Fix: XSS injection
This commit is contained in:
parent
5807db9a22
commit
263cfa1100
@ -40,7 +40,7 @@ $showbirthday = GETPOST("showbirthday","int")?GETPOST("showbirthday","int"):0;
|
|||||||
|
|
||||||
$sortfield = GETPOST("sortfield");
|
$sortfield = GETPOST("sortfield");
|
||||||
$sortorder = GETPOST("sortorder");
|
$sortorder = GETPOST("sortorder");
|
||||||
$page = GETPOST("page");
|
$page = GETPOST("page","int");
|
||||||
if ($page == -1) { $page = 0 ; }
|
if ($page == -1) { $page = 0 ; }
|
||||||
$limit = $conf->liste_limit;
|
$limit = $conf->liste_limit;
|
||||||
$offset = $limit * $page ;
|
$offset = $limit * $page ;
|
||||||
@ -48,14 +48,14 @@ if (! $sortorder) $sortorder="ASC";
|
|||||||
if (! $sortfield) $sortfield="a.datec";
|
if (! $sortfield) $sortfield="a.datec";
|
||||||
|
|
||||||
// Security check
|
// Security check
|
||||||
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
|
$socid = GETPOST("socid","int",1);
|
||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
|
$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
|
||||||
|
|
||||||
$canedit=1;
|
$canedit=1;
|
||||||
if (! $user->rights->agenda->myactions->read) accessforbidden();
|
if (! $user->rights->agenda->myactions->read) accessforbidden();
|
||||||
if (! $user->rights->agenda->allactions->read) $canedit=0;
|
if (! $user->rights->agenda->allactions->read) $canedit=0;
|
||||||
if (! $user->rights->agenda->allactions->read || $_GET["filter"]=='mine') // If no permission to see all, we show only affected to me
|
if (! $user->rights->agenda->allactions->read || GETPOST("filter","",1)=='mine') // If no permission to see all, we show only affected to me
|
||||||
{
|
{
|
||||||
$filtera=$user->id;
|
$filtera=$user->id;
|
||||||
$filtert=$user->id;
|
$filtert=$user->id;
|
||||||
|
|||||||
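Review bot: `$sortfield` and `$sortorder` are still read with `GETPOST("sortfield")` / `GETPOST("sortorder")` and no check, while the neighbouring `page` and `socid` reads in this hunk gained an `"int"` check and a GET-only type; the SQL for this file is outside the hunk, but the commande hunk of this same commit shows the identical pair concatenated into `" ORDER BY $sortfield $sortorder"`, so an unchecked value reaches the query verbatim. Constrain both right after they are read so the existing `if (! $sortorder)` / `if (! $sortfield)` lines supply the default, e.g. `if (! in_array($sortorder, array('ASC','DESC'))) $sortorder = '';` and `if (! preg_match('/^[a-z0-9_.]+$/i', $sortfield)) $sortfield = '';`. The same two lines belong after the `$sortorder=GETPOST('sortorder','',1);` / `$sortfield=GETPOST('sortfield','',1);` additions in the commande hunk, which reads them with an empty check as well.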
@ -38,14 +38,22 @@ $orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
|
|||||||
if ($user->societe_id) $socid=$user->societe_id;
|
if ($user->societe_id) $socid=$user->societe_id;
|
||||||
$result = restrictedArea($user, 'commande',$orderid,'');
|
$result = restrictedArea($user, 'commande',$orderid,'');
|
||||||
|
|
||||||
$begin=$_GET["begin"];
|
// Assign and check variable
|
||||||
$sortorder=$_GET["sortorder"];
|
$year=GETPOST('year','int',1);
|
||||||
$sortfield=$_GET["sortfield"];
|
$month=GETPOST('month','int',1);
|
||||||
|
$status=GETPOST('status','int',1);
|
||||||
|
$onbill=GETPOST('afacturer','int',1);
|
||||||
|
$page=GETPOST('page','int',1);
|
||||||
|
$sf_ref=GETPOST('sf_ref','',2);
|
||||||
|
|
||||||
|
$begin=GETPOST('begin','',1); // TODO used ?
|
||||||
|
$sortorder=GETPOST('sortorder','',1);
|
||||||
|
$sortfield=GETPOST('sortfield','',1);
|
||||||
if (! $sortfield) $sortfield="c.rowid";
|
if (! $sortfield) $sortfield="c.rowid";
|
||||||
if (! $sortorder) $sortorder="DESC";
|
if (! $sortorder) $sortorder="DESC";
|
||||||
|
|
||||||
$limit = $conf->liste_limit;
|
$limit = $conf->liste_limit;
|
||||||
$offset = $limit * $_GET["page"] ;
|
$offset = $limit * $page ;
|
||||||
|
|
||||||
$html = new Form($db);
|
$html = new Form($db);
|
||||||
$formfile = new FormFile($db);
|
$formfile = new FormFile($db);
|
||||||
@ -69,25 +77,25 @@ $sql.= " WHERE c.fk_soc = s.rowid";
|
|||||||
$sql.= " AND s.entity = ".$conf->entity;
|
$sql.= " AND s.entity = ".$conf->entity;
|
||||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||||
if ($socid) $sql.= " AND s.rowid = ".$socid;
|
if ($socid) $sql.= " AND s.rowid = ".$socid;
|
||||||
if ($_GET["month"] > 0)
|
if ($month > 0)
|
||||||
{
|
{
|
||||||
$sql.= " AND date_format(c.date_commande, '%Y-%m') = '".$_GET["year"]."-".$_GET["month"]."'";
|
$sql.= " AND date_format(c.date_commande, '%Y-%m') = '".$year."-".$month."'";
|
||||||
}
|
}
|
||||||
if ($_GET["year"] > 0)
|
if ($year > 0)
|
||||||
{
|
{
|
||||||
$sql.= " AND date_format(c.date_commande, '%Y') = '".$_GET["year"]."'";
|
$sql.= " AND date_format(c.date_commande, '%Y') = '".$year."'";
|
||||||
}
|
}
|
||||||
if (isset($_GET["status"]))
|
if ($status)
|
||||||
{
|
{
|
||||||
$sql.= " AND fk_statut = ".$_GET["status"];
|
$sql.= " AND fk_statut = ".$status;
|
||||||
}
|
}
|
||||||
if (isset($_GET["afacturer"]) && $_GET['afacturer'] == 1)
|
if ($onbill == 1)
|
||||||
{
|
{
|
||||||
$sql.= " AND fk_statut >=1 AND c.facture = 0";
|
$sql.= " AND fk_statut >=1 AND c.facture = 0";
|
||||||
}
|
}
|
||||||
if (dol_strlen($_POST["sf_ref"]) > 0)
|
if (dol_strlen($sf_ref) > 0)
|
||||||
{
|
{
|
||||||
$sql.= " AND c.ref like '%".$_POST["sf_ref"] . "%'";
|
$sql.= " AND c.ref like '%".$sf_ref . "%'";
|
||||||
}
|
}
|
||||||
$sql.= " ORDER BY $sortfield $sortorder";
|
$sql.= " ORDER BY $sortfield $sortorder";
|
||||||
$sql.= $db->plimit($limit + 1,$offset);
|
$sql.= $db->plimit($limit + 1,$offset);
|
||||||
@ -109,10 +117,10 @@ if ($resql)
|
|||||||
// Si page des commandes a facturer
|
// Si page des commandes a facturer
|
||||||
$link=DOL_URL_ROOT."/compta/commande/fiche.php";
|
$link=DOL_URL_ROOT."/compta/commande/fiche.php";
|
||||||
$title.=" - ".$langs->trans("StatusOrderToBill");
|
$title.=" - ".$langs->trans("StatusOrderToBill");
|
||||||
$param="&socid=".$socid."&year=".$_GET["year"]."&month=".$_GET["month"];
|
$param="&socid=".$socid."&year=".$year."&month=".$month;
|
||||||
|
|
||||||
$num = $db->num_rows($resql);
|
$num = $db->num_rows($resql);
|
||||||
print_barre_liste($title, $_GET["page"], "liste.php",$param,$sortfield,$sortorder,'',$num);
|
print_barre_liste($title, $page, "liste.php",$param,$sortfield,$sortorder,'',$num);
|
||||||
|
|
||||||
$i = 0;
|
$i = 0;
|
||||||
print '<table class="noborder" width="100%">';
|
print '<table class="noborder" width="100%">';
|
||||||
|
|||||||
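Review bot: `$sf_ref` is read with an empty check (`GETPOST('sf_ref','',2)`) and then concatenated into `" AND c.ref like '%".$sf_ref . "%'"`, so the commit moves the value out of `$_POST` but leaves the SQL injection in place; escape it through the database layer at the point of use, e.g. `$sql.= " AND c.ref like '%".$db->escape($sf_ref)."%'";`. Note also that `if (isset($_GET["status"]))` became `if ($status)`, which silently drops the `fk_statut = 0` filter whenever the requested status is 0 — if 0 is a selectable status here, keep a presence test instead, e.g. `if ($status !== '')` (assuming the `int` check leaves an absent parameter as the `''` that `GETPOST` starts from). The `$year` / `$month` / `$status` values are still interpolated into the query; that is only safe if the `int` check of `GETPOST` actually rejects non-numeric input, which is not shown in this commit.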
@ -41,11 +41,16 @@ if (! defined('ADODB_DATE_VERSION')) include_once(DOL_DOCUMENT_ROOT."/includes/a
|
|||||||
* Return value of a param into get or post variable
|
* Return value of a param into get or post variable
|
||||||
* @param paramname Name of parameter to found
|
* @param paramname Name of parameter to found
|
||||||
* @param check Type of check (security)
|
* @param check Type of check (security)
|
||||||
|
* @param type Type of variable (0 = get or post, 1 = only get, 2 = only post)
|
||||||
* @return string Value found
|
* @return string Value found
|
||||||
*/
|
*/
|
||||||
function GETPOST($paramname,$check='')
|
function GETPOST($paramname,$check='',$type=0)
|
||||||
{
|
{
|
||||||
$out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
|
if ($type=1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
|
||||||
|
else if ($type=2) isset($_POST[$paramname])?$_POST[$paramname]:'';
|
||||||
|
else $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
|
||||||
|
|
||||||
|
// Clean value
|
||||||
$out = trim($out);
|
$out = trim($out);
|
||||||
|
|
||||||
if (!empty($check))
|
if (!empty($check))
|
||||||
|
|||||||
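Review bot: Both new branches use assignment instead of comparison — `if ($type=1)` and `else if ($type=2)` — so `$type` is overwritten with 1, the first branch is always taken, and the POST-only and default (GET-then-POST) paths are unreachable; the `$type=2` branch additionally never assigns its result to `$out`. The two lines should read `if ($type == 1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';` and `else if ($type == 2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';`, leaving the `else` line as added. As written, every caller that passes 2 (for instance `GETPOST('sf_ref','',2)` in the commande hunk of this commit) silently reads `$_GET` instead of `$_POST`, and callers that pass nothing lose the POST fallback they had before. The function body continues past the end of the hunk, so the `$check` handling that the new `@param type` docblock line sits next to is not visible here.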