From 85aa9f7481ecba95bbedcf9eb0d66253a4deb7a9 Mon Sep 17 00:00:00 2001
From: Florian HENRY
Date: Wed, 16 Nov 2022 09:32:14 +0100
Subject: [PATCH 1/6] FIX: base64_decode shloud be forbiden in dol_eval
---
 htdocs/core/lib/functions.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 479b8b30977..9f63a420430 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8133,7 +8133,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
 }
 // We block using of php exec or php file functions
- $forbiddenphpstrings = array("exec(", "passthru(", "shell_exec(", "system(", "proc_open(", "popen(", "eval(", "dol_eval(", "executeCLI(");
+ $forbiddenphpstrings = array("exec(", "passthru(", "shell_exec(", "system(", "proc_open(", "popen(", "eval(", "dol_eval(", "executeCLI(", "base64_decode(");
 $forbiddenphpstrings = array_merge($forbiddenphpstrings, array("fopen(", "file_put_contents(", "fputs(", "fputscsv(", "fwrite(", "fpassthru(", "unlink(", "mkdir(", "rmdir(", "symlink(", "touch(", "umask("));
 $forbiddenphpstrings = array_merge($forbiddenphpstrings, array('function(', '$$', 'call_user_func('));
 $forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
From 19273c8da15896418880d4698dd76f58859e9775 Mon Sep 17 00:00:00 2001
From: josett225 <57623859+josett225@users.noreply.github.com>
Date: Sun, 20 Nov 2022 05:33:31 +0100
Subject: [PATCH 2/6] Fix PaymentBankTransfer Line page management with Select and Input
---
 htdocs/compta/prelevement/list.php | 3 +++
 htdocs/compta/prelevement/orders_list.php | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php
index a7bab4281c2..6bf12933eab 100644
--- a/htdocs/compta/prelevement/list.php
+++ b/htdocs/compta/prelevement/list.php
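Review bot: The new `"base64_decode("` entry in `$forbiddenphpstrings` is a literal-substring denylist entry, and PHP resolves function names case-insensitively and permits whitespace before the opening parenthesis, so a literal match on this one spelling covers only one of several equivalent forms; how the list is applied is decided below the hunk, so whether the check is case-sensitive cannot be confirmed from these lines. If it is a plain `strpos`/`str_replace`, consider matching with a case-insensitive regex such as `/\bbase64_decode\s*\(/i` alongside the string list, and giving the existing entries the same treatment. Since the purpose of this entry is to stop the other forbidden names from being hidden inside an encoded literal, a comment would help maintainers: `// base64_decode() is blocked because it lets the other forbidden strings be hidden in an encoded literal`. dol_eval's body continues outside the hunk, and a denylist of this shape is defence in depth rather than a complete sandbox, which is worth stating in the function's doc comment.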
@@ -191,6 +191,9 @@ if ($result) {
 print '';
 print '';
 print '';
+ if ($type != '') {
+ print '';
+ }
 $title = $langs->trans("WithdrawalsLines");
 if ($type == 'bank-transfer') {
diff --git a/htdocs/compta/prelevement/orders_list.php b/htdocs/compta/prelevement/orders_list.php
index 6737ea258ea..6c614cc8a20 100644
--- a/htdocs/compta/prelevement/orders_list.php
+++ b/htdocs/compta/prelevement/orders_list.php
@@ -158,7 +158,9 @@ if ($result) {
 print '';
 print '';
 print '';
-
+ if ($type != '') {
+ print '';
+ }
 $titlekey = "WithdrawalsReceipts";
 $title = $langs->trans("WithdrawalsReceipts");
 if ($type == 'bank-transfer') {
From 7be0e0da1c41002dcec509ed0ddf91e5f699caa3 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Tue, 22 Nov 2022 13:46:42 +0100
Subject: [PATCH 3/6] Fix API right check
---
 htdocs/societe/class/api_thirdparties.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index 07dd2ba6031..1e37cfa1204 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -1048,7 +1048,7 @@ class Thirdparties extends DolibarrApi
 {
 global $db, $conf;
- if (!DolibarrApiAccess::$user->rights->facture->lire) {
+ if (!DolibarrApiAccess::$user->rights->societe->lire) {
 throw new RestException(401);
 }
 if (empty($id)) {
From 3d9b2a16768164860cb66e537e381c2a2729e40e Mon Sep 17 00:00:00 2001
From: ATM-Nicolas
Date: Tue, 22 Nov 2022 15:32:37 +0100
Subject: [PATCH 4/6] FIX : SQL request parenthesis
---
 htdocs/core/class/translate.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php
index eca41a55301..5b339fe1d81 100644
--- a/htdocs/core/class/translate.class.php
+++ b/htdocs/core/class/translate.class.php
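Review bot: The hidden input added after the three existing `print` lines carries `$type` back through the form, but its markup is not visible in this hunk (the extraction left only `print '';`), so whether the interpolated value is HTML-escaped cannot be confirmed; if `$type` originates from the request, the attribute value should be written through `dol_escape_htmltag($type)` rather than raw interpolation. The same block is added in the orders_list.php hunk of this patch and in the create.php hunk of patch 5/6, so the same check applies there. The `$type != ''` guard is a loose comparison; if `$type` is always initialised as a string above the hunk, `$type !== ''` is the usual form and avoids type juggling.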
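Review bot: The corrected check now tests `rights->societe->lire`, which matches the resource this class serves, but the failure is still reported as `RestException(401)`; 401 denotes a missing or invalid credential, whereas a caller who authenticated and merely lacks the permission is a 403 case. If the rest of the API layer deliberately uses 401 for permission failures, keeping it here is consistent and this is only a note; otherwise `throw new RestException(403);` would be the more accurate status. A one-line comment stating why this permission is the one required, e.g. `// Reading thirdparty data requires the societe read right, not the invoice one`, would make the original mismatch harder to reintroduce. The enclosing method's signature and the rest of its body are outside the hunk.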
@@ -468,7 +468,7 @@ class Translate
 if (! $found && ! empty($conf->global->MAIN_ENABLE_OVERWRITE_TRANSLATION)) {
 // Overwrite translation with database read
- $sql ="SELECT transkey, transvalue FROM ".MAIN_DB_PREFIX."overwrite_trans where lang='".$db->escape($this->defaultlang)."' OR lang IS NULL";
+ $sql ="SELECT transkey, transvalue FROM ".MAIN_DB_PREFIX."overwrite_trans where (lang='".$db->escape($this->defaultlang)."' OR lang IS NULL)";
 $sql.=" AND entity IN (0, ".getEntity('overwrite_trans').")";
 $sql.=$db->order("lang", "DESC");
 $resql=$db->query($sql);
From e38ef6bc8c598ad0e6b576fbf77e8b4fed8febb6 Mon Sep 17 00:00:00 2001
From: josett225 <57623859+josett225@users.noreply.github.com>
Date: Tue, 22 Nov 2022 21:03:28 +0100
Subject: [PATCH 5/6] Update create.php
---
 htdocs/compta/prelevement/create.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index 4cf238b65f5..3319f3ac98c 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
@@ -386,7 +386,10 @@ if ($resql) {
 if (!empty($limit)) {
 print '';
 }
-
+ if ($type != '') {
+ print '';
+ }
+
 $title = $langs->trans("InvoiceWaitingWithdraw");
 if ($type == 'bank-transfer') {
 $title = $langs->trans("InvoiceWaitingPaymentByBankTransfer");
From 76fdf0006d75404bc3e63d5d141e45af5090fe4f Mon Sep 17 00:00:00 2001
From: stickler-ci
Date: Tue, 22 Nov 2022 20:17:37 +0000
Subject: [PATCH 6/6] Fixing style errors.
---
 htdocs/compta/prelevement/create.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index 3319f3ac98c..9bee65b5261 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
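Review bot: The added parentheses correctly bind `lang='…' OR lang IS NULL` before the `AND entity IN (…)` appended on the next line; without them `AND` bound tighter, so the entity filter applied only to the `lang IS NULL` branch and language-specific override rows from any entity were returned. Because that reasoning is invisible once the line is read on its own, a short comment would protect the fix: `// Parentheses required: the entity filter appended below must apply to both the language-specific and the language-agnostic (NULL) rows`. Whether a language-specific row wins over a NULL row under `$db->order("lang", "DESC")` depends on how the fetch loop below the hunk treats duplicate keys, which cannot be seen here. Minor style: `$sql ="SELECT` is missing the space after `=`, and the lowercase `where` is inconsistent with the uppercase keywords around it.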
@@ -389,7 +389,7 @@ if ($resql) {
 if ($type != '') {
 print '';
 }
-
+
 $title = $langs->trans("InvoiceWaitingWithdraw");
 if ($type == 'bank-transfer') {
 $title = $langs->trans("InvoiceWaitingPaymentByBankTransfer");