Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-16 22:41:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: bug #232

Browse Source 
Multiple Cross-Site-Scripting vulnerabilities
This commit is contained in:
Regis Houssin
2011-11-08 15:04:10 +01:00
parent f0c327c070
commit e8fcda3303
2 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/security.lib.php
View File

@@ -237,7 +237,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
} }
// Login // Login
$login = (!empty($lastuser)?$lastuser:(GETPOST("username")?GETPOST("username"):$demologin)); $login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
$password = $demopassword; $password = $demopassword;
// Show logo (search in order: small company logo, large company logo, theme logo, common logo) // Show logo (search in order: small company logo, large company logo, theme logo, common logo)

12
htdocs/main.inc.php
View File

@@ -338,7 +338,7 @@ if (! defined('NOLOGIN'))
} }
// Verification security graphic code // Verification security graphic code
if (isset($_POST["username"]) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA)) if (GETPOST("username","alpha",2) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
{ {
require_once(ARTICHOW_PATH.'Artichow.cfg.php'); require_once(ARTICHOW_PATH.'Artichow.cfg.php');
require_once(ARTICHOW.'/AntiSpam.class.php'); require_once(ARTICHOW.'/AntiSpam.class.php');
@@ -352,7 +352,7 @@ if (! defined('NOLOGIN'))
$langs->load('main'); $langs->load('main');
$langs->load('errors'); $langs->load('errors');
$user->trigger_mesg='ErrorBadValueForCode - login='.$_POST["username"]; $user->trigger_mesg='ErrorBadValueForCode - login='.GETPOST("username","alpha",2);
$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode"); $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode");
$test=false; $test=false;
@@ -365,7 +365,7 @@ if (! defined('NOLOGIN'))
} }
} }
$usertotest = (! empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : $_POST["username"]); $usertotest = (! empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username","alpha",2));
$passwordtotest = (! empty($_COOKIE['password_dolibarr']) ? $_COOKIE['password_dolibarr'] : $_POST["password"]); $passwordtotest = (! empty($_COOKIE['password_dolibarr']) ? $_COOKIE['password_dolibarr'] : $_POST["password"]);
$entitytotest = (! empty($_POST["entity"]) ? $_POST["entity"] : 1); $entitytotest = (! empty($_POST["entity"]) ? $_POST["entity"] : 1);
@@ -374,7 +374,7 @@ if (! defined('NOLOGIN'))
// If error, we will put error message in session under the name dol_loginmesg // If error, we will put error message in session under the name dol_loginmesg
$goontestloop=false; $goontestloop=false;
if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true; if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
if (isset($_POST["username"]) || ! empty($_COOKIE['login_dolibarr']) || GETPOST('openid_mode','alpha',1)) $goontestloop=true; if (GETPOST("username","alpha",2) || ! empty($_COOKIE['login_dolibarr']) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
if ($test && $goontestloop) if ($test && $goontestloop)
{ {
@@ -406,13 +406,13 @@ if (! defined('NOLOGIN'))
$langs->load('errors'); $langs->load('errors');
// Bad password. No authmode has found a good password. // Bad password. No authmode has found a good password.
$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"]; $user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword"); $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
// Appel des triggers // Appel des triggers
include_once(DOL_DOCUMENT_ROOT . "/core/class/interfaces.class.php"); include_once(DOL_DOCUMENT_ROOT . "/core/class/interfaces.class.php");
$interface=new Interfaces($db); $interface=new Interfaces($db);
$result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,$_POST["entity"]); $result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,GETPOST("username","alpha",2));
if ($result < 0) { $error++; } if ($result < 0) { $error++; }
// Fin appel triggers // Fin appel triggers
} }