALS['connection_pooling_off'] = true; // force off database connection pooling @@ -22,10 +21,9 @@ require_once(__DIR__ . '/../../interface/globals.php'); use OpenEMR\Common\Csrf\CsrfUtils; -if (!empty($_POST)) { - if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) { - CsrfUtils::csrfNotVerified(); - } +// this will ensure that the only script that can use this ajax call is the sql_upgrade.php script +if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'sqlupgrade')) { + CsrfUtils::csrfNotVerified(); } $trans_query = <<< strQuery @@ -41,9 +39,12 @@ if (isset($_POST['poll'])) { $stat_result = sqlStatementNoLog($trans_query, array($db_in_question)); $q_msg = ''; while ($stat_row = sqlFetchArray($stat_result)) { - $stat_row['INFO'] = preg_replace('![a-z]+!', '*', $stat_row['INFO']); + // Convert binary characters to a ? character + $stat_row['INFO'] = mb_convert_encoding($stat_row['INFO'], 'UTF-8', 'UTF-8'); + // Several preg replaces to ensure no data is passed + $stat_row['INFO'] = preg_replace(['!`.*?`!', '!\'.*?\'!', '!".*?"!', '![^A-Z]+!'], ['', '', '', ' * '], $stat_row['INFO']); $q_msg .= "
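Review bot: The now-unconditional check in the second hunk indexes `$_POST["csrf_token_form"]` directly, so a request that arrives without that field (the removed `!empty($_POST)` guard used to cover this) emits an undefined-index notice before `csrfNotVerified()` runs; pass `$_POST["csrf_token_form"] ?? ''` instead, assuming `verifyCsrfToken` treats an empty token as invalid. The comment above it also overstates what the check proves: a token valid for the `'sqlupgrade'` subject shows the caller holds a token minted for this session under that subject, not that the request originated from sql_upgrade.php, and since `$ignoreAuth = true` stays in place this token is the endpoint's only gate. Suggest `// Unauthenticated endpoint ($ignoreAuth): a CSRF token minted with the 'sqlupgrade' subject is the only thing gating this call`.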
  • "; - $q_msg .= $cur_date . " " . $_GET['poll'] . " " . $stat_row['INFO']; + $q_msg .= text($cur_date) . " " . text($_GET['poll']) . " " . text($stat_row['INFO']); $q_msg .= "
  • "; } diff --git a/sql_upgrade.php b/sql_upgrade.php index 55e756958..46b7089f4 100644 --- a/sql_upgrade.php +++ b/sql_upgrade.php @@ -106,7 +106,8 @@ header('Content-type: text/html; charset=utf-8'); let serverPaused = 0; // recursive long polling where ending is based // on global doPoll true or false. - async function serverStatus(version = '', start = 0) { + // added a forcePollOff parameter to avoid polling from staying on indefinitely when updating from patch.sql + async function serverStatus(version = '', start = 0, forcePollOff = 0) { let updateMsg = ""; let endMsg = "
  • " + + " " + currentVersion + "
  • "; @@ -119,7 +120,7 @@ header('Content-type: text/html; charset=utf-8'); // start polling let url = "library/ajax/sql_server_status.php?poll=" + encodeURIComponent(currentVersion); let data = new FormData; - data.append("csrf_token_form", ); + data.append("csrf_token_form", ); data.append("poll", currentVersion); let response = await fetch(url, { @@ -163,6 +164,9 @@ header('Content-type: text/html; charset=utf-8'); if (start === 1) { doPoll = 1; } + if (forcePollOff === 1) { + doPoll = 0; + } // display to screen div if (status > "") { progressStatus(status); @@ -307,6 +311,7 @@ function pausePoll(othis) { flush_echo(""); upgradeFromSqlFile($filename); // end polling + sleep(2); // fixes odd bug, where if the sql upgrade goes to fast, then the polling does not stop flush_echo(""); } @@ -317,7 +322,7 @@ function pausePoll(othis) { if ((!empty($v_realpatch)) && ($v_realpatch != "") && ($v_realpatch > 0)) { // This release contains a patch file, so process it. - echo ""; + echo ""; upgradeFromSqlFile('patch.sql'); } flush(); -- 2.11.4.GIT