From ee92964ef75e73632b51366b3c979a5503bf4af4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 2 Nov 2011 22:15:59 +0100
Subject: [PATCH] Security: Fix more security holes

---
 htdocs/admin/boxes.php             | 29 ++++++++++++++++++-----------
 htdocs/admin/ihm.php               |  3 +--
 htdocs/core/lib/functions.lib.php  |  3 ++-
 htdocs/core/lib/usergroups.lib.php |  2 +-
 htdocs/main.inc.php                | 11 ++++++-----
 htdocs/user/group/index.php        |  8 ++++----
 6 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php
index 45d003a6acc..8d6cdd939f3 100644
--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -28,17 +28,20 @@ include_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
 
 $langs->load("admin");
 
-if (!$user->admin)
-  accessforbidden();
+$id=GETPOST('rowid','int');
+
+if (!$user->admin) accessforbidden();
 
 // Definition des positions possibles pour les boites
 $pos_array = array(0);                             // Positions possibles pour une boite (0,1,2,...)
 $pos_name = array(0=>$langs->trans("Home"));       // Nom des positions 0=Homepage, 1=...
 $boxes = array();
 
+
 /*
  * Actions
  */
+
 if ((isset($_POST["action"]) && $_POST["action"] == 'addconst'))
 {
     dolibarr_set_const($db, "MAIN_BOXES_MAXLINES",$_POST["MAIN_BOXES_MAXLINES"],'',0,'',$conf->entity);
@@ -100,7 +103,7 @@ if ($_GET["action"] == 'delete')
 	$db->begin();
 
 	$sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
-	$sql.= " WHERE rowid=".$_GET["rowid"];
+	$sql.= " WHERE rowid=".$id;
 	$resql = $db->query($sql);
 
 	// Remove all personalized setup when a box is activated or disabled
@@ -145,7 +148,11 @@ if ($_GET["action"] == 'switch')
 }
 
 
-llxHeader();
+/*
+ * View
+ */
+
+llxHeader('',$langs->trans("Boxes"));
 
 print_fiche_titre($langs->trans("Boxes"),'','setup');
 
@@ -287,7 +294,7 @@ if ($resql)
 
 		dol_include_once($sourcefile);
 		$box=new $boxname($db,$obj->note);
-		
+
 		$enabled=true;
 		if ($box->depends && count($box->depends) > 0)
 		{
@@ -296,7 +303,7 @@ if ($resql)
 				if (empty($conf->$module->enabled)) $enabled=false;
 			}
 		}
-		
+
 		if ($enabled)
 		{
 			//if (in_array($obj->rowid, $actives) && $box->box_multiple <> 1)
@@ -307,7 +314,7 @@ if ($resql)
 			else
 			{
 				$var=!$var;
-	
+
 				if (preg_match('/^([^@]+)@([^@]+)$/i',$box->boximg))
 				{
 					$logo = $box->boximg;
@@ -316,14 +323,14 @@ if ($resql)
 				{
 					$logo=preg_replace("/^object_/i","",$box->boximg);
 				}
-	
+
 				print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
 				print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 				print '<tr '.$bc[$var].'>';
 				print '<td>'.img_object("",$logo).' '.$box->boxlabel.'</td>';
 				print '<td>' . ($obj->note?$obj->note:'&nbsp;') . '</td>';
 				print '<td>' . $sourcefile . '</td>';
-	
+
 				// Pour chaque position possible, on affiche un lien
 				// d'activation si boite non deja active pour cette position
 				print '<td>';
@@ -332,11 +339,11 @@ if ($resql)
 				print '<input type="hidden" name="boxid" value="'.$obj->rowid.'">';
 				print ' <input type="submit" class="button" name="button" value="'.$langs->trans("Activate").'">';
 				print '</td>';
-	
+
 				print '</tr></form>';
 			}
 		}
-		
+
 		$i++;
 	}
 
diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php
index e49910e2745..00192a78d8b 100644
--- a/htdocs/admin/ihm.php
+++ b/htdocs/admin/ihm.php
@@ -37,8 +37,7 @@ $langs->load("companies");
 $langs->load("products");
 $langs->load("members");
 
-if (!$user->admin)
-  accessforbidden();
+if (!$user->admin) accessforbidden();
 
 
 if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 7b9cabc1123..3ec4c3933a1 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -98,7 +98,8 @@ function GETPOST($paramname,$check='',$method=0)
         if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
         // Check if alpha
         //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
-        if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';    // Only " is dangerous because param in url can close the href= or src= and add javascript functions
+        // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+        if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
     }
 
     return $out;
diff --git a/htdocs/core/lib/usergroups.lib.php b/htdocs/core/lib/usergroups.lib.php
index d90f14fc137..ed5b6bfeed1 100644
--- a/htdocs/core/lib/usergroups.lib.php
+++ b/htdocs/core/lib/usergroups.lib.php
@@ -233,7 +233,7 @@ function show_theme($fuser,$edit=0,$foruserprofile=false)
             $url=$urltheme."/".$subdir."/thumb.png";
             if (! file_exists($file)) $url=$urltheme."/common/nophoto.jpg";
             print '<table><tr><td>';
-			print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(! empty($_GET["optioncss"])?'&optioncss='.$_GET["optioncss"]:'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
+			print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST("optioncss")?'&optioncss='.GETPOST("optioncss",'alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
 			if ($subdir == $conf->global->MAIN_THEME) $title=$langs->trans("ThemeCurrentlyActive");
 			else $title=$langs->trans("ShowPreview");
             print '<img src="'.$url.'" border="0" width="80" height="60" alt="'.$title.'" title="'.$title.'">';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 99c32fbe253..9ef7fa7db3b 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -82,8 +82,9 @@ function test_sql_and_script_inject($val, $get)
 	$sql_inj += preg_match('/union.+select/i', $val);
 	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	// For XSS Injection done by adding javascript with script
-	$sql_inj += preg_match('/<script/i', $val);
-	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
+    $sql_inj += preg_match('/<script/i', $val);
+	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
+    // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
 	return $sql_inj;
 }
@@ -867,7 +868,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
         // Output style sheets (optioncss='print' or '')
         $themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1);
         //print 'themepath='.$themepath;exit;
-		print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'').'">'."\n";
+		print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'">'."\n";
 		// CSS forced by modules (relative url starting with /)
 		if (is_array($conf->css_modules))
 		{
@@ -875,7 +876,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 			{	// cssfile is an absolute path
 				print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
                 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
-				if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+				if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 				print '">'."\n";
 			}
 		}
@@ -886,7 +887,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 			{
 				print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
                 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
-				if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+				if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 				print '">'."\n";
 			}
 		}
diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php
index 2817f7f832c..d6beab319eb 100644
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -33,7 +33,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
 
 $langs->load("users");
 
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sall=GETPOST("sall");
 
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
@@ -68,9 +68,9 @@ else
 }
 if ($_POST["search_group"])
 {
-    $sql .= " AND (g.nom LIKE '%".$_POST["search_group"]."%' OR g.note LIKE '%".$_POST["search_group"]."%')";
+    $sql .= " AND (g.nom LIKE '%".$db->escape($_POST["search_group"])."%' OR g.note LIKE '%".$db->escape($_POST["search_group"])."%')";
 }
-if ($sall) $sql.= " AND (g.nom LIKE '%".$sall."%' OR g.note LIKE '%".$sall."%')";
+if ($sall) $sql.= " AND (g.nom LIKE '%".$db->escape($sall)."%' OR g.note LIKE '%".$db->escape($sall)."%')";
 $sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec";
 $sql.= $db->order($sortfield,$sortorder);
 
@@ -80,7 +80,7 @@ if ($resql)
     $num = $db->num_rows($resql);
     $i = 0;
 
-    $param="search_group=$search_group&amp;sall=$sall";
+    $param="search_group=".$search_group."&amp;sall=".$sall;
     print '<table class="noborder" width="100%">';
     print '<tr class="liste_titre">';
     print_liste_field_titre($langs->trans("Group"),$_SERVER["PHP_SELF"],"g.nom",$param,"","",$sortfield,$sortorder);