From a344ae89f22bb6c9a9be0d1699a8623d5207d15b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 16 Jul 2021 15:02:23 +0200
Subject: [PATCH 1/5] Fix changelog

---
 ChangeLog | 44 +++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 48ba5daa562..f439186f5ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,27 +2,6 @@
 English Dolibarr ChangeLog
 --------------------------------------------------------------
 
-***** ChangeLog for 13.0.4 compared to 13.0.2 *****
-
-FIX: Allow disabling of a module (not a dangerous action) even if there is problem with token (due to bugged modules).
-FIX: 13.0 - fatal - missing inclusion of ajax.lib.php for calling `ajax_autocompleter()`
-FIX: #17919 pictures in docs.
-FIX: #18006
-FIX: Accountancy - if we define a date start, automatic binding try to continue to solve old binding
-FIX: Accoutancy Limit date payment not registered on purchases operations
-FIX: Can't edit replacement invoice
-FIX: deposit can create credit note in payment conf
-FIX: division by zero on create
-FIX: holiday: balances not updated correctly with pgsql because of case sensitivity field
-FIX: holiday: status filter parameter has been renamed but not in links it was used
-FIX: List and Create Companies Left Menus
-FIX: method exists
-FIX: need to add payment sum to getlibstatus function in object linked block
-FIX: permission to close a proposal when using advanced permissions
-FIX: Problem of z-index with popup and top menu
-FIX: same thing on supplier orders
-FIX: Status of invoice when making a replacement invoice
-FIX: update contact birthday alert
 
 ***** ChangeLog for 14.0.0 compared to 13.0.0 *****
 
@@ -249,6 +228,29 @@ Following changes may create regressions for some external modules, but were nec
 * Removed constant MAIN_COUNTRIES_IN_EEC. You can now set if country is in Europe or not from the dictionary of countries.
 
 
+***** ChangeLog for 13.0.4 compared to 13.0.3 *****
+
+FIX: Allow disabling of a module (not a dangerous action) even if there is problem with token (due to bugged modules).
+FIX: 13.0 - fatal - missing inclusion of ajax.lib.php for calling `ajax_autocompleter()`
+FIX: #17919 pictures in docs.
+FIX: #18006
+FIX: Accountancy - if we define a date start, automatic binding try to continue to solve old binding
+FIX: Accoutancy Limit date payment not registered on purchases operations
+FIX: Can't edit replacement invoice
+FIX: deposit can create credit note in payment conf
+FIX: division by zero on create
+FIX: holiday: balances not updated correctly with pgsql because of case sensitivity field
+FIX: holiday: status filter parameter has been renamed but not in links it was used
+FIX: List and Create Companies Left Menus
+FIX: method exists
+FIX: need to add payment sum to getlibstatus function in object linked block
+FIX: permission to close a proposal when using advanced permissions
+FIX: Problem of z-index with popup and top menu
+FIX: same thing on supplier orders
+FIX: Status of invoice when making a replacement invoice
+FIX: update contact birthday alert
+
+
 ***** ChangeLog for 13.0.3 compared to 13.0.2 *****
 
 FIX: 13.0 warning - missing quotes around 'label'

From cea35bd208f6a86da65d82fa014b2c3b480fd800 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 20 Jul 2021 22:14:11 +0200
Subject: [PATCH 2/5] Fix pass was lost on error

---
 htdocs/install/default.css  |  3 +++
 htdocs/install/fileconf.php | 10 +++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/htdocs/install/default.css b/htdocs/install/default.css
index 731ac4131b4..85a2f4703c2 100644
--- a/htdocs/install/default.css
+++ b/htdocs/install/default.css
@@ -415,3 +415,6 @@ a.button:hover {
 	vertical-align: text-bottom;
 }
 
+.text-security {
+	-webkit-text-security: disc;
+}
diff --git a/htdocs/install/fileconf.php b/htdocs/install/fileconf.php
index 42c8d3459fe..6a4ddc4b79a 100644
--- a/htdocs/install/fileconf.php
+++ b/htdocs/install/fileconf.php
@@ -476,13 +476,13 @@ if (!empty($force_install_noedit)) {
 	<tr class="hidesqlite">
 		<td class="label"><label for="db_pass"><b><?php echo $langs->trans("Password"); ?></b></label></td>
 		<td class="label">
-			<input type="password"
+			<input type="password" class="text-security";
 				   id="db_pass" autocomplete="off"
 				   name="db_pass"
 				   value="<?php
 					// If $force_install_databasepass is on, we don't want to set password, we just show '***'. Real value will be extracted from the forced install file at step1.
 					$autofill = ((!empty($_SESSION['dol_save_pass'])) ? $_SESSION['dol_save_pass'] : str_pad('', strlen($force_install_databasepass), '*'));
-					if (!empty($dolibarr_main_prod)) {
+					if (!empty($dolibarr_main_prod) && empty($_SESSION['dol_save_pass'])) {    // So value can't be found if install page still accessible
 						$autofill = '';
 					}
 					print dol_escape_htmltag($autofill);
@@ -532,7 +532,7 @@ if (!empty($force_install_noedit)) {
 				   id="db_user_root"
 				   name="db_user_root"
 				   class="needroot"
-				   value="<?php print (!empty($force_install_databaserootlogin)) ? $force_install_databaserootlogin : @$db_user_root; ?>"
+				   value="<?php print (!empty($force_install_databaserootlogin)) ? $force_install_databaserootlogin : (isset($db_user_root) ? $db_user_root : ''); ?>"
 				<?php if ($force_install_noedit > 0 && !empty($force_install_databaserootlogin)) {
 					print ' disabled';
 				} ?>
@@ -556,10 +556,10 @@ if (!empty($force_install_noedit)) {
 				   autocomplete="off"
 				   id="db_pass_root"
 				   name="db_pass_root"
-				   class="needroot"
+				   class="needroot text-security"
 				   value="<?php
 					// If $force_install_databaserootpass is on, we don't want to set password here, we just show '***'. Real value will be extracted from the forced install file at step1.
-					$autofill = ((!empty($force_install_databaserootpass)) ? str_pad('', strlen($force_install_databaserootpass), '*') : @$db_pass_root);
+				    $autofill = ((!empty($force_install_databaserootpass)) ? str_pad('', strlen($force_install_databaserootpass), '*') : (isset($db_pass_root) ? $db_pass_root : ''));
 					if (!empty($dolibarr_main_prod)) {
 						$autofill = '';
 					}

From b57eb8284e830e30eefb26e3c5ede076ea24037c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 20 Jul 2021 22:42:23 +0200
Subject: [PATCH 3/5] Fix Improper Authorization Check reported by Ahsan Aziz.

---
 htdocs/user/card.php             | 4 ++--
 htdocs/user/class/user.class.php | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 152c39f79ac..996425c0694 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -314,8 +314,8 @@ if (empty($reshook)) {
 
 			$id = $object->create($user);
 			if ($id > 0) {
-				if (GETPOST('password')) {
-					$object->setPassword($user, GETPOST('password'));
+				if (GETPOST('password', 'none')) {
+					$object->setPassword($user, GETPOST('password','none'));
 				}
 				if (!empty($conf->categorie->enabled)) {
 					// Categories association
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 74137537e74..6d8ff911feb 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1280,6 +1280,10 @@ class User extends CommonObject
 			$langs->load("errors");
 			$this->error = $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Login"));
 			return -1;
+		} elseif (preg_match('/[,@<>"\']/', $this->login)) {
+		    $langs->load("errors");
+		    $this->error = $langs->trans("ErrorBadCharIntoLoginName");
+		    return -1;
 		}
 
 		$this->datec = dol_now();
@@ -1669,6 +1673,10 @@ class User extends CommonObject
 			$langs->load("errors");
 			$this->error = $langs->trans("ErrorFieldRequired", 'Login');
 			return -1;
+		} elseif (preg_match('/[,@<>"\']/', $this->login)) {
+		    $langs->load("errors");
+		    $this->error = $langs->trans("ErrorBadCharIntoLoginName");
+		    return -1;
 		}
 
 		$this->db->begin();

From e25171b9f545a8044dc462b66306380cc028e0fd Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 20 Jul 2021 23:03:19 +0200
Subject: [PATCH 4/5] Fix phpcs

---
 htdocs/install/fileconf.php      |  2 +-
 htdocs/user/card.php             |  2 +-
 htdocs/user/class/user.class.php | 12 ++++++------
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/htdocs/install/fileconf.php b/htdocs/install/fileconf.php
index 6a4ddc4b79a..369d2b93605 100644
--- a/htdocs/install/fileconf.php
+++ b/htdocs/install/fileconf.php
@@ -559,7 +559,7 @@ if (!empty($force_install_noedit)) {
 				   class="needroot text-security"
 				   value="<?php
 					// If $force_install_databaserootpass is on, we don't want to set password here, we just show '***'. Real value will be extracted from the forced install file at step1.
-				    $autofill = ((!empty($force_install_databaserootpass)) ? str_pad('', strlen($force_install_databaserootpass), '*') : (isset($db_pass_root) ? $db_pass_root : ''));
+                    $autofill = ((!empty($force_install_databaserootpass)) ? str_pad('', strlen($force_install_databaserootpass), '*') : (isset($db_pass_root) ? $db_pass_root : ''));
 					if (!empty($dolibarr_main_prod)) {
 						$autofill = '';
 					}
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 996425c0694..c74a6fa729c 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -315,7 +315,7 @@ if (empty($reshook)) {
 			$id = $object->create($user);
 			if ($id > 0) {
 				if (GETPOST('password', 'none')) {
-					$object->setPassword($user, GETPOST('password','none'));
+					$object->setPassword($user, GETPOST('password', 'none'));
 				}
 				if (!empty($conf->categorie->enabled)) {
 					// Categories association
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 6d8ff911feb..b1bc23463fb 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1281,9 +1281,9 @@ class User extends CommonObject
 			$this->error = $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Login"));
 			return -1;
 		} elseif (preg_match('/[,@<>"\']/', $this->login)) {
-		    $langs->load("errors");
-		    $this->error = $langs->trans("ErrorBadCharIntoLoginName");
-		    return -1;
+            $langs->load("errors");
+            $this->error = $langs->trans("ErrorBadCharIntoLoginName");
+            return -1;
 		}
 
 		$this->datec = dol_now();
@@ -1674,9 +1674,9 @@ class User extends CommonObject
 			$this->error = $langs->trans("ErrorFieldRequired", 'Login');
 			return -1;
 		} elseif (preg_match('/[,@<>"\']/', $this->login)) {
-		    $langs->load("errors");
-		    $this->error = $langs->trans("ErrorBadCharIntoLoginName");
-		    return -1;
+            $langs->load("errors");
+            $this->error = $langs->trans("ErrorBadCharIntoLoginName");
+            return -1;
 		}
 
 		$this->db->begin();

From 0e18bd4be1c8debf3482a723b14c70442d564802 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 20 Jul 2021 23:15:31 +0200
Subject: [PATCH 5/5] Fix #hunter2cd3fc73-65a1-4615-9143-9e7febd81a15

---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 99cfe360f9f..4dff3426ac9 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -461,7 +461,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
 	// Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 	$arrayofactiontoforcetokencheck = array(
 		'activate', 'add', 'addtimespent', 'update', 'install',
-		'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check',
+		'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check', 'confirm_deletedir',
 		'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'disable',
 		'doprev', 'donext', 'dvprev', 'dvnext',
 		'enable', 'setpricelevel'