From 55bd7a33a4484b5ce4bc7be713416e0719ab26c0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 24 Sep 2024 16:29:53 +0200
Subject: [PATCH 1/7] Fix migration 12-13
---
 htdocs/install/mysql/migration/12.0.0-13.0.0.sql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
index e89b5ade7ba..d0636d8afa0 100644
--- a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
+++ b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
@@ -370,6 +370,7 @@ ALTER TABLE llx_actioncomm_reminder ADD UNIQUE uk_actioncomm_reminder_unique (fk
 ALTER TABLE llx_actioncomm_reminder ADD INDEX idx_actioncomm_reminder_status (status);
 ALTER TABLE llx_inventorydet ADD COLUMN fk_warehouse integer DEFAULT 0;
+ALTER TABLE llx_inventorydet ADD COLUMN batch varchar(128) DEFAULT NULL;
 ALTER TABLE llx_inventorydet ADD UNIQUE uk_inventorydet(fk_inventory, fk_warehouse, fk_product, batch);
 ALTER TABLE llx_commandedet ADD COLUMN ref_ext varchar(255) AFTER label;
From ef5f56ddf47096fe5c60adb2e109e629e4eb2587 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 25 Sep 2024 01:10:45 +0200
Subject: [PATCH 2/7] Fix avoid sql error
---
 htdocs/accountancy/closure/index.php | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/htdocs/accountancy/closure/index.php b/htdocs/accountancy/closure/index.php
index 772d1672542..0b6739bf742 100644
--- a/htdocs/accountancy/closure/index.php
+++ b/htdocs/accountancy/closure/index.php
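Review bot: The new `batch` column is declared `DEFAULT NULL`, and the unique key `uk_inventorydet(fk_inventory, fk_warehouse, fk_product, batch)` added on the next line does not treat NULLs as equal in MySQL/MariaDB, so several rows for the same inventory/warehouse/product with no batch would all be accepted. If the application stores '' for "no lot" that is fine; if it stores NULL, the key enforces nothing for products without lot tracking, and the migration should use the same default as the table-creation script for `batch`, e.g. `DEFAULT ''` if that is what it declares. A short comment next to the ALTER stating which convention applies would save the next reader the lookup.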
@@ -123,14 +123,28 @@ if (empty($reshook)) {
 $separate_auxiliary_account = GETPOST('separate_auxiliary_account', 'aZ09');
 $generate_bookkeeping_records = GETPOST('generate_bookkeeping_records', 'aZ09');
- $result = $object->closeFiscalPeriod($current_fiscal_period['id'], $new_fiscal_period_id, $separate_auxiliary_account, $generate_bookkeeping_records);
- if ($result < 0) {
- setEventMessages($object->error, $object->errors, 'errors');
- } else {
- setEventMessages($langs->trans("AccountancyClosureCloseSuccessfully"), null, 'mesgs');
+ $error = 0;
+ if ($generate_bookkeeping_records) {
+ if (!getDolGlobalString('ACCOUNTING_CLOSURE_ACCOUNTING_GROUPS_USED_FOR_BALANCE_SHEET_ACCOUNT')) {
+ $error++;
+ setEventMessages($langs->trans("ErrorSetupNotComplete"), null, 'errors');
+ }
+ if (!getDolGlobalString('ACCOUNTING_CLOSURE_ACCOUNTING_GROUPS_USED_FOR_INCOME_STATEMENT')) {
+ $error++;
+ setEventMessages($langs->trans("ErrorSetupNotComplete"), null, 'errors');
+ }
+ }
- header("Location: " . $_SERVER['PHP_SELF'] . (isset($current_fiscal_period) ? '?fiscal_period_id=' . $current_fiscal_period['id'] : ''));
- exit;
+ if (!$error) {
+ $result = $object->closeFiscalPeriod($current_fiscal_period['id'], $new_fiscal_period_id, $separate_auxiliary_account, $generate_bookkeeping_records);
+ if ($result < 0) {
+ setEventMessages($object->error, $object->errors, 'errors');
+ } else {
+ setEventMessages($langs->trans("AccountancyClosureCloseSuccessfully"), null, 'mesgs');
+
+ header("Location: " . $_SERVER['PHP_SELF'] . (isset($current_fiscal_period) ? '?fiscal_period_id=' . $current_fiscal_period['id'] : ''));
+ exit;
+ }
 }
 } elseif ($action == 'confirm_step_3' && $confirm == "yes") {
 $inventory_journal_id = GETPOST('inventory_journal_id', 'int');
From 6de574bf5cc2632128e230ef25a9dfab9dc54c9c Mon Sep 17 00:00:00 2001
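Review bot: When both ACCOUNTING_CLOSURE_* settings are missing, the two new `setEventMessages($langs->trans("ErrorSetupNotComplete"), null, 'errors')` calls push the same text twice, and neither tells the administrator which setting is absent. A single message per check that names the constant would be more useful, e.g. `setEventMessages($langs->trans("ErrorSetupNotComplete").' (ACCOUNTING_CLOSURE_ACCOUNTING_GROUPS_USED_FOR_BALANCE_SHEET_ACCOUNT)', null, 'errors');` and the same for the income-statement check. The fact that the redirect is deliberately skipped when `$error` is set deserves a comment on the `if (!$error) {` line, e.g. `// No redirect on error so the messages above are rendered by this page`. The enclosing `if (empty($reshook))` block and the `elseif ('confirm_step_3')` branch continue outside the hunk.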
From: MaximilienR-easya <122890855+MaximilienR-easya@users.noreply.github.com>
Date: Wed, 25 Sep 2024 22:18:26 +0200
Subject: [PATCH 3/7] Fix a problem when we have an extrafield on the line (#31104)
---
 htdocs/contrat/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php
index 8e21569ec5e..4366be5b604 100644
--- a/htdocs/contrat/card.php
+++ b/htdocs/contrat/card.php
@@ -1713,7 +1713,7 @@ if ($action == 'create') {
 $line = new ContratLigne($db);
 $line->id = $objp->rowid;
 $line->fetch_optionals();
- print $line->showOptionals($extrafields, 'view', array('class'=>'oddeven', 'style'=>$moreparam, 'colspan'=>$colspan), '', '', 1);
+ print $line->showOptionals($extrafields, 'view', array('class'=>'oddeven', 'style'=>$moreparam, 'colspan'=>$colspan, 'tdclass' => 'notitlefieldcreate'), '', '', 1);
 }
 } else {
 // Line in mode update
@@ -1817,7 +1817,7 @@ if ($action == 'create') {
 $line = new ContratLigne($db);
 $line->id = $objp->rowid;
 $line->fetch_optionals();
- print $line->showOptionals($extrafields, 'edit', array('style'=>'class="oddeven"', 'colspan'=>$colspan), '', '', 1);
+ print $line->showOptionals($extrafields, 'edit', array('style'=>'class="oddeven"', 'colspan'=>$colspan, 'tdclass' => 'notitlefieldcreate'), '', '', 1);
 }
 }
From 28df02f039d4aec2ec2e9215734e0595eb13b256 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Wed, 25 Sep 2024 22:52:25 +0200
Subject: [PATCH 4/7] FIX avoid odt errors (#31126)
---
 htdocs/core/class/commondocgenerator.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php
index bb344ac7d8a..37700574114 100644
--- a/htdocs/core/class/commondocgenerator.class.php
+++ b/htdocs/core/class/commondocgenerator.class.php
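Review bot: In the second hunk (`@@ -1817`) the rewritten call still passes `'style'=>'class="oddeven"'`, which puts a class attribute under the style key, whereas the first hunk uses `'class'=>'oddeven'` with `'style'=>$moreparam`; if showOptionals() emits the style value inside a `style="…"` attribute this line produces broken markup. Since the line is being rewritten anyway, aligning it with the view-mode call would be cheap: `array('class'=>'oddeven', 'colspan'=>$colspan, 'tdclass' => 'notitlefieldcreate')`. Whether showOptionals() honours the new 'tdclass' key cannot be checked from this patch, as its definition is not included.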
@@ -346,6 +346,10 @@ abstract class CommonDocGenerator
 // phpcs:enable
 global $extrafields;
+ if (!is_object($object)) {
+ return array();
+ }
+
 if (empty($object->country) && !empty($object->country_code)) {
 $object->country = $outputlangs->transnoentitiesnoconv("Country".$object->country_code);
 }
@@ -954,7 +958,7 @@ abstract class CommonDocGenerator
 // phpcs:enable
 global $conf;
- if (is_array($extrafields->attributes[$object->table_element]['label'])) {
+ if (isset($extrafields->attributes[$object->table_element]) && is_array($extrafields->attributes[$object->table_element]) && is_array($extrafields->attributes[$object->table_element]['label'])) {
 foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $label) {
 $formatedarrayoption = $object->array_options;
From e4a93da82ed2da43f9ee5ed05e0d4bbfa581a53a Mon Sep 17 00:00:00 2001
From: lvessiller-opendsi
Date: Wed, 25 Sep 2024 22:54:31 +0200
Subject: [PATCH 5/7] FIX mysql error during dump for enable sandbox M999999 (#31116)
---
 htdocs/core/class/utils.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php
index 6f75db0b150..e78cf55d344 100644
--- a/htdocs/core/class/utils.class.php
+++ b/htdocs/core/class/utils.class.php
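Review bot: The new `if (!is_object($object)) { return array(); }` guard in the first hunk returns silently, so a caller that passes null or an id instead of an object gets an empty substitution array and no trace of why its template variables stayed unresolved. Logging before the return keeps the fix while making the misuse visible, e.g. `dol_syslog(__METHOD__.' called with a non-object $object, returning no substitutions', LOG_WARNING);`. The enclosing method starts and ends outside the hunk, so its `@return` docblock, which should now mention the empty-array case, is not visible here.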
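Review bot: In the second hunk (`@@ -954`) the new condition still indexes `[$object->table_element]['label']` directly in its last `is_array(...)`; when the table entry exists but has no 'label' key, PHP 8 emits an "Undefined array key" warning before is_array() sees null, which is the class of notice this commit is trying to remove. `isset()` already walks the nested path without warning when any level is missing or null, so the guard can be shortened to `if (isset($extrafields->attributes[$object->table_element]['label']) && is_array($extrafields->attributes[$object->table_element]['label'])) {`. The surrounding method continues outside the hunk.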
@@ -532,13 +532,13 @@ class Utils
 } elseif ($compression == 'zstd') {
 fclose($handle);
 }
- if ($ok && preg_match('/^-- (MySql|MariaDB)/i', $errormsg)) { // No error
+ if ($ok && preg_match('/^-- (MySql|MariaDB)/i', $errormsg) || preg_match('/^\/\*M?!999999/', $errormsg)) { // Start of file is ok, NOT an error
 $errormsg = '';
 } else {
- // Renommer fichier sortie en fichier erreur
+ // Rename file out into a file error
 //print "$outputfile -> $outputerror";
 @dol_delete_file($outputerror, 1, 0, 0, null, false, 0);
- @rename($outputfile, $outputerror);
+ @dol_move($outputfile, $outputerror, '0', 1, 0, 0);
 // Si safe_mode on et command hors du parametre exec, on a un fichier out vide donc errormsg vide
 if (!$errormsg) {
 $langs->load("errors");
From bb40a43c5fa4c70ff158a9ba75686bb228700fb4 Mon Sep 17 00:00:00 2001
From: thomas-Ngr
Date: Thu, 26 Sep 2024 03:13:34 +0200
Subject: [PATCH 6/7] FIX Add same security test whe nuploading files from API than from GUI (#31114)
Co-authored-by: Laurent Destailleur
---
 htdocs/api/class/api_documents.class.php | 45 +++++++++++++++++++++++-
 htdocs/core/lib/files.lib.php | 2 +-
 2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/htdocs/api/class/api_documents.class.php b/htdocs/api/class/api_documents.class.php
index 197ca42469d..f80b9f69666 100644
--- a/htdocs/api/class/api_documents.class.php
+++ b/htdocs/api/class/api_documents.class.php
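Review bot: The new condition mixes `&&` and `||` without parentheses, and `&&` binds tighter, so `$ok && preg_match(...) || preg_match('/^\/\*M?!999999/', $errormsg)` treats any output that begins with the `/*M!999999` sandbox header as a successful dump even when `$ok` is false, i.e. the dump command itself failed; the partial output is then kept as the backup file and no error is reported. The intended test is `if ($ok && (preg_match('/^-- (MySql|MariaDB)/i', $errormsg) || preg_match('/^\/\*M?!999999/', $errormsg))) { // Start of file is ok, NOT an error`. Separately, `@dol_move(...)` keeps the `@` from the old `@rename` call, so when the rename to the error file itself fails nothing is logged; dol_move() returns a status that could be checked and written to the syslog instead of suppressed. The enclosing method starts and ends outside the hunk.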
@@ -693,7 +693,50 @@ class Documents extends DolibarrApi
 throw new RestException(500, "Failed to open file '".$destfiletmp."' for write");
 }
- $result = dol_move($destfiletmp, $destfile, 0, $overwriteifexists, 1);
+ $disablevirusscan = 0;
+ $src_file = $destfiletmp;
+ $dest_file = $destfile;
+
+ // Security:
+ // If we need to make a virus scan
+ if (empty($disablevirusscan) && file_exists($src_file)) {
+ $checkvirusarray = dolCheckVirus($src_file);
+ if (count($checkvirusarray)) {
+ dol_syslog('Files.lib::dol_move_uploaded_file File "'.$src_file.'" (target name "'.$dest_file.'") KO with antivirus: errors='.join(',', $checkvirusarray), LOG_WARNING);
+ throw new RestException(500, 'ErrorFileIsInfectedWithAVirus: '.join(',', $checkvirusarray));
+ }
+ }
+
+ // Security:
+ // Disallow file with some extensions. We rename them.
+ // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
+ if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) {
+ // $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
+ $publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
+ if (!preg_match('/\/$/', $publicmediasdirwithslash)) {
+ $publicmediasdirwithslash .= '/';
+ }
+
+ if (strpos($upload_dir, $publicmediasdirwithslash) !== 0 || !getDolGlobalInt("MAIN_DOCUMENT_DISABLE_NOEXE_IN_MEDIAS_DIR")) { // We never add .noexe on files into media directory
+ $dest_file .= '.noexe';
+ }
+ }
+
+ // Security:
+ // We refuse cache files/dirs, upload using .. and pipes into filenames.
+ if (preg_match('/^\./', basename($src_file)) || preg_match('/\.\./', $src_file) || preg_match('/[<>|]/', $src_file)) {
+ dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING);
+ throw new RestException(500, "Refused to deliver file ".$src_file);
+ }
+
+ // Security:
+ // We refuse cache files/dirs, upload using .. and pipes into filenames.
+ if (preg_match('/^\./', basename($dest_file)) || preg_match('/\.\./', $dest_file) || preg_match('/[<>|]/', $dest_file)) {
+ dol_syslog("Refused to deliver file ".$dest_file, LOG_WARNING);
+ throw new RestException(500, "Refused to deliver file ".$dest_file);
+ }
+
+ $result = dol_move($destfiletmp, $dest_file, 0, $overwriteifexists, 1, 1);
 if (!$result) {
 throw new RestException(500, "Failed to move file into '".$destfile."'");
 }
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 2fab41a2a03..36be91901bb 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1081,7 +1081,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
 $publicmediasdirwithslash .= '/';
 }
- if (strpos($upload_dir, $publicmediasdirwithslash) !== 0) { // We never add .noexe on files into media directory
+ if (strpos($upload_dir, $publicmediasdirwithslash) !== 0 || !getDolGlobalInt("MAIN_DOCUMENT_DISABLE_NOEXE_IN_MEDIAS_DIR")) { // We never add .noexe on files into media directory
 $file_name .= '.noexe';
 $successcode = 2;
 }
From a8cb076bbda27284ed68d82b14b6913070250556 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 26 Sep 2024 03:34:32 +0200
Subject: [PATCH 7/7] Fix move
---
 htdocs/api/class/api_documents.class.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/htdocs/api/class/api_documents.class.php b/htdocs/api/class/api_documents.class.php
index 4bd54f158af..0c79e261f38 100644
--- a/htdocs/api/class/api_documents.class.php
+++ b/htdocs/api/class/api_documents.class.php
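Review bot: The antivirus rejection log line copied into the API still reads `Files.lib::dol_move_uploaded_file File …`, so an infected upload will be attributed to files.lib.php instead of this API method when someone reads the syslog during an investigation; use the real location, e.g. `dol_syslog(__METHOD__.' File "'.$src_file.'" (target name "'.$dest_file.'") KO with antivirus: errors='.implode(',', $checkvirusarray), LOG_WARNING);`. The three new `throw new RestException(500, …)` for an infected or refused file report a problem with the client's input as a server error, so API clients cannot tell them apart from a genuine failure of the move; 400 or 403 is the usual choice for rejected input. `$disablevirusscan` is a local hard-coded to 0, so `empty($disablevirusscan)` is always true — either drop the variable or comment it as a placeholder kept in step with dol_move_uploaded_file(). `$upload_dir` and `$conf` are not assigned in the hunk; if the method (which starts and ends outside the hunk) does not declare `global $conf` and compute `$upload_dir`, the medias-directory comparison runs on null and `.noexe` is appended unconditionally, which is the safe direction but worth confirming.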
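Review bot: The trailing comment `// We never add .noexe on files into media directory` on the changed `if` in files.lib.php is now false: with the added `|| !getDolGlobalInt("MAIN_DOCUMENT_DISABLE_NOEXE_IN_MEDIAS_DIR")`, the suffix is appended inside the medias directory as well unless that option is set, which is a behaviour change for sites serving the medias directory directly. Replace it with `// .noexe is added everywhere, including the medias directory, unless MAIN_DOCUMENT_DISABLE_NOEXE_IN_MEDIAS_DIR is set`. The same stale comment sits on the equivalent new line in the api_documents.class.php hunk above. dol_move_uploaded_file() starts and ends outside the hunk.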
@@ -805,10 +805,9 @@ class Documents extends DolibarrApi
 throw new RestException(500, "Refused to deliver file ".$dest_file);
 }
- $result = dol_move($destfiletmp, $destfile, 0, $overwriteifexists, 1, 1);
-
+ $result = dol_move($destfiletmp, $dest_file, 0, $overwriteifexists, 1, 1);
 if (!$result) {
- throw new RestException(500, "Failed to move file into '".$destfile."'");
+ throw new RestException(500, "Failed to move file into '".$dest_file."'");
 }
 return dol_basename($destfile);
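Review bot: After this fix the file is moved to `$dest_file`, which may carry the `.noexe` suffix appended earlier in the method, but the context line `return dol_basename($destfile);` still reports the pre-rename name, so an API client receives a filename that does not exist on disk and cannot fetch or delete what was actually stored. Change it to `return dol_basename($dest_file);` so the response names the stored file. The enclosing method starts outside the hunk.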