Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop

Conflicts:
	htdocs/comm/propal/card.php

htdocs/compta/prelevement/class/bonprelevement.class.php

@@ -1908,14 +1908,14 @@ class BonPrelevement extends CommonObject
 			$XML_CREDITOR .= '					<InstdAmt Ccy="EUR">'.round($row_somme, 2).'</InstdAmt>'.$CrLf;
 			$XML_CREDITOR .= '				</Amt>'.$CrLf;
 			/*
-			$XML_CREDITOR .= '				<DrctDbtTx>'.$CrLf;
+			 $XML_CREDITOR .= '				<DrctDbtTx>'.$CrLf;
-			$XML_CREDITOR .= '					<MndtRltdInf>'.$CrLf;
+			 $XML_CREDITOR .= '					<MndtRltdInf>'.$CrLf;
-			$XML_CREDITOR .= '						<MndtId>'.$Rum.'</MndtId>'.$CrLf;
+			 $XML_CREDITOR .= '						<MndtId>'.$Rum.'</MndtId>'.$CrLf;
-			$XML_CREDITOR .= '						<DtOfSgntr>'.$DtOfSgntr.'</DtOfSgntr>'.$CrLf;
+			 $XML_CREDITOR .= '						<DtOfSgntr>'.$DtOfSgntr.'</DtOfSgntr>'.$CrLf;
-			$XML_CREDITOR .= '						<AmdmntInd>false</AmdmntInd>'.$CrLf;
+			 $XML_CREDITOR .= '						<AmdmntInd>false</AmdmntInd>'.$CrLf;
-			$XML_CREDITOR .= '					</MndtRltdInf>'.$CrLf;
+			 $XML_CREDITOR .= '					</MndtRltdInf>'.$CrLf;
-			$XML_CREDITOR .= '				</DrctDbtTx>'.$CrLf;
+			 $XML_CREDITOR .= '				</DrctDbtTx>'.$CrLf;
-			*/
+			 */
 			//$XML_CREDITOR .= '				<ChrgBr>SLEV</ChrgBr>'.$CrLf;
 			$XML_CREDITOR .= '				<CdtrAgt>'.$CrLf;
 			$XML_CREDITOR .= '					<FinInstnId>'.$CrLf;
@@ -2195,17 +2195,17 @@ class BonPrelevement extends CommonObject
 				 $XML_SEPA_INFO .= '			</UltmtCdtr>'.$CrLf;*/
 				$XML_SEPA_INFO .= '			<ChrgBr>SLEV</ChrgBr>'.$CrLf; // Field "Responsible of fees". Must be SLEV
 				/*$XML_SEPA_INFO .= '			<CdtrSchmeId>'.$CrLf;
-				$XML_SEPA_INFO .= '				<Id>'.$CrLf;
+				 $XML_SEPA_INFO .= '				<Id>'.$CrLf;
-				$XML_SEPA_INFO .= '					<PrvtId>'.$CrLf;
+				 $XML_SEPA_INFO .= '					<PrvtId>'.$CrLf;
-				$XML_SEPA_INFO .= '						<Othr>'.$CrLf;
+				 $XML_SEPA_INFO .= '						<Othr>'.$CrLf;
-				$XML_SEPA_INFO .= '							<Id>'.$this->emetteur_ics.'</Id>'.$CrLf;
+				 $XML_SEPA_INFO .= '							<Id>'.$this->emetteur_ics.'</Id>'.$CrLf;
-				$XML_SEPA_INFO .= '							<SchmeNm>'.$CrLf;
+				 $XML_SEPA_INFO .= '							<SchmeNm>'.$CrLf;
-				$XML_SEPA_INFO .= '								<Prtry>SEPA</Prtry>'.$CrLf;
+				 $XML_SEPA_INFO .= '								<Prtry>SEPA</Prtry>'.$CrLf;
-				$XML_SEPA_INFO .= '							</SchmeNm>'.$CrLf;
+				 $XML_SEPA_INFO .= '							</SchmeNm>'.$CrLf;
-				$XML_SEPA_INFO .= '						</Othr>'.$CrLf;
+				 $XML_SEPA_INFO .= '						</Othr>'.$CrLf;
-				$XML_SEPA_INFO .= '					</PrvtId>'.$CrLf;
+				 $XML_SEPA_INFO .= '					</PrvtId>'.$CrLf;
-				$XML_SEPA_INFO .= '				</Id>'.$CrLf;
+				 $XML_SEPA_INFO .= '				</Id>'.$CrLf;
-				$XML_SEPA_INFO .= '			</CdtrSchmeId>'.$CrLf;*/
+				 $XML_SEPA_INFO .= '			</CdtrSchmeId>'.$CrLf;*/
 			}
 		} else {
 			fputs($this->file, 'INCORRECT EMETTEUR '.$XML_SEPA_INFO.$CrLf);
@@ -2343,59 +2343,59 @@ class BonPrelevement extends CommonObject
 		}
 
 		/*
-		if ($mode == 'direct_debit') {
+		 if ($mode == 'direct_debit') {
-			$sql = "SELECT b.rowid, f.datedue as datefin";
+		 $sql = "SELECT b.rowid, f.datedue as datefin";
-			$sql .= " FROM ".MAIN_DB_PREFIX."facture as f";
+		 $sql .= " FROM ".MAIN_DB_PREFIX."facture as f";
-			$sql .= " WHERE f.entity IN (".getEntity('facture').")";
+		 $sql .= " WHERE f.entity IN (".getEntity('facture').")";
-			$sql .= " AND f.total_ttc > 0";
+		 $sql .= " AND f.total_ttc > 0";
-		} else {
+		 } else {
-			$sql = "SELECT b.rowid, f.datedue as datefin";
+		 $sql = "SELECT b.rowid, f.datedue as datefin";
-			$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
+		 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
-			$sql .= " WHERE f.entity IN (".getEntity('facture_fourn').")";
+		 $sql .= " WHERE f.entity IN (".getEntity('facture_fourn').")";
-			$sql .= " AND f.total_ttc > 0";
+		 $sql .= " AND f.total_ttc > 0";
-		}
+		 }
 
-		$resql = $this->db->query($sql);
+		 $resql = $this->db->query($sql);
-		if ($resql) {
+		 if ($resql) {
-			$langs->load("banks");
+		 $langs->load("banks");
-			$now = dol_now();
+		 $now = dol_now();
 
-			$response = new WorkboardResponse();
+		 $response = new WorkboardResponse();
-			if ($mode == 'direct_debit') {
+		 if ($mode == 'direct_debit') {
-				$response->warning_delay = $conf->prelevement->warning_delay / 60 / 60 / 24;
+		 $response->warning_delay = $conf->prelevement->warning_delay / 60 / 60 / 24;
-				$response->label = $langs->trans("PendingDirectDebitToComplete");
+		 $response->label = $langs->trans("PendingDirectDebitToComplete");
-				$response->labelShort = $langs->trans("PendingDirectDebitToCompleteShort");
+		 $response->labelShort = $langs->trans("PendingDirectDebitToCompleteShort");
-				$response->url = DOL_URL_ROOT.'/compta/prelevement/index.php?leftmenu=checks&mainmenu=bank';
+		 $response->url = DOL_URL_ROOT.'/compta/prelevement/index.php?leftmenu=checks&mainmenu=bank';
-			} else {
+		 } else {
-				$response->warning_delay = $conf->paymentbybanktransfer->warning_delay / 60 / 60 / 24;
+		 $response->warning_delay = $conf->paymentbybanktransfer->warning_delay / 60 / 60 / 24;
-				$response->label = $langs->trans("PendingCreditTransferToComplete");
+		 $response->label = $langs->trans("PendingCreditTransferToComplete");
-				$response->labelShort = $langs->trans("PendingCreditTransferToCompleteShort");
+		 $response->labelShort = $langs->trans("PendingCreditTransferToCompleteShort");
-				$response->url = DOL_URL_ROOT.'/compta/paymentbybanktransfer/index.php?leftmenu=checks&mainmenu=bank';
+		 $response->url = DOL_URL_ROOT.'/compta/paymentbybanktransfer/index.php?leftmenu=checks&mainmenu=bank';
-			}
+		 }
-			$response->img = img_object('', "payment");
+		 $response->img = img_object('', "payment");
 
-			while ($obj = $this->db->fetch_object($resql)) {
+		 while ($obj = $this->db->fetch_object($resql)) {
-				$response->nbtodo++;
+		 $response->nbtodo++;
 
-				if ($this->db->jdate($obj->datefin) < ($now - $conf->withdraw->warning_delay)) {
+		 if ($this->db->jdate($obj->datefin) < ($now - $conf->withdraw->warning_delay)) {
-					$response->nbtodolate++;
+		 $response->nbtodolate++;
-				}
+		 }
-			}
+		 }
 
-			$response->nbtodo = 0;
+		 $response->nbtodo = 0;
-			$response->nbtodolate = 0;
+		 $response->nbtodolate = 0;
-			// Return workboard only if quantity is not 0
+		 // Return workboard only if quantity is not 0
-			if ($response->nbtodo) {
+		 if ($response->nbtodo) {
-				return $response;
+		 return $response;
-			} else {
+		 } else {
-				return 0;
+		 return 0;
-			}
+		 }
-		} else {
+		 } else {
-			dol_print_error($this->db);
+		 dol_print_error($this->db);
-			$this->error = $this->db->error();
+		 $this->error = $this->db->error();
-			return -1;
+		 return -1;
-		}
+		 }
-		*/
+		 */
 		return 0;
 	}
 }

htdocs/main.inc.php

@@ -131,7 +131,7 @@ function testSqlAndScriptInject($val, $type)
 		$inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() or mysql_user() that return current database login
 		$inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
 		$inj += preg_match('/<svg/i', $val); // <svg can be allowed in POST
-		$inj += preg_match('/update.+set.+=/i', $val);
+		$inj += preg_match('/update[^&].*set.+=/i', $val);	// the [^&] test is to avoir error when request is like action=update&...set...
 		$inj += preg_match('/union.+select/i', $val);
 	}
 	if ($type == 3) {

test/phpunit/SecurityTest.php

@@ -217,9 +217,17 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$result=testSqlAndScriptInject($test, 1);
 		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.');
 
+		$test = '... update ... set ... =';
+		$result=testSqlAndScriptInject($test, 1);
+		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.');
+
+		$test = 'action=update& ... set ... =';
+		$result=testSqlAndScriptInject($test, 1);
+		$this->assertEquals(0, $result, 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.');
+
 		$test = '... union ... selection ';
 		$result=testSqlAndScriptInject($test, 1);
-		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2. Should find an attack on GET param and did not.');
+		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2c. Should find an attack on GET param and did not.');
 
 		$test = 'javascript:';
 		$result=testSqlAndScriptInject($test, 0);