Start fix [ bug #1437 ] Securitu Issue
Some of them can be fix, because GETPOST even with 'alpha' test do not warn if input is "2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e" for exemple I don't have magical solution for this kind of security issue
This commit is contained in:
Florian HENRY
parent
ebe49b0525
commit
77a9d4eb71
@ -292,11 +292,11 @@ function dol_loginfunction($langs,$conf,$mysoc)
|
||||
if (! empty($conf->global->MAIN_USE_JQUERY_THEME)) $jquerytheme = $conf->global->MAIN_USE_JQUERY_THEME;
|
||||
|
||||
// Set dol_hide_topmenu, dol_hide_leftmenu, dol_optimize_smallscreen, dol_nomousehover
|
||||
$dol_hide_topmenu=GETPOST('dol_hide_topmenu');
|
||||
$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
|
||||
$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
|
||||
$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
|
||||
$dol_use_jmobile=GETPOST('dol_use_jmobile');
|
||||
$dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
|
||||
$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
|
||||
$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
|
||||
$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
|
||||
$dol_use_jmobile=GETPOST('dol_use_jmobile','int');
|
||||
|
||||
// Include login page template
|
||||
include $template_dir.'login.tpl.php';
|
||||
|
||||
@ -360,16 +360,16 @@ if (! defined('NOLOGIN'))
|
||||
// It is not already authenticated and it requests the login / password
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
|
||||
|
||||
$dol_dst_observed=GETPOST("dst_observed",3);
|
||||
$dol_dst_first=GETPOST("dst_first",3);
|
||||
$dol_dst_second=GETPOST("dst_second",3);
|
||||
$dol_screenwidth=GETPOST("screenwidth",3);
|
||||
$dol_screenheight=GETPOST("screenheight",3);
|
||||
$dol_hide_topmenu=GETPOST('dol_hide_topmenu',3);
|
||||
$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu',3);
|
||||
$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen',3);
|
||||
$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover',3);
|
||||
$dol_use_jmobile=GETPOST('dol_use_jmobile',3);
|
||||
$dol_dst_observed=GETPOST("dst_observed",'int',3);
|
||||
$dol_dst_first=GETPOST("dst_first",'int',3);
|
||||
$dol_dst_second=GETPOST("dst_second",'int',3);
|
||||
$dol_screenwidth=GETPOST("screenwidth",'int',3);
|
||||
$dol_screenheight=GETPOST("screenheight",'int',3);
|
||||
$dol_hide_topmenu=GETPOST('dol_hide_topmenu','int',3);
|
||||
$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int',3);
|
||||
$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int',3);
|
||||
$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int',3);
|
||||
$dol_use_jmobile=GETPOST('dol_use_jmobile','int',3);
|
||||
//dol_syslog("POST key=".join(array_keys($_POST),',').' value='.join($_POST,','));
|
||||
|
||||
// If in demo mode, we check we go to home page through the public/demo/index.php page
|
||||
@ -1035,11 +1035,11 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
|
||||
$themeparam='?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'&userid='.$user->id.'&entity='.$conf->entity;
|
||||
$themeparam.=($ext?'&'.$ext:'');
|
||||
if (! empty($_SESSION['dol_resetcache'])) $themeparam.='&dol_resetcache='.$_SESSION['dol_resetcache'];
|
||||
if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu'); }
|
||||
if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu'); }
|
||||
if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen'); }
|
||||
if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover'); }
|
||||
if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile'); }
|
||||
if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu','int'); }
|
||||
if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu','int'); }
|
||||
if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen','int'); }
|
||||
if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover','int'); }
|
||||
if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile','int'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int'); }
|
||||
//print 'themepath='.$themepath.' themeparam='.$themeparam;exit;
|
||||
print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.$themeparam.'">'."\n";
|
||||
|
||||
|
||||
@ -33,11 +33,11 @@ $langs->load("main");
|
||||
$langs->load("install");
|
||||
$langs->load("other");
|
||||
|
||||
$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu');
|
||||
$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
|
||||
$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
|
||||
$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
|
||||
$conf->dol_use_jmobile=GETPOST('dol_use_jmobile');
|
||||
$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
|
||||
$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
|
||||
$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
|
||||
$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
|
||||
$conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int');
|
||||
|
||||
// Security check
|
||||
global $dolibarr_main_demo;
|
||||
|
||||
@ -806,7 +806,7 @@ class User extends CommonObject
|
||||
|
||||
$sql = "SELECT login FROM ".MAIN_DB_PREFIX."user";
|
||||
$sql.= " WHERE login ='".$this->db->escape($this->login)."'";
|
||||
$sql.= " AND entity IN (0,".$conf->entity.")";
|
||||
$sql.= " AND entity IN (0,".$this->db->escape($conf->entity).")";
|
||||
|
||||
dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
|
||||
$resql=$this->db->query($sql);
|
||||
@ -825,7 +825,7 @@ class User extends CommonObject
|
||||
else
|
||||
{
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)";
|
||||
$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->entity.")";
|
||||
$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")";
|
||||
$result=$this->db->query($sql);
|
||||
|
||||
dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
|
||||
@ -922,7 +922,7 @@ class User extends CommonObject
|
||||
$this->lastname = $contact->lastname;
|
||||
$this->firstname = $contact->firstname;
|
||||
$this->email = $contact->email;
|
||||
$this->skype = $contact->skype;
|
||||
$this->skype = $contact->skype;
|
||||
$this->office_phone = $contact->phone_pro;
|
||||
$this->office_fax = $contact->fax;
|
||||
$this->user_mobile = $contact->phone_mobile;
|
||||
|
||||
@ -589,7 +589,7 @@ class UserGroup extends CommonObject
|
||||
$sql.= ") VALUES (";
|
||||
$sql.= "'".$this->db->idate($now)."'";
|
||||
$sql.= ",'".$this->db->escape($this->nom)."'";
|
||||
$sql.= ",".$entity;
|
||||
$sql.= ",".$this->db->escape($entity);
|
||||
$sql.= ")";
|
||||
|
||||
dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
|
||||
@ -640,7 +640,7 @@ class UserGroup extends CommonObject
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."usergroup SET ";
|
||||
$sql.= " nom = '" . $this->db->escape($this->nom) . "'";
|
||||
$sql.= ", entity = " . $entity;
|
||||
$sql.= ", entity = " . $this->db->escape($entity);
|
||||
$sql.= ", note = '" . $this->db->escape($this->note) . "'";
|
||||
$sql.= " WHERE rowid = " . $this->id;
|
||||
|
||||
|
||||
@ -178,16 +178,16 @@ if ($action == 'add' && $canadduser)
|
||||
|
||||
if (! $message)
|
||||
{
|
||||
$object->lastname = GETPOST("lastname");
|
||||
$object->firstname = GETPOST("firstname");
|
||||
$object->login = GETPOST("login");
|
||||
$object->admin = GETPOST("admin");
|
||||
$object->office_phone = GETPOST("office_phone");
|
||||
$object->office_fax = GETPOST("office_fax");
|
||||
$object->lastname = GETPOST("lastname",'alpha');
|
||||
$object->firstname = GETPOST("firstname",'alpha');
|
||||
$object->login = GETPOST("login",'alpha');
|
||||
$object->admin = GETPOST("admin",'alpha');
|
||||
$object->office_phone = GETPOST("office_phone",'alpha');
|
||||
$object->office_fax = GETPOST("office_fax",'alpha');
|
||||
$object->user_mobile = GETPOST("user_mobile");
|
||||
$object->skype = GETPOST("skype");
|
||||
$object->email = GETPOST("email");
|
||||
$object->job = GETPOST("job");
|
||||
$object->email = GETPOST("email",'alpha');
|
||||
$object->job = GETPOST("job",'alpha');
|
||||
$object->signature = GETPOST("signature");
|
||||
$object->accountancy_code = GETPOST("accountancy_code");
|
||||
$object->note = GETPOST("note");
|
||||
@ -200,6 +200,7 @@ if ($action == 'add' && $canadduser)
|
||||
// If multicompany is off, admin users must all be on entity 0.
|
||||
if (! empty($conf->multicompany->enabled))
|
||||
{
|
||||
$entity=GETPOST('entity','int');
|
||||
if (! empty($_POST["superadmin"]))
|
||||
{
|
||||
$object->entity = 0;
|
||||
@ -210,12 +211,12 @@ if ($action == 'add' && $canadduser)
|
||||
}
|
||||
else
|
||||
{
|
||||
$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
|
||||
$object->entity = (empty($entity) ? 0 : $entity);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
|
||||
$object->entity = (empty($entity) ? 0 : $entity);
|
||||
}
|
||||
|
||||
$db->begin();
|
||||
@ -316,17 +317,17 @@ if ($action == 'update' && ! $_POST["cancel"])
|
||||
|
||||
$object->oldcopy=dol_clone($object);
|
||||
|
||||
$object->lastname = GETPOST("lastname");
|
||||
$object->firstname = GETPOST("firstname");
|
||||
$object->login = GETPOST("login");
|
||||
$object->lastname = GETPOST("lastname",'alpha');
|
||||
$object->firstname = GETPOST("firstname",'alpha');
|
||||
$object->login = GETPOST("login",'alpha');
|
||||
$object->pass = GETPOST("password");
|
||||
$object->admin = empty($user->admin)?0:GETPOST("admin"); // A user can only be set admin by an admin
|
||||
$object->office_phone=GETPOST("office_phone");
|
||||
$object->office_fax = GETPOST("office_fax");
|
||||
$object->office_phone=GETPOST("office_phone",'alpha');
|
||||
$object->office_fax = GETPOST("office_fax",'alpha');
|
||||
$object->user_mobile= GETPOST("user_mobile");
|
||||
$object->skype =GETPOST("skype");
|
||||
$object->email = GETPOST("email");
|
||||
$object->job = GETPOST("job");
|
||||
$object->skype = GETPOST("skype");
|
||||
$object->email = GETPOST("email",'alpha');
|
||||
$object->job = GETPOST("job",'alpha');
|
||||
$object->signature = GETPOST("signature");
|
||||
$object->accountancy_code = GETPOST("accountancy_code");
|
||||
$object->openid = GETPOST("openid");
|
||||
@ -384,8 +385,8 @@ if ($action == 'update' && ! $_POST["cancel"])
|
||||
$contact->fetch($contactid);
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."user";
|
||||
$sql.= " SET fk_socpeople=".$contactid;
|
||||
if ($contact->socid) $sql.=", fk_societe=".$contact->socid;
|
||||
$sql.= " SET fk_socpeople=".$db->escape($contactid);
|
||||
if ($contact->socid) $sql.=", fk_societe=".$db->escape($contact->socid);
|
||||
$sql.= " WHERE rowid=".$object->id;
|
||||
}
|
||||
else
|
||||
|
||||
Loading…
Reference in New Issue
Block a user