Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/comm/propal/card.php
This commit is contained in:
Laurent Destailleur
2022-06-29 16:46:27 +02:00
parent 09449ece26 cbaa8b4304
commit 046fa77a5a
3 changed files with 77 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
htdocs/compta/prelevement/class/bonprelevement.class.php
View File

@@ -1908,14 +1908,14 @@ class BonPrelevement extends CommonObject
$XML_CREDITOR .= ' <InstdAmt Ccy="EUR">'.round($row_somme, 2).'</InstdAmt>'.$CrLf; $XML_CREDITOR .= ' <InstdAmt Ccy="EUR">'.round($row_somme, 2).'</InstdAmt>'.$CrLf;
$XML_CREDITOR .= ' </Amt>'.$CrLf; $XML_CREDITOR .= ' </Amt>'.$CrLf;
/* /*
$XML_CREDITOR .= ' <DrctDbtTx>'.$CrLf; $XML_CREDITOR .= ' <DrctDbtTx>'.$CrLf;
$XML_CREDITOR .= ' <MndtRltdInf>'.$CrLf; $XML_CREDITOR .= ' <MndtRltdInf>'.$CrLf;
$XML_CREDITOR .= ' <MndtId>'.$Rum.'</MndtId>'.$CrLf; $XML_CREDITOR .= ' <MndtId>'.$Rum.'</MndtId>'.$CrLf;
$XML_CREDITOR .= ' <DtOfSgntr>'.$DtOfSgntr.'</DtOfSgntr>'.$CrLf; $XML_CREDITOR .= ' <DtOfSgntr>'.$DtOfSgntr.'</DtOfSgntr>'.$CrLf;
$XML_CREDITOR .= ' <AmdmntInd>false</AmdmntInd>'.$CrLf; $XML_CREDITOR .= ' <AmdmntInd>false</AmdmntInd>'.$CrLf;
$XML_CREDITOR .= ' </MndtRltdInf>'.$CrLf; $XML_CREDITOR .= ' </MndtRltdInf>'.$CrLf;
$XML_CREDITOR .= ' </DrctDbtTx>'.$CrLf; $XML_CREDITOR .= ' </DrctDbtTx>'.$CrLf;
*/ */
//$XML_CREDITOR .= ' <ChrgBr>SLEV</ChrgBr>'.$CrLf; //$XML_CREDITOR .= ' <ChrgBr>SLEV</ChrgBr>'.$CrLf;
$XML_CREDITOR .= ' <CdtrAgt>'.$CrLf; $XML_CREDITOR .= ' <CdtrAgt>'.$CrLf;
$XML_CREDITOR .= ' <FinInstnId>'.$CrLf; $XML_CREDITOR .= ' <FinInstnId>'.$CrLf;
@@ -2195,17 +2195,17 @@ class BonPrelevement extends CommonObject
$XML_SEPA_INFO .= ' </UltmtCdtr>'.$CrLf;*/ $XML_SEPA_INFO .= ' </UltmtCdtr>'.$CrLf;*/
$XML_SEPA_INFO .= ' <ChrgBr>SLEV</ChrgBr>'.$CrLf; // Field "Responsible of fees". Must be SLEV $XML_SEPA_INFO .= ' <ChrgBr>SLEV</ChrgBr>'.$CrLf; // Field "Responsible of fees". Must be SLEV
/*$XML_SEPA_INFO .= ' <CdtrSchmeId>'.$CrLf; /*$XML_SEPA_INFO .= ' <CdtrSchmeId>'.$CrLf;
$XML_SEPA_INFO .= ' <Id>'.$CrLf; $XML_SEPA_INFO .= ' <Id>'.$CrLf;
$XML_SEPA_INFO .= ' <PrvtId>'.$CrLf; $XML_SEPA_INFO .= ' <PrvtId>'.$CrLf;
$XML_SEPA_INFO .= ' <Othr>'.$CrLf; $XML_SEPA_INFO .= ' <Othr>'.$CrLf;
$XML_SEPA_INFO .= ' <Id>'.$this->emetteur_ics.'</Id>'.$CrLf; $XML_SEPA_INFO .= ' <Id>'.$this->emetteur_ics.'</Id>'.$CrLf;
$XML_SEPA_INFO .= ' <SchmeNm>'.$CrLf; $XML_SEPA_INFO .= ' <SchmeNm>'.$CrLf;
$XML_SEPA_INFO .= ' <Prtry>SEPA</Prtry>'.$CrLf; $XML_SEPA_INFO .= ' <Prtry>SEPA</Prtry>'.$CrLf;
$XML_SEPA_INFO .= ' </SchmeNm>'.$CrLf; $XML_SEPA_INFO .= ' </SchmeNm>'.$CrLf;
$XML_SEPA_INFO .= ' </Othr>'.$CrLf; $XML_SEPA_INFO .= ' </Othr>'.$CrLf;
$XML_SEPA_INFO .= ' </PrvtId>'.$CrLf; $XML_SEPA_INFO .= ' </PrvtId>'.$CrLf;
$XML_SEPA_INFO .= ' </Id>'.$CrLf; $XML_SEPA_INFO .= ' </Id>'.$CrLf;
$XML_SEPA_INFO .= ' </CdtrSchmeId>'.$CrLf;*/ $XML_SEPA_INFO .= ' </CdtrSchmeId>'.$CrLf;*/
} }
} else { } else {
fputs($this->file, 'INCORRECT EMETTEUR '.$XML_SEPA_INFO.$CrLf); fputs($this->file, 'INCORRECT EMETTEUR '.$XML_SEPA_INFO.$CrLf);
@@ -2343,59 +2343,59 @@ class BonPrelevement extends CommonObject
} }
/* /*
if ($mode == 'direct_debit') { if ($mode == 'direct_debit') {
$sql = "SELECT b.rowid, f.datedue as datefin"; $sql = "SELECT b.rowid, f.datedue as datefin";
$sql .= " FROM ".MAIN_DB_PREFIX."facture as f"; $sql .= " FROM ".MAIN_DB_PREFIX."facture as f";
$sql .= " WHERE f.entity IN (".getEntity('facture').")"; $sql .= " WHERE f.entity IN (".getEntity('facture').")";
$sql .= " AND f.total_ttc > 0"; $sql .= " AND f.total_ttc > 0";
} else { } else {
$sql = "SELECT b.rowid, f.datedue as datefin"; $sql = "SELECT b.rowid, f.datedue as datefin";
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
$sql .= " WHERE f.entity IN (".getEntity('facture_fourn').")"; $sql .= " WHERE f.entity IN (".getEntity('facture_fourn').")";
$sql .= " AND f.total_ttc > 0"; $sql .= " AND f.total_ttc > 0";
} }
$resql = $this->db->query($sql); $resql = $this->db->query($sql);
if ($resql) { if ($resql) {
$langs->load("banks"); $langs->load("banks");
$now = dol_now(); $now = dol_now();
$response = new WorkboardResponse(); $response = new WorkboardResponse();
if ($mode == 'direct_debit') { if ($mode == 'direct_debit') {
$response->warning_delay = $conf->prelevement->warning_delay / 60 / 60 / 24; $response->warning_delay = $conf->prelevement->warning_delay / 60 / 60 / 24;
$response->label = $langs->trans("PendingDirectDebitToComplete"); $response->label = $langs->trans("PendingDirectDebitToComplete");
$response->labelShort = $langs->trans("PendingDirectDebitToCompleteShort"); $response->labelShort = $langs->trans("PendingDirectDebitToCompleteShort");
$response->url = DOL_URL_ROOT.'/compta/prelevement/index.php?leftmenu=checks&mainmenu=bank'; $response->url = DOL_URL_ROOT.'/compta/prelevement/index.php?leftmenu=checks&mainmenu=bank';
} else { } else {
$response->warning_delay = $conf->paymentbybanktransfer->warning_delay / 60 / 60 / 24; $response->warning_delay = $conf->paymentbybanktransfer->warning_delay / 60 / 60 / 24;
$response->label = $langs->trans("PendingCreditTransferToComplete"); $response->label = $langs->trans("PendingCreditTransferToComplete");
$response->labelShort = $langs->trans("PendingCreditTransferToCompleteShort"); $response->labelShort = $langs->trans("PendingCreditTransferToCompleteShort");
$response->url = DOL_URL_ROOT.'/compta/paymentbybanktransfer/index.php?leftmenu=checks&mainmenu=bank'; $response->url = DOL_URL_ROOT.'/compta/paymentbybanktransfer/index.php?leftmenu=checks&mainmenu=bank';
} }
$response->img = img_object('', "payment"); $response->img = img_object('', "payment");
while ($obj = $this->db->fetch_object($resql)) { while ($obj = $this->db->fetch_object($resql)) {
$response->nbtodo++; $response->nbtodo++;
if ($this->db->jdate($obj->datefin) < ($now - $conf->withdraw->warning_delay)) { if ($this->db->jdate($obj->datefin) < ($now - $conf->withdraw->warning_delay)) {
$response->nbtodolate++; $response->nbtodolate++;
} }
} }
$response->nbtodo = 0; $response->nbtodo = 0;
$response->nbtodolate = 0; $response->nbtodolate = 0;
// Return workboard only if quantity is not 0 // Return workboard only if quantity is not 0
if ($response->nbtodo) { if ($response->nbtodo) {
return $response; return $response;
} else { } else {
return 0; return 0;
} }
} else { } else {
dol_print_error($this->db); dol_print_error($this->db);
$this->error = $this->db->error(); $this->error = $this->db->error();
return -1; return -1;
} }
*/ */
return 0; return 0;
} }
} }

2
htdocs/main.inc.php
View File

@@ -131,7 +131,7 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() or mysql_user() that return current database login $inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() or mysql_user() that return current database login
$inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database $inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
$inj += preg_match('/<svg/i', $val); // <svg can be allowed in POST $inj += preg_match('/<svg/i', $val); // <svg can be allowed in POST
$inj += preg_match('/update.+set.+=/i', $val); $inj += preg_match('/update[^&].*set.+=/i', $val); // the [^&] test is to avoir error when request is like action=update&...set...
$inj += preg_match('/union.+select/i', $val); $inj += preg_match('/union.+select/i', $val);
} }
if ($type == 3) { if ($type == 3) {

10
test/phpunit/SecurityTest.php
View File

@@ -217,9 +217,17 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=testSqlAndScriptInject($test, 1); $result=testSqlAndScriptInject($test, 1);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.'); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.');
$test = '... update ... set ... =';
$result=testSqlAndScriptInject($test, 1);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.');
$test = 'action=update& ... set ... =';
$result=testSqlAndScriptInject($test, 1);
$this->assertEquals(0, $result, 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.');
$test = '... union ... selection '; $test = '... union ... selection ';
$result=testSqlAndScriptInject($test, 1); $result=testSqlAndScriptInject($test, 1);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2. Should find an attack on GET param and did not.'); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2c. Should find an attack on GET param and did not.');
$test = 'j&#x61;vascript:'; $test = 'j&#x61;vascript:';
$result=testSqlAndScriptInject($test, 0); $result=testSqlAndScriptInject($test, 0);