diff --git a/htdocs/admin/emailcollector_card.php b/htdocs/admin/emailcollector_card.php index a97407c9af6..fdc44b83b7a 100644 --- a/htdocs/admin/emailcollector_card.php +++ b/htdocs/admin/emailcollector_card.php @@ -390,12 +390,10 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea $targetdir = ($object->target_directory ? $object->target_directory : ''); // Can be '[Gmail]/Trash' or 'mytag' $connection = null; - $connectstringserver = ''; + $connectstringserver = $object->getConnectStringIMAP(); // Note: $object->host has been loaded by the fetch $connectstringsource = ''; $connectstringtarget = ''; - // Note: $object->host has been loaded by the fetch - $connectstringserver = $object->getConnectStringIMAP(); if ($action == 'scan') { if (getDolGlobalString('MAIN_IMAP_USE_PHPIMAP')) { @@ -603,6 +601,16 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print '
'; print ''."\n"; + // Clean info (in view mode only) + if ($object->acces_type == 0) { + // If authent is using LOGIN and not OAUTHTOKEN, we don't need to show the OAUTH token + unset($object->fields['oauth_service']); + } + if ($object->acces_type == 1) { + // If authent is using OAUTHTOKEN, we don't need to show the password + unset($object->fields['password']); + } + // Common attributes //$keyforbreak='fieldkeytoswithonsecondcolumn'; include DOL_DOCUMENT_ROOT.'/core/tpl/commonfields_view.tpl.php'; @@ -760,7 +768,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea // Add operation print ''; print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 5ed7df94c92..57b09750eb8 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1185,8 +1185,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options $oldstringtoclean = $out; // Remove html tags $out = dol_string_nohtmltag($out, 0); - // Convert '\' used for windows path into '/' so we can use for path but not for octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} - $out = str_ireplace('\\', '/', $out); + // Refuse octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} by replacing the \ into / (so if it is a \ for a windows path, it is still ok). + $out = preg_replace('/\\\([0-9xu])/', '/\1', $out); // Remove also other dangerous string sequences // '../' or '..\' is dangerous because it allows dir transversals // '&', '&', '&'... is a the char '&' alone but there is no reason to accept such way to encode input char 
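Review bot: The two `acces_type` checks use loose `==` against 0 and 1; if `acces_type` comes back from the database as a string or null, `null == 0` is true on PHP 8 while `'' == 0` is false, so an unset value silently takes the LOGIN branch. Prefer `(int) $object->acces_type === 0` / `=== 1`, or an `if`/`elseif` so the two cases are visibly exclusive. Also, `unset($object->fields[...])` mutates the object's field definitions for the rest of the request, so any code after the include that still reads `fields['password']` or `fields['oauth_service']` (not visible here) would find it missing; a comment such as `// Mutates $object->fields for the remainder of the request; view mode only` would make that explicit. Whether the password value is masked in the LOGIN case depends on how the field is declared in `$object->fields`, which is outside this hunk.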
@@ -1205,8 +1205,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options $oldstringtoclean = $out; // Decode html entities $out = dol_html_entity_decode($out, ENT_COMPAT | ENT_HTML5, 'UTF-8'); - // Convert '\' used for windows path into '/' so we can use for path but not for octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} - $out = str_ireplace('\\', '/', $out); + // Refuse octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} by replacing the \ into / (so if it is a \ for a windows path, it is still ok). + $out = preg_replace('/\\\([0-9xu])/', '/\1', $out); // Remove also other dangerous string sequences // '../' or '..\' is dangerous because it allows dir transversals // '&', '&', '&'... is a the char '&' alone but there is no reason to accept such way to encode input char @@ -14340,6 +14340,7 @@ function show_actions_messaging($conf, $langs, $db, $filterobj, $objcon = null, */ function GETPOSTDATE($prefix, $hourTime = '', $gm = 'auto') { + $m = array(); if ($hourTime === 'getpost') { $hour = GETPOSTINT($prefix . 'hour'); $minute = GETPOSTINT($prefix . 'minute'); 
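Review bot: The pattern `'/\\\([0-9xu])/'` only works because single-quote escaping turns `\\` into `\` and leaves `\(` untouched, yielding `\\(`; writing it as `'/\\\\([0-9xu])/'` produces the same regex and is much harder to misread, and the same pattern plus comment is duplicated in the `-1185` hunk above, so hoisting it into one shared constant (or a tiny helper) keeps the two `sanitizeVal` branches from drifting. Because a backslash not followed by a digit, `x` or `u` now survives (the `param2` test change confirms `qq-rr\cc` is kept where it used to become `qq-rr/cc`), callers that assumed an `alpha`-checked value can never contain a backslash should be audited and the behaviour change recorded. `preg_replace()` returns `null` on a PCRE error, which would turn `$out` into null rather than a string; a `preg_last_error()` check that rejects the value (empty string) is safer than letting null propagate. `sanitizeVal` continues outside the hunk.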
@@ -14363,11 +14364,11 @@ function GETPOSTDATE($prefix, $hourTime = '', $gm = 'auto') * optionally hour, minute, second) fields to return a a portion of URL reproducing the values from the current HTTP * request. * - * @param string $prefix Prefix used to build the date selector (for instance using Form::selectDate) - * @param ?int $timestamp If null, the timestamp will be created from request data - * @param string $hourTime If timestamp is null, will be passed to GETPOSTDATE to construct the timestamp - * @param string $gm If timestamp is null, will be passed to GETPOSTDATE to construct the timestamp - * @return string Portion of URL with query parameters for the specified date + * @param string $prefix Prefix used to build the date selector (for instance using Form::selectDate) + * @param ?int $timestamp If null, the timestamp will be created from request data + * @param string $hourTime If timestamp is null, will be passed to GETPOSTDATE to construct the timestamp + * @param string $gm If timestamp is null, will be passed to GETPOSTDATE to construct the timestamp + * @return string Portion of URL with query parameters for the specified date */ function buildParamDate($prefix, $timestamp = null, $hourTime = '', $gm = 'auto') { diff --git a/htdocs/emailcollector/class/emailcollector.class.php b/htdocs/emailcollector/class/emailcollector.class.php index 8c71088f1a1..892e249f6d8 100644 --- a/htdocs/emailcollector/class/emailcollector.class.php +++ b/htdocs/emailcollector/class/emailcollector.class.php @@ -3470,7 +3470,11 @@ class EmailCollector extends CommonObject $this->datelastresult = $now; $this->lastresult = $output; - $this->debuginfo .= 'IMAP search string used : '.$search; + if (getDolGlobalString('MAIN_IMAP_USE_PHPIMAP')) { + $this->debuginfo .= 'IMAP search array used : '.$search; + } else { + $this->debuginfo .= 'IMAP search string used : '.$search; + } if ($searchhead) { $this->debuginfo .= '
Then search string into email header : '.dol_escape_htmltag($searchhead); } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 5036f535367..648e5631fe6 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -309,6 +309,7 @@ class SecurityTest extends CommonClassTest $_GET["param3"] = '"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n $_GET["param4a"] = '../../dir'; $_GET["param4b"] = '..\..\dirwindows'; + $_GET["param4c"] = '\a123 \123 \u123 \x123'; $_GET["param5"] = "a_1-b"; $_POST["param6"] = "">assertEquals($result, 'a/b#e(pr)qq-rr/cc', 'Test on param2'); + $this->assertEquals('a/b#e(pr)qq-rr\cc', $result, 'Test on param2'); $result = GETPOST("param3", 'alpha'); // Must return string sanitized from char " print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 'na/b#e(pr)qq-rr/cc', 'Test on param3'); + $this->assertEquals('na/b#e(pr)qq-rr\cc', $result, 'Test on param3'); $result = GETPOST("param4a", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 'dir'); + $this->assertEquals('dir', $result); $result = GETPOST("param4b", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, 'dirwindows'); + $this->assertEquals('dirwindows', $result); + + $result = GETPOST("param4c", 'alpha'); // Must return string sanitized from ../ + print __METHOD__." result=".$result."\n"; + $this->assertEquals('\a123 /123 /u123 /x123', $result); // Test with aZ09 
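Review bot: In the new `MAIN_IMAP_USE_PHPIMAP` branch `$search` is concatenated directly although the message calls it an array; if it really is an array there, PHP emits an "Array to string conversion" warning and the debug info just reads `Array`. Something like `'IMAP search array used : '.json_encode($search)` would record the actual criteria. In the same block `$searchhead` is passed through `dol_escape_htmltag()` but `$search` is not; if `debuginfo` is rendered as HTML, the search string (built from collector configuration) should get the same escaping. The enclosing method continues outside the hunk.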
@@ -1185,35 +1190,6 @@ class SecurityTest extends CommonClassTest } - /** - * testCheckLoginPassEntity - * - * @return void - */ - public function testCheckLoginPassEntity() - { - $login = checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr')); - print __METHOD__." login=".$login."\n"; - $this->assertEquals($login, ''); - - $login = checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr')); - print __METHOD__." login=".$login."\n"; - $this->assertEquals($login, ''); - - $login = checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists - print __METHOD__." login=".$login."\n"; - $this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed'); - - $login = checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method - print __METHOD__." login=".$login."\n"; - $this->assertEquals($login, 'admin'); - - $login = checkLoginPassEntity('admin', 'admin', 1, array('forceuser')); - print __METHOD__." login=".$login."\n"; - $this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists - } - - /** * testRealCharforNumericEntities() * 
@@ -1278,4 +1254,33 @@ class SecurityTest extends CommonClassTest return 0; } + + + /** + * testCheckLoginPassEntity + * + * @return void + */ + public function testCheckLoginPassEntity() + { + $login = checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr')); + print __METHOD__." login=".$login."\n"; + $this->assertEquals($login, ''); + + $login = checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr')); + print __METHOD__." login=".$login."\n"; + $this->assertEquals($login, ''); + + $login = checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists + print __METHOD__." login=".$login."\n"; + $this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed'); + + $login = checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method + print __METHOD__." login=".$login."\n"; + $this->assertEquals($login, 'admin'); + + $login = checkLoginPassEntity('admin', 'admin', 1, array('forceuser')); + print __METHOD__." login=".$login."\n"; + $this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists + } }
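Review bot: The moved `testCheckLoginPassEntity` keeps `assertEquals($login, '')` and `assertEquals($login, 'admin', ...)` with the actual value first, while the same commit flips the earlier `GETPOST` assertions to the `(expected, actual)` order; since the block is being re-added anyway, the four calls should follow suit, e.g. `$this->assertEquals('', $login);`. The last case already uses that order, so the method is currently inconsistent with itself. The method is deleted and re-added byte-identical, so PHPUnit output will not change, but the reason for moving it to the end of the class (presumably so tests that touch authentication state run last) deserves a line in its docblock.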
'; - print $form->selectarray('operationtype', $arrayoftypes, '', 1, 0, 0, '', 1, 0, 0, '', 'minwidth150 maxwidth300', 1); + print $form->selectarray('operationtype', $arrayoftypes, '', 1, 0, 0, '', 1, 0, 0, '', 'minwidth150 maxwidth250', 1); print ''; print ''; print '