diff --git a/ChangeLog b/ChangeLog index dafa90b9632..20a1748af6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create FIX: Wrong Sql on getListOfTowns api method FIX: wrong user right's name to top menu "commercial" -FIX: XSS Vulnerability +FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security ***** ChangeLog for 12.0.0 compared to 11.0.0 ***** For Users: diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 15cfd9ed9db..cce441c4052 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue; if ($value == 'color' && empty($_POST['color'])) continue; if ($value == 'formula' && empty($_POST['formula'])) continue; + if ($value == 'dayrule' && empty($_POST['dayrule'])) continue; if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position' if ((!isset($_POST[$value]) || $_POST[$value] == '') && (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking')) // Fields that are not mandatory diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index f0ad4352b60..f642cd64182 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php 
@@ -177,7 +177,11 @@ $sessiontimeout = ini_get("session.gc_maxlifetime"); if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout; print ''; print ''.$langs->trans("SessionTimeOut").''; -print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"))); +if (ini_get("session.gc_probability") == 0) { + print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime"))); +} else { + print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime"))); +} print ''; print ''; print ' '.strtolower($langs->trans("Seconds")); @@ -185,7 +189,6 @@ print ''; print ''; -$sessiontimeout = ini_get("session.gc_maxlifetime"); if (empty($conf->global->MAIN_APPLICATION_TITLE)) $conf->global->MAIN_APPLICATION_TITLE = ""; print ''; print ''.$langs->trans("MAIN_APPLICATION_TITLE").''; diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 7141d875567..bf906989d16 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -679,6 +679,7 @@ class ActionComm extends CommonObject $sql = "SELECT a.id,"; $sql .= " a.id as ref,"; + $sql .= " a.entity,"; $sql .= " a.ref_ext,"; $sql .= " a.datep,"; $sql .= " a.datep2,"; @@ -715,6 +716,7 @@ class ActionComm extends CommonObject $obj = $this->db->fetch_object($resql); $this->id = $obj->id; + $this->entity = $obj->entity; $this->ref = $obj->ref; $this->ref_ext = $obj->ref_ext; diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php index 29d6f982d59..e14581f6531 100644 --- a/htdocs/compta/paiement/card.php +++ b/htdocs/compta/paiement/card.php 
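Review bot: In the new `else` branch of htdocs/admin/security_other.php, `SessionExplanation` is given a third argument, `ini_get("session.gc_maxlifetime")`, but the en_US string shown in the admin.lang section of this commit has only the two `%s` placeholders in "every %s/%s access", so that value is never displayed; either add a placeholder to the string or drop the argument. The test `ini_get("session.gc_probability") == 0` is a loose comparison on a string-or-false return, and an empty or non-numeric value compares differently under PHP 7 and PHP 8; `if ((int) ini_get("session.gc_probability") === 0) {` states the intent. The `$sessiontimeout` assignment visible at the top of the hunk already holds `session.gc_maxlifetime` and could be reused instead of calling `ini_get` again.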
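Review bot: In htdocs/comm/action/class/actioncomm.class.php the new `$this->entity = $obj->entity;` only records which entity the event belongs to; nothing in the two hunks compares it with the current entity, and the query's WHERE clause lies outside them, so it cannot be confirmed from here whether `fetch()` can return a record from another entity. If the query is not already entity-filtered, callers that base access decisions on the loaded object need to check `$this->entity` explicitly after the fetch. The same applies to the `e.entity` addition in htdocs/expedition/class/expedition.class.php. If that is the intent, a comment above the assignment such as `// loaded so callers can verify the record belongs to the current entity` would document it.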
@@ -342,7 +342,7 @@ if ($resql) print ''; print ''.$langs->trans('Bill').''; print ''.$langs->trans('Company').''; - if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)print ''.$langs->trans('Entity').''; + if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) print ''.$langs->trans('Entity').''; print ''.$langs->trans('ExpectedToPay').''; print ''.$langs->trans('PayedByThisPayment').''; print ''.$langs->trans('RemainderToPay').''; @@ -379,7 +379,7 @@ if ($resql) print ''; // Expected to pay - if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED) { + if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) { print ''; $mc->getInfo($objp->entity); print $mc->label; diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index a3cdb1747a0..d9753001db2 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1590,7 +1590,7 @@ class Contact extends CommonObject public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id) { $tables = array( - 'socpeople' + 'socpeople', 'societe_contacts' ); return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables); diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 52ec6048506..1ccfe9944f7 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php 
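Review bot: The two-part guard in htdocs/compta/paiement/card.php is now written out twice, once for the `Entity` column header and once for the row cell, and the table only stays aligned while both copies match. Evaluating it once, e.g. `$showentity = !empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED);`, and testing `$showentity` in both places removes that risk. Inside the guarded cell the context line `print $mc->label;` writes the entity label without escaping; if that label can be edited by users it should go through `dol_escape_htmltag()` before output. Both blocks continue outside the hunks.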
@@ -539,7 +539,7 @@ class Expedition extends CommonObject // Check parameters if (empty($id) && empty($ref) && empty($ref_ext)) return -1; - $sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed"; + $sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed"; $sql .= ", e.date_valid"; $sql .= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height"; $sql .= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery"; @@ -568,6 +568,7 @@ class Expedition extends CommonObject $obj = $this->db->fetch_object($result); $this->id = $obj->rowid; + $this->entity = $obj->entity; $this->ref = $obj->ref; $this->socid = $obj->socid; $this->ref_customer = $obj->ref_customer; diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 5e485c86dbc..84c64a23615 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -1145,6 +1145,7 @@ AvailableModules=Available app/modules ToActivateModule=To activate modules, go on setup Area (Home->Setup->Modules). SessionTimeOut=Time out for session SessionExplanation=This number guarantees that the session will never expire before this delay, if the session cleaner is done by Internal PHP session cleaner (and nothing else). Internal PHP session cleaner does not guarantee that the session will expire after this delay. It will expire, after this delay, and when the session cleaner is run, so every %s/%s access, but only during access made by other sessions (if value is 0, it means clearing of session is done only by an external process).
Note: on some servers with an external session cleaning mechanism (cron under debian, ubuntu ...), the sessions can be destroyed after a period defined by an external setup, no matter what the value entered here is.
+SessionsPurgedByExternalSystem=Sessions on this server seems to be cleaned by an external mechanism (cron under debian, ubuntu ...), probably every %s seconds (= value of parameter session.gc_maxlifetime), so changing the value here has no effect. You must ask the server administrator to change session delay.
 TriggersAvailable=Available triggers
 TriggersDesc=Triggers are files that will modify the behavior of Dolibarr workflow once copied into the directory htdocs/core/triggers. They realize new actions, activated on Dolibarr events (new company creation, invoice validation, ...).
 TriggerDisabledByName=Triggers in this file are disabled by the -NORUN suffix in their name.
diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php
index 79d52c49445..40421c3853e 100755
--- a/scripts/cron/cron_run_jobs.php
+++ b/scripts/cron/cron_run_jobs.php
@@ -176,11 +176,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) { // Force reload of setup for the current entity if ((empty($line->entity) ? 1 : $line->entity) != $conf->entity) { - dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload user and conf", LOG_DEBUG); - echo " -> we change entity so we reload user and conf"; + dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload mysoc, langs, user and conf", LOG_DEBUG); + echo " -> we change entity so we reload mysoc, langs, user and conf"; $conf->entity = (empty($line->entity) ? 1 : $line->entity); $conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings + $mysoc->setMysoc($conf); // Force recheck that user is ok for the entity to process and reload permission for entity if ($conf->entity != $user->entity && $user->entity != 0) @@ -203,6 +204,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) { } $user->getrights(); } + + // Reload langs + $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT); + if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT; + if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode); } //If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database
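Review bot: The entity switch in scripts/cron/cron_run_jobs.php now refreshes `$conf`, `$mysoc`, `$user` and `$langs` in separate steps spread over both hunks, and the same list is repeated by hand in the `dol_syslog` and `echo` strings; any entity-scoped global added later has to be remembered here, or a job runs with the previous entity's state. Moving the sequence into one helper called from this branch would keep the reload and its log message together. In the second hunk `$langs->getDefaultLang() != $langcode` compares what is presumably a resolved language code with a value that may be `'auto'`, so when no `MAIN_LANG_DEFAULT` is set the test looks always true and `setDefaultLang('auto')` runs on every entity change; a comment saying this is intended would help. The enclosing `if` block starts before the first hunk.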