FIX #yogosha5755

This commit is contained in:
Laurent Destailleur 2021-03-29 15:49:34 +02:00
parent 3a4bb69c05
commit 22da450a96
3 changed files with 11 additions and 10 deletions


@ -75,6 +75,7 @@ function llxFooter()
print "\n".'</html>'."\n";
}
require_once '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
@ -117,10 +118,10 @@ if (!isset($conf->global->ASTERISK_MAX_RETRY)) {
}
$login = GETPOST('login');
$password = GETPOST('password');
$caller = GETPOST('caller');
$called = GETPOST('called');
$login = GETPOST('login', 'alphanohtml');
$password = GETPOST('password', 'none');
$caller = GETPOST('caller', 'alphanohtml');
$called = GETPOST('called', 'alphanohtml');
// IP address of Asterisk server
$strHost = $conf->global->ASTERISK_HOST;
@ -163,7 +164,7 @@ if ($resql) {
if ($obj) {
$found = $obj->name;
} else {
$found = $notfound;
$found = 'Not found';
}
$db->free($resql);
} else {
@ -177,7 +178,7 @@ if (!empty($number)) {
if ($pos === false) {
$errno = 0;
$errstr = 0;
$strCallerId = "Dolibarr call $found <".strtolower($number).">";
$strCallerId = "Dolibarr caller $found <".strtolower($number).">";
$oSocket = @fsockopen($strHost, $port, $errno, $errstr, 10);
if (!$oSocket) {
print '<body>'."\n";
@ -211,7 +212,7 @@ if (!empty($number)) {
}
}
} else {
print 'Bad parameters in URL. Must be '.$_SERVER['PHP_SELF'].'?caller=99999&called=99999&login=xxxxx&password=xxxxx';
print 'Bad parameters in URL. Must be '.dol_escape_htmltag($_SERVER['PHP_SELF']).'?caller=99999&called=99999&login=xxxxx&password=xxxxx';
}
// End of page
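Review bot: `$password = GETPOST('password', 'none');` in the second hunk of this file leaves the Asterisk secret completely unfiltered, and `$caller`/`$called` are taken with `alphanohtml`, which by its name filters HTML rather than phone-number syntax, so spaces, quotes and control characters presumably still get through. If, as the `fsockopen($strHost, $port, ...)` below suggests, these values are later written line-by-line into the AMI socket, a CR or LF embedded in any of them would let a caller append extra protocol headers, and none of the new sanitizers addresses that. I would reject control characters before use, e.g. `if (preg_match('/[\r\n]/', $login.$password.$caller.$called)) { die('Bad parameters'); }`, and constrain the two numbers to what the help text at the bottom promises (`caller=99999`), e.g. `preg_match('/^[0-9+*#]+$/', $caller)`. The socket writes and the code that derives `$number` are outside the shown hunks, so confirm the exact protocol framing there.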


@ -55,7 +55,7 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) {
* only be guaranted by escaping data during output.
*
* @param string $val Value brut found int $_GET, $_POST or PHP_SELF
* @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
* @param string $type 0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
* @return int >0 if there is an injection, 0 if none
*/
function testSqlAndScriptInject($val, $type)
@ -149,7 +149,7 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
}
if ($type == 2) {
$inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
$inj += preg_match('/[;"<>]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
}
return $inj;
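Review bot: The new PHP_SELF check at `$inj += preg_match('/[;"<>]/', $val);` is still a character denylist, and it omits the single quote, so a path containing `'` passes and could break out of a single-quoted attribute or a JavaScript string if some caller prints `$_SERVER['PHP_SELF']` that way. Adding it costs nothing: `$inj += preg_match('/[;"\'<>]/', $val);`. As the docblock just above says, injection safety is only guaranteed by escaping at output, so every `print ... $_SERVER['PHP_SELF']` should still go through `dol_escape_htmltag()` as the first file of this commit does; this filter is defence in depth, not the fix. The remainder of `testSqlAndScriptInject` lies outside the shown hunks.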


@ -105,7 +105,7 @@ if ($id) {
print '<div class="underbanner clearboth"></div>';
print "<form method=\"post\" action=\"".$_SERVER['PHP_SELF']."\">";
print '<form method="POST" action="'.$_SERVER['PHP_SELF'].'">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<div class="fichecenter">';