From 3f3282400af95124d476501bac2b63cc5083c37e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 11 Sep 2019 13:57:15 +0200
Subject: [PATCH] FIX SQL syntax error and CSRF check on vat reports

---
 htdocs/compta/localtax/card.php          |  2 --
 htdocs/compta/localtax/clients.php       | 17 +++++++++-----
 htdocs/compta/localtax/index.php         | 21 ++++++++++++++++--
 htdocs/compta/localtax/quadri_detail.php | 28 ++++++++++++++----------
 htdocs/compta/tva/clients.php            | 10 ++++-----
 htdocs/compta/tva/index.php              |  8 +++++--
 htdocs/compta/tva/quadri_detail.php      |  5 +++--
 htdocs/core/lib/tax.lib.php              |  2 +-
 htdocs/langs/en_US/companies.lang        |  2 --
 9 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/htdocs/compta/localtax/card.php b/htdocs/compta/localtax/card.php
index 821e4d05d7e..0a741e7691b 100644
--- a/htdocs/compta/localtax/card.php
+++ b/htdocs/compta/localtax/card.php
@@ -156,8 +156,6 @@ $title=$langs->trans("LT".$object->ltt) . " - " . $langs->trans("Card");
 $help_url='';
 llxHeader("", $title, $helpurl);
 
-
-
 if ($action == 'create')
 {
     print load_fiche_titre($langs->transcountry($lttype==2?"newLT2Payment":"newLT1Payment", $mysoc->country_code));
diff --git a/htdocs/compta/localtax/clients.php b/htdocs/compta/localtax/clients.php
index 58b1ccd3f21..c4157d81984 100644
--- a/htdocs/compta/localtax/clients.php
+++ b/htdocs/compta/localtax/clients.php
@@ -85,6 +85,12 @@ $socid = GETPOST('socid', 'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'tax', '', '', 'charges');
 
+if (empty($local))
+{
+	accessforbidden('Parameter localTaxType is missing');
+	exit;
+}
+
 
 
 /*
@@ -106,11 +112,12 @@ llxHeader('', '', '', '', 0, 0, '', '', $morequerystring);
 
 $name=$langs->transcountry($local==1?"LT1ReportByCustomers":"LT2ReportByCustomers", $mysoc->country_code);
 
-$fsearch.='<br>';
-$fsearch.='  <input type="hidden" name="year" value="'.$year.'">';
-$fsearch.='  <input type="hidden" name="modetax" value="'.$modetax.'">';
-$fsearch.='  '.$langs->trans("SalesTurnoverMinimum").': ';
-$fsearch.='  <input type="text" name="min" id="min" value="'.$min.'" size="6">';
+$fsearch ='<!-- hidden fields for form -->';
+$fsearch.='<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.='<input type="hidden" name="modetax" value="'.$modetax.'">';
+$fsearch.='<input type="hidden" name="localTaxType" value="'.$local.'">';
+$fsearch.=$langs->trans("SalesTurnoverMinimum").': ';
+$fsearch.='<input type="text" name="min" id="min" value="'.$min.'" size="6">';
 
 $calc=$conf->global->MAIN_INFO_LOCALTAX_CALC.$local;
 // Affiche en-tete du rapport
diff --git a/htdocs/compta/localtax/index.php b/htdocs/compta/localtax/index.php
index 8d288274049..ef5013c84f6 100644
--- a/htdocs/compta/localtax/index.php
+++ b/htdocs/compta/localtax/index.php
@@ -188,6 +188,19 @@ function pt($db, $sql, $date)
     }
 }
 
+if (empty($localTaxType))
+{
+	accessforbidden('Parameter localTaxType is missing');
+	exit;
+}
+
+
+/*
+ * Actions
+ */
+
+// None
+
 
 /*
  * View
@@ -213,7 +226,11 @@ if($localTaxType==1) {
 	$CalcLT= $conf->global->MAIN_INFO_LOCALTAX_CALC2;
 }
 
-$fsearch.='  <input type="hidden" name="localTaxType" value="'.$localTaxType.'">';
+$fsearch = '<!-- hidden fields for form -->';
+$fsearch.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.= '<input type="hidden" name="localTaxType" value="'.$localTaxType.'">';
+$fsearch.= '<input type="hidden" name="modetax" value="'.$modetax.'">';
+
 $description = $fsearch;
 
 // Show report header
@@ -528,7 +545,7 @@ while ((($y < $yend) || ($y == $yend && $m <= $mend)) && $mcursor < 1000)	// $mc
     $total = $total + $diff;
     $subtotal = price2num($subtotal + $diff, 'MT');
 
-    print '<td class="nowrap right">'.price(price2num($diff, 'MT')).'</td>\n';
+    print '<td class="nowrap right">'.price(price2num($diff, 'MT')).'</td>'."\n";
     print "<td>&nbsp;</td>\n";
     print "</tr>\n";
 
diff --git a/htdocs/compta/localtax/quadri_detail.php b/htdocs/compta/localtax/quadri_detail.php
index 4bbe5c723e1..c28c5f5f48b 100644
--- a/htdocs/compta/localtax/quadri_detail.php
+++ b/htdocs/compta/localtax/quadri_detail.php
@@ -97,6 +97,12 @@ $socid = GETPOST('socid', 'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'tax', '', '', 'charges');
 
+if (empty($local))
+{
+	accessforbidden('Parameter localTaxType is missing');
+	exit;
+}
+
 
 
 /*
@@ -122,9 +128,10 @@ foreach ($listofparams as $param)
 
 llxHeader('', $langs->trans("LocalTaxReport"), '', '', 0, 0, '', '', $morequerystring);
 
-$fsearch.='  <input type="hidden" name="year" value="'.$year.'">';
-$fsearch.='  <input type="hidden" name="modetax" value="'.$modetax.'">';
-$fsearch.='  <input type="hidden" name="localTaxType" value="'.$local.'">';
+$fsearch = '<!-- hidden fields for form -->';
+$fsearch.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.= '<input type="hidden" name="modetax" value="'.$modetax.'">';
+$fsearch.= '<input type="hidden" name="localTaxType" value="'.$local.'">';
 
 $name=$langs->transcountry($local==1?"LT1ReportByQuarters":"LT2ReportByQuarters", $mysoc->country_code);
 $calcmode='';
@@ -161,7 +168,7 @@ if (! empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) {
 	$description.='<br>'.$langs->trans("DepositsAreNotIncluded");
 }
 */
-if (! empty($conf->global->MAIN_MODULE_ACCOUNTING)) $description.='<br>'.$langs->trans("ThisIsAnEstimatedValue");
+if (! empty($conf->global->MAIN_MODULE_ACCOUNTING)) $description.=$langs->trans("ThisIsAnEstimatedValue");
 
 // Customers invoices
 $elementcust=$langs->trans("CustomersInvoices");
@@ -186,15 +193,14 @@ if ($mysoc->tva_assuj) {
 
 report_header($name, '', $period, $periodlink, $description, $builddate, $exportlink, array(), $calcmode);
 
-
 if($local==1){
-	$vatcust=$langs->transcountry("LocalTax1", $mysoc->country_code);
-	$vatsup=$langs->transcountry("LocalTax1", $mysoc->country_code);
-	$vatexpensereport=$langs->transcountry("LocalTax1", $mysoc->country_code);
+	$vatcust=$langs->transcountry("LT1", $mysoc->country_code);
+	$vatsup=$langs->transcountry("LT1", $mysoc->country_code);
+	$vatexpensereport=$langs->transcountry("LT1", $mysoc->country_code);
 }else{
-	$vatcust=$langs->transcountry("LocalTax2", $mysoc->country_code);
-	$vatsup=$langs->transcountry("LocalTax2", $mysoc->country_code);
-	$vatexpensereport=$langs->transcountry("LocalTax2", $mysoc->country_code);
+	$vatcust=$langs->transcountry("LT2", $mysoc->country_code);
+	$vatsup=$langs->transcountry("LT2", $mysoc->country_code);
+	$vatexpensereport=$langs->transcountry("LT2", $mysoc->country_code);
 }
 
 // VAT Received and paid
diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php
index e0775313dd3..969d5322008 100644
--- a/htdocs/compta/tva/clients.php
+++ b/htdocs/compta/tva/clients.php
@@ -123,11 +123,11 @@ if (isset($_REQUEST['extra_report']) && $_REQUEST['extra_report'] == 1) {
 
 llxHeader('', $langs->trans("VATReport"), '', '', 0, 0, '', '', $morequerystring);
 
-$fsearch.='<br>';
-$fsearch.='  <input type="hidden" name="year" value="'.$year.'">';
-$fsearch.='  <input type="hidden" name="modetax" value="'.$modetax.'">';
-$fsearch.='  '.$langs->trans("SalesTurnoverMinimum").': ';
-$fsearch.='  <input type="text" name="min" id="min" value="'.$min.'" size="6">';
+$fsearch ='<!-- hidden fields for form -->';
+$fsearch.='<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.='<input type="hidden" name="modetax" value="'.$modetax.'">';
+$fsearch.=$langs->trans("SalesTurnoverMinimum").': ';
+$fsearch.='<input type="text" name="min" id="min" value="'.$min.'" size="6">';
 
 // Show report header
 $name=$langs->trans("VATReportByThirdParties");
diff --git a/htdocs/compta/tva/index.php b/htdocs/compta/tva/index.php
index f0c96dccdd6..6a83d25070b 100644
--- a/htdocs/compta/tva/index.php
+++ b/htdocs/compta/tva/index.php
@@ -198,7 +198,11 @@ $form=new Form($db);
 $company_static=new Societe($db);
 $tva = new Tva($db);
 
-$description = '';
+$fsearch ='<!-- hidden fields for form -->';
+$fsearch.='<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.='<input type="hidden" name="modetax" value="'.$modetax.'">';
+
+$description = $fsearch;
 
 // Show report header
 $name = $langs->trans("ReportByMonth");
@@ -208,7 +212,7 @@ if ($modetax == 1) $calcmode=$langs->trans('OptionVATDebitOption');
 if ($modetax == 2) $calcmode=$langs->trans('OptionPaymentForProductAndServices');
 $calcmode.='<br>('.$langs->trans("TaxModuleSetupToModifyRules", DOL_URL_ROOT.'/admin/taxes.php').')';
 
-$description = $langs->trans("VATSummary").'<br>';
+$description .= $langs->trans("VATSummary").'<br>';
 if ($conf->global->TAX_MODE_SELL_PRODUCT == 'invoice') $description.=$langs->trans("RulesVATDueProducts");
 if ($conf->global->TAX_MODE_SELL_PRODUCT == 'payment') $description.=$langs->trans("RulesVATInProducts");
 if ($conf->global->TAX_MODE_SELL_SERVICE == 'invoice') $description.='<br>'.$langs->trans("RulesVATDueServices");
diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php
index 8b58bde4199..581e9a1d13e 100644
--- a/htdocs/compta/tva/quadri_detail.php
+++ b/htdocs/compta/tva/quadri_detail.php
@@ -122,8 +122,9 @@ llxHeader('', $langs->trans("VATReport"), '', '', 0, 0, '', '', $morequerystring
 //print load_fiche_titre($langs->trans("VAT"),"");
 
 //$fsearch.='<br>';
-$fsearch.='  <input type="hidden" name="year" value="'.$year.'">';
-$fsearch.='  <input type="hidden" name="modetax" value="'.$modetax.'">';
+$fsearch ='<!-- hidden fields for form -->';
+$fsearch.='<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+$fsearch.='<input type="hidden" name="modetax" value="'.$modetax.'">';
 //$fsearch.='  '.$langs->trans("SalesTurnoverMinimum").': ';
 //$fsearch.='  <input type="text" name="min" value="'.$min.'">';
 
diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php
index 884ff4fc922..d959a660224 100644
--- a/htdocs/core/lib/tax.lib.php
+++ b/htdocs/core/lib/tax.lib.php
@@ -124,7 +124,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
     	$invoicefieldref='ref';
     }
 
-    if ( strpos($type, 'localtax') === 0 ) {
+    if (strpos($type, 'localtax') === 0) {
     	$f_rate = $type . '_tx';
     } else {
     	$f_rate = 'tva_tx';
diff --git a/htdocs/langs/en_US/companies.lang b/htdocs/langs/en_US/companies.lang
index dccd53c597a..532fbf14cb7 100644
--- a/htdocs/langs/en_US/companies.lang
+++ b/htdocs/langs/en_US/companies.lang
@@ -96,8 +96,6 @@ LocalTax1IsNotUsedES= RE is not used
 LocalTax2IsUsed=Use third tax
 LocalTax2IsUsedES= IRPF is used
 LocalTax2IsNotUsedES= IRPF is not used
-LocalTax1ES=RE
-LocalTax2ES=IRPF
 WrongCustomerCode=Customer code invalid
 WrongSupplierCode=Vendor code invalid
 CustomerCodeModel=Customer code model