From dc00877d940da8326216e51263a85b0a4a418f22 Mon Sep 17 00:00:00 2001 From: ldestailleur Date: Tue, 2 Sep 2025 12:08:27 +0200 Subject: [PATCH 1/4] Fix position in changelog --- ChangeLog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 20af764f941..19677501f47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,12 +2,6 @@ English Dolibarr ChangeLog -------------------------------------------------------------- -***** ChangeLog for 21.0.4 compared to 21.0.3 ***** -FIX: #35147 SQL Error on Beluga Export when ExpenseReport is enabled (#35149) -FIX: error when using a code too large in dictionary -FIX: Security when using feature Advanced Target of emailing (hidden in v21, default in v22+). Possible - SQL injection by users with permission to make and send mass emailing. - ***** ChangeLog for 22.0.1 compared to 22.0.0 ***** @@ -192,6 +186,12 @@ The following changes may create regressions for some external modules, but were * The property ->price_ht of an object line that was a duplicate of ->subprice has been standardized. Use ->subprice everywhere now. +***** ChangeLog for 21.0.4 compared to 21.0.3 ***** +FIX: #35147 SQL Error on Beluga Export when ExpenseReport is enabled (#35149) +FIX: error when using a code too large in dictionary +FIX: Security when using feature Advanced Target of emailing (hidden in v21, default in v22+). Possible + SQL injection by users with permission to make and send mass emailing. + ***** ChangeLog for 21.0.3 compared to 21.0.2 ***** FIX: #34843 (#34875) From 5e38d0134e5aca484c241dfa455e3c4be6df7af2 Mon Sep 17 00:00:00 2001 From: ldestailleur Date: Tue, 2 Sep 2025 12:51:51 +0200 Subject: [PATCH 2/4] Trans --- htdocs/langs/en_US/admin.lang | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index a7ded6881e3..981e10ad99b 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang 
@@ -639,7 +639,7 @@ Module240Desc=Tool to export Dolibarr data (with assistance) Module250Name=Data imports Module250Desc=Tool to import data into Dolibarr (with assistance) Module310Name=Members -Module310Desc=Foundation members management +Module310Desc=Management of association members and their membership Module320Name=RSS Feed Module320Desc=Add a RSS feed to Dolibarr pages Module330Name=Bookmarks & Shortcuts From 0350e2687c45849953b58bf03aebf62ca160ada1 Mon Sep 17 00:00:00 2001 From: ldestailleur Date: Tue, 2 Sep 2025 13:47:01 +0200 Subject: [PATCH 3/4] FIX fallback of "from" email when sending email in member module --- htdocs/adherents/card.php | 12 ++++++------ htdocs/adherents/class/adherent.class.php | 9 +++------ htdocs/adherents/subscription.php | 2 +- htdocs/public/members/new.php | 6 +++--- 4 files changed, 13 insertions(+), 16 deletions(-) diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index 511badb9b1d..2f5bf2343e5 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1615,10 +1615,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $texttosend = make_substitutions(dol_concatdesc($msg, $adht->getMailOnValid()), $substitutionarray, $outputlangs); $tmp = $langs->trans("SendingAnEMailToMember"); - $tmp .= '
'.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').', '; + $tmp .= '
'.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).', '; $tmp .= '
'.$langs->trans("MailRecipient").': '.$object->email.''; $helpcontent = ''; - $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').'
'."\n"; + $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).'
'."\n"; $helpcontent .= ''.$langs->trans("MailRecipient").': '.$object->email.'
'."\n"; $helpcontent .= ''.$langs->trans("Subject").':
'."\n"; $helpcontent .= $subjecttosend."\n"; @@ -1679,10 +1679,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $texttosend = make_substitutions(dol_concatdesc($msg, $adht->getMailOnResiliate()), $substitutionarray, $outputlangs); $tmp = $langs->trans("SendingAnEMailToMember"); - $tmp .= '
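Review bot: The sender value on the changed `$tmp .=` and `$helpcontent .=` lines is concatenated into what looks like HTML help text without output encoding, and the new fallback widens what can appear there to `$conf->email_from`. A sender written in the `Name <address>` form would lose its address part when rendered, and any markup in either setting is emitted as-is; wrapping the call as `dol_escape_htmltag(getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from))` avoids both. The same applies to the two later hunks in this file and to the `$helpcontent` line in htdocs/adherents/subscription.php, and the neighbouring `$object->email` context lines, which hold a member-supplied value, deserve the same treatment. The enclosing block starts and ends outside the hunk, so how `$tmp` and `$helpcontent` are finally printed is not visible here.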
('.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').', '; + $tmp .= '
('.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).', '; $tmp .= $langs->trans("MailRecipient").': '.$object->email.')'; $helpcontent = ''; - $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').'
'."\n"; + $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).'
'."\n"; $helpcontent .= ''.$langs->trans("MailRecipient").': '.$object->email.'
'."\n"; $helpcontent .= ''.$langs->trans("Subject").':
'."\n"; $helpcontent .= $subjecttosend."\n"; @@ -1740,10 +1740,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $texttosend = make_substitutions(dol_concatdesc($msg, $adht->getMailOnExclude()), $substitutionarray, $outputlangs); $tmp = $langs->trans("SendingAnEMailToMember"); - $tmp .= '
('.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').', '; + $tmp .= '
('.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).', '; $tmp .= $langs->trans("MailRecipient").': '.$object->email.')'; $helpcontent = ''; - $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').'
'."\n"; + $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).'
'."\n"; $helpcontent .= ''.$langs->trans("MailRecipient").': '.$object->email.'
'."\n"; $helpcontent .= ''.$langs->trans("Subject").':
'."\n"; $helpcontent .= $subjecttosend."\n"; diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 0ee2bde89fa..e458ee2ab44 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -505,11 +505,8 @@ class Adherent extends CommonObject $texttosend = dol_htmlentitiesbr($texttosend); } - // Envoi mail confirmation - $from = $conf->email_from; - if (getDolGlobalString('ADHERENT_MAIL_FROM')) { - $from = getDolGlobalString('ADHERENT_MAIL_FROM'); - } + // Send mail confirmation + $from = getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from); $trackid = 'mem'.$this->id; @@ -3186,7 +3183,7 @@ class Adherent extends CommonObject $subject = make_substitutions($arraydefaultmessage->topic, $substitutionarray, $outputlangs); $msg = make_substitutions($arraydefaultmessage->content, $substitutionarray, $outputlangs); - $from = getDolGlobalString('ADHERENT_MAIL_FROM'); + $from = getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from); $to = $adherent->email; $cc = getDolGlobalString('ADHERENT_CC_MAIL_FROM'); diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 56c2f7e9639..ca0ee7abd29 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -1187,7 +1187,7 @@ if (($action == 'addsubscription' || $action == 'create_thirdparty') && $user->h $tmp = ''; $helpcontent = ''; - $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM').'
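Review bot: The single-call form `getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from)` in the `@@ -505` hunk may not be equivalent to the truthiness test it replaces. The removed code fell back to `$conf->email_from` whenever ADHERENT_MAIL_FROM was empty, whereas the helper's default presumably applies only when the constant is not set at all (its definition is not part of this patch), so a stored but empty value would now give an empty sender. If that case can occur, `$from = getDolGlobalString('ADHERENT_MAIL_FROM') ?: $conf->email_from;` keeps the old behaviour, and the same expression would fit the `@@ -3186` hunk and htdocs/public/members/new.php. The enclosing method starts outside the hunk.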
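Review bot: `$conf` may not be in scope on the new `$from = ...` line of the `@@ -3186` hunk, because the line it replaces did not reference `$conf` and the method's opening lines are outside the hunk. It is worth confirming that `global $conf;` is declared in that method. Without it PHP would raise a warning and pass null as the default, so the fallback would silently produce an empty sender.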
'."\n"; + $helpcontent .= ''.$langs->trans("MailFrom").': '.getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from).'
'."\n"; $helpcontent .= ''.$langs->trans("MailRecipient").': '.$object->email.'
'."\n"; $helpcontent .= ''.$langs->trans("MailTopic").':
'."\n"; if ($subjecttosend) { diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index a4e4ade43ad..9d3ea1bebfd 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -412,13 +412,13 @@ if (empty($reshook) && $action == 'add') { // Test on permission not required he $appli .= " ".DOL_VERSION; } - $to = $adh->makeSubstitution($conf->global->MAIN_INFO_SOCIETE_MAIL); - $from = getDolGlobalString('ADHERENT_MAIL_FROM'); + $to = $adh->makeSubstitution(getDolGlobalString('MAIN_INFO_SOCIETE_MAIL')); + $from = getDolGlobalString('ADHERENT_MAIL_FROM', $conf->email_from); $mailfile = new CMailFile( '['.$appli.'] ' . getDolGlobalString('ADHERENT_AUTOREGISTER_NOTIF_MAIL_SUBJECT'), $to, $from, - $adh->makeSubstitution($conf->global->ADHERENT_AUTOREGISTER_NOTIF_MAIL), + $adh->makeSubstitution(getDolGlobalString('ADHERENT_AUTOREGISTER_NOTIF_MAIL')), array(), array(), array(), From 5a8aff9e7915513a23f4d8474dd1b6c407866f09 Mon Sep 17 00:00:00 2001 From: ldestailleur Date: Tue, 2 Sep 2025 22:37:08 +0200 Subject: [PATCH 4/4] Sec: Update doc to trigger alert of vulnerability fix in commit bb0974add9cb746c2f1723a239bbaf50561251c6 --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4e5b1b12de4..a0988a8e5c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,7 +5,7 @@ English Dolibarr ChangeLog ***** ChangeLog for 21.0.4 compared to 21.0.3 ***** FIX: #35147 SQL Error on Beluga Export when ExpenseReport is enabled (#35149) FIX: error when using a code too large in dictionary -FIX: Security when using feature Advanced Target of emailing (hidden in v21, default in v22+). Possible +FIX: Security when using Advanced Target page of emailing (feature hidden in v21, default in v22+). Possible SQL injection by users with permission to make and send mass emailing.
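Review bot: `$to` reaches `new CMailFile(...)` in htdocs/public/members/new.php without any validity check in the visible lines, although it is still built with `$adh->makeSubstitution()`. The hunk header shows this is the `$action == 'add'` branch where no permission test is required, and makeSubstitution presumably expands placeholders with fields of the member record just submitted, so form input could end up in the recipient header if the configured address contains a substitution key. Checking the result first, for example `if (isValidEmail($to)) { ... }` around the mail construction, would keep the notification limited to a well-formed address. The block starts outside the hunk, so an earlier guard may already exist there.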