From 2e7ce7647b223dce88b2c7564b0e01034b55a107 Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 29 Mar 2012 08:38:38 +0100
Subject: [PATCH 1/7] Fix: Sanizite data
---
 htdocs/admin/compta.php | 14 +++++-----
 htdocs/admin/dons.php | 45 ++++++++++++++++++++-----------
 htdocs/admin/facture.php | 33 ++++++++++++-----------
 htdocs/admin/prelevement.php | 2 +-
 htdocs/admin/taxes.php | 6 ++---
 htdocs/compta/bank/admin/bank.php | 8 +++---
 6 files changed, 61 insertions(+), 47 deletions(-)
diff --git a/htdocs/admin/compta.php b/htdocs/admin/compta.php
index 3004a4e2cab..0ffd319cf13 100644
--- a/htdocs/admin/compta.php
+++ b/htdocs/admin/compta.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2004 Rodolphe Quiedeville
 * Copyright (C) 2004-2008 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -33,13 +33,13 @@ $langs->load('compta');
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 $compta_mode = defined('COMPTA_MODE')?COMPTA_MODE:'RECETTES-DEPENSES';
 if ($action == 'setcomptamode')
 {
- $compta_mode = GETPOST("compta_mode");
+ $compta_mode = GETPOST('compta_mode','alpha');
 $res = dolibarr_set_const($db, 'COMPTA_MODE', $compta_mode,'chaine',0,'',$conf->entity);
@@ -58,10 +58,10 @@ if ($action == 'setcomptamode')
 if ($action == 'update' || $action == 'add')
 {
- $constname = GETPOST("constname");
- $constvalue = GETPOST("constvalue");
- $consttype = GETPOST("consttype");
- $constnote = GETPOST("constnote");
+ $constname = GETPOST('constname','alpha');
+ $constvalue = GETPOST('constvalue','alpha');
+ $consttype = GETPOST('consttype','alpha');
+ $constnote = GETPOST('constnote','alpha');
 $res = dolibarr_set_const($db, $constname, $constvalue, $consttype, 0, $constnote, $conf->entity);
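Review bot: `$consttype` is handed straight to `dolibarr_set_const()` as the stored type after only the `'alpha'` check, so whatever string the request carries becomes the constant's type; dons.php in this same series declares `$typeconst=array('yesno','texte','chaine')` for exactly this purpose, and if compta.php keeps a similar list the `update`/`add` branch should validate against it before the call, e.g. `if (! in_array($consttype, array('yesno','texte','chaine'), true)) $consttype='chaine';`. The implementation of the `'alpha'` check is not visible in this diff, so whether it rejects quotes or only trims is an assumption; `$constvalue` is an arbitrary setting value, so confirm the filter does not silently empty a value that legitimately contains such characters. The enclosing `if ($action == 'update' || $action == 'add')` block continues past the hunk.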
diff --git a/htdocs/admin/dons.php b/htdocs/admin/dons.php
index 7fada7e9ee8..b78dfb92797 100644
--- a/htdocs/admin/dons.php
+++ b/htdocs/admin/dons.php
@@ -1,5 +1,6 @@
+/* Copyright (C) 2005-2010 Laurent Destailleur
+ * Copyright (C) 2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -31,14 +32,16 @@ if (!$user->admin) accessforbidden();
 $typeconst=array('yesno','texte','chaine');
+$action = GETPOST('action','alpha');
+
 /*
 * Action
 */
-if ($_GET["action"] == 'specimen')
+if ($action == 'specimen')
 {
- $modele=$_GET["module"];
+ $modele=GETPOST('module','alpha');
 $don = new Don($db);
 $don->initAsSpecimen();
@@ -71,25 +74,29 @@ if ($_GET["action"] == 'specimen')
 }
 }
-if ($_GET["action"] == 'setdoc')
+if ($action == 'setdoc')
 {
+ $value = GETPOST('value','alpha');
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
 $db->begin();
- if (dolibarr_set_const($db, "DON_ADDON_MODEL",$_GET["value"],'chaine',0,'',$conf->entity))
+ if (dolibarr_set_const($db, "DON_ADDON_MODEL",$value,'chaine',0,'',$conf->entity))
 {
- $conf->global->DON_ADDON_MODEL = $_GET["value"];
+ $conf->global->DON_ADDON_MODEL = $value;
 }
 // On active le modele
 $type='donation';
 $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
- $sql_del.= " WHERE nom = '".$db->escape($_GET["value"])."' AND type = '".$type."'";
+ $sql_del.= " WHERE nom = '".$db->escape($value)."' AND type = '".$type."'";
 $result1=$db->query($sql_del);
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
- $sql.= " VALUES ('".$db->escape($_GET["value"])."', '".$type."', ".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
 $sql.= ")";
 $result2=$db->query($sql);
 if ($result1 && $result2)
@@ -102,22 +109,28 @@ if ($_GET["action"] == 'setdoc')
 }
 }
-if ($_GET["action"] == 'set')
+if ($action == 'set')
 {
+ $value = GETPOST('value','alpha');
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
 $type='donation';
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
- $sql.= " VALUES ('".$db->escape($_GET["value"])."','".$type."',".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
 $sql.= ")";
 $resql=$db->query($sql);
 }
-if ($_GET["action"] == 'del')
+if ($action == 'del')
 {
+ $value = GETPOST('value','alpha');
+
 $type='donation';
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
- $sql .= " WHERE nom = '".$_GET["value"]."' AND type = '".$type."'";
+ $sql .= " WHERE nom = '".$value."' AND type = '".$type."'";
 $resql=$db->query($sql);
 }
diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php
index 06b749d7afc..b7f362f21ae 100644
--- a/htdocs/admin/facture.php
+++ b/htdocs/admin/facture.php
@@ -4,6 +4,7 @@
 * Copyright (C) 2005 Eric Seigne
 * Copyright (C) 2005-2012 Regis Houssin
 * Copyright (C) 2008 Raphael Bertrand (Resultic)
+ * Copyright (C) 2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
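Review bot: In the `del` branch `$value` is still concatenated unescaped into the DELETE statement (`" WHERE nom = '".$value."' AND type = ..."`), while the `set` and `setdoc` branches directly above pass the same parameter through `$db->escape()`; swapping `$_GET["value"]` for `GETPOST('value','alpha')` only changes where the value is read from, and whether the `'alpha'` check strips single quotes is not visible in this diff, so it must not be the only defence. The line should read `$sql .= " WHERE nom = '".$db->escape($value)."' AND type = '".$type."'";`. None of these branches check an anti-CSRF token (only the `accessforbidden()` admin guard is visible), so a plain link can already trigger the delete for a logged-in admin; that is pre-existing, but the unescaped SQL makes it worth fixing now rather than later.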
@@ -44,10 +45,10 @@ $value = GETPOST('value','alpha');
 if ($action == 'updateMask')
 {
- $maskconstinvoice=GETPOST("maskconstinvoice");
- $maskconstcredit=GETPOST("maskconstcredit");
- $maskinvoice=GETPOST("maskinvoice");
- $maskcredit=GETPOST("maskcredit");
+ $maskconstinvoice=GETPOST('maskconstinvoice','alpha');
+ $maskconstcredit=GETPOST('maskconstcredit','alpha');
+ $maskinvoice=GETPOST('maskinvoice','alpha');
+ $maskcredit=GETPOST('maskcredit','alpha');
 if ($maskconstinvoice) $res = dolibarr_set_const($db,$maskconstinvoice,$maskinvoice,'chaine',0,'',$conf->entity);
 if ($maskconstcredit) $res = dolibarr_set_const($db,$maskconstcredit,$maskcredit,'chaine',0,'',$conf->entity);
@@ -65,7 +66,7 @@ if ($action == 'updateMask')
 if ($action == 'specimen')
 {
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
 $facture = new Facture($db);
 $facture->initAsSpecimen();
@@ -116,8 +117,8 @@ if ($action == 'setModuleOptions')
 {
 if (array_key_exists('param'.$i,$_POST))
 {
- $param=$_POST["param".$i];
- $value=$_POST["value".$i];
+ $param=GETPOST("param".$i,'alpha');
+ $value=GETPOST("value".$i,'alpha');
 if ($param) $res = dolibarr_set_const($db,$param,$value,'chaine',0,'',$conf->entity);
 }
 }
@@ -135,8 +136,8 @@ if ($action == 'setModuleOptions')
 if ($action == 'set')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $type='invoice';
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
@@ -166,8 +167,8 @@ if ($action == 'del')
 if ($action == 'setdoc')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $db->begin();
@@ -214,8 +215,8 @@ if ($action == 'setmod')
 if ($action == 'setribchq')
 {
- $rib = GETPOST("rib");
- $chq = GETPOST("chq");
+ $rib = GETPOST('rib','alpha');
+ $chq = GETPOST('chq','alpha');
 $res = dolibarr_set_const($db, "FACTURE_RIB_NUMBER",$rib,'chaine',0,'',$conf->entity);
 $res = dolibarr_set_const($db, "FACTURE_CHQ_NUMBER",$chq,'chaine',0,'',$conf->entity);
@@ -234,7 +235,7 @@ if ($action == 'setribchq')
 if ($action == 'set_FACTURE_DRAFT_WATERMARK')
 {
- $draft = GETPOST("FACTURE_DRAFT_WATERMARK");
+ $draft = GETPOST('FACTURE_DRAFT_WATERMARK','alpha');
 $res = dolibarr_set_const($db, "FACTURE_DRAFT_WATERMARK",trim($draft),'chaine',0,'',$conf->entity);
@@ -252,7 +253,7 @@ if ($action == 'set_FACTURE_DRAFT_WATERMARK')
 if ($action == 'set_FACTURE_FREE_TEXT')
 {
- $free = GETPOST("FACTURE_FREE_TEXT");
+ $free = GETPOST('FACTURE_FREE_TEXT','alpha');
 $res = dolibarr_set_const($db, "FACTURE_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
@@ -270,7 +271,7 @@ if ($action == 'set_FACTURE_FREE_TEXT')
 if ($action == 'setforcedate')
 {
- $forcedate = GETPOST("forcedate");
+ $forcedate = GETPOST('forcedate','alpha');
 $res = dolibarr_set_const($db, "FAC_FORCE_DATE_VALIDATION",$forcedate,'chaine',0,'',$conf->entity);
diff --git a/htdocs/admin/prelevement.php b/htdocs/admin/prelevement.php
index d128244c369..a5c02129e37 100644
--- a/htdocs/admin/prelevement.php
+++ b/htdocs/admin/prelevement.php
@@ -35,7 +35,7 @@ $langs->load("withdrawals");
 // Security check
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 /*
diff --git a/htdocs/admin/taxes.php b/htdocs/admin/taxes.php
index 9a110b89f24..f161fbd3927 100644
--- a/htdocs/admin/taxes.php
+++ b/htdocs/admin/taxes.php
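Review bot: `FACTURE_FREE_TEXT` is free-form text printed on invoices, and the `set_FACTURE_FREE_TEXT` hunk now pushes it through the same `'alpha'` check used for action names and identifiers; if that check rejects or strips characters such as quotes, slashes or newlines (its implementation is not visible in this diff), the setting will be saved truncated or empty without any error, because only `$res` from `dolibarr_set_const()` is tested. The appropriate control for free text is escaping at the point of output (HTML on the setup page, the PDF renderer), not lossy filtering at input; if `GETPOST()` offers a text-oriented check use that here, otherwise keep the raw value and escape where it is printed. The same caveat applies to `FACTURE_DRAFT_WATERMARK` in this file and to the `*_FREE_TEXT` settings in bank.php and fournisseur.php later in the series.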
@@ -2,7 +2,7 @@
 /* Copyright (C) 2004 Rodolphe Quiedeville
 * Copyright (C) 2004-2008 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -31,7 +31,7 @@ $langs->load('admin');
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 /*
 * Actions
@@ -53,7 +53,7 @@ $tax_mode = empty($conf->global->TAX_MODE)?0:$conf->global->TAX_MODE;
 if ($action == 'settaxmode')
 {
- $tax_mode = GETPOST("tax_mode");
+ $tax_mode = GETPOST('tax_mode','alpha');
 $db->begin();
diff --git a/htdocs/compta/bank/admin/bank.php b/htdocs/compta/bank/admin/bank.php
index e9c205f2776..ffe87be45ce 100644
--- a/htdocs/compta/bank/admin/bank.php
+++ b/htdocs/compta/bank/admin/bank.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2010-2011 Juanjo Menent
+ * Copyright (C) 2010-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -36,7 +36,7 @@ $langs->load("banks");
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 /*
@@ -45,7 +45,7 @@ $action = GETPOST("action");
 if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT')
 {
- $free = GETPOST("BANK_CHEQUERECEIPT_FREE_TEXT");
+ $free = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT','alpha');
 $res = dolibarr_set_const($db, "BANK_CHEQUERECEIPT_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
@@ -63,7 +63,7 @@ if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT')
 //Order display of bank account
 if ($action == 'setbankorder')
 {
- if (dolibarr_set_const($db, "BANK_SHOW_ORDER_OPTION",$_GET["value"],'chaine',0,'',$conf->entity) > 0)
+ if (dolibarr_set_const($db, "BANK_SHOW_ORDER_OPTION",GETPOST('value','alpha'),'chaine',0,'',$conf->entity) > 0)
 {
 Header("Location: ".$_SERVER["PHP_SELF"]);
 exit;
From a0cae7709c358afa998d4bee8804d93f77597db4 Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 29 Mar 2012 09:54:48 +0100
Subject: [PATCH 2/7] Fix: Sanitize data
---
 htdocs/adherents/admin/adherent.php | 10 ++++----
 htdocs/admin/fournisseur.php | 37 +++++++++++++++++------------
 htdocs/cashdesk/admin/cashdesk.php | 22 ++++++++---------
 htdocs/product/admin/product.php | 20 ++++++++--------
 4 files changed, 48 insertions(+), 41 deletions(-)
diff --git a/htdocs/adherents/admin/adherent.php b/htdocs/adherents/admin/adherent.php
index fc99e2fe659..ab568991486 100644
--- a/htdocs/adherents/admin/adherent.php
+++ b/htdocs/adherents/admin/adherent.php
@@ -4,8 +4,8 @@
 * Copyright (C) 2004-2012 Laurent Destailleur
 * Copyright (C) 2004 Sebastien Di Cintio
 * Copyright (C) 2004 Benoit Mortier
- * Copyright (C) 2005-2011 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2005-2012 Regis Houssin
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -39,7 +39,7 @@ if (! $user->admin) accessforbidden();
 $type=array('yesno','texte','chaine');
-$action = GETPOST("action");
+$action = POST('action','alpha');
 /*
@@ -78,7 +78,7 @@ if ($action == 'update' || $action == 'add')
 // Action activation d'un sous module du module adherent
 if ($action == 'set')
 {
- $result=dolibarr_set_const($db, $_GET["name"],$_GET["value"],'',0,'',$conf->entity);
+ $result=dolibarr_set_const($db, GETPOST('name','alpha'),GETPOST('value','alpha'),'',0,'',$conf->entity);
 if ($result < 0)
 {
 print $db->error();
@@ -88,7 +88,7 @@ if ($action == 'set')
 // Action desactivation d'un sous module du module adherent
 if ($action == 'unset')
 {
- $result=dolibarr_del_const($db,$_GET["name"],$conf->entity);
+ $result=dolibarr_del_const($db,GETPOST('name','alpha'),$conf->entity);
 if ($result < 0)
 {
 print $db->error();
diff --git a/htdocs/admin/fournisseur.php b/htdocs/admin/fournisseur.php
index 7ab06bcbc6c..b433731f1f6 100644
--- a/htdocs/admin/fournisseur.php
+++ b/htdocs/admin/fournisseur.php
@@ -4,7 +4,7 @@
 * Copyright (C) 2005-2011 Regis Houssin
 * Copyright (C) 2004 Sebastien Di Cintio
 * Copyright (C) 2004 Benoit Mortier
- * Copyright (C) 2010-2011 Juanjo Menent
+ * Copyright (C) 2010-2012 Juanjo Menent
 * Copyright (C) 2011 Philippe Grand
 *
 * This program is free software; you can redistribute it and/or modify
@@ -38,9 +38,9 @@ $langs->load("admin");
 if (!$user->admin) accessforbidden();
-$type=GETPOST('type');
-$value=GETPOST('value');
-$action=GETPOST('action');
+$type=GETPOST('type', 'alpha');
+$value=GETPOST('value', 'alpha');
+$action=GETPOST('action', 'alpha');
 $specimenthirdparty=new Societe($db);
 $specimenthirdparty->initAsSpecimen();
@@ -52,8 +52,9 @@ $specimenthirdparty->initAsSpecimen();
 if ($action == 'updateMask')
 {
- $maskconstorder=$_POST['maskconstorder'];
- $maskorder=$_POST['maskorder'];
+ $maskconstorder=GETPOST('maskconstorder','alpha');
+ $maskorder=GETPOST('maskorder','alpha');
+
 if ($maskconstorder) $res = dolibarr_set_const($db,$maskconstorder,$maskorder,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
@@ -70,7 +71,7 @@ if ($action == 'updateMask')
 if ($action == 'specimen') // For orders
 {
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
 $commande = new CommandeFournisseur($db);
 $commande->initAsSpecimen();
@@ -116,7 +117,7 @@ if ($action == 'specimen') // For orders
 if ($action == 'specimenfacture') // For invoices
 {
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
 $facture = new FactureFournisseur($db);
 $facture->initAsSpecimen();
@@ -162,10 +163,13 @@ if ($action == 'specimenfacture') // For invoices
 if ($action == 'set')
 {
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
 $sql.= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
 $sql.= ")";
 $res=$db->query($sql);
 if ($res)
@@ -191,14 +195,17 @@ if ($action == 'del')
 if ($action == 'setdoc')
 {
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
 $db->begin();
- if ($_GET["type"] == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+ if ($type == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
 {
 $conf->global->COMMANDE_SUPPLIER_ADDON_PDF = $value;
 }
- if ($_GET["type"] == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+ if ($type == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
 {
 $conf->global->INVOICE_SUPPLIER_ADDON_PDF = $value;
 }
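Review bot: In the `set` INSERT, `$type` is interpolated into the SQL unescaped (`'".$type."'`) even though in this file it comes from the request (`$type=GETPOST('type', 'alpha')` in the earlier hunk), while `$value`, `$label` and `$scandir` on the neighbouring lines all go through `$db->escape()`; unlike dons.php, where `$type` is the literal `'donation'`, here it is attacker-influenced input. The `setdoc` hunk below only ever acts on `order_supplier` and `invoice_supplier`, so the cleanest fix is to whitelist once before any SQL is built, `if (! in_array($type, array('order_supplier','invoice_supplier'), true)) $type='';` and skip the action when it is empty, or at minimum write `'".$db->escape($type)."'` in both this INSERT and the one in the `setdoc` hunk. Whether the `'alpha'` check strips single quotes is not visible in this diff, so it should not be relied on as the only defence. The `set` branch continues past the hunk.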
@@ -212,8 +219,8 @@ if ($action == 'setdoc')
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
 $sql.= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
 $sql.= ")";
 $result2=$db->query($sql);
 if ($result1 && $result2)
@@ -242,7 +249,7 @@ if ($action == 'addcat')
 if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT')
 {
- $free = GETPOST("SUPPLIER_INVOICE_FREE_TEXT");
+ $free = GETPOST('SUPPLIER_INVOICE_FREE_TEXT','alpha');
 $res = dolibarr_set_const($db, "SUPPLIER_INVOICE_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
diff --git a/htdocs/cashdesk/admin/cashdesk.php b/htdocs/cashdesk/admin/cashdesk.php
index 8b3bb8a9fcf..e92dd6e0f4d 100644
--- a/htdocs/cashdesk/admin/cashdesk.php
+++ b/htdocs/cashdesk/admin/cashdesk.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -29,9 +29,9 @@ require_once(DOL_DOCUMENT_ROOT."/product/class/html.formproduct.class.php");
 // If socid provided by ajax company selector
 if (! empty($_REQUEST['CASHDESK_ID_THIRDPARTY_id']))
 {
- $_GET['CASHDESK_ID_THIRDPARTY'] = $_GET['CASHDESK_ID_THIRDPARTY_id'];
- $_POST['CASHDESK_ID_THIRDPARTY'] = $_POST['CASHDESK_ID_THIRDPARTY_id'];
- $_REQUEST['CASHDESK_ID_THIRDPARTY'] = $_REQUEST['CASHDESK_ID_THIRDPARTY_id'];
+ $_GET['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+ $_POST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+ $_REQUEST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
 }
 // Security check
@@ -45,7 +45,7 @@ $langs->load("cashdesk");
 /*
 * Actions
 */
-if (GETPOST("action") == 'set')
+if (GETPOST('action','alpha') == 'set')
 {
 $db->begin();
@@ -54,13 +54,13 @@ if (GETPOST("action") == 'set')
 if (GETPOST("CASHDESK_ID_WAREHOUSE") < 0) $_POST["CASHDESK_ID_WAREHOUSE"]='';*/
 $res = dolibarr_set_const($db,"CASHDESK_ID_THIRDPARTY",GETPOST('socid','int'),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST("CASHDESK_ID_BANKACCOUNT_CASH"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST("CASHDESK_ID_BANKACCOUNT_CHEQUE"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST("CASHDESK_ID_BANKACCOUNT_CB"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST("CASHDESK_ID_WAREHOUSE"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST("CASHDESK_SERVICES"),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST('CASHDESK_ID_BANKACCOUNT_CASH','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST('CASHDESK_ID_BANKACCOUNT_CHEQUE','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST('CASHDESK_ID_BANKACCOUNT_CB','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST('CASHDESK_ID_WAREHOUSE','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST('CASHDESK_SERVICES','alpha'),'chaine',0,'',$conf->entity);
- dol_syslog("admin/cashdesk: level ".GETPOST("level"));
+ dol_syslog("admin/cashdesk: level ".GETPOST('level','alpha'));
 if (! $res > 0) $error++;
diff --git a/htdocs/product/admin/product.php b/htdocs/product/admin/product.php
index 1de35cbee03..3df46970edc 100644
--- a/htdocs/product/admin/product.php
+++ b/htdocs/product/admin/product.php
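Review bot: The four `CASHDESK_ID_*` settings on these lines are record ids — the hunk's own first line already reads the third party with `GETPOST('socid','int')` — so `'alpha'` is the wrong check for them; `'int'` rejects non-numeric input instead of persisting it as configuration, e.g. `GETPOST('CASHDESK_ID_BANKACCOUNT_CASH','int')`, and the same applies to the `CASHDESK_ID_THIRDPARTY_id` copy in the earlier hunk of this file. Only the final `$res` is examined by `if (! $res > 0) $error++;`, so a failure in any of the preceding `dolibarr_set_const()` calls is silently lost; that is pre-existing, but it means a value the filter empties (if that is what it does — the check's behaviour is not visible here) would be written without any feedback. The enclosing `set` action starts before and continues after the hunk.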
@@ -4,7 +4,7 @@
 * Copyright (C) 2006-2007 Rodolphe Quiedeville
 * Copyright (C) 2007 Auguria SARL
 * Copyright (C) 2005-2012 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 * Copyright (C) 2012 Christophe Battarel **
 * This program is free software; you can redistribute it and/or modify
@@ -38,8 +38,8 @@ $langs->load("products");
 // Security check
 if (! $user->admin) accessforbidden();
-$action = GETPOST("action");
-$value = GETPOST("value");
+$action = GETPOST('action','alpha');
+$value = GETPOST('value','alpha');
 /*
@@ -56,35 +56,35 @@ else if ($action == 'multiprix_num')
 }
 if ($action == 'multiprix')
 {
- $multiprix = GETPOST("activate_multiprix");
+ $multiprix = GETPOST('activate_multiprix','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_MULTIPRICES", $multiprix,'chaine',0,'',$conf->entity);
 $res =dolibarr_set_const($db, "PRODUIT_MULTIPRICES_LIMIT", "5",'chaine',0,'',$conf->entity);
 }
 else if ($action == 'sousproduits')
 {
- $sousproduits = GETPOST("activate_sousproduits");
+ $sousproduits = GETPOST('activate_sousproduits','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_SOUSPRODUITS", $sousproduits,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'viewProdDescInForm')
 {
- $view = GETPOST("activate_viewProdDescInForm");
+ $view = GETPOST('activate_viewProdDescInForm','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_DESC_IN_FORM", $view,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'viewProdTextsInThirdpartyLanguage')
 {
- $view = GETPOST("activate_viewProdTextsInThirdpartyLanguage");
+ $view = GETPOST('activate_viewProdTextsInThirdpartyLanguage','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_TEXTS_IN_THIRDPARTY_LANGUAGE", $view,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'usesearchtoselectproduct')
 {
- $usesearch = GETPOST("activate_usesearchtoselectproduct");
+ $usesearch = GETPOST('activate_usesearchtoselectproduct','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_USE_SEARCH_TO_SELECT", $usesearch,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'set')
 {
- $const = "PRODUCT_SPECIAL_".strtoupper($_GET["spe"]);
- if ($_GET["value"]) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
+ $const = "PRODUCT_SPECIAL_".strtoupper(GETPOST('spe','alpha'));
+ if (GETPOST('value','alpha')) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
 else $res = dolibarr_del_const($db, $const,$conf->entity);
 }
 /*else if ($action == 'useecotaxe')
From 97cbaf0c06e4a0e33dcf9afe547c5adca9f6cd9d Mon Sep 17 00:00:00 2001
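Review bot: In the `set` branch the condition re-reads `GETPOST('value','alpha')` although `$value` was already assigned from the identical call at the top of the file (the earlier hunk) and is what actually gets stored on the same line; `if ($value) $res = dolibarr_set_const(...)` is the consistent form and removes a reader's doubt about whether the tested and stored values can differ. `strtoupper(GETPOST('spe','alpha'))` lets the request choose any `PRODUCT_SPECIAL_*` constant name to create or delete; if the set of special flags is known to this file, validate `spe` against it before calling `dolibarr_set_const()` / `dolibarr_del_const()`, because the `'alpha'` check (not visible here) is a character filter, not a whitelist.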
From: Regis Houssin
Date: Thu, 29 Mar 2012 11:58:35 +0300
Subject: [PATCH 3/7] Update htdocs/adherents/admin/adherent.php
---
 htdocs/adherents/admin/adherent.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/adherents/admin/adherent.php b/htdocs/adherents/admin/adherent.php
index ab568991486..c636200bdf4 100644
--- a/htdocs/adherents/admin/adherent.php
+++ b/htdocs/adherents/admin/adherent.php
@@ -39,7 +39,7 @@ if (! $user->admin) accessforbidden();
 $type=array('yesno','texte','chaine');
-$action = POST('action','alpha');
+$action = GETPOST('action','alpha');
 /*
From ae37a5bf865be439429bdbbd68744d7e15d9a9eb Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 29 Mar 2012 10:19:52 +0100
Subject: [PATCH 4/7] Trad: Fix missing translation for products attributs
---
 htdocs/langs/ca_ES/admin.lang | 1 +
 htdocs/langs/ca_ES/members.lang | 1 -
 htdocs/langs/en_US/admin.lang | 1 +
 htdocs/langs/en_US/members.lang | 1 -
 htdocs/langs/es_ES/admin.lang | 3 ++-
 htdocs/langs/es_ES/members.lang | 1 -
 htdocs/langs/fr_FR/admin.lang | 1 +
 htdocs/langs/fr_FR/members.lang | 1 -
 8 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/htdocs/langs/ca_ES/admin.lang b/htdocs/langs/ca_ES/admin.lang
index 418ba8a88be..d35b3009023 100644
--- a/htdocs/langs/ca_ES/admin.lang
+++ b/htdocs/langs/ca_ES/admin.lang
@@ -868,6 +868,7 @@ MAIN_PROXY_PASS=Contrasenya del servidor proxy
 DefineHereComplementaryAttributes=Definiu aquí la llista d'atributs addicionals, no disponibles a estàndard, i que vol gestionar per %s.
 ExtraFields=Atributs addicionals
 ExtraFieldHasWrongValue=L'atribut %s te un valor incorrecte.
+AlphaNumOnlyCharsAndNoSpace=només carateres alfanumèrics sense espais
 SendingMailSetup=Configuració de l'enviament per mail
 SendmailOptionNotComplete=Atenció, en alguns sistemes Linux, amb aquest mètode d'enviament, per poder enviar mails en nom seu, la configuració de sendmail ha de contenir l'opció -ba (paràmetre mail.force_extra_parameters a l'arxiu php.ini). Si alguns dels seus destinataris no reben els seus missatges, proveu de modificar aquest paràmetre PHP amb mail.force_extra_parameters =-ba .
 PathToDocuments=Rutes d'accés a documents
diff --git a/htdocs/langs/ca_ES/members.lang b/htdocs/langs/ca_ES/members.lang
index fd9eebd43ba..0b42727353a 100644
--- a/htdocs/langs/ca_ES/members.lang
+++ b/htdocs/langs/ca_ES/members.lang
@@ -123,7 +123,6 @@ LastMembersModified=Els %s darrers membres modificats
 LastSubscriptionsModified=Les %s últimes afiliacions modificades
 AttributeName=Nom de l'atribut
 FieldEdition=Edició del camp %s
-AlphaNumOnlyCharsAndNoSpace=només carateres alfanumèrics sense espais
 String=Cadena
 Text=Text llarg
 Int=Numèric
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index fbf8a8833cb..318ab276c29 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -861,6 +861,7 @@ MAIN_PROXY_PASS=Password to use the proxy server
 DefineHereComplementaryAttributes=Define here all atributes, not already available by default, and that you want to be supported for %s.
 ExtraFields=Complementary attributes
 ExtraFieldHasWrongValue=Attribut %s has a wrong value.
+AlphaNumOnlyCharsAndNoSpace=only alphanumericals characters without space
 SendingMailSetup=Setup of sendings by email
 SendmailOptionNotComplete=Warning, on some Linux systems, to send email from your email, sendmail execution setup must conatins option -ba (parameter mail.force_extra_parameters into your php.ini file). If some recipients never receive emails, try to edit this PHP parameter with mail.force_extra_parameters = -ba).
 PathToDocuments=Path to documents
diff --git a/htdocs/langs/en_US/members.lang b/htdocs/langs/en_US/members.lang
index 4ecd3a3ccba..cfaba733759 100644
--- a/htdocs/langs/en_US/members.lang
+++ b/htdocs/langs/en_US/members.lang
@@ -120,7 +120,6 @@ LastMembersModified=Last %s modified members
 LastSubscriptionsModified=Last %s modified subscriptions
 AttributeName=Attribute name
 FieldEdition=Edition of field %s
-AlphaNumOnlyCharsAndNoSpace=only alphanumericals characters without space
 String=String
 Text=Text
 Int=Int
diff --git a/htdocs/langs/es_ES/admin.lang b/htdocs/langs/es_ES/admin.lang
index a23694d2501..ecbc12e4e88 100644
--- a/htdocs/langs/es_ES/admin.lang
+++ b/htdocs/langs/es_ES/admin.lang
@@ -868,7 +868,8 @@ MAIN_PROXY_PASS=Contraseña del servidor proxy
 DefineHereComplementaryAttributes=Defina aquí la lista de atributos adicionales, no disponibles en estándar, y que desea gestionar para %s.
 ExtraFields=Atributos adicionales
 ExtraFieldHasWrongValue=El atributo %s tiene un valor incorrecto.
-SendingMailSetup=Configuració de l'enviament per mail
+AlphaNumOnlyCharsAndNoSpace=solamente caracteres alfanuméricos sin espacios
+SendingMailSetup=Configuración del envío por mail
 SendmailOptionNotComplete=Atención, en algunos sistemas Linux, con este método de envio, para poder enviar mails en su nombre, la configuración de sendmail debe contener la opción -ba (parámetro mail.force_extra_parameters en el archivo php.ini). Si algunos de sus destinatarios no reciben sus mensajes, pruebe a modificar este parámetro PHP con mail.force_extra_parameters=-ba.
 PathToDocuments=Rutas de acceso a documentos
 PathDirectory=Directorio
diff --git a/htdocs/langs/es_ES/members.lang b/htdocs/langs/es_ES/members.lang
index 308acf69e5a..fac0c82d0c5 100644
--- a/htdocs/langs/es_ES/members.lang
+++ b/htdocs/langs/es_ES/members.lang
@@ -123,7 +123,6 @@ LastMembersModified=Los %s últimos miembros modificados
 LastSubscriptionsModified=Lass %s últimas afiliaciones modificadas
 AttributeName=Nombre del atributo
 FieldEdition=Edición del campo %s
-AlphaNumOnlyCharsAndNoSpace=solamente caracteres alfanuméricos sin espacios
 String=Cadena
 Text=Texto largo
 Int=Numérico
diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang
index b5053e3aef7..b33b2983fc5 100644
--- a/htdocs/langs/fr_FR/admin.lang
+++ b/htdocs/langs/fr_FR/admin.lang
@@ -869,6 +869,7 @@ MAIN_PROXY_PASS=Mot de passe pour passer le serveur proxy mandataire
 DefineHereComplementaryAttributes=Definissez ici la liste des attributs supplémentaire, non disponible en standard, et que vous voulez voir gérez sur les %s.
 ExtraFields=Attributs suplémentaires
 ExtraFieldHasWrongValue=L'attribut %s a une valeur incorrecte.
+AlphaNumOnlyCharsAndNoSpace=uniquement caractères alphanumériques sans espace
 SendingMailSetup=Configuration de l'envoi par mail
 SendmailOptionNotComplete=Attention, sur certains systèmes Linux, avec cette méthode d'envoi, pour pouvoir envoyer des mails en votre nom, la configuration d'exécution de sendmail doit contenir l'option -ba (paramètre mail.force_extra_parameters dans le fichier php.ini). Si certains de vos destinataires ne reçoivent pas de message, essayer de modifer ce paramètre PHP avec mail.force_extra_parameters = -ba.
 PathToDocuments= Chemin d'accès aux documents
diff --git a/htdocs/langs/fr_FR/members.lang b/htdocs/langs/fr_FR/members.lang
index b28d2c009a4..f02948d4983 100644
--- a/htdocs/langs/fr_FR/members.lang
+++ b/htdocs/langs/fr_FR/members.lang
@@ -124,7 +124,6 @@ LastMembersModified=Les %s derniers adhérents modifiés
 LastSubscriptionsModified=Les %s dernières adhésions modifiées
 AttributeName=Nom de l'attribut
 FieldEdition=Édition du champ %s
-AlphaNumOnlyCharsAndNoSpace=uniquement caractères alphanumériques sans espace
 String=Chaîne
 Text=Texte long
 Int=Numérique
From f14d29492548afa0210c61ea59c3653e4c3c69e6 Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 29 Mar 2012 11:41:11 +0100
Subject: [PATCH 5/7] Fix: Sanitize data
---
 htdocs/admin/agenda.php | 11 ++++++-----
 htdocs/admin/agenda_extsites.php | 18 +++++++++---------
 htdocs/admin/agenda_xcal.php | 17 +++++++++--------
 htdocs/admin/project.php | 27 ++++++++++++++------------
 htdocs/admin/stock.php | 17 +++++++++--------
 5 files changed, 47 insertions(+), 43 deletions(-)
diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php
index 0274080510c..969cd1fb2ce 100644
--- a/htdocs/admin/agenda.php
+++ b/htdocs/admin/agenda.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2011 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -33,7 +33,8 @@ if (!$user->admin)
 $langs->load("admin");
 $langs->load("other");
-$action=$_POST["action"];
+$action = GETPOST('action','alpha');
+$cancel = GETPOST('cancel','alpha');
 // Get list of triggers available
 $sql = "SELECT a.rowid, a.code, a.label, a.elementtype";
@@ -66,7 +67,7 @@ else
 /*
 * Actions
 */
-if ($action == "save" && empty($_POST["cancel"]))
+if ($action == "save" && empty($cancel))
 {
 $i=0;
@@ -76,7 +77,7 @@ if ($action == "save" && empty($_POST["cancel"]))
 {
 $param='MAIN_AGENDA_ACTIONAUTO_'.$trigger['code'];
 //print "param=".$param." - ".$_POST[$param];
- if (! empty($_POST[$param])) $res = dolibarr_set_const($db,$param,$_POST[$param],'chaine',0,'',$conf->entity);
+ if (GETPOST($param,'alpha')) $res = dolibarr_set_const($db,$param,GETPOST($param,'alpha'),'chaine',0,'',$conf->entity);
 else $res = dolibarr_del_const($db,$param,$conf->entity);
 if (! $res > 0) $error++;
 }
@@ -141,7 +142,7 @@ if (! empty($triggers))
 print '';
 $key='MAIN_AGENDA_ACTIONAUTO_'.$trigger['code'];
 $value=$conf->global->$key;
- print '';
+ print '';
 print ''."\n";
 }
 }
diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php
index 3b34474cd1f..b9309c2abb3 100644
--- a/htdocs/admin/agenda_extsites.php
+++ b/htdocs/admin/agenda_extsites.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
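Review bot: Replacing `$action=$_POST["action"]` with `GETPOST('action','alpha')` in the `@@ -33` hunk changes which requests can reach the `save` branch of this file: if `GETPOST()` also consults `$_GET` (its name suggests so, but the implementation is not in this diff), a crafted link is now enough to rewrite every `MAIN_AGENDA_ACTIONAUTO_*` setting for a logged-in admin, where previously the form had to be POSTed. No anti-CSRF token is checked in any hunk shown, so unless the framework validates one elsewhere, keep this state-changing action POST-only — via a POST-only mode of `GETPOST()` if it has one, or by guarding the branch with `$_SERVER['REQUEST_METHOD'] == 'POST'`. In the `@@ -76` hunk `GETPOST($param,'alpha')` is evaluated twice on one line; reading it once into a local (`$trigval = GETPOST($param,'alpha');`) is clearer and avoids filtering the same input twice.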
@@ -37,8 +37,8 @@ $langs->load("admin"); $langs->load("other"); $def = array(); -$actiontest=GETPOST("test"); -$actionsave=GETPOST("save"); +$actiontest=GETPOST('test','alpha'); +$actionsave=GETPOST('save','alpha'); if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5; $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB; @@ -53,7 +53,7 @@ if ($actionsave) { $db->begin(); - $disableext=GETPOST("AGENDA_DISABLE_EXT"); + $disableext=GETPOST('AGENDA_DISABLE_EXT','alpha'); if ($disableext) $disableext=0; else $disableext=1; $res=dolibarr_set_const($db,'AGENDA_DISABLE_EXT',$disableext,'chaine',0); @@ -63,20 +63,20 @@ if ($actionsave) // Save agendas while ($i <= $MAXAGENDA) { - $color=trim(GETPOST("agenda_ext_color".$i)); + $color=trim(GETPOST('agenda_ext_color'.$i,'alpha')); if ($color=='-1') $color=''; //print 'color='.$color; - $res=dolibarr_set_const($db,'AGENDA_EXT_NAME'.$i,trim(GETPOST("agenda_ext_name".$i)),'chaine',0); + $res=dolibarr_set_const($db,'AGENDA_EXT_NAME'.$i,trim(GETPOST('agenda_ext_name'.$i),'alpha'),'chaine',0); if (! $res > 0) $error++; - $res=dolibarr_set_const($db,'AGENDA_EXT_SRC'.$i,trim(GETPOST("agenda_ext_src".$i)),'chaine',0); + $res=dolibarr_set_const($db,'AGENDA_EXT_SRC'.$i,trim(GETPOST('agenda_ext_src'.$i,'alpha')),'chaine',0); if (! $res > 0) $error++; $res=dolibarr_set_const($db,'AGENDA_EXT_COLOR'.$i,$color,'chaine',0); if (! $res > 0) $error++; $i++; } // Save nb of agenda - $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST("AGENDA_EXT_NB")),'chaine',0); + $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0); if (! $res > 0) $error++; if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5; $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB; @@ -119,7 +119,7 @@ dol_fiche_head($head, 'extsites', $langs->trans("Agenda")); print '
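Review bot: The 'alpha' check for agenda_ext_name in the `@@ -63` hunk is passed to trim() instead of GETPOST(): `trim(GETPOST('agenda_ext_name'.$i),'alpha')` leaves the name unchecked and makes trim() strip the characters a, l, p and h from both ends of the value. It should read `trim(GETPOST('agenda_ext_name'.$i,'alpha'))`, as the agenda_ext_src line just below does. AGENDA_EXT_NB is a count that becomes the loop bound on the next line, so 'int' is the tighter check there: `trim(GETPOST('AGENDA_EXT_NB','int'))`. The surrounding `if ($actionsave)` block starts outside the hunk.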
'; -$selectedvalue=(GETPOST("AGENDA_DISABLE_AGENDA"))?GETPOST("AGENDA_DISABLE_EXT"):$conf->global->AGENDA_DISABLE_EXT; +$selectedvalue=(GETPOST('AGENDA_DISABLE_AGENDA','alpha'))?GETPOST('AGENDA_DISABLE_EXT','alpha'):$conf->global->AGENDA_DISABLE_EXT; if ($selectedvalue==1) $selectedvalue=0; else $selectedvalue=1; print $langs->trans("ExtSitesEnableThisTool").' '.$form->selectyesno("AGENDA_DISABLE_EXT",$selectedvalue,1).'

'; diff --git a/htdocs/admin/agenda_xcal.php b/htdocs/admin/agenda_xcal.php index 3d370927fe9..53071557620 100644 --- a/htdocs/admin/agenda_xcal.php +++ b/htdocs/admin/agenda_xcal.php @@ -1,5 +1,6 @@ +/* Copyright (C) 2008-2010 Laurent Destailleur + * Copyright (C) 2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,7 +35,7 @@ $langs->load("other"); $langs->load("agenda"); $def = array(); -$actionsave=$_POST["save"]; +$actionsave=GETPOST('save','alpha'); // Sauvegardes parametres if ($actionsave) @@ -43,9 +44,9 @@ if ($actionsave) $db->begin(); - $i+=dolibarr_set_const($db,'MAIN_AGENDA_XCAL_EXPORTKEY',trim($_POST["MAIN_AGENDA_XCAL_EXPORTKEY"]),'chaine',0,'',$conf->entity); - $i+=dolibarr_set_const($db,'MAIN_AGENDA_EXPORT_PAST_DELAY',trim($_POST["MAIN_AGENDA_EXPORT_PAST_DELAY"]),'chaine',0,'',$conf->entity); - $i+=dolibarr_set_const($db,'MAIN_AGENDA_EXPORT_CACHE',trim($_POST["MAIN_AGENDA_EXPORT_CACHE"]),'chaine',0,'',$conf->entity); + $i+=dolibarr_set_const($db,'MAIN_AGENDA_XCAL_EXPORTKEY',trim(GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha')),'chaine',0,'',$conf->entity); + $i+=dolibarr_set_const($db,'MAIN_AGENDA_EXPORT_PAST_DELAY',trim(GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha')),'chaine',0,'',$conf->entity); + $i+=dolibarr_set_const($db,'MAIN_AGENDA_EXPORT_CACHE',trim(GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha')),'chaine',0,'',$conf->entity); if ($i >= 3) { 
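Review bot: The condition and the value in `$selectedvalue=(GETPOST('AGENDA_DISABLE_AGENDA','alpha'))?GETPOST('AGENDA_DISABLE_EXT','alpha'):$conf->global->AGENDA_DISABLE_EXT;` read two different parameter names; the form field is AGENDA_DISABLE_EXT (see the selectyesno() call two lines below), so a posted value is never picked up and the stored value is always what is shown. The commit only changes how the parameter is accessed, so this predates it, but it is worth fixing while the line is touched: `GETPOST('AGENDA_DISABLE_EXT','alpha')` in the condition as well.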
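Review bot: MAIN_AGENDA_EXPORT_PAST_DELAY and MAIN_AGENDA_EXPORT_CACHE in the agenda_xcal.php `@@ -43` hunk are numeric settings (the view hunk below labels them as a number of days and a cache delay), so 'int' is the check that matches their use: `GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','int')` and `GETPOST('MAIN_AGENDA_EXPORT_CACHE','int')`. MAIN_AGENDA_XCAL_EXPORTKEY is a free-form key, so 'alpha' is appropriate there. The `if ($i >= 3)` block that checks the three results continues outside the hunk.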
@@ -94,19 +95,19 @@ print ""; print ""; print ''.$langs->trans("PasswordTogetVCalExport").""; -print "global->MAIN_AGENDA_XCAL_EXPORTKEY) . "\" size=\"40\">"; +print "global->MAIN_AGENDA_XCAL_EXPORTKEY) . "\" size=\"40\">"; print " "; print ""; print ""; print "".$langs->trans("PastDelayVCalExport").""; -print "global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days").""; +print "global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days").""; print " "; print ""; print ""; print "".$langs->trans("UseACacheDelay").""; -print "global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\">"; +print "global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\">"; print " "; print ""; diff --git a/htdocs/admin/project.php b/htdocs/admin/project.php index fae20ebd30a..1a7bc3b37f7 100644 --- a/htdocs/admin/project.php +++ b/htdocs/admin/project.php @@ -1,7 +1,7 @@ - * Copyright (C) 2011 Laurent Destailleur - * Copyright (C) 2011 Juanjo Menent +/* Copyright (C) 2010 Regis Houssin + * Copyright (C) 2011 Laurent Destailleur + * Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -35,8 +35,8 @@ $langs->load("projects"); if (!$user->admin) accessforbidden(); -$value=GETPOST('value'); -$action=GETPOST('action'); +$value=GETPOST('value','action'); +$action=GETPOST('action','action'); /* @@ -45,8 +45,9 @@ $action=GETPOST('action'); if ($action == 'updateMask') { - $maskconstproject=GETPOST("maskconstproject"); - $maskproject=GETPOST("maskproject"); + $maskconstproject=GETPOST('maskconstproject','alpha'); + $maskproject=GETPOST('maskproject','alpha'); + if ($maskconstproject) $res = dolibarr_set_const($db,$maskconstproject,$maskproject,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; 
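Review bot: In the project.php `@@ -35` hunk the check type is 'action', which is not one of the GETPOST check names used anywhere else in this series: `$value=GETPOST('value','action'); $action=GETPOST('action','action');`. Unless GETPOST treats an unknown check name as a filter, these two values are stored unchecked; `'alpha'` is what every other hunk uses and is presumably what was meant. In the `@@ -45` hunk the new guard `if ($maskconstproject) $res = dolibarr_set_const(...)` leaves `$res` undefined when no constant name was posted, and the unchanged `if (! $res > 0) $error++;` then reads an unset variable; initialise `$res = 0;` before the guard or move the error check inside it.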
@@ -63,7 +64,7 @@ if ($action == 'updateMask') if ($action == 'specimen') { - $modele=GETPOST("module"); + $modele=GETPOST('module','alpha'); $project = new Project($db); $project->initAsSpecimen(); @@ -98,8 +99,8 @@ if ($action == 'specimen') if ($action == 'set') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $type='project'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; @@ -125,8 +126,8 @@ if ($action == 'del') if ($action == 'setdoc') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $db->begin(); @@ -164,7 +165,7 @@ if ($action == 'setmod') // TODO Verifier si module numerotation choisi peut etre active // par appel methode canBeActivated - dolibarr_set_const($db, "PROJECT_ADDON",$_GET["value"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "PROJECT_ADDON",GETPOST('value','alpha'),'chaine',0,'',$conf->entity); } /* diff --git a/htdocs/admin/stock.php b/htdocs/admin/stock.php index 0047e488ffe..ceb137be24b 100644 --- a/htdocs/admin/stock.php +++ b/htdocs/admin/stock.php @@ -2,6 +2,7 @@ /* Copyright (C) 2006 Rodolphe Quiedeville * Copyright (C) 2008-2010 Laurent Destailleur * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,7 +32,7 @@ $langs->load("stocks"); // Securit check if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); +$action = GETPOST('action','alpha'); /* 
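Review bot: `$label` and `$scandir` in the project.php `@@ -98` hunk are request values that feed an INSERT whose VALUES clause lies outside the hunk; 'alpha' is an input check, not SQL escaping, so confirm the values go through `$db->escape()` where the statement is completed. The same pair is read again in the `@@ -125` hunk. The `@@ -164` hunk re-reads `GETPOST('value','alpha')` although `$value` is already read at the top of the file; a single read with a single check type avoids the two diverging.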
@@ -41,7 +42,7 @@ $action = GETPOST("action"); if ($action == 'STOCK_USERSTOCK_AUTOCREATE') { $db->begin(); - $res = dolibarr_set_const($db, "STOCK_USERSTOCK_AUTOCREATE", GETPOST("STOCK_USERSTOCK_AUTOCREATE"),'chaine',0,'',$conf->entity); + $res = dolibarr_set_const($db, "STOCK_USERSTOCK_AUTOCREATE", GETPOST('STOCK_USERSTOCK_AUTOCREATE','alpha'),'chaine',0,'',$conf->entity); } // Mode of stock decrease if ($action == 'STOCK_CALCULATE_ON_BILL' @@ -52,9 +53,9 @@ if ($action == 'STOCK_CALCULATE_ON_BILL' $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_BILL", '','chaine',0,'',$conf->entity); $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_VALIDATE_ORDER", '','chaine',0,'',$conf->entity); $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SHIPMENT", '','chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_BILL') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_BILL", GETPOST("STOCK_CALCULATE_ON_BILL"),'chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_VALIDATE_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_VALIDATE_ORDER", GETPOST("STOCK_CALCULATE_ON_VALIDATE_ORDER"),'chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_SHIPMENT') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SHIPMENT", GETPOST("STOCK_CALCULATE_ON_SHIPMENT"),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_BILL') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_BILL", GETPOST('STOCK_CALCULATE_ON_BILL','alpha'),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_VALIDATE_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_VALIDATE_ORDER", GETPOST('STOCK_CALCULATE_ON_VALIDATE_ORDER','alpha'),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_SHIPMENT') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SHIPMENT", GETPOST('STOCK_CALCULATE_ON_SHIPMENT','alpha'),'chaine',0,'',$conf->entity); } // Mode of stock increase if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_BILL' 
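Review bot: The stock constants set in the `@@ -41` and `@@ -52` hunks appear to be on/off flags (each branch resets the group to '' before setting one of them), so 'int' is the tighter check, e.g. `GETPOST('STOCK_USERSTOCK_AUTOCREATE','int')`; the same applies to the three values in the `@@ -65` hunk and to BOOKMARKS_SHOW_IN_MENU in bookmark.php. `$db->begin()` in the `@@ -41` hunk has no commit or rollback visible in the hunk; the matching call is presumably further down the file.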
@@ -65,9 +66,9 @@ if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_BILL' $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_BILL", '','chaine',0,'',$conf->entity); $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER", '','chaine',0,'',$conf->entity); $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER", '','chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_BILL') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_BILL", GETPOST("STOCK_CALCULATE_ON_SUPPLIER_BILL"),'chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER", GETPOST("STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER"),'chaine',0,'',$conf->entity); - if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER", GETPOST("STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER"),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_BILL') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_BILL", GETPOST('STOCK_CALCULATE_ON_SUPPLIER_BILL','alpha'),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER", GETPOST('STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER','alpha'),'chaine',0,'',$conf->entity); + if ($action == 'STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER') $res=dolibarr_set_const($db, "STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER", GETPOST('STOCK_CALCULATE_ON_SUPPLIER_DISPATCH_ORDER','alpha'),'chaine',0,'',$conf->entity); } if($action) From 78e2d85e666d88b7bb634da246f2126c0d5cc96c Mon Sep 17 00:00:00 2001 
From: simnandez Date: Thu, 29 Mar 2012 11:48:02 +0100 Subject: [PATCH 6/7] Trad: Fix missing translation --- htdocs/langs/ca_ES/agenda.lang | 6 ++++-- htdocs/langs/es_ES/agenda.lang | 6 +++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/htdocs/langs/ca_ES/agenda.lang b/htdocs/langs/ca_ES/agenda.lang index 53c89b3be21..33b6c984cfb 100644 --- a/htdocs/langs/ca_ES/agenda.lang +++ b/htdocs/langs/ca_ES/agenda.lang @@ -10,6 +10,8 @@ LocalAgenda=Calendari local AffectedTo=Assignada a DoneBy=Realitzat per Events=Esdeveniments +MyEvents=Els meus events +OtherEvents=Altres events ListOfActions=Llista d'esdeveniments EventOnFullDay=Esdeveniment per tot el dia Location=Localització @@ -63,12 +65,12 @@ AgendaUrlOptions4=logint=%s per a restringir insercions a accions que afe AgendaUrlOptions5=logind=%s per a restringir insercions a accions realitzades per l'usuari %s. AgendaShowBirthdayEvents=Mostra aniversari dels contactes AgendaHideBirthdayEvents=Amaga aniversari dels contacte -ExtSites=Calendaris externs # External Sites ical +ExportCal=Exportar calendari ExtSites=Calendaris externs ExtSitesEnableThisTool=Mostrar calendaris externs a l'agenda ExtSitesNbOfAgenda=Nombre de calendaris AgendaExtNb=Calendari nº %s ExtSiteUrlAgenda=Url d'accés a l'arxiu. ical -ExtSiteNoLabel=Sense descripció \ No newline at end of file +ExtSiteNoLabel=Sense descripció diff --git a/htdocs/langs/es_ES/agenda.lang b/htdocs/langs/es_ES/agenda.lang index f7ba39c6fdb..d23a658373d 100644 --- a/htdocs/langs/es_ES/agenda.lang +++ b/htdocs/langs/es_ES/agenda.lang @@ -10,6 +10,8 @@ LocalAgenda=Calendario local AffectedTo=Asignada a DoneBy=Realizado por Events=Eventos +MyEvents=Mis eventos +OtherEvents=Otros eventos ListOfActions=Listado de eventos EventOnFullDay=Evento para todo el día Location=Localización 
@@ -63,8 +65,10 @@ AgendaUrlOptions4=logint=%s para restringir inserciones a acciones que af AgendaUrlOptions5=logind=%s para restringir inserciones a acciones realizadas por el usuario %s. AgendaShowBirthdayEvents=Mostrar cumpleaños de los contactos AgendaHideBirthdayEvents=Ocultar cumpleaños de los contactos + +# External Sites ical +ExportCal=Exportar calendario ExtSites=Calendarios externos -# External Sites ical= ExtSitesEnableThisTool=Mostrar calendarios externos en la agenda ExtSitesNbOfAgenda=Número de calendarios AgendaExtNb=Calendario nº %s From f2e7afafd3f4616269de7b1262d7d865a47007bd Mon Sep 17 00:00:00 2001 From: simnandez Date: Thu, 29 Mar 2012 17:04:10 +0100 Subject: [PATCH 7/7] Fix: Sanitize data --- htdocs/admin/barcode.php | 13 +++++++------ htdocs/admin/fckeditor.php | 11 +++++++---- htdocs/admin/mailing.php | 12 ++++++------ htdocs/bookmarks/admin/bookmark.php | 9 ++++----- 4 files changed, 24 insertions(+), 21 deletions(-) diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php index 9ec0f0dd84f..f87df7b6ea9 100644 --- a/htdocs/admin/barcode.php +++ b/htdocs/admin/barcode.php @@ -2,6 +2,7 @@ /* Copyright (C) 2003-2004 Rodolphe Quiedeville * Copyright (C) 2004-2011 Laurent Destailleur * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2011 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,7 +32,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); +$action = GETPOST('action','alpha'); /* @@ -40,8 +41,8 @@ $action = GETPOST("action"); if ($action == 'setcoder') { - $coder = GETPOST("coder"); - $code_id = GETPOST("code_id"); + $coder = GETPOST('coder','alpha'); + $code_id = GETPOST('code_id','alpha'); $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; $sqlp.= " SET coder = '" . $coder."'"; $sqlp.= " WHERE rowid = ". $code_id; 
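Review bot: The barcode.php `@@ -40` hunk still builds the UPDATE from request values by string concatenation: `$sqlp.= " SET coder = '" . $coder."'"; $sqlp.= " WHERE rowid = ". $code_id;`. 'alpha' is an input check, not SQL escaping; `code_id` is a rowid, so read it with `GETPOST('code_id','int')`, and pass `$coder` through `$db->escape()` before it is embedded in the query. The rest of the setcoder branch continues past the hunk.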
@@ -52,17 +53,17 @@ if ($action == 'setcoder') } else if ($action == 'setgenbarcodelocation') { - $location = GETPOST("genbarcodelocation"); + $location = GETPOST('genbarcodelocation','alpha'); $res = dolibarr_set_const($db, "GENBARCODE_LOCATION",$location,'chaine',0,'',$conf->entity); } else if ($action == 'setdefaultbarcodetype') { - $coder_id = GETPOST("coder_id"); + $coder_id = GETPOST('coder_id','alpha'); $res = dolibarr_set_const($db, "PRODUIT_DEFAULT_BARCODE_TYPE", $coder_id,'chaine',0,'',$conf->entity); } else if ($action == 'GENBARCODE_BARCODETYPE_THIRDPARTY') { - $coder_id = GETPOST("coder_id"); + $coder_id = GETPOST('coder_id','alpha'); $res = dolibarr_set_const($db, "GENBARCODE_BARCODETYPE_THIRDPARTY", $coder_id,'chaine',0,'',$conf->entity); } /* diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php index 16ac49d543b..98c78196204 100644 --- a/htdocs/admin/fckeditor.php +++ b/htdocs/admin/fckeditor.php @@ -1,6 +1,7 @@ * Copyright (C) 2005-2011 Regis Houssin + * Copyright (C) 2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,6 +31,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/doleditor.class.php"); $langs->load("admin"); $langs->load("fckeditor"); +$action = GETPOST('action','alpha'); + if (!$user->admin) accessforbidden(); // Constante et traduction de la description du module @@ -62,7 +65,7 @@ $picto = array( foreach($modules as $const => $desc) { - if ($_GET["action"] == 'activate_'.strtolower($const)) + if ($action == 'activate_'.strtolower($const)) { dolibarr_set_const($db, "FCKEDITOR_ENABLE_".$const, "1",'chaine',0,'',$conf->entity); // Si fckeditor est active dans la description produit/service, on l'active dans les formulaires 
@@ -73,7 +76,7 @@ foreach($modules as $const => $desc) Header("Location: ".$_SERVER["PHP_SELF"]); exit; } - if ($_GET["action"] == 'disable_'.strtolower($const)) + if ($action == 'disable_'.strtolower($const)) { dolibarr_del_const($db, "FCKEDITOR_ENABLE_".$const,$conf->entity); Header("Location: ".$_SERVER["PHP_SELF"]); @@ -81,9 +84,9 @@ foreach($modules as $const => $desc) } } -if ($_POST["save"]) +if (GETPOST('save','alpha')) { - dolibarr_set_const($db, "FCKEDITOR_TEST", $_POST["formtestfield"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FCKEDITOR_TEST", GETPOST('formtestfield','alpha'),'chaine',0,'',$conf->entity); } diff --git a/htdocs/admin/mailing.php b/htdocs/admin/mailing.php index c86c5d1e02e..bad34ac83b2 100644 --- a/htdocs/admin/mailing.php +++ b/htdocs/admin/mailing.php @@ -1,7 +1,7 @@ - * Copyright (C) 2005-2011 Laurent Destailleur - * Copyright (C) 2011 Juanjo Menent +/* Copyright (C) 2004 Rodolphe Quiedeville + * Copyright (C) 2005-2011 Laurent Destailleur + * Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -32,7 +32,7 @@ $langs->load("mails"); if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); +$action = GETPOST('action','alpha'); /* * Actions @@ -42,8 +42,8 @@ if ($action == 'setvalue' && $user->admin) { $db->begin(); - $mailfrom = GETPOST("MAILING_EMAIL_FROM"); - $mailerror = GETPOST("MAILING_EMAIL_ERRORSTO"); + $mailfrom = GETPOST('MAILING_EMAIL_FROM','alpha'); + $mailerror = GETPOST('MAILING_EMAIL_ERRORSTO','alpha'); $res=dolibarr_set_const($db, "MAILING_EMAIL_FROM",$mailfrom,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; diff --git a/htdocs/bookmarks/admin/bookmark.php b/htdocs/bookmarks/admin/bookmark.php index acb7689d80b..5f056656ddc 100644 --- a/htdocs/bookmarks/admin/bookmark.php +++ b/htdocs/bookmarks/admin/bookmark.php 
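Review bot: FCKEDITOR_TEST in the fckeditor.php `@@ -81` hunk stores the content of the rich-text test field, so a check that alters or rejects quotes and markup changes what round-trips through the editor; confirm that 'alpha' is the intended check for an HTML-bearing field and keep escaping on the display side regardless of what is chosen here. A short comment on the line, `// rich-text content: check type must not strip the markup the editor produces`, would record the decision.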
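Review bot: MAILING_EMAIL_FROM and MAILING_EMAIL_ERRORSTO in the mailing.php `@@ -42` hunk end up in outgoing mail headers, and 'alpha' does not check that the value is an e-mail address. Validate each with isValidEmail() before the `dolibarr_set_const` call and count a failure as an error, e.g. `if (! isValidEmail($mailfrom)) $error++;`, so a malformed address is rejected rather than stored. The transaction opened by `$db->begin()` at the top of the hunk is closed outside it.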
@@ -1,7 +1,7 @@ * Copyright (C) 2005-2009 Laurent Destailleur - * Copyright (C) 2011 Juanjo Menent + * Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,11 +30,11 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action=GETPOST("action"); +$action=GETPOST('action','alpha'); if ($action == 'setvalue') { - $showmenu = GETPOST("BOOKMARKS_SHOW_IN_MENU"); + $showmenu = GETPOST('BOOKMARKS_SHOW_IN_MENU','alpha'); $res = dolibarr_set_const($db, "BOOKMARKS_SHOW_IN_MENU",$showmenu,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -53,8 +53,7 @@ if ($action == 'setvalue') /* - * - * + * View */ llxHeader();