From 66381a4f4d035786dfdd0b92a8fdff09adb3653c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 29 Nov 2020 19:41:11 +0100
Subject: [PATCH] FIX #15558

---
 htdocs/core/actions_extrafields.inc.php | 67 ++++++++++++++++++-------
 htdocs/langs/en_US/errors.lang | 2 +
 2 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/htdocs/core/actions_extrafields.inc.php b/htdocs/core/actions_extrafields.inc.php
index 9ad3ce1e92e..1557d156f03 100644
--- a/htdocs/core/actions_extrafields.inc.php
+++ b/htdocs/core/actions_extrafields.inc.php
@@ -40,7 +40,7 @@ if ($type == 'select') $extrasize = '';
 // Add attribute
 if ($action == 'add')
 {
- if ($_POST["button"] != $langs->trans("Cancel"))
+ if (GETPOST("button") != $langs->trans("Cancel"))
 {
 // Check values
 if (!$type)
@@ -132,10 +132,28 @@ if ($action == 'add')
 }
 }
 
- if (!$error)
- {
+ if (!$error) {
+ if (strlen(GETPOST('attrname', 'aZ09')) < 3) {
+ $error++;
+ $langs->load("errors");
+ $mesg[] = $langs->trans("ErrorValueLength", $langs->transnoentitiesnoconv("AttributeCode"), 3);
+ $action = 'create';
+ }
+ }
+
+ // Check reserved keyword with more than 3 characters
+ if (!$error) {
+ if (in_array(GETPOST('attrname', 'aZ09'), array('and', 'keyword', 'table', 'index', 'integer', 'float', 'double', 'position'))) {
+ $error++;
+ $langs->load("errors");
+ $mesg[] = $langs->trans("ErrorReservedKeyword", GETPOST('attrname', 'aZ09'));
+ $action = 'create';
+ }
+ }
+
+ if (!$error) {
 // attrname must be alphabetical and lower case only
- if (isset($_POST["attrname"]) && preg_match("/^[a-z0-9-_]+$/", $_POST['attrname']) && !is_numeric($_POST["attrname"]))
+ if (GETPOSISSET("attrname") && preg_match("/^[a-z0-9-_]+$/", GETPOST('attrname', 'aZ09')) && !is_numeric(GETPOST('attrname', 'aZ09')))
 {
 // Construct array for parameter (value of select list)
 $default_value = GETPOST('default_value', 'alpha');
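Review bot: `GETPOSISSET("attrname")` in the rewritten regex condition of the last `if (!$error)` block is misspelled — the update and delete hunks below call `GETPOSTISSET`, so this line will stop with an undefined-function error the first time an attribute is created; it should read `if (GETPOSTISSET("attrname") && preg_match("/^[a-z0-9-_]+$/", GETPOST('attrname', 'aZ09')) && !is_numeric(GETPOST('attrname', 'aZ09')))`. The length check passes `3` as the limit while the new `ErrorValueLength` string says "must be higher than", which is off by one for a `< 3` test; pass `2` or reword the string to "at least". The reserved-word array is a literal repeated verbatim in the update hunk — hoisting it into one variable defined above both branches keeps the two paths in sync, and the comment `// Check reserved keyword with more than 3 characters` should say what the list protects (presumably names that would clash with SQL keywords or existing columns; confirm) rather than describe its length. The enclosing `if ($action == 'add')` block starts and ends outside the hunk.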
@@ -161,7 +179,7 @@ if ($action == 'add')
 if ($type == 'separate') $visibility = 3;
 
 $result = $extrafields->addExtraField(
- GETPOST('attrname', 'alpha'),
+ GETPOST('attrname', 'aZ09'),
 GETPOST('label', 'alpha'),
 $type,
 GETPOST('pos', 'int'),
@@ -208,7 +226,7 @@ if ($action == 'add')
 // Rename field
 if ($action == 'update')
 {
- if ($_POST["button"] != $langs->trans("Cancel"))
+ if (GETPOST("button") != $langs->trans("Cancel"))
 {
 // Check values
 if (!$type)
@@ -293,9 +311,28 @@ if ($action == 'update')
 }
 }
 
+ if (!$error) {
+ if (strlen(GETPOST('attrname', 'aZ09')) < 3 && empty($conf->global->MAIN_DISABLE_EXTRAFIELDS_CHECK_FOR_UPDATE)) {
+ $error++;
+ $langs->load("errors");
+ $mesg[] = $langs->trans("ErrorValueLength", $langs->transnoentitiesnoconv("AttributeCode"), 3);
+ $action = 'edit';
+ }
+ }
+
+ // Check reserved keyword with more than 3 characters
+ if (!$error) {
+ if (in_array(GETPOST('attrname', 'aZ09'), array('and', 'keyword', 'table', 'index', 'integer', 'float', 'double', 'position')) && empty($conf->global->MAIN_DISABLE_EXTRAFIELDS_CHECK_FOR_UPDATE)) {
+ $error++;
+ $langs->load("errors");
+ $mesg[] = $langs->trans("ErrorReservedKeyword", GETPOST('attrname', 'aZ09'));
+ $action = 'edit';
+ }
+ }
+
 if (!$error)
 {
- if (isset($_POST["attrname"]) && preg_match("/^\w[a-zA-Z0-9-_]*$/", $_POST['attrname']))
+ if (GETPOSTISSET("attrname") && preg_match("/^\w[a-zA-Z0-9-_]*$/", GETPOST('attrname', 'aZ09')) && !is_numeric(GETPOST('attrname', 'aZ09')))
 {
 $pos = GETPOST('pos', 'int');
 // Construct array for parameter (value of select list)
@@ -321,7 +358,7 @@ if ($action == 'update')
 if ($type == 'separate') $visibility = 3;
 
 $result = $extrafields->update(
- GETPOST('attrname', 'alpha'),
+ GETPOST('attrname', 'aZ09'),
 GETPOST('label', 'alpha'),
 $type,
 $extrasize,
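Review bot: The reserved-word check added in the `if ($action == 'update')` branch is case-sensitive, but the pattern accepted a few lines later (`/^\w[a-zA-Z0-9-_]*$/`) admits uppercase, so `Table` or `INDEX` passes where `table` is rejected; if the list guards SQL identifiers, which are matched case-insensitively, compare `strtolower(GETPOST('attrname', 'aZ09'))` against it and pass `true` as the third `in_array` argument. `MAIN_DISABLE_EXTRAFIELDS_CHECK_FOR_UPDATE` switches off both the length and the reserved-word guard at once with no comment saying why an update may legitimately skip them; a line such as `// Allow renaming attributes that predate these checks (MAIN_DISABLE_EXTRAFIELDS_CHECK_FOR_UPDATE)` would record the intent, assuming that is the reason. The enclosing update block starts and ends outside the hunk.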
@@ -342,8 +379,7 @@ if ($action == 'update')
 (GETPOST('totalizable', 'alpha') ? 1 : 0),
 GETPOST('printable', 'alpha')
 );
- if ($result > 0)
- {
+ if ($result > 0) {
 setEventMessages($langs->trans('SetupSaved'), null, 'mesgs');
 header("Location: ".$_SERVER["PHP_SELF"]);
 exit;
@@ -365,13 +401,10 @@ if ($action == 'update')
 }
 // Delete attribute
-if ($action == 'delete')
-{
- if (isset($_GET["attrname"]) && preg_match("/^\w[a-zA-Z0-9-_]*$/", $_GET["attrname"]))
- {
- $result = $extrafields->delete($_GET["attrname"], $elementtype);
- if ($result >= 0)
- {
+if ($action == 'delete') {
+ if (GETPOSTISSET("attrname") && preg_match("/^\w[a-zA-Z0-9-_]*$/", GETPOST("attrname", 'aZ09'))) {
+ $result = $extrafields->delete(GETPOST("attrname", 'aZ09'), $elementtype);
+ if ($result >= 0) {
 header("Location: ".$_SERVER["PHP_SELF"]);
 exit;
 }
 else $mesg = $extrafields->error;
diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang
index 700a76e32a5..b13a229f10d 100644
--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
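Review bot: The delete branch now takes the attribute name from `GETPOST`, so `$extrafields->delete(...)` remains reachable from a plain GET link, and nothing in the hunk checks an anti-CSRF token before acting on `$action == 'delete'`; unless that check happens earlier in the file (outside this hunk), the destructive action should require a POST carrying a valid token. The pattern used here (`/^\w[a-zA-Z0-9-_]*$/`) is wider than the lowercase-only one the add path enforces — reasonable if attributes created earlier may carry uppercase names, but a comment such as `// Wider than the add-time pattern: attributes created before the lowercase rule may still exist` would make that deliberate. The unchanged `else $mesg = $extrafields->error;` assigns a string where the new checks in the add and update hunks push into `$mesg[]`; that is harmless only if the code that displays `$mesg` accepts both shapes, which is not visible here.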
@@ -246,6 +246,8 @@ ErrorProductDoesNotNeedBatchNumber=Error, product '%s' does not accept a
 ErrorFailedToReadObject=Error, failed to read object of type %s
 ErrorParameterMustBeEnabledToAllwoThisFeature=Error, parameter %s must be enabled into conf/conf.php to allow use of Command Line Interface by the internal job scheduler
 ErrorLoginDateValidity=Error, this login is outside the validity date range
+ErrorValueLength=Length of field '%s' must be higher than '%s'
+ErrorReservedKeyword=The word '%s' is a reserved keyword
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
 WarningPasswordSetWithNoAccount=A password was set for this member. However, no user account was created. So this password is stored but can't be used to login to Dolibarr. It may be used by an external module/interface but if you don't need to define any login nor password for a member, you can disable option "Manage a login for each member" from Member module setup. If you need to manage a login but don't need any password, you can keep this field empty to avoid this warning. Note: Email can also be used as a login if the member is linked to a user.