From 4cd702bb1a5ad973b0b7a6ca29e98b9f3f6503fd Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 9 Oct 2012 09:34:12 +0200 Subject: [PATCH] Fix: prevent XSS and SQL injection --- htdocs/admin/modules.php | 27 +++++------- htdocs/install/etape1.php | 87 +++++++++++++++++++++---------------- htdocs/user/clicktodial.php | 6 +-- htdocs/user/group/index.php | 17 ++++---- htdocs/user/index.php | 21 +++++---- 5 files changed, 85 insertions(+), 73 deletions(-) diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 99f85b40fc9..cb1f619eedc 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -32,10 +32,11 @@ $langs->load("errors"); $langs->load("admin"); $mode=isset($_GET["mode"])?GETPOST("mode"):(isset($_SESSION['mode'])?$_SESSION['mode']:0); -$mesg=GETPOST("mesg"); -$action=GETPOST('action'); +$action=GETPOST('action','alpha'); +$value=GETPOST('value'); -if (!$user->admin) accessforbidden(); +if (! $user->admin) + accessforbidden(); $specialtostring=array(0=>'common', 1=>'interfaces', 2=>'other', 3=>'functional', 4=>'marketplace'); @@ -46,19 +47,17 @@ $specialtostring=array(0=>'common', 1=>'interfaces', 2=>'other', 3=>'functional' if ($action == 'set' && $user->admin) { - $result=activateModule($_GET["value"]); - $mesg=''; - if ($result) $mesg=$result; - header("Location: modules.php?mode=".$mode."&mesg=".urlencode($mesg)); + $result=activateModule($value); + if ($result) setEventMessage($result, 'errors'); + header("Location: modules.php?mode=".$mode); exit; } if ($action == 'reset' && $user->admin) { - $result=unActivateModule($_GET["value"]); - $mesg=''; - if ($result) $mesg=$result; - header("Location: modules.php?mode=".$mode."&mesg=".urlencode($mesg)); + $result=unActivateModule($value); + if ($result) setEventMessage($result, 'errors'); + header("Location: modules.php?mode=".$mode); exit; } 
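Review bot: `$value=GETPOST('value');` on the new side carries no filter, although `$action` on the line above gets `'alpha'` and the commit is about input hardening; the second hunk hands this value to `activateModule($value)` / `unActivateModule($value)` as a module name, so declare it as `$value=GETPOST('value','alpha');`. Both redirect branches also embed `$mode` raw in `header("Location: modules.php?mode=".$mode);`, and `$mode` is read from `$_GET` through an unfiltered `GETPOST("mode")`; write `header("Location: modules.php?mode=".urlencode($mode));` and read it with `GETPOST('mode','alpha')` if that check accepts the values `$mode` takes here (presumably an index into `$specialtostring` or `'marketplace'`, judging by the later `$mode != 'marketplace'` test).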
@@ -129,7 +128,8 @@ foreach ($modulesdir as $dir) if (! empty($modNameLoaded[$modName])) { $mesg="Error: Module ".$modName." was found twice: Into ".$modNameLoaded[$modName]." and ".$dir.". You probably have an old file on your disk.
"; - dol_syslog($mesg, LOG_ERR); + setEventMessage($mesg, 'warnings'); + dol_syslog($mesg, LOG_ERR); continue; } @@ -269,9 +269,6 @@ $h++; dol_fiche_head($head, $mode, $langs->trans("Modules")); -dol_htmloutput_errors($mesg); - - if ($mode != 'marketplace') { print "\n"; diff --git a/htdocs/install/etape1.php b/htdocs/install/etape1.php index 8e6ca05e9d4..70c3f3e5c7f 100644 --- a/htdocs/install/etape1.php +++ b/htdocs/install/etape1.php @@ -29,8 +29,8 @@ define('DONOTLOADCONF',1); // To avoid loading conf by file inc.php include 'inc.php'; -$action=GETPOST('action'); -$setuplang=isset($_POST["selectlang"])?$_POST["selectlang"]:(isset($_GET["selectlang"])?$_GET["selectlang"]:'auto'); +$action=GETPOST('action','alpha'); +$setuplang=(GETPOST('selectlang')?GETPOST('selectlang'):'auto'); $langs->setDefaultLang($setuplang); $langs->load("admin"); @@ -38,10 +38,19 @@ $langs->load("install"); $langs->load("errors"); // Recuparation des information de connexion -$userroot=isset($_POST["db_user_root"])?$_POST["db_user_root"]:""; -$passroot=isset($_POST["db_pass_root"])?$_POST["db_pass_root"]:""; +$userroot=GETPOST('db_user_root'); +$passroot=GETPOST('db_pass_root'); // Repertoire des pages dolibarr -$main_dir=isset($_POST["main_dir"])?trim($_POST["main_dir"]):''; +$main_dir=GETPOST('main_dir'); +$main_url=GETPOST('main_url'); +// Database server +$db_type=GETPOST('db_type','alpha'); +$db_host=GETPOST('db_host','alpha'); +$db_name=GETPOST('db_name','alpha'); +$db_user=GETPOST('db_user','alpha'); +$db_pass=GETPOST('db_pass'); +$db_port=GETPOST('db_port','int'); +$db_prefix=GETPOST('db_prefix','alpha'); // Now we load forced value from install.forced.php file. $useforcedwizard=false; @@ -71,34 +80,34 @@ if (! is_writable($conffile)) // Check parameters -if (empty($_POST["db_type"])) +if (empty($db_type)) { print '
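Review bot: The text pushed through `setEventMessage($mesg, 'warnings');` is a raw English string carrying `$modNameLoaded[$modName]` and `$dir`, i.e. server-side directory paths that were previously confined to the syslog. The page is admin-only (`accessforbidden()` near the top of the file), so the exposure is limited, but showing a translated message that names only `$modName` on screen, with the full paths kept in the `dol_syslog` call, would match how the rest of the file reports errors. The enclosing foreach begins and ends outside the hunk.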
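Review bot: `$setuplang` is read with a bare `GETPOST('selectlang')` while `$action` on the line above now gets `'alpha'`; the value is handed to `$langs->setDefaultLang()`, and if that routine resolves language files from the code (not visible here), it should take the same filter: `$setuplang=(GETPOST('selectlang','alpha') ? GETPOST('selectlang','alpha') : 'auto');`. Reading it once into a local instead of calling GETPOST twice would also be clearer, with identical behaviour.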
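Review bot: `$main_dir=GETPOST('main_dir');` drops the `trim()` the removed line applied, so a trailing space or newline pasted into the form now survives into the `include_once $main_dir."/core/db/"...` path later in the file and into the written conf file; restore it with `$main_dir=trim(GETPOST('main_dir'));`. `$main_url` is read the same way and also ends up in the conf file, so it deserves the same trim. Since `$main_dir` still selects an `include_once` path, an `is_dir($main_dir)` test next to the other required-field checks would turn a bad path into a clean error instead of the include failure reported further down.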
'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("DatabaseType")).'
'; $error++; } -if (empty($_POST["db_host"])) +if (empty($db_host)) { print '
'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("Server")).'
'; $error++; } -if (empty($_POST["db_name"])) +if (empty($db_name)) { print '
'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("DatabaseName")).'
'; $error++; } -if (empty($_POST["db_user"])) +if (empty($db_user)) { print '
'.$langs->trans("ErrorFieldRequired",$langs->transnoentities("Login")).'
'; $error++; } -if (! empty($_POST["db_port"]) && ! is_numeric($_POST["db_port"])) +if (! empty($db_port) && ! is_numeric($db_port)) { - print '
'.$langs->trans("ErrorBadValueForParameter",$_POST["db_port"],$langs->transnoentities("Port")).'
'; + print '
'.$langs->trans("ErrorBadValueForParameter",$db_port,$langs->transnoentities("Port")).'
'; $error++; } -if (! empty($_POST["db_prefix"]) && ! preg_match('/^[a-z0-9]+_$/i', $_POST["db_prefix"])) +if (! empty($db_prefix) && ! preg_match('/^[a-z0-9]+_$/i', $db_prefix)) { - print '
'.$langs->trans("ErrorBadValueForParameter",$_POST["db_prefix"],$langs->transnoentities("DatabasePrefix")).'
'; + print '
'.$langs->trans("ErrorBadValueForParameter",$db_prefix,$langs->transnoentities("DatabasePrefix")).'
'; $error++; } @@ -110,9 +119,9 @@ if (substr($main_dir, dol_strlen($main_dir) -1) == "/") } // Remove last / into dans main_url -if (! empty($_POST["main_url"]) && substr($_POST["main_url"], dol_strlen($_POST["main_url"]) -1) == "/") +if (! empty($main_url) && substr($main_url, dol_strlen($main_url) -1) == "/") { - $_POST["main_url"] = substr($_POST["main_url"], 0, dol_strlen($_POST["main_url"])-1); + $main_url = substr($main_url, 0, dol_strlen($main_url)-1); } // Directory for generated documents (invoices, orders, ecm, etc...) @@ -123,13 +132,13 @@ if (! $main_data_dir) { $main_data_dir="$main_dir/documents"; } // Test database connexion if (! $error) { - $result=@include_once $main_dir."/core/db/".$_POST["db_type"].'.class.php'; + $result=@include_once $main_dir."/core/db/".$db_type.'.class.php'; if ($result) { // If we ask database or user creation we need to connect as root, so we need root login if (! empty($_POST["db_create_database"]) && ! $userroot) { - print '
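Review bot: With `$db_port` now read as `GETPOST('db_port','int')`, the branch `if (! empty($db_port) && ! is_numeric($db_port))` can only fire if that filter lets non-numeric values through; if it blanks them instead (TODO confirm in GETPOST), a bad port is silently dropped and the installer never sees `ErrorBadValueForParameter`, so either run the check on the raw value or remove the now-dead branch. The same question applies to `$db_host` with `'alpha'`: if that check rejects dots, hyphens, colons or IPv6 brackets, a valid host is emptied and reported as the generic `ErrorFieldRequired` for Server, which will confuse people; confirm the allowed character set before relying on it for hostnames.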
'.$langs->trans("YouAskDatabaseCreationSoDolibarrNeedToConnect",$_POST["db_name"]).'
'; + print '
'.$langs->trans("YouAskDatabaseCreationSoDolibarrNeedToConnect",$db_name).'
'; print '
'; print $langs->trans("BecauseConnectionFailedParametersMayBeWrong").'

'; print $langs->trans("ErrorGoBackAndCorrectParameters"); @@ -137,7 +146,7 @@ if (! $error) } if (! empty($_POST["db_create_user"]) && ! $userroot) { - print '
'.$langs->trans("YouAskLoginCreationSoDolibarrNeedToConnect",$_POST["db_user"]).'
'; + print '
'.$langs->trans("YouAskLoginCreationSoDolibarrNeedToConnect",$db_user).'
'; print '
'; print $langs->trans("BecauseConnectionFailedParametersMayBeWrong").'

'; print $langs->trans("ErrorGoBackAndCorrectParameters"); @@ -147,14 +156,14 @@ if (! $error) // If we need root access if (! $error && (! empty($_POST["db_create_database"]) || ! empty($_POST["db_create_user"]))) { - $databasefortest=$_POST["db_name"]; + $databasefortest=$db_name; if (! empty($_POST["db_create_database"])) { - if ($_POST["db_type"] == 'mysql' || $_POST["db_type"] == 'mysqli') + if ($db_type == 'mysql' || $db_type == 'mysqli') { $databasefortest='mysql'; } - elseif ($_POST["db_type"] == 'pgsql') + elseif ($db_type == 'pgsql') { $databasefortest='postgres'; } @@ -165,14 +174,14 @@ if (! $error) } //print $_POST["db_type"].",".$_POST["db_host"].",$userroot,$passroot,$databasefortest,".$_POST["db_port"]; - $db=getDoliDBInstance($_POST["db_type"],$_POST["db_host"],$userroot,$passroot,$databasefortest,$_POST["db_port"]); + $db=getDoliDBInstance($db_type, $db_host, $userroot, $passroot, $databasefortest, $db_port); dol_syslog("databasefortest=".$databasefortest." connected=".$db->connected." database_selected=".$db->database_selected, LOG_DEBUG); //print "databasefortest=".$databasefortest." connected=".$db->connected." database_selected=".$db->database_selected; if (empty($_POST["db_create_database"]) && $db->connected && ! $db->database_selected) { - print '
'.$langs->trans("ErrorConnectedButDatabaseNotFound",$_POST["db_name"]).'
'; + print '
'.$langs->trans("ErrorConnectedButDatabaseNotFound",$db_name).'
'; print '
'; if (! $db->connected) print $langs->trans("IfDatabaseNotExistsGoBackAndUncheckCreate").'

'; print $langs->trans("ErrorGoBackAndCorrectParameters"); @@ -191,7 +200,7 @@ if (! $error) // If we need simple access if (! $error && (empty($_POST["db_create_database"]) && empty($_POST["db_create_user"]))) { - $db=getDoliDBInstance($_POST["db_type"],$_POST["db_host"],$_POST["db_user"],$_POST["db_pass"],$_POST["db_name"],$_POST["db_port"]); + $db=getDoliDBInstance($db_type, $db_host, $db_user, $db_pass, $db_name, $db_port); if ($db->error) { @@ -204,7 +213,7 @@ if (! $error) } else { - print "
\nFailed to include_once(\"".$main_dir."/core/db/".$_POST["db_type"].".class.php\")
\n"; + print "
\nFailed to include_once(\"".$main_dir."/core/db/".$db_type.".class.php\")
\n"; print '
'.$langs->trans("ErrorWrongValueForParameter",$langs->transnoentities("WebPagesDirectory")).'
'; print $langs->trans("ErrorGoBackAndCorrectParameters"); $error++; @@ -223,10 +232,10 @@ if (! $error && $db->connected) { if (! empty($_POST["db_create_database"])) { - $result=$db->select_db($_POST["db_name"]); + $result=$db->select_db($db_name); if ($result) { - print '
'.$langs->trans("ErrorDatabaseAlreadyExists",$_POST["db_name"]).'
'; + print '
'.$langs->trans("ErrorDatabaseAlreadyExists", $db_name).'
'; print $langs->trans("IfDatabaseExistsGoBackAndCheckCreate").'

'; print $langs->trans("ErrorGoBackAndCorrectParameters"); $error++; @@ -259,9 +268,10 @@ if (! $error && $db->connected) if (! $error && $db->connected && $action == "set") { umask(0); - foreach($_POST as $cle=>$valeur) + foreach($_POST as $key => $value) { - if (! preg_match('/^db_pass/i',$cle)) dolibarr_install_syslog("Choice for ".$cle." = ".$valeur); + if (! preg_match('/^db_pass/i', $key)) + dolibarr_install_syslog("Choice for ".$key." = ".$value); } // Show title of step @@ -399,7 +409,7 @@ if (! $error && $db->connected && $action == "set") } // Table prefix - $main_db_prefix = ((GETPOST("db_prefix") && GETPOST("db_prefix") != '') ? GETPOST("db_prefix") : 'llx_'); + $main_db_prefix = ((! empty($db_prefix) && $db_prefix != '') ? $db_prefix : 'llx_'); // Force https $main_force_https = ((GETPOST("main_force_https") && (GETPOST("main_force_https") == "on" || GETPOST("main_force_https") == 1)) ? '1' : '0'); @@ -766,6 +776,7 @@ function write_conf_file($conffile) global $dolibarr_main_url_root,$dolibarr_main_document_root,$dolibarr_main_data_root,$dolibarr_main_db_host; global $dolibarr_main_db_port,$dolibarr_main_db_name,$dolibarr_main_db_user,$dolibarr_main_db_pass; global $dolibarr_main_db_type,$dolibarr_main_db_character_set,$dolibarr_main_db_collation,$dolibarr_main_authentication; + global $db_host,$db_port,$db_name,$db_user,$db_pass,$db_type; global $conffile,$conffiletoshow,$conffiletoshowshort; global $force_dolibarr_lib_ADODB_PATH, $force_dolibarr_lib_NUSOAP_PATH; global $force_dolibarr_lib_TCPDF_PATH, $force_dolibarr_lib_FPDI_PATH; 
@@ -791,13 +802,13 @@ function write_conf_file($conffile) fputs($fp,'// and explanations for all possibles parameters.'."\n"); fputs($fp,'//'."\n"); - fputs($fp, '$dolibarr_main_url_root=\''.str_replace("'","\'",($_POST["main_url"])).'\';'); + fputs($fp, '$dolibarr_main_url_root=\''.str_replace("'","\'",($main_url)).'\';'); fputs($fp,"\n"); fputs($fp, '$dolibarr_main_document_root=\''.str_replace("'","\'",($main_dir)).'\';'); fputs($fp,"\n"); - fputs($fp, $main_use_alt_dir.'$dolibarr_main_url_root_alt=\''.str_replace("'","\'",($_POST["main_url"]."/".$main_alt_dir_name)).'\';'); + fputs($fp, $main_use_alt_dir.'$dolibarr_main_url_root_alt=\''.str_replace("'","\'",($main_url."/".$main_alt_dir_name)).'\';'); fputs($fp,"\n"); fputs($fp, $main_use_alt_dir.'$dolibarr_main_document_root_alt=\''.str_replace("'","\'",($main_dir."/".$main_alt_dir_name)).'\';'); 
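Review bot: Values are written into the generated conf file with `str_replace("'","\'", ...)`, which escapes single quotes but not backslashes, so a value ending in `\` (or containing `\'`) terminates the single-quoted PHP literal and the rest of the installer input is written as code; this applies to `$main_url` here and to every `$db_*` line in the next hunk (`@@ -806`). `var_export($main_url, true)` yields a correctly escaped literal, or `addcslashes($main_url, "'\\")` keeps the current shape. The install page is only reachable while the conf file is writable (the `is_writable($conffile)` check visible in the `@@ -71` hunk header), which bounds the exposure to the setup window, but the writer should not depend on that. write_conf_file() begins and ends outside the hunk.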
@@ -806,24 +817,24 @@ function write_conf_file($conffile) fputs($fp, '$dolibarr_main_data_root=\''.str_replace("'","\'",($main_data_dir)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_host=\''.str_replace("'","\'",($_POST["db_host"])).'\';'); + fputs($fp, '$dolibarr_main_db_host=\''.str_replace("'","\'",($db_host)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_port=\''.str_replace("'","\'",($_POST["db_port"])).'\';'); + fputs($fp, '$dolibarr_main_db_port=\''.str_replace("'","\'",($db_port)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_name=\''.str_replace("'","\'",($_POST["db_name"])).'\';'); + fputs($fp, '$dolibarr_main_db_name=\''.str_replace("'","\'",($db_name)).'\';'); fputs($fp,"\n"); fputs($fp, '$dolibarr_main_db_prefix=\''.str_replace("'","\'",($main_db_prefix)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_user=\''.str_replace("'","\'",($_POST["db_user"])).'\';'); + fputs($fp, '$dolibarr_main_db_user=\''.str_replace("'","\'",($db_user)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_pass=\''.str_replace("'","\'",($_POST["db_pass"])).'\';'); + fputs($fp, '$dolibarr_main_db_pass=\''.str_replace("'","\'",($db_pass)).'\';'); fputs($fp,"\n"); - fputs($fp, '$dolibarr_main_db_type=\''.str_replace("'","\'",($_POST["db_type"])).'\';'); + fputs($fp, '$dolibarr_main_db_type=\''.str_replace("'","\'",($db_type)).'\';'); fputs($fp,"\n"); fputs($fp, '$dolibarr_main_db_character_set=\''.str_replace("'","\'",($_POST["dolibarr_main_db_character_set"])).'\';'); diff --git a/htdocs/user/clicktodial.php b/htdocs/user/clicktodial.php index 3b3a43729b2..476bdf1b470 100644 --- a/htdocs/user/clicktodial.php +++ b/htdocs/user/clicktodial.php @@ -69,7 +69,7 @@ $form = new Form($db); llxHeader("","ClickToDial"); -if ($id) +if ($id > 0) { $fuser = new User($db); $fuser->fetch($id); @@ -113,7 +113,7 @@ if ($id) if ($action == 'edit') { - print ''; + print ''; print ''; print ''; print '
'; @@ -192,7 +192,7 @@ if ($id) if (! empty($user->admin) && $action <> 'edit') { - print ''.$langs->trans("Modify").''; + print ''.$langs->trans("Modify").''; } print "\n"; diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php index 002e099c397..5d45e999149 100644 --- a/htdocs/user/group/index.php +++ b/htdocs/user/group/index.php @@ -28,17 +28,18 @@ require '../../main.inc.php'; if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { - if (! $user->rights->user->group_advance->read && ! $user->admin) accessforbidden(); + if (! $user->rights->user->group_advance->read && ! $user->admin) + accessforbidden(); } $langs->load("users"); -$sall=GETPOST("sall"); -$search_group=GETPOST('search_group'); +$sall=GETPOST('sall', 'alpha'); +$search_group=GETPOST('search_group','alpha'); -$sortfield = GETPOST("sortfield",'alpha'); -$sortorder = GETPOST("sortorder",'alpha'); -$page = GETPOST("page",'int'); +$sortfield = GETPOST('sortfield','alpha'); +$sortorder = GETPOST('sortorder','alpha'); +$page = GETPOST('page','int'); if ($page == -1) { $page = 0; } $offset = $conf->liste_limit * $page; $pageprev = $page - 1; @@ -67,9 +68,9 @@ else { $sql.= " WHERE g.entity IN (0,".$conf->entity.")"; } -if ($search_group) +if (! empty($search_group)) { - $sql .= " AND (g.nom LIKE '%".$db->escape($_POST["search_group"])."%' OR g.note LIKE '%".$db->escape($_POST["search_group"])."%')"; + $sql .= " AND (g.nom LIKE '%".$db->escape($search_group)."%' OR g.note LIKE '%".$db->escape($search_group)."%')"; } if ($sall) $sql.= " AND (g.nom LIKE '%".$db->escape($sall)."%' OR g.note LIKE '%".$db->escape($sall)."%')"; $sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec"; diff --git a/htdocs/user/index.php b/htdocs/user/index.php index 72a16a54d65..b91d5d2df10 100644 --- a/htdocs/user/index.php +++ b/htdocs/user/index.php 
@@ -24,24 +24,27 @@ */ require '../main.inc.php'; -if(! empty($conf->multicompany->enabled)) dol_include_once('/multicompany/class/actions_multicompany.class.php'); +if (! empty($conf->multicompany->enabled)) + dol_include_once('/multicompany/class/actions_multicompany.class.php', 'Multicompany'); -if (! $user->rights->user->user->lire && ! $user->admin) accessforbidden(); +if (! $user->rights->user->user->lire && ! $user->admin) + accessforbidden(); $langs->load("users"); $langs->load("companies"); // Security check (for external users) $socid=0; -if ($user->societe_id > 0) $socid = $user->societe_id; +if ($user->societe_id > 0) + $socid = $user->societe_id; $sall=GETPOST('sall','alpha'); $search_user=GETPOST('search_user','alpha'); -$sortfield = GETPOST("sortfield",'alpha'); -$sortorder = GETPOST("sortorder",'alpha'); -$page = GETPOST("page",'int'); +$sortfield = GETPOST('sortfield','alpha'); +$sortorder = GETPOST('sortorder','alpha'); +$page = GETPOST('page','int'); if ($page == -1) { $page = 0; } $offset = $conf->liste_limit * $page; $pageprev = $page - 1; @@ -78,10 +81,10 @@ else { $sql.= " WHERE u.entity IN (0,".$conf->entity.")"; } -if (!empty($socid)) $sql.= " AND u.fk_societe = ".$socid; -if ($search_user) +if (! empty($socid)) $sql.= " AND u.fk_societe = ".$socid; +if (! empty($search_user)) { - $sql.= " AND (u.login LIKE '%".$search_user."%' OR u.name LIKE '%".$search_user."%' OR u.firstname LIKE '%".$search_user."%')"; + $sql.= " AND (u.login LIKE '%".$db->escape($search_user)."%' OR u.name LIKE '%".$db->escape($search_user)."%' OR u.firstname LIKE '%".$db->escape($search_user)."%')"; } if ($sall) $sql.= " AND (u.login LIKE '%".$db->escape($sall)."%' OR u.name LIKE '%".$db->escape($sall)."%' OR u.firstname LIKE '%".$db->escape($sall)."%' OR u.email LIKE '%".$db->escape($sall)."%' OR u.note LIKE '%".$db->escape($sall)."%')"; $sql.=$db->order($sortfield,$sortorder);
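Review bot: `$socid` is concatenated into the query as `" AND u.fk_societe = ".$socid`; it comes from `$user->societe_id` rather than the request, so the risk is low, but `(int) $socid` would make the intent explicit and match the escaping now applied to `$search_user`. `$sortfield` and `$sortorder` reach `$db->order()` as `'alpha'`-filtered strings, which is only safe if `order()` quotes or whitelists column names (that code is outside the hunk); a short comment at the GETPOST lines stating that assumption would help the next reader.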