From 7c70f9ed03f6ebb4c61a90f4d561ef8b97e12977 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 3 Apr 2018 20:23:47 +0200 Subject: [PATCH 01/16] Fix option STOCK_SUPPORTS_SERVICES --- htdocs/product/card.php | 61 ++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 37 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index f65898bda68..a3e52f33cd5 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -1240,8 +1240,8 @@ else else if ($object->id > 0) { // Fiche en mode edition - if ($action == 'edit' && $usercancreate) - { + if ($action == 'edit' && $usercancreate) + { //WYSIWYG Editor require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; @@ -1302,11 +1302,15 @@ else print ''; // Batch number managment - if ($conf->productbatch->enabled) { - print ''.$langs->trans("ManageLotSerial").''; - $statutarray=array('0' => $langs->trans("ProductStatusNotOnBatch"), '1' => $langs->trans("ProductStatusOnBatch")); - print $form->selectarray('status_batch',$statutarray,$object->status_batch); - print ''; + if ($conf->productbatch->enabled) + { + if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES)) + { + print ''.$langs->trans("ManageLotSerial").''; + $statutarray=array('0' => $langs->trans("ProductStatusNotOnBatch"), '1' => $langs->trans("ProductStatusOnBatch")); + print $form->selectarray('status_batch',$statutarray,$object->status_batch); + print ''; + } } // Barcode @@ -1391,7 +1395,6 @@ else print 'duration_unit=='m'?' checked':'').'>'.$langs->trans("Month"); print '  '; print 'duration_unit=='y'?' checked':'').'>'.$langs->trans("Year"); - print ''; } else @@ -1612,7 +1615,7 @@ else { require_once DOL_DOCUMENT_ROOT.'/core/class/html.formbarcode.class.php'; $formbarcode = new FormBarCode($db); - } + } if ($action == 'editbarcodetype') { $formbarcode->form_barcode_type($_SERVER['PHP_SELF'].'?id='.$object->id,$object->barcode_type,'fk_barcode_type'); @@ -1718,35 +1721,19 @@ else } print ''; - // Status (to sell) - /* - print ''.$langs->trans("Status").' ('.$langs->trans("Sell").')'; - if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { - print ajax_object_onoff($object, 'status', 'tosell', 'ProductStatusOnSell', 'ProductStatusNotOnSell'); - } else { - print $object->getLibStatut(2,0); - } - print ''; - - // Status (to buy) - print ''.$langs->trans("Status").' ('.$langs->trans("Buy").')'; - if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { - print ajax_object_onoff($object, 'status_buy', 'tobuy', 'ProductStatusOnBuy', 'ProductStatusNotOnBuy'); - } else { - print $object->getLibStatut(2,1); - } - print ''; - */ - // Batch number management (to batch) - if (! empty($conf->productbatch->enabled)) { - print ''.$langs->trans("ManageLotSerial").''; - if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { - print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch'); - } else { - print $object->getLibStatut(0,2); - } - print ''; + if (! empty($conf->productbatch->enabled)) + { + if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES)) + { + print ''.$langs->trans("ManageLotSerial").''; + if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { + print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch'); + } else { + print $object->getLibStatut(0,2); + } + print ''; + } } // Description From 47dcc0d5c6569562155d3dde921e36846bf28874 Mon Sep 17 00:00:00 2001 From: TuxGasy Date: Wed, 4 Apr 2018 20:32:36 +0200 Subject: [PATCH 02/16] fix notrigger ignored on BILL_CREATE --- htdocs/compta/facture/class/facture.class.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 601b1d29495..b73307277c8 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -746,10 +746,16 @@ class Facture extends CommonInvoice } else if ($reshook < 0) $error++;*/ - // Call trigger - $result=$this->call_trigger('BILL_CREATE',$user); - if ($result < 0) $error++; - // End call triggers + if (! $error) + { + if (! $notrigger) + { + // Call trigger + $result=$this->call_trigger('BILL_CREATE',$user); + if ($result < 0) $error++; + // End call triggers + } + } if (! $error) { From 2207e5e470dea45ca3dcae09f1e5536f752fb4cd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 5 Apr 2018 19:23:36 +0200 Subject: [PATCH 03/16] Fix tooltip --- htdocs/comm/action/list.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php index c58c34f3d72..5ea3d2c9e0b 100644 --- a/htdocs/comm/action/list.php +++ b/htdocs/comm/action/list.php @@ -234,7 +234,7 @@ $sql.= ' a.fk_user_author,a.fk_user_action,'; $sql.= " a.fk_contact, a.note, a.percent as percent,"; $sql.= " a.fk_element, a.elementtype,"; $sql.= " c.code as type_code, c.libelle as type_label,"; -$sql.= " sp.lastname, sp.firstname"; +$sql.= " sp.lastname, sp.firstname, sp.email, sp.phone, sp.address, sp.phone as phone_pro, sp.phone_mobile, sp.phone_perso, sp.fk_pays as country_id"; // Add fields from extrafields foreach ($extrafields->attribute_label as $key => $val) $sql.=($extrafields->attribute_type[$key] != 'separate' ? ",ef.".$key.' as options_'.$key : ''); $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a"; @@ -606,9 +606,14 @@ if ($resql) print ''; if ($obj->fk_contact > 0) { + $contactstatic->id=$obj->fk_contact; + $contactstatic->email=$obj->email; $contactstatic->lastname=$obj->lastname; $contactstatic->firstname=$obj->firstname; - $contactstatic->id=$obj->fk_contact; + $contactstatic->phone_pro=$obj->phone_pro; + $contactstatic->phone_mobile=$obj->phone_mobile; + $contactstatic->phone_perso=$obj->phone_perso; + $contactstatic->country_id=$obj->country_id; print $contactstatic->getNomUrl(1,'',28); } else From 920891ba70443db5150ec0232d08b3956563067f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 00:01:24 +0200 Subject: [PATCH 04/16] Fix edit of default opportunit percent --- htdocs/projet/card.php | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php index 5ff65eae816..bd8709affaa 100644 --- a/htdocs/projet/card.php +++ b/htdocs/projet/card.php @@ -1014,11 +1014,21 @@ elseif ($object->id > 0) jQuery("#divtocloseproject").hide(); } - /* Change percent of default percent of new status is higher */ - if (parseFloat(jQuery("#opp_percent").val()) != parseFloat(defaultpercent)) + /* Change percent with default percent (defaultpercent) if new status (defaultpercent) is higher than current (jQuery("#opp_percent").val()) */ + console.log("oldpercent="+oldpercent); + if (oldpercent != \'\' && (parseFloat(defaultpercent) < parseFloat(oldpercent))) { if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\'); - jQuery("#opp_percent").val(defaultpercent); + if (parseFloat(oldpercent) != 100) { jQuery("#opp_percent").val(oldpercent); } + else { jQuery("#opp_percent").val(defaultpercent); } + } + else + { + if ((parseFloat(jQuery("#opp_percent").val()) < parseFloat(defaultpercent))); + { + if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\'); + jQuery("#opp_percent").val(defaultpercent); + } } } From a78c064461aa9f21f5f977a73de759cf4ea7df7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20J?= Date: Wed, 4 Apr 2018 12:32:49 +0200 Subject: [PATCH 05/16] Fix CommandeFournisseur::getDispachedLines line ID & return quantity --- htdocs/fourn/class/fournisseur.commande.class.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index a58f33502aa..bdafbe6c629 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -1963,7 +1963,7 @@ class CommandeFournisseur extends CommonOrder // List of already dispatched lines $sql = "SELECT p.ref, p.label,"; $sql.= " e.rowid as warehouse_id, e.ref as entrepot,"; - $sql.= " cfd.rowid as dispatchlineid, cfd.fk_product, cfd.qty, cfd.eatby, cfd.sellby, cfd.batch, cfd.comment, cfd.status"; + $sql.= " cfd.rowid as dispatchedlineid, cfd.fk_product, cfd.qty, cfd.eatby, cfd.sellby, cfd.batch, cfd.comment, cfd.status"; $sql.= " FROM ".MAIN_DB_PREFIX."product as p,"; $sql.= " ".MAIN_DB_PREFIX."commande_fournisseur_dispatch as cfd"; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e ON cfd.fk_entrepot = e.rowid"; @@ -1981,7 +1981,15 @@ class CommandeFournisseur extends CommonOrder while ($i < $num) { $objp = $this->db->fetch_object($resql); - if ($objp) $ret[]=array('id'=>$objp->dispatchedlineid, 'productid'=>$objp->fk_product, 'warehouseid'=>$objp->warehouse_id); + if ($objp) + { + $ret[] = array( + 'id' => $objp->dispatchedlineid, + 'productid' => $objp->fk_product, + 'warehouseid' => $objp->warehouse_id, + 'qty' => $objp->qty, + ); + } $i++; } From 1009a629d905beab33f0022dd371367f50d278b5 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 13:20:09 +0200 Subject: [PATCH 06/16] Try better Fix for #8432 --- htdocs/comm/action/class/api_agendaevents.class.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 7fd76b5d1a9..b507d9c72b9 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -115,13 +115,17 @@ class AgendaEvents extends DolibarrApi // If the internal user must only see his customers, force searching by him $search_sale = 0; if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id; + if (empty($conf->societe->enabled)) $search_sale = 0; // If module thirdparty not enabled, sale representative is something that does not exists $sql = "SELECT t.id as rowid"; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t"; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale $sql.= ' WHERE t.entity IN ('.getEntity('agenda').')'; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc"; + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc"; if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")"; if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid; // Insert sale filter From f56438112fb5c7dd7f32cd74cf4a67627b09bce8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 17:22:14 +0200 Subject: [PATCH 07/16] FIX CWE-89 --- htdocs/expensereport/list.php | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index caae068461a..053d293db83 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -72,7 +72,7 @@ $search_user = GETPOST('search_user','int'); $search_amount_ht = GETPOST('search_amount_ht','alpha'); $search_amount_vat = GETPOST('search_amount_vat','alpha'); $search_amount_ttc = GETPOST('search_amount_ttc','alpha'); -$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); +$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma')); $month_start = GETPOST("month_start","int"); $year_start = GETPOST("year_start","int"); $month_end = GETPOST("month_end","int"); @@ -305,11 +305,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun // User if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'"; // Status -if ($search_status != '' && $search_status >= 0) -{ - if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; - else $sql.=" AND d.fk_statut = ".$search_status; -} +if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; // RESTRICT RIGHTS if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) From 1623fea6182225ecbd230312d67f38f8a391c9da Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 17:22:14 +0200 Subject: [PATCH 08/16] FIX SQL Injection CWE-89 --- htdocs/expensereport/list.php | 8 ++------ htdocs/holiday/list.php | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index caae068461a..053d293db83 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -72,7 +72,7 @@ $search_user = GETPOST('search_user','int'); $search_amount_ht = GETPOST('search_amount_ht','alpha'); $search_amount_vat = GETPOST('search_amount_vat','alpha'); $search_amount_ttc = GETPOST('search_amount_ttc','alpha'); -$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); +$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma')); $month_start = GETPOST("month_start","int"); $year_start = GETPOST("year_start","int"); $month_end = GETPOST("month_end","int"); @@ -305,11 +305,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun // User if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'"; // Status -if ($search_status != '' && $search_status >= 0) -{ - if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; - else $sql.=" AND d.fk_statut = ".$search_status; -} +if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; // RESTRICT RIGHTS if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index c7227e16472..d99afde8c3d 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -85,7 +85,7 @@ if (! $sortorder) $sortorder="DESC"; $sall = trim((GETPOST('search_all', 'alphanohtml')!='')?GETPOST('search_all', 'alphanohtml'):GETPOST('sall', 'alphanohtml')); -$search_ref = GETPOST('search_ref','alpha'); +$search_ref = GETPOST('search_ref','alphanohtml'); $search_day_create = GETPOST('search_day_create','int'); $search_month_create = GETPOST('search_month_create','int'); $search_year_create = GETPOST('search_year_create','int'); @@ -185,7 +185,7 @@ $order = $db->order($sortfield,$sortorder).$db->plimit($limit + 1, $offset); // Ref if(!empty($search_ref)) { - $filter.= " AND cp.rowid = ".$db->escape($search_ref); + $filter.= " AND cp.rowid = ".(int) $db->escape($search_ref); } // Start date From 2d1183cbb75a5c7da73a779b216668e014b9fa73 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 17:58:30 +0200 Subject: [PATCH 09/16] FIX can bypass the CSRF protection with url with domain inside --- htdocs/filefunc.inc.php | 22 ++++++++++++++++------ htdocs/main.inc.php | 3 ++- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index fd2afa56fd1..e78d9e48508 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -151,13 +151,23 @@ if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php s // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) { - if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) - && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) + if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])) { - //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; - print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; - print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; - die; + $csrfattack=false; + if (empty($_SERVER['HTTP_REFERER'])) $csrfattack=true; // An evil browser was used + else + { + $tmpa=parse_url($_SERVER['HTTP_HOST']); + $tmpb=parse_url($_SERVER['HTTP_REFERER']); + if ($tmpa['host'] != $tmpb['host']) $csrfattack=true; + } + if ($csrfattack) + { + //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; + print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } } // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on. } diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 2439a9fd6e0..d6705b7832b 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -332,7 +332,8 @@ if (! defined('NOTOKENRENEWAL')) $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number $_SESSION['newtoken'] = $token; } -if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes) +if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) + || defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set { if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token','alpha')) // Note, offender can still send request by GET { From 417c07a6e81e68e3012864a002bf747e83d688bd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 18:33:51 +0200 Subject: [PATCH 10/16] Fix REFLECTED XSS --- htdocs/core/actions_linkedfiles.inc.php | 2 +- htdocs/main.inc.php | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 4e9e0063dc3..affbd1ec964 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -27,7 +27,7 @@ // Submit file/link -if (GETPOST('sendit','none') && ! empty($conf->global->MAIN_UPLOAD_DOC)) +if (GETPOST('sendit','alpha') && ! empty($conf->global->MAIN_UPLOAD_DOC)) { if (! empty($_FILES)) { diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d6705b7832b..2ff276f36f7 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -73,7 +73,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP * * @param string $val Value * @param string $type 1=GET, 0=POST, 2=PHP_SELF - * @return int >0 if there is an injection + * @return int >0 if there is an injection, 0 if none */ function test_sql_and_script_inject($val, $type) { @@ -128,17 +128,17 @@ function test_sql_and_script_inject($val, $type) * * @param string $var Variable name * @param string $type 1=GET, 0=POST, 2=PHP_SELF - * @return boolean||null true if there is an injection. Stop code if injection found. + * @return boolean|null true if there is no injection. Stop code if injection found. */ function analyseVarsForSqlAndScriptsInjection(&$var, $type) { if (is_array($var)) { - foreach ($var as $key => $value) + foreach ($var as $key => $value) // Warning, $key may also be used for attacks { - if (analyseVarsForSqlAndScriptsInjection($value,$type)) + if (analyseVarsForSqlAndScriptsInjection($key, $type) && analyseVarsForSqlAndScriptsInjection($value, $type)) { - $var[$key] = $value; + //$var[$key] = $value; // This is useless } else { @@ -150,7 +150,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type) } else { - return (test_sql_and_script_inject($var,$type) <= 0); + return (test_sql_and_script_inject($var, $type) <= 0); } } From 1a321e19c89183c409b1e281e77769b1887ba952 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 6 Apr 2018 19:12:13 +0200 Subject: [PATCH 11/16] FIX XSS in company setup page --- htdocs/admin/company.php | 44 +++++++++--------- htdocs/contact/card.php | 74 +++++++++++++++---------------- htdocs/core/lib/functions.lib.php | 4 +- htdocs/main.inc.php | 2 + 4 files changed, 63 insertions(+), 61 deletions(-) diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index 62c3dbd73b7..94c2cd72b40 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -78,7 +78,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("town",'nohtml'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity); @@ -154,26 +154,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } } - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity); // Local taxes - dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity); if($_POST["optionlocaltax1"]=="localtax1on") { @@ -183,9 +183,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity); } if($_POST["optionlocaltax2"]=="localtax2on") { @@ -195,9 +195,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity); } if ($action != 'updateedit' && ! $error) @@ -409,7 +409,7 @@ if ($action == 'edit' || $action == 'updateedit') // IDs of the company (country-specific) print ''; - print ''; + print ''; $langs->load("companies"); @@ -562,7 +562,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'; print ''; - print ''; + print ''; print ''; print "\n"; @@ -595,7 +595,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("VATManagement").''.$langs->trans("Description").''.$langs->trans("VATManagement").''.$langs->trans("Description").' 
'; print ''; - print ''; + print ''; print ''; print "\n"; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index bc0031b5992..36152275a64 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -176,26 +176,26 @@ if (empty($reshook)) $object->entity = (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); $object->country_id = GETPOST("country_id",'int'); $object->state_id = GETPOST("state_id",'int'); - $object->skype = GETPOST("skype"); + $object->skype = GETPOST("skype",'alpha'); $object->email = GETPOST("email",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); $object->statut = 1; //Defult status to Actif // Note: Correct date should be completed with location to have exact GM time of birth. @@ -340,33 +340,33 @@ if (empty($reshook)) $object->oldcopy = clone $object; - $object->old_lastname = GETPOST("old_lastname"); - $object->old_firstname = GETPOST("old_firstname"); + $object->old_lastname = GETPOST("old_lastname",'alpha'); + $object->old_firstname = GETPOST("old_firstname",'alpha'); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); - $object->state_id = GETPOST("state_id",'int'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); + $object->state_id = GETPOST("state_id",'int'); $object->fk_departement = GETPOST("state_id",'int'); // For backward compatibility $object->country_id = GETPOST("country_id",'int'); $object->email = GETPOST("email",'alpha'); $object->skype = GETPOST("skype",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost($extralabels,$object); @@ -540,9 +540,9 @@ else // Name print ''; - print ''; + print ''; print ''; - print ''; + print ''; // Company if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) @@ -594,8 +594,8 @@ else if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party print ''; // Country @@ -635,7 +635,7 @@ else // EMail if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party print ''; - print ''; + print ''; if (! empty($conf->mailing->enabled)) { print ''; @@ -649,13 +649,13 @@ else // Instant message and no email print ''; - print ''; + print ''; // Skype if (! empty($conf->skype->enabled)) { print ''; - print ''; + print ''; } // Visibility diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 20ab5aad7a9..a75c9176893 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -549,10 +549,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU case 'array': if (! is_array($out) || empty($out)) $out=array(); break; - case 'nohtml': + case 'nohtml': // Recommended for most scalar parameters $out=dol_string_nohtmltag($out, 0); break; - case 'alphanohtml': // Recommended for search params + case 'alphanohtml': // Recommended for search parameters if (! is_array($out)) { $out=trim($out); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 2ff276f36f7..629e0108045 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type) // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet $inj += preg_match('/'; @@ -210,12 +218,12 @@ $account_to=''; $label=''; $amount=''; -if($error) +if ($error) { $account_from = GETPOST('account_from','int'); $account_to = GETPOST('account_to','int'); $label = GETPOST('label','alpha'); - $amount = GETPOST('amount','int'); + $amount = GETPOST('amount','alpha'); } print load_fiche_titre($langs->trans("MenuBankInternalTransfer"), '', 'title_bank.png'); @@ -246,9 +254,9 @@ print "\n"; print "\n"; -print ''; -print ''; -print ''; +print ''; +print ''; +print ''; print "
'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").''.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").' 
lastname).'" autofocus="autofocus">lastname).'" autofocus="autofocus">firstname).'">
firstname).'">
/ '; - print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; - print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; + print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print '
email).'">email).'">
jabberid).'">
jabberid).'">
skype).'">
skype).'">
"; $form->select_date((! empty($dateo)?$dateo:''),'','','','','add'); print "
";