diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index da79ff42233..88fa0f440ea 100755 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -2,7 +2,7 @@ /* Copyright (C) 2003-2004 Rodolphe Quiedeville * Copyright (C) 2004-2010 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo - * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2005 Simon TOSSER * * This program is free software; you can redistribute it and/or modify diff --git a/htdocs/comm/action/fiche.php b/htdocs/comm/action/fiche.php index 85bb92979bd..2951f701c77 100644 --- a/htdocs/comm/action/fiche.php +++ b/htdocs/comm/action/fiche.php @@ -2,7 +2,7 @@ /* Copyright (C) 2001-2005 Rodolphe Quiedeville * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005 Simon TOSSER - * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2010 Juanjo Menent * * This program is free software; you can redistribute it and/or modify @@ -43,11 +43,12 @@ $langs->load("bills"); $langs->load("orders"); $langs->load("agenda"); -$action=GETPOST("action"); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check -$socid = GETPOST('socid'); -$id = GETPOST('id'); +$socid = GETPOST('socid','int'); +$id = GETPOST('id','int'); if ($user->societe_id) $socid=$user->societe_id; //$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id'); @@ -66,9 +67,7 @@ if ($action == 'add_action') { $error=0; - $backtopage=''; - if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"]; - if (! $backtopage) + if (empty($backtopage)) { if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid; else $backtopage=DOL_URL_ROOT.'/comm/action/index.php'; 
@@ -339,14 +338,9 @@ if ($action == 'update') } else { - if (! empty($_POST["from"])) // deprecated. Use backtopage instead - { - header("Location: ".$_POST["from"]); - exit; - } - if (! empty($_POST["backtopage"])) + if (! empty($backtopage)) { - header("Location: ".$_POST["backtopage"]); + header("Location: ".$backtopage); exit; } } @@ -426,7 +420,7 @@ if ($action == 'create') print '
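Review bot: The `header("Location: ".$backtopage);` in the `update` branch is still an open redirect, because the `alpha` check that now guards `backtopage` only rejects a double quote and `../`; a value such as `http://attacker.example/` or `//attacker.example/` passes unchanged and the user is sent off-site after a successful save. Dropping the deprecated `from` parameter is a good simplification, but the remaining target needs a destination check, not just a character filter. If `backtopage` is only ever meant to be an application path, rejecting anything with a scheme or a protocol-relative prefix before the redirect would close it: `if (preg_match('/^\s*([a-z][a-z0-9+.-]*:|\/\/)/i', $backtopage)) $backtopage = '';` — if absolute URLs into the same install are legitimate, compare the prefix against DOL_URL_ROOT / the configured main URL instead. PHP's header() refuses embedded newlines, so header injection is not the concern here; the destination is. The enclosing `update` handling starts before this hunk.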
'; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous")); else print_fiche_titre($langs->trans("AddAnAction")); @@ -679,7 +673,7 @@ if ($id) print ''; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; print ''; diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php index abfb5005972..b124a83714f 100644 --- a/htdocs/comm/remise.php +++ b/htdocs/comm/remise.php @@ -30,21 +30,23 @@ $langs->load("companies"); $langs->load("orders"); $langs->load("bills"); -$socid = GETPOST("id"); +$socid = GETPOST('id','int'); // Security check if ($user->societe_id > 0) { $socid = $user->societe_id; } +$backtopage = GETPOST('backtopage','alpha'); + /* * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -56,9 +58,9 @@ if (GETPOST("action") == 'setremise') if ($result > 0) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else @@ -122,7 +124,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
'; @@ -138,7 +140,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index 8f26a58463e..42bac50817f 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -32,7 +32,8 @@ $langs->load("orders"); $langs->load("bills"); $langs->load("companies"); -$action=GETPOST('action'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check $socid = GETPOST("id"); @@ -46,9 +47,9 @@ if ($user->societe_id > 0) * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -151,9 +152,9 @@ if ($action == 'setremise') if ($discountid > 0) { - if (GETPOST("backtopage")) + if (! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid); + Header("Location: ".$backtopage.'&discountid='.$discountid); exit; } else @@ -228,7 +229,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
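Review bot: In remx.php the context line `$socid = GETPOST("id");` right under the new `$backtopage` assignment keeps the unfiltered form, while remise.php, contact/fiche.php and comm/action/fiche.php in this same commit moved the identical parameter to `GETPOST('id','int')`; this leaves remx.php as the one page where `id` reaches the socid checks and any later query unfiltered. Change it to `$socid = GETPOST('id','int');` for consistency with the siblings. Separately, the `setremise` redirect now builds `Header("Location: ".$backtopage.'&discountid='.$discountid);`, which assumes `backtopage` already carries a query string and produces a malformed URL (`.../page.php&discountid=…`) when it does not; `(strpos($backtopage,'?') === false ? '?' : '&').'discountid='.$discountid` handles both cases. The open-redirect concern on `$backtopage` itself applies here as in the other files.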
'; @@ -280,7 +281,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php index 213980d55a1..bb6ff79a06d 100644 --- a/htdocs/contact/fiche.php +++ b/htdocs/contact/fiche.php @@ -39,10 +39,11 @@ $langs->load("commercial"); $mesg=''; $error=0; $errors=array(); -$action = (GETPOST('action') ? GETPOST('action') : 'view'); -$confirm = GETPOST('confirm'); -$id = GETPOST("id"); -$socid = GETPOST("socid"); +$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view'); +$confirm = GETPOST('confirm','alpha'); +$backtopage = GETPOST('backtopage','alpha'); +$id = GETPOST('id','int'); +$socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; $object = new Contact($db); @@ -76,9 +77,9 @@ $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && GETPOST('backtopage')) + if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -86,7 +87,7 @@ if (empty($reshook)) if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer) { // Recuperation contact actuel - $result = $object->fetch($_GET["id"]); + $result = $object->fetch($id); if ($result > 0) { @@ -172,7 +173,7 @@ if (empty($reshook)) if (! $error && $id > 0) { $db->commit(); - if (GETPOST('backtopage')) $url=GETPOST('backtopage'); + if (! empty($backtopage)) $url=$backtopage; else $url='fiche.php?id='.$id; Header("Location: ".$url); exit; @@ -368,7 +369,7 @@ else print ''; print ''; print ''; - print ''; + print ''; print '
'; // Name @@ -497,7 +498,7 @@ else print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; @@ -537,11 +538,11 @@ else print ''; } - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f9836b4165a..5dfcda5ab17 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0) // Check if alpha //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out=''; // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - if ($check == 'alpha' && preg_match('/"/',trim($out))) $out=''; + if ($check == 'alpha') + { + if (preg_match('/"/',trim($out))) $out=''; + else if (preg_match('/(\.\.\/)+/',trim($out))) $out=''; + } } return $out; diff --git a/htdocs/document.php b/htdocs/document.php index 9c59f1da051..8836ebdbf97 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -2,7 +2,7 @@ /* Copyright (C) 2004-2007 Rodolphe Quiedeville * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005 Simon Tosser - * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2010 Pierre Morin * Copyright (C) 2010 Juanjo Menent * 
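Review bot: The new `preg_match('/(\.\.\/)+/', trim($out))` in GETPOST's `alpha` branch only catches forward-slash traversal: `..\` (which PHP accepts as a separator on Windows), a trailing `/..` with nothing after it, and percent-encoded forms that a callee decodes later all pass, and a single quote is still allowed, so an `alpha` value printed into a single-quoted attribute or an unquoted context remains injectable. A tighter test that covers both separators and a bare trailing `..` is `else if (preg_match('/(^|[\/\\\\])\.\.($|[\/\\\\])/', trim($out))) $out='';`. Note also that the check silently empties the value rather than signalling an error, so a caller like document.php sees an empty `file` and reports a missing parameter instead of a rejected one — worth a comment on the branch, e.g. `// alpha: reject '"' (breaks out of href=/src=) and any '../' / '..\' path segment; value is blanked, not rejected, so callers must treat '' as failure`. The function's preceding checks are outside this hunk.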
@@ -50,10 +50,10 @@ require("./main.inc.php"); // Load $user and permissions require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'); $encoding = ''; -$action = GETPOST("action"); -$original_file = GETPOST("file"); // Do not use urldecode here ($_GET are already decoded by PHP). -$modulepart = GETPOST("modulepart"); -$urlsource = GETPOST("urlsource"); +$action = GETPOST('action','alpha'); +$original_file = GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP). +$modulepart = GETPOST('modulepart','alpha'); +$urlsource = GETPOST('urlsource','alpha'); // Security check if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); @@ -72,7 +72,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); // Define mime type $type = 'application/octet-stream'; -if (GETPOST('type')) $type=GETPOST('type'); +if (GETPOST('type','alpha')) $type=GETPOST('type','alpha'); else $type=dol_mimetype($original_file); //print 'X'.$type.'-'.$original_file;exit; diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php index 95aba87efb0..371028f02fd 100644 --- a/htdocs/projet/fiche.php +++ b/htdocs/projet/fiche.php @@ -34,8 +34,9 @@ $langs->load("projects"); $langs->load('companies'); $id=GETPOST('id','int'); -$ref = GETPOST('ref'); -$action=GETPOST('action'); +$ref = GETPOST('ref','alpha'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden(); @@ -55,9 +56,9 @@ $result = restrictedArea($user, 'projet', $id); */ // Cancel -if (GETPOST("cancel") && GETPOST('backtopage')) +if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -276,7 +277,7 @@ if ($action == 'create' && $user->rights->projet->creer) print ''; print ''; print ''; - print ''; + print ''; print '
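Review bot: `if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');` still lets the client pick the MIME type the file is served as; the `alpha` check constrains nothing relevant here, and if `$type` is what ends up in the Content-Type header (the header emission is outside this hunk), a request with `type=text/html` for a user-uploaded document renders that file in the application's origin. Prefer `$type = dol_mimetype($original_file);` unconditionally, or honour `type` only when it matches a strict token shape such as `preg_match('/^[a-z0-9.+-]+\/[a-z0-9.+-]+$/i', $t)` and is in a small allow-list. The `../` rejection now applied to `file` is also only partial (`..\` is not caught), so the real-path checks on `$original_file` that follow — outside this hunk — remain the actual traversal defence and should not be relaxed on the strength of this filter.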
'; @@ -332,7 +333,7 @@ if ($action == 'create' && $user->rights->projet->creer) print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c05bac91f4e..6c4ccb733fa 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -36,6 +36,7 @@ $langs->load("projects"); $action = GETPOST('action', 'alpha'); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); +$backtopage=GETPOST('backtopage','alpha'); $mode = GETPOST('mode', 'alpha'); $mine = ($mode == 'mine' ? 1 : 0); @@ -111,9 +112,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) if (! $error) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($projectid)) @@ -125,9 +126,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) } else { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($id)) @@ -219,7 +220,7 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->socie print ''; print ''; print ''; - print ''; + print ''; if (! empty($object->id)) print ''; if (! empty($mode)) print ''; diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index fc7feedb0ae..d1d63d0310e 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -47,8 +47,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/company.lib.php"); $errmsg=''; $num=0; $error=0; -$backtopage=GETPOST('backtopage'); -$action=GETPOST('action'); +$backtopage=GETPOST('backtopage','alpha'); +$action=GETPOST('action','alpha'); // Load translation files $langs->load("main"); 
@@ -255,7 +255,7 @@ if ($action == 'add') $result=$adh->send_an_email($conf->global->ADHERENT_AUTOREGISTER_MAIL,$conf->global->ADHERENT_AUTOREGISTER_MAIL_SUBJECT,array(),array(),array(),"","",0,-1); } - if ($backtopage) $urlback=$backtopage; + if (! empty($backtopage)) $urlback=$backtopage; else if ($conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION) { $urlback=$conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION; @@ -545,7 +545,7 @@ print "
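Review bot: `if (! empty($backtopage)) $urlback=$backtopage;` takes the post-registration redirect target straight from the request on a page under `public/`, i.e. reachable without login; the `alpha` filter leaves `http://…`, `//…` and `javascript:` values untouched, so a crafted link into the sign-up form can bounce a new member to an arbitrary site afterwards (where `$urlback` is emitted is outside this hunk). Since the administrator-configured `MEMBER_URL_REDIRECT_SUBSCRIPTION` is already the sanctioned way to send members to an external destination, I would restrict `backtopage` here to application-relative paths before it is used: `if (preg_match('/^\s*([a-z][a-z0-9+.-]*:|\/\/)/i', $backtopage)) $backtopage = '';`. The `add` action's surrounding code starts before this hunk.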
\n"; // Save print '
'; print ''; -if ($backtopage) +if (! empty($backtopage)) { print '     '; }