From 83b762b681c6dfdceb809d26ce95f3667b614739 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 25 Apr 2018 16:01:06 +0200 Subject: [PATCH] FIX CVE-2018-9019 --- htdocs/accountancy/admin/accountmodel.php | 40 +++-------------- htdocs/accountancy/admin/categories.php | 2 +- htdocs/accountancy/admin/categories_list.php | 45 +++++++------------- htdocs/accountancy/admin/journals_list.php | 23 ++-------- htdocs/admin/dict.php | 14 +++--- htdocs/admin/mails_templates.php | 21 ++------- htdocs/admin/website.php | 19 +-------- htdocs/core/lib/functions.lib.php | 8 ++-- 8 files changed, 42 insertions(+), 130 deletions(-) diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index f3924f73a76..df4f5d7c3f5 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -45,7 +45,7 @@ $langs->loadLangs(array("errors","admin","companies","resource","holiday","compt $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view'; $confirm=GETPOST('confirm','alpha'); -$id=GETPOST('id','int'); +$id=31; $rowid=GETPOST('rowid','alpha'); $code=GETPOST('code','alpha'); @@ -58,8 +58,8 @@ $listoffset=GETPOST('listoffset'); $listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000; $active = 1; -$sortfield = GETPOST("sortfield",'alpha'); -$sortorder = GETPOST("sortorder",'alpha'); +$sortfield = GETPOST("sortfield",'aZ09comma'); +$sortorder = GETPOST("sortorder",'aZ09comma'); $page = GETPOST("page",'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $listlimit * $page ; @@ -84,59 +84,48 @@ $hookmanager->initHooks(array('admin')); $tabname=array(); $tabname[31]= MAIN_DB_PREFIX."accounting_system"; -$tabname[32]= MAIN_DB_PREFIX."c_accounting_category"; // Dictionary labels $tablib=array(); $tablib[31]= "Pcg_version"; -$tablib[32]= "DictionaryAccountancyCategory"; // Requests to extract data $tabsql=array(); $tabsql[31]= "SELECT s.rowid as rowid, pcg_version, s.label, s.fk_country as country_id, c.code as country_code, c.label as country, s.active FROM ".MAIN_DB_PREFIX."accounting_system as s, ".MAIN_DB_PREFIX."c_country as c WHERE s.fk_country=c.rowid and c.active=1"; -$tabsql[32]= "SELECT a.rowid as rowid, a.code as code, a.label, a.range_account, a.sens, a.category_type, a.formula, a.position as position, a.fk_country as country_id, c.code as country_code, c.label as country, a.active FROM ".MAIN_DB_PREFIX."c_accounting_category as a, ".MAIN_DB_PREFIX."c_country as c WHERE a.fk_country=c.rowid and c.active=1"; // Criteria to sort dictionaries $tabsqlsort=array(); $tabsqlsort[31]="pcg_version ASC"; -$tabsqlsort[32]="position ASC"; // Nom des champs en resultat de select pour affichage du dictionnaire $tabfield=array(); $tabfield[31]= "pcg_version,label,country_id,country"; -$tabfield[32]= "code,label,range_account,sens,category_type,formula,position,country_id,country"; // Nom des champs d'edition pour modification d'un enregistrement $tabfieldvalue=array(); $tabfieldvalue[31]= "pcg_version,label,country"; -$tabfieldvalue[32]= "code,label,range_account,sens,category_type,formula,position,country"; // Nom des champs dans la table pour insertion d'un enregistrement $tabfieldinsert=array(); $tabfieldinsert[31]= "pcg_version,label,fk_country"; -$tabfieldinsert[32]= "code,label,range_account,sens,category_type,formula,position,fk_country"; // Nom du rowid si le champ n'est pas de type autoincrement // Example: "" if id field is "rowid" and has autoincrement on // "nameoffield" if id field is not "rowid" or has not autoincrement on $tabrowid=array(); $tabrowid[31]= ""; -$tabrowid[32]= ""; // Condition to show dictionary in setup page $tabcond=array(); $tabcond[31]= ! empty($conf->accounting->enabled); -$tabcond[32]= ! empty($conf->accounting->enabled); // List of help for fields $tabhelp=array(); $tabhelp[31] = array('pcg_version'=>$langs->trans("EnterAnyCode")); -$tabhelp[32] = array('code'=>$langs->trans("EnterAnyCode")); // List of check for fields (NOT USED YET) $tabfieldcheck=array(); $tabfieldcheck[31] = array(); -$tabfieldcheck[32] = array(); // Define elementList and sourceList (used for dictionary type of contacts "llx_c_type_contact") @@ -484,7 +473,7 @@ print "
\n"; // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.urlencode($page).'&':'').'sortfield='.urlencode($sortfield).'&sortorder='.urlencode($sortorder).'&rowid='.urlencode($rowid).'&code='.urlencode($code).'&id='.urlencode($id), $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); @@ -503,24 +492,9 @@ if ($id) $sql.= " c.rowid = ".$search_country_id; } - if ($sortfield) - { - // If sort order is "country", we use country_code instead - if ($sortfield == 'country') $sortfield='country_code'; - $sql.= " ORDER BY ".$sortfield; - if ($sortorder) - { - $sql.=" ".strtoupper($sortorder); - } - $sql.=", "; - // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]); - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]); - } - else { - $sql.=" ORDER BY "; - } - $sql.=$tabsqlsort[$id]; + // If sort order is "country", we use country_code instead + if ($sortfield == 'country') $sortfield='country_code'; + $sql.=$db->order($sortfield,$sortorder); $sql.=$db->plimit($listlimit+1,$offset); //print $sql; diff --git a/htdocs/accountancy/admin/categories.php b/htdocs/accountancy/admin/categories.php index 7ab463e3179..9c40802c925 100644 --- a/htdocs/accountancy/admin/categories.php +++ b/htdocs/accountancy/admin/categories.php @@ -88,7 +88,7 @@ $formaccounting = new FormAccounting($db); llxheader('', $langs->trans('AccountingCategory')); -$linkback = ''.$langs->trans("BackToList").''; +$linkback = ''.$langs->trans("BackToList").''; print load_fiche_titre($langs->trans('AccountingCategory'), $linkback); diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index fb7561dda94..40ea103a12f 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -54,8 +54,8 @@ $listoffset=GETPOST('listoffset'); $listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000; $active = 1; -$sortfield = GETPOST("sortfield",'alpha'); -$sortorder = GETPOST("sortorder",'alpha'); +$sortfield = GETPOST("sortfield",'aZ09comma'); +$sortorder = GETPOST("sortorder",'aZ09comma'); $page = GETPOST("page",'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $listlimit * $page ; @@ -300,7 +300,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; } else { $rowidcol="rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -324,10 +324,10 @@ if ($action == $acts[0]) else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$this->db->escape($code)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'"; } $result = $db->query($sql); @@ -344,10 +344,10 @@ if ($action == $acts[1]) else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$this->db->escape($code)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'"; } $result = $db->query($sql); @@ -364,10 +364,10 @@ if ($action == 'activate_favorite') else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$this->db->escape($code)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'"; } $result = $db->query($sql); @@ -384,10 +384,10 @@ if ($action == 'disable_favorite') else { $rowidcol="rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$this->db->escape($code)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'"; } $result = $db->query($sql); @@ -437,24 +437,9 @@ if ($id) $sql.= " (a.fk_country = ".$search_country_id." OR a.fk_country = 0)"; } - if ($sortfield) - { - // If sort order is "country", we use country_code instead - if ($sortfield == 'country') $sortfield='country_code'; - $sql.= " ORDER BY ".$sortfield; - if ($sortorder) - { - $sql.=" ".strtoupper($sortorder); - } - $sql.=", "; - // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]); - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]); - } - else { - $sql.=" ORDER BY "; - } - $sql.=$tabsqlsort[$id]; + // If sort order is "country", we use country_code instead + if ($sortfield == 'country') $sortfield='country_code'; + $sql.=$db->order($sortfield,$sortorder); $sql.=$db->plimit($listlimit+1,$offset); //print $sql; @@ -793,7 +778,7 @@ if ($id) print ''; if (empty($obj->formula)) { - print ''; + print ''; print $langs->trans("ListOfAccounts"); print ''; } diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 7612e7b261a..971fdc20811 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -36,7 +36,7 @@ $langs->load("accountancy"); $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view'; $confirm=GETPOST('confirm','alpha'); -$id=GETPOST('id','int'); +$id=35; $rowid=GETPOST('rowid','alpha'); $code=GETPOST('code','alpha'); @@ -400,24 +400,9 @@ if ($id) $sql=$tabsql[$id]; $sql.= " WHERE a.entity = ".$conf->entity; - if ($sortfield) - { - // If sort order is "country", we use country_code instead - if ($sortfield == 'country') $sortfield='country_code'; - $sql.= " ORDER BY ".$sortfield; - if ($sortorder) - { - $sql.=" ".strtoupper($sortorder); - } - $sql.=", "; - // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]); - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]); - } - else { - $sql.=" ORDER BY "; - } - $sql.=$tabsqlsort[$id]; + // If sort order is "country", we use country_code instead + if ($sortfield == 'country') $sortfield='country_code'; + $sql.=$db->order($sortfield,$sortorder); $sql.=$db->plimit($listlimit+1,$offset); $fieldlist=explode(',',$tabfield[$id]); diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 438c7cd5227..72ac51e1799 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -965,14 +965,14 @@ if (empty($id)) print "
\n"; -$param = '&id='.$id; -if ($search_country_id > 0) $param.= '&search_country_id='.$search_country_id; +$param = '&id='.urlencode($id); +if ($search_country_id > 0) $param.= '&search_country_id='.urlencode($search_country_id); if ($search_code != '') $param.= '&search_code='.urlencode($search_country_id); if ($entity != '') $param.= '&entity=' . (int) $entity; $paramwithsearch = $param; -if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder; -if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield; -if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha'); +if ($sortorder) $paramwithsearch.= '&sortorder='.urlencode($sortorder); +if ($sortfield) $paramwithsearch.= '&sortfield='.urlencode($sortfield); +if (GETPOST('from')) $paramwithsearch.= '&from='.urlencode(GETPOST('from','alpha')); // Confirmation de la suppression de la ligne @@ -999,10 +999,10 @@ if ($id) { // If sort order is "country", we use country_code instead if ($sortfield == 'country') $sortfield='country_code'; - $sql.= " ORDER BY ".$sortfield; + $sql.= " ORDER BY ".$db->escape($sortfield); if ($sortorder) { - $sql.=" ".strtoupper($sortorder); + $sql.=" ".strtoupper($db->escape($sortorder)); } $sql.=", "; // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index fb2729bb77b..24bd6a7b8fe 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -430,24 +430,9 @@ if ($search_type_template != '' && $search_type_template != '-1') $sql.=natural_ if ($search_lang) $sql.=natural_search('lang', $search_lang); if ($search_fk_user != '' && $search_fk_user != '-1') $sql.=natural_search('fk_user', $search_fk_user, 2); if ($search_topic) $sql.=natural_search('topic', $search_topic); -if ($sortfield) -{ - // If sort order is "country", we use country_code instead - if ($sortfield == 'country') $sortfield='country_code'; - $sql.= " ORDER BY ".$sortfield; - if ($sortorder) - { - $sql.=" ".strtoupper($sortorder); - } - $sql.=", "; - // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]); - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]); -} -else { - $sql.=" ORDER BY "; -} -$sql.=$tabsqlsort[$id]; +// If sort order is "country", we use country_code instead +if ($sortfield == 'country') $sortfield='country_code'; +$sql.=$db->order($sortfield,$sortorder); $sql.=$db->plimit($listlimit+1,$offset); //print $sql; diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 9811052509a..e13bd4a2312 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -419,24 +419,7 @@ if ($id) { // Complete requete recherche valeurs avec critere de tri $sql=$tabsql[$id]; - - if ($sortfield) - { - // If sort order is "country", we use country_code instead - $sql.= " ORDER BY ".$sortfield; - if ($sortorder) - { - $sql.=" ".strtoupper($sortorder); - } - $sql.=", "; - // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]); - $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]); - } - else { - $sql.=" ORDER BY "; - } - $sql.=$tabsqlsort[$id]; + $sql.=$db->order($sortfield,$sortorder); $sql.=$db->plimit($limit+1, $offset); //print $sql; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 37e957c868c..a22a9675ff6 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -578,12 +578,12 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU { //var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]); - // We save search key only if: - // - not empty, or - // - if value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). + // We save search key only if $out not empty that means: + // - posted value not empty, or + // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). //if (! empty($out) || ! empty($user->default_values[$relativepathstring]['filters'][$paramname])) - if (! empty($out)) + if ($out != '') // $out = '0' like 'abc' is a search criteria to keep { $user->lastsearch_values_tmp[$relativepathstring][$paramname]=$out; }