From f904c46a103d32057e220bab61e44c6a13d5c6e6 Mon Sep 17 00:00:00 2001
From: Philippe GRAND
Date: Mon, 30 Oct 2017 14:22:34 +0100
Subject: [PATCH 1/2] Warning: trim() expects parameter 1 to be string, array given in /httpdocs/core/lib/functions.lib.php on line 520
---
 htdocs/core/lib/functions.lib.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 85ea597644d..a376661829c 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -517,6 +517,8 @@ function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=N
 if (preg_match('/[^0-9,]+/i',$out)) $out='';
 break;
 case 'alpha':
+ if (!is_string($out))
+ return $out;
 $out=trim($out);
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
 // '../' is dangerous because it allows dir transversals
From 6ea558b63996c1dcaddb96c3f041df35afc387cc Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 2 Nov 2017 09:58:22 +0100
Subject: [PATCH 2/2] Update functions.lib.php
---
 htdocs/core/lib/functions.lib.php | 44 +++++++++++++++++++------------
 1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index a376661829c..93b0a810abb 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -517,24 +517,31 @@ function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=N
 if (preg_match('/[^0-9,]+/i',$out)) $out='';
 break;
 case 'alpha':
- if (!is_string($out))
- return $out;
- $out=trim($out);
- // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
- // '../' is dangerous because it allows dir transversals
- if (preg_match('/"/',$out)) $out='';
- else if (preg_match('/\.\.\//',$out)) $out='';
+ if (! is_array($out))
+ {
+ $out=trim($out);
+ // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+ // '../' is dangerous because it allows dir transversals
+ if (preg_match('/"/',$out)) $out='';
+ else if (preg_match('/\.\.\//',$out)) $out='';
+ }
 break;
 case 'san_alpha':
 $out=filter_var($out,FILTER_SANITIZE_STRING);
 break;
 case 'aZ':
- $out=trim($out);
- if (preg_match('/[^a-z]+/i',$out)) $out='';
+ if (! is_array($out))
+ {
+ $out=trim($out);
+ if (preg_match('/[^a-z]+/i',$out)) $out='';
+ }
 break;
 case 'aZ09':
- $out=trim($out);
- if (preg_match('/[^a-z0-9_\-\.]+/i',$out)) $out='';
+ if (! is_array($out))
+ {
+ $out=trim($out);
+ if (preg_match('/[^a-z0-9_\-\.]+/i',$out)) $out='';
+ }
 break;
 case 'array':
 if (! is_array($out) || empty($out)) $out=array();
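Review bot: When `$out` is an array, the new `if (! is_array($out))` guards in the `alpha`, `aZ` and `aZ09` cases skip the sanitizer entirely and fall through to `break`, so a request that sends `name[]=...` in place of a scalar gets its values back unfiltered from a call that asked for a checked string. The patch silences the trim() warning but leaves a filter bypass: any caller that iterates, implodes or forwards that array receives content the `"`/`../` and character-class checks were meant to reject. Fail closed instead, e.g. `if (is_array($out)) { $out=''; break; }` at the top of each of these scalar cases, leaving the `array` check as the only way to request an array. The same gap likely exists for the `intcomma` context line at the top of the hunk and for `san_alpha`, where preg_match()/filter_var() on an array return a falsy value and leave `$out` untouched — worth checking, although those lines are not changed here. GETPOST's body starts and ends outside this hunk.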
@@ -543,12 +550,15 @@ function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=N
 $out=dol_string_nohtmltag($out);
 break;
 case 'alphanohtml': // Recommended for search params
- $out=trim($out);
- // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
- // '../' is dangerous because it allows dir transversals
- if (preg_match('/"/',$out)) $out='';
- else if (preg_match('/\.\.\//',$out)) $out='';
- $out=dol_string_nohtmltag($out);
+ if (! is_array($out))
+ {
+ $out=trim($out);
+ // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+ // '../' is dangerous because it allows dir transversals
+ if (preg_match('/"/',$out)) $out='';
+ else if (preg_match('/\.\.\//',$out)) $out='';
+ $out=dol_string_nohtmltag($out);
+ }
 break;
 case 'custom':
 if (empty($filter)) return 'BadFourthParameterForGETPOST';
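Review bot: The new `if (! is_array($out))` guard in the `alphanohtml` case also skips `dol_string_nohtmltag()`, so a parameter submitted as `q[]=<script>...` comes back as an array of unstripped strings even though the caller asked for the check this comment recommends for search params. Callers that implode or loop over the value then handle HTML the check is documented to remove. Fail closed here as for the other scalar checks: `if (is_array($out)) { $out=''; break; }` before the trim, so an unexpected array never leaves GETPOST unsanitized. GETPOST's body continues outside this hunk.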