From fb3cae9ad36816326ebd10c90a775dd9ccb2d0bc Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Apr 2018 11:36:44 +0200 Subject: [PATCH 01/13] Fix translation of country for GB --- htdocs/langs/en_US/dict.lang | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/langs/en_US/dict.lang b/htdocs/langs/en_US/dict.lang index f0fa27bcbf8..81f62469896 100644 --- a/htdocs/langs/en_US/dict.lang +++ b/htdocs/langs/en_US/dict.lang @@ -5,7 +5,8 @@ CountryIT=Italy CountryES=Spain CountryDE=Germany CountryCH=Switzerland -CountryGB=Great Britain +# Warning, country code GB is for United Kingdom. UK Does not exists as country code in ISO standard. +CountryGB=United Kingdom CountryUK=United Kingdom CountryIE=Ireland CountryCN=China From 5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Apr 2018 11:55:25 +0200 Subject: [PATCH 02/13] FIX CVE-2018-10092 --- htdocs/admin/security_file.php | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 1053658b191..143cc17e46f 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php 
@@ -82,10 +82,15 @@ else if (preg_match('/del_(.*)/',$action,$reg)) else if ($action == 'updateform') { + $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND','none'); // Use GETPOST none because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe + $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM','none'); // Use GETPOST none because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" + $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command + $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params + $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','alpha'),'chaine',0,'',$conf->entity); $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','alpha'),'chaine',0,'',$conf->entity); - $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim(GETPOST('MAIN_ANTIVIRUS_COMMAND','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " - $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim(GETPOST('MAIN_ANTIVIRUS_PARAM','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " + $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand),'chaine',0,'',$conf->entity); + $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam),'chaine',0,'',$conf->entity); if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } 
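Review bot: The two `dol_string_nospecial(..., array("|", ";", "<", ">", "&"))` lines are a denylist of five shell metacharacters applied to a value that is still read raw (`'none'`), so how much this protects depends on how MAIN_ANTIVIRUS_COMMAND is later invoked, which is not visible in this hunk, and what `dol_string_nospecial` does with the third argument is also not shown here. A denylist cannot be made complete for a shell; a positive check at this boundary is more robust, e.g. `if (! is_executable($antivircommand)) { setEventMessages($langs->trans("ErrorFailedToSaveFile"), null, 'errors'); }` before `$res5` is written (pick whichever existing error key fits), with `escapeshellarg()` applied to the parameters at the point of execution. A comment on the first sanitize line stating why exactly these characters are stripped, and that the value is executed later, would help the next maintainer. The `updateform` branch continues past the end of this hunk.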
@@ -95,10 +100,10 @@ else if ($action == 'updateform') else if ($action == 'delete') { $langs->load("other"); - $file = $conf->admin->dir_temp . '/' . GETPOST('urlfile'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). + $file = $conf->admin->dir_temp . '/' . GETPOST('urlfile','alpha'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $ret=dol_delete_file($file); - if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs'); - else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors'); + if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile','alpha')), null, 'mesgs'); + else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile','alpha')), null, 'errors'); Header('Location: '.$_SERVER["PHP_SELF"]); exit; } From 6b3e5e208592bb9eaa30bac338976a01e3f79ccd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Apr 2018 12:19:23 +0200 Subject: [PATCH 03/13] FIX sanitize setup params --- htdocs/admin/agenda.php | 34 +++++---------------------- htdocs/admin/agenda_other.php | 6 ++--- htdocs/admin/agenda_reminder.php | 6 ++--- htdocs/admin/ecm.php | 4 ++-- htdocs/admin/multicurrency.php | 7 +++--- htdocs/admin/security_file.php | 31 +----------------------- htdocs/admin/security_other.php | 6 ++--- htdocs/admin/user.php | 4 ++-- htdocs/admin/usergroup.php | 4 ++-- htdocs/categories/admin/categorie.php | 4 ++-- htdocs/margin/admin/margin.php | 4 ++-- 11 files changed, 30 insertions(+), 80 deletions(-) diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php index 2c90c0ed99b..748fc7a0309 100644 --- a/htdocs/admin/agenda.php +++ b/htdocs/admin/agenda.php 
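Review bot: The `$file = $conf->admin->dir_temp . '/' . GETPOST('urlfile','alpha');` line now filters the filename, but whether the project's `'alpha'` check rejects path separators or `..` segments is not visible here, so the deletion is only as confined as that filter happens to be. Pinning the name to its basename makes the delete stay inside `dir_temp` regardless of filter semantics: `$urlfile = basename(GETPOST('urlfile','alpha'));` followed by `$file = $conf->admin->dir_temp . '/' . $urlfile;`, and reusing `$urlfile` in the two `setEventMessages` calls also avoids reading the same parameter three times.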
@@ -75,6 +75,12 @@ else if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter.x','alpha') ||GETPOST('button_removefilter','alpha')) // All tests are required to be compatible with all browsers { $search_event = ''; + $action = ''; +} + +if (GETPOST('button_search_x','alpha') || GETPOST('button_search.x','alpha') ||GETPOST('button_search','alpha')) // To avoid the save when we click on search +{ + $action = ''; } if ($action == "save" && empty($cancel)) @@ -106,34 +112,6 @@ if ($action == "save" && empty($cancel)) } } -if (preg_match('/set_(.*)/',$action,$reg)) -{ - $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); - if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) - { - Header("Location: ".$_SERVER["PHP_SELF"]); - exit; - } - else - { - dol_print_error($db); - } -} - -if (preg_match('/del_(.*)/',$action,$reg)) -{ - $code=$reg[1]; - if (dolibarr_del_const($db, $code, $conf->entity) > 0) - { - Header("Location: ".$_SERVER["PHP_SELF"]); - exit; - } - else - { - dol_print_error($db); - } -} /** diff --git a/htdocs/admin/agenda_other.php b/htdocs/admin/agenda_other.php index 54414e094d3..b6b332a4b99 100644 --- a/htdocs/admin/agenda_other.php +++ b/htdocs/admin/agenda_other.php @@ -52,10 +52,10 @@ $type = 'action'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { Header("Location: ".$_SERVER["PHP_SELF"]); @@ -67,7 +67,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) 
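Review bot: In agenda_other.php the new pattern `'/set_([a-z0-9_\-]+)/i'` is unanchored, so it matches `set_` anywhere inside `$action` and an action such as `reset_foo` would be handled as `set_foo`; the same applies to the `del_` pattern. Anchoring the match to the whole action is what the character-class tightening seems to intend: `if (preg_match('/^set_([a-z0-9_\-]+)$/i',$action,$reg))` and `if (preg_match('/^del_([a-z0-9_\-]+)$/i',$action,$reg))`. The identical regexes in agenda_reminder.php, ecm.php, multicurrency.php, security_other.php, user.php, usergroup.php, categories/admin/categorie.php and margin/admin/margin.php in this commit have the same issue. The `if` bodies continue past the end of this hunk.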
diff --git a/htdocs/admin/agenda_reminder.php b/htdocs/admin/agenda_reminder.php index 3e946dd8e60..fac49dcfcde 100644 --- a/htdocs/admin/agenda_reminder.php +++ b/htdocs/admin/agenda_reminder.php @@ -47,10 +47,10 @@ $type = 'action'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { Header("Location: ".$_SERVER["PHP_SELF"]); @@ -62,7 +62,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/admin/ecm.php b/htdocs/admin/ecm.php index dd9e748de02..2d8bd936b50 100644 --- a/htdocs/admin/ecm.php +++ b/htdocs/admin/ecm.php @@ -33,7 +33,7 @@ if (! $user->admin) accessforbidden(); /* * Action */ -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_set_const($db, $code, 1, 'chaine', 0, '', $conf->entity) > 0) @@ -47,7 +47,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/admin/multicurrency.php b/htdocs/admin/multicurrency.php index 25feceda0d1..467ffffeb41 100644 --- a/htdocs/admin/multicurrency.php +++ b/htdocs/admin/multicurrency.php 
@@ -48,10 +48,11 @@ $action = GETPOST('action', 'alpha'); */ -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; - if (dolibarr_set_const($db, $code, GETPOST($code), 'chaine', 0, '', $conf->entity) > 0) + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); + if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { header("Location: ".$_SERVER["PHP_SELF"]); exit; @@ -62,7 +63,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, 0) > 0) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 143cc17e46f..7ce087ead6f 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -51,36 +51,7 @@ if (GETPOST('sendit') && ! empty($conf->global->MAIN_UPLOAD_DOC)) dol_add_file_process($upload_dir, 0, 0, 'userfile'); } -if (preg_match('/set_(.*)/',$action,$reg)) -{ - $code=$reg[1]; - $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); - if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) - { - Header("Location: ".$_SERVER["PHP_SELF"]); - exit; - } - else - { - dol_print_error($db); - } -} - -else if (preg_match('/del_(.*)/',$action,$reg)) -{ - $code=$reg[1]; - if (dolibarr_del_const($db, $code, $conf->entity) > 0) - { - Header("Location: ".$_SERVER["PHP_SELF"]); - exit; - } - else - { - dol_print_error($db); - } -} - -else if ($action == 'updateform') +if ($action == 'updateform') { $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND','none'); // Use GETPOST none because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM','none'); // Use GETPOST none because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" 
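Review bot: In multicurrency.php the new `$value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1);` line is a behaviour change beyond filtering: the old line stored the posted value as-is, whereas the new one turns a submitted `0` or empty string into `1` because both are falsy in PHP. If any constant set from this page can legitimately be `0`, keep the posted value and only default when it is absent, e.g. `$value = GETPOST($code, 'alpha'); if ($value === '') $value = 1;`. If aligning with the other admin pages was the intent, a short comment saying that an empty value means "enable" would make that explicit. The `if` body continues past the end of this hunk.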
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index e5c66d9e24b..60d0888ed91 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php @@ -43,10 +43,10 @@ $action=GETPOST('action','alpha'); * Actions */ -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { Header("Location: ".$_SERVER["PHP_SELF"]); @@ -58,7 +58,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -else if (preg_match('/del_(.*)/',$action,$reg)) +else if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index ee5faefeaee..a7b1c5b9373 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php @@ -86,7 +86,7 @@ elseif ($action == 'setdoc') } $res = true; } -elseif (preg_match('/set_(.*)/',$action,$reg)) +elseif (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_set_const($db, $code, 1, 'chaine', 0, '', $conf->entity) > 0) @@ -100,7 +100,7 @@ elseif (preg_match('/set_(.*)/',$action,$reg)) } } -elseif (preg_match('/del_(.*)/',$action,$reg)) +elseif (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/admin/usergroup.php b/htdocs/admin/usergroup.php index 5a1cf94e59f..75497e9d19d 100644 --- a/htdocs/admin/usergroup.php +++ b/htdocs/admin/usergroup.php @@ -83,7 +83,7 @@ elseif ($action == 'setdoc') } $res = true; } -elseif (preg_match('/set_(.*)/',$action,$reg)) +elseif (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_set_const($db, $code, 1, 'chaine', 0, '', $conf->entity) > 0) 
@@ -97,7 +97,7 @@ elseif (preg_match('/set_(.*)/',$action,$reg)) } } -elseif (preg_match('/del_(.*)/',$action,$reg)) +elseif (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/categories/admin/categorie.php b/htdocs/categories/admin/categorie.php index c1564e1b892..518d8903edd 100644 --- a/htdocs/categories/admin/categorie.php +++ b/htdocs/categories/admin/categorie.php @@ -38,7 +38,7 @@ $action=GETPOST('action','aZ09'); * Actions */ -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_set_const($db, $code, 1, 'chaine', 0, '', $conf->entity) > 0) @@ -52,7 +52,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) diff --git a/htdocs/margin/admin/margin.php b/htdocs/margin/admin/margin.php index 559b5b13564..d37dfe0c83b 100644 --- a/htdocs/margin/admin/margin.php +++ b/htdocs/margin/admin/margin.php @@ -42,7 +42,7 @@ $action=GETPOST('action','alpha'); /* * Action */ -if (preg_match('/set_(.*)/',$action,$reg)) +if (preg_match('/set_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_set_const($db, $code, 1, 'yesno', 0, '', $conf->entity) > 0) @@ -56,7 +56,7 @@ if (preg_match('/set_(.*)/',$action,$reg)) } } -if (preg_match('/del_(.*)/',$action,$reg)) +if (preg_match('/del_([a-z0-9_\-]+)/i',$action,$reg)) { $code=$reg[1]; if (dolibarr_del_const($db, $code, $conf->entity) > 0) From 7ade4e37f24d6859987bb9f6232f604325633fdd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Apr 2018 12:23:49 +0200 Subject: [PATCH 04/13] FIX CVE-2018-10094 --- htdocs/adherents/list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index cae878829b7..68062b895a0 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -43,7 +43,7 @@ $toselect = GETPOST('toselect', 'array'); $result=restrictedArea($user,'adherent'); $filter=GETPOST("filter",'alpha'); -$statut=GETPOST("statut",'alpha'); +$statut=GETPOST("statut",'intcomma'); $search=GETPOST("search",'alpha'); $search_ref=GETPOST("search_ref",'alpha'); $search_lastname=GETPOST("search_lastname",'alpha'); From 1dc466e1fb687cfe647de4af891720419823ed56 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Apr 2018 12:32:19 +0200 Subject: [PATCH 05/13] FIX CVE-2018-10095 --- htdocs/adherents/cartes/carte.php | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/htdocs/adherents/cartes/carte.php b/htdocs/adherents/cartes/carte.php index 59713e20573..05b71ba1360 100644 --- a/htdocs/adherents/cartes/carte.php +++ b/htdocs/adherents/cartes/carte.php 
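Review bot: The `$statut=GETPOST("statut",'intcomma');` line relies entirely on the project's `'intcomma'` check to keep the value SQL-safe, and neither that check nor the query that later consumes `$statut` is in this hunk. Since a list of integers is expected, normalising at the use site keeps the query independent of the input filter: `$statut = implode(',', array_map('intval', array_filter(explode(',', $statut), 'strlen')));` before it is placed in an `IN (...)` clause. A comment on this line noting that the value is interpolated into SQL further down would also explain why the stricter filter matters.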
@@ -29,19 +29,18 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/modules/member/modules_cards.php'; require_once DOL_DOCUMENT_ROOT.'/core/modules/printsheet/modules_labels.php'; -$langs->load("members"); -$langs->load("errors"); +$langs->loadLangs(array("members","errors")); // Choix de l'annee d'impression ou annee courante. $now = dol_now(); $year=dol_print_date($now,'%Y'); $month=dol_print_date($now,'%m'); $day=dol_print_date($now,'%d'); -$foruserid=GETPOST('foruserid'); -$foruserlogin=GETPOST('foruserlogin'); -$mode=GETPOST('mode'); -$model=GETPOST("model"); // Doc template to use for business cards -$modellabel=GETPOST("modellabel"); // Doc template to use for address sheet +$foruserid=GETPOST('foruserid','alphanohtml'); +$foruserlogin=GETPOST('foruserlogin','alphanohtml'); +$mode=GETPOST('mode','aZ09'); +$model=GETPOST("model",'aZ09'); // Doc template to use for business cards +$modellabel=GETPOST("modellabel",'aZ09'); // Doc template to use for address sheet $mesg=''; $adherentstatic=new Adherent($db); From 41be1c3d3d3f8e2413b504ed10788434307dbee0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Apr 2018 10:22:08 +0200 Subject: [PATCH 06/13] Removed deprecated class (method setCookie already exists for that) --- htdocs/core/class/cookie.class.php | 142 ----------------------------- 1 file changed, 142 deletions(-) delete mode 100644 htdocs/core/class/cookie.class.php diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php deleted file mode 100644 index c41077f76fb..00000000000 --- a/htdocs/core/class/cookie.class.php +++ /dev/null 
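Review bot: The `$foruserid=GETPOST('foruserid','alphanohtml');` line keeps a text filter for what looks, from its name, like a numeric identifier; if it is always an id, `GETPOST('foruserid','int')` is the tighter check, though I cannot see from this hunk whether the page also accepts a non-numeric value such as a user login here (the separate `$foruserlogin` suggests it may not). A comment on the line stating the accepted shape of the value would settle that for the next reader.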
@@ -1,142 +0,0 @@ - - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -/** - * \file htdocs/core/class/cookie.class.php - * \ingroup core - * \brief File of class to manage cookies - */ - - -/** - * Class to manage cookies. - * This class is used by external module multicompany but will be removed soon only and must not be used by - * - * @deprecated PHP already provide function to read/store a cookie. No need to use a dedicated class. Also storing sensitive information into cookie is forbidden, so encryption is useless. - * If a data is sensitive, it must be stored into database (if we need a long term retention) or into session. 
- */ -class DolCookie -{ - private $_myKey; - private $_iv; - - var $myCookie; - var $myValue; - var $myExpire; - var $myPath; - var $myDomain; - var $mySecure; - var $cookie; - - /** - * Constructor - * - * @param string $key Personnal key - * @deprecated - */ - function __construct($key = '') - { - $this->_myKey = hash('sha256', $key, true); - $this->_iv = md5(md5($this->_myKey)); - $this->cookie = ""; - $this->myCookie = ""; - $this->myValue = ""; - } - - - /** - * Encrypt en create the cookie - * - * @return void - */ - private function _cryptCookie() - { - if (!empty($this->_myKey) && !empty($this->_iv)) - { - $valuecrypt = base64_encode($this->myValue); - $this->cookie = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->_myKey, $valuecrypt, MCRYPT_MODE_CBC, $this->_iv)); - } - else - { - $this->cookie = $this->myValue; - } - - setcookie($this->myCookie, $this->cookie, $this->myExpire, $this->myPath, $this->myDomain, $this->mySecure); - } - - /** - * Decrypt the cookie - * - * @return string - */ - private function _decryptCookie() - { - if (!empty($this->_myKey) && !empty($this->_iv)) - { - $this->cookie = $_COOKIE[$this->myCookie]; - $this->myValue = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->_myKey, base64_decode($this->cookie), MCRYPT_MODE_CBC, $this->_iv)); - - return(base64_decode($this->myValue)); - } - else - { - return($_COOKIE[$this->myCookie]); - } - } - - /** - * Set and create the cookie - * - * @param string $cookie Cookie name - * @param string $value Cookie value - * @param integer $expire Expiration - * @param string $path Path of cookie - * @param string $domain Domain name - * @param int $secure 0 or 1 - * @return void - */ - public function setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) - { - $this->myCookie = $cookie; - $this->myValue = $value; - $this->myExpire = $expire; - $this->myPath = $path; - $this->myDomain = $domain; - $this->mySecure = $secure; - - //print 'key='.$this->myKey.' 
name='.$this->myCookie.' value='.$this->myValue.' expire='.$this->myExpire; - - $this->_cryptCookie(); - } - - /** - * Get the cookie - * - * @param string $cookie Cookie name - * @return string Decrypted value - */ - public function getCookie($cookie) - { - $this->myCookie = $cookie; - - $decryptValue = $this->_decryptCookie(); - - return $decryptValue; - } - -} - From 0f16ccbc4add2587dd7e907f102ff7f822251251 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Apr 2018 12:03:42 +0200 Subject: [PATCH 07/13] Enhance dol_encode/dol_decode function --- htdocs/core/lib/security.lib.php | 63 ++++++++++++++++++++++++-------- test/phpunit/SecurityTest.php | 9 ++++- 2 files changed, 54 insertions(+), 18 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index a367579e1cd..d7de2ea9a92 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php 
@@ -27,44 +27,75 @@ /** - * Encode a string with base 64 algorithm + specific change - * Code of this function is useless and we should use base64_encode only instead + * Encode a string with base 64 algorithm + specific delta change. * * @param string $chain string to encode + * @param string $key rule to use for delta ('0', '1' or 'myownkey') * @return string encoded string + * @see dol_decode */ -function dol_encode($chain) +function dol_encode($chain, $key='1') { - $strlength=dol_strlen($chain); - for ($i=0; $i < $strlength; $i++) + if (is_numeric($key) && $key == '1') // rule 1 is offset of 17 for char { - $output_tab[$i] = chr(ord(substr($chain,$i,1))+17); + $strlength=dol_strlen($chain); + for ($i=0; $i < $strlength; $i++) + { + $output_tab[$i] = chr(ord(substr($chain,$i,1))+17); + } + $chain = implode("",$output_tab); + } + elseif ($key) + { + $result=''; + $strlength=dol_strlen($chain); + for ($i=0; $i < $strlength; $i++) + { + $keychar = substr($key, ($i % strlen($key))-1, 1); + $result.= chr(ord(substr($chain,$i,1))+(ord($keychar)-65)); + } + $chain=$result; } - $string_coded = base64_encode(implode("",$output_tab)); - return $string_coded; + return base64_encode($chain); } /** - * Decode a base 64 encoded + specific string. + * Decode a base 64 encoded + specific delta change. * This function is called by filefunc.inc.php at each page call. 
- * Code of this function is useless and we should use base64_decode only instead * * @param string $chain string to decode + * @param string $key rule to use for delta ('0', '1' or 'myownkey') * @return string decoded string + * @see dol_encode */ -function dol_decode($chain) +function dol_decode($chain, $key='1') { $chain = base64_decode($chain); - $strlength=dol_strlen($chain); - for($i=0; $i < $strlength;$i++) + if (is_numeric($key) && $key == '1') // rule 1 is offset of 17 for char { - $output_tab[$i] = chr(ord(substr($chain,$i,1))-17); + $strlength=dol_strlen($chain); + for ($i=0; $i < $strlength;$i++) + { + $output_tab[$i] = chr(ord(substr($chain,$i,1))-17); + } + + $chain = implode("",$output_tab); + } + elseif ($key) + { + $result=''; + $strlength=dol_strlen($chain); + for ($i=0; $i < $strlength; $i++) + { + $keychar = substr($key, ($i % strlen($key))-1, 1); + $result.= chr(ord(substr($chain, $i, 1))-(ord($keychar)-65)); + } + $chain=$result; } - $string_decoded = implode("",$output_tab); - return $string_decoded; + return $chain; } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 87a5fdeb905..7fe65f101de 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php 
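Review bot: In the rule-1 branch of both `dol_encode` and `dol_decode`, `$output_tab` is only assigned inside the loop, so an empty `$chain` reaches `implode("",$output_tab)` with an undefined variable; initialise it with `$output_tab = array();` before each loop. The key branch computes `substr($key, ($i % strlen($key))-1, 1)`, which is `-1` for `$i == 0` and therefore starts from the last key character; it round-trips because both functions do the same, but if that is intended it deserves a comment, and if not, dropping the `-1` is the fix. The loops index with `substr` byte-wise while the bound comes from `dol_strlen`; if that helper is multibyte-aware (not visible here) the loop would stop short on non-ASCII input, so `strlen` is the consistent choice. The docblocks should also state plainly that this is a reversible obfuscation (base64 plus a per-character offset) and not encryption, so nobody relies on the `$key` parameter for confidentiality.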
@@ -234,12 +234,17 @@ class SecurityTest extends PHPUnit_Framework_TestCase */ public function testEncodeDecode() { - $stringtotest="This is a string to test encode/decode"; + $stringtotest="This is a string to test encode/decode. This is a string to test encode/decode. This is a string to test encode/decode."; $encodedstring=dol_encode($stringtotest); $decodedstring=dol_decode($encodedstring); print __METHOD__." encodedstring=".$encodedstring." ".base64_encode($stringtotest)."\n"; - $this->assertEquals($stringtotest,$decodedstring); + $this->assertEquals($stringtotest,$decodedstring, 'Use dol_encode/decode with no parameter'); + + $encodedstring=dol_encode($stringtotest, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); + $decodedstring=dol_decode($encodedstring, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); + print __METHOD__." encodedstring=".$encodedstring." ".base64_encode($stringtotest)."\n"; + $this->assertEquals($stringtotest,$decodedstring, 'Use dol_encode/decode with a key parameter'); return 0; } From d8e05c90f7303fa1f0bae1d1289fac8d2f70c847 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 19 Apr 2018 12:12:19 +0200 Subject: [PATCH 08/13] Can set email in dol_print_error_email --- htdocs/core/lib/functions.lib.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 5033b6ba24c..bfab7e4a4b6 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
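Review bot: Both new assertions only check that decode inverts encode, which any pair of mutually inverse transformations (including the identity) would satisfy, so the test does not show the key actually changes the output or that the 17-offset rule is still applied. Adding `$this->assertNotEquals(base64_encode($stringtotest), $encodedstring, 'Encoded output must differ from plain base64');` after each encode, and an edge case such as `$this->assertEquals('', dol_decode(dol_encode('')), 'Empty string round-trips');`, would pin the intended behaviour. The enclosing `SecurityTest` class starts outside this hunk.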
@@ -3908,14 +3908,17 @@ function dol_print_error($db='',$error='',$errors=null) * @param string $morecss More css * @return void */ -function dol_print_error_email($prefixcode, $errormessage='', $errormessages=array(), $morecss='error') +function dol_print_error_email($prefixcode, $errormessage='', $errormessages=array(), $morecss='error', $email='') { global $langs,$conf; + if (empty($email)) $email=$conf->global->MAIN_INFO_SOCIETE_MAIL; + $langs->load("errors"); $now=dol_now(); + print '