diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php
index 93224b9f04d..4d62f9139b3 100644
--- a/htdocs/core/class/rssparser.class.php
+++ b/htdocs/core/class/rssparser.class.php
@@ -49,6 +49,8 @@ class RssParser
private $_lastfetchdate; // Last successful fetch
private $_rssarray = array();
+ private $current_namespace;
+
// For parsing with xmlparser
public $stack = array(); // parser stack
private $_CONTENT_CONSTRUCTS = array('content', 'summary', 'info', 'title', 'tagline', 'copyright');
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index 17a8b7c1231..d281d85efae 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -324,10 +324,11 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$keyforsql = md5($sqlfile);
foreach ($arraysql as $i => $sql) {
if ($sql) {
- // Test if sql is allowed
+ // Test if th SQL is allowed SQL
if ($onlysqltoimportwebsite) {
- $newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql);
- // Remove all strings contents
+ $newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql); // Replace the \' seque,ce
+
+ // Remove all strings contents including the ' so we can analyse SQL instruction only later
$l = strlen($newsql);
$is = 0;
$quoteopen = 0;
@@ -348,11 +349,12 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$newsqlclean = str_replace(array("null"), '__000__', $newsqlclean);
//print $newsqlclean."
\n";
- // A very small control. This can still by bypassed by adding a second SQL request concatenated
$qualified = 0;
+
+ // A very small control. This can still by bypassed by adding a second SQL request concatenated
if (preg_match('/^--/', $newsqlclean)) {
$qualified = 1;
- } elseif (preg_match('/^UPDATE llx_website SET fk_default_home = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
+ } elseif (preg_match('/^UPDATE llx_website SET \w+ = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
$qualified = 1;
} elseif (preg_match('/^INSERT INTO llx_website_page\([a-z0-9_\s,]+\) VALUES\([0-9_\s,\+]+\);$/', $newsqlclean)) {
// Insert must match
@@ -360,11 +362,18 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$qualified = 1;
}
+ // Another check to allow some legitimate original urls
+ if (!$qualified) {
+ if (preg_match('/^UPDATE llx_website SET \w+ = \'[a-zA-Z,\s]*\' WHERE rowid = \d+;$/', $sql)) {
+ $qualified = 1;
+ }
+ }
+
if (!$qualified) {
$error++;
//print 'Request '.($i + 1)." contains non allowed instructions.
\n";
//print "newsqlclean = ".$newsqlclean."
\n";
- dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_DEBUG);
+ dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_WARNING);
dol_syslog('$newsqlclean='.$newsqlclean, LOG_DEBUG);
break;
}
@@ -424,6 +433,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$error++;
break;
}
+
$from = '__'.$cursor.'__';
$to = $listofinsertedrowid[$cursor];
$newsql = str_replace($from, $to, $newsql);
diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php
index 0a342d1ad62..3cfc585519c 100644
--- a/htdocs/website/class/website.class.php
+++ b/htdocs/website/class/website.class.php
@@ -1103,7 +1103,7 @@ class Website extends CommonObject
}
$line = "\n-- For Dolibarr v14+ --;\n";
- $line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->fk_default_lang)."' WHERE rowid = __WEBSITE_ID__;\n";
+ $line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->lang)."' WHERE rowid = __WEBSITE_ID__;\n";
$line .= "UPDATE llx_website SET otherlang = '".$this->db->escape($this->otherlang)."' WHERE rowid = __WEBSITE_ID__;\n";
$line .= "\n";
fputs($fp, $line);
@@ -1146,7 +1146,7 @@ class Website extends CommonObject
$object = $this;
if (empty($object->ref)) {
$this->error = 'Function importWebSite called on object not loaded (object->ref is empty)';
- return -1;
+ return -2;
}
dol_delete_dir_recursive($conf->website->dir_temp."/".$object->ref);
@@ -1155,14 +1155,14 @@ class Website extends CommonObject
$filename = basename($pathtofile);
if (!preg_match('/^website_(.*)-(.*)$/', $filename, $reg)) {
$this->errors[] = 'Bad format for filename '.$filename.'. Must be website_XXX-VERSION.';
- return -1;
+ return -3;
}
$result = dol_uncompress($pathtofile, $conf->website->dir_temp.'/'.$object->ref);
if (!empty($result['error'])) {
$this->errors[] = 'Failed to unzip file '.$pathtofile.'.';
- return -1;
+ return -4;
}
$arrayreplacement = array();
@@ -1211,7 +1211,7 @@ class Website extends CommonObject
// Load sql record
$runsql = run_sql($sqlfile, 1, '', 0, '', 'none', 0, 1, 0, 0, 1); // The maxrowid of table is searched into this function two
if ($runsql <= 0) {
- $this->errors[] = 'Failed to load sql file '.$sqlfile;
+ $this->errors[] = 'Failed to load sql file '.$sqlfile.' (ret='.$runsql.')';
$error++;
}
diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php
index 5e611053f9b..51ea6998d59 100644
--- a/htdocs/website/class/websitepage.class.php
+++ b/htdocs/website/class/websitepage.class.php
@@ -612,6 +612,8 @@ class WebsitePage extends CommonObject
*/
public function delete(User $user, $notrigger = false)
{
+ global $conf;
+
$error = 0;
// Delete all child tables
@@ -630,7 +632,7 @@ class WebsitePage extends CommonObject
}
if (!$error) {
- $result = $this->deleteCommon($user, $trigger);
+ $result = $this->deleteCommon($user, $notrigger);
if ($result <= 0) {
$error++;
}
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 1d5d0a35be1..c4e13f6f956 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2307,6 +2307,7 @@ if ($action == 'importsiteconfirm' && $usercanedit) {
if (!$error) {
$result = $object->importWebSite($fileofzip);
+
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
$action = 'importsite';
@@ -4688,7 +4689,7 @@ if ($action == 'preview' || $action == 'createfromclone' || $action == 'createpa
try {
$res = include $filephp;
if (empty($res)) {
- print "ERROR: Failed to include file '".$filephp."'. Try to edit and save page.";
+ print "ERROR: Failed to include file '".$filephp."'. Try to edit and re-save page ith this ID.";
}
} catch (Exception $e) {
print $e->getMessage();