diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index b9b78e55ec9..7a82459f845 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -66,8 +66,8 @@ else
if ($action == 'add' || GETPOST("modify"))
{
- $external_rss_title = "external_rss_title_" . GETPOST("norss");
- $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss");
+ $external_rss_title = "external_rss_title_" . GETPOST("norss", 'int');
+ $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss", 'int');
if (! empty($_POST[$external_rss_urlrss]))
{
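Review bot: The guard on L12 still reads `$_POST[$external_rss_urlrss]` directly while the lines just above now route `norss` through `GETPOST(..., 'int')`, and when `norss` is absent or non-numeric the computed key degenerates to the bare prefix `external_rss_urlrss_`, so the branch silently does nothing instead of reporting a bad request. A check that `GETPOST("norss", 'int')` is non-empty before the keys are built, mirroring the `if (GETPOST("norss", 'int'))` guard the delete path already has, would make that failure explicit. The enclosing `if ($action == 'add' || GETPOST("modify"))` block continues past the hunk.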
@@ -95,7 +95,7 @@ if ($action == 'add' || GETPOST("modify"))
{
// Ajoute boite box_external_rss dans definition des boites
$sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
- $sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss").' ('.GETPOST($external_rss_title)).")')";
+ $sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss", 'int').' ('.GETPOST($external_rss_title, 'alpha')).")')";
if (! $db->query($sql))
{
dol_print_error($db);
@@ -103,8 +103,8 @@ if ($action == 'add' || GETPOST("modify"))
}
}
- $result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"), GETPOST($external_rss_title), 'chaine', 0, '', $conf->entity);
- if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"), GETPOST($external_rss_urlrss), 'chaine', 0, '', $conf->entity);
+ $result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), GETPOST($external_rss_title, 'alpha'), 'chaine', 0, '', $conf->entity);
+ if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), GETPOST($external_rss_urlrss, 'alpha'), 'chaine', 0, '', $conf->entity);
if ($result1 && $result2)
{
@@ -122,13 +122,13 @@ if ($action == 'add' || GETPOST("modify"))
if ($_POST["delete"])
{
- if(GETPOST("norss"))
+ if (GETPOST("norss", 'int'))
{
$db->begin();
// Supprime boite box_external_rss de definition des boites
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
- $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
+ $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss", 'int'))." %'";
$resql=$db->query($sql);
if ($resql)
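Review bot: `$_POST["delete"]` on L33 is still read raw while every other input in this hunk now goes through GETPOST; `if (GETPOST('delete', 'alpha'))` would be consistent and avoids the undefined-index notice when the form is submitted without that button. The LIKE on L42 embeds the escaped value in a pattern, and `$db->escape()` does not neutralise LIKE metacharacters (`%`, `_`), so the line is safe only because the `int` filter restricts `norss` to digits; a short comment such as `// norss is int-filtered, so no LIKE wildcards can reach the pattern` would keep that dependency visible if the filter is ever relaxed. The `if ($resql)` block continues outside the hunk.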
@@ -168,8 +168,8 @@ if ($_POST["delete"])
}
- $result1=dolibarr_del_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"), $conf->entity);
- if ($result1) $result2=dolibarr_del_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"), $conf->entity);
+ $result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), $conf->entity);
+ if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), $conf->entity);
if ($result1 && $result2)
{
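Review bot: L49–L50 drop the space after `$db,` that the parallel `dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" ...` calls in the add path keep; restore `$result1=dolibarr_del_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), $conf->entity);` so the two paths read the same. The enclosing delete block starts and ends outside the hunk.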
@@ -270,13 +270,13 @@ if ($resql)
print '
';
print "| ".$langs->trans("Title")." | ";
- print "global->$keyrsstitle . "\"> | ";
+ print "global->$keyrsstitle) . "\"> | ";
print "
";
print '';
print "| ".$langs->trans("URL")." | ";
- print "global->$keyrssurl . "\"> | ";
+ print "global->$keyrssurl) . "\"> | ";
print "
";
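Review bot: The new lines wrap `$conf->global->$keyrsstitle` and `$conf->global->$keyrssurl` in a call before they are placed in the input's value attribute, but the name of that call and the surrounding markup are stripped in this rendering, so I cannot confirm it escapes for HTML-attribute context. The stored title comes from the `alpha`-filtered POST value, which is not attribute-safe on its own, so the wrapper needs to be an HTML escaper such as `dol_escape_htmltag(...)` rather than a SQL or URL one; please confirm. The enclosing output loop starts before the hunk.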
diff --git a/htdocs/admin/system/database-tables.php b/htdocs/admin/system/database-tables.php
index 8e018bc2255..c04c91e0e66 100644
--- a/htdocs/admin/system/database-tables.php
+++ b/htdocs/admin/system/database-tables.php
@@ -36,7 +36,13 @@ $action=GETPOST('action', 'alpha');
if ($action == 'convert')
{
- $db->query("alter table ".$_GET["table"]." ENGINE=INNODB");
+ $sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." ENGINE=INNODB";
+ $db->query($sql);
+}
+if ($action == 'convertutf8')
+{
+ $sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." CHARACTER SET utf8 COLLATE utf8_unicode_ci";
+ $db->query($sql);
}
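Review bot: `$db->escape()` on L75 and L80 is a string-literal escaper applied to a table identifier, where it does not constrain what can be injected; the effective control is the `aZ09` filter, and the code should either say so or allow-list the identifier explicitly, for example by requiring it to start with `MAIN_DB_PREFIX`. Neither branch checks the result of `$db->query($sql)`, so a failed ALTER is silent; `external_rss.php` in the same commit already uses `if (! $db->query($sql)) dol_print_error($db);` and the same shape fits here. Note also that `CHARACTER SET utf8` in MySQL is the three-byte `utf8mb3`, so a table holding 4-byte characters will fail or lose data on this conversion, which is one more reason to surface the result.
```php
$table = GETPOST("table", "aZ09");
// Identifiers cannot be bound as parameters: the aZ09 filter plus the prefix check is the allow-list
if ($table === '' || strpos($table, MAIN_DB_PREFIX) !== 0) {
    accessforbidden();
}
if ($action == 'convert')
{
    $sql = "ALTER TABLE ".$table." ENGINE=INNODB";
    if (! $db->query($sql)) dol_print_error($db);
}
// … unchanged: convertutf8 branch, with the same result check …
```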
@@ -111,23 +117,28 @@ else
print ''.$obj->Name.' | ';
print ''.$obj->Engine.' | ';
- if (isset($row[1]) && $row[1] == "MyISAM")
+ if (isset($obj->Engine) && $obj->Engine == "MyISAM")
{
- print ''.$langs->trans("Convert").' | ';
+ print ''.$langs->trans("Convert").' InnoDB | ';
}
else
{
print ' | ';
}
print ''.$obj->Row_format.' | ';
- print ''.$obj->Rows.' | ';
- print ''.$obj->Avg_row_length.' | ';
- print ''.$obj->Data_length.' | ';
- print ''.$obj->Max_data_length.' | ';
- print ''.$obj->Index_length.' | ';
- print ''.$obj->Auto_increment.' | ';
- print ''.$obj->Check_time.' | ';
- print ''.$obj->Collation.' | ';
+ print ''.$obj->Rows.' | ';
+ print ''.$obj->Avg_row_length.' | ';
+ print ''.$obj->Data_length.' | ';
+ print ''.$obj->Max_data_length.' | ';
+ print ''.$obj->Index_length.' | ';
+ print ''.$obj->Auto_increment.' | ';
+ print ''.$obj->Check_time.' | ';
+ print ''.$obj->Collation;
+ if (isset($obj->Collation) && ($obj->Collation == "utf8mb4_general_ci" || $obj->Collation == "utf8mb4_unicode_ci"))
+ {
+ print ' '.$langs->trans("Convert").' UTF8';
+ }
+ print ' | ';
print '';
$i++;
}
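Review bot: The "Convert UTF8" link on L115 is shown exactly when the collation is already `utf8mb4_*`, and the `convertutf8` action in the previous hunk alters the table to `utf8`, which is MySQL's three-byte `utf8mb3`; the label therefore describes a downgrade that can fail or truncate 4-byte characters, so either relabel it (e.g. `'Convert'.' utf8mb3'`) or reverse the direction. Both convert links appear to trigger state-changing actions from a GET link; if this admin page is not already covered by the application's token check, that is worth confirming before merge. `$obj->Name` and the other SHOW TABLE STATUS fields on L84–L112 are printed unescaped; they are server-supplied, but wrapping them in `dol_escape_htmltag()` costs nothing. The loop these lines belong to opens before the hunk.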
diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php
index c593846a29d..c1ddedfea53 100644
--- a/htdocs/admin/tools/export_files.php
+++ b/htdocs/admin/tools/export_files.php
@@ -36,6 +36,8 @@ $export_type=GETPOST('export_type', 'alpha');
$file=GETPOST('zipfilename_template', 'alpha');
$compression = GETPOST('compression');
+$file = dol_sanitizeFileName($file);
+
$sortfield = GETPOST('sortfield', 'alpha');
$sortorder = GETPOST('sortorder', 'alpha');
$page = GETPOST("page", 'int');
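Review bot: `$compression = GETPOST('compression')` on L127 stays unfiltered while every neighbouring read carries a filter and `$file` now gets `dol_sanitizeFileName`; `$compression = GETPOST('compression', 'alpha');` (or `aZ09`, if the accepted values are bare method names) keeps the hardening consistent. A one-line comment on L128 such as `// sanitised because the name is presumably joined into a filesystem path further down` would explain why the `alpha` filter alone is not enough.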
@@ -57,10 +59,11 @@ $errormsg='';
if ($action == 'delete')
{
- $file=$conf->admin->dir_output.'/'.GETPOST('urlfile');
- $ret=dol_delete_file($file, 1);
- if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs');
- else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors');
+ $filerelative = dol_sanitizeFileName(GETPOST('urlfile', 'alpha'));
+ $filepath=$conf->admin->dir_output.'/'.$filerelative;
+ $ret=dol_delete_file($filepath, 1);
+ if ($ret) setEventMessages($langs->trans("FileWasRemoved", $filerelative), null, 'mesgs');
+ else setEventMessages($langs->trans("ErrorFailToDeleteFile", $filerelative), null, 'errors');
$action='';
}
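Review bot: Path containment at L140–L141 rests entirely on `dol_sanitizeFileName()` stripping path separators and dot segments before the value is joined to `$conf->admin->dir_output`, which is an implicit contract on a helper defined elsewhere; a local defence-in-depth guard before the delete keeps the invariant visible here, e.g. `if ($filerelative === '' || $filerelative !== basename($filerelative) || $filerelative === '..') { setEventMessages($langs->trans("ErrorFailToDeleteFile", $filerelative), null, 'errors'); }` with the existing delete in the else branch. Reporting the sanitised name rather than the raw input in the messages is the right change and needs no further work.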
diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php
index 272ac1532a6..72c78cb8a4d 100644
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@@ -194,7 +194,7 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
- if (preg_match('/(\.htm|\.html|\.php|\.pl|\.cgi)$/i', $filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
+ if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$filenameto.= '.noexe';
}
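Review bot: The `.noexe` rename on L158 (and the identical branch in files.lib.php around L171) leaves the original extension in the middle of the name, so the protection holds only as long as the web server selects handlers by the final extension; now that `isAFileWithExecutableContent()` is the single decision point, a comment on L156 should say where the list lives and what the primary control is, e.g. `// Extension list is in isAFileWithExecutableContent(); keeping the documents directory outside the web root is the real control, .noexe is defence in depth.` The enclosing `elseif ($action == 'renamefile' ...)` branch continues outside the hunk.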
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 92bc9f11c00..f4a25334e00 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1056,7 +1056,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
- if (preg_match('/(\.htm|\.html|\.php|\.pl|\.cgi)$/i', $dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
+ if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$file_name.= '.noexe';
}
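Review bot: The test on L169 inspects `$dest_file` but the suffix on L171 is appended to `$file_name`; if `$dest_file` was derived from `$file_name` earlier in `dol_move_uploaded_file()`, the rename may not reach the path that is actually written, so please confirm the two stay in sync (this predates the commit, but the new helper call makes it the natural place to check). A comment such as `// $file_name must be the basename of $dest_file here, otherwise the .noexe suffix is lost` would record the assumption. The function starts and ends outside the hunk.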
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f6e530ba8de..bcd1b555906 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7955,7 +7955,6 @@ function roundUpToNextMultiple($n, $x = 5)
*/
function dolGetBadge($label, $html = '', $type = 'primary', $mode = '', $url = '', $params = array())
{
-
$attr=array(
'class'=>'badge'.(!empty($mode)?' badge-'.$mode:'').(!empty($type)?' badge-'.$type:'')
);
@@ -8118,7 +8117,6 @@ function dolGetButtonAction($label, $html = '', $actionType = 'default', $url =
$attr['aria-label'] = $label;
}
-
if(empty($userRight)){
$attr['class'] = 'butActionRefused';
$attr['href'] = '';
@@ -8156,8 +8154,6 @@ function dolGetButtonAction($label, $html = '', $actionType = 'default', $url =
return '<'.$tag.' '.$compiledAttributes.'>'.$html.''.$tag.'>
';
}
-
-
/**
* Function dolGetButtonTitle : this kind of buttons are used in title in list
*
@@ -8269,3 +8265,18 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u
return $button;
}
+
+/**
+ * Return if a file can contains executable content
+ *
+ * @param string $filename File NamedRange
+ * @return boolean True if yes, False if no
+ */
+function isAFileWithExecutableContent($filename)
+{
+ if (preg_match('/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)$/i', $filename))
+ {
+ return true;
+ }
+ return false;
+}
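Review bot: The docblock on L206–L209 has two slips, `can contains` and `File NamedRange`; make them `Return true if a file name has an extension that a web server may execute` and `@param string $filename File name`, and state that the decision is by name only, not by inspecting content. The body can be a single expression, `return (bool) preg_match('/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)$/i', $filename);`. Since this function is now the one chokepoint for both upload and rename, the list is worth extending to other extensions commonly mapped to script handlers (`phar`, `php3`–`php7`, `pht`, `phps`, `shtml`) with a comment that it is deliberately broad.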