From 22da450a966d7f2961bce37a385ca608331549aa Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 29 Mar 2021 15:49:34 +0200 Subject: [PATCH] FIX #yogosha5755 --- htdocs/asterisk/wrapper.php | 15 ++++++++------- htdocs/main.inc.php | 4 ++-- htdocs/user/note.php | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/htdocs/asterisk/wrapper.php b/htdocs/asterisk/wrapper.php index 77a00aed302..7313fdfd2d5 100644 --- a/htdocs/asterisk/wrapper.php +++ b/htdocs/asterisk/wrapper.php @@ -75,6 +75,7 @@ function llxFooter() print "\n".''."\n"; } + require_once '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; @@ -117,10 +118,10 @@ if (!isset($conf->global->ASTERISK_MAX_RETRY)) { } -$login = GETPOST('login'); -$password = GETPOST('password'); -$caller = GETPOST('caller'); -$called = GETPOST('called'); +$login = GETPOST('login', 'alphanohtml'); +$password = GETPOST('password', 'none'); +$caller = GETPOST('caller', 'alphanohtml'); +$called = GETPOST('called', 'alphanohtml'); // IP address of Asterisk server $strHost = $conf->global->ASTERISK_HOST; @@ -163,7 +164,7 @@ if ($resql) { if ($obj) { $found = $obj->name; } else { - $found = $notfound; + $found = 'Not found'; } $db->free($resql); } else { @@ -177,7 +178,7 @@ if (!empty($number)) { if ($pos === false) { $errno = 0; $errstr = 0; - $strCallerId = "Dolibarr call $found <".strtolower($number).">"; + $strCallerId = "Dolibarr caller $found <".strtolower($number).">"; $oSocket = @fsockopen($strHost, $port, $errno, $errstr, 10); if (!$oSocket) { print ''."\n"; @@ -211,7 +212,7 @@ if (!empty($number)) { } } } else { - print 'Bad parameters in URL. Must be '.$_SERVER['PHP_SELF'].'?caller=99999&called=99999&login=xxxxx&password=xxxxx'; + print 'Bad parameters in URL. Must be '.dol_escape_htmltag($_SERVER['PHP_SELF']).'?caller=99999&called=99999&login=xxxxx&password=xxxxx'; } // End of page 
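Review bot: `$caller` and `$called` are now read with the `alphanohtml` filter, which removes HTML but does not constrain them to a dial-string shape, and they appear to be what later becomes `$number` (the `$strCallerId` hunk below embeds `$number` verbatim into the string handed to the Asterisk socket). A shape check right after these assignments would protect the later hunks regardless of what the filter strips, e.g. `if (!preg_match('/^[+0-9#*]{1,32}$/', $caller) || !preg_match('/^[+0-9#*]{1,32}$/', $called)) { print 'Bad parameters in URL'; exit; }`. Reading `$password` with `'none'` is acceptable only because it is presumably compared against stored credentials outside this hunk and never printed; a comment saying so, `// 'none': raw value is needed for credential comparison; never echo it`, would record that constraint. The enclosing script continues outside the hunk.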
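Review bot: `$strCallerId` interpolates `$found` (a name read from the database in the hunk above, or the literal `'Not found'`) and `$number` without any escaping, and the value is presumably written to the manager socket opened on the next line via `fsockopen($strHost, $port, …)`; that protocol is line-oriented, so a CR/LF inside either value would be read as further protocol lines. Strip line terminators before interpolation: `$strCallerId = "Dolibarr caller ".str_replace(["\r", "\n"], '', $found)." <".strtolower($number).">";`. The `@` on `fsockopen` also hides the failure reason even though `$errno` and `$errstr` are collected; dropping the suppression and logging `$errstr` in the `if (!$oSocket)` branch would make connection problems diagnosable. The surrounding `if (!empty($number))` block starts and ends outside the hunk.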
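Review bot: Wrapping `$_SERVER['PHP_SELF']` in `dol_escape_htmltag()` closes the reflected-markup path in this error message, but the same message instructs callers to send `login` and `password` as query-string parameters, which places credentials in web-server and proxy access logs and in browser history. Since `GETPOST()` appears to accept POST as well as GET, a comment at this line recording the limitation would help the next maintainer, e.g. `// NOTE: credentials in the query string end up in access logs; prefer sending them via POST.`. The `else` branch belongs to `if (!empty($number))`, which begins outside the hunk.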
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 436870a20c3..dd9662d4ceb 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -55,7 +55,7 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) { * only be guaranted by escaping data during output. * * @param string $val Value brut found int $_GET, $_POST or PHP_SELF - * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) + * @param string $type 0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) * @return int >0 if there is an injection, 0 if none */ function testSqlAndScriptInject($val, $type) @@ -149,7 +149,7 @@ function testSqlAndScriptInject($val, $type) $inj += preg_match('/"/i', $val); // We refused " in GET parameters value. } if ($type == 2) { - $inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces. + $inj += preg_match('/[;"<>]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces. } return $inj; diff --git a/htdocs/user/note.php b/htdocs/user/note.php index 1a375343e05..1ce397626e6 100644 --- a/htdocs/user/note.php +++ b/htdocs/user/note.php @@ -105,7 +105,7 @@ if ($id) { print '
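Review bot: The widened character class `[;"<>]` for `$type == 2` keeps `testSqlAndScriptInject()` a deny-list over PHP_SELF, so it should be documented as defence in depth: escaping at output time, as `dol_escape_htmltag()` does in the wrapper.php hunk of this same commit, remains the control that actually keeps markup out of the page. The comparison also uses loose equality although the docblock in the hunk above types `$type` as a string; once callers are confirmed to pass an int, `if ($type === 2) {` would make the intent unambiguous. The trailing comment could read `// PHP_SELF is a filesystem or URL path without parameters; it may contain spaces, so only ;"<> are rejected here`. The function body continues outside the hunk.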
'; - print "
"; + print ''; print ''; print '
';