From 7cdd334995a855982c936f7e0ead519f8afa7573 Mon Sep 17 00:00:00 2001
From: VESSILLER
Date: Tue, 28 Jan 2020 11:37:23 +0100
Subject: [PATCH 1/3] FIX require category class in extrafield

---
 htdocs/core/class/extrafields.class.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index c2c7752e994..9400c64de85 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -1321,6 +1321,7 @@ class ExtraFields
 print 'Error in request ' . $sql . ' ' . $this->db->lasterror() . '. Check setup of extra parameters.
';
 }
 } else {
+ require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
 $data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
 $out .= '';
 foreach ($data as $data_key => $data_value) {
@@ -1548,6 +1549,7 @@ class ExtraFields
 print 'Error in request ' . $sql . ' ' . $this->db->lasterror() . '. Check setup of extra parameters.
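Review bot: The `require_once` added before the `select_all_categories()` call makes the class available, but `Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]]` on the following line still indexes the static map with an unchecked key, so an extrafield definition whose fifth parameter is missing or unknown raises a notice and passes `null` into the call; the hunk at 1548 has the same shape. Guard the key with `isset(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]])` and report the bad definition the way the `print 'Error in request ...'` branch above does. Since both branches need the same file, one `require_once` next to the file's other includes would also avoid duplicating the line. The enclosing method starts and ends outside both hunks.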
';
 }
 } else {
+ require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
 $data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
 $out = $form->multiselectarray($keyprefix . $key . $keysuffix, $data, $value_arr, '', 0, '', 0, '100%');
 }
@@ -1628,7 +1630,7 @@ class ExtraFields
 if ($hidden) return ''; // This is a protection. If field is hidden, we should just not call this method.
 //if ($computed) $value = // $value is already calculated into $value before calling this method
-
+ $showsize=0;
 if ($type == 'date') {

From 8af5d87e80e1bfda9acf71f44ac7433da55b59e6 Mon Sep 17 00:00:00 2001
From: VESSILLER
Date: Tue, 28 Jan 2020 17:13:09 +0100
Subject: [PATCH 2/3] FIX regex for include or exclude categories in full arbo

---
 htdocs/categories/class/categorie.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index f31e8f9b048..6edb069ef6e 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1080,7 +1080,7 @@ class Categorie extends CommonObject
 // Include or exclude leaf including $markafterid from tree
 if (count($markafterid) > 0) {
- $keyfiltercatid = implode('|', $markafterid);
+ $keyfiltercatid = '(' . implode('|', $markafterid) . ')';
 //print "Look to discard category ".$markafterid."\n";
 $keyfilter1 = '^' . $keyfiltercatid . '$';

From 5d2130a5aec3ae306d3f323c977b656fa20c18ca Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 29 Jan 2020 11:38:06 +0100
Subject: [PATCH 3/3] Fix SQL injection

---
 htdocs/resource/class/dolresource.class.php | 6 +++---
 htdocs/resource/list.php | 14 ++++++--------
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php
index 13cbf37c34a..9abbf297370 100644
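Review bot: The added `$showsize=0;` in the hunk at 1628 is unrelated to the category include described in the subject and carries no comment saying what it defaults; `// Default output size; type-specific branches below override it` would make the intent readable, or the line belongs in its own commit. Whether the branches below actually assign `$showsize` is not visible in this hunk — presumably they do, but confirm. The enclosing method starts and ends outside the hunk.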
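Review bot: The ids joined on the changed line in the hunk at 1080 are placed in the regex alternation verbatim, so the new grouping is only correct while every element of `$markafterid` is a plain numeric id; if the array can carry anything else (its origin is outside the hunk), quote each element: `$keyfiltercatid = '(' . implode('|', array_map('preg_quote', $markafterid)) . ')';`. A non-capturing group `(?:` … `)` would also signal that the capture is never consumed, which the visible line building `$keyfilter1` suggests. The enclosing method starts and ends outside the hunk.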
--- a/htdocs/resource/class/dolresource.class.php
+++ b/htdocs/resource/class/dolresource.class.php
@@ -533,7 +533,7 @@ class Dolresource extends CommonObject
 $sql.= $value;
 } else {
- $sql.= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+ $sql.= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
 }
 }
@@ -617,7 +617,7 @@ class Dolresource extends CommonObject
 $sql.= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
 } else {
- $sql.= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+ $sql.= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
 }
 }
@@ -699,7 +699,7 @@ class Dolresource extends CommonObject
 $sql.= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
 } else {
- $sql.= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+ $sql.= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
 }
 }
diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php
index d9547ad441b..7490bd42a51 100644
--- a/htdocs/resource/list.php
+++ b/htdocs/resource/list.php
@@ -18,7 +18,7 @@
 */
 /**
- * \file resource/index.php
+ * \file resource/list.php
 * \ingroup resource
 * \brief Page to manage resource objects
 */
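Review bot: On the changed lines in the hunks at 533, 617 and 699 the column name `$key` is still concatenated into the statement unchanged, so the fix escapes the `LIKE` value but leaves the identifier side to whatever the caller passed; where the `$filter` keys originate is outside these hunks, but unless they are a fixed set, check them against an identifier pattern before use, e.g. `preg_match('/^[a-z0-9_.]+$/i', $key)`, and skip or reject anything that fails. The `if` branch just above the first changed line still appends `$value` verbatim (`$sql.= $value;`), which is only safe for server-built fragments such as the `natural_search()` output seen in list.php; a comment stating that precondition on that branch would help the next reader. The enclosing methods start and end outside the hunks.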
@@ -52,20 +52,19 @@ $extrafields = new ExtraFields($db);
 $extralabels=$extrafields->fetch_name_optionals_label($object->table_element);
 $search_array_options=$extrafields->getOptionalsFromPost($object->table_element, '', 'search_');
 if (! is_array($search_array_options)) $search_array_options = array();
-$search_ref=GETPOST("search_ref");
-$search_type=GETPOST("search_type");
+$search_ref = GETPOST("search_ref", 'alpha');
+$search_type = GETPOST("search_type", 'alpha');
 $filter=array();
 if ($search_ref != ''){
- $param.='&search_ref='.$search_ref;
+ $param.='&search_ref='.urlencode($search_ref);
 $filter['t.ref']=$search_ref;
 }
 if ($search_type != ''){
- $param.='&search_type='.$search_type;
+ $param.='&search_type='.urlencode($search_type);
 $filter['ty.label']=$search_type;
 }
-if ($search_label != '') $param.='&search_label='.$search_label;
 // Add $param from extra fields
 foreach ($search_array_options as $key => $val) {
@@ -83,7 +82,7 @@ foreach ($search_array_options as $key => $val)
 $filter['ef.'.$tmpkey] = natural_search('ef.'.$tmpkey, $crit, $mode_search);
 }
 }
-if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage;
+if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage);
 $hookmanager->initHooks(array('resourcelist'));
@@ -133,7 +132,6 @@ include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php';
 if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers
 {
 $search_ref="";
- $search_label="";
 $search_type="";
 $search_array_options=array();
 $filter=array();
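Review bot: `$filter['t.ref']=$search_ref;` and `$filter['ty.label']=$search_type;` in the hunk at 52 still carry the raw search strings into the resource fetch code, where they are wrapped in `LIKE '%…%'`; the `'alpha'` filter now passed to `GETPOST()` and the escaping downstream handle quoting, but `%` and `_` keep their wildcard meaning, so a search for `a_b` also matches `axb`. If literal matching is intended, escape those two characters before storing the value in `$filter`; if wildcards are meant to be allowed, a one-line comment here saying so would settle the question for the next reader. Whether `$param` is initialised before its first `.=` in this hunk is not visible here.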