From 1ba03566dc20ed6851371db10fe8ec1dd426ca87 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 12 Jun 2020 02:15:02 +0200
Subject: [PATCH 1/2] Fix case of delete contact not correctly implemented.
---
 htdocs/core/class/commonobject.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 0f055d457ed..e104b82642d 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -8012,7 +8012,11 @@ abstract class CommonObject
 $error++;
 $this->errors[] = $this->error;
 } else {
- $result = $this->delete($user);
+ if (get_class($this) == 'Contact') { // TODO special code because delete() for contact has not been standardized like other delete.
+ $result = $this->delete();
+ } else {
+ $result = $this->delete($user);
+ }
 if ($result < 0) {
 $error++;
 $this->errors[] = $this->error;
From 40e16672e3aa4e9208ea7a4829f30507dcdfc4ba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 15 Jun 2020 15:08:52 +0200
Subject: [PATCH 2/2] FIX BlindBoolean SQL injection reported by Christian Weiler
---
 htdocs/accountancy/customer/card.php | 4 ++--
 htdocs/accountancy/expensereport/card.php | 4 ++--
 htdocs/accountancy/supplier/card.php | 4 ++--
 htdocs/comm/mailing/info.php | 2 +-
 htdocs/compta/paiement/info.php | 2 +-
 htdocs/variants/ajax/get_attribute_values.php | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/htdocs/accountancy/customer/card.php b/htdocs/accountancy/customer/card.php
index 0a39fbc8254..591606a7e26 100644
--- a/htdocs/accountancy/customer/card.php
+++ b/htdocs/accountancy/customer/card.php
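Review bot: The `get_class($this) == 'Contact'` test in the new else branch uses a loose comparison and matches only the exact class, so any subclass of Contact that inherits the user-less `delete()` signature still falls into the `$this->delete($user)` branch; `if ($this instanceof Contact) {` expresses the same intent and covers descendants. The TODO is the right durable fix: once Contact::delete() accepts `$user` like the other delete() implementations this special case disappears, and until then the `$this->delete()` call here cannot pass the acting user on, so whatever Contact::delete() would do with it is not available (I cannot see Contact::delete() from this patch). The enclosing method starts and ends outside the hunk.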
@@ -34,8 +34,8 @@ $action = GETPOST('action', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
-$codeventil = GETPOST('codeventil');
-$id = GETPOST('id');
+$codeventil = GETPOST('codeventil', 'int');
+$id = GETPOST('id', 'int');
 // Security check
 if ($user->socid > 0)
diff --git a/htdocs/accountancy/expensereport/card.php b/htdocs/accountancy/expensereport/card.php
index 36d587e0c99..9d7c504354f 100644
--- a/htdocs/accountancy/expensereport/card.php
+++ b/htdocs/accountancy/expensereport/card.php
@@ -38,8 +38,8 @@ $action = GETPOST('action', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
-$codeventil = GETPOST('codeventil');
-$id = GETPOST('id');
+$codeventil = GETPOST('codeventil', 'int');
+$id = GETPOST('id', 'int');
 // Security check
 if ($user->socid > 0)
diff --git a/htdocs/accountancy/supplier/card.php b/htdocs/accountancy/supplier/card.php
index 6140f90fe8d..699459ad63a 100644
--- a/htdocs/accountancy/supplier/card.php
+++ b/htdocs/accountancy/supplier/card.php
@@ -38,8 +38,8 @@ $action = GETPOST('action', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
-$codeventil = GETPOST('codeventil');
-$id = GETPOST('id');
+$codeventil = GETPOST('codeventil', 'int');
+$id = GETPOST('id', 'int');
 // Security check
 if ($user->socid > 0)
diff --git a/htdocs/comm/mailing/info.php b/htdocs/comm/mailing/info.php
index 3dfe0c4264c..070d46f6104 100644
--- a/htdocs/comm/mailing/info.php
+++ b/htdocs/comm/mailing/info.php
@@ -27,7 +27,7 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/emailing.lib.php';
-$id = GETPOST('id');
+$id = GETPOST('id', 'int');
 // Load translation files required by the page
 $langs->load("mails");
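Review bot: The `'int'` filter added on the `$codeventil` and `$id` lines closes the read sites named in the subject, but the queries these values reach are not in the hunk, and typing only at the GETPOST call is exactly the pattern that let six untyped reads accumulate; the same remark applies to the expensereport and supplier card.php hunks and to the mailing/info, paiement/info and get_attribute_values hunks that follow. I would also cast at the point where the value is concatenated into SQL, e.g. `" WHERE rowid = ".((int) $id)`, so the query stays safe even when a later edit reads the id from another parameter or drops the filter. Note that, as far as I recall GETPOST's 'int' handling (worth confirming), a non-numeric value becomes 0 rather than an error, so after this change an invalid id is treated like "no record" by the `if ($user->socid > 0)` check that follows in the card.php hunks instead of being rejected; an explicit `if ($id <= 0)` guard before the security check would make that outcome deliberate.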
diff --git a/htdocs/compta/paiement/info.php b/htdocs/compta/paiement/info.php
index 3da6a95a1e8..00c3440b868 100644
--- a/htdocs/compta/paiement/info.php
+++ b/htdocs/compta/paiement/info.php
@@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php';
 // Load translation files required by the page
 $langs->loadLangs(array('bills', 'companies'));
-$id = GETPOST('id');
+$id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'alpha');
 $confirm = GETPOST('confirm', 'alpha');
diff --git a/htdocs/variants/ajax/get_attribute_values.php b/htdocs/variants/ajax/get_attribute_values.php
index 866bac1ef78..ee45ad18b23 100644
--- a/htdocs/variants/ajax/get_attribute_values.php
+++ b/htdocs/variants/ajax/get_attribute_values.php
@@ -28,7 +28,7 @@ require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php'
 header('Content-Type: application/json');
-$id = GETPOST('id');
+$id = GETPOST('id', 'int');
 if (!$id) {
 print json_encode(array(