From 3dc5ffa871226cf4a263aa6923a124e4a6711707 Mon Sep 17 00:00:00 2001 From: Alexis Algoud Date: Wed, 13 May 2015 18:05:26 +0200 Subject: [PATCH 01/10] FIX send mail, copy sendto don't read the list of contact --- htdocs/comm/propal.php | 5 ++++- htdocs/compta/facture.php | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php index 3a6f3a7ceff..ce86b84a846 100644 --- a/htdocs/comm/propal.php +++ b/htdocs/comm/propal.php @@ -434,7 +434,10 @@ if (empty($reshook)) { $from = $_POST ['fromname'] . ' <' . $_POST ['frommail'] . '>'; $replyto = $_POST ['replytoname'] . ' <' . $_POST ['replytomail'] . '>'; $message = $_POST ['message']; - $sendtocc = $_POST ['sendtocc']; + + $receivercc = GETPOST('receivercc'); + $sendtocc = ($receivercc!=='') ? $receivercc : $_POST ['sendtocc']; + $deliveryreceipt = $_POST ['deliveryreceipt']; if (dol_strlen($_POST ['subject'])) diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index 4a2b13b0069..b9805822149 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -1571,7 +1571,8 @@ if (empty($reshook)) { $from = $_POST['fromname'] . ' <' . $_POST['frommail'] . '>'; $replyto = $_POST['replytoname'] . ' <' . $_POST['replytomail'] . '>'; $message = $_POST['message']; - $sendtocc = $_POST['sendtocc']; + $receivercc = GETPOST('receivercc'); + $sendtocc = ($receivercc!=='') ? $receivercc : $_POST ['sendtocc']; $deliveryreceipt = $_POST['deliveryreceipt']; if ($action == 'send') { From a4df49f6c889716217027c218fd5a9dbc04c64d5 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 16 May 2015 17:04:36 +0200 Subject: [PATCH 02/10] Prepare packaging --- build/exe/doliwamp/doliwamp.iss | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/build/exe/doliwamp/doliwamp.iss b/build/exe/doliwamp/doliwamp.iss index 8d465cc4cbf..a837450f077 100644 --- a/build/exe/doliwamp/doliwamp.iss +++ b/build/exe/doliwamp/doliwamp.iss 
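Review bot: The Cc address chosen on the new line `$sendtocc = ($receivercc!=='') ? $receivercc : $_POST ['sendtocc'];` is never validated before it becomes a mail header, and the same is true of `$_POST['frommail']` and `$_POST['replytomail']` on the context lines above it. A check such as `if ($sendtocc !== '' && ! filter_var($sendtocc, FILTER_VALIDATE_EMAIL)) $sendtocc = '';` (applied per element if the free-text field is meant to accept a comma-separated list) would drop a malformed or multi-line value instead of sending it. Separately, `GETPOST('receivercc')` is the combo box's raw submitted value; if its "none" option submits `-1`, as the later patches in this series assume, that non-empty string wins the ternary and is used as the Cc address while the typed value is ignored. The facture.php hunk of this patch adds the identical lines and shares both problems.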
@@ -108,11 +108,7 @@ Source: "C:\Program Files\Wamp\bin\mysql\mysql5.0.45\*.*"; DestDir: "{app}\bin\m ; Mysql data files (does not overwrite if exists) Source: "build\exe\doliwamp\mysql\*.*"; DestDir: "{app}\bin\mysql\data\mysql"; Flags: onlyifdoesntexist ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db" ; Dolibarr -<<<<<<< HEAD -Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,nltechno*\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" -======= -Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,nltechno*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" ->>>>>>> refs/remotes/origin/3.5 +Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,nltechno*\*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php" Source: "dev\*.*"; DestDir: 
"{app}\www\dolibarr\dev"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,dbmodel\*,fpdf\*,initdata\*,iso-normes\*,licence\*,phpcheckstyle\*,phpunit\*,samples\*,test\*,uml\*,vagrant\*,xdebug\*" Source: "doc\*.*"; DestDir: "{app}\www\dolibarr\doc"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,wiki\*,plaquette\*,dev\*,images\dolibarr_screenshot2.png,images\dolibarr_screenshot3.png,images\dolibarr_screenshot4.png,images\dolibarr_screenshot5.png,images\dolibarr_screenshot6.png,images\dolibarr_screenshot7.png,images\dolibarr_screenshot8.png,images\dolibarr_screenshot9.png,images\dolibarr_screenshot10.png,images\dolibarr_screenshot11.png,images\dolibarr_screenshot12.png" Source: "scripts\*.*"; DestDir: "{app}\www\dolibarr\scripts"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,product\materiel.net.php,product\import-product.php" From a4031a3680241275ac3404ba3d4835a3c6ba3701 Mon Sep 17 00:00:00 2001 From: Alexis Algoud Date: Mon, 18 May 2015 18:33:17 +0200 Subject: [PATCH 03/10] if contact in sellist, it's an Id --- htdocs/comm/propal.php | 8 +++++++- htdocs/compta/facture.php | 9 ++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php index ce86b84a846..99119414971 100644 --- a/htdocs/comm/propal.php +++ b/htdocs/comm/propal.php @@ -436,7 +436,13 @@ if (empty($reshook)) { $message = $_POST ['message']; $receivercc = GETPOST('receivercc'); - $sendtocc = ($receivercc!=='') ? $receivercc : $_POST ['sendtocc']; + if($_POST ['sendtocc']!=='') { + $sendtocc = $_POST ['sendtocc'] ; + } + elseif($receivercc!=-1) { + $sendtocc = $object->client->contact_get_property($receivercc, 'email'); + } + $deliveryreceipt = $_POST ['deliveryreceipt']; diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index b9805822149..af28d80b9e9 100644 --- a/htdocs/compta/facture.php 
+++ b/htdocs/compta/facture.php @@ -1571,8 +1571,15 @@ if (empty($reshook)) { $from = $_POST['fromname'] . ' <' . $_POST['frommail'] . '>'; $replyto = $_POST['replytoname'] . ' <' . $_POST['replytomail'] . '>'; $message = $_POST['message']; + $receivercc = GETPOST('receivercc'); - $sendtocc = ($receivercc!=='') ? $receivercc : $_POST ['sendtocc']; + if($_POST ['sendtocc']!=='') { + $sendtocc = $_POST ['sendtocc'] ; + } + elseif($receivercc!=-1) { + $sendtocc = $object->client->contact_get_property($receivercc, 'email'); + } + $deliveryreceipt = $_POST['deliveryreceipt']; if ($action == 'send') { From 40ef5737fcb25bcfefb0c5f25ff348c88c7fb321 Mon Sep 17 00:00:00 2001 From: Francis Appels Date: Tue, 19 May 2015 16:34:21 +0200 Subject: [PATCH 04/10] Fix: SQL error in facturestats on no view rights table alias sc must be available when user has no rights to view customers. see where defenition line 80 --- htdocs/compta/facture/class/facturestats.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/facture/class/facturestats.class.php b/htdocs/compta/facture/class/facturestats.class.php index 4028849b5fa..d1b39da15ce 100644 --- a/htdocs/compta/facture/class/facturestats.class.php +++ b/htdocs/compta/facture/class/facturestats.class.php 
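Review bot: `$receivercc` is compared loosely with `-1` and then handed unchanged to `contact_get_property()` in the new `elseif`, although the commit message says it is an id; reading it as `$receivercc = GETPOST('receivercc', 'int');` keeps anything non-numeric out of the lookup. The two-branch form also leaves `$sendtocc` unassigned when the free-text field is empty and no contact is selected, and `$_POST ['sendtocc']!==''` emits a notice when the field is missing from the form; initialising `$sendtocc = '';` before the `if` and testing `GETPOST('sendtocc') !== ''` handles both. The selected contact's address still goes out without an address check, as in patch 01. The propal.php hunk of this patch (`@@ -436`) contains the same block, and in both files the enclosing `if (empty($reshook))` block continues outside the hunk.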
@@ -206,7 +206,7 @@ class FactureStats extends Stats $sql = "SELECT product.ref, COUNT(product.ref) as nb, SUM(tl.".$this->field_line.") as total, AVG(tl.".$this->field_line.") as avg"; $sql.= " FROM ".$this->from.", ".$this->from_line.", ".MAIN_DB_PREFIX."product as product"; - //if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; + if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE ".$this->where; $sql.= " AND f.rowid = tl.fk_facture AND tl.fk_product = product.rowid"; $sql.= " AND f.datef BETWEEN '".$this->db->idate(dol_get_first_day($year,1,false))."' AND '".$this->db->idate(dol_get_last_day($year,12,false))."'"; From a7f6bbd316e9b96216e9b2c7a065c9251c9a8907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Doursenaud?= Date: Wed, 20 May 2015 17:32:34 +0200 Subject: [PATCH 05/10] Properly escape untrusted data to prevent HTML injection. First pass for #2857 --- htdocs/adherents/liste.php | 36 ++++++++++++++++++------------------ htdocs/contact/list.php | 36 ++++++++++++++++++------------------ htdocs/contrat/liste.php | 12 ++++++------ htdocs/product/liste.php | 18 +++++++++--------- htdocs/societe/societe.php | 36 ++++++++++++++++++------------------ 5 files changed, 69 insertions(+), 69 deletions(-) diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php index 1d80c82a713..13bd3aee736 100644 --- a/htdocs/adherents/liste.php +++ b/htdocs/adherents/liste.php @@ -2,7 +2,7 @@ /* Copyright (C) 2001-2003 Rodolphe Quiedeville * Copyright (C) 2002-2003 Jean-Louis Bergamo * Copyright (C) 2004-2014 Laurent Destailleur - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
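Review bot: The restored line joins `societe_commerciaux as sc` only when `$this->socid` is empty, but the `sc` alias is consumed by `$this->where`, which is built elsewhere in the class (the commit message points at line 80); the two conditions must stay identical, otherwise the query either references `sc` without the join or joins it unfiltered and multiplies every row. A comment on the new line, `// Must use the same condition as the one that references sc when $this->where is built`, would make that coupling visible to the next editor. `$user` is also read here without a `global $user;` visible in the hunk; if the method does not declare it above, `$user->rights` is null and the condition degrades to `!$this->socid` with a notice. The method's body continues outside the hunk.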
@@ -97,7 +97,7 @@ $sql.= ", ".MAIN_DB_PREFIX."adherent_type as t"; $sql.= " WHERE d.fk_adherent_type = t.rowid "; if ($catid > 0) $sql.= " AND cm.fk_categorie = ".$catid; if ($catid == -2) $sql.= " AND cm.fk_categorie IS NULL"; -if ($search_categ > 0) $sql.= " AND cm.fk_categorie = ".$search_categ; +if ($search_categ > 0) $sql.= " AND cm.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql.= " AND cm.fk_categorie IS NULL"; $sql.= " AND d.entity = ".$conf->entity; if ($sall) @@ -106,15 +106,15 @@ if ($sall) $scrit = explode(' ', $sall); foreach ($scrit as $crit) { $sql.=" AND ("; - if (is_numeric($sall)) $sql.= "d.rowid = ".$sall." OR "; - $sql.=" d.firstname LIKE '%".$sall."%' OR d.lastname LIKE '%".$sall."%' OR d.societe LIKE '%".$sall."%'"; - $sql.=" OR d.email LIKE '%".$sall."%' OR d.login LIKE '%".$sall."%' OR d.address LIKE '%".$sall."%'"; - $sql.=" OR d.town LIKE '%".$sall."%' OR d.note LIKE '%".$sall."%')"; + if (is_numeric($sall)) $sql.= "d.rowid = ".$db->escape($sall)." OR "; + $sql.=" d.firstname LIKE '%".$db->escape($sall)."%' OR d.lastname LIKE '%".$db->escape($sall)."%' OR d.societe LIKE '%".$db->escape($sall)."%'"; + $sql.=" OR d.email LIKE '%".$db->escape($sall)."%' OR d.login LIKE '%".$db->escape($sall)."%' OR d.address LIKE '%".$db->escape($sall)."%'"; + $sql.=" OR d.town LIKE '%".$db->escape($sall)."%' OR d.note LIKE '%".$db->escape($sall)."%')"; } } if ($type > 0) { - $sql.=" AND t.rowid=".$type; + $sql.=" AND t.rowid=".$db->escape($type); } if (isset($_GET["statut"]) || isset($_POST["statut"])) { 
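Review bot: `$db->escape()` does not protect the values this hunk splices into SQL without surrounding quotes — `cm.fk_categorie = ".$db->escape($search_categ)` and `t.rowid=".$db->escape($type)` — because it only escapes quote characters for a string literal, while a bare numeric position accepts anything that is not a quote, and the `> 0` guard does not reject a string that merely starts with a digit. An integer cast is the right fix for these lines, `if ($search_categ > 0) $sql.= " AND cm.fk_categorie = ".(int) $search_categ;` and `$sql.=" AND t.rowid=".(int) $type;`, or reading the parameters with `GETPOST('search_categ', 'int')` where they are assigned. The `d.rowid = ".$db->escape($sall)` line is already guarded by `is_numeric($sall)`, so it is the one unquoted case that is acceptable as written. The same escape-instead-of-cast pattern appears in the contact/list.php (`$search_categ`), contrat/liste.php (`$socid`), product/liste.php (`$search_categ`) and societe/societe.php (`$search_sale`, `$search_categ`) hunks of this patch, and the neighbouring `$catid` and `$fourn_id` concatenations in product/liste.php are left untouched altogether.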
@@ -188,17 +188,17 @@ if ($resql) } $param=""; - if ($statut != "") $param.="&statut=".$statut; - if ($search_nom) $param.="&search_nom=".$search_nom; - if ($search_login) $param.="&search_login=".$search_login; - if ($search_email) $param.="&search_email=".$search_email; - if ($filter) $param.="&filter=".$filter; - if ($type > 0) $param.="&type=".$type; + if ($statut != "") $param.="&statut=".htmlspecialchars($statut); + if ($search_nom) $param.="&search_nom=".htmlspecialchars($search_nom); + if ($search_login) $param.="&search_login=".htmlspecialchars($search_login); + if ($search_email) $param.="&search_email=".htmlspecialchars($search_email); + if ($filter) $param.="&filter=".htmlspecialchars($filter); + if ($type > 0) $param.="&type=".htmlspecialchars($type); print_barre_liste($titre,$page,$_SERVER["PHP_SELF"],$param,$sortfield,$sortorder,'',$num,$nbtotalofrecords); if ($sall) { - print $langs->trans("Filter")." (".$langs->trans("Ref").", ".$langs->trans("Lastname").", ".$langs->trans("Firstname").", ".$langs->trans("EMail").", ".$langs->trans("Address")." ".$langs->trans("or")." ".$langs->trans("Town")."): ".$sall; + print $langs->trans("Filter")." (".$langs->trans("Ref").", ".$langs->trans("Lastname").", ".$langs->trans("Firstname").", ".$langs->trans("EMail").", ".$langs->trans("Address")." ".$langs->trans("or")." ".$langs->trans("Town")."): ".htmlspecialchars($sall); } print '
'; @@ -236,13 +236,13 @@ if ($resql) print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; $listetype=$membertypestatic->liste_array(); @@ -252,7 +252,7 @@ if ($resql) print ' '; print ''; - print ''; + print ''; print ' '; diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 234dff307a6..6a2e2a55fe8 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -3,7 +3,7 @@ * Copyright (C) 2003 Eric Seigne * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * Copyright (C) 2013 Cédric Salvador * Copyright (C) 2013 Alexandre Spangaro * @@ -151,7 +151,7 @@ else if ($search_priv == '1') $sql .= " AND (p.priv='1' AND p.fk_user_creat=".$user->id.")"; } -if ($search_categ > 0) $sql.= " AND cs.fk_categorie = ".$search_categ; +if ($search_categ > 0) $sql.= " AND cs.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql.= " AND cs.fk_categorie IS NULL"; if ($search_lastname) { // filter on lastname 
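Review bot: `htmlspecialchars()` is the wrong encoder for the query-string fragments assembled in the adherents `@@ -188` hunk (`$param.="&search_nom=".htmlspecialchars($search_nom);` and its siblings): the fragment is later placed in an `href` by `print_barre_liste()`, so a value containing `&`, `=`, `#` or a space still terminates or splits the parameter, and HTML escaping belongs where the URL is written into markup, not inside the value. Each value should be `urlencode()`d instead, `$param.="&search_nom=".urlencode($search_nom);`, leaving the caller to escape the finished URL for its HTML context. The contact/list.php `@@ -245` hunk actually replaces existing `urlencode()` calls with `htmlspecialchars()`, which is a regression for that file; the contrat/liste.php, product/liste.php and societe/societe.php `$param` hunks need the same correction, and product/liste.php still concatenates `$fourn_id` and `$type` raw on the lines next to the ones changed.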
@@ -245,11 +245,11 @@ if ($result) { $contactstatic=new Contact($db); - $param ='&begin='.urlencode($begin).'&view='.urlencode($view).'&userid='.urlencode($userid).'&contactname='.urlencode($sall); - $param.='&type='.urlencode($type).'&view='.urlencode($view).'&search_lastname='.urlencode($search_lastname).'&search_firstname='.urlencode($search_firstname).'&search_societe='.urlencode($search_societe).'&search_email='.urlencode($search_email); - if (!empty($search_categ)) $param.='&search_categ='.$search_categ; - if ($search_status != '') $param.='&search_status='.$search_status; - if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".urlencode($search_priv); + $param ='&begin='.htmlspecialchars($begin).'&view='.htmlspecialchars($view).'&userid='.htmlspecialchars($userid).'&contactname='.htmlspecialchars($sall); + $param.='&type='.htmlspecialchars($type).'&view='.htmlspecialchars($view).'&search_lastname='.htmlspecialchars($search_lastname).'&search_firstname='.htmlspecialchars($search_firstname).'&search_societe='.htmlspecialchars($search_societe).'&search_email='.htmlspecialchars($search_email); + if (!empty($search_categ)) $param.='&search_categ='.htmlspecialchars($search_categ); + if ($search_status != '') $param.='&search_status='.htmlspecialchars($search_status); + if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".htmlspecialchars($search_priv); $num = $db->num_rows($result); $i = 0; @@ -258,7 +258,7 @@ if ($result) print ''; print ''; - print ''; + print ''; print ''; print ''; @@ -277,7 +277,7 @@ if ($result) if ($sall) { - print $langs->trans("Filter")." (".$langs->trans("Lastname").", ".$langs->trans("Firstname")." ".$langs->trans("or")." ".$langs->trans("EMail")."): ".$sall; + print $langs->trans("Filter")." (".$langs->trans("Lastname").", ".$langs->trans("Firstname")." ".$langs->trans("or")." ".$langs->trans("EMail")."): ".htmlspecialchars($sall); } print ''; 
@@ -302,36 +302,36 @@ if ($result) // Ligne des champs de filtres print ''; print ''; print ''; print ''; if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) { print ''; } print ''; print ''; print ''; print ''; if (! empty($conf->skype->enabled)) { print ''; } print ''; diff --git a/htdocs/contrat/liste.php b/htdocs/contrat/liste.php index 38576f7e764..3c350d0de03 100644 --- a/htdocs/contrat/liste.php +++ b/htdocs/contrat/liste.php @@ -78,7 +78,7 @@ $sql.= ", ".MAIN_DB_PREFIX."contrat as c"; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat"; $sql.= " WHERE c.fk_soc = s.rowid "; $sql.= " AND c.entity = ".$conf->entity; -if ($socid) $sql.= " AND s.rowid = ".$socid; +if ($socid) $sql.= " AND s.rowid = ".$db->escape($socid); if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; if ($search_nom) { $sql .= natural_search('s.nom', $search_nom); @@ -100,13 +100,13 @@ if ($resql) $num = $db->num_rows($resql); $i = 0; - print_barre_liste($langs->trans("ListOfContracts"), $page, $_SERVER["PHP_SELF"], '&search_contract='.$search_contract.'&search_nom='.$search_nom, $sortfield, $sortorder,'',$num); + print_barre_liste($langs->trans("ListOfContracts"), $page, $_SERVER["PHP_SELF"], '&search_contract='.htmlspecialchars($search_contract).'&search_nom='.htmlspecialchars($search_nom), $sortfield, $sortorder,'',$num); print '
'; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ' 
'; print ''; - $param='&search_contract='.$search_contract; - $param.='&search_nom='.$search_nom; + $param='&search_contract='.htmlspecialchars($search_contract); + $param.='&search_nom='.htmlspecialchars($search_nom); print_liste_field_titre($langs->trans("Ref"), $_SERVER["PHP_SELF"], "c.rowid","","$param",'',$sortfield,$sortorder); print_liste_field_titre($langs->trans("Company"), $_SERVER["PHP_SELF"], "s.nom","","$param",'',$sortfield,$sortorder); //print_liste_field_titre($langs->trans("DateCreation"), $_SERVER["PHP_SELF"], "c.datec","","$param",'align="center"',$sortfield,$sortorder); @@ -122,10 +122,10 @@ if ($resql) print ''; print ''; print ''; print ''; print ''; //print ''; diff --git a/htdocs/product/liste.php b/htdocs/product/liste.php index 923b19e3daa..28563edc5eb 100644 --- a/htdocs/product/liste.php +++ b/htdocs/product/liste.php @@ -4,7 +4,7 @@ * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2012-2013 Marcos García * Copyright (C) 2013 Juanjo Menent - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * Copyright (C) 2013 Jean Heimburger * Copyright (C) 2013 Cédric Salvador * Copyright (C) 2013 Florian Henry @@ -181,7 +181,7 @@ else if (dol_strlen($canvas) > 0) $sql.= " AND p.canvas = '".$db->escape($canvas)."'"; if ($catid > 0) $sql.= " AND cp.fk_categorie = ".$catid; if ($catid == -2) $sql.= " AND cp.fk_categorie IS NULL"; - if ($search_categ > 0) $sql.= " AND cp.fk_categorie = ".$search_categ; + if ($search_categ > 0) $sql.= " AND cp.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql.= " AND cp.fk_categorie IS NULL"; if ($fourn_id > 0) $sql.= " AND pfp.fk_soc = ".$fourn_id; $sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,"; 
@@ -233,9 +233,9 @@ else // Displays product removal confirmation if (GETPOST('delprod')) dol_htmloutput_mesg($langs->trans("ProductDeleted",GETPOST('delprod'))); - $param="&sref=".$sref.($sbarcode?"&sbarcode=".$sbarcode:"")."&snom=".$snom."&sall=".$sall."&tosell=".$tosell."&tobuy=".$tobuy; + $param="&sref=".htmlspecialchars($sref).($sbarcode?"&sbarcode=".htmlspecialchars($sbarcode):"")."&snom=".htmlspecialchars($snom)."&sall=".htmlspecialchars($sall)."&tosell=".htmlspecialchars($tosell)."&tobuy=".htmlspecialchars($tobuy); $param.=($fourn_id?"&fourn_id=".$fourn_id:""); - $param.=($search_categ?"&search_categ=".$search_categ:""); + $param.=($search_categ?"&search_categ=".htmlspecialchars($search_categ):""); $param.=isset($type)?"&type=".$type:""; print_barre_liste($texte, $page, "liste.php", $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords); @@ -320,15 +320,15 @@ else // Lignes des champs de filtre print ''; print ''; print ''; if (! empty($conf->barcode->enabled)) { print ''; } print ''; // Barcode if (! empty($conf->barcode->enabled)) { - print ''; + print ''; } // Town print ''; // IdProf1 print ''; // IdProf2 print ''; // IdProf3 print ''; // IdProf4 print ''; // Type (customer/prospect/supplier) print '
'; - print ''; + print ''; print ''; - print ''; + print ''; print '  
'; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; @@ -510,9 +510,9 @@ else $i++; } - $param="&sref=".$sref.($sbarcode?"&sbarcode=".$sbarcode:"")."&snom=".$snom."&sall=".$sall."&tosell=".$tosell."&tobuy=".$tobuy; + $param="&sref=".htmlspecialchars($sref).($sbarcode?"&sbarcode=".htmlspecialchars($sbarcode):"")."&snom=".htmlspecialchars($snom)."&sall=".htmlspecialchars($sall)."&tosell=".htmlspecialchars($tosell)."&tobuy=".htmlspecialchars($tobuy); $param.=($fourn_id?"&fourn_id=".$fourn_id:""); - $param.=($search_categ?"&search_categ=".$search_categ:""); + $param.=($search_categ?"&search_categ=".htmlspecialchars($search_categ):""); $param.=isset($type)?"&type=".$type:""; print_barre_liste('', $page, "liste.php", $param, $sortfield, $sortorder,'',$num,$nbtotalofrecords); diff --git a/htdocs/societe/societe.php b/htdocs/societe/societe.php index 7d3e2e1a78d..8957b72581c 100644 --- a/htdocs/societe/societe.php +++ b/htdocs/societe/societe.php @@ -3,7 +3,7 @@ * Copyright (C) 2004-2013 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2012 Marcos García - * Copyright (C) 2013 Raphaël Doursenaud + * Copyright (C) 2013-2015 Raphaël Doursenaud * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -210,12 +210,12 @@ if (! $user->rights->fournisseur->lire) $sql.=" AND (s.fournisseur <> 1 OR s.cli // Insert sale filter if ($search_sale) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".$db->escape($search_sale); } // Insert categ filter if ($search_categ) { - $sql .= " AND cs.fk_categorie = ".$search_categ; + $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ); } if ($search_nom_only) { 
@@ -272,12 +272,12 @@ if ($resql) $num = $db->num_rows($resql); $i = 0; - $params = "&socname=".$socname."&search_nom=".$search_nom."&search_town=".$search_town; - $params.= ($sbarcode?"&sbarcode=".$sbarcode:""); - $params.= '&search_idprof1='.$search_idprof1; - $params.= '&search_idprof2='.$search_idprof2; - $params.= '&search_idprof3='.$search_idprof3; - $params.= '&search_idprof4='.$search_idprof4; + $params = "&socname=".htmlspecialchars($socname)."&search_nom=".htmlspecialchars($search_nom)."&search_town=".htmlspecialchars($search_town); + $params.= ($sbarcode?"&sbarcode=".htmlspecialchars($sbarcode):""); + $params.= '&search_idprof1='.htmlspecialchars($search_idprof1); + $params.= '&search_idprof2='.htmlspecialchars($search_idprof2); + $params.= '&search_idprof3='.htmlspecialchars($search_idprof3); + $params.= '&search_idprof4='.htmlspecialchars($search_idprof4); print_barre_liste($title, $page, $_SERVER["PHP_SELF"],$params,$sortfield,$sortorder,'',$num,$nbtotalofrecords); @@ -348,34 +348,34 @@ if ($resql) print ''; print ''; if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only; - print ''; + print ''; print ''; - print ''; - print ''; + print ''; + print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; From bc672c2c2365a1dd682505983d7e7ad40cd9e66b Mon Sep 17 00:00:00 2001 From: Alexis Algoud Date: Thu, 21 May 2015 11:49:10 +0200 Subject: [PATCH 06/10] FIX event for restricted user was restricted if company null --- htdocs/core/lib/security.lib.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 7416d564a1a..dd8c88162a5 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php 
@@ -446,15 +446,15 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir)) { if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined'); - $sql = "SELECT sc.fk_soc"; + + + $sql = "SELECT dbt.id"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql.= ", ".MAIN_DB_PREFIX."societe as s"; - $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON (dbt.".$dbt_keyfield." = s.rowid)"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON (sc.fk_soc = dbt.".$dbt_keyfield.")"; $sql.= " WHERE dbt.".$dbt_select." = ".$objectid; - $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield; - $sql.= " AND dbt.".$dbt_keyfield." = s.rowid"; - $sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")"; - $sql.= " AND sc.fk_user = ".$user->id; + $sql.= " AND ((s.entity IN (".getEntity($sharedelement, 1).")"; + $sql.= " AND sc.fk_user = ".$user->id." ) OR dbt.fk_soc IS NULL)"; } // If multicompany and internal users with all permissions, check user is in correct entity else if (! empty($conf->multicompany->enabled)) From 9184b08f94a7e9eaa7032ec8a1b33c4a62df68f0 Mon Sep 17 00:00:00 2001 From: Alexis Algoud Date: Thu, 21 May 2015 16:51:21 +0200 Subject: [PATCH 07/10] FIX button create payment hide if tax amount is less than 1 --- htdocs/compta/sociales/charges.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/sociales/charges.php b/htdocs/compta/sociales/charges.php index 4ea2af2c20f..b3b29026323 100644 --- a/htdocs/compta/sociales/charges.php +++ b/htdocs/compta/sociales/charges.php 
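Review bot: The new clause hard-codes `dbt.fk_soc IS NULL` while both joins use `dbt.".$dbt_keyfield."`, so for any caller whose key field is not `fk_soc` the query errors or tests an unrelated column; the line should be `$sql.= " AND sc.fk_user = ".$user->id." ) OR dbt.".$dbt_keyfield." IS NULL)";`. Since this is an authorization query, note also that the `OR ... IS NULL` branch now grants every user who has `societe->lire` without `client->voir` access to every company-less row of every table that reaches this branch of restrictedArea(), not only agenda events, and for those rows the `s.entity IN (...)` restriction is bypassed too, so entity isolation for them depends on checks outside the hunk. If that scope is intended, a comment such as `// Objects with no third party are readable by any user with societe->lire; entity is not checked for them` should say so; otherwise restrict the relaxation to the feature that needs it. `SELECT dbt.id` also assumes every such table exposes an `id` column (the removed line selected `sc.fk_soc`); selecting `dbt.".$dbt_select."` avoids that assumption, and the unchanged `" = ".$objectid` concatenation would be safer as `(int) $objectid`. restrictedArea() starts and ends outside the hunk.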
@@ -422,7 +422,7 @@ if ($id > 0) } // Emettre paiement - if ($object->paye == 0 && ((price2num($object->amount) < 0 && round($resteapayer) < 0) || (price2num($object->amount) > 0 && round($resteapayer) > 0)) && $user->rights->tax->charges->creer) + if ($object->paye == 0 && ((price2num($object->amount) < 0 && round($resteapayer) < 0) || (price2num($object->amount) > 0 && round($resteapayer,2) > 0)) && $user->rights->tax->charges->creer) { print "id&action=create\">".$langs->trans("DoPayment").""; } From 81a919e8a3c5f66e8856bfb952abf457bbee2e9c Mon Sep 17 00:00:00 2001 From: Alexis Algoud Date: Fri, 22 May 2015 09:05:38 +0200 Subject: [PATCH 08/10] round to price2num --- htdocs/compta/sociales/charges.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/sociales/charges.php b/htdocs/compta/sociales/charges.php index b3b29026323..06788131dd1 100644 --- a/htdocs/compta/sociales/charges.php +++ b/htdocs/compta/sociales/charges.php @@ -422,7 +422,7 @@ if ($id > 0) } // Emettre paiement - if ($object->paye == 0 && ((price2num($object->amount) < 0 && round($resteapayer) < 0) || (price2num($object->amount) > 0 && round($resteapayer,2) > 0)) && $user->rights->tax->charges->creer) + if ($object->paye == 0 && ((price2num($object->amount) < 0 && price2num($resteapayer, 'MT') < 0) || (price2num($object->amount) > 0 && price2num($resteapayer, 'MT') > 0)) && $user->rights->tax->charges->creer) { print "id&action=create\">".$langs->trans("DoPayment").""; } From ff6708840ddd8c30deade00ed72d7c27c5a3813a Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Fri, 22 May 2015 09:23:28 +0200 Subject: [PATCH 09/10] Fix : facturestats was not filtering on invoice type --- htdocs/compta/facture/class/facturestats.class.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/compta/facture/class/facturestats.class.php b/htdocs/compta/facture/class/facturestats.class.php index d1b39da15ce..5d8d22cfa9d 100644 
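Review bot: Patch 08 rounds `$resteapayer` with `price2num($resteapayer, 'MT')` only inside this condition, so the button's visibility and whatever the page prints as the remaining amount can disagree if the displayed value is not rounded the same way (the display code is outside the hunk). The expression has also grown long enough to obscure the symmetric sign test; hoisting `$resteapayer_rounded = price2num($resteapayer, 'MT');` above the `if` and comparing that in both branches would make it readable. This supersedes the asymmetric `round($resteapayer)` / `round($resteapayer,2)` form introduced by patch 07 on the same line.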
--- a/htdocs/compta/facture/class/facturestats.class.php +++ b/htdocs/compta/facture/class/facturestats.class.php @@ -84,6 +84,8 @@ class FactureStats extends Stats $this->where.=" AND f.fk_soc = ".$this->socid; } if ($this->userid > 0) $this->where.=' AND f.fk_user_author = '.$this->userid; + if (! empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) $this->where.= " AND f.type IN (0,1,2)"; + else $this->where.= " AND f.type IN (0,1,2,3)"; } From dcc197eb6be63a5ab5fdb9cb5fd4a2ac651e51b9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 22 May 2015 17:13:32 +0200 Subject: [PATCH 10/10] Fix bug debian 786479 --- htdocs/comm/propal.php | 22 +++++++++++++++++++++- htdocs/compta/facture.php | 28 ++++++++++++++++++++++++---- 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php index beaa24be32e..39bd54a21ac 100644 --- a/htdocs/comm/propal.php +++ b/htdocs/comm/propal.php @@ -494,6 +494,27 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G } } + if ($_POST['sendtocc']) + { + // Le destinataire a ete fourni via le champ libre + $sendtocc = $_POST['sendtocc']; + $sendtoccid = 0; + } + elseif ($_POST['receivercc'] != '-1') + { + // Recipient was provided from combo list + if ($_POST['receivercc'] == 'thirdparty') // Id of third party + { + $sendtocc = $object->client->email; + $sendtoccid = 0; + } + else // Id du contact + { + $sendtocc = $object->client->contact_get_property($_POST['receivercc'],'email'); + $sendtoccid = $_POST['receivercc']; + } + } + if (dol_strlen($sendto)) { $langs->load("commercial"); 
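Review bot: The added lines read `$conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS` inside a class method, but no `global $conf;` is visible in the hunk; if the enclosing constructor does not declare it, `$conf` is null, PHP emits a notice and the `else` branch (`f.type IN (0,1,2,3)`) is silently chosen regardless of the setting. Worth confirming, and adding `global $conf;` at the top of the method if it is missing. A short comment on the new lines, `// Type 3 invoices (presumably deposits, per the constant name) are excluded when configured as mere payments`, would explain the magic numbers. The constructor starts outside the hunk.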
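Review bot: `$_POST['receivercc']` is used raw in the new block both as the id passed to `contact_get_property()` and as the stored `$sendtoccid`, and `$_POST['sendtocc']` goes into the Cc header without any address check; reading the id with `GETPOST('receivercc', 'int')` in the `else` branch (keeping the `'thirdparty'` test on the raw value) and validating the free-text address, for example with `filter_var(..., FILTER_VALIDATE_EMAIL)`, keeps both within their expected shape. The block also leaves `$sendtocc` and `$sendtoccid` undefined when the field is empty and the combo is at `-1`, and the old `$sendtocc = $_POST['sendtocc'];` fallback is removed by the next hunk, so later code that references `$sendtocc` now sees an undefined variable in that case; initialise `$sendtocc = ''; $sendtoccid = 0;` before the `if`. `$_POST['receivercc'] != '-1'` additionally raises a notice when the form has no combo. The enclosing `if ($action == 'send' ...)` block starts and ends outside the hunk, and the facture.php `@@ -1712` hunk repeats the same block with the same issues.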
@@ -501,7 +522,6 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G $from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>'; $replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>'; $message = $_POST['message']; - $sendtocc = $_POST['sendtocc']; $deliveryreceipt = $_POST['deliveryreceipt']; if (dol_strlen($_POST['subject'])) $subject = $_POST['subject']; diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index 11a920877cd..6aa81ff4270 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -283,12 +283,12 @@ else if ($action == 'setinvoicedate' && $user->rights->facture->creer) $object->fetch($id); $old_date_lim_reglement=$object->date_lim_reglement; $date=dol_mktime(12,0,0,$_POST['invoicedatemonth'],$_POST['invoicedateday'],$_POST['invoicedateyear']); - if (empty($date)) + if (empty($date)) { setEventMessage($langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Date")),'errors'); header('Location: '.$_SERVER["PHP_SELF"].'?facid='.$id.'&action=editinvoicedate'); exit; - + } $object->date=$date; $new_date_lim_reglement=$object->calculate_date_lim_reglement(); @@ -1712,6 +1712,27 @@ if (($action == 'send' || $action == 'relance') && ! $_POST['addfile'] && ! $_PO } } + if ($_POST['sendtocc']) + { + // Le destinataire a ete fourni via le champ libre + $sendtocc = $_POST['sendtocc']; + $sendtoccid = 0; + } + elseif ($_POST['receivercc'] != '-1') + { + // Recipient was provided from combo list + if ($_POST['receivercc'] == 'thirdparty') // Id of third party + { + $sendtocc = $object->client->email; + $sendtoccid = 0; + } + else // Id du contact + { + $sendtocc = $object->client->contact_get_property($_POST['receivercc'],'email'); + $sendtoccid = $_POST['receivercc']; + } + } + if (dol_strlen($sendto)) { $langs->load("commercial"); 
@@ -1719,7 +1740,6 @@ if (($action == 'send' || $action == 'relance') && ! $_POST['addfile'] && ! $_PO $from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>'; $replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>'; $message = $_POST['message']; - $sendtocc = $_POST['sendtocc']; $deliveryreceipt = $_POST['deliveryreceipt']; if ($action == 'send') @@ -3810,7 +3830,7 @@ else if ($id > 0 || ! empty($ref)) // Linked object block $somethingshown=$object->showLinkedObjectBlock(); - if (empty($somethingshown) && ! empty($conf->commande->enabled)) + if (empty($somethingshown) && ! empty($conf->commande->enabled)) { print '
' . $langs->trans('LinkedOrder') . '';