Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Security fixes (filter onload js, less verbose error message in

Browse Source 
download and viewimage, show info to encourage dolibarr_main_prod=1)
This commit is contained in:
Laurent Destailleur
2017-09-06 11:39:30 +02:00
parent 9cc344f8cc
commit d26b2a694d
7 changed files with 215 additions and 211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
htdocs/admin/company.php
View File

@@ -49,7 +49,7 @@ $error=0;
* Actions * Actions
*/ */
if ( ($action == 'update' && empty($_POST["cancel"])) if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
|| ($action == 'updateedit') ) || ($action == 'updateedit') )
{ {
$tmparray=getCountry(GETPOST('country_id','int'),'all',$db,$langs,0); $tmparray=getCountry(GETPOST('country_id','int'),'all',$db,$langs,0);
@@ -63,18 +63,18 @@ if ( ($action == 'update' && empty($_POST["cancel"]))
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_COUNTRY", $s,'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_COUNTRY", $s,'chaine',0,'',$conf->entity);
} }
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM",$_POST["nom"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM", GETPOST("nom",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS",$_POST["address"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS", GETPOST("address",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN",$_POST["town"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("town",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP",$_POST["zipcode"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE",$_POST["state_id"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MONNAIE",$_POST["currency"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL",$_POST["tel"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX",$_POST["fax"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL",$_POST["mail"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB",$_POST["web"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE",$_POST["note"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note",'none'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD",$_POST["barcode"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode",'alpha'),'chaine',0,'',$conf->entity);
$varforimage='logo'; $dirforimage=$conf->mycompany->dir_output.'/logos/'; $varforimage='logo'; $dirforimage=$conf->mycompany->dir_output.'/logos/';
if ($_FILES[$varforimage]["tmp_name"]) if ($_FILES[$varforimage]["tmp_name"])
@@ -144,26 +144,26 @@ if ( ($action == 'update' && empty($_POST["cancel"]))
} }
} }
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS",$_POST["MAIN_INFO_SOCIETE_MANAGERS"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_CAPITAL",$_POST["capital"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE",$_POST["forme_juridique_code"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIREN",$_POST["siren"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIRET",$_POST["siret"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_APE",$_POST["ape"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_RCS",$_POST["rcs"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID5",$_POST["MAIN_INFO_PROFID5"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID6",$_POST["MAIN_INFO_PROFID6"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_TVAINTRA",$_POST["tva"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT",$_POST["object"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START",$_POST["fiscalmonthstart"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("fiscalmonthstart",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_TVAOPTION",$_POST["optiontva"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity);
// Local taxes // Local taxes
dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION",$_POST["optionlocaltax1"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION",$_POST["optionlocaltax2"],'chaine',0,'',$conf->entity); dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity);
if($_POST["optionlocaltax1"]=="localtax1on") if($_POST["optionlocaltax1"]=="localtax1on")
{ {
@@ -173,9 +173,9 @@ if ( ($action == 'update' && empty($_POST["cancel"]))
} }
else else
{ {
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity);
} }
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", $_POST["clt1"],'chaine',0,'',$conf->entity); dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity);
} }
if($_POST["optionlocaltax2"]=="localtax2on") if($_POST["optionlocaltax2"]=="localtax2on")
{ {
@@ -185,9 +185,9 @@ if ( ($action == 'update' && empty($_POST["cancel"]))
} }
else else
{ {
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity);
} }
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", $_POST["clt2"],'chaine',0,'',$conf->entity); dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity);
} }
if ($action != 'updateedit' && ! $error) if ($action != 'updateedit' && ! $error)
@@ -311,20 +311,20 @@ if ($action == 'edit' || $action == 'updateedit')
// Name // Name
print '<tr class="oddeven"><td class="fieldrequired"><label for="name">'.$langs->trans("CompanyName").'</label></td><td>'; print '<tr class="oddeven"><td class="fieldrequired"><label for="name">'.$langs->trans("CompanyName").'</label></td><td>';
print '<input name="nom" id="name" class="minwidth200" value="'. ($conf->global->MAIN_INFO_SOCIETE_NOM?$conf->global->MAIN_INFO_SOCIETE_NOM:$_POST["nom"]) . '" autofocus="autofocus"></td></tr>'."\n"; print '<input name="nom" id="name" class="minwidth200" value="'. ($conf->global->MAIN_INFO_SOCIETE_NOM?$conf->global->MAIN_INFO_SOCIETE_NOM: GETPOST("nom",'nohtml')) . '" autofocus="autofocus"></td></tr>'."\n";
// Addresse // Addresse
print '<tr class="oddeven"><td><label for="address">'.$langs->trans("CompanyAddress").'</label></td><td>'; print '<tr class="oddeven"><td><label for="address">'.$langs->trans("CompanyAddress").'</label></td><td>';
print '<textarea name="address" id="address" class="quatrevingtpercent" rows="'.ROWS_3.'">'. ($conf->global->MAIN_INFO_SOCIETE_ADDRESS?$conf->global->MAIN_INFO_SOCIETE_ADDRESS:$_POST["address"]) . '</textarea></td></tr>'."\n"; print '<textarea name="address" id="address" class="quatrevingtpercent" rows="'.ROWS_3.'">'. ($conf->global->MAIN_INFO_SOCIETE_ADDRESS?$conf->global->MAIN_INFO_SOCIETE_ADDRESS: GETPOST("address",'nohtml')) . '</textarea></td></tr>'."\n";
print '<tr class="oddeven"><td><label for="zipcode">'.$langs->trans("CompanyZip").'</label></td><td>'; print '<tr class="oddeven"><td><label for="zipcode">'.$langs->trans("CompanyZip").'</label></td><td>';
print '<input class="minwidth100" name="zipcode" id="zipcode" value="'. ($conf->global->MAIN_INFO_SOCIETE_ZIP?$conf->global->MAIN_INFO_SOCIETE_ZIP:$_POST["zipcode"]) . '"></td></tr>'."\n"; print '<input class="minwidth100" name="zipcode" id="zipcode" value="'. ($conf->global->MAIN_INFO_SOCIETE_ZIP?$conf->global->MAIN_INFO_SOCIETE_ZIP: GETPOST("zipcode",'alpha')) . '"></td></tr>'."\n";
print '<tr class="oddeven"><td><label for="town">'.$langs->trans("CompanyTown").'</label></td><td>'; print '<tr class="oddeven"><td><label for="town">'.$langs->trans("CompanyTown").'</label></td><td>';
print '<input name="town" class="minwidth100" id="town" value="'. ($conf->global->MAIN_INFO_SOCIETE_TOWN?$conf->global->MAIN_INFO_SOCIETE_TOWN:$_POST["town"]) . '"></td></tr>'."\n"; print '<input name="town" class="minwidth100" id="town" value="'. ($conf->global->MAIN_INFO_SOCIETE_TOWN?$conf->global->MAIN_INFO_SOCIETE_TOWN: GETPOST("town",'nohtml')) . '"></td></tr>'."\n";
// Country // Country
@@ -394,7 +394,7 @@ if ($action == 'edit' || $action == 'updateedit')
// Note // Note
print '<tr class="oddeven"><td class="tdtop"><label for="note">'.$langs->trans("Note").'</label></td><td>'; print '<tr class="oddeven"><td class="tdtop"><label for="note">'.$langs->trans("Note").'</label></td><td>';
print '<textarea class="flat quatrevingtpercent" name="note" id="note" rows="'.ROWS_5.'">'.(! empty($conf->global->MAIN_INFO_SOCIETE_NOTE) ? $conf->global->MAIN_INFO_SOCIETE_NOTE : '').'</textarea></td></tr>'; print '<textarea class="flat quatrevingtpercent" name="note" id="note" rows="'.ROWS_5.'">'.(GETPOST('note','none') ? GETPOST('note','none') : $conf->global->MAIN_INFO_SOCIETE_NOTE).'</textarea></td></tr>';
print '</td></tr>'; print '</td></tr>';
print '</table>'; print '</table>';

91
htdocs/admin/menus/edit.php
View File

@@ -85,25 +85,25 @@ if ($action == 'update')
} }
$menu = new Menubase($db); $menu = new Menubase($db);
$result=$menu->fetch($_POST['menuId']); $result=$menu->fetch(GETPOST('menuId', 'int'));
if ($result > 0) if ($result > 0)
{ {
$menu->titre=$_POST['titre']; $menu->titre=GETPOST('titre', 'alpha');
$menu->leftmenu=$_POST['leftmenu']; $menu->leftmenu=GETPOST('leftmenu', 'alpha');
$menu->url=$_POST['url']; $menu->url=GETPOST('url','alpha');
$menu->langs=$_POST['langs']; $menu->langs=GETPOST('langs','alpha');
$menu->position=$_POST['position']; $menu->position=GETPOST('position','int');
$menu->enabled=$_POST['enabled']; $menu->enabled=GETPOST('enabled','alpha');
$menu->perms=$_POST['perms']; $menu->perms=GETPOST('perms','alpha');
$menu->target=$_POST['target']; $menu->target=GETPOST('target','alpha');
$menu->user=$_POST['user']; $menu->user=GETPOST('user','alpha');
if (is_numeric($_POST['menuIdParent'])) if (is_numeric(GETPOST('menuIdParent','alpha')))
{ {
$menu->fk_menu=$_POST['menuIdParent']; $menu->fk_menu=GETPOST('menuIdParent','alpha');
} }
else else
{ {
if ($_POST['type'] == 'top') $menu->fk_menu=0; if (GETPOST('type','alpha') == 'top') $menu->fk_menu=0;
else $menu->fk_menu=-1; else $menu->fk_menu=-1;
$menu->fk_mainmenu=$mainmenu; $menu->fk_mainmenu=$mainmenu;
$menu->fk_leftmenu=$leftmenu; $menu->fk_leftmenu=$leftmenu;
@@ -123,7 +123,6 @@ if ($action == 'update')
{ {
setEventMessages($menu->error, $menu->errors, 'errors'); setEventMessages($menu->error, $menu->errors, 'errors');
} }
$_GET["menuId"] = $_POST['menuId'];
$action = "edit"; $action = "edit";
} }
else else
@@ -148,9 +147,9 @@ if ($action == 'add')
} }
$leftmenu=''; $mainmenu=''; $leftmenu=''; $mainmenu='';
if (! empty($_POST['menuId']) && ! is_numeric($_POST['menuId'])) if (GETPOST('menuId','int') && ! is_numeric(GETPOST('menuId','int')))
{ {
$tmp=explode('&',$_POST['menuId']); $tmp=explode('&',GETPOST('menuId','int'));
foreach($tmp as $s) foreach($tmp as $s)
{ {
if (preg_match('/fk_mainmenu=/',$s)) if (preg_match('/fk_mainmenu=/',$s))
@@ -197,7 +196,7 @@ if ($action == 'add')
$action = 'create'; $action = 'create';
$error++; $error++;
} }
if (! $error && empty($_POST['menuId']) && $_POST['type'] == 'left') if (! $error && ! $_POST['menuId'] && $_POST['type'] == 'left')
{ {
setEventMessages($langs->trans("ErrorLeftMenuMustHaveAParentId"), null, 'errors'); setEventMessages($langs->trans("ErrorLeftMenuMustHaveAParentId"), null, 'errors');
$action = 'create'; $action = 'create';
@@ -207,23 +206,23 @@ if ($action == 'add')
if (! $error) if (! $error)
{ {
$menu = new Menubase($db); $menu = new Menubase($db);
$menu->menu_handler=preg_replace('/_menu$/','',$_POST['menu_handler']); $menu->menu_handler=preg_replace('/_menu$/','',GETPOST('menu_handler','aZ09'));
$menu->type=$_POST['type']; $menu->type=GETPOST('type','alpha');
$menu->titre=$_POST['titre']; $menu->titre=GETPOST('titre','alpha');
$menu->url=$_POST['url']; $menu->url=GETPOST('url','alpha');
$menu->langs=$_POST['langs']; $menu->langs=GETPOST('langs','alpha');
$menu->position=$_POST['position']; $menu->position=GETPOST('position','int');
$menu->enabled=$_POST['enabled']; $menu->enabled=GETPOST('enabled','alpha');
$menu->perms=$_POST['perms']; $menu->perms=GETPOST('perms','alpha');
$menu->target=$_POST['target']; $menu->target=GETPOST('target','alpha');
$menu->user=$_POST['user']; $menu->user=GETPOST('user','alpha');
if (is_numeric($_POST['menuId'])) if (is_numeric(GETPOST('menuId','int')))
{ {
$menu->fk_menu=$_POST['menuId']; $menu->fk_menu=GETPOST('menuId','int');
} }
else else
{ {
if ($_POST['type'] == 'top') $menu->fk_menu=0; if (GETPOST('type','alpha') == 'top') $menu->fk_menu=0;
else $menu->fk_menu=-1; else $menu->fk_menu=-1;
$menu->fk_mainmenu=$mainmenu; $menu->fk_mainmenu=$mainmenu;
$menu->fk_leftmenu=$leftmenu; $menu->fk_leftmenu=$leftmenu;
@@ -232,7 +231,7 @@ if ($action == 'add')
$result=$menu->create($user); $result=$menu->create($user);
if ($result > 0) if ($result > 0)
{ {
header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$_POST['menu_handler']); header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".GETPOST('menu_handler','aZ09'));
exit; exit;
} }
else else
@@ -306,7 +305,7 @@ if ($action == 'create')
print load_fiche_titre($langs->trans("NewMenu"),'','title_setup'); print load_fiche_titre($langs->trans("NewMenu"),'','title_setup');
print '<form action="./edit.php?action=add&menuId='.$_GET['menuId'].'" method="post" name="formmenucreate">'; print '<form action="./edit.php?action=add&menuId='.GETPOST('menuId', 'int').'" method="post" name="formmenucreate">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'; print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
dol_fiche_head(); dol_fiche_head();
@@ -314,8 +313,8 @@ if ($action == 'create')
print '<table class="border" width="100%">'; print '<table class="border" width="100%">';
// Id // Id
$parent_rowid = $_GET['menuId']; $parent_rowid = GETPOST('menuId', 'int');
if ($_GET['menuId']) if (GETPOST('menuId', 'int'))
{ {
$sql = "SELECT m.rowid, m.mainmenu, m.leftmenu, m.level, m.langs FROM ".MAIN_DB_PREFIX."menu as m WHERE m.rowid = ".GETPOST('menuId', 'int'); $sql = "SELECT m.rowid, m.mainmenu, m.leftmenu, m.level, m.langs FROM ".MAIN_DB_PREFIX."menu as m WHERE m.rowid = ".GETPOST('menuId', 'int');
$res = $db->query($sql); $res = $db->query($sql);
@@ -375,35 +374,35 @@ if ($action == 'create')
} }
else else
{ {
print '<td><input type="text" size="48" id="menuId" name="menuId" value="'.($_POST["menuId"]?$_POST["menuId"]:'').'"></td>'; print '<td><input type="text" size="48" id="menuId" name="menuId" value="'.(GETPOST("menuId", 'int')?GETPOST("menuId", 'int'):'').'"></td>';
} }
print '<td>'.$langs->trans('DetailMenuIdParent'); print '<td>'.$langs->trans('DetailMenuIdParent');
print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def';
print '</td></tr>'; print '</td></tr>';
// Title // Title
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" size="30" name="titre" value="'.$_POST["titre"].'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" size="30" name="titre" value="'.dol_escape_htmltag(GETPOST("titre",'alpha')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
// URL // URL
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" size="60" name="url" value="'.$_POST["url"].'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" size="60" name="url" value="'.GETPOST("url",'alpha').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
// Langs // Langs
print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" size="30" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>'; print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" size="30" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
// Position // Position
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" size="5" name="position" value="'.(isset($_POST["position"])?$_POST["position"]:100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>'; print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" size="5" name="position" value="'.dol_escape_htmltag(isset($_POST["position"])?$_POST["position"]:100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
// Target // Target
print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">'; print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
print '<option value=""'.($menu->target==""?' selected':'').'>'.$langs->trans('').'</option>'; print '<option value=""'.($menu->target==""?' selected':'').'>&nbsp;</option>';
print '<option value="_blank"'.($menu->target=="_blank"?' selected':'').'>'.$langs->trans('_blank').'</option>'; print '<option value="_blank"'.($menu->target=="_blank"?' selected':'').'>'.$langs->trans('_blank').'</option>';
print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>'; print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>';
// Enabled // Enabled
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" size="60" name="enabled" value="'.$_POST["enabled"].'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>'; print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" size="60" name="enabled" value="'.GETPOST("enabled",'alpha').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
// Perms // Perms
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" size="60" name="perms" value="'.$_POST["perms"].'"></td><td>'.$langs->trans('DetailRight').'</td></tr>'; print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" size="60" name="perms" value="'.GETPOST('perms','alpha').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
print '</table>'; print '</table>';
@@ -426,14 +425,14 @@ elseif ($action == 'edit')
print '<form action="./edit.php?action=update" method="POST" name="formmenuedit">'; print '<form action="./edit.php?action=update" method="POST" name="formmenuedit">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'; print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="handler_origine" value="'.$menu_handler.'">'; print '<input type="hidden" name="handler_origine" value="'.$menu_handler.'">';
print '<input type="hidden" name="menuId" value="'.$_GET['menuId'].'">'; print '<input type="hidden" name="menuId" value="'.GETPOST('menuId', 'int').'">';
dol_fiche_head(); dol_fiche_head();
print '<table class="border" width="100%">'; print '<table class="border" width="100%">';
$menu = new Menubase($db); $menu = new Menubase($db);
$result=$menu->fetch($_GET['menuId']); $result=$menu->fetch(GETPOST('menuId', 'int'));
//var_dump($menu); //var_dump($menu);
// Id // Id
@@ -472,20 +471,20 @@ elseif ($action == 'edit')
//print '<tr><td>'.$langs->trans('Level').'</td><td>'.$menu->level.'</td><td>'.$langs->trans('DetailLevel').'</td></tr>'; //print '<tr><td>'.$langs->trans('Level').'</td><td>'.$menu->level.'</td><td>'.$langs->trans('DetailLevel').'</td></tr>';
// Title // Title
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" size="30" name="titre" value="'.$menu->titre.'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" size="30" name="titre" value="'.dol_escape_htmltag($menu->titre).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
// Url // Url
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="quatrevingtpercent" name="url" value="'.$menu->url.'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="quatrevingtpercent" name="url" value="'.$menu->url.'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
// Langs // Langs
print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" size="30" name="langs" value="'.$menu->langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>'; print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" size="30" name="langs" value="'.dol_escape_htmltag($menu->langs).'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
// Position // Position
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" size="5" name="position" value="'.$menu->position.'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>'; print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" size="5" name="position" value="'.$menu->position.'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
// Target // Target
print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">'; print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
print '<option value=""'.($menu->target==""?' selected':'').'>'.$langs->trans('').'</option>'; print '<option value=""'.($menu->target==""?' selected':'').'>&nbsp;</option>';
print '<option value="_blank"'.($menu->target=="_blank"?' selected':'').'>'.$langs->trans('_blank').'</option>'; print '<option value="_blank"'.($menu->target=="_blank"?' selected':'').'>'.$langs->trans('_blank').'</option>';
print '</select></td><td>'.$langs->trans('DetailTarget').'</td></tr>'; print '</select></td><td>'.$langs->trans('DetailTarget').'</td></tr>';

7
htdocs/core/lib/functions.lib.php
View File

@@ -3251,7 +3251,12 @@ function dol_print_error($db='',$error='',$errors=null)
} }
if (empty($dolibarr_main_prod)) print $out; if (empty($dolibarr_main_prod)) print $out;
else define("MAIN_CORE_ERROR", 1); else
{
print $langs->trans("DolibarrHasDetectedError").'. ';
print $langs->trans("YouCanSetOptionDolibarrMainProdToZero");
define("MAIN_CORE_ERROR", 1);
}
//else print 'Sorry, an error occured but the parameter $dolibarr_main_prod is defined in conf file so no message is reported to your browser. Please read the log file for error message.'; //else print 'Sorry, an error occured but the parameter $dolibarr_main_prod is defined in conf file so no message is reported to your browser. Please read the log file for error message.';
dol_syslog("Error ".$syslog, LOG_ERR); dol_syslog("Error ".$syslog, LOG_ERR);
} }

29
htdocs/document.php
View File

@@ -110,7 +110,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
$check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname); $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname);
$accessallowed = $check_access['accessallowed']; $accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$original_file = $check_access['original_file']; // original_file is now a full path name $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name
// Basic protection (against external users only) // Basic protection (against external users only)
if ($user->societe_id > 0) if ($user->societe_id > 0)
@@ -137,36 +137,35 @@ if ($user->societe_id > 0)
} }
// Security: // Security:
// Limite acces si droits non corrects // Limit access if permissions are wrong
if (! $accessallowed) if (! $accessallowed)
{ {
accessforbidden(); accessforbidden();
} }
// Security: // Security:
// On interdit les remontees de repertoire ainsi que les pipe dans // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
// les noms de fichiers. if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file))
if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file))
{ {
dol_syslog("Refused to deliver file ".$original_file); dol_syslog("Refused to deliver file ".$fullpath_original_file);
$file=basename($original_file); // Do no show plain path of original_file in shown error message print "ErrorFileNameInvalid: ".$original_file;
dol_print_error(0,$langs->trans("ErrorFileNameInvalid",$file));
exit; exit;
} }
clearstatcache(); clearstatcache();
$filename = basename($original_file); $filename = basename($fullpath_original_file);
// Output file on browser // Output file on browser
dol_syslog("document.php download $original_file $filename content-type=$type"); dol_syslog("document.php download $fullpath_original_file filename=$filename content-type=$type");
$original_file_osencoded=dol_osencode($original_file); // New file name encoded in OS encoding charset $fullpath_original_file_osencoded=dol_osencode($fullpath_original_file); // New file name encoded in OS encoding charset
// This test if file exists should be useless. We keep it to find bug more easily // This test if file exists should be useless. We keep it to find bug more easily
if (! file_exists($original_file_osencoded)) if (! file_exists($fullpath_original_file_osencoded))
{ {
dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file)); dol_syslog("ErrorFileDoesNotExists: ".$fullpath_original_file);
print "ErrorFileDoesNotExists: ".$original_file;
exit; exit;
} }
@@ -177,7 +176,7 @@ if ($encoding) header('Content-Encoding: '.$encoding);
// Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open) // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"'); if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
else header('Content-Disposition: inline; filename="'.$filename.'"'); else header('Content-Disposition: inline; filename="'.$filename.'"');
header('Content-Length: ' . dol_filesize($original_file)); header('Content-Length: ' . dol_filesize($fullpath_original_file));
// Ajout directives pour resoudre bug IE // Ajout directives pour resoudre bug IE
header('Cache-Control: Public, must-revalidate'); header('Cache-Control: Public, must-revalidate');
header('Pragma: public'); header('Pragma: public');
@@ -185,6 +184,6 @@ header('Pragma: public');
//ob_clean(); //ob_clean();
//flush(); //flush();
readfile($original_file_osencoded); readfile($fullpath_original_file_osencoded);
if (is_object($db)) $db->close(); if (is_object($db)) $db->close();

3
htdocs/langs/en_US/main.lang
View File

@@ -103,7 +103,8 @@ RequestLastAccessInError=Latest database access request error
ReturnCodeLastAccessInError=Return code for latest database access request error ReturnCodeLastAccessInError=Return code for latest database access request error
InformationLastAccessInError=Information for latest database access request error InformationLastAccessInError=Information for latest database access request error
DolibarrHasDetectedError=Dolibarr has detected a technical error DolibarrHasDetectedError=Dolibarr has detected a technical error
InformationToHelpDiagnose=This information can be useful for diagnostic purposes YouCanSetOptionDolibarrMainProdToZero=You can read log file or set option $dolibarr_main_prod to '0' in your config file to get more information.
InformationToHelpDiagnose=This information can be useful for diagnostic purposes (you can set option $dolibarr_main_prod to '1' to remove such notices)
MoreInformation=More information MoreInformation=More information
TechnicalInformation=Technical information TechnicalInformation=Technical information
TechnicalID=Technical ID TechnicalID=Technical ID

41
htdocs/main.inc.php
View File

@@ -77,38 +77,39 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP
*/ */
function test_sql_and_script_inject($val, $type) function test_sql_and_script_inject($val, $type)
{ {
$sql_inj = 0; $inj = 0;
// For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests) // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
if ($type != 2) if ($type != 2)
{ {
$sql_inj += preg_match('/delete\s+from/i', $val); $inj += preg_match('/delete\s+from/i', $val);
$sql_inj += preg_match('/create\s+table/i', $val); $inj += preg_match('/create\s+table/i', $val);
$sql_inj += preg_match('/update.+set.+=/i', $val); $inj += preg_match('/update.+set.+=/i', $val);
$sql_inj += preg_match('/insert\s+into/i', $val); $inj += preg_match('/insert\s+into/i', $val);
$sql_inj += preg_match('/select.+from/i', $val); $inj += preg_match('/select.+from/i', $val);
$sql_inj += preg_match('/union.+select/i', $val); $inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val); $inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val); $inj += preg_match('/(\.\.%2f)+/i', $val);
} }
// For XSS Injection done by adding javascript with script // For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript: // This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc // All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val); $inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val); if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val); $inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)> $inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)> $inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
$sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)> $inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
if ($type == 1) if ($type == 1)
{ {
$sql_inj += preg_match('/javascript:/i', $val); $inj += preg_match('/javascript:/i', $val);
$sql_inj += preg_match('/vbscript:/i', $val); $inj += preg_match('/vbscript:/i', $val);
} }
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param) // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value if ($type == 1) $inj += preg_match('/"/i', $val); // We refused " in GET parameters value
if ($type == 2) $sql_inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces. if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
return $sql_inj; return $inj;
} }
/** /**

27
htdocs/viewimage.php
View File

@@ -113,7 +113,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
$check_access = dol_check_secure_access_document($modulepart,$original_file,$entity,$refname); $check_access = dol_check_secure_access_document($modulepart,$original_file,$entity,$refname);
$accessallowed = $check_access['accessallowed']; $accessallowed = $check_access['accessallowed'];
$sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals'];
$original_file = $check_access['original_file']; $fullpath_original_file = $check_access['original_file'];
// Security: // Security:
// Limit access if permissions are wrong // Limit access if permissions are wrong
@@ -124,11 +124,10 @@ if (! $accessallowed)
// Security: // Security:
// On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers. // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers.
if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file))
{ {
dol_syslog("Refused to deliver file ".$original_file, LOG_WARNING); dol_syslog("Refused to deliver file ".$fullpath_original_file);
// Do no show plain path in shown error message print "ErrorFileNameInvalid: ".$original_file;
dol_print_error(0,'Error: File '.$_GET["file"].' does not exists');
exit; exit;
} }
@@ -143,7 +142,7 @@ if ($modulepart == 'barcode')
if (empty($generator) || empty($encoding)) if (empty($generator) || empty($encoding))
{ {
dol_print_error(0,'Error, parameter "generator" or "encoding" not defined'); print 'Error: Parameter "generator" or "encoding" not defined';
exit; exit;
} }
@@ -176,14 +175,13 @@ else // Open and return file
clearstatcache(); clearstatcache();
// Output files on browser // Output files on browser
dol_syslog("viewimage.php return file $original_file content-type=$type"); dol_syslog("viewimage.php return file $fullpath_original_file content-type=$type");
// This test is to avoid error images when image is not available (for example thumbs). // This test is to avoid error images when image is not available (for example thumbs).
if (! dol_is_file($original_file) && empty($_GET["noalt"])) if (! dol_is_file($fullpath_original_file) && empty($_GET["noalt"]))
{ {
$original_file=DOL_DOCUMENT_ROOT.'/public/theme/common/nophoto.png'; $fullpath_original_file=DOL_DOCUMENT_ROOT.'/public/theme/common/nophoto.png';
/*$error='Error: File '.$_GET["file"].' does not exists or filesystems permissions are not allowed'; /*$error='Error: File '.$_GET["file"].' does not exists or filesystems permissions are not allowed';
dol_print_error(0,$error);
print $error; print $error;
exit;*/ exit;*/
} }
@@ -192,16 +190,17 @@ else // Open and return file
if ($type) if ($type)
{ {
top_httphead($type); top_httphead($type);
header('Content-Disposition: inline; filename="'.basename($original_file).'"'); header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
} }
else else
{ {
top_httphead('image/png'); top_httphead('image/png');
header('Content-Disposition: inline; filename="'.basename($original_file).'"'); header('Content-Disposition: inline; filename="'.basename($fullpath_original_file).'"');
} }
$original_file_osencoded=dol_osencode($original_file); $fullpath_original_file_osencoded=dol_osencode($fullpath_original_file);
readfile($original_file_osencoded);
readfile($fullpath_original_file_osencoded);
} }