From 762f98ab4137749d0993612b4e3544a4207e78a1 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Tue, 8 Nov 2011 17:17:21 +0100
Subject: [PATCH] Fix: [Bug #232] Multiple Cross-Site-Scripting vulnerabilities

---
 htdocs/lib/security.lib.php |  2 +-
 htdocs/main.inc.php         | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index 4212cc12529..0a8ceafa2a1 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -181,7 +181,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	}
 
 	// Login
-	$login = (!empty($lastuser)?$lastuser:(GETPOST("username")?GETPOST("username"):$demologin));
+	$login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
 	$password = $demopassword;
 
 	// Show logo (search in order: small company logo, large company logo, theme logo, common logo)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index e6796b41870..c6ee7bd423e 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -76,6 +76,9 @@ function test_sql_and_script_inject($val,$get)
 	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	// For XSS Injection done by adding javascript with script
 	$sql_inj += preg_match('/<script/i', $val);
+	$sql_inj += preg_match('/img[\s]+src/i', $val);
+	$sql_inj += preg_match('/base[\s]+href/i', $val);
+	$sql_inj += preg_match('/style([\s]+)?=/i', $val);
 	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
@@ -324,7 +327,7 @@ if (! defined('NOLOGIN'))
         }
 
 		// Verification security graphic code
-		if (isset($_POST["username"]) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
+		if (GETPOST("username","alpha",2) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
 		{
 			require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 			require_once ARTICHOW."/AntiSpam.class.php";
@@ -339,7 +342,7 @@ if (! defined('NOLOGIN'))
 				$langs->load('main');
 				$langs->load('other');
 
-				$user->trigger_mesg='ErrorBadValueForCode - login='.$_POST["username"];
+				$user->trigger_mesg='ErrorBadValueForCode - login='.GETPOST("username","alpha",2);
 				$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode");
 				$test=false;
 
@@ -365,7 +368,7 @@ if (! defined('NOLOGIN'))
 		// If error, we will put error message in session under the name dol_loginmesg
 		$goontestloop=false;
 		if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
-		if (isset($_POST["username"]) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
+		if (GETPOST("username","alpha",2) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
 
 		if ($test && $goontestloop)
 		{
@@ -378,7 +381,7 @@ if (! defined('NOLOGIN'))
 					if ($result)
 					{
 						// Call function to check user/password
-						$usertotest=$_POST["username"];
+						$usertotest=GETPOST("username","alpha",2);
 						$passwordtotest=$_POST["password"];
 						$entitytotest=$_POST["entity"];
 						$function='check_user_password_'.$mode;
@@ -411,7 +414,7 @@ if (! defined('NOLOGIN'))
 				$langs->load('other');
 
 				// Bad password. No authmode has found a good password.
-				$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"];
+				$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
 				$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 
 				// Appel des triggers