From 768cc19bbc10954eac1b8738324c778597d75f17 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 24 Dec 2017 15:07:06 +0100
Subject: [PATCH] Fix protection on tpl to avoid direct url call

---
 htdocs/core/tpl/bloc_comment.tpl.php                  | 8 ++++++++
 htdocs/core/tpl/card_presend.tpl.php                  | 9 ++++++++-
 htdocs/core/tpl/commonfields_add.tpl.php              | 8 ++++++++
 htdocs/core/tpl/commonfields_edit.tpl.php             | 8 ++++++++
 htdocs/core/tpl/commonfields_view.tpl.php             | 8 ++++++++
 htdocs/core/tpl/extrafields_add.tpl.php               | 8 ++++++++
 htdocs/core/tpl/extrafields_edit.tpl.php              | 8 ++++++++
 htdocs/core/tpl/extrafields_list_print_fields.tpl.php | 8 ++++++++
 htdocs/core/tpl/extrafields_list_search_input.tpl.php | 8 ++++++++
 htdocs/core/tpl/extrafields_list_search_param.tpl.php | 8 ++++++++
 htdocs/core/tpl/extrafields_list_search_sql.tpl.php   | 8 ++++++++
 htdocs/core/tpl/extrafields_list_search_title.tpl.php | 8 ++++++++
 htdocs/core/tpl/filemanager.tpl.php                   | 8 ++++++++
 htdocs/core/tpl/onlinepaymentlinks.tpl.php            | 7 +++++++
 14 files changed, 111 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/tpl/bloc_comment.tpl.php b/htdocs/core/tpl/bloc_comment.tpl.php
index 48b0e0c990f..473c42eb42f 100644
--- a/htdocs/core/tpl/bloc_comment.tpl.php
+++ b/htdocs/core/tpl/bloc_comment.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Require
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
diff --git a/htdocs/core/tpl/card_presend.tpl.php b/htdocs/core/tpl/card_presend.tpl.php
index 9fd8e6b5cfa..25c1c3d8c58 100644
--- a/htdocs/core/tpl/card_presend.tpl.php
+++ b/htdocs/core/tpl/card_presend.tpl.php
@@ -16,7 +16,6 @@
  * or see http://www.gnu.org/
  */
 
-
 /*
  * Code to ouput content when action is presend
  *
@@ -26,6 +25,14 @@
  * $diroutput
  */
 
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
+
 if ($action == 'presend')
 {
 	$langs->load("mails");
diff --git a/htdocs/core/tpl/commonfields_add.tpl.php b/htdocs/core/tpl/commonfields_add.tpl.php
index 7179719e7db..5e1f02489f9 100644
--- a/htdocs/core/tpl/commonfields_add.tpl.php
+++ b/htdocs/core/tpl/commonfields_add.tpl.php
@@ -20,6 +20,14 @@
  * $conf
  * $langs
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_add.tpl.php -->
 <?php
diff --git a/htdocs/core/tpl/commonfields_edit.tpl.php b/htdocs/core/tpl/commonfields_edit.tpl.php
index 9605a218544..fc51a8e1602 100644
--- a/htdocs/core/tpl/commonfields_edit.tpl.php
+++ b/htdocs/core/tpl/commonfields_edit.tpl.php
@@ -20,6 +20,14 @@
  * $conf
  * $langs
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_edit.tpl.php -->
 <?php
diff --git a/htdocs/core/tpl/commonfields_view.tpl.php b/htdocs/core/tpl/commonfields_view.tpl.php
index cd8c567c418..c297c00b0a8 100644
--- a/htdocs/core/tpl/commonfields_view.tpl.php
+++ b/htdocs/core/tpl/commonfields_view.tpl.php
@@ -22,6 +22,14 @@
  *
  * $keyforbreak may be defined to key to switch on second column
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE commonfields_view.tpl.php -->
 <?php
diff --git a/htdocs/core/tpl/extrafields_add.tpl.php b/htdocs/core/tpl/extrafields_add.tpl.php
index f8be788ae2f..0dc6e81321f 100644
--- a/htdocs/core/tpl/extrafields_add.tpl.php
+++ b/htdocs/core/tpl/extrafields_add.tpl.php
@@ -24,6 +24,14 @@
  * $parameters
  * $cols
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE extrafields_add.tpl.php -->
 <?php
diff --git a/htdocs/core/tpl/extrafields_edit.tpl.php b/htdocs/core/tpl/extrafields_edit.tpl.php
index a2c3bf5771f..5c63233d373 100644
--- a/htdocs/core/tpl/extrafields_edit.tpl.php
+++ b/htdocs/core/tpl/extrafields_edit.tpl.php
@@ -24,6 +24,14 @@
  * $parameters
  * $cols
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 <!-- BEGIN PHP TEMPLATE extrafields_edit.tpl.php -->
 <?php
diff --git a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
index 30318350bc3..7cd86d767ae 100644
--- a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields from $obj, $extrafields and $db
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
diff --git a/htdocs/core/tpl/extrafields_list_search_input.tpl.php b/htdocs/core/tpl/extrafields_list_search_input.tpl.php
index 8a65021b240..c3e3effc05d 100644
--- a/htdocs/core/tpl/extrafields_list_search_input.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_input.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields for the search title line
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
diff --git a/htdocs/core/tpl/extrafields_list_search_param.tpl.php b/htdocs/core/tpl/extrafields_list_search_param.tpl.php
index 9bb6fefe8b0..6cda8721dcd 100644
--- a/htdocs/core/tpl/extrafields_list_search_param.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_param.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to complete $param for extrafields
 foreach ($search_array_options as $key => $val)
 {
diff --git a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
index ed4fae40213..7006a54351b 100644
--- a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to complete the sql search criterias from extrafields
 foreach ($search_array_options as $key => $val)
 {
diff --git a/htdocs/core/tpl/extrafields_list_search_title.tpl.php b/htdocs/core/tpl/extrafields_list_search_title.tpl.php
index bfda64d8464..8b986b1e4e6 100644
--- a/htdocs/core/tpl/extrafields_list_search_title.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_title.tpl.php
@@ -1,4 +1,12 @@
 <?php
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 // Loop to show all columns of extrafields for the title line
 if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
 {
diff --git a/htdocs/core/tpl/filemanager.tpl.php b/htdocs/core/tpl/filemanager.tpl.php
index d47853cbe5a..4399b62851a 100644
--- a/htdocs/core/tpl/filemanager.tpl.php
+++ b/htdocs/core/tpl/filemanager.tpl.php
@@ -17,6 +17,14 @@
  * Output code for the filemanager
  * $module must be defined ('ecm', 'medias', ...)
  */
+
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 ?>
 
 <!-- BEGIN PHP TEMPLATE core/tpl/filemanager.tpl.php -->
diff --git a/htdocs/core/tpl/onlinepaymentlinks.tpl.php b/htdocs/core/tpl/onlinepaymentlinks.tpl.php
index 8650ab4110d..27ba8b994b4 100644
--- a/htdocs/core/tpl/onlinepaymentlinks.tpl.php
+++ b/htdocs/core/tpl/onlinepaymentlinks.tpl.php
@@ -15,6 +15,13 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
+// Protection to avoid direct call of template
+if (empty($conf) || ! is_object($conf))
+{
+	print "Error, template page can't be called as URL";
+	exit;
+}
+
 require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php';
 
 print '<!-- BEGIN PHP TEMPLATE ONLINEPAYMENTLINKS -->';