Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-07 18:18:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: XSS injection

Browse Source
This commit is contained in:
Regis Houssin
2010-11-10 20:16:31 +00:00
parent e0d9bd0836
commit 61272f0699
3 changed files with 23 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
htdocs/comm/action/index.php
View File

@@ -33,14 +33,14 @@ require_once(DOL_DOCUMENT_ROOT."/lib/date.lib.php");
require_once(DOL_DOCUMENT_ROOT."/lib/agenda.lib.php"); require_once(DOL_DOCUMENT_ROOT."/lib/agenda.lib.php");
if ($conf->projet->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php"); if ($conf->projet->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php");
$filtera = isset($_REQUEST["userasked"])?$_REQUEST["userasked"]:(isset($_REQUEST["filtera"])?$_REQUEST["filtera"]:''); $filtera = GETPOST("userasked","int")?GETPOST("userasked","int"):GETPOST("filtera","int");
$filtert = isset($_REQUEST["usertodo"])?$_REQUEST["usertodo"]:(isset($_REQUEST["filtert"])?$_REQUEST["filtert"]:''); $filtert = GETPOST("usertodo","int")?GETPOST("usertodo","int"):GETPOST("filtert","int");
$filterd = isset($_REQUEST["userdone"])?$_REQUEST["userdone"]:(isset($_REQUEST["filterd"])?$_REQUEST["filterd"]:''); $filterd = GETPOST("userdone","int")?GETPOST("userdone","int"):GETPOST("filterd","int");
$showbirthday = isset($_REQUEST["showbirthday"])?$_REQUEST["showbirthday"]:0; $showbirthday = GETPOST("showbirthday","int")?GETPOST("showbirthday","int"):0;
$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"]; $sortfield = GETPOST("sortfield");
$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"]; $sortorder = GETPOST("sortorder");
$page = isset($_GET["page"])?$_GET["page"]:$_POST["page"]; $page = GETPOST("page","int");
if ($page == -1) { $page = 0 ; } if ($page == -1) { $page = 0 ; }
$limit = $conf->liste_limit; $limit = $conf->liste_limit;
$offset = $limit * $page ; $offset = $limit * $page ;
@@ -62,12 +62,12 @@ if (! $user->rights->agenda->allactions->read || $_GET["filter"]=='mine') // If
$filterd=$user->id; $filterd=$user->id;
} }
$action=! empty($_REQUEST['action'])?$_REQUEST['action']:''; $action=GETPOST('action');
$year=! empty($_REQUEST["year"])?$_REQUEST["year"]:date("Y"); $year=GETPOST("year","int")?GETPOST("year","int"):date("Y");
$month=! empty($_REQUEST["month"])?$_REQUEST["month"]:date("m"); $month=GETPOST("month","int")?GETPOST("month","int"):date("m");
$day=! empty($_REQUEST["day"])?$_REQUEST["day"]:0; $day=GETPOST("day","int")?GETPOST("day","int"):0;
$pid=! empty($_REQUEST["projectid"])?$_REQUEST["projectid"]:0; $pid=GETPOST("projectid","int")?GETPOST("projectid","int"):0;
$status=isset($_GET["status"])?$_GET["status"]:$_POST["status"]; $status=GETPOST("status","int");
$langs->load("other"); $langs->load("other");
$langs->load("commercial"); $langs->load("commercial");

12
htdocs/lib/functions.lib.php
View File

@@ -40,14 +40,20 @@ if (! defined('ADODB_DATE_VERSION')) include_once(DOL_DOCUMENT_ROOT."/includes/a
/** /**
* Return value of a param into get or post variable * Return value of a param into get or post variable
* @param paramname Name of parameter to found * @param paramname Name of parameter to found
* @param length Length of string (security) * @param check Type of check (security)
* @return string Value found * @return string Value found
*/ */
function GETPOST($paramname,$length=0) function GETPOST($paramname,$check='')
{ {
$out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:''); $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
$out = trim($out); $out = trim($out);
if ($length > 0 && strlen($out) > $length) $out='';
if (!empty($check))
{
// Check if integer
if ($check = 'int' && is_int($out)) $out='';
}
return $out; return $out;
} }

2
htdocs/product/liste.php
View File

@@ -37,7 +37,7 @@ $sref=GETPOST("sref");
$sbarcode=GETPOST("sbarcode"); $sbarcode=GETPOST("sbarcode");
$snom=GETPOST("snom"); $snom=GETPOST("snom");
$sall=GETPOST("sall"); $sall=GETPOST("sall");
$type=GETPOST("type",1); $type=GETPOST("type","int");
$sortfield = GETPOST("sortfield"); $sortfield = GETPOST("sortfield");