From 0ef507ae7fd609ef90af4cf035c2e3fe4c27e21e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 21:52:51 +0200 Subject: [PATCH 1/4] Fix rename of file to remove .noexe extension. --- htdocs/comm/propal/document.php | 39 +++++++++++++------------ htdocs/core/actions_linkedfiles.inc.php | 19 ++++++++---- htdocs/core/lib/files.lib.php | 6 ++-- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php index 9b875e434f7..aef0ade7c84 100644 --- a/htdocs/comm/propal/document.php +++ b/htdocs/comm/propal/document.php @@ -1,6 +1,6 @@ - * Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2004-2017 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2013 Cédric Salvador @@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name"; $object = new Propal($db); $object->fetch($id,$ref); -if ($object->id > 0) -{ - $object->fetch_thirdparty(); - $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); - include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; -} + /* * Actions */ +if ($object->id > 0) +{ + $object->fetch_thirdparty(); + $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); + include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; +} /* @@ -101,10 +102,10 @@ if ($object->id > 0) // Proposal card - + $linkback = '' . $langs->trans("BackToList") . ''; - - + + $morehtmlref='
'; // Ref customer $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1); @@ -145,24 +146,24 @@ if ($object->id > 0) } } $morehtmlref.='
'; - + dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); - - + + print '
'; print '
'; - + print ''; - + // Files infos print ''; print ''; - + print "
'.$langs->trans("NbOfAttachedFiles").''.count($filearray).'
'.$langs->trans("TotalSizeOfAttachedFiles").''.$totalsize.' '.$langs->trans("bytes").'
\n"; - + print '
'; - - + + dol_fiche_end(); $modulepart = 'propal'; diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 672da011a79..fb9f44edcfb 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -71,7 +71,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') $ret = dol_delete_file($file, 0, 0, 0, $object); if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object); // Delete file using old path - + // Si elle existe, on efface la vignette if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs)) { @@ -150,19 +150,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave')) { $filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom')); $filenameto=dol_sanitizeFileName(GETPOST('renamefileto')); + + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. + if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) + { + $filenameto.= '.noexe'; + } + if ($filenamefrom && $filenameto) { $srcpath = $upload_dir.'/'.$filenamefrom; $destpath = $upload_dir.'/'.$filenameto; - + $result = dol_move($srcpath, $destpath); - if ($result) + if ($result) { $object->addThumbs($destpath); - + // TODO Add revert function of addThumbs //$object->delThumbs($srcpath); - + setEventMessages($langs->trans("FileRenamed"), null); } else setEventMessages($langs->trans("ErrorFailToRenameFile", $filenamefrom, $filenameto), null, 'errors'); diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index a4680ca81e2..29706e15341 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
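Review bot: The `.noexe` rule inserted before `if ($filenamefrom && $filenameto)` duplicates, character for character, the regex and the `MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED` gate that `dol_move_uploaded_file` carries in the files.lib.php hunk of this same patch, so the two copies will drift the next time the extension list is adjusted; one shared helper in files.lib.php, called from both the upload path and this rename path, keeps the policy in a single place. In `/\.htm|\.html|\.php|\.pl|\.cgi$/i` the `$` binds only to the `\.cgi` alternative, so the other extensions match anywhere in the name — an acceptable over-match, except that a rename target which already ends in `.noexe` receives a second `.noexe`; a `!preg_match('/\.noexe$/i', $filenameto)` condition before appending avoids that. While extracting the helper it is worth confirming that the upload-side copy, which tests `$dest_file` but appends to `$file_name`, is operating on the same value — presumably it is, but that function body is outside the hunk.
```php
$filenameto=dol_sanitizeFileName(GETPOST('renamefileto'));

// Security: same policy as dol_move_uploaded_file() — keep both call sites on one shared helper.
// Do not re-append the suffix when the target already carries it.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i', $filenameto)
    && ! preg_match('/\.noexe$/i', $filenameto)
    && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
    $filenameto .= '.noexe';
}
// … unchanged: dol_move, addThumbs and event messages …
```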
@@ -634,9 +634,9 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable } } - // Security: - // Disallow file with some extensions. We renamed them. - // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande. + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { $file_name.= '.noexe'; From 8debefa8ad6404ec434a6d77efa85d275fa33eb9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 21:53:06 +0200 Subject: [PATCH 2/4] Fix php sanitazing --- htdocs/don/card.php | 87 ++++++++++------------------------------- htdocs/holiday/list.php | 8 ++-- 2 files changed, 24 insertions(+), 71 deletions(-) diff --git a/htdocs/don/card.php b/htdocs/don/card.php index 0ace5c88e76..f2e7ade706d 100644 --- a/htdocs/don/card.php +++ b/htdocs/don/card.php @@ -50,7 +50,7 @@ $cancel=GETPOST('cancel'); $amount=GETPOST('amount'); $donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear')); $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0); - + $object = new Don($db); $extrafields = new ExtraFields($db); 
@@ -316,17 +316,17 @@ if ($action == 'create') print ''; // Amount - print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; + print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; print ''.$langs->trans("PublicDonation").""; print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1); print "\n"; - print "".''.$langs->trans("Company").''; - print "".''.$langs->trans("Lastname").''; - print "".''.$langs->trans("Firstname").''; + print "".''.$langs->trans("Company").''; + print "".''.$langs->trans("Lastname").''; + print "".''.$langs->trans("Firstname").''; print "".''.$langs->trans("Address").''; - print ''; + print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -341,7 +341,7 @@ if ($action == 'create') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print ''; - print "".''.$langs->trans("EMail").''; + print "".''.$langs->trans("EMail").''; // Public note print ''; @@ -384,9 +384,9 @@ if ($action == 'create') dol_fiche_end(); print '
'; - print ''; + print ''; print '     '; - print ''; + print ''; print '
'; print "\n"; @@ -438,7 +438,7 @@ if (! empty($id) && $action == 'edit') // Amount if ($object->statut == 0) { - print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; + print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; } else { @@ -453,11 +453,11 @@ if (! empty($id) && $action == 'edit') print "\n"; $langs->load("companies"); - print ''.$langs->trans("Company").''; - print ''.$langs->trans("Lastname").''; - print ''.$langs->trans("Firstname").''; + print ''.$langs->trans("Company").''; + print ''.$langs->trans("Lastname").''; + print ''.$langs->trans("Firstname").''; print ''.$langs->trans("Address").''; - print ''; + print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -472,7 +472,7 @@ if (! empty($id) && $action == 'edit') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print ''; - print "".''.$langs->trans("EMail").''; + print "".''.$langs->trans("EMail").''; print "".$langs->trans("PaymentMode")."\n"; @@ -544,9 +544,9 @@ if (! empty($id) && $action != 'edit') // Print form confirm print $formconfirm; - + $linkback = ''.$langs->trans("BackToList").''; - + $morehtmlref='
'; // Project if (! empty($conf->projet->enabled)) @@ -581,8 +581,8 @@ if (! empty($id) && $action != 'edit') } } $morehtmlref.='
'; - - + + dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref); @@ -592,13 +592,6 @@ if (! empty($id) && $action != 'edit') print ''; - // Ref - /* - print ''; - print ''; - */ // Date print ''; print ''; print ''; - /*print ''; - // Zip / Town - print ''; - - // Country - print ''; - - // EMail - print "".''; - */ - // Payment mode print "\n"; - - //print "".''; - - // Project - /* - if (! empty($conf->projet->enabled)) - { - print ''; - print ''; - print ''; - print ''; - }*/ - + // Other attributes $cols = 2; include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php'; diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 9523d489256..90db40fd2e7 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -138,7 +138,7 @@ if($year_start > 0) { } } else { if($month_start > 0) { - $filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'"; + $filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'"; } } @@ -153,7 +153,7 @@ if($year_end > 0) { } } else { if($month_end > 0) { - $filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'"; + $filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'"; } } @@ -368,13 +368,13 @@ print ''; // DATE DEBUT print ''; // DATE FIN print ''; From f3a5975cf861ef4bf315d71e197db97cece1f36e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 21:58:56 +0200 Subject: [PATCH 3/4] Fix sql injection --- htdocs/comm/propal/list.php | 122 ++++++++++++++++++------------------ 1 file changed, 61 insertions(+), 61 deletions(-) diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index efb72afb7b7..b8267feb5bc 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php 
@@ -161,7 +161,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab } } -$object = new Propal($db); // To be passed as parameter of executeHooks that need +$object = new Propal($db); // To be passed as parameter of executeHooks that need /* 
@@ -273,25 +273,25 @@ if (! $user->rights->societe->client->voir && ! $socid) //restriction $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; } if ($search_town) $sql.= natural_search('s.town', $search_town); -if ($search_zip) $sql.= natural_search("s.zip",$search_zip); -if ($search_state) $sql.= natural_search("state.nom",$search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$search_country.')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; -if ($search_ref) $sql .= natural_search('p.ref', $search_ref); +if ($search_zip) $sql.= natural_search("s.zip", $search_zip); +if ($search_state) $sql.= natural_search("state.nom", $search_state); +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); -if ($search_societe) $sql .= natural_search('s.nom', $search_societe); -if ($search_login) $sql.= " AND u.login LIKE '%".$db->escape(trim($search_login))."%'"; +if ($search_societe) $sql .= natural_search('s.nom', $search_societe); +if ($search_login) $sql .= natural_search("u.login", $search_login); if ($search_montant_ht != '') $sql.= natural_search("p.total_ht", $search_montant_ht, 1); if ($search_montant_vat != '') $sql.= natural_search("p.tva", $search_montant_vat, 1); if ($search_montant_ttc != '') $sql.= natural_search("p.total", $search_montant_ttc, 1); if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } -if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$search_product_category; +if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$db->escape($search_product_category); if ($socid > 0) $sql.= ' AND s.rowid = '.$socid; if ($viewstatut != '' && $viewstatut != '-1') { 
- $sql.= ' AND p.fk_statut IN ('.$viewstatut.')'; + $sql.= ' AND p.fk_statut IN ('.$db->escape($viewstatut).')'; } if ($month > 0) { @@ -300,16 +300,16 @@ if ($month > 0) else if ($year > 0 && ! empty($day)) $sql.= " AND p.datep BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; else - $sql.= " AND date_format(p.datep, '%m') = '".$month."'"; + $sql.= " AND date_format(p.datep, '%m') = '".$db->escape($month)."'"; } else if ($year > 0) { $sql.= " AND p.datep BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'"; } -if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale; +if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$db->escape($search_sale); if ($search_user > 0) { - $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$search_user; + $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$db->escape($search_user); } // Add where from extra fields foreach ($search_array_options as $key => $val) @@ -357,12 +357,12 @@ if ($resql) else { $title = $langs->trans('ListOfProposals'); - } + } $num = $db->num_rows($resql); - + $arrayofselected=is_array($toselect)?$toselect:array(); - + $param='&viewstatut='.$viewstatut; if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; @@ -386,7 +386,7 @@ if ($resql) $tmpkey=preg_replace('/search_options_/','',$key); if ($val != '') $param.='&search_options_'.$tmpkey.'='.urlencode($val); } - + // List of mass actions available $arrayofmassactions = array( 'presend'=>$langs->trans("SendByMail"), 
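Review bot: Wrapping `$search_country`, `$search_type_thirdparty` and `$viewstatut` in `$db->escape()` adds little on these lines, because the values are spliced into `IN (...)` without surrounding quotes and escaping only neutralises quote and backslash characters; for an unquoted SQL position the effective guard is a type constraint on the value itself. For a single id `(int)` is enough; if these really are comma-separated lists (the `IN` suggests so), normalise them first, e.g. `if ($search_country) $sql .= " AND s.fk_pays IN (".implode(',', array_map('intval', explode(',', $search_country))).')';`. The same applies to `$search_product_category` in this hunk and to `$search_sale` and `$search_user` in the `@@ -300` hunk, where the `> 0` test already proves the value numeric, so `(int)` is both tighter and cheaper than `$db->escape()`. The `$month` change, by contrast, sits inside quotes and is fine as written, though reading these parameters with `GETPOST(..., 'int')` at the top of the file would settle all of them at once — that part is outside the hunk.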
@@ -395,7 +395,7 @@ if ($resql) if ($user->rights->propal->supprimer) $arrayofmassactions['delete']=$langs->trans("Delete"); if ($massaction == 'presend') $arrayofmassactions=array(); $massactionbutton=$form->selectMassAction('', $arrayofmassactions); - + // Lignes des champs de filtre print '
'; if ($optioncss != '') print ''; @@ -406,11 +406,11 @@ if ($resql) print ''; print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'title_commercial.png', 0, '', '', $limit); - + if ($massaction == 'presend') { $langs->load("mails"); - + if (! GETPOST('cancel')) { $objecttmp=new Propal($db); @@ -429,17 +429,17 @@ if ($resql) } } } - + print ''; - + include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; $formmail = new FormMail($db); - + dol_fiche_head(null, '', ''); - + $topicmail="SendSupplierProposalRef"; $modelmail="supplier_proposal_send"; - + // Cree l'objet formulaire mail include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; $formmail = new FormMail($db); @@ -492,25 +492,25 @@ if ($resql) $formmail->substit['__REFCLIENT__']='__REFCLIENT__'; // We want to keep the tag $formmail->substit['__PERSONALIZED__']=''; $formmail->substit['__CONTACTCIVNAME__']=''; - + // Tableau des parametres complementaires du post $formmail->param['action']=$action; $formmail->param['models']=$modelmail; $formmail->param['models_id']=GETPOST('modelmailselected','int'); $formmail->param['id']=join(',',$arrayofselected); //$formmail->param['returnurl']=$_SERVER["PHP_SELF"].'?id='.$object->id; - + print $formmail->get_form(); - + dol_fiche_end(); } - + if ($sall) { foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val); print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall); } - + $i = 0; $moreforfilter=''; @@ -546,7 +546,7 @@ if ($resql) $reshook=$hookmanager->executeHooks('printFieldPreListTitle',$parameters); // Note that $action and $object may have been modified by hook if (empty($reshook)) $moreforfilter .= $hookmanager->resPrint; else $moreforfilter = $hookmanager->resPrint; - + if (! empty($moreforfilter)) { print '
'; @@ -556,10 +556,10 @@ if ($resql) $varpage=empty($contextpage)?$_SERVER["PHP_SELF"]:$contextpage; $selectedfields=$form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields - + print '
'; print '
'.$langs->trans("Ref").''; - print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', ''); - print '
'.$langs->trans("Date").''; print dol_print_date($object->date,"day"); @@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit') print '
'.$langs->trans("Company").''.$object->societe.'
'.$langs->trans("Lastname").''.$object->lastname.'
'.$langs->trans("Firstname").''.$object->firstname.'
'.$langs->trans("Address").''.dol_nl2br($object->address).'
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'
'.$langs->trans('Country').''; - if (! empty($object->country_code)) - { - $img=picto_from_langcode($object->country_code); - print ($img?$img.' ':''); - print $object->country; - } - else - { - print $object->country_olddata; - } - print '
'.$langs->trans("EMail").''.dol_print_email($object->email).'
".$langs->trans("PaymentMode").""; $form->form_modes_reglement(null, $object->modepaymentid,'none'); print "
'.$langs->trans("Status").''.$object->getLibStatut(4).'
'.$langs->trans("Project").''; - $projettmp=new Project($db); - $projettmp->id=$object->fk_projet; - $projettmp->ref=$object->project; - if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1); - print '
 '; -print ''; +print ''; $formother->select_year($year_start,'year_start',1, $min_year, $max_year); print ''; -print ''; +print ''; $formother->select_year($year_end,'year_end',1, $min_year, $max_year); print '
'."\n"; - + // Fields title print ''; if (! empty($arrayfields['p.ref']['checked'])) print_liste_field_titre($arrayfields['p.ref']['label'],$_SERVER["PHP_SELF"],'p.ref','',$param,'',$sortfield,$sortorder); @@ -579,9 +579,9 @@ if ($resql) // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { - if (! empty($arrayfields["ef.".$key]['checked'])) + if (! empty($arrayfields["ef.".$key]['checked'])) { $align=$extrafields->getAlignFlag($key); print_liste_field_titre($extralabels[$key],$_SERVER["PHP_SELF"],"ef.".$key,"",$param,($align?'align="'.$align.'"':''),$sortfield,$sortorder); @@ -597,9 +597,9 @@ if ($resql) if (! empty($arrayfields['p.fk_statut']['checked'])) print_liste_field_titre($arrayfields['p.fk_statut']['label'],$_SERVER["PHP_SELF"],"p.fk_statut","",$param,'align="right"',$sortfield,$sortorder); print_liste_field_titre($selectedfields, $_SERVER["PHP_SELF"],"",'','','align="right"',$sortfield,$sortorder,'maxwidthsearch '); print ''."\n"; - + print ''; - if (! empty($arrayfields['p.ref']['checked'])) + if (! empty($arrayfields['p.ref']['checked'])) { print ''; } // Date - if (! empty($arrayfields['p.date']['checked'])) + if (! empty($arrayfields['p.date']['checked'])) { print ''; } // Date end - if (! empty($arrayfields['p.fin_validite']['checked'])) + if (! empty($arrayfields['p.fin_validite']['checked'])) { print ''; } @@ -736,7 +736,7 @@ if ($resql) $searchpitco=$form->showFilterAndCheckAddButtons($massactionbutton?1:0, 'checkforselect', 1); print $searchpitco; print ''; - + print "\n"; $now = dol_now(); 
@@ -747,16 +747,16 @@ if ($resql) { $obj = $db->fetch_object($resql); $var=!$var; - + $objectstatic->id=$obj->rowid; $objectstatic->ref=$obj->ref; - + print ''; - + if (! empty($arrayfields['p.ref']['checked'])) { print '\n"; if (! $i) $totalarray['nbfield']++; } - + if (! empty($arrayfields['p.ref_client']['checked'])) { // Customer ref @@ -798,12 +798,12 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + $companystatic->id=$obj->socid; $companystatic->name=$obj->name; $companystatic->client=$obj->client; $companystatic->code_client=$obj->code_client; - + // Thirdparty if (! empty($arrayfields['s.nom']['checked'])) { @@ -812,7 +812,7 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + // Town if (! empty($arrayfields['s.town']['checked'])) { @@ -853,7 +853,7 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + // Date proposal if (! empty($arrayfields['p.date']['checked'])) { @@ -862,7 +862,7 @@ if ($resql) print "\n"; if (! $i) $totalarray['nbfield']++; } - + // Date end validity if (! empty($arrayfields['p.fin_validite']['checked'])) { @@ -877,7 +877,7 @@ if ($resql) } if (! $i) $totalarray['nbfield']++; } - + // Amount HT if (! empty($arrayfields['p.total_ht']['checked'])) { @@ -902,7 +902,7 @@ if ($resql) if (! $i) $totalarray['totalttcfield']=$totalarray['nbfield']; $totalarray['totalttc'] += $obj->total_ttc; } - + $userstatic->id=$obj->fk_user_author; $userstatic->login=$obj->login; @@ -915,7 +915,7 @@ if ($resql) print "\n"; if (! $i) $totalarray['nbfield']++; } - + // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { @@ -1000,20 +1000,20 @@ if ($resql) else print ''; } print ''; - + } $db->free($resql); - + $parameters=array('arrayfields'=>$arrayfields, 'sql'=>$sql); $reshook=$hookmanager->executeHooks('printFieldListFooter',$parameters); // Note that $action and $object may have been modified by hook print $hookmanager->resPrint; - + print '
'; print ''; @@ -641,7 +641,7 @@ if ($resql) print ''; //print $langs->trans('Month').': '; @@ -653,7 +653,7 @@ if ($resql) print ' 
'; - + print ''; // Picto + Ref print '
'; @@ -785,11 +785,11 @@ if ($resql) $urlsource=$_SERVER['PHP_SELF'].'?id='.$obj->rowid; print $formfile->getDocumentsLink($objectstatic->element, $filename, $filedir); print '
'; - + print "
'."\n"; print ''."\n"; print ''."\n"; - + if ($massaction == 'builddoc' || $action == 'remove_file' || $show_files) { /* @@ -1021,18 +1021,18 @@ if ($resql) */ $urlsource=$_SERVER['PHP_SELF'].'?sortfield='.$sortfield.'&sortorder='.$sortorder; $urlsource.=str_replace('&','&',$param); - + $filedir=$diroutputmassaction; $genallowed=$user->rights->propal->lire; $delallowed=$user->rights->propal->lire; - + print $formfile->showdocuments('massfilesarea_proposals','',$filedir,$urlsource,0,$delallowed,'',1,1,0,48,1,$param,'',''); } else { print '
'.$langs->trans("ShowTempMassFilesArea").''; } - + } else { From 317ab64d7c4be7a090ec0de70f816c4392798622 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 22:03:25 +0200 Subject: [PATCH 4/4] Fix escapement --- htdocs/comm/propal/list.php | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index b8267feb5bc..93c93850652 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php 
@@ -363,22 +363,22 @@ if ($resql) $arrayofselected=is_array($toselect)?$toselect:array(); - $param='&viewstatut='.$viewstatut; - if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; - if ($sall) $param.='&sall='.$sall; - if ($month) $param.='&month='.$month; - if ($year) $param.='&year='.$year; - if ($search_ref) $param.='&search_ref=' .$search_ref; - if ($search_refcustomer) $param.='&search_refcustomer=' .$search_refcustomer; - if ($search_societe) $param.='&search_societe=' .$search_societe; - if ($search_user > 0) $param.='&search_user='.$search_user; - if ($search_sale > 0) $param.='&search_sale='.$search_sale; - if ($search_montant_ht) $param.='&search_montant_ht='.$search_montant_ht; - if ($search_login) $param.='&search_login='.$search_login; - if ($search_town) $param.='&search_town='.$search_town; - if ($socid > 0) $param.='&socid='.$socid; - if ($optioncss != '') $param.='&optioncss='.$optioncss; + $param='&viewstatut='.urlencode($viewstatut); + if (! 
empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); + if ($sall) $param.='&sall='.urlencode($sall); + if ($month) $param.='&month='.urlencode($month); + if ($year) $param.='&year='.urlencode($year); + if ($search_ref) $param.='&search_ref='.urlencode($search_ref); + if ($search_refcustomer) $param.='&search_refcustomer='.urlencode($search_refcustomer); + if ($search_societe) $param.='&search_societe='.urlencode($search_societe); + if ($search_user > 0) $param.='&search_user='.urlencode($search_user); + if ($search_sale > 0) $param.='&search_sale='.urlencode($search_sale); + if ($search_montant_ht) $param.='&search_montant_ht='.urlencode($search_montant_ht); + if ($search_login) $param.='&search_login='.urlencode($search_login); + if ($search_town) $param.='&search_town='.urlencode($search_town); + if ($socid > 0) $param.='&socid='.urlencode($socid); + if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); // Add $param from extra fields foreach ($search_array_options as $key => $val) {
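Review bot: The rewritten `if ($search_montant_ht) $param.='&search_montant_ht='.urlencode($search_montant_ht);` keeps a truthiness test while the query (the `@@ -273` hunk of the previous patch) applies the filter when `$search_montant_ht != ''`, so a search for `0` is applied to the list but dropped from `$param`, and the next sort or page link silently loses it; `if ($search_montant_ht != '')` matches the SQL condition. `$search_montant_vat` and `$search_montant_ttc` are consumed by the query too but the sixteen rewritten lines do not carry them into `$param` at all — presumably an omission rather than intent, worth checking. `urlencode($limit)` and `urlencode($socid)` are harmless but redundant for values already proved numeric by their guards; not wrong, just noise.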