authorSimon Rettberg2020-07-30 17:21:29 +0200
committerSimon Rettberg2020-07-31 12:05:13 +0200
commit4e31f99e098568c5d133125630533dad91d07348 (patch)
treed6302d3d526a79f64c0b081581679f928f55da54 /modules-available/serversetup-bwlp-ipxe
parent[exams] More sanity checks regarding date/time and locations (diff)
[serversetup-bwlp-ipxe/statistics] Sanitize strings from clients
Some strings from the clients might not be well suited for UTF-8 representation. Add wrapper functions that clean UTF-8 strings, or convert ANSI strings to UTF-8 while removing problematic chars.
Diffstat (limited to 'modules-available/serversetup-bwlp-ipxe')
-rw-r--r--modules-available/serversetup-bwlp-ipxe/api.inc.php2
-rw-r--r--modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderbase.inc.php3
-rw-r--r--modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php10
3 files changed, 8 insertions, 7 deletions
diff --git a/modules-available/serversetup-bwlp-ipxe/api.inc.php b/modules-available/serversetup-bwlp-ipxe/api.inc.php
index dd559efa..dcfa7774 100644
--- a/modules-available/serversetup-bwlp-ipxe/api.inc.php
+++ b/modules-available/serversetup-bwlp-ipxe/api.inc.php
@@ -7,7 +7,7 @@
} else {
$builder = new ScriptBuilderIpxe();
}
- $bootEntryId = Request::get('beid', false, 'string');
+ $bootEntryId = Util::cleanUtf8(Request::get('beid', false, 'string'));
$entryId = Request::get('entryid', false, 'int');
if ($bootEntryId !== false) {
$entry = BootEntry::fromDatabaseId($bootEntryId);
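Review bot: The `$bootEntryId !== false` test two lines below the changed line may no longer detect a missing `beid`, because the `false` default from `Request::get()` now passes through `Util::cleanUtf8()` before the comparison. `Util::cleanUtf8()` is not shown on this page; if it returns a string for a `false` argument, the branch is always taken and `BootEntry::fromDatabaseId()` is called with an empty id. Cleaning only when the parameter is present keeps the sentinel intact: `$bootEntryId = Request::get('beid', false, 'string');` followed by `if ($bootEntryId !== false) { $bootEntryId = Util::cleanUtf8($bootEntryId); }`. The enclosing block starts and ends outside the hunk.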
diff --git a/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderbase.inc.php b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderbase.inc.php
index b9867ed9..7bf9e2a3 100644
--- a/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderbase.inc.php
+++ b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderbase.inc.php
@@ -59,6 +59,9 @@ abstract class ScriptBuilderBase
}
$this->hasExtension = $slxExtensions ?? (bool)Request::any('slx-extensions', false, 'int');
$this->uuid = Request::any('uuid', false, 'string');
+ if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $this->uuid)) {
+ $this->uuid = false;
+ }
}
/**
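Review bot: The pattern on the added `preg_match` line has only four hex groups (8-4-4-12), while a canonical UUID has five (8-4-4-4-12), so every well-formed `uuid` is rejected and `$this->uuid` always ends up `false`. That silently disables every later use of the UUID, including the machine-table lookup in scriptbuilderipxe.inc.php. The trailing `$` also matches just before a final newline, so the `D` modifier (or `\z`) is needed for the check to be exact. Casting the subject avoids passing the `false` default to `preg_match`: `if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/iD', (string)$this->uuid)) {`. The constructor body starts outside the hunk.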
diff --git a/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php
index 1b33a1ac..a6376b0e 100644
--- a/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php
+++ b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php
@@ -126,10 +126,8 @@ HERE;
{
if ($this->hasExtension) {
$slxConsoleUpdate = '--update';
- $slxPasswordOnly = '--nouser';
} else {
$slxConsoleUpdate = '';
- $slxPasswordOnly = '';
}
$serverIp = $this->serverIp;
@@ -258,19 +256,18 @@ HERE;
if ($special === 'localboot') {
// Get preferred localboot method, depending on system model
// Check if required arguments are given; if not, spit out according script and chain to self
- $uuid = Request::any('uuid', false, 'string');
// Get platform - EFI or PCBIOS
$manuf = Request::any('manuf', false, 'string');
$product = Request::any('product', false, 'string');
- if ($uuid === false && $manuf === false && $product === false) {
+ if ($this->uuid === false && $manuf === false && $product === false) {
return $this->redirect('special', 'localboot');
}
$BOOT_METHODS = Localboot::BOOT_METHODS[$this->platform];
$localboot = false;
$model = false;
- if ($uuid !== false && Module::get('statistics') !== false) {
+ if ($this->uuid !== false && Module::get('statistics') !== false) {
// If we have the machine table, we rather try to look up the system model from there, using the UUID
- $row = Database::queryFirst('SELECT systemmodel FROM machine WHERE machineuuid = :uuid', ['uuid' => $uuid]);
+ $row = Database::queryFirst('SELECT systemmodel FROM machine WHERE machineuuid = :uuid', ['uuid' => $this->uuid]);
if ($row !== false && !empty($row['systemmodel'])) {
$model = $row['systemmodel'];
}
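Review bot: The `$this->uuid === false` test in the added condition now means "missing or rejected by the constructor's format check", not just "parameter absent" as the removed `$uuid` did. A client that sends a `uuid` the constructor rejects, and no `manuf` or `product`, is therefore sent through `$this->redirect('special', 'localboot')` where it previously continued. Whether that can repeat depends on what `redirect()` emits, which is not visible here. A short comment at the check would record the dependency: `// $this->uuid is validated in ScriptBuilderBase::__construct(); false when missing or malformed`. The surrounding method starts and ends outside the hunk.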
@@ -284,6 +281,7 @@ HERE;
if (!empty($manuf)) {
$model .= " ($manuf)";
}
+ $model = Util::ansiToUtf8($model);
}
}
// Query
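Review bot: The added `Util::ansiToUtf8($model)` call carries an undocumented encoding assumption: it treats the request-derived `product`/`manuf` string as single-byte ANSI. `Util::ansiToUtf8()` is not shown; if a client already sends valid UTF-8, the conversion could turn multi-byte characters into mojibake and the model would then not match stored values in the lookup that follows. A comment above the call would make the assumption explicit, for example `// product/manuf come straight from the client's SMBIOS strings; treated as ANSI, converted and stripped of problematic chars before lookup`. As far as the visible context shows, only this fallback branch is converted; the enclosing `if` blocks open outside the hunk.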