From b0490bf0aa9d4acdeec5b7bb7af0677cfa257945 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 27 Feb 2012 11:55:46 +0100
Subject: [PATCH 1/6] Fix: remove constraints

---
 htdocs/install/mysql/migration/3.1.0-3.2.0.sql | 3 ---
 htdocs/install/mysql/tables/llx_commande.key.sql | 1 -
 htdocs/install/mysql/tables/llx_facture.key.sql | 1 -
 htdocs/install/mysql/tables/llx_propal.key.sql | 1 -
 4 files changed, 6 deletions(-)

diff --git a/htdocs/install/mysql/migration/3.1.0-3.2.0.sql b/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
index b643467d906..21521e28bc0 100755
--- a/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
+++ b/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
@@ -209,7 +209,6 @@ ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_author FOREIGN KEY (fk_u
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
 
 ALTER TABLE llx_commande ADD COLUMN fk_account integer AFTER facture;
@@ -224,14 +223,12 @@ ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_author FOREIGN KEY (
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
 
 ALTER TABLE llx_facture ADD COLUMN fk_account integer AFTER fk_projet;
 ALTER TABLE llx_facture ADD COLUMN fk_currency varchar(2) AFTER fk_account;
 ALTER TABLE llx_facture ADD INDEX idx_facture_fk_account (fk_account);
 ALTER TABLE llx_facture ADD INDEX idx_facture_fk_currency (fk_currency);
-ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
 
 ALTER TABLE llx_actioncomm DROP COLUMN propalrowid;
diff --git a/htdocs/install/mysql/tables/llx_commande.key.sql b/htdocs/install/mysql/tables/llx_commande.key.sql
index 7a117535b47..a608b46f075 100644
--- a/htdocs/install/mysql/tables/llx_commande.key.sql
+++ b/htdocs/install/mysql/tables/llx_commande.key.sql
@@ -36,5 +36,4 @@ ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_author FOREIGN KEY (
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
diff --git a/htdocs/install/mysql/tables/llx_facture.key.sql b/htdocs/install/mysql/tables/llx_facture.key.sql
index 328d856d76d..e4034b5e4a3 100644
--- a/htdocs/install/mysql/tables/llx_facture.key.sql
+++ b/htdocs/install/mysql/tables/llx_facture.key.sql
@@ -34,5 +34,4 @@ ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_user_author FOREIGN KEY
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_facture_source FOREIGN KEY (fk_facture_source) REFERENCES llx_facture (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
\ No newline at end of file
diff --git a/htdocs/install/mysql/tables/llx_propal.key.sql b/htdocs/install/mysql/tables/llx_propal.key.sql
index a2de94225c1..92200fca65c 100644
--- a/htdocs/install/mysql/tables/llx_propal.key.sql
+++ b/htdocs/install/mysql/tables/llx_propal.key.sql
@@ -34,5 +34,4 @@ ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_author FOREIGN KEY (fk_u
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
\ No newline at end of file

From e999e3daadc5db77a3dd4c77c328b2fef83ad837 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 27 Feb 2012 12:04:31 +0100
Subject: [PATCH 2/6] Fix: remove constraints

---
 htdocs/install/mysql/migration/3.1.0-3.2.0.sql | 6 +++---
 htdocs/install/mysql/tables/llx_commande.key.sql | 1 -
 htdocs/install/mysql/tables/llx_facture.key.sql | 1 -
 htdocs/install/mysql/tables/llx_propal.key.sql | 1 -
 4 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/htdocs/install/mysql/migration/3.1.0-3.2.0.sql b/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
index b643467d906..bc0a4ac8223 100755
--- a/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
+++ b/htdocs/install/mysql/migration/3.1.0-3.2.0.sql
@@ -209,8 +209,8 @@ ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_author FOREIGN KEY (fk_u
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
+ALTER TABLE llx_propal DROP FOREIGN KEY fk_propal_fk_account;
 
 ALTER TABLE llx_commande ADD COLUMN fk_account integer AFTER facture;
 ALTER TABLE llx_commande ADD COLUMN fk_currency varchar(2) AFTER fk_account;
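Review bot: `ALTER TABLE llx_propal DROP FOREIGN KEY fk_propal_fk_account;` is unconditional, while the same hunk removes the ADD CONSTRAINT that created the key, so on any database where the earlier version of this migration never ran (or on a fresh install that reaches this file) MySQL reports that the key does not exist and the statement fails; unless the upgrade runner is known to tolerate that error, the drop should be guarded or marked in whatever way the project uses for optional statements. The two `DROP FOREIGN KEY` lines added for llx_commande and llx_facture in the next hunk have the same issue. A one-line comment above each drop, such as `-- fk_account constraint removed: present only on databases that ran the earlier 3.2.0 migration`, would tell the next maintainer why a drop sits in a file that no longer creates the key. This commit has the same base blob (b643467d906) as patch 1 above, so it appears to replace rather than build on it.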
@@ -224,15 +224,15 @@ ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_author FOREIGN KEY (
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
+ALTER TABLE llx_commande DROP FOREIGN KEY fk_commande_fk_account;
 
 ALTER TABLE llx_facture ADD COLUMN fk_account integer AFTER fk_projet;
 ALTER TABLE llx_facture ADD COLUMN fk_currency varchar(2) AFTER fk_account;
 ALTER TABLE llx_facture ADD INDEX idx_facture_fk_account (fk_account);
 ALTER TABLE llx_facture ADD INDEX idx_facture_fk_currency (fk_currency);
-ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
+ALTER TABLE llx_facture DROP FOREIGN KEY fk_facture_fk_account;
 
 ALTER TABLE llx_actioncomm DROP COLUMN propalrowid;
 ALTER TABLE llx_actioncomm DROP COLUMN fk_facture;
diff --git a/htdocs/install/mysql/tables/llx_commande.key.sql b/htdocs/install/mysql/tables/llx_commande.key.sql
index 7a117535b47..a608b46f075 100644
--- a/htdocs/install/mysql/tables/llx_commande.key.sql
+++ b/htdocs/install/mysql/tables/llx_commande.key.sql
@@ -36,5 +36,4 @@ ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_author FOREIGN KEY (
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_commande ADD CONSTRAINT fk_commande_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
diff --git a/htdocs/install/mysql/tables/llx_facture.key.sql b/htdocs/install/mysql/tables/llx_facture.key.sql
index 328d856d76d..e4034b5e4a3 100644
--- a/htdocs/install/mysql/tables/llx_facture.key.sql
+++ b/htdocs/install/mysql/tables/llx_facture.key.sql
@@ -34,5 +34,4 @@ ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_user_author FOREIGN KEY
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_facture_source FOREIGN KEY (fk_facture_source) REFERENCES llx_facture (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_facture ADD CONSTRAINT fk_facture_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
\ No newline at end of file
diff --git a/htdocs/install/mysql/tables/llx_propal.key.sql b/htdocs/install/mysql/tables/llx_propal.key.sql
index a2de94225c1..92200fca65c 100644
--- a/htdocs/install/mysql/tables/llx_propal.key.sql
+++ b/htdocs/install/mysql/tables/llx_propal.key.sql
@@ -34,5 +34,4 @@ ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_author FOREIGN KEY (fk_u
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_valid FOREIGN KEY (fk_user_valid) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_user_cloture FOREIGN KEY (fk_user_cloture) REFERENCES llx_user (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_projet FOREIGN KEY (fk_projet) REFERENCES llx_projet (rowid);
-ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_account FOREIGN KEY (fk_account) REFERENCES llx_bank_account (rowid);
 ALTER TABLE llx_propal ADD CONSTRAINT fk_propal_fk_currency FOREIGN KEY (fk_currency) REFERENCES llx_c_currencies (code);
\ No newline at end of file

From 5381986e50dd6055f2b3b63281eaacffa0449da2 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 27 Feb 2012 16:49:41 +0100
Subject: [PATCH 3/6] Fix: Multiple directory traversal vulnerabilities with backtopage

---
 htdocs/comm/action/fiche.php | 26 ++++++++++----------------
 htdocs/comm/remise.php | 16 +++++++++-------
 htdocs/comm/remx.php | 15 ++++++++-------
 htdocs/contact/fiche.php | 27 ++++++++++++++-------------
 htdocs/core/lib/functions.lib.php | 6 +++++-
 htdocs/projet/fiche.php | 13 +++++++------
 htdocs/projet/tasks.php | 11 ++++++-----
 htdocs/public/members/new.php | 8 ++++----
 8 files changed, 63 insertions(+), 59 deletions(-)

diff --git a/htdocs/comm/action/fiche.php b/htdocs/comm/action/fiche.php
index 85bb92979bd..2951f701c77 100644
--- a/htdocs/comm/action/fiche.php
+++ b/htdocs/comm/action/fiche.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville
  * Copyright (C) 2004-2012 Laurent Destailleur
  * Copyright (C) 2005 Simon TOSSER
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
  * Copyright (C) 2010 Juanjo Menent
  *
  * This program is free software; you can redistribute it and/or modify
@@ -43,11 +43,12 @@ $langs->load("bills"); $langs->load("orders"); $langs->load("agenda"); -$action=GETPOST("action"); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check -$socid = GETPOST('socid'); -$id = GETPOST('id'); +$socid = GETPOST('socid','int'); +$id = GETPOST('id','int'); if ($user->societe_id) $socid=$user->societe_id; //$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id'); @@ -66,9 +67,7 @@ if ($action == 'add_action') { $error=0; - $backtopage=''; - if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"]; - if (! $backtopage) + if (empty($backtopage)) { if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid; else $backtopage=DOL_URL_ROOT.'/comm/action/index.php'; @@ -339,14 +338,9 @@ if ($action == 'update') } else { - if (! empty($_POST["from"])) // deprecated. Use backtopage instead - { - header("Location: ".$_POST["from"]); - exit; - } - if (! empty($_POST["backtopage"])) + if (! empty($backtopage)) { - header("Location: ".$_POST["backtopage"]); + header("Location: ".$backtopage); exit; } } @@ -426,7 +420,7 @@ if ($action == 'create') print '
'; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous")); else print_fiche_titre($langs->trans("AddAnAction")); @@ -679,7 +673,7 @@ if ($id) print ''; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; print ''; diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php index abfb5005972..b124a83714f 100644 --- a/htdocs/comm/remise.php +++ b/htdocs/comm/remise.php @@ -30,21 +30,23 @@ $langs->load("companies"); $langs->load("orders"); $langs->load("bills"); -$socid = GETPOST("id"); +$socid = GETPOST('id','int'); // Security check if ($user->societe_id > 0) { $socid = $user->societe_id; } +$backtopage = GETPOST('backtopage','alpha'); + /* * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -56,9 +58,9 @@ if (GETPOST("action") == 'setremise') if ($result > 0) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else @@ -122,7 +124,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
'; @@ -138,7 +140,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index 8f26a58463e..42bac50817f 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -32,7 +32,8 @@ $langs->load("orders"); $langs->load("bills"); $langs->load("companies"); -$action=GETPOST('action'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check $socid = GETPOST("id"); @@ -46,9 +47,9 @@ if ($user->societe_id > 0) * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -151,9 +152,9 @@ if ($action == 'setremise') if ($discountid > 0) { - if (GETPOST("backtopage")) + if (! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid); + Header("Location: ".$backtopage.'&discountid='.$discountid); exit; } else @@ -228,7 +229,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
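Review bot: In the @@ -32,7 +32,8 hunk of comm/remx.php the context line right after the new `$backtopage` assignment still reads `$socid = GETPOST("id");` with no type check, while the sibling comm/remise.php in this same commit changed its equivalent line to `GETPOST('id','int')`; make remx.php consistent with `$socid = GETPOST('id','int');`. In the @@ -151 hunk, `Header("Location: ".$backtopage.'&discountid='.$discountid);` assumes backtopage already carries a query string; if it can arrive without one, the separator should be chosen (`?` versus `&`) or the assumption recorded in a comment on that line. Patch 4 later on this page carries the identical hunks.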
'; @@ -280,7 +281,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php index 213980d55a1..bb6ff79a06d 100644 --- a/htdocs/contact/fiche.php +++ b/htdocs/contact/fiche.php @@ -39,10 +39,11 @@ $langs->load("commercial"); $mesg=''; $error=0; $errors=array(); -$action = (GETPOST('action') ? GETPOST('action') : 'view'); -$confirm = GETPOST('confirm'); -$id = GETPOST("id"); -$socid = GETPOST("socid"); +$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view'); +$confirm = GETPOST('confirm','alpha'); +$backtopage = GETPOST('backtopage','alpha'); +$id = GETPOST('id','int'); +$socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; $object = new Contact($db); @@ -76,9 +77,9 @@ $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && GETPOST('backtopage')) + if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -86,7 +87,7 @@ if (empty($reshook)) if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer) { // Recuperation contact actuel - $result = $object->fetch($_GET["id"]); + $result = $object->fetch($id); if ($result > 0) { @@ -172,7 +173,7 @@ if (empty($reshook)) if (! $error && $id > 0) { $db->commit(); - if (GETPOST('backtopage')) $url=GETPOST('backtopage'); + if (! empty($backtopage)) $url=$backtopage; else $url='fiche.php?id='.$id; Header("Location: ".$url); exit; @@ -368,7 +369,7 @@ else print ''; print ''; print ''; - print ''; + print ''; print '
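Review bot: In the @@ -39,10 +39,11 hunk of contact/fiche.php, `$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view');` calls GETPOST twice for the same parameter; `$action = GETPOST('action','alpha'); if (empty($action)) $action = 'view';` reads the request once and keeps the default visible. The new `$backtopage` is consumed by `header("Location: ".$backtopage)` in the @@ -76 and @@ -172 hunks of this file; the GETPOST 'alpha' filter does not restrict it to an in-application path, so the caller should still check that it is a relative URL before redirecting. Patch 4 repeats this hunk unchanged.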
'; // Name @@ -497,7 +498,7 @@ else print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; @@ -537,11 +538,11 @@ else print ''; } - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f9836b4165a..5dfcda5ab17 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0) // Check if alpha //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out=''; // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - if ($check == 'alpha' && preg_match('/"/',trim($out))) $out=''; + if ($check == 'alpha') + { + if (preg_match('/"/',trim($out))) $out=''; + else if (preg_match('/(\.\.\/)+/',trim($out))) $out=''; + } } return $out; diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php index 95aba87efb0..371028f02fd 100644 --- a/htdocs/projet/fiche.php +++ b/htdocs/projet/fiche.php @@ -34,8 +34,9 @@ $langs->load("projects"); $langs->load('companies'); $id=GETPOST('id','int'); -$ref = GETPOST('ref'); -$action=GETPOST('action'); +$ref = GETPOST('ref','alpha'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden(); @@ -55,9 +56,9 @@ $result = restrictedArea($user, 'projet', $id); */ // Cancel -if (GETPOST("cancel") && GETPOST('backtopage')) +if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -276,7 +277,7 @@ if ($action == 'create' && $user->rights->projet->creer) print ''; print ''; print ''; - print ''; + print ''; print '
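Review bot: The new `else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';` in GETPOST is a denylist of one spelling of a parent-directory segment, applied to every 'alpha' parameter, and it is the only filter between `$backtopage` and `header("Location: ".$backtopage)` in comm/action/fiche.php, comm/remise.php, comm/remx.php, contact/fiche.php, projet/fiche.php, projet/tasks.php and public/members/new.php in this commit (the last of these is a public page); an absolute URL to another host passes it untouched, so those redirects remain open. The durable fix belongs at the call sites: accept backtopage only when it is a relative in-application path (for instance starting with DOL_URL_ROOT, or with a single '/' and no scheme) and otherwise fall back to the page default. Inside GETPOST the `+` quantifier adds nothing, `/\.\.\//` matches the same inputs, and a short comment such as `// 'alpha' values are reused as redirect targets and file names: reject "..\/" segments as well as quotes` would record why a path check sits in a generic parameter filter. Patch 4 on this page carries the identical hunk; GETPOST's body starts before this hunk.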
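Review bot: In the @@ -34,8 +34,9 hunk of projet/fiche.php the context line `if ($id == '' && $ref == '' && ($action != "create" && ... && ! $_POST["cancel"])) accessforbidden();` still reads `$_POST["cancel"]` directly while the lines just above were moved to GETPOST with a check type, and the @@ -55 hunk of the same file uses `GETPOST("cancel")`; using `! GETPOST('cancel')` here keeps access to request data on one path. This is a consistency point only; the condition's logic is unchanged by the commit. Patch 4 repeats the hunk.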
'; @@ -332,7 +333,7 @@ if ($action == 'create' && $user->rights->projet->creer) print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c05bac91f4e..6c4ccb733fa 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -36,6 +36,7 @@ $langs->load("projects"); $action = GETPOST('action', 'alpha'); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); +$backtopage=GETPOST('backtopage','alpha'); $mode = GETPOST('mode', 'alpha'); $mine = ($mode == 'mine' ? 1 : 0); @@ -111,9 +112,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) if (! $error) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($projectid)) @@ -125,9 +126,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) } else { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($id)) @@ -219,7 +220,7 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->socie print ''; print ''; print ''; - print ''; + print ''; if (! empty($object->id)) print ''; if (! empty($mode)) print ''; diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index fc7feedb0ae..d1d63d0310e 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -47,8 +47,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/company.lib.php"); $errmsg=''; $num=0; $error=0; -$backtopage=GETPOST('backtopage'); -$action=GETPOST('action'); +$backtopage=GETPOST('backtopage','alpha'); +$action=GETPOST('action','alpha'); // Load translation files $langs->load("main"); 
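Review bot: In the @@ -36,6 +36,7 hunk of projet/tasks.php the added `$backtopage=GETPOST('backtopage','alpha');` drops the spacing that every neighbouring declaration uses (`$action = GETPOST('action', 'alpha');`, `$id = GETPOST('id', 'int');`); write it as `$backtopage = GETPOST('backtopage', 'alpha');` so the block stays uniform. Patch 4 carries the same line.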
@@ -255,7 +255,7 @@ if ($action == 'add') $result=$adh->send_an_email($conf->global->ADHERENT_AUTOREGISTER_MAIL,$conf->global->ADHERENT_AUTOREGISTER_MAIL_SUBJECT,array(),array(),array(),"","",0,-1); } - if ($backtopage) $urlback=$backtopage; + if (! empty($backtopage)) $urlback=$backtopage; else if ($conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION) { $urlback=$conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION; @@ -545,7 +545,7 @@ print "
\n"; // Save print '
'; print ''; -if ($backtopage) +if (! empty($backtopage)) { print '     '; } From 8f9b9987ffb42cfbe907fe31ded3001bfc1b3417 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 27 Feb 2012 17:02:56 +0100 Subject: [PATCH 4/6] Fix: Multiple directory traversal vulnerabilities with document.php --- htdocs/comm/action/document.php | 2 +- htdocs/comm/action/fiche.php | 26 ++++++++++---------------- htdocs/comm/remise.php | 16 +++++++++------- htdocs/comm/remx.php | 15 ++++++++------- htdocs/contact/fiche.php | 27 ++++++++++++++------------- htdocs/core/lib/functions.lib.php | 6 +++++- htdocs/document.php | 12 ++++++------ htdocs/projet/fiche.php | 13 +++++++------ htdocs/projet/tasks.php | 11 ++++++----- htdocs/public/members/new.php | 8 ++++---- 10 files changed, 70 insertions(+), 66 deletions(-) diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index da79ff42233..88fa0f440ea 100755 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -2,7 +2,7 @@ /* Copyright (C) 2003-2004 Rodolphe Quiedeville * Copyright (C) 2004-2010 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo - * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2005 Simon TOSSER * * This program is free software; you can redistribute it and/or modify diff --git a/htdocs/comm/action/fiche.php b/htdocs/comm/action/fiche.php index 85bb92979bd..2951f701c77 100644 --- a/htdocs/comm/action/fiche.php +++ b/htdocs/comm/action/fiche.php @@ -2,7 +2,7 @@ /* Copyright (C) 2001-2005 Rodolphe Quiedeville * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005 Simon TOSSER - * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2010 Juanjo Menent * * This program is free software; you can redistribute it and/or modify 
@@ -43,11 +43,12 @@ $langs->load("bills"); $langs->load("orders"); $langs->load("agenda"); -$action=GETPOST("action"); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check -$socid = GETPOST('socid'); -$id = GETPOST('id'); +$socid = GETPOST('socid','int'); +$id = GETPOST('id','int'); if ($user->societe_id) $socid=$user->societe_id; //$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id'); @@ -66,9 +67,7 @@ if ($action == 'add_action') { $error=0; - $backtopage=''; - if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"]; - if (! $backtopage) + if (empty($backtopage)) { if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid; else $backtopage=DOL_URL_ROOT.'/comm/action/index.php'; @@ -339,14 +338,9 @@ if ($action == 'update') } else { - if (! empty($_POST["from"])) // deprecated. Use backtopage instead - { - header("Location: ".$_POST["from"]); - exit; - } - if (! empty($_POST["backtopage"])) + if (! empty($backtopage)) { - header("Location: ".$_POST["backtopage"]); + header("Location: ".$backtopage); exit; } } @@ -426,7 +420,7 @@ if ($action == 'create') print ''; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous")); else print_fiche_titre($langs->trans("AddAnAction")); @@ -679,7 +673,7 @@ if ($id) print ''; print ''; print ''; - if (GETPOST("backtopage")) print ''; + print ''; print ''; diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php index abfb5005972..b124a83714f 100644 --- a/htdocs/comm/remise.php +++ b/htdocs/comm/remise.php 
@@ -30,21 +30,23 @@ $langs->load("companies"); $langs->load("orders"); $langs->load("bills"); -$socid = GETPOST("id"); +$socid = GETPOST('id','int'); // Security check if ($user->societe_id > 0) { $socid = $user->societe_id; } +$backtopage = GETPOST('backtopage','alpha'); + /* * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -56,9 +58,9 @@ if (GETPOST("action") == 'setremise') if ($result > 0) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else @@ -122,7 +124,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
'; @@ -138,7 +140,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index 8f26a58463e..42bac50817f 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -32,7 +32,8 @@ $langs->load("orders"); $langs->load("bills"); $langs->load("companies"); -$action=GETPOST('action'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); // Security check $socid = GETPOST("id"); @@ -46,9 +47,9 @@ if ($user->societe_id > 0) * Actions */ -if (GETPOST('cancel') && GETPOST('backtopage')) +if (GETPOST('cancel') && ! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage")); + Header("Location: ".$backtopage); exit; } @@ -151,9 +152,9 @@ if ($action == 'setremise') if ($discountid > 0) { - if (GETPOST("backtopage")) + if (! empty($backtopage)) { - Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid); + Header("Location: ".$backtopage.'&discountid='.$discountid); exit; } else @@ -228,7 +229,7 @@ if ($socid > 0) print ''; print ''; print ''; - print ''; + print ''; print '
'; @@ -280,7 +281,7 @@ if ($socid > 0) print '
'; print ''; - if (GETPOST("backtopage")) + if (! empty($backtopage)) { print '    '; print ''; diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php index 213980d55a1..bb6ff79a06d 100644 --- a/htdocs/contact/fiche.php +++ b/htdocs/contact/fiche.php @@ -39,10 +39,11 @@ $langs->load("commercial"); $mesg=''; $error=0; $errors=array(); -$action = (GETPOST('action') ? GETPOST('action') : 'view'); -$confirm = GETPOST('confirm'); -$id = GETPOST("id"); -$socid = GETPOST("socid"); +$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view'); +$confirm = GETPOST('confirm','alpha'); +$backtopage = GETPOST('backtopage','alpha'); +$id = GETPOST('id','int'); +$socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; $object = new Contact($db); @@ -76,9 +77,9 @@ $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && GETPOST('backtopage')) + if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -86,7 +87,7 @@ if (empty($reshook)) if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer) { // Recuperation contact actuel - $result = $object->fetch($_GET["id"]); + $result = $object->fetch($id); if ($result > 0) { @@ -172,7 +173,7 @@ if (empty($reshook)) if (! $error && $id > 0) { $db->commit(); - if (GETPOST('backtopage')) $url=GETPOST('backtopage'); + if (! empty($backtopage)) $url=$backtopage; else $url='fiche.php?id='.$id; Header("Location: ".$url); exit; @@ -368,7 +369,7 @@ else print ''; print ''; print ''; - print ''; + print ''; print '
'; // Name @@ -497,7 +498,7 @@ else print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; @@ -537,11 +538,11 @@ else print ''; } - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f9836b4165a..5dfcda5ab17 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0) // Check if alpha //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out=''; // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - if ($check == 'alpha' && preg_match('/"/',trim($out))) $out=''; + if ($check == 'alpha') + { + if (preg_match('/"/',trim($out))) $out=''; + else if (preg_match('/(\.\.\/)+/',trim($out))) $out=''; + } } return $out; diff --git a/htdocs/document.php b/htdocs/document.php index 9c59f1da051..8836ebdbf97 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -2,7 +2,7 @@ /* Copyright (C) 2004-2007 Rodolphe Quiedeville * Copyright (C) 2004-2012 Laurent Destailleur * Copyright (C) 2005 Simon Tosser - * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2010 Pierre Morin * Copyright (C) 2010 Juanjo Menent * 
@@ -50,10 +50,10 @@ require("./main.inc.php"); // Load $user and permissions require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'); $encoding = ''; -$action = GETPOST("action"); -$original_file = GETPOST("file"); // Do not use urldecode here ($_GET are already decoded by PHP). -$modulepart = GETPOST("modulepart"); -$urlsource = GETPOST("urlsource"); +$action = GETPOST('action','alpha'); +$original_file = GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP). +$modulepart = GETPOST('modulepart','alpha'); +$urlsource = GETPOST('urlsource','alpha'); // Security check if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); @@ -72,7 +72,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); // Define mime type $type = 'application/octet-stream'; -if (GETPOST('type')) $type=GETPOST('type'); +if (GETPOST('type','alpha')) $type=GETPOST('type','alpha'); else $type=dol_mimetype($original_file); //print 'X'.$type.'-'.$original_file;exit; diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php index 95aba87efb0..371028f02fd 100644 --- a/htdocs/projet/fiche.php +++ b/htdocs/projet/fiche.php @@ -34,8 +34,9 @@ $langs->load("projects"); $langs->load('companies'); $id=GETPOST('id','int'); -$ref = GETPOST('ref'); -$action=GETPOST('action'); +$ref = GETPOST('ref','alpha'); +$action=GETPOST('action','alpha'); +$backtopage=GETPOST('backtopage','alpha'); if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden(); @@ -55,9 +56,9 @@ $result = restrictedArea($user, 'projet', $id); */ // Cancel -if (GETPOST("cancel") && GETPOST('backtopage')) +if (GETPOST("cancel") && ! empty($backtopage)) { - header("Location: ".GETPOST('backtopage')); + header("Location: ".$backtopage); exit; } @@ -276,7 +277,7 @@ if ($action == 'create' && $user->rights->projet->creer) print ''; print ''; print ''; - print ''; + print ''; print '
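Review bot: In the @@ -72 hunk, `if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');` lets the request choose the MIME type the file is served with; the 'alpha' check rejects only a double quote and `../`, so a value such as text/html passes and a stored attachment can be rendered inline in the application's origin. Prefer deriving the type from the file alone (`$type=dol_mimetype($original_file);`, already the fallback on the next line) or accept the parameter only when it matches a short allowlist of expected types. In the @@ -50 hunk, `$original_file` now depends on GETPOST's `../` filter to stay within the module directory; a canonical-path check where the file is actually opened (outside this hunk) is the more robust control and should be confirmed to exist.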
'; @@ -332,7 +333,7 @@ if ($action == 'create' && $user->rights->projet->creer) print '
'; print ''; - if (GETPOST('backtopage')) + if (! empty($backtopage)) { print '     '; print ''; diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c05bac91f4e..6c4ccb733fa 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -36,6 +36,7 @@ $langs->load("projects"); $action = GETPOST('action', 'alpha'); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); +$backtopage=GETPOST('backtopage','alpha'); $mode = GETPOST('mode', 'alpha'); $mine = ($mode == 'mine' ? 1 : 0); @@ -111,9 +112,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) if (! $error) { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($projectid)) @@ -125,9 +126,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) } else { - if (GETPOST('backtopage')) + if (! empty($backtopage)) { - Header("Location: ".GETPOST('backtopage')); + Header("Location: ".$backtopage); exit; } else if (empty($id)) @@ -219,7 +220,7 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->socie print ''; print ''; print ''; - print ''; + print ''; if (! empty($object->id)) print ''; if (! empty($mode)) print ''; diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index fc7feedb0ae..d1d63d0310e 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -47,8 +47,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/company.lib.php"); $errmsg=''; $num=0; $error=0; -$backtopage=GETPOST('backtopage'); -$action=GETPOST('action'); +$backtopage=GETPOST('backtopage','alpha'); +$action=GETPOST('action','alpha'); // Load translation files $langs->load("main"); 
@@ -255,7 +255,7 @@ if ($action == 'add') $result=$adh->send_an_email($conf->global->ADHERENT_AUTOREGISTER_MAIL,$conf->global->ADHERENT_AUTOREGISTER_MAIL_SUBJECT,array(),array(),array(),"","",0,-1); } - if ($backtopage) $urlback=$backtopage; + if (! empty($backtopage)) $urlback=$backtopage; else if ($conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION) { $urlback=$conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION; @@ -545,7 +545,7 @@ print "
\n"; // Save print '
'; print ''; -if ($backtopage) +if (! empty($backtopage)) { print '     '; } From 0bae0148c1b0379ce3cddb7644ca33c75a832cce Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 27 Feb 2012 17:24:56 +0100 Subject: [PATCH 5/6] Fix: sql injection --- htdocs/adherents/fiche.php | 93 +++++++++++++++++++------------------- 1 file changed, 47 insertions(+), 46 deletions(-) diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php index 7621df556b1..d567cb5bd23 100644 --- a/htdocs/adherents/fiche.php +++ b/htdocs/adherents/fiche.php @@ -2,7 +2,7 @@ /* Copyright (C) 2001-2004 Rodolphe Quiedeville * Copyright (C) 2002-2003 Jean-Louis Bergamo * Copyright (C) 2004-2011 Laurent Destailleur - * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -49,9 +49,12 @@ $extrafields = new ExtraFields($db); $errmsg=''; $errmsgs=array(); -$action=GETPOST("action"); -$rowid=GETPOST("rowid"); -$typeid=GETPOST("typeid"); +$action=GETPOST('action','alpha'); +$confirm=GETPOST('confirm','alpha'); +$rowid=GETPOST('rowid','int'); +$typeid=GETPOST('typeid','int'); +$userid=GETPOST('userid','int'); +$socid=GETPOST('socid','int'); if ($rowid) { 
@@ -93,12 +96,12 @@ $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks -if ($_POST['action'] == 'setuserid' && ($user->rights->user->self->creer || $user->rights->user->user->creer)) +if ($action == 'setuserid' && ($user->rights->user->self->creer || $user->rights->user->user->creer)) { $error=0; if (empty($user->rights->user->user->creer)) // If can edit only itself user, we can link to itself only { - if ($_POST["userid"] != $user->id && $_POST["userid"] != $object->user_id) + if ($userid != $user->id && $userid != $object->user_id) { $error++; $mesg='
'.$langs->trans("ErrorUserPermissionAllowsToLinksToItselfOnly").'
'; @@ -107,24 +110,23 @@ if ($_POST['action'] == 'setuserid' && ($user->rights->user->self->creer || $use if (! $error) { - if ($_POST["userid"] != $object->user_id) // If link differs from currently in database + if ($userid != $object->user_id) // If link differs from currently in database { - $result=$object->setUserId($_POST["userid"]); + $result=$object->setUserId($userid); if ($result < 0) dol_print_error($object->db,$object->error); - $_POST['action']=''; $action=''; } } } -if ($_POST['action'] == 'setsocid') +if ($action == 'setsocid') { $error=0; if (! $error) { - if ($_POST["socid"] != $object->fk_soc) // If link differs from currently in database + if ($socid != $object->fk_soc) // If link differs from currently in database { $sql ="SELECT rowid FROM ".MAIN_DB_PREFIX."adherent"; - $sql.=" WHERE fk_soc = '".$_POST["socid"]."'"; + $sql.=" WHERE fk_soc = '".$socid."'"; $sql.=" AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) @@ -135,7 +137,7 @@ if ($_POST['action'] == 'setsocid') $othermember=new Adherent($db); $othermember->fetch($obj->rowid); $thirdparty=new Societe($db); - $thirdparty->fetch($_POST["socid"]); + $thirdparty->fetch($socid); $error++; $errmsg='
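Review bot: Replacing `$_POST['action'] == 'setuserid'` with `$action == 'setuserid'` widens the accepted request method for a state-changing action, since `$action` now comes from GETPOST, which — judging by its `$method` parameter defaulting to 0 — presumably reads GET as well as POST; a plain link could then trigger the user link/unlink without a form submission. If the POST-only restriction was intentional, keep it by reading the action through GETPOST's `$method` argument with its POST-only value, or by adding `&& $_SERVER['REQUEST_METHOD'] == 'POST'` to these conditions. The same widening is made for setsocid (@@ -107), confirm_create_user (@@ -153), confirm_create_thirdparty (@@ -174), add (@@ -340), confirm_valid (@@ -513), confirm_resign (@@ -547), confirm_del_spip (@@ -580) and confirm_add_spip (@@ -591).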
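Review bot: `$sql.=" WHERE fk_soc = '".$socid."'";` still concatenates the request value into the SQL string; the protection now rests entirely on GETPOST's 'int' check, whose implementation is not in this diff and which may accept any numeric-looking string rather than an integer. Cast at the point of use so the query does not depend on the input filter: `$sql.=" WHERE fk_soc = ".((int) $socid);`. The same applies to `$thirdparty->fetch($socid);` in @@ -135 if fetch() builds SQL from its argument.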
'.$langs->trans("ErrorMemberIsAlreadyLinkedToThisThirdParty",$othermember->getFullName($langs),$othermember->login,$thirdparty->name).'
'; } @@ -143,9 +145,8 @@ if ($_POST['action'] == 'setsocid') if (! $error) { - $result=$object->setThirdPartyId($_POST["socid"]); + $result=$object->setThirdPartyId($socid); if ($result < 0) dol_print_error($object->db,$object->error); - $_POST['action']=''; $action=''; } } @@ -153,13 +154,13 @@ if ($_POST['action'] == 'setsocid') } // Create user from a member -if ($_POST["action"] == 'confirm_create_user' && $_POST["confirm"] == 'yes' && $user->rights->user->user->creer) +if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer) { if ($result > 0) { // Creation user $nuser = new User($db); - $result=$nuser->create_from_member($object,$_POST["login"]); + $result=$nuser->create_from_member($object,GETPOST('login','alpha')); if ($result < 0) { @@ -174,13 +175,13 @@ if ($_POST["action"] == 'confirm_create_user' && $_POST["confirm"] == 'yes' && $ } // Create third party from a member -if ($_POST["action"] == 'confirm_create_thirdparty' && $_POST["confirm"] == 'yes' && $user->rights->societe->creer) +if ($action == 'confirm_create_thirdparty' && $confirm == 'yes' && $user->rights->societe->creer) { if ($result > 0) { // Creation user $company = new Societe($db); - $result=$company->create_from_member($object,$_POST["companyname"]); + $result=$company->create_from_member($object,GETPOST('companyname','alpha')); if ($result < 0) { @@ -195,7 +196,7 @@ if ($_POST["action"] == 'confirm_create_thirdparty' && $_POST["confirm"] == 'yes } } -if ($_REQUEST["action"] == 'confirm_sendinfo' && $_REQUEST["confirm"] == 'yes') +if ($action == 'confirm_sendinfo' && $confirm == 'yes') { if ($object->email) { @@ -204,7 +205,7 @@ if ($_REQUEST["action"] == 'confirm_sendinfo' && $_REQUEST["confirm"] == 'yes') } } -if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->adherent->creer) +if ($action == 'update' && ! $_POST["cancel"] && $user->rights->adherent->creer) { require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"); 
@@ -328,8 +329,8 @@ if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->adhe } } - $_GET["rowid"]=$object->id; - $_REQUEST["action"]=''; + $rowid=$object->id; + $action=''; } else { @@ -340,7 +341,7 @@ if ($_REQUEST["action"] == 'update' && ! $_POST["cancel"] && $user->rights->adhe } } -if ($_POST["action"] == 'add' && $user->rights->adherent->creer) +if ($action == 'add' && $user->rights->adherent->creer) { $datenaiss=''; if (isset($_POST["naissday"]) && $_POST["naissday"] @@ -499,7 +500,7 @@ if ($_POST["action"] == 'add' && $user->rights->adherent->creer) } } -if ($user->rights->adherent->supprimer && $_REQUEST["action"] == 'confirm_delete' && $_REQUEST["confirm"] == 'yes') +if ($user->rights->adherent->supprimer && $action == 'confirm_delete' && $confirm == 'yes') { $result=$object->delete($rowid); if ($result > 0) @@ -513,7 +514,7 @@ if ($user->rights->adherent->supprimer && $_REQUEST["action"] == 'confirm_delete } } -if ($user->rights->adherent->creer && $_POST["action"] == 'confirm_valid' && $_POST["confirm"] == 'yes') +if ($user->rights->adherent->creer && $action == 'confirm_valid' && $confirm == 'yes') { $result=$object->validate($user); @@ -547,7 +548,7 @@ if ($user->rights->adherent->creer && $_POST["action"] == 'confirm_valid' && $_P } } -if ($user->rights->adherent->supprimer && $_POST["action"] == 'confirm_resign' && $_POST["confirm"] == 'yes') +if ($user->rights->adherent->supprimer && $action == 'confirm_resign' && $confirm == 'yes') { $adht = new AdherentType($db); $adht->fetch($object->typeid); @@ -580,7 +581,7 @@ if ($user->rights->adherent->supprimer && $_POST["action"] == 'confirm_resign' & } } -if ($user->rights->adherent->supprimer && $_POST["action"] == 'confirm_del_spip' && $_POST["confirm"] == 'yes') +if ($user->rights->adherent->supprimer && $action == 'confirm_del_spip' && $confirm == 'yes') { if (! count($object->errors)) { 
@@ -591,7 +592,7 @@ if ($user->rights->adherent->supprimer && $_POST["action"] == 'confirm_del_spip' } } -if ($user->rights->adherent->creer && $_POST["action"] == 'confirm_add_spip' && $_POST["confirm"] == 'yes') +if ($user->rights->adherent->creer && $action == 'confirm_add_spip' && $confirm == 'yes') { if (! count($object->errors)) { @@ -629,7 +630,7 @@ if ($action == 'create') $object->fk_departement = $_POST["departement_id"]; // We set country_id, country_code and country for the selected country - $object->country_id=$_POST["country_id"]?$_POST["country_id"]:$mysoc->country_id; + $object->country_id=GETPOST('country_id','int')?GETPOST('country_id','int'):$mysoc->country_id; if ($object->country_id) { $tmparray=getCountry($object->country_id,'all'); @@ -674,7 +675,7 @@ if ($action == 'create') $morphys["phy"] = $langs->trans("Physical"); $morphys["mor"] = $langs->trans("Moral"); print ''.$langs->trans("Nature")."\n"; - print $form->selectarray("morphy", $morphys, isset($_POST["morphy"])?$_POST["morphy"]:$object->morphy, 1); + print $form->selectarray("morphy", $morphys, GETPOST('morphy','alpha')?GETPOST('morphy','alpha'):$object->morphy, 1); print "\n"; // Type 
@@ -682,26 +683,26 @@ if ($action == 'create') $listetype=$adht->liste_array(); if (count($listetype)) { - print $form->selectarray("typeid", $listetype, isset($_POST["typeid"])?$_POST["typeid"]:$typeid, 1); + print $form->selectarray("typeid", $listetype, GETPOST('typeid','int')?GETPOST('typeid','int'):$typeid, 1); } else { print ''.$langs->trans("NoTypeDefinedGoToSetup").''; } print "\n"; // Company - print ''.$langs->trans("Company").'societe).'">'; + print ''.$langs->trans("Company").''; // Civility print ''.$langs->trans("UserTitle").''; - print $formcompany->select_civility(isset($_POST["civilite_id"])?$_POST["civilite_id"]:$object->civilite_id,'civilite_id').''; + print $formcompany->select_civility(GETPOST('civilite_id','int')?GETPOST('civilite_id','int'):$object->civilite_id,'civilite_id').''; print ''; // Lastname - print ''.$langs->trans("Lastname").'lastname).'" size="40">'; + print ''.$langs->trans("Lastname").''; print ''; // Firstname - print ''.$langs->trans("Firstname").'firstname).'">'; + print ''.$langs->trans("Firstname").''; print ''; // Password 
@@ -716,20 +717,20 @@ if ($action == 'create') // Address print ''.$langs->trans("Address").''; - print ''; + print ''; print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $formcompany->select_ziptown((isset($_POST["zipcode"])?$_POST["zipcode"]:$object->zip),'zipcode',array('town','selectcountry_id','departement_id'),6); + print $formcompany->select_ziptown((GETPOST('zipcode','alpha')?GETPOST('zipcode','alpha'):$object->zip),'zipcode',array('town','selectcountry_id','departement_id'),6); print ' '; - print $formcompany->select_ziptown((isset($_POST["town"])?$_POST["town"]:$object->town),'town',array('zipcode','selectcountry_id','departement_id')); + print $formcompany->select_ziptown((GETPOST('town','alpha')?GETPOST('town','alpha'):$object->town),'town',array('zipcode','selectcountry_id','departement_id')); print ''; // Country $object->country_id=$object->country_id?$object->country_id:$mysoc->country_id; print ''.$langs->trans('Country').''; - print $form->select_country(isset($_POST["country_id"])?$_POST["country_id"]:$object->country_id,'country_id'); + print $form->select_country(GETPOST('country_id','alpha')?GETPOST('country_id','alpha'):$object->country_id,'country_id'); if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionnarySetup"),1); print ''; @@ -739,7 +740,7 @@ if ($action == 'create') print ''.$langs->trans('State').''; if ($object->country_id) { - print $formcompany->select_state(isset($_POST["departement_id"])?$_POST["departement_id"]:$object->fk_departement,$object->country_code); + print $formcompany->select_state(GETPOST('departement_id','int')?GETPOST('departement_id','int'):$object->fk_departement,$object->country_code); } else { 
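Review bot: `GETPOST('country_id','alpha')` in the Country select reads the same parameter that @@ -629 reads with the 'int' check; use `GETPOST('country_id','int')` here too so the value handed to select_country is validated the same way on both paths. Separately, swapping `isset($_POST[...])` for the truthiness of GETPOST(...) across these form hunks (@@ -674, @@ -682 and @@ -739 as well) means a submitted value of "0" now falls back to the object's stored value; that is probably harmless for these selects, but worth confirming for civilite_id and departement_id if 0 can be a legitimate choice.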
@@ -749,16 +750,16 @@ if ($action == 'create') } // Tel pro - print ''.$langs->trans("PhonePro").'phone).'">'; + print ''.$langs->trans("PhonePro").''; // Tel perso - print ''.$langs->trans("PhonePerso").'phone_perso).'">'; + print ''.$langs->trans("PhonePerso").''; // Tel mobile - print ''.$langs->trans("PhoneMobile").'phone_mobile).'">'; + print ''.$langs->trans("PhoneMobile").''; // EMail - print ''.($conf->global->ADHERENT_MAIL_REQUIRED?'':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'':'').'email).'">'; + print ''.($conf->global->ADHERENT_MAIL_REQUIRED?'':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'':'').''; // Birthday print "".$langs->trans("Birthday")."\n"; @@ -777,7 +778,7 @@ if ($action == 'create') { foreach($extrafields->attribute_label as $key=>$label) { - $value=(isset($_POST["options_".$key])?$_POST["options_".$key]:$object->array_options["options_".$key]); + $value=(GETPOST('options_'.$key,'alpha')?GETPOST('options_'.$key,'alpha'):$object->array_options["options_".$key]); print ''.$label.''; print $extrafields->showInputField($key,$value); print ''."\n"; From 4bec281dd84cbdd0e2ed8d9f88fb78790c76fcb9 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 27 Feb 2012 17:36:27 +0100 Subject: [PATCH 6/6] Fix: access forbidden if rowid is empty --- htdocs/adherents/fiche.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php index d567cb5bd23..3278d89ae44 100644 --- a/htdocs/adherents/fiche.php +++ b/htdocs/adherents/fiche.php @@ -56,7 +56,7 @@ $typeid=GETPOST('typeid','int'); $userid=GETPOST('userid','int'); $socid=GETPOST('socid','int'); -if ($rowid) +if ($rowid > 0) { // Load member $result = $object->fetch($rowid); 
@@ -73,6 +73,10 @@ if ($rowid) || (($user->id != $adh->user_id) && $user->rights->user->user->password) ); } } +else +{ + accessforbidden(); +} // Define variables to know what current user can do on members $canaddmember=$user->rights->adherent->creer;
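Review bot: The new `else { accessforbidden(); }` runs for every request without a positive rowid, which appears to include the member-creation paths in the same file (`$action == 'create'` at @@ -629 and `$action == 'add'` at @@ -340 in the previous patch) that by nature have no rowid yet; unless those forms pass a rowid, this change would block creating members. If that is not intended, limit the denial to actions that need an existing record, e.g. `else if ($action != 'create' && $action != 'add') accessforbidden();`, or move the check into the handlers that dereference $object. The expression closed by `);` at the top of the hunk begins outside it.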