lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security: A lot of security fixes

Browse Source
This commit is contained in:
Laurent Destailleur 2011-11-02 20:17:23 +01:00
parent 295745f62a
commit 63820ab375
10 changed files with 74 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/lib/databases/mssql.lib.php
View File

@ -518,8 +518,8 @@ class DoliDb
if (! $return) $return.=' ORDER BY ';
else $return.=',';
$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}

5
htdocs/lib/databases/mysql.lib.php
View File

@ -494,6 +494,7 @@ class DoliDb
/**
* Define sort criteria of request
*
* @param sortfield List of sort fields
* @param sortorder Sort order
* @return string String to provide syntax of a sort sql string
@ -510,8 +511,8 @@ class DoliDb
if (! $return) $return.=' ORDER BY ';
else $return.=',';
$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}

4
htdocs/lib/databases/mysqli.lib.php
View File

@ -524,8 +524,8 @@ class DoliDb
if (! $return) $return.=' ORDER BY ';
else $return.=',';
$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}

4
htdocs/lib/databases/pgsql.lib.php
View File

@ -666,8 +666,8 @@ class DoliDb
if (! $return) $return.=' ORDER BY ';
else $return.=',';
$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}

73
htdocs/user/fiche.php
View File

@ -35,6 +35,11 @@ require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");
if ($conf->ldap->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
if ($conf->adherent->enabled) require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");
$id=GETPOST('id','int');
$action=GETPOST("action");
$group=GETPOST("group","int",3);
$confirm=GETPOST("confirm");
// Define value to know what current user can do on users
$canadduser=($user->admin || $user->rights->user->user->creer);
$canreaduser=($user->admin || $user->rights->user->user->lire);
@ -48,26 +53,22 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
$caneditgroup=($user->admin || $user->rights->user->group_advance->write);
}
// Define value to know what current user can do on properties of edited user
if ($_GET["id"])
if ($id)
{
// $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $_GET["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_GET["id"]) && $user->rights->user->user->creer) );
$caneditpassword=( (($user->id == $_GET["id"]) && $user->rights->user->self->password)
|| (($user->id != $_GET["id"]) && $user->rights->user->user->password) );
// $user est le user qui edite, $id est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer) );
$caneditpassword=( (($user->id == $id) && $user->rights->user->self->password)
|| (($user->id != $id) && $user->rights->user->user->password) );
}
$action=GETPOST("action");
$group=GETPOST("group","int",3);
$confirm=GETPOST("confirm");
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2='user';
if ($user->id == $_GET["id"]) { $feature2=''; $canreaduser=1; } // A user can always read its own card
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
if ($user->id <> $_GET["id"] && ! $canreaduser) accessforbidden();
if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $id && ! $canreaduser) accessforbidden();
$langs->load("users");
$langs->load("companies");
@ -82,36 +83,36 @@ $form = new Form($db);
if ($_GET["subaction"] == 'addrights' && $canedituser)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->addrights($_GET["rights"]);
}
if ($_GET["subaction"] == 'delrights' && $canedituser)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->delrights($_GET["rights"]);
}
if ($action == 'confirm_disable' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->setstatus(0);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$message='';
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
if (!empty($conf->file->main_limit_users))
{
@ -125,7 +126,7 @@ if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser)
if (! $message)
{
$edituser->setstatus(1);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
@ -133,10 +134,10 @@ if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser)
if ($action == 'confirm_delete' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$edituser = new User($db);
$edituser->id=$_GET["id"];
$edituser->id=$id;
$result = $edituser->delete();
if ($result < 0)
{
@ -232,13 +233,13 @@ if (($action == 'addgroup' || $action == 'removegroup') && $caneditfield)
$editgroup->oldcopy=dol_clone($editgroup);
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
if ($action == 'addgroup') $edituser->SetInGroup($group,GETPOST('entity'));
if ($action == 'removegroup') $edituser->RemoveFromGroup($group,GETPOST('entity'));
if ($result > 0)
{
header("Location: fiche.php?id=".$_GET["id"]);
header("Location: fiche.php?id=".$id);
exit;
}
else
@ -271,7 +272,7 @@ if ($action == 'update' && ! $_POST["cancel"])
{
$db->begin();
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->oldcopy=dol_clone($edituser);
@ -360,7 +361,7 @@ if ($action == 'update' && ! $_POST["cancel"])
else if ($caneditpassword) // Case we can edit only password
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->oldcopy=dol_clone($edituser);
@ -377,7 +378,7 @@ if ((($action == 'confirm_password' && $confirm == 'yes')
|| ($action == 'confirm_passwordsend' && $confirm == 'yes')) && $caneditpassword)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$newpassword=$edituser->setPassword($user,'');
if ($newpassword < 0)
@ -800,10 +801,10 @@ else
/* */
/* ************************************************************************** */
if ($_GET["id"])
if ($id)
{
$fuser = new User($db);
$fuser->fetch($_GET["id"]);
$fuser->fetch($id);
// Connexion ldap
// pour recuperer passDoNotExpire et userChangePassNextLogon
@ -1169,13 +1170,13 @@ else
// Si on a un gestionnaire de generation de mot de passe actif
if ($conf->global->USER_PASSWORD_GENERATED != 'none')
{
if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)))
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=password">'.$langs->trans("ReinitPassword").'</a>';
}
if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
if ($fuser->email) print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=passwordsend">'.$langs->trans("SendNewPassword").'</a>';
@ -1184,19 +1185,19 @@ else
}
// Activer
if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 0 &&
if ($user->id <> $id && $candisableuser && $fuser->statut == 0 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=enable">'.$langs->trans("Reactivate").'</a>';
}
// Desactiver
if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 1 &&
if ($user->id <> $id && $candisableuser && $fuser->statut == 1 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=disable&amp;id='.$fuser->id.'">'.$langs->trans("DisableUser").'</a>';
}
// Delete
if ($user->id <> $_GET["id"] && $candisableuser &&
if ($user->id <> $id && $candisableuser &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=delete&amp;id='.$fuser->id.'">'.$langs->trans("DeleteUser").'</a>';
@ -1232,7 +1233,7 @@ else
if ($caneditgroup)
{
$form = new Form($db);
print '<form action="fiche.php?id='.$_GET["id"].'" method="post">'."\n";
print '<form action="fiche.php?id='.$id.'" method="post">'."\n";
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addgroup">';
print '<input type="hidden" name="entity" value="'.$conf->entity.'">';

8
htdocs/user/index.php
View File

@ -35,7 +35,7 @@ $langs->load("companies");
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
$sall=GETPOST("sall");
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
@ -51,6 +51,7 @@ if (! $sortorder) $sortorder="ASC";
$userstatic=new User($db);
$companystatic = new Societe($db);
/*
* View
*/
@ -73,9 +74,8 @@ if ($_POST["search_user"])
{
$sql.= " AND (u.login like '%".$_POST["search_user"]."%' OR u.name like '%".$_POST["search_user"]."%' OR u.firstname like '%".$_POST["search_user"]."%')";
}
if ($sall) $sql.= " AND (u.login like '%".$sall."%' OR u.name like '%".$sall."%' OR u.firstname like '%".$sall."%' OR u.email like '%".$sall."%' OR u.note like '%".$sall."%')";
if ($sortfield) $sql.=" ORDER BY $sortfield $sortorder";
if ($sall) $sql.= " AND (u.login like '%".$db->escape($sall)."%' OR u.name like '%".$db->escape($sall)."%' OR u.firstname like '%".$db->escape($sall)."%' OR u.email like '%".$db->escape($sall)."%' OR u.note like '%".$db->escape($sall)."%')";
$sql.=$db->order($sortfield,$sortorder);
$result = $db->query($sql);
if ($result)
{

2
htdocs/user/info.php
View File

@ -30,7 +30,7 @@ require_once(DOL_DOCUMENT_ROOT."/user/class/user.class.php");
$langs->load("users");
// Security check
$id = isset($_GET["id"])?$_GET["id"]:'';
$id = GETPOST('id','int');
$fuser = new User($db);
$fuser->fetch($id);

4
htdocs/user/note.php
View File

@ -27,8 +27,8 @@ require("../main.inc.php");
require_once(DOL_DOCUMENT_ROOT.'/lib/usergroups.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/user/class/user.class.php');
$action=isset($_GET["action"])?$_GET["action"]:(isset($_POST["action"])?$_POST["action"]:"");
$id=isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:"");
$action=GETPOST('action');
$id=GETPOST('id','int');
$langs->load("companies");
$langs->load("members");

17
htdocs/user/param_ihm.php
View File

@ -33,30 +33,31 @@ $langs->load("admin");
$langs->load("users");
$langs->load("languages");
$id=GETPOST('id','int');
// Defini si peux lire/modifier permisssions
$canreaduser=($user->admin || $user->rights->user->user->lire);
if ($_REQUEST["id"])
if ($id)
{
// $user est le user qui edite, $_REQUEST["id"] est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
// $user est le user qui edite, $id est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer));
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
if ($user->id == $_REQUEST["id"]) // A user can always read its own card
if ($user->id == $id) // A user can always read its own card
{
$feature2='';
$canreaduser=1;
}
$result = restrictedArea($user, 'user', $_REQUEST["id"], '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $id && ! $canreaduser) accessforbidden();
$id=! empty($_GET["id"])?$_GET["id"]:$_POST["id"];
$dirtop = "../includes/menus/standard";
$dirleft = "../includes/menus/standard";

23
htdocs/user/perms.php
View File

@ -32,8 +32,9 @@ $langs->load("users");
$langs->load("admin");
$module=isset($_GET["module"])?$_GET["module"]:$_POST["module"];
$id = GETPOST('id','int');
if (! isset($_GET["id"]) || empty($_GET["id"])) accessforbidden();
if (! $id) accessforbidden();
// Defini si peux lire les permissions
$canreaduser=($user->admin || $user->rights->user->user->lire);
@ -43,7 +44,7 @@ $caneditperms=($user->admin || $user->rights->user->user->creer);
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
{
$canreaduser=($user->admin || ($user->rights->user->user->lire && $user->rights->user->user_advance->readperms));
$caneditselfperms=($user->id == $_GET["id"] && $user->rights->user->self_advance->writeperms);
$caneditselfperms=($user->id == $id && $user->rights->user->self_advance->writeperms);
$caneditperms = '('.$caneditperms.' || '.$caneditselfperms.')';
}
@ -51,12 +52,12 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
if ($user->id == $_GET["id"]) // A user can always read its own card
if ($user->id == $id) // A user can always read its own card
{
$feature2='';
$canreaduser=1;
}
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
@ -66,11 +67,11 @@ if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
if ($_GET["action"] == 'addrights' && $caneditperms)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->addrights($_GET["rights"],$module);
// Si on a touche a ses propres droits, on recharge
if ($_GET["id"] == $user->id)
if ($id == $user->id)
{
$user->clearrights();
$user->getrights();
@ -80,11 +81,11 @@ if ($_GET["action"] == 'addrights' && $caneditperms)
if ($_GET["action"] == 'delrights' && $caneditperms)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->delrights($_GET["rights"],$module);
// Si on a touche a ses propres droits, on recharge
if ($_GET["id"] == $user->id)
if ($id == $user->id)
{
$user->clearrights();
$user->getrights();
@ -104,7 +105,7 @@ llxHeader('',$langs->trans("Permissions"));
$form=new Form($db);
$fuser = new User($db);
$fuser->fetch($_GET["id"]);
$fuser->fetch($id);
$fuser->getrights();
/*
@ -125,9 +126,9 @@ $modulesdir = array();
foreach ($conf->file->dol_document_root as $type => $dirroot)
{
$modulesdir[] = $dirroot . "/includes/modules/";
if ($type == 'alt')
{
{
$handle=@opendir($dirroot);
if (is_resource($handle))
{