Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-15 22:11:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX #yogosha5715

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-23 03:44:50 +01:00
parent e06b8bb586
commit a1366da130
7 changed files with 47 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
htdocs/comm/action/index.php
View File

@@ -115,8 +115,8 @@ if ($dateselect > 0) {
} }
// Set actioncode (this code must be same for setting actioncode into peruser, listacton and index) // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
if (GETPOST('search_actioncode', 'array')) { if (GETPOST('search_actioncode', 'array:aZ09')) {
$actioncode = GETPOST('search_actioncode', 'array', 3); $actioncode = GETPOST('search_actioncode', 'array:aZ09', 3);
if (!count($actioncode)) { if (!count($actioncode)) {
$actioncode = '0'; $actioncode = '0';
} }
@@ -669,18 +669,18 @@ if (!empty($actioncode)) {
$sql .= " AND ca.type = 'systemauto'"; $sql .= " AND ca.type = 'systemauto'";
} else { } else {
if (is_array($actioncode)) { if (is_array($actioncode)) {
$sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")";
} else { } else {
$sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")";
} }
} }
} }
} }
if ($resourceid > 0) { if ($resourceid > 0) {
$sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid);
} }
if ($pid) { if ($pid) {
$sql .= " AND a.fk_project=".$db->escape($pid); $sql .= " AND a.fk_project=".((int) $pid);
} }
if (!$user->rights->societe->client->voir && !$socid) { if (!$user->rights->societe->client->voir && !$socid) {
$sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")";

16
htdocs/comm/action/list.php
View File

@@ -429,31 +429,31 @@ if (!empty($actioncode)) {
$sql .= " AND c.type = 'systemauto'"; $sql .= " AND c.type = 'systemauto'";
} else { } else {
if (is_array($actioncode)) { if (is_array($actioncode)) {
$sql .= " AND c.code IN ('".implode("','", $actioncode)."')"; $sql .= " AND c.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")";
} else { } else {
$sql .= " AND c.code IN ('".implode("','", explode(',', $actioncode))."')"; $sql .= " AND c.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")";
} }
} }
} }
} }
if ($resourceid > 0) { if ($resourceid > 0) {
$sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid);
} }
if ($pid) { if ($pid) {
$sql .= " AND a.fk_project=".$db->escape($pid); $sql .= " AND a.fk_project=".((int) $pid);
} }
if (!$user->rights->societe->client->voir && !$socid) { if (!$user->rights->societe->client->voir && !$socid) {
$sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")";
} }
if ($socid > 0) { if ($socid > 0) {
$sql .= " AND s.rowid = ".$socid; $sql .= " AND s.rowid = ".((int) $socid);
} }
// We must filter on assignement table // We must filter on assignement table
if ($filtert > 0 || $usergroup > 0) { if ($filtert > 0 || $usergroup > 0) {
$sql .= " AND ar.fk_actioncomm = a.id AND ar.element_type='user'"; $sql .= " AND ar.fk_actioncomm = a.id AND ar.element_type='user'";
} }
if ($type) { if ($type) {
$sql .= " AND c.id = ".(int) $type; $sql .= " AND c.id = ".((int) $type);
} }
if ($search_status == '0') { if ($search_status == '0') {
$sql .= " AND a.percent = 0"; $sql .= " AND a.percent = 0";
@@ -486,10 +486,10 @@ if ($search_note) {
if ($filtert > 0 || $usergroup > 0) { if ($filtert > 0 || $usergroup > 0) {
$sql .= " AND ("; $sql .= " AND (";
if ($filtert > 0) { if ($filtert > 0) {
$sql .= "(ar.fk_element = ".$filtert." OR (ar.fk_element IS NULL AND a.fk_user_action=".$filtert."))"; // The OR is for backward compatibility $sql .= "(ar.fk_element = ".((int) $filtert)." OR (ar.fk_element IS NULL AND a.fk_user_action = ".((int) $filtert)."))"; // The OR is for backward compatibility
} }
if ($usergroup > 0) { if ($usergroup > 0) {
$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".$usergroup; $sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".((int) $usergroup);
} }
$sql .= ")"; $sql .= ")";
} }

10
htdocs/comm/action/pertype.php
View File

@@ -540,24 +540,24 @@ if (!empty($actioncode)) {
$sql .= " AND ca.type = 'systemauto'"; $sql .= " AND ca.type = 'systemauto'";
} else { } else {
if (is_array($actioncode)) { if (is_array($actioncode)) {
$sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")";
} else { } else {
$sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")";
} }
} }
} }
} }
if ($resourceid > 0) { if ($resourceid > 0) {
$sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid);
} }
if ($pid) { if ($pid) {
$sql .= " AND a.fk_project=".$db->escape($pid); $sql .= " AND a.fk_project=".((int) $pid);
} }
if (!$user->rights->societe->client->voir && !$socid) { if (!$user->rights->societe->client->voir && !$socid) {
$sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")";
} }
if ($socid > 0) { if ($socid > 0) {
$sql .= ' AND a.fk_soc = '.$socid; $sql .= ' AND a.fk_soc = '.((int) $socid);
} }
// We must filter on assignement table // We must filter on assignement table
if ($filtert > 0 || $usergroup > 0) { if ($filtert > 0 || $usergroup > 0) {

14
htdocs/comm/action/peruser.php
View File

@@ -105,8 +105,8 @@ $type = GETPOST("search_type", 'alpha') ?GETPOST("search_type", 'alpha') : GETPO
$maxprint = ((GETPOST("maxprint", 'int') != '') ?GETPOST("maxprint", 'int') : $conf->global->AGENDA_MAX_EVENTS_DAY_VIEW); $maxprint = ((GETPOST("maxprint", 'int') != '') ?GETPOST("maxprint", 'int') : $conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);
$optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print') $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print')
// Set actioncode (this code must be same for setting actioncode into peruser, listacton and index) // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
if (GETPOST('search_actioncode', 'array')) { if (GETPOST('search_actioncode', 'array:aZ09')) {
$actioncode = GETPOST('search_actioncode', 'array', 3); $actioncode = GETPOST('search_actioncode', 'array:aZ09', 3);
if (!count($actioncode)) { if (!count($actioncode)) {
$actioncode = '0'; $actioncode = '0';
} }
@@ -562,24 +562,24 @@ if (!empty($actioncode)) {
$sql .= " AND ca.type = 'systemauto'"; $sql .= " AND ca.type = 'systemauto'";
} else { } else {
if (is_array($actioncode)) { if (is_array($actioncode)) {
$sql .= " AND ca.code IN ('".implode("','", $actioncode)."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", $actioncode)."'", 1).")";
} else { } else {
$sql .= " AND ca.code IN ('".implode("','", explode(',', $actioncode))."')"; $sql .= " AND ca.code IN (".$db->sanitize("'".implode("','", explode(',', $actioncode))."'", 1).")";
} }
} }
} }
} }
if ($resourceid > 0) { if ($resourceid > 0) {
$sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".$db->escape($resourceid); $sql .= " AND r.element_type = 'action' AND r.element_id = a.id AND r.resource_id = ".((int) $resourceid);
} }
if ($pid) { if ($pid) {
$sql .= " AND a.fk_project=".$db->escape($pid); $sql .= " AND a.fk_project = ".((int) $pid);
} }
if (!$user->rights->societe->client->voir && !$socid) { if (!$user->rights->societe->client->voir && !$socid) {
$sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")"; $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".$user->id.")";
} }
if ($socid > 0) { if ($socid > 0) {
$sql .= ' AND a.fk_soc = '.$socid; $sql .= ' AND a.fk_soc = '.((int) $socid);
} }
// We must filter on assignement table // We must filter on assignement table
if ($filtert > 0 || $usergroup > 0) { if ($filtert > 0 || $usergroup > 0) {

12
htdocs/comm/mailing/class/advtargetemailing.class.php
View File

@@ -568,7 +568,7 @@ class AdvanceTargetingMailing extends CommonObject
$sqlwhere[] = " (t.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))"; $sqlwhere[] = " (t.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))";
} }
if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) { if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) {
$sqlwhere[] = " (t.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))"; $sqlwhere[] = " (t.fk_prospectlevel IN (".$this->db->sanitize("'".implode("','", $arrayquery['cust_prospect_status'])."'", 1)."))";
} }
if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) { if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) {
$sqlwhere[] = " (t.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))"; $sqlwhere[] = " (t.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))";
@@ -586,7 +586,7 @@ class AdvanceTargetingMailing extends CommonObject
$sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))"; $sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))";
} }
if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) { if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) {
$sqlwhere[] = " (t.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))"; $sqlwhere[] = " (t.default_lang IN (".$this->db->sanitize("'".implode("','", $arrayquery['cust_language'])."'", 1)."))";
} }
//Standard Extrafield feature //Standard Extrafield feature
@@ -618,7 +618,7 @@ class AdvanceTargetingMailing extends CommonObject
} }
} else { } else {
if (is_array($arrayquery['options_'.$key])) { if (is_array($arrayquery['options_'.$key])) {
$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; $sqlwhere[] = " (te.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key])."'", 1)."))";
} elseif (!empty($arrayquery['options_'.$key])) { } elseif (!empty($arrayquery['options_'.$key])) {
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
} }
@@ -703,7 +703,7 @@ class AdvanceTargetingMailing extends CommonObject
$sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))"; $sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))";
} }
if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) { if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) {
$sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))"; $sqlwhere[] = " (t.civility IN (".$this->db->sanitize("'".implode("','", $arrayquery['contact_civility'])."'", 1)."))";
} }
if ($arrayquery['contact_no_email'] != '') { if ($arrayquery['contact_no_email'] != '') {
$tmpwhere = ''; $tmpwhere = '';
@@ -762,7 +762,7 @@ class AdvanceTargetingMailing extends CommonObject
} }
} else { } else {
if (is_array($arrayquery['options_'.$key.'_cnct'])) { if (is_array($arrayquery['options_'.$key.'_cnct'])) {
$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))"; $sqlwhere[] = " (te.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key.'_cnct'])."'", 1)."))";
} elseif (!empty($arrayquery['options_'.$key.'_cnct'])) { } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) {
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
} }
@@ -860,7 +860,7 @@ class AdvanceTargetingMailing extends CommonObject
} }
} else { } else {
if (is_array($arrayquery['options_'.$key])) { if (is_array($arrayquery['options_'.$key])) {
$sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; $sqlwhere[] = " (tse.".$key." IN (".$this->db->sanitize("'".implode("','", $arrayquery['options_'.$key])."'", 1)."))";
} elseif (!empty($arrayquery['options_'.$key])) { } elseif (!empty($arrayquery['options_'.$key])) {
$sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
} }

2
htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
View File

@@ -197,7 +197,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
$sql .= " WHERE s.entity IN (".getEntity('societe').")"; $sql .= " WHERE s.entity IN (".getEntity('societe').")";
$sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''"; $sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
$sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid"; $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid";
$sql .= " AND p.ref IN ('".join("','", $this->arrayofproducts)."')"; $sql .= " AND p.ref IN (".$this->db->sanitize("'".join("','", $this->arrayofproducts)."'", 1).")";
$sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'"; $sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";
$a = parent::getNbOfRecipients($sql); $a = parent::getNbOfRecipients($sql);

15
test/phpunit/CodingPhpTest.php
View File

@@ -311,7 +311,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
//exit; //exit;
// Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request. // Check string 'IN (".xxx' or 'IN (\'.xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER); preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) { foreach ($matches as $key => $val) {
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) { if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
@@ -324,6 +324,19 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.'); $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
//exit; //exit;
// Check string 'IN (\'".xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
preg_match_all('/ IN \(\'"\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
$ok=false;
break;
}
//if ($reg[0] != 'db') $ok=false;
}
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
//exit;
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped. // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
$ok=true; $ok=true;
$matches=array(); $matches=array();