Fix: prevent XSS and SQL injection

Regis Houssin 2012-10-09 09:34:12 +02:00
parent d61a8ee947
commit 4cd702bb1a
5 changed files with 85 additions and 73 deletions


@ -32,10 +32,11 @@ $langs->load("errors");
$langs->load("admin");
$mode=isset($_GET["mode"])?GETPOST("mode"):(isset($_SESSION['mode'])?$_SESSION['mode']:0);
$mesg=GETPOST("mesg");
$action=GETPOST('action');
$action=GETPOST('action','alpha');
$value=GETPOST('value');
if (!$user->admin) accessforbidden();
if (! $user->admin)
accessforbidden();
$specialtostring=array(0=>'common', 1=>'interfaces', 2=>'other', 3=>'functional', 4=>'marketplace');
@ -46,19 +47,17 @@ $specialtostring=array(0=>'common', 1=>'interfaces', 2=>'other', 3=>'functional'
if ($action == 'set' && $user->admin)
{
$result=activateModule($_GET["value"]);
$mesg='';
if ($result) $mesg=$result;
header("Location: modules.php?mode=".$mode."&mesg=".urlencode($mesg));
$result=activateModule($value);
if ($result) setEventMessage($result, 'errors');
header("Location: modules.php?mode=".$mode);
exit;
}
if ($action == 'reset' && $user->admin)
{
$result=unActivateModule($_GET["value"]);
$mesg='';
if ($result) $mesg=$result;
header("Location: modules.php?mode=".$mode."&mesg=".urlencode($mesg));
$result=unActivateModule($value);
if ($result) setEventMessage($result, 'errors');
header("Location: modules.php?mode=".$mode);
exit;
}
@ -129,7 +128,8 @@ foreach ($modulesdir as $dir)
if (! empty($modNameLoaded[$modName]))
{
$mesg="Error: Module ".$modName." was found twice: Into ".$modNameLoaded[$modName]." and ".$dir.". You probably have an old file on your disk.<br>";
dol_syslog($mesg, LOG_ERR);
setEventMessage($mesg, 'warnings');
dol_syslog($mesg, LOG_ERR);
continue;
}
@ -269,9 +269,6 @@ $h++;
dol_fiche_head($head, $mode, $langs->trans("Modules"));
dol_htmloutput_errors($mesg);
if ($mode != 'marketplace')
{
print "<table summary=\"list_of_modules\" class=\"noborder\" width=\"100%\">\n";
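Review bot: `$mode` at the top of the first hunk is still read through `GETPOST("mode")` with no filter and then concatenated raw into the `Location` header in both redirect branches, so the commit's filtering stops short of the one value that actually reaches a response header; use `GETPOST('mode','alpha')` there and `header("Location: modules.php?mode=".urlencode($mode));` in the `set` and `reset` branches. `$mesg=GETPOST("mesg")` is kept even though the redirects no longer pass `mesg` and the `dol_htmloutput_errors($mesg)` call is removed in the last hunk, so either it feeds code outside these hunks or it is now dead input worth deleting. `$value` is likewise read unfiltered before being handed to activateModule/unActivateModule; if those resolve a module name to a file (not visible here), the same `'alpha'` filter applied to `$action` belongs on `$value` too.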


@ -29,8 +29,8 @@ define('DONOTLOADCONF',1); // To avoid loading conf by file inc.php
include 'inc.php';
$action=GETPOST('action');
$setuplang=isset($_POST["selectlang"])?$_POST["selectlang"]:(isset($_GET["selectlang"])?$_GET["selectlang"]:'auto');
$action=GETPOST('action','alpha');
$setuplang=(GETPOST('selectlang')?GETPOST('selectlang'):'auto');
$langs->setDefaultLang($setuplang);
$langs->load("admin");
@ -38,10 +38,19 @@ $langs->load("install");
$langs->load("errors");
// Recuparation des information de connexion
$userroot=isset($_POST["db_user_root"])?$_POST["db_user_root"]:"";
$passroot=isset($_POST["db_pass_root"])?$_POST["db_pass_root"]:"";
$userroot=GETPOST('db_user_root');
$passroot=GETPOST('db_pass_root');
// Repertoire des pages dolibarr
$main_dir=isset($_POST["main_dir"])?trim($_POST["main_dir"]):'';
$main_dir=GETPOST('main_dir');
$main_url=GETPOST('main_url');
// Database server
$db_type=GETPOST('db_type','alpha');
$db_host=GETPOST('db_host','alpha');
$db_name=GETPOST('db_name','alpha');
$db_user=GETPOST('db_user','alpha');
$db_pass=GETPOST('db_pass');
$db_port=GETPOST('db_port','int');
$db_prefix=GETPOST('db_prefix','alpha');
// Now we load forced value from install.forced.php file.
$useforcedwizard=false;
@ -71,34 +80,34 @@ if (! is_writable($conffile))
// Check parameters
if (empty($_POST["db_type"]))
if (empty($db_type))
{
print '<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("DatabaseType")).'</div>';
$error++;
}
if (empty($_POST["db_host"]))
if (empty($db_host))
{
print '<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("Server")).'</div>';
$error++;
}
if (empty($_POST["db_name"]))
if (empty($db_name))
{
print '<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("DatabaseName")).'</div>';
$error++;
}
if (empty($_POST["db_user"]))
if (empty($db_user))
{
print '<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("Login")).'</div>';
$error++;
}
if (! empty($_POST["db_port"]) && ! is_numeric($_POST["db_port"]))
if (! empty($db_port) && ! is_numeric($db_port))
{
print '<div class="error">'.$langs->trans("ErrorBadValueForParameter",$_POST["db_port"],$langs->transnoentities("Port")).'</div>';
print '<div class="error">'.$langs->trans("ErrorBadValueForParameter",$db_port,$langs->transnoentities("Port")).'</div>';
$error++;
}
if (! empty($_POST["db_prefix"]) && ! preg_match('/^[a-z0-9]+_$/i', $_POST["db_prefix"]))
if (! empty($db_prefix) && ! preg_match('/^[a-z0-9]+_$/i', $db_prefix))
{
print '<div class="error">'.$langs->trans("ErrorBadValueForParameter",$_POST["db_prefix"],$langs->transnoentities("DatabasePrefix")).'</div>';
print '<div class="error">'.$langs->trans("ErrorBadValueForParameter",$db_prefix,$langs->transnoentities("DatabasePrefix")).'</div>';
$error++;
}
@ -110,9 +119,9 @@ if (substr($main_dir, dol_strlen($main_dir) -1) == "/")
}
// Remove last / into dans main_url
if (! empty($_POST["main_url"]) && substr($_POST["main_url"], dol_strlen($_POST["main_url"]) -1) == "/")
if (! empty($main_url) && substr($main_url, dol_strlen($main_url) -1) == "/")
{
$_POST["main_url"] = substr($_POST["main_url"], 0, dol_strlen($_POST["main_url"])-1);
$main_url = substr($main_url, 0, dol_strlen($main_url)-1);
}
// Directory for generated documents (invoices, orders, ecm, etc...)
@ -123,13 +132,13 @@ if (! $main_data_dir) { $main_data_dir="$main_dir/documents"; }
// Test database connexion
if (! $error)
{
$result=@include_once $main_dir."/core/db/".$_POST["db_type"].'.class.php';
$result=@include_once $main_dir."/core/db/".$db_type.'.class.php';
if ($result)
{
// If we ask database or user creation we need to connect as root, so we need root login
if (! empty($_POST["db_create_database"]) && ! $userroot)
{
print '<div class="error">'.$langs->trans("YouAskDatabaseCreationSoDolibarrNeedToConnect",$_POST["db_name"]).'</div>';
print '<div class="error">'.$langs->trans("YouAskDatabaseCreationSoDolibarrNeedToConnect",$db_name).'</div>';
print '<br>';
print $langs->trans("BecauseConnectionFailedParametersMayBeWrong").'<br><br>';
print $langs->trans("ErrorGoBackAndCorrectParameters");
@ -137,7 +146,7 @@ if (! $error)
}
if (! empty($_POST["db_create_user"]) && ! $userroot)
{
print '<div class="error">'.$langs->trans("YouAskLoginCreationSoDolibarrNeedToConnect",$_POST["db_user"]).'</div>';
print '<div class="error">'.$langs->trans("YouAskLoginCreationSoDolibarrNeedToConnect",$db_user).'</div>';
print '<br>';
print $langs->trans("BecauseConnectionFailedParametersMayBeWrong").'<br><br>';
print $langs->trans("ErrorGoBackAndCorrectParameters");
@ -147,14 +156,14 @@ if (! $error)
// If we need root access
if (! $error && (! empty($_POST["db_create_database"]) || ! empty($_POST["db_create_user"])))
{
$databasefortest=$_POST["db_name"];
$databasefortest=$db_name;
if (! empty($_POST["db_create_database"]))
{
if ($_POST["db_type"] == 'mysql' || $_POST["db_type"] == 'mysqli')
if ($db_type == 'mysql' || $db_type == 'mysqli')
{
$databasefortest='mysql';
}
elseif ($_POST["db_type"] == 'pgsql')
elseif ($db_type == 'pgsql')
{
$databasefortest='postgres';
}
@ -165,14 +174,14 @@ if (! $error)
}
//print $_POST["db_type"].",".$_POST["db_host"].",$userroot,$passroot,$databasefortest,".$_POST["db_port"];
$db=getDoliDBInstance($_POST["db_type"],$_POST["db_host"],$userroot,$passroot,$databasefortest,$_POST["db_port"]);
$db=getDoliDBInstance($db_type, $db_host, $userroot, $passroot, $databasefortest, $db_port);
dol_syslog("databasefortest=".$databasefortest." connected=".$db->connected." database_selected=".$db->database_selected, LOG_DEBUG);
//print "databasefortest=".$databasefortest." connected=".$db->connected." database_selected=".$db->database_selected;
if (empty($_POST["db_create_database"]) && $db->connected && ! $db->database_selected)
{
print '<div class="error">'.$langs->trans("ErrorConnectedButDatabaseNotFound",$_POST["db_name"]).'</div>';
print '<div class="error">'.$langs->trans("ErrorConnectedButDatabaseNotFound",$db_name).'</div>';
print '<br>';
if (! $db->connected) print $langs->trans("IfDatabaseNotExistsGoBackAndUncheckCreate").'<br><br>';
print $langs->trans("ErrorGoBackAndCorrectParameters");
@ -191,7 +200,7 @@ if (! $error)
// If we need simple access
if (! $error && (empty($_POST["db_create_database"]) && empty($_POST["db_create_user"])))
{
$db=getDoliDBInstance($_POST["db_type"],$_POST["db_host"],$_POST["db_user"],$_POST["db_pass"],$_POST["db_name"],$_POST["db_port"]);
$db=getDoliDBInstance($db_type, $db_host, $db_user, $db_pass, $db_name, $db_port);
if ($db->error)
{
@ -204,7 +213,7 @@ if (! $error)
}
else
{
print "<br>\nFailed to include_once(\"".$main_dir."/core/db/".$_POST["db_type"].".class.php\")<br>\n";
print "<br>\nFailed to include_once(\"".$main_dir."/core/db/".$db_type.".class.php\")<br>\n";
print '<div class="error">'.$langs->trans("ErrorWrongValueForParameter",$langs->transnoentities("WebPagesDirectory")).'</div>';
print $langs->trans("ErrorGoBackAndCorrectParameters");
$error++;
@ -223,10 +232,10 @@ if (! $error && $db->connected)
{
if (! empty($_POST["db_create_database"]))
{
$result=$db->select_db($_POST["db_name"]);
$result=$db->select_db($db_name);
if ($result)
{
print '<div class="error">'.$langs->trans("ErrorDatabaseAlreadyExists",$_POST["db_name"]).'</div>';
print '<div class="error">'.$langs->trans("ErrorDatabaseAlreadyExists", $db_name).'</div>';
print $langs->trans("IfDatabaseExistsGoBackAndCheckCreate").'<br><br>';
print $langs->trans("ErrorGoBackAndCorrectParameters");
$error++;
@ -259,9 +268,10 @@ if (! $error && $db->connected)
if (! $error && $db->connected && $action == "set")
{
umask(0);
foreach($_POST as $cle=>$valeur)
foreach($_POST as $key => $value)
{
if (! preg_match('/^db_pass/i',$cle)) dolibarr_install_syslog("Choice for ".$cle." = ".$valeur);
if (! preg_match('/^db_pass/i', $key))
dolibarr_install_syslog("Choice for ".$key." = ".$value);
}
// Show title of step
@ -399,7 +409,7 @@ if (! $error && $db->connected && $action == "set")
}
// Table prefix
$main_db_prefix = ((GETPOST("db_prefix") && GETPOST("db_prefix") != '') ? GETPOST("db_prefix") : 'llx_');
$main_db_prefix = ((! empty($db_prefix) && $db_prefix != '') ? $db_prefix : 'llx_');
// Force https
$main_force_https = ((GETPOST("main_force_https") && (GETPOST("main_force_https") == "on" || GETPOST("main_force_https") == 1)) ? '1' : '0');
@ -766,6 +776,7 @@ function write_conf_file($conffile)
global $dolibarr_main_url_root,$dolibarr_main_document_root,$dolibarr_main_data_root,$dolibarr_main_db_host;
global $dolibarr_main_db_port,$dolibarr_main_db_name,$dolibarr_main_db_user,$dolibarr_main_db_pass;
global $dolibarr_main_db_type,$dolibarr_main_db_character_set,$dolibarr_main_db_collation,$dolibarr_main_authentication;
global $db_host,$db_port,$db_name,$db_user,$db_pass,$db_type;
global $conffile,$conffiletoshow,$conffiletoshowshort;
global $force_dolibarr_lib_ADODB_PATH, $force_dolibarr_lib_NUSOAP_PATH;
global $force_dolibarr_lib_TCPDF_PATH, $force_dolibarr_lib_FPDI_PATH;
@ -791,13 +802,13 @@ function write_conf_file($conffile)
fputs($fp,'// and explanations for all possibles parameters.'."\n");
fputs($fp,'//'."\n");
fputs($fp, '$dolibarr_main_url_root=\''.str_replace("'","\'",($_POST["main_url"])).'\';');
fputs($fp, '$dolibarr_main_url_root=\''.str_replace("'","\'",($main_url)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_document_root=\''.str_replace("'","\'",($main_dir)).'\';');
fputs($fp,"\n");
fputs($fp, $main_use_alt_dir.'$dolibarr_main_url_root_alt=\''.str_replace("'","\'",($_POST["main_url"]."/".$main_alt_dir_name)).'\';');
fputs($fp, $main_use_alt_dir.'$dolibarr_main_url_root_alt=\''.str_replace("'","\'",($main_url."/".$main_alt_dir_name)).'\';');
fputs($fp,"\n");
fputs($fp, $main_use_alt_dir.'$dolibarr_main_document_root_alt=\''.str_replace("'","\'",($main_dir."/".$main_alt_dir_name)).'\';');
@ -806,24 +817,24 @@ function write_conf_file($conffile)
fputs($fp, '$dolibarr_main_data_root=\''.str_replace("'","\'",($main_data_dir)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_host=\''.str_replace("'","\'",($_POST["db_host"])).'\';');
fputs($fp, '$dolibarr_main_db_host=\''.str_replace("'","\'",($db_host)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_port=\''.str_replace("'","\'",($_POST["db_port"])).'\';');
fputs($fp, '$dolibarr_main_db_port=\''.str_replace("'","\'",($db_port)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_name=\''.str_replace("'","\'",($_POST["db_name"])).'\';');
fputs($fp, '$dolibarr_main_db_name=\''.str_replace("'","\'",($db_name)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_prefix=\''.str_replace("'","\'",($main_db_prefix)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_user=\''.str_replace("'","\'",($_POST["db_user"])).'\';');
fputs($fp, '$dolibarr_main_db_user=\''.str_replace("'","\'",($db_user)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_pass=\''.str_replace("'","\'",($_POST["db_pass"])).'\';');
fputs($fp, '$dolibarr_main_db_pass=\''.str_replace("'","\'",($db_pass)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_type=\''.str_replace("'","\'",($_POST["db_type"])).'\';');
fputs($fp, '$dolibarr_main_db_type=\''.str_replace("'","\'",($db_type)).'\';');
fputs($fp,"\n");
fputs($fp, '$dolibarr_main_db_character_set=\''.str_replace("'","\'",($_POST["dolibarr_main_db_character_set"])).'\';');
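Review bot: `$db_type` is concatenated into the `include_once` path in the `// Test database connexion` hunk, and the `'alpha'` filter added at the top of the file does not constrain it to a known driver; since the drivers this installer compares against appear later in the same section (`mysql`, `mysqli`, `pgsql`), the parameter-check block should reject anything outside the shipped driver names, e.g. `if (! in_array($db_type, array('mysql','mysqli','pgsql'), true)) { print '<div class="error">'.$langs->trans("ErrorBadValueForParameter",$db_type,$langs->transnoentities("DatabaseType")).'</div>'; $error++; }` (extend the list to whatever core/db actually ships). In write_conf_file, the `str_replace("'","\'",...)` quoting does not escape backslashes, so a value ending in `\` — and `$db_pass` is deliberately left unfiltered — terminates the single-quoted literal early in the generated conf file; `addcslashes($db_pass, "'\\")` (or `var_export`) is the complete form and should replace the `str_replace` on every fputs line in those two hunks. The first hunk also drops the `trim()` the old `$main_dir` assignment applied, a behaviour change the commit message does not mention. write_conf_file starts and ends outside the hunks shown.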


@ -69,7 +69,7 @@ $form = new Form($db);
llxHeader("","ClickToDial");
if ($id)
if ($id > 0)
{
$fuser = new User($db);
$fuser->fetch($id);
@ -113,7 +113,7 @@ if ($id)
if ($action == 'edit')
{
print '<form action="clicktodial.php?id='.$_GET["id"].'" method="post">';
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$fuser->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<table class="border" width="100%">';
@ -192,7 +192,7 @@ if ($id)
if (! empty($user->admin) && $action <> 'edit')
{
print '<a class="butAction" href="clicktodial.php?id='.$fuser->id.'&amp;action=edit">'.$langs->trans("Modify").'</a>';
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$fuser->id.'&amp;action=edit">'.$langs->trans("Modify").'</a>';
}
print "</div>\n";
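Review bot: The `action` attribute on the new form line interpolates `$_SERVER['PHP_SELF']` without escaping, and on most SAPIs PHP_SELF carries client-supplied path info, so the replacement for the old `$_GET["id"]` swaps one reflected value for another in an attribute context; the `href` in the last hunk has the same shape. Wrap it, `print '<form action="'.htmlspecialchars($_SERVER['PHP_SELF']).'?id='.$fuser->id.'" method="post">';`, or keep the static `clicktodial.php` the old line used, since `$fuser->id` is already the only dynamic part that matters. The `if ($action == 'edit')` block and the enclosing `if ($id > 0)` body both continue outside the hunks shown.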


@ -28,17 +28,18 @@ require '../../main.inc.php';
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
{
if (! $user->rights->user->group_advance->read && ! $user->admin) accessforbidden();
if (! $user->rights->user->group_advance->read && ! $user->admin)
accessforbidden();
}
$langs->load("users");
$sall=GETPOST("sall");
$search_group=GETPOST('search_group');
$sall=GETPOST('sall', 'alpha');
$search_group=GETPOST('search_group','alpha');
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$page = GETPOST("page",'int');
$sortfield = GETPOST('sortfield','alpha');
$sortorder = GETPOST('sortorder','alpha');
$page = GETPOST('page','int');
if ($page == -1) { $page = 0; }
$offset = $conf->liste_limit * $page;
$pageprev = $page - 1;
@ -67,9 +68,9 @@ else
{
$sql.= " WHERE g.entity IN (0,".$conf->entity.")";
}
if ($search_group)
if (! empty($search_group))
{
$sql .= " AND (g.nom LIKE '%".$db->escape($_POST["search_group"])."%' OR g.note LIKE '%".$db->escape($_POST["search_group"])."%')";
$sql .= " AND (g.nom LIKE '%".$db->escape($search_group)."%' OR g.note LIKE '%".$db->escape($search_group)."%')";
}
if ($sall) $sql.= " AND (g.nom LIKE '%".$db->escape($sall)."%' OR g.note LIKE '%".$db->escape($sall)."%')";
$sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec";
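Review bot: The new `if (! empty($search_group))` guard treats the string `'0'` as empty, so a search for a group literally named 0 silently drops the filter and returns the full list; `if ($search_group !== '')` keeps the intent without that hole. The same truthiness test is used for `$sall` on the following `if` line and in the user list's `if ($sall)` line in the last file of this commit. The `$db->escape()` calls protect the quotes, but nothing here neutralises `%` and `_`, so those characters in a search term act as LIKE wildcards if `escape()` only handles quoting (its implementation is not visible in this diff).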


@ -24,24 +24,27 @@
*/
require '../main.inc.php';
if(! empty($conf->multicompany->enabled)) dol_include_once('/multicompany/class/actions_multicompany.class.php');
if (! empty($conf->multicompany->enabled))
dol_include_once('/multicompany/class/actions_multicompany.class.php', 'Multicompany');
if (! $user->rights->user->user->lire && ! $user->admin) accessforbidden();
if (! $user->rights->user->user->lire && ! $user->admin)
accessforbidden();
$langs->load("users");
$langs->load("companies");
// Security check (for external users)
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
if ($user->societe_id > 0)
$socid = $user->societe_id;
$sall=GETPOST('sall','alpha');
$search_user=GETPOST('search_user','alpha');
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$page = GETPOST("page",'int');
$sortfield = GETPOST('sortfield','alpha');
$sortorder = GETPOST('sortorder','alpha');
$page = GETPOST('page','int');
if ($page == -1) { $page = 0; }
$offset = $conf->liste_limit * $page;
$pageprev = $page - 1;
@ -78,10 +81,10 @@ else
{
$sql.= " WHERE u.entity IN (0,".$conf->entity.")";
}
if (!empty($socid)) $sql.= " AND u.fk_societe = ".$socid;
if ($search_user)
if (! empty($socid)) $sql.= " AND u.fk_societe = ".$socid;
if (! empty($search_user))
{
$sql.= " AND (u.login LIKE '%".$search_user."%' OR u.name LIKE '%".$search_user."%' OR u.firstname LIKE '%".$search_user."%')";
$sql.= " AND (u.login LIKE '%".$db->escape($search_user)."%' OR u.name LIKE '%".$db->escape($search_user)."%' OR u.firstname LIKE '%".$db->escape($search_user)."%')";
}
if ($sall) $sql.= " AND (u.login LIKE '%".$db->escape($sall)."%' OR u.name LIKE '%".$db->escape($sall)."%' OR u.firstname LIKE '%".$db->escape($sall)."%' OR u.email LIKE '%".$db->escape($sall)."%' OR u.note LIKE '%".$db->escape($sall)."%')";
$sql.=$db->order($sortfield,$sortorder);