From d21e5571007d2052a6b5f80a67b6f4cac693584a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 16 Aug 2019 16:41:53 +0200 Subject: [PATCH 1/3] FIX #11671 CVE-2019-15062 --- htdocs/core/actions_linkedfiles.inc.php | 8 +++----- htdocs/core/class/html.formfile.class.php | 4 ++-- htdocs/user/card.php | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 25ef74127bf..463795b66e9 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -125,8 +125,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') { require_once DOL_DOCUMENT_ROOT . '/core/class/link.class.php'; $link = new Link($db); - $link->id = $linkid; - $link->fetch(); + $link->fetch($linkid); $res = $link->delete($user); $langs->load('link'); @@ -160,8 +159,7 @@ elseif ($action == 'confirm_updateline' && GETPOST('save','alpha') && GETPOST('l require_once DOL_DOCUMENT_ROOT . '/core/class/link.class.php'; $langs->load('link'); $link = new Link($db); - $link->id = GETPOST('linkid', 'int'); - $f = $link->fetch(); + $f = $link->fetch(GETPOST('linkid', 'int')); if ($f) { $link->url = GETPOST('link', 'alpha'); @@ -169,7 +167,7 @@ elseif ($action == 'confirm_updateline' && GETPOST('save','alpha') && GETPOST('l { $link->url = 'http://' . $link->url; } - $link->label = GETPOST('label', 'alpha'); + $link->label = GETPOST('label', 'alphanohtml'); $res = $link->update($user); if (!$res) { diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 679989a75a0..05708691fab 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -1758,7 +1758,7 @@ class FormFile print $langs->trans('Link') . ': '; print ''; print ''; - print $langs->trans('Label') . ': '; + print $langs->trans('Label') . ': '; print ''; print '' . dol_print_date(dol_now(), "dayhour", "tzuser") . ''; print ''; @@ -1772,7 +1772,7 @@ class FormFile print ''; print img_picto('', 'object_globe').' '; print ''; - print $link->label; + print dol_escape_htmltag($link->label); print ''; print ''."\n"; print ''; diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 9a39518dfb4..072d7f287a3 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -318,12 +318,12 @@ if (empty($reshook)) { { $error = 0; - if (!$_POST["lastname"]) { + if (! GETPOST("lastname", 'alpha')) { setEventMessages($langs->trans("NameNotDefined"), null, 'errors'); $action = "edit"; // Go back to create page $error ++; } - if (!$_POST["login"]) { + if (! GETPOST("login", 'alpha')) { setEventMessages($langs->trans("LoginNotDefined"), null, 'errors'); $action = "edit"; // Go back to create page $error ++; From b1be6bf4f237089f34264568782a7406670cfae4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Aug 2019 01:24:54 +0200 Subject: [PATCH 2/3] FIX #11422 Can't edit his own events with standard rights --- htdocs/comm/action/class/actioncomm.class.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index fd91864af04..392cd9255d9 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1262,10 +1262,12 @@ class ActionComm extends CommonObject if (! empty($conf->dol_no_mouse_hover)) $notooltip=1; // Force disable tooltips - if ((!$user->rights->agenda->allactions->read && $this->author->id != $user->id) || (!$user->rights->agenda->myactions->read && $this->author->id == $user->id)) - $option = 'nolink'; + if ((!$user->rights->agenda->allactions->read && $this->authorid != $user->id) || (!$user->rights->agenda->myactions->read && $this->authorid == $user->id)) + { + $option = 'nolink'; + } - $label = $this->label; + $label = $this->label; if (empty($label)) $label=$this->libelle; // For backward compatibility $result=''; From 3a0057f6a30b9e0c62dfaf75e94f30ad91e8edf5 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Aug 2019 23:59:24 +0200 Subject: [PATCH 3/3] FIX too many record in sql request. Whena criteria is a filter, we must use an inner join. --- htdocs/core/lib/company.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 3f1efad3bce..6230f2a545f 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -1317,7 +1317,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon='', $noprint= if (! empty($conf->agenda->enabled)) { // Recherche histo sur actioncomm - if (is_object($objcon) && $objcon->id) { + if (is_object($objcon) && $objcon->id > 0) { $sql = "SELECT DISTINCT a.id, a.label,"; } else @@ -1340,7 +1340,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon='', $noprint= $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_actioncomm as c ON a.fk_action = c.id"; if (is_object($objcon) && $objcon->id) { - $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."actioncomm_resources as r ON a.id = r.fk_actioncomm"; + $sql.= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm_resources as r ON a.id = r.fk_actioncomm"; $sql.= " AND r.element_type = '" . $db->escape($objcon->table_element) . "' AND r.fk_element = " . $objcon->id; }