From d97a95aa2adf6796e9d50b5390cd1e1d3d1f0856 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 7 Jul 2021 14:38:52 +0200
Subject: [PATCH 1/3] Fix CSRF token generation must be fast, can have low entropy.
---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index e9f5b16b6a9..9e5d27c26ff 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -448,7 +448,7 @@ if (!defined('NOTOKENRENEWAL')) {
 }
 // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
- $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
+ $token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
 $_SESSION['newtoken'] = $token;
 dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
 }
From 9308fab7ca58a3b510a50b0896577e5fa8dcdd86 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 7 Jul 2021 18:41:37 +0200
Subject: [PATCH 2/3] Fix css for field pos/position in dictionary.
Conflicts:
 htdocs/admin/dict.php
---
 htdocs/admin/dict.php | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index a0790ba23fe..97853ab6a37 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
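Review bot: The replacement token source on the `+` line is guessable: `mt_rand()` is not a cryptographically secure generator and `uniqid()` with `more_entropy` set to false is derived from the current microsecond clock, so the unpredictability of the CSRF token now rests on values that can be estimated from outside, and hashing with md5 adds no secrecy because the size of the input space is what matters. The stated requirement, fast generation, does not conflict with a secure source: `random_bytes()` is a single call backed by the OS generator and needs no hashing step at all, e.g. `$token = bin2hex(random_bytes(16)); // CSPRNG: fast and unguessable, no hash needed`. If `dol_hash()` must stay so the token keeps the format other code expects, feed it `random_bytes(32)` instead of `uniqid(mt_rand(), false)`. `random_bytes()` requires PHP 7.0+, so check it against the PHP floor this branch supports. The enclosing `if (!defined('NOTOKENRENEWAL'))` block starts outside the hunk.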
@@ -882,12 +882,12 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
 }
 if ($keycode == 'sortorder') { // For column name 'sortorder', we use the field name 'position'
- $sql .= "'".(int) GETPOST('position', 'int')."'";
+ $sql .= (int) GETPOST('position', 'int');
 } elseif ($_POST[$keycode] == '' && !($keycode == 'code' && $id == 10)) {
 $sql .= "null"; // For vat, we want/accept code = ''
 } elseif ($keycode == 'content') {
 $sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
- } elseif (in_array($keycode, array('joinfile', 'private', 'position', 'scale'))) {
+ } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale'))) {
 $sql .= (int) GETPOST($keycode, 'int');
 } else {
 $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'";
@@ -898,8 +898,8 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
 $sql .= ",1)";
 dol_syslog("actionadd", LOG_DEBUG);
- $result = $db->query($sql);
- if ($result) { // Add is ok
+ $resql = $db->query($sql);
+ if ($resql) { // Add is ok
 setEventMessages($langs->transnoentities("RecordCreatedSuccessfully"), null, 'mesgs');
 // Clean $_POST array, we keep only id of dictionary
@@ -956,7 +956,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
 $sql .= "null"; // For vat, we want/accept code = ''
 } elseif ($keycode == 'content') {
 $sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
- } elseif (in_array($keycode, array('private', 'position', 'scale'))) {
+ } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale'))) {
 $sql .= (int) GETPOST($keycode, 'int');
 } else {
 $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'";
@@ -1234,7 +1234,7 @@ if ($id) {
 $class = '';
 if ($value == 'pos') {
- $valuetoshow = $langs->trans("Position"); $class = 'maxwidth100';
+ $valuetoshow = $langs->trans("Position"); $class = 'right';
 }
 if ($value == 'source') {
 $valuetoshow = $langs->trans("Contact");
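Review bot: The list of columns that are written into the SQL as bare integers is duplicated between the insert branch in this hunk (`in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale'))`) and the update branch in the hunk at -956, and the third patch of this series has to touch both copies again to add `use_default`; a list that drifts between the two branches is how one branch ends up quoting a value the other casts. Declare it once above both branches, e.g. `$intfields = array('joinfile', 'private', 'pos', 'position', 'scale');`, and test with `in_array($keycode, $intfields, true)` so a column name is never matched loosely. The `(int)` cast on the new `$sql .= (int) GETPOST('position', 'int');` line is what keeps the now-unquoted value safe to concatenate; a short comment on it, `// cast to int: value is concatenated into SQL unquoted`, would stop a later edit from widening it to a string. The `if (GETPOST('actionadd') || GETPOST('actionmodify'))` block and the loop that iterates `$keycode` start outside the hunk.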
@@ -1623,11 +1623,8 @@ if ($id) {
 if ($value == 'code') {
 $valuetoshow = $langs->trans("Code");
 }
- if ($value == 'pos') {
- $cssprefix = 'right '; $valuetoshow = $langs->trans("Position");
- }
- if ($value == 'position') {
- $cssprefix = 'right '; $valuetoshow = $langs->trans("Position");
+ if (in_array($value, array('pos', 'position'))) {
+ $valuetoshow = $langs->trans("Position"); $cssprefix = 'right ';
 }
 if ($value == 'libelle' || $value == 'label') {
 $valuetoshow = $langs->trans("Label");
@@ -1992,7 +1989,7 @@ if ($id) {
 if ($value == 'tracking') {
 $class .= ' tdoverflowauto';
 }
- if ($value == 'position') {
+ if (in_array($value, array('pos', 'position'))) {
 $class .= ' right';
 }
 if ($value == 'localtax1_type') {
@@ -2001,10 +1998,7 @@ if ($id) {
 if ($value == 'localtax2_type') {
 $class .= ' nowrap';
 }
- if ($value == 'pos') {
- $class .= ' right';
- }
- if ($value == 'use_default') {
+ if (in_array($value, array('use_default', 'fk_parent'))) {
 $class .= ' center';
 }
 if ($value == 'public') {
@@ -2377,7 +2371,10 @@ function fieldList($fieldlist, $obj = '', $tabname = '', $context = '')
 if ($fieldlist[$field] == 'code') {
 $class = 'maxwidth100';
 }
- if (in_array($fieldlist[$field], array('dayrule', 'day', 'month', 'year', 'pos', 'use_default', 'affect', 'delay', 'position', 'public', 'sortorder', 'sens', 'category_type'))) {
+ if (in_array($fieldlist[$field], array('pos', 'position'))) {
+ $classtd = 'right'; $class = 'maxwidth50 right';
+ }
+ if (in_array($fieldlist[$field], array('dayrule', 'day', 'month', 'year', 'use_default', 'affect', 'delay', 'public', 'sortorder', 'sens', 'category_type', 'fk_parent'))) {
 $class = 'maxwidth50 center';
 }
 if (in_array($fieldlist[$field], array('use_default', 'public'))) {
From 2acbdc2c80be9a2382207226d5755ac49c9cc959 Mon Sep 17 00:00:00 2001
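Review bot: The added lines put two statements on one line, `$valuetoshow = $langs->trans("Position"); $cssprefix = 'right ';` here and `$classtd = 'right'; $class = 'maxwidth50 right';` in the hunk at -2377, while the surrounding context lines keep one statement per line as PSR-12 asks; splitting each into two lines also makes `$classtd`, which the -2377 hunk assigns but does not otherwise show being initialised, easy to spot in a later diff. The `in_array($value, array('pos', 'position'))` tests introduced here and at -1992, -2001 and -2377 compare a column name against string literals, so passing `true` as the third argument makes the comparison strict at no cost. The `if ($id)` block around the first three hunks and `fieldList()` around the last both start and end outside their hunks.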
From: Laurent Destailleur
Date: Wed, 7 Jul 2021 18:51:00 +0200
Subject: [PATCH 3/3] Fix avoid error message
---
 htdocs/admin/dict.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 97853ab6a37..1ae714afdc5 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -887,7 +887,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
 $sql .= "null"; // For vat, we want/accept code = ''
 } elseif ($keycode == 'content') {
 $sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
- } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale'))) {
+ } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale', 'use_default'))) {
 $sql .= (int) GETPOST($keycode, 'int');
 } else {
 $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'";
@@ -956,7 +956,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) {
 $sql .= "null"; // For vat, we want/accept code = ''
 } elseif ($keycode == 'content') {
 $sql .= "'".$db->escape(GETPOST($keycode, 'restricthtml'))."'";
- } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale'))) {
+ } elseif (in_array($keycode, array('joinfile', 'private', 'pos', 'position', 'scale', 'use_default'))) {
 $sql .= (int) GETPOST($keycode, 'int');
 } else {
 $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'";