From 6b8793e1711269310bf1f044a7d904b4baf548cf Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Feb 2022 00:41:45 +0100 Subject: [PATCH 1/8] Fix sql error on web service --- htdocs/webservices/server_supplier_invoice.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/webservices/server_supplier_invoice.php b/htdocs/webservices/server_supplier_invoice.php index 926fa8f6418..1581d569f27 100644 --- a/htdocs/webservices/server_supplier_invoice.php +++ b/htdocs/webservices/server_supplier_invoice.php @@ -350,8 +350,8 @@ function getSupplierInvoicesForThirdParty($authentication, $idthirdparty) if (!$error) { $linesinvoice = array(); - $sql .= "SELECT f.rowid as facid"; - $sql .= " FROM '.MAIN_DB_PREFIX.'facture_fourn as f"; + $sql = "SELECT f.rowid as facid"; + $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f"; $sql .= " WHERE f.entity = ".((int) $conf->entity); if ($idthirdparty != 'all') { $sql .= " AND f.fk_soc = ".((int) $idthirdparty); From 996dcdde8262544692b8eb25e04869417f6c0332 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Sat, 19 Feb 2022 18:34:53 +0100 Subject: [PATCH 2/8] FIX error with php8 --- htdocs/admin/system/filecheck.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php index 1f183e1b730..0d5a5673db1 100644 --- a/htdocs/admin/system/filecheck.php +++ b/htdocs/admin/system/filecheck.php @@ -416,7 +416,7 @@ if (empty($error) && !empty($xml)) { $outexpectedchecksum = ($checksumtoget ? $checksumtoget : $langs->trans("Unknown")); if ($checksumget == $checksumtoget) { - if (count($file_list['added'])) { + if (is_countable($file_list['added'])) { $resultcode = 'warning'; $resultcomment = 'FileIntegrityIsOkButFilesWereAdded'; $outcurrentchecksum = $checksumget.' - '.$langs->trans($resultcomment).''; From b8d82671b3df6d603f75c3553920629e3921eab9 Mon Sep 17 00:00:00 2001 
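Review bot: The guard `if ($idthirdparty != 'all')` in this hunk still uses loose comparison, and only the cast inside it was kept; with `!=`, an `$idthirdparty` of integer `0` compares equal to `'all'` on PHP 7 but not on PHP 8, so whether the thirdparty filter is applied to the query depends on the PHP version. Writing `if ($idthirdparty !== 'all') {` pins the behaviour and leaves the `(int)` cast as the only thing that decides what reaches the SQL. The `$sql .=` to `$sql =` fix itself is right, since nothing earlier in the hunk initialises `$sql`; getSupplierInvoicesForThirdParty starts and ends outside the hunk.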
From: ptibogxiv Date: Sun, 20 Feb 2022 10:39:59 +0100 Subject: [PATCH 3/8] Update filecheck.php --- htdocs/admin/system/filecheck.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php index 0d5a5673db1..10edae1a24b 100644 --- a/htdocs/admin/system/filecheck.php +++ b/htdocs/admin/system/filecheck.php @@ -416,7 +416,7 @@ if (empty($error) && !empty($xml)) { $outexpectedchecksum = ($checksumtoget ? $checksumtoget : $langs->trans("Unknown")); if ($checksumget == $checksumtoget) { - if (is_countable($file_list['added'])) { + if (is_array($file_list['added']) && count($file_list['added'])) { $resultcode = 'warning'; $resultcomment = 'FileIntegrityIsOkButFilesWereAdded'; $outcurrentchecksum = $checksumget.' - '.$langs->trans($resultcomment).''; From 678c3bdb76c09db995401176c3b9a7de7ec0d1ed Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Feb 2022 18:07:10 +0100 Subject: [PATCH 4/8] Fix switch to login page --- htdocs/main.inc.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 3f8da14338b..46315f2d688 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
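Review bot: The checksum comparison two lines above the changed line, `if ($checksumget == $checksumtoget)`, is a loose comparison; when both sides are numeric-looking strings (hex digests of the form `0e…` followed by digits are the known case) PHP compares them as numbers, so two different digests can be reported as equal. Comparing with `hash_equals((string) $checksumtoget, (string) $checksumget)`, or at least `===`, closes that off. On the changed line itself, `is_array(...) && count(...)` is correct where the `is_countable()` of the previous commit was not, since an empty array is countable; `!empty($file_list['added'])` would express the same in one call if the value is always an array or absent. The enclosing block continues outside the hunk.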
@@ -533,7 +533,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt( dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings'); - if (isset($_POST['id'])) $savid = ((int) $_POST['id']); + $savid = null; + if (isset($_POST['id'])) { + $savid = ((int) $_POST['id']); + } unset($_POST); //unset($_POST['action']); unset($_POST['massaction']); //unset($_POST['confirm']); unset($_POST['confirmmassaction']); @@ -541,7 +544,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt( unset($_GET['action']); unset($_GET['confirmmassaction']); unset($_GET['massaction']); - if (isset($savid)) $_POST['id'] = ((int) $savid); + unset($_GET['token']); // TODO Make a redirect if we have a token in url to remove it ? + if (isset($savid)) { + $_POST['id'] = ((int) $savid); + } } // Note: There is another CSRF protection into the filefunc.inc.php From f544219d922c6249aac9f3e13908adb5d25fb370 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 22 Feb 2022 16:44:17 +0100 Subject: [PATCH 5/8] FIX permission to download files of expense report with readall. --- htdocs/core/lib/files.lib.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index c70ea041e0a..d1364598c07 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
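Review bot: The `dol_syslog(...)` call at the top of this hunk writes both the submitted token and `$_SESSION['token']` into the log at LOG_WARNING, so the live anti-CSRF token is persisted in a file that is often readable more widely than the session store; logging only whether the two matched keeps the diagnostic without recording the secret. In the new code, `$savid = null; if (isset($_POST['id'])) { ... }` can be the single expression `$savid = isset($_POST['id']) ? (int) $_POST['id'] : null;`, and the double parentheses in `((int) $_POST['id'])` add nothing. The enclosing CSRF block continues past the hunk.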
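Review bot: `unset($_GET['token'])` removes the rejected token from `$_GET` only; `$_SERVER['QUERY_STRING']` and `REQUEST_URI` still carry it, so any later code that rebuilds links from those rather than from `$_GET` would re-emit the stale token — the TODO on that line already points at a redirect, which would also address this. Re-injecting the saved id with `$_POST['id'] = ((int) $savid);` is fine, but `$savid` is already an int from the earlier cast, so `$_POST['id'] = $savid;` reads clearer. The block starts before the hunk.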
@@ -2424,10 +2424,10 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, } $original_file = $conf->fournisseur->facture->dir_output.'/'.$original_file; } elseif (($modulepart == 'holiday') && !empty($conf->holiday->dir_output)) { - if ($fuser->rights->holiday->{$read} || preg_match('/^specimen/i', $original_file)) { + if ($fuser->rights->holiday->{$read} || !empty($fuser->rights->holiday->readall) || preg_match('/^specimen/i', $original_file)) { $accessallowed = 1; // If we known $id of holiday, call checkUserAccessToObject to check permission on properties and hierarchy of leave request - if ($refname && !preg_match('/^specimen/i', $original_file)) { + if ($refname && empty($fuser->rights->holiday->readall) && !preg_match('/^specimen/i', $original_file)) { include_once DOL_DOCUMENT_ROOT.'/holiday/class/holiday.class.php'; $tmpholiday = new Holiday($db); $tmpholiday->fetch('', $refname); @@ -2436,10 +2436,10 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, } $original_file = $conf->holiday->dir_output.'/'.$original_file; } elseif (($modulepart == 'expensereport') && !empty($conf->expensereport->dir_output)) { - if ($fuser->rights->expensereport->{$lire} || preg_match('/^specimen/i', $original_file)) { + if ($fuser->rights->expensereport->{$lire} || !empty($fuser->rights->expensereport->readall) || preg_match('/^specimen/i', $original_file)) { $accessallowed = 1; // If we known $id of expensereport, call checkUserAccessToObject to check permission on properties and hierarchy of expense report - if ($refname && !preg_match('/^specimen/i', $original_file)) { + if ($refname && empty($fuser->rights->expensereport->readall) && !preg_match('/^specimen/i', $original_file)) { include_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php'; $tmpexpensereport = new ExpenseReport($db); $tmpexpensereport->fetch('', $refname); From 2d841d5b99d1733e6933a0db6c985f8e468b97a2 Mon Sep 17 00:00:00 2001 
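Review bot: In both hunks (holiday here and expensereport below), the new `readall` test appears twice — once to grant `$accessallowed = 1` and once negated to skip `checkUserAccessToObject` — so the two conditions can drift apart; hoisting it into `$hasReadAll = !empty($fuser->rights->holiday->readall);` and using it in both `if`s keeps the intent (readall bypasses the per-object hierarchy check) in one place. The comment describes the skipped call as checking "properties and hierarchy"; if it also enforces anything besides hierarchy, such as the object's entity, readall users now bypass that too, which is worth confirming against the helper, which is outside this hunk. dol_check_secure_access_document starts and ends outside the hunk.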
From: Laurent Destailleur Date: Tue, 22 Feb 2022 18:48:25 +0100 Subject: [PATCH 6/8] Fix param --- htdocs/website/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/website/index.php b/htdocs/website/index.php index 610607f0321..cdf425e3ae3 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -3487,7 +3487,7 @@ if ($action == 'createsite') { $siteref = $sitedesc = $sitelang = $siteotherlang = ''; if (GETPOST('WEBSITE_REF')) { - $siteref = GETPOST('WEBSITE_REF', 'alpha'); + $siteref = GETPOST('WEBSITE_REF', 'aZ09'); } if (GETPOST('WEBSITE_DESCRIPTION')) { $sitedesc = GETPOST('WEBSITE_DESCRIPTION', 'alpha'); From fb58b7e93090e69df3a8975fa766b429dd3ab374 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 22 Feb 2022 18:46:46 +0100 Subject: [PATCH 7/8] FIX #yogosha9048 --- htdocs/website/class/website.class.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php index 0e66e01db01..80a48048151 100644 --- a/htdocs/website/class/website.class.php +++ b/htdocs/website/class/website.class.php @@ -655,6 +655,13 @@ class Website extends CommonObject dol_syslog(__METHOD__, LOG_DEBUG); + $newref = dol_sanitizeFileName($newref); + + if (empty($newref)) { + $this->error = 'ErrorBadParameter'; + return -1; + } + $object = new self($this->db); // Check no site with ref exists @@ -671,8 +678,8 @@ class Website extends CommonObject $oldidforhome = $object->fk_default_home; $oldref = $object->ref; - $pathofwebsiteold = $dolibarr_main_data_root.'/website/'.$oldref; - $pathofwebsitenew = $dolibarr_main_data_root.'/website/'.$newref; + $pathofwebsiteold = $dolibarr_main_data_root.'/website/'.dol_sanitizeFileName($oldref); + $pathofwebsitenew = $dolibarr_main_data_root.'/website/'.dol_sanitizeFileName($newref); dol_delete_dir_recursive($pathofwebsitenew); $fileindex = $pathofwebsitenew.'/index.php'; 
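Review bot: The guard `if (GETPOST('WEBSITE_REF'))` still reads the parameter with the default filter while the assignment now uses `'aZ09'`, so a value that passes the guard but is rejected by the stricter filter leaves `$siteref` empty (assuming `GETPOST` returns an empty string for a rejected value — confirm) and the code proceeds as if a ref had been given. Reading once and testing the filtered value, `$siteref = GETPOST('WEBSITE_REF', 'aZ09'); if ($siteref === '') { ... }`, keeps the guard and the stored value in agreement. The `createsite` block continues outside the hunk.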
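Review bot: `$newref = dol_sanitizeFileName($newref);` at the top of the hunk rewrites the requested ref in place, so a ref containing characters the sanitizer strips is silently turned into a different ref and the site is renamed to that value rather than rejected; only the empty result returns -1. Failing closed is safer for a value that becomes a directory name: `if ($newref === '' || $newref !== dol_sanitizeFileName($newref)) { $this->error = 'ErrorBadParameter'; return -1; }` before any path is built. The later `dol_delete_dir_recursive($pathofwebsitenew)` then runs on the sanitized path, which is the point of the fix; the method starts and ends outside the hunk.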
From d6786459b4b7db881f30a194ed1434b1ed817d3a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 22 Feb 2022 22:03:34 +0100 Subject: [PATCH 8/8] FIX #yogosha9054 --- htdocs/accountancy/admin/journals_list.php | 60 ++++------------------ 1 file changed, 11 insertions(+), 49 deletions(-) diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 7f000290e1c..de6b8374c2a 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -165,45 +165,19 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) { // Check that all fields are filled $ok = 1; - foreach ($listfield as $f => $value) { - if ($fieldnamekey == 'libelle' || ($fieldnamekey == 'label')) { - $fieldnamekey = 'Label'; - } - if ($fieldnamekey == 'code') { - $fieldnamekey = 'Code'; - } - if ($fieldnamekey == 'nature') { - $fieldnamekey = 'NatureOfJournal'; - } - } + // Other checks if (GETPOSTISSET("code")) { if (GETPOST("code") == '0') { $ok = 0; setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors'); } - /*if (!is_numeric($_POST['code'])) // disabled, code may not be in numeric base - { - $ok = 0; - $msg .= $langs->transnoentities('ErrorFieldFormat', $langs->transnoentities('Code')).'
'; - }*/ } if (!GETPOST('label', 'alpha')) { setEventMessages($langs->transnoentities("ErrorFieldRequired", $langs->transnoentitiesnoconv("Label")), null, 'errors'); $ok = 0; } - // Clean some parameters - if ($_POST["accountancy_code"] <= 0) { - $_POST["accountancy_code"] = ''; // If empty, we force to null - } - if ($_POST["accountancy_code_sell"] <= 0) { - $_POST["accountancy_code_sell"] = ''; // If empty, we force to null - } - if ($_POST["accountancy_code_buy"] <= 0) { - $_POST["accountancy_code_buy"] = ''; // If empty, we force to null - } - // Si verif ok et action add, on ajoute la ligne if ($ok && GETPOST('actionadd', 'alpha')) { if ($tabrowid[$id]) { @@ -235,16 +209,13 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) { } $i = 0; foreach ($listfieldinsert as $f => $value) { - if ($value == 'entity') { - $_POST[$listfieldvalue[$i]] = $conf->entity; - } if ($i) { $sql .= ","; } - if ($_POST[$listfieldvalue[$i]] == '') { + if (GETPOST($listfieldvalue[$i]) == '') { $sql .= "null"; // For vat, we want/accept code = '' } else { - $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; + $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i]))."'"; } $i++; } @@ -254,7 +225,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) { $result = $db->query($sql); if ($result) { // Add is ok setEventMessages($langs->transnoentities("RecordSaved"), null, 'mesgs'); - $_POST = array('id'=>$id); // Clean $_POST array, we keep only + $_POST = array('id'=>$id); // Clean $_POST array, we keep only id } else { if ($db->errno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') { setEventMessages($langs->transnoentities("ErrorRecordAlreadyExists"), null, 'errors'); 
@@ -281,24 +252,15 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) { } $i = 0; foreach ($listfieldmodify as $field) { - if ($field == 'price' || preg_match('/^amount/i', $field) || $field == 'taux') { - $_POST[$listfieldvalue[$i]] = price2num($_POST[$listfieldvalue[$i]], 'MU'); - } elseif ($field == 'entity') { - $_POST[$listfieldvalue[$i]] = $conf->entity; - } if ($i) { $sql .= ","; } - $sql .= $field."="; - if ($_POST[$listfieldvalue[$i]] == '' && !($listfieldvalue[$i] == 'code' && $id == 10)) { - $sql .= "null"; // For vat, we want/accept code = '' - } else { - $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; - } + $sql .= $field." = "; + $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i]))."'"; $i++; } $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); - $sql .= " AND entity = ".$conf->entity; + $sql .= " AND entity = ".((int) $conf->entity); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -323,7 +285,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') { // delete } $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); - $sql .= " AND entity = ".$conf->entity; + $sql .= " AND entity = ".((int) $conf->entity); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -410,7 +372,7 @@ if ($action == 'delete') { if ($id) { // Complete requete recherche valeurs avec critere de tri $sql = $tabsql[$id]; - $sql .= " WHERE a.entity = ".$conf->entity; + $sql .= " WHERE a.entity = ".((int) $conf->entity); // If sort order is "country", we use country_code instead if ($sortfield == 'country') { @@ -510,7 +472,7 @@ if ($id) { $num = $db->num_rows($resql); $i = 0; - $param = '&id='.$id; + $param = '&id='.((int) $id); if ($search_country_id > 0) { $param .= '&search_country_id='.urlencode($search_country_id); } @@ -635,7 +597,7 @@ if ($id) { $class = 'tddict'; // Show value for field if ($showfield) { - print ''.$valuetoshow.''; + print ''.dol_escape_htmltag($valuetoshow).''; } } }
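Review bot: The update loop now always writes `'".$db->escape(GETPOST(...))."'`, so an empty submitted value is stored as `''` where the old code — and the insert loop of the earlier hunk in this patch — writes `null`; for nullable columns that is a behaviour change and the two paths are now inconsistent. The removed `price2num(...)` normalisation for `price`/`amount*`/`taux` fields is also gone without replacement, so if any journal column holds such a value, localised input like `1,5` now reaches the escape step unchanged; both points are worth confirming against `$listfieldmodify`, which is defined outside the hunk. Keeping `if (GETPOST($listfieldvalue[$i]) === '') { $sql .= "null"; } else { $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i]))."'"; }` in the update path restores the previous null handling while keeping the GETPOST change. The `((int) $conf->entity)` cast on the entity filter is a good addition and matches the other hunks.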
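Review bot: Escaping with `dol_escape_htmltag($valuetoshow)` on the changed line covers only the `$showfield` branch of this cell; if `$valuetoshow` is printed elsewhere in the surrounding loop, outside the hunk, those sites need the same treatment or the fix is partial. The value appears to come from the dictionary rows selected earlier in the file, which the add/modify paths of this same patch fill from user input, so escaping at output is the right layer. The loop containing this print starts and ends outside the hunk.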