From 715c88b52eb1ddd7cfd367c610dc430c5639f63d Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Tue, 26 Apr 2011 20:22:29 +0000
Subject: [PATCH] Fix: A local file inclusion vulnerability can be exploited to
 include arbitrary files.

---
 htdocs/main.inc.php               |  5 +++--
 htdocs/user/passwordforgotten.php | 27 ++++++++++++++-------------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 733de089a67..113c22b8b22 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -75,6 +75,7 @@ function test_sql_and_script_inject($val,$get)
 	$sql_inj += preg_match('/insert[\s]+into/i', $val);
 	$sql_inj += preg_match('/select.+from/i', $val);
 	$sql_inj += preg_match('/union.+select/i', $val);
+	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	// For XSS Injection done by adding javascript with script
 	$sql_inj += preg_match('/<script/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
@@ -664,9 +665,9 @@ if (! defined('NOREQUIRETRAN'))
 }
 
 // Case forcing style from url
-if (! empty($_GET["theme"]))
+if (GETPOST('theme'))
 {
-	$conf->theme=$_GET["theme"];
+	$conf->theme=GETPOST('theme');
 	$conf->css  = "/theme/".$conf->theme."/style.css.php";
 }
 
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index 6b65b1163cd..6d308014f38 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@@ -42,12 +42,13 @@ if ($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK)
 	exit;
 }
 
-$action=isset($_GET["action"])?$_GET["action"]:$_POST["action"];
+$action=GETPOST('action');
 $mode=$dolibarr_main_authentication;
 if (! $mode) $mode='http';
 
-$login = isset($_POST["username"])?$_POST["username"]:'';
-$conf->entity = isset($_POST["entity"])?$_POST["entity"]:1;
+$username 		= GETPOST('username');
+$passwordmd5	= GETPOST('passwordmd5');
+$conf->entity 	= ( GETPOST('entity') ? GETPOST('entity') : 1 );
 
 
 /**
@@ -55,17 +56,17 @@ $conf->entity = isset($_POST["entity"])?$_POST["entity"]:1;
  */
 
 // Action modif mot de passe
-if ($_GET["action"] == 'validatenewpassword' && $_GET["username"] && $_GET["passwordmd5"])
+if ($action == 'validatenewpassword' && $username && $passwordmd5)
 {
     $edituser = new User($db);
     $result=$edituser->fetch('',$_GET["username"]);
 	if ($result < 0)
 	{
-        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$_GET["username"]).'</div>';
+        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$username).'</div>';
 	}
 	else
 	{
-		if (md5($edituser->pass_temp) == $_GET["passwordmd5"])
+		if (md5($edituser->pass_temp) == $passwordmd5)
 		{
 			$newpassword=$edituser->setPassword($user,$edituser->pass_temp,0);
 			dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
@@ -81,7 +82,7 @@ if ($_GET["action"] == 'validatenewpassword' && $_GET["username"] && $_GET["pass
 	}
 }
 // Action modif mot de passe
-if ($_POST["action"] == 'buildnewpassword' && $_POST["username"])
+if ($action == 'buildnewpassword' && $username)
 {
 	require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 	require_once ARTICHOW."/AntiSpam.class.php";
@@ -97,11 +98,11 @@ if ($_POST["action"] == 'buildnewpassword' && $_POST["username"])
 	else
 	{
 	    $edituser = new User($db);
-	    $result=$edituser->fetch('',$_POST["username"],'',1);
+	    $result=$edituser->fetch('',$username,'',1);
 		if ($result <= 0 && $edituser->error == 'USERNOTFOUND')
 		{
-	        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$_POST["username"]).'</div>';
-			$_POST["username"]='';
+	        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$username).'</div>';
+			$username='';
 		}
 		else
 		{
@@ -124,7 +125,7 @@ if ($_POST["action"] == 'buildnewpassword' && $_POST["username"])
 			        {
 			        	$message = '<div class="ok">'.$langs->trans("PasswordChangeRequestSent",$edituser->login,$edituser->email).'</div>';
 						//$message.=$newpassword;
-						$_POST["username"]='';
+						$username='';
 					}
 					else
 					{
@@ -182,12 +183,12 @@ else
 	$login_background = DOL_URL_ROOT.'/theme/login_background.png';
 }
 
-if (! $_REQUEST["username"]) $focus_element = 'username';
+if (! $username) $focus_element = 'username';
 else $focus_element = 'password';
 
 // Send password button enabled ?
 $disabled='disabled';
-if ($mode == 'dolibarr') $disabled='';
+if (preg_match('/dolibarr/i',$mode)) $disabled='';
 if ($conf->global->MAIN_SECURITY_ENABLE_SENDPASSWORD) $disabled='';	 // To force button enabled
 
 // Show logo (search in order: small company logo, large company logo, theme logo, common logo)