From 914096bd0a4692a3b519a0bafee2044fc1696a56 Mon Sep 17 00:00:00 2001
From: Guenter Lukas
Date: Mon, 13 Mar 2023 08:45:29 +0100
Subject: [PATCH 1/2] update

---
 htdocs/comm/action/card.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index 545088e47e9..806011b2575 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -90,8 +90,8 @@ if ($fulldayevent) {
 // Security check
 $socid = GETPOST('socid', 'int');
 $id = GETPOST('id', 'int');
-if ($user->socid) {
- $socid = $user->socid;
+if ($user->socid && ($socid != $user->socid)) {
+ accessforbidden();
 }
 
 $error = GETPOST("error");
@@ -142,9 +142,6 @@ if (!empty($conf->global->AGENDA_REMINDER_EMAIL)) {
 $TDurationTypes = array('y'=>$langs->trans('Years'), 'm'=>$langs->trans('Month'), 'w'=>$langs->trans('Weeks'), 'd'=>$langs->trans('Days'), 'h'=>$langs->trans('Hours'), 'i'=>$langs->trans('Minutes'));
 
 $result = restrictedArea($user, 'agenda', $object->id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
-if ($user->socid && $socid) {
- $result = restrictedArea($user, 'societe', $socid);
-}
 
 
 /*

From e0cd351b3eeb38909f5bffcfe7fcf3c00c93f06a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 27 Mar 2023 17:37:09 +0200
Subject: [PATCH 2/2] Fix sanitize website module

---
 htdocs/core/lib/website.lib.php | 12 ++++++++----
 test/phpunit/AllTests.php | 5 +++++
 ...Website.class.php => WebsiteTest.class.php} | 18 ++++++++++++++++++
 3 files changed, 31 insertions(+), 4 deletions(-)
 rename test/phpunit/{Website.class.php => WebsiteTest.class.php} (91%)

diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php
index af48ec64885..8012d6cce4c 100644
--- a/htdocs/core/lib/website.lib.php
+++ b/htdocs/core/lib/website.lib.php
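Review bot: The new guard `if ($user->socid && ($socid != $user->socid))` denies every request from an external user that carries no `socid` parameter, because `GETPOST('socid', 'int')` then yields 0 and `0 != $user->socid` is true, whereas the removed code silently defaulted `$socid` to the user's own company. If external users reach this card by `id` alone (the surrounding code is outside this hunk, so this is inferred), that is a functional regression rather than a hardening; rejecting only an explicit mismatch while keeping the default preserves both: `if ($user->socid) { if ($socid && (int) $socid !== (int) $user->socid) { accessforbidden(); } $socid = $user->socid; }`. The loose `!=` on request input should in any case become an int-cast strict comparison. Since the second hunk drops the `restrictedArea($user, 'societe', $socid)` call, this comparison is now the only check tying a request-supplied socid to the external user, so it is worth getting exactly right.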
@@ -35,8 +35,10 @@ function dolStripPhpCode($str, $replacewith = '')
 $newstr = '';
- //split on each opening tag
- $parts = explode('addTestSuite('AccountingAccountTest');
+ // Rest
 require_once dirname(__FILE__).'/RestAPIUserTest.php';
 $suite->addTestSuite('RestAPIUserTest');
 require_once dirname(__FILE__).'/RestAPIDocumentTest.php';
@@ -270,6 +271,10 @@ class AllTests
 require_once dirname(__FILE__).'/EmailCollectorTest.php';
 $suite->addTestSuite('EmailCollectorTest');
 
+ // Website
+ require_once dirname(__FILE__).'/WebsiteTest.php';
+ $suite->addTestSuite('Website');
+
 return $suite;
 }
 }
diff --git a/test/phpunit/Website.class.php b/test/phpunit/WebsiteTest.class.php
similarity index 91%
rename from test/phpunit/Website.class.php
rename to test/phpunit/WebsiteTest.class.php
index 50d0c16453d..2f0afbbed96 100644
--- a/test/phpunit/Website.class.php
+++ b/test/phpunit/WebsiteTest.class.php
@@ -175,4 +175,22 @@ class WebsiteTest extends PHPUnit\Framework\TestCase
 // We must found no line (so code should be KO). If we found somethiing, it means there is a SQL injection of the 1=1
 $this->assertEquals($res['code'], 'KO');
 }
+
+ /**
+ * testDolStripPhpCode
+ *
+ * @return void
+ */
+ public function testDolStripPhpCode()
+ {
+ global $db;
+
+ $s = "abc\nghi";
+ $result = dolStripPhpCode($s);
+ $this->assertEquals("abc\nghi", $result);
+
+ $s = "abc\nghi";
+ $result = dolStripPhpCode($s);
+ $this->assertEquals("abc\nghi", $result);
+ }
 }
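Review bot: The added `require_once dirname(__FILE__).'/WebsiteTest.php';` does not match the file this same patch renames to `test/phpunit/WebsiteTest.class.php`, so the suite will fail at include time unless a `WebsiteTest.php` exists outside this diff; either rename the file to `WebsiteTest.php`, consistent with the neighbouring `EmailCollectorTest.php`, or require the `.class.php` path. Likewise `$suite->addTestSuite('Website');` names a class the renamed file does not declare (its hunk header shows `class WebsiteTest extends PHPUnit\Framework\TestCase`), so it should read `$suite->addTestSuite('WebsiteTest');` unless a test class called Website exists elsewhere. The earlier AllTests hunk and the website.lib.php hunk are garbled in this rendering and are not reviewed here.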
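Review bot: `global $db;` in the new testDolStripPhpCode() is never used in the method body and should be dropped; as far as this diff shows, `dolStripPhpCode()` is a pure string helper. The two fixture strings appear identical here (`"abc\nghi"`) because the page extraction stripped the PHP tags inside them, so the expected values cannot be verified from this rendering and should be checked against the real file. Since the signature shown in the first hunk is `dolStripPhpCode($str, $replacewith = '')`, a case passing a non-empty `$replacewith` would be worth adding, and, if the function is meant to handle the short open-tag forms as well, a fixture using them would pin the sanitizer behaviour this patch is titled for.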