Fix Injection

This commit is contained in:
Laurent Destailleur 2019-05-21 14:33:28 +02:00
parent 479f8616e1
commit 61ead06950
2 changed files with 24 additions and 10 deletions


@ -36,7 +36,13 @@ $action=GETPOST('action','alpha');
if ($action == 'convert')
{
$db->query("alter table ".$_GET["table"]." ENGINE=INNODB");
$sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." ENGINE=INNODB";
$db->query($sql);
}
if ($action == 'convertutf8')
{
$sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." CHARACTER SET utf8 COLLATE utf8_unicode_ci";
$db->query($sql);
}
@ -111,9 +117,9 @@ else
print '<td><a href="dbtable.php?table='.$obj->Name.'">'.$obj->Name.'</a></td>';
print '<td>'.$obj->Engine.'</td>';
if (isset($row[1]) && $row[1] == "MyISAM")
if (isset($obj->Engine) && $obj->Engine == "MyISAM")
{
print '<td><a href="database-tables.php?action=convert&amp;table='.$row[0].'">'.$langs->trans("Convert").'</a></td>';
print '<td><a class="reposition" href="database-tables.php?action=convert&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' InnoDB</a></td>';
}
else
{
@ -127,7 +133,12 @@ else
print '<td align="right">'.$obj->Index_length.'</td>';
print '<td align="right">'.$obj->Auto_increment.'</td>';
print '<td align="right">'.$obj->Check_time.'</td>';
print '<td align="right">'.$obj->Collation.'</td>';
print '<td align="right">'.$obj->Collation;
if (isset($obj->Collation) && ($obj->Collation == "utf8mb4_general_ci" || $obj->Collation == "utf8mb4_unicode_ci"))
{
print '<br><a class="reposition" href="database-tables.php?action=convertutf8&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' UTF8</a>';
}
print '</td>';
print '</tr>';
$i++;
}
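Review bot: `$db->escape()` does not protect the identifier position on the new line `$sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." ENGINE=INNODB";` (same pattern in the convertutf8 branch just below it), because escape() is meant for a value inside a quoted string literal while the table name here is unquoted, so the only real protection is whatever the "aZ09" GETPOST filter rejects (presumably letters, digits and underscore; worth confirming). I would make that explicit: read the name once into `$tablename`, check it against the table list this page already retrieves (or at least `if (!preg_match('/^[a-z0-9_]+$/i', $tablename)) accessforbidden();`), and wrap it in backticks as an identifier in both ALTER TABLE statements. The "Convert" links added in the last hunk interpolate `$obj->Name` straight into an href; `urlencode($obj->Name)` would keep those URLs well-formed if a table name ever contains reserved characters. Those links also trigger a schema change from a plain GET with no token, so a follow-up should move the convert actions behind a token-checked POST.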


@ -36,6 +36,8 @@ $export_type=GETPOST('export_type','alpha');
$file=GETPOST('zipfilename_template','alpha');
$compression = GETPOST('compression');
$file = dol_sanitizeFileName($file);
$sortfield = GETPOST('sortfield','alpha');
$sortorder = GETPOST('sortorder','alpha');
$page = GETPOST("page",'int');
@ -57,10 +59,11 @@ $errormsg='';
if ($action == 'delete')
{
$file=$conf->admin->dir_output.'/'.GETPOST('urlfile');
$ret=dol_delete_file($file, 1);
if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs');
else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors');
$filerelative = dol_sanitizeFileName(GETPOST('urlfile', 'alpha'));
$filepath=$conf->admin->dir_output.'/'.$filerelative;
$ret=dol_delete_file($filepath, 1);
if ($ret) setEventMessages($langs->trans("FileWasRemoved", $filerelative), null, 'mesgs');
else setEventMessages($langs->trans("ErrorFailToDeleteFile", $filerelative), null, 'errors');
$action='';
}
@ -122,7 +125,7 @@ elseif (in_array($compression, array('gz', 'bz')))
$cmd = 'tar -cf '.$outputdir."/".$file." --exclude=documents/admin/documents -C ".DOL_DATA_ROOT." ".DOL_DATA_ROOT."/../documents/";
exec($cmd, $out, $retval);
//var_dump($cmd, DOL_DATA_ROOT);exit;
if ($retval != 0)
{
$langs->load("errors");
@ -139,7 +142,7 @@ elseif (in_array($compression, array('gz', 'bz')))
{
$cmd = "bzip2 " . $outputdir."/".$file;
}
exec($cmd, $out, $retval);
if ($retval != 0)
{