lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '9.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/admin/external_rss.php
	htdocs/admin/system/database-tables.php
	htdocs/admin/tools/export_files.php
	htdocs/core/actions_linkedfiles.inc.php
	htdocs/core/lib/files.lib.php
	htdocs/core/lib/functions.lib.php
This commit is contained in:
Laurent Destailleur 2019-05-21 15:13:25 +02:00
commit 42f5ebed2d
6 changed files with 57 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
htdocs/admin/external_rss.php
View File

@ -66,8 +66,8 @@ else
if ($action == 'add' || GETPOST("modify"))
{
$external_rss_title = "external_rss_title_" . GETPOST("norss");
$external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss");
$external_rss_title = "external_rss_title_" . GETPOST("norss", 'int');
$external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss", 'int');
if (! empty($_POST[$external_rss_urlrss]))
{
@ -95,7 +95,7 @@ if ($action == 'add' || GETPOST("modify"))
{
// Ajoute boite box_external_rss dans definition des boites
$sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
$sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss").' ('.GETPOST($external_rss_title)).")')";
$sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss", 'int').' ('.GETPOST($external_rss_title, 'alpha')).")')";
if (! $db->query($sql))
{
dol_print_error($db);
@ -103,8 +103,8 @@ if ($action == 'add' || GETPOST("modify"))
}
}
$result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"), GETPOST($external_rss_title), 'chaine', 0, '', $conf->entity);
if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"), GETPOST($external_rss_urlrss), 'chaine', 0, '', $conf->entity);
$result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), GETPOST($external_rss_title, 'alpha'), 'chaine', 0, '', $conf->entity);
if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), GETPOST($external_rss_urlrss, 'alpha'), 'chaine', 0, '', $conf->entity);
if ($result1 && $result2)
{
@ -122,13 +122,13 @@ if ($action == 'add' || GETPOST("modify"))
if ($_POST["delete"])
{
if(GETPOST("norss"))
if (GETPOST("norss", 'int'))
{
$db->begin();
// Supprime boite box_external_rss de definition des boites
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
$sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
$sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss", 'int'))." %'";
$resql=$db->query($sql);
if ($resql)
@ -168,8 +168,8 @@ if ($_POST["delete"])
}
$result1=dolibarr_del_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"), $conf->entity);
if ($result1) $result2=dolibarr_del_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"), $conf->entity);
$result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), $conf->entity);
if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), $conf->entity);
if ($result1 && $result2)
{
@ -270,13 +270,13 @@ if ($resql)
print '<tr class="oddeven">';
print "<td width=\"100px\">".$langs->trans("Title")."</td>";
print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . $conf->global->$keyrsstitle . "\"></td>";
print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . dol_escape_htmltag($conf->global->$keyrsstitle) . "\"></td>";
print "</tr>";
print '<tr class="oddeven">';
print "<td>".$langs->trans("URL")."</td>";
print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . $conf->global->$keyrssurl . "\"></td>";
print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . dol_escape_htmltag($conf->global->$keyrssurl) . "\"></td>";
print "</tr>";

33
htdocs/admin/system/database-tables.php
View File

@ -36,7 +36,13 @@ $action=GETPOST('action', 'alpha');
if ($action == 'convert')
{
$db->query("alter table ".$_GET["table"]." ENGINE=INNODB");
$sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." ENGINE=INNODB";
$db->query($sql);
}
if ($action == 'convertutf8')
{
$sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." CHARACTER SET utf8 COLLATE utf8_unicode_ci";
$db->query($sql);
}
@ -111,23 +117,28 @@ else
print '<td><a href="dbtable.php?table='.$obj->Name.'">'.$obj->Name.'</a></td>';
print '<td>'.$obj->Engine.'</td>';
if (isset($row[1]) && $row[1] == "MyISAM")
if (isset($obj->Engine) && $obj->Engine == "MyISAM")
{
print '<td><a href="database-tables.php?action=convert&amp;table='.$row[0].'">'.$langs->trans("Convert").'</a></td>';
print '<td><a class="reposition" href="database-tables.php?action=convert&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' InnoDB</a></td>';
}
else
{
print '<td>&nbsp;</td>';
}
print '<td>'.$obj->Row_format.'</td>';
print '<td class="right">'.$obj->Rows.'</td>';
print '<td class="right">'.$obj->Avg_row_length.'</td>';
print '<td class="right">'.$obj->Data_length.'</td>';
print '<td class="right">'.$obj->Max_data_length.'</td>';
print '<td class="right">'.$obj->Index_length.'</td>';
print '<td class="right">'.$obj->Auto_increment.'</td>';
print '<td class="right">'.$obj->Check_time.'</td>';
print '<td class="right">'.$obj->Collation.'</td>';
print '<td align="right">'.$obj->Rows.'</td>';
print '<td align="right">'.$obj->Avg_row_length.'</td>';
print '<td align="right">'.$obj->Data_length.'</td>';
print '<td align="right">'.$obj->Max_data_length.'</td>';
print '<td align="right">'.$obj->Index_length.'</td>';
print '<td align="right">'.$obj->Auto_increment.'</td>';
print '<td align="right">'.$obj->Check_time.'</td>';
print '<td align="right">'.$obj->Collation;
if (isset($obj->Collation) && ($obj->Collation == "utf8mb4_general_ci" || $obj->Collation == "utf8mb4_unicode_ci"))
{
print '<br><a class="reposition" href="database-tables.php?action=convertutf8&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' UTF8</a>';
}
print '</td>';
print '</tr>';
$i++;
}

11
htdocs/admin/tools/export_files.php
View File

@ -36,6 +36,8 @@ $export_type=GETPOST('export_type', 'alpha');
$file=GETPOST('zipfilename_template', 'alpha');
$compression = GETPOST('compression');
$file = dol_sanitizeFileName($file);
$sortfield = GETPOST('sortfield', 'alpha');
$sortorder = GETPOST('sortorder', 'alpha');
$page = GETPOST("page", 'int');
@ -57,10 +59,11 @@ $errormsg='';
if ($action == 'delete')
{
$file=$conf->admin->dir_output.'/'.GETPOST('urlfile');
$ret=dol_delete_file($file, 1);
if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs');
else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors');
$filerelative = dol_sanitizeFileName(GETPOST('urlfile', 'alpha'));
$filepath=$conf->admin->dir_output.'/'.$filerelative;
$ret=dol_delete_file($filepath, 1);
if ($ret) setEventMessages($langs->trans("FileWasRemoved", $filerelative), null, 'mesgs');
else setEventMessages($langs->trans("ErrorFailToDeleteFile", $filerelative), null, 'errors');
$action='';
}

2
htdocs/core/actions_linkedfiles.inc.php
View File

@ -194,7 +194,7 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/(\.htm|\.html|\.php|\.pl|\.cgi)$/i', $filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$filenameto.= '.noexe';
}

2
htdocs/core/lib/files.lib.php
View File

@ -1056,7 +1056,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/(\.htm|\.html|\.php|\.pl|\.cgi)$/i', $dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$file_name.= '.noexe';
}

19
htdocs/core/lib/functions.lib.php
View File

@ -7955,7 +7955,6 @@ function roundUpToNextMultiple($n, $x = 5)
*/
function dolGetBadge($label, $html = '', $type = 'primary', $mode = '', $url = '', $params = array())
{
$attr=array(
'class'=>'badge'.(!empty($mode)?' badge-'.$mode:'').(!empty($type)?' badge-'.$type:'')
);
@ -8118,7 +8117,6 @@ function dolGetButtonAction($label, $html = '', $actionType = 'default', $url =
$attr['aria-label'] = $label;
}
if(empty($userRight)){
$attr['class'] = 'butActionRefused';
$attr['href'] = '';
@ -8156,8 +8154,6 @@ function dolGetButtonAction($label, $html = '', $actionType = 'default', $url =
return '<div class="inline-block divButAction"><'.$tag.' '.$compiledAttributes.'>'.$html.'</'.$tag.'></div>';
}
/**
* Function dolGetButtonTitle : this kind of buttons are used in title in list
*
@ -8269,3 +8265,18 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u
return $button;
}
/**
* Return if a file can contains executable content
*
* @param string $filename File NamedRange
* @return boolean True if yes, False if no
*/
function isAFileWithExecutableContent($filename)
{
if (preg_match('/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)$/i', $filename))
{
return true;
}
return false;
}