Security: A lot of security fixes

2011-11-02 20:17:55 +01:00 · 2011-11-02 20:17:55 +01:00 · 074939b4ff
commit 074939b4ff
parent 5b5ac9cbe2
10 changed files with 36 additions and 35 deletions
--- a/htdocs/core/db/mssql.class.php
+++ b/htdocs/core/db/mssql.class.php
@ -528,8 +528,8 @@ class DoliDBMssql
 				if (! $return) $return.=' ORDER BY ';
 				else $return.=',';

-				$return.=$val;
-				if ($sortorder) $return.=' '.$sortorder;
+				$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+				if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
 			}
 			return $return;
 		}
--- a/htdocs/core/db/mysql.class.php
+++ b/htdocs/core/db/mysql.class.php
@ -509,8 +509,8 @@ class DoliDBMysql
 				if (! $return) $return.=' ORDER BY ';
 				else $return.=',';

-				$return.=$val;
-				if ($sortorder) $return.=' '.$sortorder;
+				$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+                if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
 			}
 			return $return;
 		}
--- a/htdocs/core/db/mysqli.class.php
+++ b/htdocs/core/db/mysqli.class.php
@ -522,8 +522,8 @@ class DoliDBMysqli
                if (! $return) $return.=' ORDER BY ';
                else $return.=',';

-                $return.=$val;
-                if ($sortorder) $return.=' '.$sortorder;
+				$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+                if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
            }
            return $return;
        }
--- a/htdocs/core/db/pgsql.class.php
+++ b/htdocs/core/db/pgsql.class.php
@ -666,8 +666,8 @@ class DoliDBPgsql
 				if (! $return) $return.=' ORDER BY ';
 				else $return.=',';

-				$return.=$val;
-				if ($sortorder) $return.=' '.$sortorder;
+				$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+                if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
 			}
 			return $return;
 		}
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
@ -36,6 +36,11 @@ if ($conf->ldap->enabled) require_once(DOL_DOCUMENT_ROOT."/core/class/ldap.class
 if ($conf->adherent->enabled) require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");
 if (! empty($conf->multicompany->enabled)) dol_include_once("/multicompany/class/actions_multicompany.class.php");

+$id			= GETPOST('id','int');
+$action		= GETPOST("action");
+$group		= GETPOST("group","int",3);
+$confirm	= GETPOST("confirm");
+
 // Define value to know what current user can do on users
 $canadduser=($user->admin || $user->rights->user->user->creer);
 $canreaduser=($user->admin || $user->rights->user->user->lire);
@ -48,18 +53,6 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
    $canreadgroup=($user->admin || $user->rights->user->group_advance->read);
    $caneditgroup=($user->admin || $user->rights->user->group_advance->write);
 }
-
-//Multicompany in mode transversal
-if(! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE)
-{
-    accessforbidden();
-}
-
-$id			= GETPOST("id");
-$action		= GETPOST("action");
-$group		= GETPOST("group","int",3);
-$confirm	= GETPOST("confirm");
-
 // Define value to know what current user can do on properties of edited user
 if ($id)
 {
@ -70,6 +63,12 @@ if ($id)
    || (($user->id != $id) && $user->rights->user->user->password) );
 }

+//Multicompany in mode transversal
+if(! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE)
+{
+    accessforbidden();
+}
+
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
--- a/htdocs/user/index.php
+++ b/htdocs/user/index.php
@ -36,7 +36,7 @@ $langs->load("companies");
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;

-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sall=GETPOST("sall");

 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
@ -52,6 +52,7 @@ if (! $sortorder) $sortorder="ASC";
 $userstatic=new User($db);
 $companystatic = new Societe($db);

+
 /*
 * View
 */
@ -81,8 +82,8 @@ if ($_POST["search_user"])
 {
    $sql.= " AND (u.login like '%".$_POST["search_user"]."%' OR u.name like '%".$_POST["search_user"]."%' OR u.firstname like '%".$_POST["search_user"]."%')";
 }
-if ($sall) $sql.= " AND (u.login like '%".$sall."%' OR u.name like '%".$sall."%' OR u.firstname like '%".$sall."%' OR u.email like '%".$sall."%' OR u.note like '%".$sall."%')";
-if ($sortfield) $sql.=" ORDER BY $sortfield $sortorder";
+if ($sall) $sql.= " AND (u.login like '%".$db->escape($sall)."%' OR u.name like '%".$db->escape($sall)."%' OR u.firstname like '%".$db->escape($sall)."%' OR u.email like '%".$db->escape($sall)."%' OR u.note like '%".$db->escape($sall)."%')";
+$sql.=$db->order($sortfield,$sortorder);

 $result = $db->query($sql);
 if ($result)
--- a/htdocs/user/info.php
+++ b/htdocs/user/info.php
@ -29,7 +29,7 @@ require_once(DOL_DOCUMENT_ROOT."/user/class/user.class.php");
 $langs->load("users");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id','int');
 $fuser = new User($db);
 $fuser->fetch($id);

--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@ -26,8 +26,8 @@ require("../main.inc.php");
 require_once(DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php');
 require_once(DOL_DOCUMENT_ROOT.'/user/class/user.class.php');

-$action=isset($_GET["action"])?$_GET["action"]:(isset($_POST["action"])?$_POST["action"]:"");
-$id=isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:"");
+$action=GETPOST('action');
+$id=GETPOST('id','int');

 $langs->load("companies");
 $langs->load("members");
--- a/htdocs/user/param_ihm.php
+++ b/htdocs/user/param_ihm.php
@ -32,30 +32,31 @@ $langs->load("admin");
 $langs->load("users");
 $langs->load("languages");

+$id=GETPOST('id','int');
+
 // Defini si peux lire/modifier permisssions
 $canreaduser=($user->admin || $user->rights->user->user->lire);

-if ($_REQUEST["id"])
+if ($id)
 {
-    // $user est le user qui edite, $_REQUEST["id"] est l'id de l'utilisateur edite
-    $caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer)
-    || (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
+    // $user est le user qui edite, $id est l'id de l'utilisateur edite
+    $caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
+    || (($user->id != $id) && $user->rights->user->user->creer));
 }

 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
-if ($user->id == $_REQUEST["id"])	// A user can always read its own card
+if ($user->id == $id)	// A user can always read its own card
 {
    $feature2='';
    $canreaduser=1;
 }
-$result = restrictedArea($user, 'user', $_REQUEST["id"], '', $feature2);
-if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
+$result = restrictedArea($user, 'user', $id, '', $feature2);
+if ($user->id <> $id && ! $canreaduser) accessforbidden();


-$id=! empty($_GET["id"])?$_GET["id"]:$_POST["id"];
 $dirtop = "../core/menus/standard";
 $dirleft = "../core/menus/standard";

--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@ -30,7 +30,7 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/usergroups.lib.php");
 $langs->load("users");
 $langs->load("admin");

-$id=GETPOST("id");
+$id=GETPOST('id','int');
 $action=GETPOST("action");
 $confirm=GETPOST("confirm");
 $module=GETPOST("module");