From 1ba03566dc20ed6851371db10fe8ec1dd426ca87 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 12 Jun 2020 02:15:02 +0200
Subject: [PATCH 1/3] Fix case of delete contact not correctly implemented.

---
 htdocs/core/class/commonobject.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 0f055d457ed..e104b82642d 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -8012,7 +8012,11 @@ abstract class CommonObject
 $error++;
 $this->errors[] = $this->error;
 } else {
- $result = $this->delete($user);
+ if (get_class($this) == 'Contact') { // TODO special code because delete() for contact has not been standardized like other delete.
+ $result = $this->delete();
+ } else {
+ $result = $this->delete($user);
+ }
 if ($result < 0) {
 $error++;
 $this->errors[] = $this->error;
From 40e16672e3aa4e9208ea7a4829f30507dcdfc4ba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 15 Jun 2020 15:08:52 +0200
Subject: [PATCH 2/3] FIX BlindBoolean SQL injection reported by Christian Weiler

---
 htdocs/accountancy/customer/card.php | 4 ++--
 htdocs/accountancy/expensereport/card.php | 4 ++--
 htdocs/accountancy/supplier/card.php | 4 ++--
 htdocs/comm/mailing/info.php | 2 +-
 htdocs/compta/paiement/info.php | 2 +-
 htdocs/variants/ajax/get_attribute_values.php | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/htdocs/accountancy/customer/card.php b/htdocs/accountancy/customer/card.php
index 0a39fbc8254..591606a7e26 100644
--- a/htdocs/accountancy/customer/card.php
+++ b/htdocs/accountancy/customer/card.php
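Review bot: `get_class($this) == 'Contact'` in the new commonobject.class.php branch is a loose string comparison on the exact class name, so a subclass of Contact still takes the `delete($user)` path that this commit says is wrong for contacts; `if ($this instanceof Contact) {` states the intent and covers subclasses. The special case presumably exists because Contact::delete() does not take the User as its first parameter, so passing `$user` there would be silently reinterpreted — that reading is inferred, not visible in the hunk. The TODO should name the actual fix (aligning Contact::delete() with the `delete($user)` signature the other classes use) so this branch can be removed instead of growing into more class-name checks. The enclosing method begins and ends outside the hunk.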
@@ -34,8 +34,8 @@ $action = GETPOST('action', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); -$codeventil = GETPOST('codeventil'); -$id = GETPOST('id'); +$codeventil = GETPOST('codeventil', 'int'); +$id = GETPOST('id', 'int'); // Security check if ($user->socid > 0) diff --git a/htdocs/accountancy/expensereport/card.php b/htdocs/accountancy/expensereport/card.php index 36d587e0c99..9d7c504354f 100644 --- a/htdocs/accountancy/expensereport/card.php +++ b/htdocs/accountancy/expensereport/card.php @@ -38,8 +38,8 @@ $action = GETPOST('action', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); -$codeventil = GETPOST('codeventil'); -$id = GETPOST('id'); +$codeventil = GETPOST('codeventil', 'int'); +$id = GETPOST('id', 'int'); // Security check if ($user->socid > 0) diff --git a/htdocs/accountancy/supplier/card.php b/htdocs/accountancy/supplier/card.php index 6140f90fe8d..699459ad63a 100644 --- a/htdocs/accountancy/supplier/card.php +++ b/htdocs/accountancy/supplier/card.php @@ -38,8 +38,8 @@ $action = GETPOST('action', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); -$codeventil = GETPOST('codeventil'); -$id = GETPOST('id'); +$codeventil = GETPOST('codeventil', 'int'); +$id = GETPOST('id', 'int'); // Security check if ($user->socid > 0) diff --git a/htdocs/comm/mailing/info.php b/htdocs/comm/mailing/info.php index 3dfe0c4264c..070d46f6104 100644 --- a/htdocs/comm/mailing/info.php +++ b/htdocs/comm/mailing/info.php @@ -27,7 +27,7 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/emailing.lib.php'; -$id = GETPOST('id'); +$id = GETPOST('id', 'int'); // Load translation files required by the page $langs->load("mails"); 
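Review bot: `GETPOST('id', 'int')` and `GETPOST('codeventil', 'int')` in customer/card.php now appear to yield 0 for any non-numeric input instead of passing the raw string through, which closes the reported injection at the request boundary, but nothing in the hunk turns that 0 into an explicit "record not found" stop; the same change appears in expensereport/card.php, supplier/card.php, comm/mailing/info.php, compta/paiement/info.php and variants/ajax/get_attribute_values.php, and only the last of those shows an `if (!$id)` guard. Where `$id` is later placed into SQL (outside these hunks) it should still be written as `(int) $id` so the query stays safe even if a future edit drops the check type from GETPOST again. A short comment on the assignment, `// 'int' check type: non-numeric input becomes 0 and never reaches SQL as a string`, would record why the second argument is not optional here.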
diff --git a/htdocs/compta/paiement/info.php b/htdocs/compta/paiement/info.php index 3da6a95a1e8..00c3440b868 100644 --- a/htdocs/compta/paiement/info.php +++ b/htdocs/compta/paiement/info.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; // Load translation files required by the page $langs->loadLangs(array('bills', 'companies')); -$id = GETPOST('id'); +$id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $action = GETPOST('action', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/variants/ajax/get_attribute_values.php b/htdocs/variants/ajax/get_attribute_values.php index 866bac1ef78..ee45ad18b23 100644 --- a/htdocs/variants/ajax/get_attribute_values.php +++ b/htdocs/variants/ajax/get_attribute_values.php @@ -28,7 +28,7 @@ require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php' header('Content-Type: application/json'); -$id = GETPOST('id'); +$id = GETPOST('id', 'int'); if (!$id) { print json_encode(array( From cbd99ea7a2e77403cfffcd40700b794814d3132f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 16 Jun 2020 21:57:49 +0200 Subject: [PATCH 3/3] FIX #14088 --- htdocs/fourn/commande/dispatch.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php index d132a87233f..5e285f20457 100644 --- a/htdocs/fourn/commande/dispatch.php +++ b/htdocs/fourn/commande/dispatch.php @@ -928,7 +928,7 @@ if ($id > 0 || !empty($ref)) { '; // List of lines already dispatched - $sql = "SELECT p.ref, p.label,"; + $sql = "SELECT p.rowid as pid, p.ref, p.label,"; $sql .= " e.rowid as warehouse_id, e.ref as entrepot,"; $sql .= " cfd.rowid as dispatchlineid, cfd.fk_product, cfd.qty, cfd.eatby, cfd.sellby, cfd.batch, cfd.comment, cfd.status, cfd.datec"; if ($conf->reception->enabled)$sql .= " ,cfd.fk_reception, r.date_delivery"; 
@@ -1005,9 +1005,18 @@ if ($id > 0 || !empty($ref)) { print ''.dol_print_date($db->jdate($objp->date_delivery), 'day').''; if (!empty($conf->productbatch->enabled)) { - print ''.$objp->batch.''; - print ''.dol_print_date($db->jdate($objp->eatby), 'day').''; - print ''.dol_print_date($db->jdate($objp->sellby), 'day').''; + if ($objp->batch) { + include_once DOL_DOCUMENT_ROOT.'/product/stock/class/productlot.class.php'; + $lot=new Productlot($db); + $lot->fetch(0, $objp->pid, $objp->batch); + print ''.$lot->getNomUrl(1).''; + print ''.dol_print_date($lot->eatby, 'day').''; + print ''.dol_print_date($lot->sellby, 'day').''; + } else { + print ''; + print ''; + print ''; + } } // Qty
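Review bot: The return value of `$lot->fetch(0, $objp->pid, $objp->batch)` is ignored, so when no productlot row matches the dispatch line's batch, `$lot->getNomUrl(1)`, `$lot->eatby` and `$lot->sellby` are rendered from an unloaded object and the three cells come out empty or misleading, whereas the removed lines at least showed the batch stored on the line. Dolibarr fetch() methods conventionally return >0 on success, 0 when nothing is found and <0 on error (inferred from convention, not visible here), so the lot should only be rendered when fetch() succeeded, with the line's own batch/eatby/sellby as the fallback. The `include_once` of productlot.class.php sits inside the per-row loop; move it up next to the file's other `require_once` lines, and write `$lot = new Productlot($db);` with spaces like the surrounding code. The `''` around each print in this listing look like stripped cell markup, so the original `<td>` tags must be kept. The enclosing `if (!empty($conf->productbatch->enabled))` block and the loop around it start outside the hunk.
```php
if ($objp->batch) {
    $lot = new Productlot($db);
    // Only render the lot when a matching productlot row was actually loaded
    if ($lot->fetch(0, $objp->pid, $objp->batch) > 0) {
        print '<td>'.$lot->getNomUrl(1).'</td>';
        print '<td>'.dol_print_date($lot->eatby, 'day').'</td>';
        print '<td>'.dol_print_date($lot->sellby, 'day').'</td>';
    } else {
        // No lot record: fall back to the values stored on the dispatch line
        print '<td>'.dol_escape_htmltag($objp->batch).'</td>';
        print '<td>'.dol_print_date($db->jdate($objp->eatby), 'day').'</td>';
        print '<td>'.dol_print_date($db->jdate($objp->sellby), 'day').'</td>';
    }
} else {
    // … unchanged: three empty cells …
```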