From d9a8afeb574597e7c8fd69147c6dcc0eb6feebf2 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Fri, 13 Sep 2013 20:18:06 +0400
Subject: [PATCH] Fix regular expressions for integer IDs
---
 src/messenger/webim/b.php | 2 +-
 src/messenger/webim/client.php | 6 +++---
 src/messenger/webim/leavemessage.php | 2 +-
 src/messenger/webim/libs/getcode.php | 2 +-
 src/messenger/webim/mail.php | 4 ++--
 src/messenger/webim/operator/agent.php | 4 ++--
 src/messenger/webim/operator/avatar.php | 2 +-
 src/messenger/webim/operator/ban.php | 6 +++---
 src/messenger/webim/operator/canned.php | 2 +-
 src/messenger/webim/operator/cannededit.php | 4 ++--
 src/messenger/webim/operator/group.php | 4 ++--
 src/messenger/webim/operator/groupmembers.php | 2 +-
 src/messenger/webim/operator/notification.php | 2 +-
 src/messenger/webim/operator/operator.php | 4 ++--
 src/messenger/webim/operator/opgroups.php | 2 +-
 src/messenger/webim/operator/permissions.php | 2 +-
 src/messenger/webim/operator/redirect.php | 8 ++++----
 src/messenger/webim/operator/resetpwd.php | 2 +-
 src/messenger/webim/operator/threadprocessor.php | 2 +-
 src/messenger/webim/operator/update.php | 2 +-
 src/messenger/webim/thread.php | 10 +++++-----
 21 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/messenger/webim/b.php b/src/messenger/webim/b.php
index cfb18322..bbee8c83 100644
--- a/src/messenger/webim/b.php
+++ b/src/messenger/webim/b.php
@@ -37,7 +37,7 @@ if(!$lang || !locale_pattern_check($lang) || !locale_exists($lang)) { $lang = $current_locale; }
-$groupid = verifyparam( "group", "/^\d{1,8}$/", "");
+$groupid = verifyparam( "group", "/^\d{1,10}$/", "");
 if($groupid) { loadsettings(); if($settings['enablegroups'] == '1') {
diff --git a/src/messenger/webim/client.php b/src/messenger/webim/client.php
index 84f56e06..e55c50bf 100644
--- a/src/messenger/webim/client.php
+++ b/src/messenger/webim/client.php
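Review bot: The widened pattern on the `+$groupid` line still ends in a bare `$`, which in PCRE also matches just before a trailing newline unless the `D` modifier (or `\z`) is used, so a value such as `"12\n"` passes `verifyparam` and reaches `if($groupid)` here and `group_by_id($groupid)` in client.php with the newline attached; `"/^\d{1,10}$/D"` closes that gap. The same form is repeated in every other hunk of this patch (client.php, leavemessage.php, getcode.php, mail.php, agent.php, avatar.php, ban.php, canned.php, cannededit.php, group.php, groupmembers.php, notification.php, operator.php, opgroups.php, permissions.php, redirect.php, resetpwd.php, threadprocessor.php, update.php and thread.php), so whatever is done here should be done in all of them. Ten digits also admit values above 2^31-1, which `intval()` saturates to PHP_INT_MAX on 32-bit builds (ban.php builds its query from `intval($banId)`) and which a signed INT column cannot hold, so lookups like `thread_by_id($threadid)` may resolve a different id than the one sent; pinning the width to the column's actual range, or rejecting the value after the match when it exceeds 2147483647, keeps the check honest. Since this is the 21st copy of one literal, a single shared helper (constructed name, e.g. `verifyparam_id($name, $default)`) wrapping the pattern would turn the next width change into a one-line edit.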
@@ -47,7 +47,7 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) { $groupid = ""; $groupname = ""; if($settings['enablegroups'] == '1') {
- $groupid = verifyparam( "group", "/^\d{1,8}$/", "");
+ $groupid = verifyparam( "group", "/^\d{1,10}$/", "");
 if($groupid) { $group = group_by_id($groupid); if(!$group) {
@@ -155,8 +155,8 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) { exit; }
-$token = verifyparam( "token", "/^\d{1,8}$/");
-$threadid = verifyparam( "thread", "/^\d{1,8}$/");
+$token = verifyparam( "token", "/^\d{1,10}$/");
+$threadid = verifyparam( "thread", "/^\d{1,10}$/");
 $level = verifyparam( "level", "/^(ajaxed|simple|old)$/"); $thread = thread_by_id($threadid);
diff --git a/src/messenger/webim/leavemessage.php b/src/messenger/webim/leavemessage.php
index 58c4dd5d..379172da 100644
--- a/src/messenger/webim/leavemessage.php
+++ b/src/messenger/webim/leavemessage.php
@@ -50,7 +50,7 @@ $groupname = ""; $group = NULL; loadsettings(); if($settings['enablegroups'] == '1') {
- $groupid = verifyparam( "group", "/^\d{1,8}$/", "");
+ $groupid = verifyparam( "group", "/^\d{1,10}$/", "");
 if($groupid) { $group = group_by_id($groupid); if(!$group) {
diff --git a/src/messenger/webim/libs/getcode.php b/src/messenger/webim/libs/getcode.php
index 0d72fca8..28830785 100644
--- a/src/messenger/webim/libs/getcode.php
+++ b/src/messenger/webim/libs/getcode.php
@@ -61,7 +61,7 @@ function verifyparam_groupid($paramid) global $settings, $errors; $groupid = ""; if ($settings['enablegroups'] == '1') {
- $groupid = verifyparam($paramid, "/^\d{0,8}$/", "");
+ $groupid = verifyparam($paramid, "/^\d{0,10}$/", "");
 if ($groupid) { $group = group_by_id($groupid); if (!$group) {
diff --git a/src/messenger/webim/mail.php b/src/messenger/webim/mail.php
index 54df50bb..5a1d5e2d 100644
--- a/src/messenger/webim/mail.php
+++ b/src/messenger/webim/mail.php
@@ -23,8 +23,8 @@ require_once('libs/notify.php'); $errors = array(); $page = array();
-$token = verifyparam( "token", "/^\d{1,8}$/");
-$threadid = verifyparam( "thread", "/^\d{1,8}$/");
+$token = verifyparam( "token", "/^\d{1,10}$/");
+$threadid = verifyparam( "thread", "/^\d{1,10}$/");
 $thread = thread_by_id($threadid); if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] ) {
diff --git a/src/messenger/webim/operator/agent.php b/src/messenger/webim/operator/agent.php
index 4b8a11b0..ef0df6c4 100644
--- a/src/messenger/webim/operator/agent.php
+++ b/src/messenger/webim/operator/agent.php
@@ -37,7 +37,7 @@ if ($settings['enablessl'] == "1" && $settings['forcessl'] == "1") { } }
-$threadid = verifyparam("thread", "/^\d{1,8}$/");
+$threadid = verifyparam("thread", "/^\d{1,10}$/");
 if (!isset($_GET['token'])) {
@@ -87,7 +87,7 @@ if (!isset($_GET['token'])) { exit; }
-$token = verifyparam("token", "/^\d{1,8}$/");
+$token = verifyparam("token", "/^\d{1,10}$/");
 $thread = thread_by_id($threadid); if (!$thread || !isset($thread['ltoken']) || $token != $thread['ltoken']) {
diff --git a/src/messenger/webim/operator/avatar.php b/src/messenger/webim/operator/avatar.php
index 2fb1c3af..1d100e7e 100644
--- a/src/messenger/webim/operator/avatar.php
+++ b/src/messenger/webim/operator/avatar.php
@@ -22,7 +22,7 @@ require_once('../libs/operator_settings.php'); $operator = check_login(); csrfchecktoken();
-$opId = verifyparam("op", "/^\d{1,9}$/");
+$opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'avatar' => ''); $errors = array();
diff --git a/src/messenger/webim/operator/ban.php b/src/messenger/webim/operator/ban.php
index 68c2efef..c5a6ce7b 100644
--- a/src/messenger/webim/operator/ban.php
+++ b/src/messenger/webim/operator/ban.php
@@ -30,7 +30,7 @@ $page['threadid'] = ''; $errors = array(); if (isset($_POST['address'])) {
- $banId = verifyparam("banId", "/^(\d{1,9})?$/", "");
+ $banId = verifyparam("banId", "/^(\d{1,10})?$/", "");
 $address = getparam("address"); $days = getparam("days"); $comment = getparam('comment');
@@ -93,7 +93,7 @@ if (isset($_POST['address'])) { $page['threadid'] = $threadid; } } else if (isset($_GET['id'])) {
- $banId = verifyparam('id', "/^\d{1,9}$/");
+ $banId = verifyparam('id', "/^\d{1,10}$/");
 $link = connect(); $ban = select_one_row("select banid,(unix_timestamp(dtmtill)-unix_timestamp(CURRENT_TIMESTAMP)) as days,address,comment from ${mysqlprefix}chatban where banid = " . intval($banId), $link); mysql_close($link);
@@ -107,7 +107,7 @@ if (isset($_POST['address'])) { $errors[] = "Wrong id"; } } else if (isset($_GET['thread'])) {
- $threadid = verifyparam('thread', "/^\d{1,9}$/");
+ $threadid = verifyparam('thread', "/^\d{1,10}$/");
 $thread = thread_by_id($threadid); if ($thread) { $page['thread'] = topage($thread['userName']);
diff --git a/src/messenger/webim/operator/canned.php b/src/messenger/webim/operator/canned.php
index 71fead03..7cecd191 100644
--- a/src/messenger/webim/operator/canned.php
+++ b/src/messenger/webim/operator/canned.php
@@ -78,7 +78,7 @@ if (!$lang || !in_array($lang, $all_locales)) { $groupid = ""; if ($settings['enablegroups'] == '1') {
- $groupid = verifyparam("group", "/^\d{0,8}$/", "");
+ $groupid = verifyparam("group", "/^\d{0,10}$/", "");
 if ($groupid) { $group = group_by_id($groupid); if (!$group) {
diff --git a/src/messenger/webim/operator/cannededit.php b/src/messenger/webim/operator/cannededit.php
index 697eb3f4..88f27b97 100644
--- a/src/messenger/webim/operator/cannededit.php
+++ b/src/messenger/webim/operator/cannededit.php
@@ -51,7 +51,7 @@ $operator = check_login(); csrfchecktoken(); loadsettings();
-$stringid = verifyparam("key", "/^\d{0,9}$/", "");
+$stringid = verifyparam("key", "/^\d{0,10}$/", "");
 $errors = array(); $page = array();
@@ -67,7 +67,7 @@ if ($stringid) { $page['locale'] = verifyparam("lang", "/^[\w-]{2,5}$/", ""); $page['groupid'] = ""; if ($settings['enablegroups'] == '1') {
- $page['groupid'] = verifyparam("group", "/^\d{0,8}$/");
+ $page['groupid'] = verifyparam("group", "/^\d{0,10}$/");
 } }
diff --git a/src/messenger/webim/operator/group.php b/src/messenger/webim/operator/group.php
index 691d2158..b1c97a20 100644
--- a/src/messenger/webim/operator/group.php
+++ b/src/messenger/webim/operator/group.php
@@ -74,7 +74,7 @@ function update_group($groupid, $name, $descr, $commonname, $commondescr, $email if (isset($_POST['name'])) {
- $groupid = verifyparam("gid", "/^(\d{1,9})?$/", "");
+ $groupid = verifyparam("gid", "/^(\d{1,10})?$/", "");
 $name = getparam('name'); $description = getparam('description'); $commonname = getparam('commonname');
@@ -112,7 +112,7 @@ if (isset($_POST['name'])) { } } else if (isset($_GET['gid'])) {
- $groupid = verifyparam('gid', "/^\d{1,9}$/");
+ $groupid = verifyparam('gid', "/^\d{1,10}$/");
 $group = group_by_id($groupid); if (!$group) {
diff --git a/src/messenger/webim/operator/groupmembers.php b/src/messenger/webim/operator/groupmembers.php
index a86097c2..ff9034c5 100644
--- a/src/messenger/webim/operator/groupmembers.php
+++ b/src/messenger/webim/operator/groupmembers.php
@@ -54,7 +54,7 @@ function get_operators() return $result; }
-$groupid = verifyparam("gid", "/^\d{1,9}$/");
+$groupid = verifyparam("gid", "/^\d{1,10}$/");
 $page = array('groupid' => $groupid); $page['operators'] = get_operators(); $errors = array();
diff --git a/src/messenger/webim/operator/notification.php b/src/messenger/webim/operator/notification.php
index da7588a2..6cb9c7f4 100644
--- a/src/messenger/webim/operator/notification.php
+++ b/src/messenger/webim/operator/notification.php
@@ -37,7 +37,7 @@ function notification_info($id) }
-$notificationid = verifyparam("id", "/^(\d{1,9})$/");
+$notificationid = verifyparam("id", "/^(\d{1,10})$/");
 $page['notification'] = notification_info($notificationid); prepare_menu($operator, false);
diff --git a/src/messenger/webim/operator/operator.php b/src/messenger/webim/operator/operator.php
index 82ed0154..3be44b55 100644
--- a/src/messenger/webim/operator/operator.php
+++ b/src/messenger/webim/operator/operator.php
@@ -28,7 +28,7 @@ $opId = ''; loadsettings(); if (isset($_POST['login']) && isset($_POST['password'])) {
- $opId = verifyparam("opid", "/^(\d{1,9})?$/", "");
+ $opId = verifyparam("opid", "/^(\d{1,10})?$/", "");
 $login = getparam('login'); $email = getparam('email'); $jabber = getparam('jabber');
@@ -111,7 +111,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) { } } else if (isset($_GET['op'])) {
- $opId = verifyparam('op', "/^\d{1,9}$/");
+ $opId = verifyparam('op', "/^\d{1,10}$/");
 $op = operator_by_id($opId); if (!$op) {
diff --git a/src/messenger/webim/operator/opgroups.php b/src/messenger/webim/operator/opgroups.php
index 842ce0b4..47dde302 100644
--- a/src/messenger/webim/operator/opgroups.php
+++ b/src/messenger/webim/operator/opgroups.php
@@ -34,7 +34,7 @@ function update_operator_groups($operatorid, $newvalue) }
-$opId = verifyparam("op", "/^\d{1,9}$/");
+$opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId); $link = connect(); $page['groups'] = get_all_groups($link);
diff --git a/src/messenger/webim/operator/permissions.php b/src/messenger/webim/operator/permissions.php
index 39577c47..9aeb1874 100644
--- a/src/messenger/webim/operator/permissions.php
+++ b/src/messenger/webim/operator/permissions.php
@@ -31,7 +31,7 @@ function update_operator_permissions($operatorid, $newvalue) mysql_close($link); }
-$opId = verifyparam("op", "/^\d{1,9}$/");
+$opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'canmodify' => is_capable($can_administrate, $operator) ? "1" : ""); $errors = array();
diff --git a/src/messenger/webim/operator/redirect.php b/src/messenger/webim/operator/redirect.php
index 4df09a07..f9d54a04 100644
--- a/src/messenger/webim/operator/redirect.php
+++ b/src/messenger/webim/operator/redirect.php
@@ -23,8 +23,8 @@ require_once('../libs/groups.php'); $operator = check_login();
-$threadid = verifyparam("thread", "/^\d{1,8}$/");
-$token = verifyparam("token", "/^\d{1,8}$/");
+$threadid = verifyparam("thread", "/^\d{1,10}$/");
+$token = verifyparam("token", "/^\d{1,10}$/");
 $thread = thread_by_id($threadid); if (!$thread || !isset($thread['ltoken']) || $token != $thread['ltoken']) {
@@ -35,7 +35,7 @@ $page = array(); $errors = array(); if (isset($_GET['nextGroup'])) {
- $nextid = verifyparam("nextGroup", "/^\d{1,8}$/");
+ $nextid = verifyparam("nextGroup", "/^\d{1,10}$/");
 $nextGroup = group_by_id($nextid); if ($nextGroup) {
@@ -56,7 +56,7 @@ if (isset($_GET['nextGroup'])) { } } else {
- $nextid = verifyparam("nextAgent", "/^\d{1,8}$/");
+ $nextid = verifyparam("nextAgent", "/^\d{1,10}$/");
 $nextOperator = operator_by_id($nextid); if ($nextOperator) {
diff --git a/src/messenger/webim/operator/resetpwd.php b/src/messenger/webim/operator/resetpwd.php
index 9232639a..908c39fc 100644
--- a/src/messenger/webim/operator/resetpwd.php
+++ b/src/messenger/webim/operator/resetpwd.php
@@ -22,7 +22,7 @@ require_once('../libs/settings.php'); $errors = array(); $page = array('version' => $version, 'showform' => true);
-$opId = verifyparam("id", "/^\d{1,9}$/");
+$opId = verifyparam("id", "/^\d{1,10}$/");
 $token = verifyparam("token", "/^[\dabcdef]+$/"); $operator = operator_by_id($opId);
diff --git a/src/messenger/webim/operator/threadprocessor.php b/src/messenger/webim/operator/threadprocessor.php
index b512d2fc..26c65419 100644
--- a/src/messenger/webim/operator/threadprocessor.php
+++ b/src/messenger/webim/operator/threadprocessor.php
@@ -42,7 +42,7 @@ function thread_info($id) if (isset($_GET['threadid'])) {
- $threadid = verifyparam("threadid", "/^(\d{1,9})?$/", "");
+ $threadid = verifyparam("threadid", "/^(\d{1,10})?$/", "");
 $lastid = -1; $page['threadMessages'] = get_messages($threadid, "html", false, $lastid); $page['thread'] = thread_info($threadid);
diff --git a/src/messenger/webim/operator/update.php b/src/messenger/webim/operator/update.php
index 9e6bfaf9..2375fc8e 100644
--- a/src/messenger/webim/operator/update.php
+++ b/src/messenger/webim/operator/update.php
@@ -167,7 +167,7 @@ function print_operators() echo ""; }
-$since = verifyparam("since", "/^\d{1,9}$/", 0);
+$since = verifyparam("since", "/^\d{1,10}$/", 0);
 $status = verifyparam("status", "/^\d{1,2}$/", 0); $showonline = verifyparam("showonline", "/^1$/", 0);
diff --git a/src/messenger/webim/thread.php b/src/messenger/webim/thread.php
index 01f1f23d..59ae910b 100644
--- a/src/messenger/webim/thread.php
+++ b/src/messenger/webim/thread.php
@@ -20,15 +20,15 @@ require_once('libs/chat.php'); require_once('libs/operator.php'); $act = verifyparam( "act", "/^(refresh|post|rename|close|ping)$/");
-$token = verifyparam( "token", "/^\d{1,9}$/");
-$threadid = verifyparam( "thread", "/^\d{1,9}$/");
+$token = verifyparam( "token", "/^\d{1,10}$/");
+$threadid = verifyparam( "thread", "/^\d{1,10}$/");
 $isuser = verifyparam( "user", "/^true$/", "false") == 'true'; $outformat = ((verifyparam( "html", "/^on$/", "off") == 'on') ? "html" : "xml"); $istyping = verifyparam( "typed", "/^1$/", "") == '1'; if($threadid == 0 && ($token == 123 || $token == 124)) { require_once('libs/demothread.php');
- $lastid = verifyparam( "lastid", "/^\d{1,9}$/", 0);
+ $lastid = verifyparam( "lastid", "/^\d{1,10}$/", 0);
 demo_process_thread($act,$outformat,$lastid,$isuser,$token == 123,$istyping,$act=="post"?getrawparam('message') : ""); exit; }
@@ -58,12 +58,12 @@ if( !$isuser && $act != "rename" ) { } if( $act == "refresh" ) {
- $lastid = verifyparam( "lastid", "/^\d{1,9}$/", -1);
+ $lastid = verifyparam( "lastid", "/^\d{1,10}$/", -1);
 print_thread_messages($thread, $token, $lastid, $isuser,$outformat, $isuser ? null : $operator['operatorid']); exit; } else if( $act == "post" ) {
- $lastid = verifyparam( "lastid", "/^\d{1,9}$/", -1);
+ $lastid = verifyparam( "lastid", "/^\d{1,10}$/", -1);
 $message = getrawparam('message'); $kind = $isuser ? $kind_user : $kind_agent;