From 19dc20c51204c21d451f22feb2cb8f574dfba624 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 26 Apr 2011 21:06:45 +0000 Subject: [PATCH] Fix: A reflected cross-site scripting vulnerability can be exploited to execute arbitrary JavaScript --- htdocs/admin/menus/menu.js.php | 4 ++-- htdocs/document.php | 19 ++++++++++--------- htdocs/externalsite/frames.php | 10 +++++----- htdocs/lib/datepicker.php | 4 ++-- htdocs/lib/security.lib.php | 2 +- htdocs/main.inc.php | 17 ++++++++--------- htdocs/support/inc.php | 2 +- htdocs/theme/auguria/style.css.php | 4 ++-- htdocs/theme/bureau2crea/style.css.php | 4 ++-- htdocs/theme/eldy/style.css.php | 4 ++-- htdocs/theme/freelug/style.css.php | 4 ++-- htdocs/theme/yellow/style.css.php | 4 ++-- 12 files changed, 39 insertions(+), 39 deletions(-) diff --git a/htdocs/admin/menus/menu.js.php b/htdocs/admin/menus/menu.js.php index 0043388efc3..135e36767d0 100644 --- a/htdocs/admin/menus/menu.js.php +++ b/htdocs/admin/menus/menu.js.php @@ -49,8 +49,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,0); ?> diff --git a/htdocs/document.php b/htdocs/document.php index e7ddb7ad1be..61c0c49431c 100644 --- a/htdocs/document.php +++ b/htdocs/document.php 
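Review bot: `$conf->theme=GETPOST('theme')` on the second added line stores an arbitrary request string in a value that main.inc.php later concatenates into a file path (`$conf->css = "/theme/".$conf->theme."/style.css.php"`), and GETPOST is called with no check type, so whether `../` or quotes are stripped depends on a GETPOST default that is not visible in this patch. A theme name has a tiny legal alphabet, so constrain it before assigning regardless of what GETPOST does: `$theme=GETPOST('theme');` followed by `if ($theme && preg_match('/^[a-zA-Z0-9_-]+$/', $theme)) $conf->theme=$theme;`. The five theme/*/style.css.php hunks further down carry the identical pair of lines and would take the same guard.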
@@ -32,12 +32,7 @@ define('NOTOKENRENEWAL',1); // Disables token renewal -// Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). -$encoding = ''; -$action = isset($_GET["action"])?$_GET["action"]:''; -$original_file = isset($_GET["file"])?$_GET["file"]:''; -$modulepart = isset($_GET["modulepart"])?$_GET["modulepart"]:''; -$urlsource = isset($_GET["urlsource"])?$_GET["urlsource"]:''; +$modulepart = (!empty($_GET['modulepart'])?$_GET['modulepart']:''); // Pour autre que bittorrent, on charge environnement + info issus de logon (comme le user) if (($modulepart == 'bittorrent') && ! defined("NOLOGIN")) @@ -61,9 +56,15 @@ function llxHeader() { } require("./main.inc.php"); // Load $user and permissions require_once(DOL_DOCUMENT_ROOT.'/lib/files.lib.php'); +// Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). +$encoding = ''; +$action = GETPOST('action'); +$original_file = GETPOST('file'); +$urlsource = GETPOST('urlsource'); + // Define mime type $type = 'application/octet-stream'; -if (! empty($_GET["type"])) $type=$_GET["type"]; +if (GETPOST('type')) $type=GETPOST('type'); else $type=dol_mimetype($original_file); //print 'X'.$type.'-'.$original_file;exit; @@ -478,7 +479,7 @@ if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) { dol_syslog("Refused to deliver file ".$original_file); // Do no show plain path in shown error message - dol_print_error(0,$langs->trans("ErrorFileNameInvalid",$_GET["file"])); + dol_print_error(0,$langs->trans("ErrorFileNameInvalid",$original_file)); exit; } @@ -493,7 +494,7 @@ if ($action == 'remove_file') // Remove a file $original_file_osencoded=dol_osencode($original_file); // New file name encoded in OS encoding charset if (! file_exists($original_file_osencoded)) { - dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$_GET["file"])); + dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file)); exit; } 
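Review bot: `$modulepart` is the only parameter this commit leaves on raw `$_GET` while every other read moves to GETPOST, and nothing in the hunk says why; presumably GETPOST is not yet defined here because main.inc.php is only required further down, but to the next reader it looks like an oversight waiting to be "fixed" into a fatal error. A one-line comment above the assignment would settle it: `// Read from $_GET directly: GETPOST() is not available until main.inc.php is loaded below`. The surrounding bootstrap continues past the hunk.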
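Review bot: `if (GETPOST('type')) $type=GETPOST('type');` still lets the requester pick the MIME type of a file the server delivers; if `$type` ends up as the response Content-Type (the header() call is outside this hunk), a stored upload can be re-served as text/html in the application's origin, which is the same class of problem the commit title is fixing. The safe default is to trust only `dol_mimetype($original_file)`, and if an override has to stay, at least refuse active types: `if (GETPOST('type') && ! preg_match('/(html|xml|javascript|svg)/i', GETPOST('type'))) $type=GETPOST('type');`. How `$type` is consumed further down is not visible here, so confirm against the header() site.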
diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php index 5678d8d4945..a826416cd52 100644 --- a/htdocs/externalsite/frames.php +++ b/htdocs/externalsite/frames.php @@ -36,11 +36,11 @@ if (empty($conf->global->EXTERNALSITE_URL)) llxFooter('$Date$ - $Revision$'); } -$mainmenu=isset($_GET["mainmenu"])?$_GET["mainmenu"]:""; -$leftmenu=isset($_GET["leftmenu"])?$_GET["leftmenu"]:""; -$idmenu=isset($_GET["idmenu"])?$_GET["idmenu"]:""; -$theme=isset($_GET["theme"])?$_GET["theme"]:""; -$codelang=isset($_GET["lang"])?$_GET["lang"]:""; +$mainmenu=GETPOST('mainmenu'); +$leftmenu=GETPOST('leftmenu'); +$idmenu=GETPOST('idmenu'); +$theme=GETPOST('theme'); +$codelang=GETPOST('lang'); print " diff --git a/htdocs/lib/datepicker.php b/htdocs/lib/datepicker.php index 12c651ee7a3..3988c2d4ce1 100644 --- a/htdocs/lib/datepicker.php +++ b/htdocs/lib/datepicker.php @@ -39,7 +39,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML',1); require_once("../main.inc.php"); -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL by the main.inc.php +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL by the main.inc.php $langs->load("main"); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); @@ -53,7 +53,7 @@ $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); print ''."\n"; print ''."\n"; print ''."\n"; -if (isset($_GET["mode"]) && $_GET["mode"] == 'test') +if (GETPOST('mode') && GETPOST('mode') == 'test') { print ''."\n"; } diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php index e2a4c6940f2..9379b41ca0b 100644 --- a/htdocs/lib/security.lib.php +++ b/htdocs/lib/security.lib.php 
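Review bot: `$theme` and `$codelang` on the added lines feed the frame markup printed immediately afterwards (the print body is cut off in this view), and GETPOST is called without a check type, so any escaping rests on a GETPOST default that the patch does not show. Both values have a tiny legal alphabet, so validate them once before they reach the output: `if ($theme && ! preg_match('/^[a-zA-Z0-9_-]+$/', $theme)) $theme='';` and `if ($codelang && ! preg_match('/^[a-zA-Z_]+$/', $codelang)) $codelang='';`. `$mainmenu`, `$leftmenu` and `$idmenu` deserve the same treatment if they are interpolated into frame URLs in that print.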
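Review bot: `if (GETPOST('mode') && GETPOST('mode') == 'test')` in datepicker.php calls GETPOST twice for one comparison; the first call adds nothing, since an empty value already fails `== 'test'`, and the old `isset()` guard has no equivalent once the value is a plain string. Collapse it to `if (GETPOST('mode') == 'test')`.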
@@ -90,7 +90,7 @@ function dol_loginfunction($langs,$conf,$mysoc) global $dolibarr_main_demo,$db; global $smartphone; - $langcode=(empty($_GET["lang"])?((is_object($langs)&&$langs->defaultlang)?$langs->defaultlang:'auto'):$_GET["lang"]); + $langcode=(GETPOST('lang')?((is_object($langs)&&$langs->defaultlang)?$langs->defaultlang:'auto'):GETPOST('lang')); $langs->setDefaultLang($langcode); $langs->load("main"); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 6049738dc6d..1ef7549889e 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -261,8 +261,7 @@ if (! empty($conf->global->MAIN_SECURITY_CSRF)) // Check validity of token, only } // Disable modules (this must be after session_start and after conf has been loaded) -if (! empty($_GET["disablemodules"])) $_SESSION["disablemodules"]=$_GET["disablemodules"]; -if (! empty($_POST["disablemodules"])) $_SESSION["disablemodules"]=$_POST["disablemodules"]; +if (GETPOST('disablemodules')) $_SESSION["disablemodules"]=GETPOST('disablemodules'); if (! empty($_SESSION["disablemodules"])) { $disabled_modules=explode(',',$_SESSION["disablemodules"]); @@ -369,7 +368,7 @@ if (! defined('NOLOGIN')) // Appel des triggers include_once(DOL_DOCUMENT_ROOT . "/core/class/interfaces.class.php"); $interface=new Interfaces($db); - $result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,$_POST["entity"]); + $result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,GETPOST('entity')); if ($result < 0) { $error++; } // Fin appel triggers } @@ -664,7 +663,7 @@ if (! defined('NOLOGIN')) $conf->css = "/theme/".$conf->theme."/style.css.php"; } // Set javascript option - if (empty($_GET["nojs"])) // If javascript was not disabled on URL + if (! GETPOST('nojs')) // If javascript was not disabled on URL { if (! empty($user->conf->MAIN_DISABLE_JAVASCRIPT)) { 
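Review bot: The rewritten `$langcode` ternary on the added line inverts the original condition: the old code used the `$langs->defaultlang`/`'auto'` fallback when `lang` was empty, whereas `GETPOST('lang') ? fallback : GETPOST('lang')` uses the fallback when `lang` is supplied and hands the empty GETPOST result to `setDefaultLang()` when it is not, so a URL-forced language is ignored on the login page and the normal case gets an empty code. Negate the test: `$langcode=(! GETPOST('lang')?((is_object($langs)&&$langs->defaultlang)?$langs->defaultlang:'auto'):GETPOST('lang'));`. dol_loginfunction() continues outside the hunk.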
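Review bot: Folding the two `disablemodules` reads into one `GETPOST()` call changes which source wins when a request carries both — the removed lines let `$_POST` override `$_GET`, while now the precedence is whatever GETPOST's lookup order happens to be, which this patch does not show. The value is still written to `$_SESSION` unchecked and turned into a module list by the `explode(',')` below, so the ordering is not cosmetic. If POST-wins was intentional, restore it or document the new rule on the added line: `// GETPOST() decides precedence if both GET and POST carry disablemodules`.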
@@ -677,7 +676,7 @@ if (! defined('NOLOGIN')) if (! defined('NOREQUIRETRAN')) { - if (empty($_GET["lang"])) // If language was not forced on URL + if (! GETPOST('lang')) // If language was not forced on URL { // If user has chosen its own language if (! empty($user->conf->MAIN_LANG_DEFAULT)) @@ -692,7 +691,7 @@ if (! defined('NOREQUIRETRAN')) } else // If language was forced on URL { - $langs->setDefaultLang($_GET["lang"]); + $langs->setDefaultLang(GETPOST('lang')); } } @@ -887,13 +886,13 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs // Output style sheets (optioncss='print' or '') $themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1); //print 'themepath='.$themepath;exit; - print ''."\n"; + print ''."\n"; // CSS forced by modules (relative url starting with /) if (is_array($conf->css_modules)) { foreach($conf->css_modules as $cssfile) { // cssfile is an absolute path - print ''."\n"; + print ''."\n"; } } // CSS forced by page in top_htmlhead call (relative url starting with /) @@ -901,7 +900,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs { foreach($arrayofcss as $cssfile) { - print ''."\n"; + print ''."\n"; } } diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php index f04f809c587..ba4c7488a33 100644 --- a/htdocs/support/inc.php +++ b/htdocs/support/inc.php @@ -146,7 +146,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6 // Defini objet langs $langs = new Translate('..',$conf); -if (isset($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); else $langs->setDefaultLang('auto'); $bc[false]=' class="bg1"'; diff --git a/htdocs/theme/auguria/style.css.php b/htdocs/theme/auguria/style.css.php index 6ea249010ba..fd6c0f16fe9 100644 --- a/htdocs/theme/auguria/style.css.php +++ b/htdocs/theme/auguria/style.css.php 
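Review bot: `$langs->setDefaultLang(GETPOST('lang'))` on the added line still passes the raw URL value to the translator with no check type, and this is the path every page runs through, so it is the natural choke point for validating a language code instead of relying on each consumer. Language codes here are letters and underscores (`fr_FR`, `auto`), so gate the call: `$forcedlang=GETPOST('lang');` followed by `if (preg_match('/^[a-zA-Z_]+$/', $forcedlang)) $langs->setDefaultLang($forcedlang);`. What setDefaultLang() does with the string (file lookup, echo) is outside this hunk, which is why the check belongs in front of it.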
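Review bot: support/inc.php reads like a standalone bootstrap (it builds its own `Translate` object and still probes `get_magic_quotes_gpc`), so `GETPOST()` on the changed line only resolves if the library defining it is required earlier in this file — that require is not in the hunk, and without it every support page dies with an undefined-function error. Please confirm the include is above, or keep `$_GET` here with an explicit whitelist such as `if (! empty($_GET['lang']) && preg_match('/^[a-zA-Z_]+$/', $_GET['lang'])) $langs->setDefaultLang($_GET['lang']);`. The move from `isset()` to truthiness also means `lang=` now selects `'auto'` instead of forcing an empty code, which looks intended but merits a word in the comment.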
@@ -50,8 +50,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,1); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); diff --git a/htdocs/theme/bureau2crea/style.css.php b/htdocs/theme/bureau2crea/style.css.php index f474988aa37..bc69d263462 100644 --- a/htdocs/theme/bureau2crea/style.css.php +++ b/htdocs/theme/bureau2crea/style.css.php @@ -49,8 +49,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,1); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php index b9426ea04cf..30f8441902a 100644 --- a/htdocs/theme/eldy/style.css.php 
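Review bot: `$conf->theme=GETPOST('theme')` in auguria/style.css.php feeds a value that this stylesheet generator presumably uses to build asset URLs inside the emitted CSS (the CSS body is outside the hunk), and GETPOST is called without a check type, so nothing visible here stops quotes, parentheses or `../` from landing in the output. Constrain the name before assigning: `$theme=GETPOST('theme');` followed by `if ($theme && preg_match('/^[a-zA-Z0-9_-]+$/', $theme)) $conf->theme=$theme;`. The bureau2crea, eldy, freelug and yellow hunks that follow contain the same two lines and need the same guard.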
+++ b/htdocs/theme/eldy/style.css.php @@ -50,8 +50,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,1); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); diff --git a/htdocs/theme/freelug/style.css.php b/htdocs/theme/freelug/style.css.php index 2e78af9fd5c..05c00eca8f2 100644 --- a/htdocs/theme/freelug/style.css.php +++ b/htdocs/theme/freelug/style.css.php @@ -49,8 +49,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,1); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); diff --git a/htdocs/theme/yellow/style.css.php b/htdocs/theme/yellow/style.css.php index fe1fe6ab01a..6c0bd890516 100644 
--- a/htdocs/theme/yellow/style.css.php +++ b/htdocs/theme/yellow/style.css.php @@ -49,8 +49,8 @@ else header('Cache-Control: no-cache'); // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1. if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); } -if (! empty($_GET["lang"])) $langs->setDefaultLang($_GET["lang"]); // If language was forced on URL -if (! empty($_GET["theme"])) $conf->theme=$_GET["theme"]; // If theme was forced on URL +if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL +if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL $langs->load("main",0,1); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left');