From 762ca96203f6bd92050ca547a9dbe48c3324f2a3 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 15 May 2020 18:28:15 +0200
Subject: [PATCH 1/9] FIX #13841
---
 htdocs/admin/dict.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 2ad521f79a2..b7f65ddf91f 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
 if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue;
 if ($value == 'color' && empty($_POST['color'])) continue;
 if ($value == 'formula' && empty($_POST['formula'])) continue;
+ if ($value == 'dayrule' && empty($_POST['dayrule'])) continue;
 if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position'
 if ((!isset($_POST[$value]) || $_POST[$value] == '') && (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking')) // Fields that are not mandatory
From 8b79b7f074335f2cc3ea77a8b936121cd0b93fd6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 15 May 2020 20:00:59 +0200
Subject: [PATCH 2/9] Update changelog
---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index bcbfb1a959c..67cf9513a4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email
 FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create
 FIX: Wrong Sql on getListOfTowns api method
 FIX: wrong user right's name to top menu "commercial"
-FIX: XSS Vulnerability
+FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security
 ***** ChangeLog for 11.0.3 compared to 11.0.2 *****
 FIX: unit price for selected supplier products not set. NaN was used.
From 54af917afb333d91300fc2203914d3231896dd08 Mon Sep 17 00:00:00 2001
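Review bot: The new `dayrule` line, like the `color` and `formula` lines above it, uses `empty($_POST['dayrule'])`, which also treats the string `'0'` as empty, so a day rule posted as `0` is skipped instead of saved. If `0` is a meaningful rule value, use the same test as the generic check two lines below: `if ($value == 'dayrule' && (!isset($_POST['dayrule']) || $_POST['dayrule'] === '')) continue;`. The `$_POST` read is only an emptiness test here, so no escaping is needed on this line, but the loose `==` on `$value` would be safer as `===`. The enclosing loop (implied by `continue`) starts and ends outside the hunk.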
From: Maxime Kohlhaas
Date: Sat, 16 May 2020 20:04:07 +0200
Subject: [PATCH 3/9] Fix cron globals reload, missing mysoc and langs
---
 scripts/cron/cron_run_jobs.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php
index 635c128a89f..104443feba1 100755
--- a/scripts/cron/cron_run_jobs.php
+++ b/scripts/cron/cron_run_jobs.php
@@ -191,11 +191,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0))
 // Force reload of setup for the current entity
 if ($line->entity != $conf->entity) {
- dol_syslog("cron_run_jobs.php we work on another entity so we reload user and conf", LOG_DEBUG);
- echo " -> we change entity so we reload user and conf";
+ dol_syslog("cron_run_jobs.php we work on another entity so we reload mysoc, langs, user and conf", LOG_DEBUG);
+ echo " -> we change entity so we reload mysoc, langs, user and conf";
 $conf->entity = (empty($line->entity)?1:$line->entity);
 $conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings
+ $mysoc->setMysoc($conf);
 // Force recheck that user is ok for the entity to process and reload permission for entity
 if ($conf->entity != $user->entity && $user->entity != 0)
@@ -218,6 +219,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0))
 }
 $user->getrights();
 }
+
+ // Reload langs
+ $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT);
+ if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT;
+ if($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
 }
 //If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database
From cf96383bf92b93b6492ba89172c00b0f8caf4262 Mon Sep 17 00:00:00 2001
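Review bot: `if($langs->getDefaultLang() != $langcode)` compares the current language with the sentinel `'auto'` whenever `MAIN_LANG_DEFAULT` is unset; if `getDefaultLang()` returns a resolved code such as `en_US` rather than the literal `'auto'`, the condition is always true in that configuration and `setDefaultLang('auto')` re-runs on every entity switch, which is only harmless if `setDefaultLang` is cheap and idempotent. A comment on that line, e.g. `// 'auto' never equals a resolved code, so the reload is unconditional when no default lang is configured`, would record that this is intended, or the comparison could be skipped when `$langcode` is `'auto'`. Patch 8/9 later touches only the spacing of this line, not the comparison. The enclosing `if ($line->entity != $conf->entity)` block starts outside the hunk.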
From: Maxime Kohlhaas
Date: Mon, 18 May 2020 10:44:55 +0200
Subject: [PATCH 4/9] Fix : entity was missing in actioncomm fetch
---
 htdocs/comm/action/class/actioncomm.class.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 98b910fdfca..1d86f1eba08 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -572,6 +572,7 @@ class ActionComm extends CommonObject
 $sql = "SELECT a.id,";
 $sql.= " a.id as ref,";
+ $sql.= " a.entity,";
 $sql.= " a.ref_ext,";
 $sql.= " a.datep,";
 $sql.= " a.datep2,";
@@ -608,6 +609,7 @@ class ActionComm extends CommonObject
 $obj = $this->db->fetch_object($resql);
 $this->id = $obj->id;
+ $this->entity = $obj->entity;
 $this->ref = $obj->ref;
 $this->ref_ext = $obj->ref_ext;
From baa502a224c92fb795abf3599f08fb67e783d835 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Mon, 18 May 2020 10:54:25 +0200
Subject: [PATCH 5/9] Fix third merge issue with contact roles
---
 htdocs/contact/class/contact.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index a2235097811..8a1b26e9d33 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1576,7 +1576,7 @@ class Contact extends CommonObject
 public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id) {
 $tables = array(
- 'socpeople'
+ 'socpeople', 'societe_contacts'
 );
 return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables);
From 3d9d5d0ad522a76a65d8a9daaf35b2b693c5a138 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Mon, 18 May 2020 11:03:32 +0200
Subject: [PATCH 6/9] Fix : entity was missing in expedition fetch
---
 htdocs/expedition/class/expedition.class.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
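Review bot: `$this->entity = $obj->entity;` copies the row's entity into the object, but nothing in either hunk shows the query being restricted by `a.entity`; the `WHERE` clause that should keep the fetch entity-scoped lies outside the hunk, so that cannot be confirmed here and is worth checking, since selecting the column is not the same as filtering on it. A comment on the new assignment, e.g. `// Entity of the loaded row; entity filtering is expected in the WHERE clause below`, would make the intent explicit. Patch 6/9 makes the same change to `Expedition` (`e.entity` / `$this->entity`) and the same remark applies there. The enclosing fetch method starts and ends outside the hunks.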
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index 70e3683b22c..838cbd87152 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -527,7 +527,7 @@ class Expedition extends CommonObject
 // Check parameters
 if (empty($id) && empty($ref) && empty($ref_ext) && empty($ref_int)) return -1;
- $sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet, e.billed";
+ $sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet, e.billed";
 $sql.= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height";
 $sql.= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery";
 $sql.= ", e.fk_shipping_method, e.tracking_number";
@@ -555,6 +555,7 @@ class Expedition extends CommonObject
 $obj = $this->db->fetch_object($result);
 $this->id = $obj->rowid;
+ $this->entity = $obj->entity;
 $this->ref = $obj->ref;
 $this->socid = $obj->socid;
 $this->ref_customer = $obj->ref_customer;
From a9d1519f966163a092a6d994fe6cbb13f472090d Mon Sep 17 00:00:00 2001
From: ptibogxiv
Date: Mon, 18 May 2020 14:52:33 +0200
Subject: [PATCH 7/9] FIX php error if multicompany disabled
---
 htdocs/compta/paiement/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php
index 848cc20d483..27086713b07 100644
--- a/htdocs/compta/paiement/card.php
+++ b/htdocs/compta/paiement/card.php
@@ -342,7 +342,7 @@ if ($resql)
 print '';
 print ''.$langs->trans('Bill').'';
 print ''.$langs->trans('Company').'';
- if($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED )print ''.$langs->trans('Entity').'';
+ if (!empty($conf->multicompany->enabled) && $conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ) print ''.$langs->trans('Entity').'';
 print ''.$langs->trans('ExpectedToPay').'';
 print ''.$langs->trans('PayedByThisPayment').'';
 print ''.$langs->trans('RemainderToPay').'';
@@ -379,7 +379,7 @@ if ($resql)
 print '';
 // Expected to pay
- if($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ){
+ if(!empty($conf->multicompany->enabled) && $conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ){
 print '';
 $mc->getInfo($objp->entity);
 print $mc->label;
From 18a19dafe513942a8a099cac13e60303a7eb3dc1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 18 May 2020 15:01:29 +0200
Subject: [PATCH 8/9] Update cron_run_jobs.php
---
 scripts/cron/cron_run_jobs.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php
index 104443feba1..6438b13e884 100755
--- a/scripts/cron/cron_run_jobs.php
+++ b/scripts/cron/cron_run_jobs.php
@@ -223,7 +223,7 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0))
 // Reload langs
 $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT);
 if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT;
- if($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
+ if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
 }
 //If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database
From 756c1fd73d4f9993379b7c63018f19f67699f63d Mon Sep 17 00:00:00 2001
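Review bot: Both rewritten conditions still read `$conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED` without `empty()`, so when that constant is not defined they can raise the same kind of undefined-property notice the commit fixes for `$conf->multicompany->enabled`; the consistent form is `!empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)`. The test is duplicated between the header row (@@ -342) and the data row (@@ -379), so the two can drift apart; compute it once before the table, `$showentity = !empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED);`, and test `$showentity` in both places. The second hunk's `$mc->getInfo($objp->entity)` is why the guard matters, since `$mc` presumably only exists when the multicompany module is on; a one-line comment saying so would help the next reader. The enclosing `if ($resql)` block starts and ends outside the hunks.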
From: Laurent Destailleur
Date: Mon, 18 May 2020 15:26:04 +0200
Subject: [PATCH 9/9] Fix tooltip message
---
 htdocs/admin/security_other.php | 7 +++++--
 htdocs/langs/en_US/admin.lang | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index f0ad4352b60..f642cd64182 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -177,7 +177,11 @@ $sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
 print '';
 print ''.$langs->trans("SessionTimeOut").'';
-print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor")));
+if (ini_get("session.gc_probability") == 0) {
+ print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime")));
+} else {
+ print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime")));
+}
 print '';
 print '';
 print ' '.strtolower($langs->trans("Seconds"));
@@ -185,7 +189,6 @@ print '';
 print '';
-$sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_APPLICATION_TITLE)) $conf->global->MAIN_APPLICATION_TITLE = "";
 print '';
 print ''.$langs->trans("MAIN_APPLICATION_TITLE").'';
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 5e485c86dbc..84c64a23615 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
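Review bot: `if (ini_get("session.gc_probability") == 0) {` is a loose comparison on a string: `ini_get()` returns a string (or `false` for an unknown directive), and `"" == 0` is true on PHP 7 but false on PHP 8, so the external-cleaner branch can be chosen differently depending on the PHP version when the directive is empty. An explicit cast removes the ambiguity: `if ((int) ini_get("session.gc_probability") === 0) {`. Dropping the duplicate `$sessiontimeout = ini_get(...)` in the second hunk looks safe, since the first hunk's header context shows the earlier assignment is kept.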
@@ -1145,6 +1145,7 @@ AvailableModules=Available app/modules
 ToActivateModule=To activate modules, go on setup Area (Home->Setup->Modules).
 SessionTimeOut=Time out for session
 SessionExplanation=This number guarantees that the session will never expire before this delay, if the session cleaner is done by Internal PHP session cleaner (and nothing else). Internal PHP session cleaner does not guarantee that the session will expire after this delay. It will expire, after this delay, and when the session cleaner is run, so every %s/%s access, but only during access made by other sessions (if value is 0, it means clearing of session is done only by an external process).
Note: on some servers with an external session cleaning mechanism (cron under debian, ubuntu ...), the sessions can be destroyed after a period defined by an external setup, no matter what the value entered here is.
+SessionsPurgedByExternalSystem=Sessions on this server seems to be cleaned by an external mechanism (cron under debian, ubuntu ...), probably every %s seconds (= value of parameter session.gc_maxlifetime), so changing the value here has no effect. You must ask the server administrator to change session delay.
 TriggersAvailable=Available triggers
 TriggersDesc=Triggers are files that will modify the behavior of Dolibarr workflow once copied into the directory htdocs/core/triggers. They realize new actions, activated on Dolibarr events (new company creation, invoice validation, ...).
 TriggerDisabledByName=Triggers in this file are disabled by the -NORUN suffix in their name.