Merge branch '12.0' of git@github.com:Dolibarr/dolibarr.git into develop

2025-12-21 17:01:19 +01:00 · 2020-05-18 15:57:29 +02:00
parent 514009ca6d ff8d22a80d
commit 88c40633d5
9 changed files with 23 additions and 9 deletions
--- a/2
+++ b/2
@@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email
 FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create
 FIX: Wrong Sql on getListOfTowns api method
 FIX: wrong user right's name to top menu "commercial"
-FIX: XSS Vulnerability
+FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security

 ***** ChangeLog for 12.0.0 compared to 11.0.0 *****
 For Users:
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
        if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue;
        if ($value == 'color' && empty($_POST['color'])) continue;
 		if ($value == 'formula' && empty($_POST['formula'])) continue;
+		if ($value == 'dayrule' && empty($_POST['dayrule'])) continue;
 		if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position'
 		if ((!isset($_POST[$value]) || $_POST[$value] == '')
        	&& (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking'))  // Fields that are not mandatory
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -177,7 +177,11 @@ $sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
 print '<tr class="oddeven">';
 print '<td>'.$langs->trans("SessionTimeOut").'</td><td class="right">';
-print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor")));
+if (ini_get("session.gc_probability") == 0) {
+	print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime")));
+} else {
+	print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime")));
+}
 print '</td>';
 print '<td class="nowrap">';
 print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.htmlentities($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds"));
@@ -185,7 +189,6 @@ print '</td>';
 print '</tr>';


-$sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_APPLICATION_TITLE)) $conf->global->MAIN_APPLICATION_TITLE = "";
 print '<tr class="oddeven">';
 print '<td>'.$langs->trans("MAIN_APPLICATION_TITLE").'</td><td class="right">';
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -679,6 +679,7 @@ class ActionComm extends CommonObject

        $sql = "SELECT a.id,";
        $sql .= " a.id as ref,";
+        $sql .= " a.entity,";
        $sql .= " a.ref_ext,";
        $sql .= " a.datep,";
        $sql .= " a.datep2,";
@@ -715,6 +716,7 @@ class ActionComm extends CommonObject
                $obj = $this->db->fetch_object($resql);

                $this->id         = $obj->id;
+				$this->entity     = $obj->entity;
                $this->ref        = $obj->ref;
                $this->ref_ext    = $obj->ref_ext;

--- a/htdocs/compta/paiement/card.php
+++ b/htdocs/compta/paiement/card.php
@@ -342,7 +342,7 @@ if ($resql)
 	print '<tr class="liste_titre">';
 	print '<td>'.$langs->trans('Bill').'</td>';
 	print '<td>'.$langs->trans('Company').'</td>';
-	if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)print '<td>'.$langs->trans('Entity').'</td>';
+	if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) print '<td>'.$langs->trans('Entity').'</td>';
 	print '<td class="right">'.$langs->trans('ExpectedToPay').'</td>';
    print '<td class="right">'.$langs->trans('PayedByThisPayment').'</td>';
    print '<td class="right">'.$langs->trans('RemainderToPay').'</td>';
@@ -379,7 +379,7 @@ if ($resql)
 			print '</td>';

 			// Expected to pay
-			if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED) {
+			if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) {
 				print '<td>';
 				$mc->getInfo($objp->entity);
 				print $mc->label;
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1590,7 +1590,7 @@ class Contact extends CommonObject
 	public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id)
 	{
 		$tables = array(
-			'socpeople'
+			'socpeople', 'societe_contacts'
 		);

 		return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables);
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -539,7 +539,7 @@ class Expedition extends CommonObject
 		// Check parameters
 		if (empty($id) && empty($ref) && empty($ref_ext)) return -1;

-		$sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
+		$sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
        $sql .= ", e.date_valid";
 		$sql .= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height";
 		$sql .= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery";
@@ -568,6 +568,7 @@ class Expedition extends CommonObject
 				$obj = $this->db->fetch_object($result);

 				$this->id                   = $obj->rowid;
+				$this->entity               = $obj->entity;
 				$this->ref                  = $obj->ref;
 				$this->socid                = $obj->socid;
 				$this->ref_customer = $obj->ref_customer;
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -1145,6 +1145,7 @@ AvailableModules=Available app/modules
 ToActivateModule=To activate modules, go on setup Area (Home->Setup->Modules).
 SessionTimeOut=Time out for session
 SessionExplanation=This number guarantees that the session will never expire before this delay, if the session cleaner is done by Internal PHP session cleaner (and nothing else). Internal PHP session cleaner does not guarantee that the session will expire after this delay. It will expire, after this delay, and when the session cleaner is run, so every <b>%s/%s</b> access, but only during access made by other sessions (if value is 0, it means clearing of session is done only by an external process).<br>Note: on some servers with an external session cleaning mechanism (cron under debian, ubuntu ...), the sessions can be destroyed after a period defined by an external setup, no matter what the value entered here is.
+SessionsPurgedByExternalSystem=Sessions on this server seems to be cleaned by an external mechanism (cron under debian, ubuntu ...), probably every <b>%s</b> seconds (= value of parameter <b>session.gc_maxlifetime</b>), so changing the value here has no effect. You must ask the server administrator to change session delay.
 TriggersAvailable=Available triggers
 TriggersDesc=Triggers are files that will modify the behavior of Dolibarr workflow once copied into the directory <b>htdocs/core/triggers</b>. They realize new actions, activated on Dolibarr events (new company creation, invoice validation, ...).
 TriggerDisabledByName=Triggers in this file are disabled by the <b>-NORUN</b> suffix in their name.
--- a/scripts/cron/cron_run_jobs.php
+++ b/scripts/cron/cron_run_jobs.php
@@ -176,11 +176,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
 		// Force reload of setup for the current entity
 		if ((empty($line->entity) ? 1 : $line->entity) != $conf->entity)
 		{
-			dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload user and conf", LOG_DEBUG);
-		    echo " -> we change entity so we reload user and conf";
+			dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload mysoc, langs, user and conf", LOG_DEBUG);
+			echo " -> we change entity so we reload mysoc, langs, user and conf";

 		    $conf->entity = (empty($line->entity) ? 1 : $line->entity);
 		    $conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings
+		    $mysoc->setMysoc($conf);

 		    // Force recheck that user is ok for the entity to process and reload permission for entity
 		    if ($conf->entity != $user->entity && $user->entity != 0)
@@ -203,6 +204,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
    		    }
    		    $user->getrights();
 		    }
+
+		    // Reload langs
+		    $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT);
+		    if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT;
+		    if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
 		}

 		//If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database