lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX security report DIGITEMIS CYBERSECURITY & PRIVACY

Browse Source
This commit is contained in:
Laurent Destailleur 2018-03-10 15:52:11 +01:00
parent 31f36f4028
commit 241b5e9a93
2 changed files with 62 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
htdocs/expensereport/card.php
View File

@ -52,22 +52,15 @@ $action=GETPOST('action','aZ09');
$cancel=GETPOST('cancel','alpha');
$confirm = GETPOST('confirm', 'alpha');
$date_start = dol_mktime(0, 0, 0, GETPOST('date_debutmonth'), GETPOST('date_debutday'), GETPOST('date_debutyear'));
$date_end = dol_mktime(0, 0, 0, GETPOST('date_finmonth'), GETPOST('date_finday'), GETPOST('date_finyear'));
$date = dol_mktime(0, 0, 0, GETPOST('datemonth'), GETPOST('dateday'), GETPOST('dateyear'));
$fk_projet=GETPOST('fk_projet');
$vatrate=GETPOST('vatrate');
$date_start = dol_mktime(0, 0, 0, GETPOST('date_debutmonth','int'), GETPOST('date_debutday','int'), GETPOST('date_debutyear','int'));
$date_end = dol_mktime(0, 0, 0, GETPOST('date_finmonth','int'), GETPOST('date_finday','int'), GETPOST('date_finyear','int'));
$date = dol_mktime(0, 0, 0, GETPOST('datemonth','int'), GETPOST('dateday','int'), GETPOST('dateyear','int'));
$fk_projet=GETPOST('fk_projet','int');
$vatrate=GETPOST('vatrate','alpha');
$ref=GETPOST("ref",'alpha');
$comments=GETPOST('comments');
$comments=GETPOST('comments','none');
$fk_c_type_fees=GETPOST('fk_c_type_fees','int');
// If socid provided by ajax company selector
if (! empty($_REQUEST['socid_id']))
{
$_GET['socid'] = $_GET['socid_id'];
$_POST['socid'] = $_POST['socid_id'];
$_REQUEST['socid'] = $_REQUEST['socid_id'];
}
$socid = GETPOST('socid','int')?GETPOST('socid','int'):GETPOST('socid_id','int');
// Security check
$id=GETPOST("id",'int');
@ -154,7 +147,7 @@ if (empty($reshook))
// Action clone object
if ($action == 'confirm_clone' && $confirm == 'yes' && $user->rights->expensereport->creer)
{
if (1==0 && ! GETPOST('clone_content') && ! GETPOST('clone_receivers'))
if (1==0 && ! GETPOST('clone_content','alpha') && ! GETPOST('clone_receivers','alpha'))
{
setEventMessages($langs->trans("NoCloneOptionsSpecified"), null, 'errors');
}
@ -181,7 +174,7 @@ if (empty($reshook))
}
}
if ($action == 'confirm_delete' && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->supprimer)
if ($action == 'confirm_delete' && GETPOST("confirm",'alpha') == "yes" && $id > 0 && $user->rights->expensereport->supprimer)
{
$object = new ExpenseReport($db);
$result = $object->fetch($id);
@ -288,7 +281,7 @@ if (empty($reshook))
{
// Fill array 'array_options' with data from update form
$extralabels = $extrafields->fetch_name_optionals_label($object->table_element);
$ret = $extrafields->setOptionalsFromPost($extralabels, $object, GETPOST('attribute'));
$ret = $extrafields->setOptionalsFromPost($extralabels, $object, GETPOST('attribute', 'alpha'));
if ($ret < 0) $error++;
if (! $error)
@ -313,7 +306,7 @@ if (empty($reshook))
$action = 'edit_extras';
}
if ($action == "confirm_validate" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->creer)
if ($action == "confirm_validate" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->creer)
{
$error = 0;
@ -439,7 +432,7 @@ if (empty($reshook))
}
}
if ($action == "confirm_save_from_refuse" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->creer)
if ($action == "confirm_save_from_refuse" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->creer)
{
$object = new ExpenseReport($db);
$object->fetch($id);
@ -556,7 +549,7 @@ if (empty($reshook))
}
// Approve
if ($action == "confirm_approve" && GETPOST("confirm") == "yes" && $id > 0 && $user->rights->expensereport->approve)
if ($action == "confirm_approve" && GETPOST("confirm", 'alpha') == "yes" && $id > 0 && $user->rights->expensereport->approve)
{
$object = new ExpenseReport($db);
$object->fetch($id);
@ -679,12 +672,12 @@ if (empty($reshook))
setEventMessages($object->error, $object->errors, 'errors');
}
if ($action == "confirm_refuse" && GETPOST('confirm')=="yes" && $id > 0 && $user->rights->expensereport->approve)
if ($action == "confirm_refuse" && GETPOST('confirm', 'alpha')=="yes" && $id > 0 && $user->rights->expensereport->approve)
{
$object = new ExpenseReport($db);
$object->fetch($id);
$result = $object->setDeny($user,GETPOST('detail_refuse'));
$result = $object->setDeny($user, GETPOST('detail_refuse', 'alpha'));
if ($result > 0)
{
@ -800,14 +793,14 @@ if (empty($reshook))
}
//var_dump($user->id == $object->fk_user_validator);exit;
if ($action == "confirm_cancel" && GETPOST('confirm')=="yes" && GETPOST('detail_cancel') && $id > 0 && $user->rights->expensereport->creer)
if ($action == "confirm_cancel" && GETPOST('confirm', 'alpha')=="yes" && GETPOST('detail_cancel', 'alpha') && $id > 0 && $user->rights->expensereport->creer)
{
$object = new ExpenseReport($db);
$object->fetch($id);
if ($user->id == $object->fk_user_valid || $user->id == $object->fk_user_author)
{
$result = $object->set_cancel($user,GETPOST('detail_cancel'));
$result = $object->set_cancel($user, GETPOST('detail_cancel', 'alpha'));
if ($result > 0)
{
@ -923,7 +916,7 @@ if (empty($reshook))
}
}
if ($action == "confirm_brouillonner" && GETPOST('confirm')=="yes" && $id > 0 && $user->rights->expensereport->creer)
if ($action == "confirm_brouillonner" && GETPOST('confirm', 'alpha')=="yes" && $id > 0 && $user->rights->expensereport->creer)
{
$object = new ExpenseReport($db);
$object->fetch($id);
@ -1091,10 +1084,10 @@ if (empty($reshook))
if (empty($vatrate)) $vatrate = "0.000";
$vatrate = price2num($vatrate);
$value_unit=price2num(GETPOST('value_unit'),'MU');
$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat');
$value_unit=price2num(GETPOST('value_unit', 'alpha'),'MU');
$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
$qty = GETPOST('qty','int');
$qty = GETPOST('qty','int');
if (empty($qty)) $qty=1;
if (! $fk_c_type_fees > 0)
@ -1128,7 +1121,7 @@ if (empty($reshook))
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Date")), null, 'errors');
}
// Si aucun prix n'est rentré
if($value_unit==0)
if ($value_unit==0)
{
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("PriceUTTC")), null, 'errors');
@ -1175,17 +1168,17 @@ if (empty($reshook))
$action='';
}
if ($action == 'confirm_delete_line' && GETPOST("confirm") == "yes" && $user->rights->expensereport->creer)
if ($action == 'confirm_delete_line' && GETPOST("confirm", 'alpha') == "yes" && $user->rights->expensereport->creer)
{
$object = new ExpenseReport($db);
$object->fetch($id);
$object_ligne = new ExpenseReportLine($db);
$object_ligne->fetch(GETPOST("rowid"));
$object_ligne->fetch(GETPOST("rowid", 'int'));
$total_ht = $object_ligne->total_ht;
$total_tva = $object_ligne->total_tva;
$result=$object->deleteline(GETPOST("rowid"), $user);
$result=$object->deleteline(GETPOST("rowid", 'int'), $user);
if ($result >= 0)
{
if ($result > 0)
@ -1224,19 +1217,19 @@ if (empty($reshook))
$object->fetch($id);
$rowid = $_POST['rowid'];
$type_fees_id = GETPOST('fk_c_type_fees');
$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat');
$type_fees_id = GETPOST('fk_c_type_fees', 'int');
$fk_c_exp_tax_cat = GETPOST('fk_c_exp_tax_cat', 'int');
$projet_id = $fk_projet;
$comments = GETPOST('comments');
$qty = GETPOST('qty');
$value_unit = GETPOST('value_unit');
$vatrate = GETPOST('vatrate');
$comments = GETPOST('comments', 'none');
$qty = GETPOST('qty', 'int');
$value_unit = price2num(GETPOST('value_unit', 'alpha'), 'MU');
$vatrate = GETPOST('vatrate', 'alpha');
// if VAT is not used in Dolibarr, set VAT rate to 0 because VAT rate is necessary.
if (empty($vatrate)) $vatrate = "0.000";
$vatrate = price2num($vatrate);
if (! GETPOST('fk_c_type_fees') > 0)
if (! GETPOST('fk_c_type_fees', 'int') > 0)
{
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Type")), null, 'errors');
@ -1352,7 +1345,7 @@ if ($action == 'create')
print '<td class="fieldrequired">'.$langs->trans("User").'</td>';
print '<td>';
$defaultselectuser=$user->id;
if (GETPOST('fk_user_author') > 0) $defaultselectuser=GETPOST('fk_user_author');
if (GETPOST('fk_user_author', 'int') > 0) $defaultselectuser=GETPOST('fk_user_author', 'int');
$include_users = 'hierarchyme';
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expensereport->writeall_advance)) $include_users=array();
$s=$form->select_dolusers($defaultselectuser, "fk_user_author", 0, "", 0, $include_users);
@ -1370,7 +1363,7 @@ if ($action == 'create')
{
$defaultselectuser=$user->fk_user; // Will work only if supervisor has permission to approve so is inside include_users
if (! empty($conf->global->EXPENSEREPORT_DEFAULT_VALIDATOR)) $defaultselectuser=$conf->global->EXPENSEREPORT_DEFAULT_VALIDATOR; // Can force default approver
if (GETPOST('fk_user_validator') > 0) $defaultselectuser=GETPOST('fk_user_validator');
if (GETPOST('fk_user_validator', 'int') > 0) $defaultselectuser=GETPOST('fk_user_validator', 'int');
$s=$form->select_dolusers($defaultselectuser, "fk_user_validator", 1, "", 0, $include_users);
print $form->textwithpicto($s, $langs->trans("AnyOtherInThisListCanValidate"));
}
@ -1628,7 +1621,7 @@ else
if ($action == 'delete_line')
{
$formconfirm=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$id."&rowid=".GETPOST('rowid'),$langs->trans("DeleteLine"),$langs->trans("ConfirmDeleteLine"),"confirm_delete_line",'','yes',1);
$formconfirm=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$id."&rowid=".GETPOST('rowid','int'),$langs->trans("DeleteLine"),$langs->trans("ConfirmDeleteLine"),"confirm_delete_line",'','yes',1);
}
// Print form confirm
@ -2004,7 +1997,7 @@ else
{
$numline = $i + 1;
if ($action != 'editline' || $line->rowid != GETPOST('rowid'))
if ($action != 'editline' || $line->rowid != GETPOST('rowid', 'int'))
{
print '<tr class="oddeven">';
@ -2069,7 +2062,7 @@ else
print '</tr>';
}
if ($action == 'editline' && $line->rowid == GETPOST('rowid'))
if ($action == 'editline' && $line->rowid == GETPOST('rowid', 'int'))
{
print '<tr class="oddeven">';
@ -2113,12 +2106,12 @@ else
// Unit price
print '<td style="text-align:right;">';
print '<input type="text" min="0" class="maxwidth100" name="value_unit" value="'.$line->value_unit.'" />';
print '<input type="text" min="0" class="maxwidth100" name="value_unit" value="'.dol_escape_htmltag($line->value_unit).'" />';
print '</td>';
// Quantity
print '<td style="text-align:right;">';
print '<input type="number" min="0" class="maxwidth100" name="qty" value="'.$line->qty.'" />';
print '<input type="number" min="0" class="maxwidth100" name="qty" value="'.dol_escape_htmltag($line->qty).'" />';
print '</td>';
if ($action != 'editline')
@ -2198,12 +2191,12 @@ else
// Unit price
print '<td align="right">';
print '<input type="text" class="right maxwidth50" name="value_unit" value="'.$value_unit.'">';
print '<input type="text" class="right maxwidth50" name="value_unit" value="'.dol_escape_htmltag($value_unit).'">';
print '</td>';
// Quantity
print '<td align="right">';
print '<input type="text" min="0" class="right maxwidth50" name="qty" value="'.($qty?$qty:1).'">'; // We must be able to enter decimal qty
print '<input type="text" min="0" class="right maxwidth50" name="qty" value="'.dol_escape_htmltag($qty?$qty:1).'">'; // We must be able to enter decimal qty
print '</td>';
if ($action != 'editline')
@ -2409,7 +2402,7 @@ print '</div>';
// Select mail models is same action as presend
if (GETPOST('modelselected')) {
if (GETPOST('modelselected', 'alpha')) {
$action = 'presend';
}

42
htdocs/expensereport/class/expensereport.class.php
View File

@ -2482,24 +2482,22 @@ class ExpenseReportLine
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'expensereport_det';
$sql.= ' (fk_expensereport, fk_c_type_fees, fk_projet,';
$sql.= ' tva_tx, vat_src_code, comments, qty, value_unit, total_ht, total_tva, total_ttc, date, rule_warning_message, fk_c_exp_tax_cat)';
$sql.= " VALUES (".$this->fk_expensereport.",";
$sql.= " ".$this->fk_c_type_fees.",";
$sql.= " ".($this->fk_projet>0?$this->fk_projet:'null').",";
$sql.= " ".$this->vatrate.",";
$sql.= " VALUES (".$this->db->escape($this->fk_expensereport).",";
$sql.= " ".$this->db->escape($this->fk_c_type_fees).",";
$sql.= " ".$this->db->escape($this->fk_projet>0?$this->fk_projet:'null').",";
$sql.= " ".$this->db->escape($this->vatrate).",";
$sql.= " '".$this->db->escape($this->vat_src_code)."',";
$sql.= " '".$this->db->escape($this->comments)."',";
$sql.= " ".$this->qty.",";
$sql.= " ".$this->value_unit.",";
$sql.= " ".$this->total_ht.",";
$sql.= " ".$this->total_tva.",";
$sql.= " ".$this->total_ttc.",";
$sql.= " ".$this->db->escape($this->qty).",";
$sql.= " ".$this->db->escape($this->value_unit).",";
$sql.= " ".$this->db->escape($this->total_ht).",";
$sql.= " ".$this->db->escape($this->total_tva).",";
$sql.= " ".$this->db->escape($this->total_ttc).",";
$sql.= "'".$this->db->idate($this->date)."',";
$sql.= " '".$this->db->escape($this->rule_warning_message)."',";
$sql.= " ".$this->fk_c_exp_tax_cat;
$sql.= " ".$this->db->escape($this->fk_c_exp_tax_cat);
$sql.= ")";
dol_syslog("ExpenseReportLine::insert sql=".$sql);
$resql=$this->db->query($sql);
if ($resql)
{
@ -2603,21 +2601,21 @@ class ExpenseReportLine
// Update line in database
$sql = "UPDATE ".MAIN_DB_PREFIX."expensereport_det SET";
$sql.= " comments='".$this->db->escape($this->comments)."'";
$sql.= ",value_unit=".$this->value_unit;
$sql.= ",qty=".$this->qty;
$sql.= ",value_unit=".$this->db->escape($this->value_unit);
$sql.= ",qty=".$this->db->escape($this->qty);
$sql.= ",date='".$this->db->idate($this->date)."'";
$sql.= ",total_ht=".$this->total_ht."";
$sql.= ",total_tva=".$this->total_tva."";
$sql.= ",total_ttc=".$this->total_ttc."";
$sql.= ",tva_tx=".$this->vatrate;
$sql.= ",total_ht=".$this->db->escape($this->total_ht)."";
$sql.= ",total_tva=".$this->db->escape($this->total_tva)."";
$sql.= ",total_ttc=".$this->db->escape($this->total_ttc)."";
$sql.= ",tva_tx=".$this->db->escape($this->vatrate);
$sql.= ",vat_src_code='".$this->db->escape($this->vat_src_code)."'";
$sql.= ",rule_warning_message='".$this->db->escape($this->rule_warning_message)."'";
$sql.= ",fk_c_exp_tax_cat=".$this->fk_c_exp_tax_cat;
if ($this->fk_c_type_fees) $sql.= ",fk_c_type_fees=".$this->fk_c_type_fees;
$sql.= ",fk_c_exp_tax_cat=".$this->db->escape($this->fk_c_exp_tax_cat);
if ($this->fk_c_type_fees) $sql.= ",fk_c_type_fees=".$this->db->escape($this->fk_c_type_fees);
else $sql.= ",fk_c_type_fees=null";
if ($this->fk_projet) $sql.= ",fk_projet=".$this->fk_projet;
if ($this->fk_projet) $sql.= ",fk_projet=".$this->db->escape($this->fk_projet);
else $sql.= ",fk_projet=null";
$sql.= " WHERE rowid = ".$this->rowid;
$sql.= " WHERE rowid = ".$this->db->escape($this->rowid);
dol_syslog("ExpenseReportLine::update sql=".$sql);