From cc37a7d84823b6db24ae6a09d53451ec0c841a35 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 9 Jun 2017 13:11:34 +0200 Subject: [PATCH 1/4] Fix parenthesis --- .../prelevement/class/bonprelevement.class.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php index 9b86bd66897..0785efe6b1a 100644 --- a/htdocs/compta/prelevement/class/bonprelevement.class.php +++ b/htdocs/compta/prelevement/class/bonprelevement.class.php @@ -252,7 +252,7 @@ class BonPrelevement extends CommonObject function getErrorString($error) { global $langs; - + $errors = array(); $errors[1027] = $langs->trans("DateInvalid"); @@ -920,7 +920,7 @@ class BonPrelevement extends CommonObject $dir=$conf->prelevement->dir_output.'/receipts'; if (! is_dir($dir)) dol_mkdir($dir); - + $this->filename = $dir.'/'.$ref.'.xml'; // Create withdraw receipt in database @@ -1028,7 +1028,7 @@ class BonPrelevement extends CommonObject $this->emetteur_bic = $account->bic; $this->emetteur_ics = $conf->global->PRELEVEMENT_ICS; // Ex: PRELEVEMENT_ICS = "FR78ZZZ123456"; - + $this->raison_sociale = $account->proprio; } @@ -1572,7 +1572,7 @@ class BonPrelevement extends CommonObject $XML_DEBITOR .=' '.strtoupper(dolEscapeXML(dol_string_unaccent($row_nom))).''.$CrLf; $XML_DEBITOR .=' '.$CrLf; $XML_DEBITOR .=' '.$row_country_code.''.$CrLf; - $XML_DEBITOR .=' '.dolEscapeXML(dol_trunc(dol_string_unaccent(strtr($row_address, array(CHR(13) => ", ", CHR(10) => "")))),70,'right','UTF-8',true).''.$CrLf; + $XML_DEBITOR .=' '.dolEscapeXML(dol_trunc(dol_string_unaccent(strtr($row_address, array(CHR(13) => ", ", CHR(10) => ""))),70,'right','UTF-8',true)).''.$CrLf; $XML_DEBITOR .=' '.dolEscapeXML(dol_string_unaccent($row_zip.' '.$row_town)).''.$CrLf; $XML_DEBITOR .=' '.$CrLf; $XML_DEBITOR .=' '.$CrLf; 
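Review bot: The moved parenthesis in the `@@ -1572` hunk now truncates the unaccented address to 70 characters and only then passes the result to dolEscapeXML(), whereas before the `70,'right','UTF-8',true` arguments were being handed to dolEscapeXML() and dol_trunc() ran with its defaults. That order matters beyond the field length: truncating after escaping could cut an entity such as `&amp;` in half and yield malformed XML in the SEPA file, so it deserves a why-comment above the line, e.g. `// Truncate before escaping: cutting an already escaped string could split an XML entity`. The enclosing method that builds $XML_DEBITOR starts and ends outside this hunk.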
@@ -1668,7 +1668,7 @@ class BonPrelevement extends CommonObject * @return string String with SEPA Sender */ function EnregEmetteurSEPA($configuration, $ladate, $nombre, $total, $CrLf='\n') - { + { // SEPA INITIALISATION global $conf; @@ -1687,12 +1687,12 @@ class BonPrelevement extends CommonObject $this->emetteur_number_key = $account->cle_rib; $this->emetteur_iban = $account->iban; $this->emetteur_bic = $account->bic; - + $this->emetteur_ics = $conf->global->PRELEVEMENT_ICS; // Ex: PRELEVEMENT_ICS = "FR78ZZZ123456"; - + $this->raison_sociale = $account->proprio; } - + // Récupération info demandeur $sql = "SELECT rowid, ref"; $sql.= " FROM"; From d037515e37938161982583d866c598fc03061c9d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 29 May 2017 09:57:05 +0200 Subject: [PATCH 2/4] FIX SQL injection on user/index.php parameter search_statut. Conflicts: htdocs/user/index.php --- htdocs/core/lib/functions.lib.php | 3 ++ htdocs/user/index.php | 58 +++++++++++++++---------------- 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 3ced09db552..a212b82c18f 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -250,6 +250,9 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) case 'int': if (! is_numeric($out)) { $out=''; } break; + case 'intcomma': + if (preg_match('/[^0-9,]+/i',$out)) $out=''; + break; case 'alpha': $out=trim($out); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. diff --git a/htdocs/user/index.php b/htdocs/user/index.php index 5d8f02e1c32..669152cb145 100644 --- a/htdocs/user/index.php +++ b/htdocs/user/index.php 
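Review bot: The new `intcomma` check in GETPOST() only rejects characters outside `[0-9,]`, so values such as `,`, `1,,2` or `1,` pass and reach the `u.statut IN (...)` clause built in user/index.php, where they produce a SQL syntax error rather than a filtered list; the `/i` modifier is also meaningless on a digit-and-comma class. A positive pattern that enforces the list shape is as short and strictly tighter: `if (! preg_match('/^[0-9]+(,[0-9]+)*$/', $out)) $out='';`. The other `case` branches of this switch sit outside the hunk, so a `$out=trim($out);` as done for `aZ09` may also be wanted for consistency.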
@@ -100,7 +100,7 @@ $arrayfields=array( // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { $arrayfields["ef.".$key]=array('label'=>$extrafields->attribute_label[$key], 'checked'=>$extrafields->attribute_list[$key], 'position'=>$extrafields->attribute_pos[$key], 'enabled'=>$extrafields->attribute_perms[$key]); } @@ -116,9 +116,9 @@ $search_gender=GETPOST('search_gender','alpha'); $search_employee=GETPOST('search_employee','alpha'); $search_accountancy_code=GETPOST('search_accountancy_code','alpha'); $search_email=GETPOST('search_email','alpha'); -$search_statut=GETPOST('search_statut','alpha'); +$search_statut=GETPOST('search_statut','intcomma'); $search_thirdparty=GETPOST('search_thirdparty','alpha'); -$search_supervisor=GETPOST('search_supervisor','alpha'); +$search_supervisor=GETPOST('search_supervisor','intcomma'); $search_previousconn=GETPOST('search_previousconn','alpha'); $optioncss = GETPOST('optioncss','alpha'); @@ -131,7 +131,7 @@ if ($mode == 'employee') $search_employee=1; /* * Actions */ - + $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); 
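Review bot: In the `@@ -116` hunk `$search_supervisor` is read with the `intcomma` check, but the only use of that value in this file is an equality comparison (`u.fk_user = ...` in a later hunk), where a comma-separated list is never valid and would break the query. The tighter `int` check already exists and matches the intended shape: `$search_supervisor=GETPOST('search_supervisor','int');`. Keeping `intcomma` for `$search_statut`, which does feed an `IN (...)` list, is consistent with that.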
@@ -196,8 +196,8 @@ else } if ($socid > 0) $sql.= " AND u.fk_soc = ".$socid; //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); -if ($search_supervisor > 0) $sql.= " AND u.fk_user = ".$search_supervisor; -if ($search_thirdparty != '') $sql.=natural_search(array('s.nom'), $search_thirdparty); +if ($search_supervisor > 0) $sql.= " AND u.fk_user = ".$db->escape($search_supervisor); +if ($search_thirdparty != '') $sql.= natural_search(array('s.nom'), $search_thirdparty); if ($search_login != '') $sql.= natural_search("u.login", $search_login); if ($search_lastname != '') $sql.= natural_search("u.lastname", $search_lastname); if ($search_firstname != '') $sql.= natural_search("u.firstname", $search_firstname); @@ -206,9 +206,9 @@ if (is_numeric($search_employee) && $search_employee >= 0) { $sql .= ' AND u.employee = '.(int) $search_employee; } if ($search_accountancy_code != '') $sql.= natural_search("u.accountancy_code", $search_accountancy_code); -if ($search_email != '') $sql.= natural_search("u.email", $search_email); -if ($search_statut != '' && $search_statut >= 0) $sql.= " AND (u.statut=".$search_statut.")"; -if ($sall) $sql.= natural_search(array_keys($fieldstosearchall), $sall); +if ($search_email != '') $sql.= natural_search("u.email", $search_email); +if ($search_statut != '' && $search_statut >= 0) $sql.= " AND u.statut IN (".$db->escape($search_statut).")"; +if ($sall) $sql.= natural_search(array_keys($fieldstosearchall), $sall); // Add where from extra fields foreach ($search_array_options as $key => $val) { 
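Review bot: In the `@@ -196` hunk `$db->escape($search_supervisor)` is used in an unquoted numeric position; an escape function built for quoted string literals does not neutralise a comma, space or operator there, so the protection here rests entirely on the GETPOST whitelist, with the escape adding nothing. The `u.employee = '.(int) $search_employee` line in the `@@ -206` hunk already shows the robust idiom for single ids: `if ($search_supervisor > 0) $sql.= " AND u.fk_user = ".(int) $search_supervisor;`. For the `IN (".$db->escape($search_statut).")` list in the same `@@ -206` hunk, normalising the value rather than escaping it removes the dependency on the exact regex in GETPOST, e.g. `$sql.= " AND u.statut IN (".implode(',', array_map('intval', explode(',', $search_statut))).")";`, which also turns stray commas into `0` instead of a syntax error.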
@@ -217,7 +217,7 @@ foreach ($search_array_options as $key => $val) $typ=$extrafields->attribute_type[$tmpkey]; $mode=0; if (in_array($typ, array('int','double'))) $mode=1; // Search on a numeric - if ($val && ( ($crit != '' && ! in_array($typ, array('select'))) || ! empty($crit))) + if ($val && ( ($crit != '' && ! in_array($typ, array('select'))) || ! empty($crit))) { $sql .= natural_search('ef.'.$tmpkey, $crit, $mode); } @@ -265,27 +265,27 @@ if ($result) $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); if ($val != '') $param.='&search_options_'.$tmpkey.'='.urlencode($val); - } - - + } + + print '
'."\n"; if ($optioncss != '') print ''; print ''; print ''; print ''; print ''; - + if ($sall) { foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val); print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall); } - + $moreforfilter=''; - + $varpage=empty($contextpage)?$_SERVER["PHP_SELF"]:$contextpage; $selectedfields=$form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields - + print ''; print ''; if (! empty($arrayfields['u.login']['checked'])) print_liste_field_titre($langs->trans("Login"),$_SERVER['PHP_SELF'],"u.login",$param,"","",$sortfield,$sortorder); @@ -303,9 +303,9 @@ if ($result) // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { - if (! empty($arrayfields["ef.".$key]['checked'])) + if (! empty($arrayfields["ef.".$key]['checked'])) { $align=$extrafields->getAlignFlag($key); print_liste_field_titre($extralabels[$key],$_SERVER["PHP_SELF"],"ef.".$key,"",$param,($align?'align="'.$align.'"':''),$sortfield,$sortorder); @@ -340,7 +340,7 @@ if ($result) { print ''; } if (! empty($arrayfields['u.employee']['checked'])) @@ -380,9 +380,9 @@ if ($result) // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { - if (! empty($arrayfields["ef.".$key]['checked'])) + if (! empty($arrayfields["ef.".$key]['checked'])) { $align=$extrafields->getAlignFlag($key); $typeofextrafield=$extrafields->attribute_type[$key]; @@ -428,7 +428,7 @@ if ($result) $searchpitco=$form->showFilterAndCheckAddButtons(0); print $searchpitco; print ''; - + print "\n"; $user2=new User($db); 
@@ -451,7 +451,7 @@ if ($result) $userstatic->lastname=$obj->lastname; $userstatic->employee=$obj->employee; $userstatic->photo=$obj->photo; - + $li=$userstatic->getNomUrl(-1,'',0,0,24,1,'login'); print ""; @@ -564,8 +564,8 @@ if ($result) } } print ''; - } - + } + // Date last login if (! empty($arrayfields['u.datelastlogin']['checked'])) { @@ -576,13 +576,13 @@ if ($result) { print ''; } - + // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { - if (! empty($arrayfields["ef.".$key]['checked'])) + if (! empty($arrayfields["ef.".$key]['checked'])) { print 'getAlignFlag($key); From 9c482b9f2a021604e29b7321e2e18eed60d08932 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 10 Jun 2017 21:37:27 +0200 Subject: [PATCH 3/4] FIX CVE-2017-7886 --- htdocs/core/datepicker.php | 2 +- htdocs/core/get_menudiv.php | 2 +- htdocs/core/lib/functions.lib.php | 106 +++++++++++++++--------------- htdocs/core/search_page.php | 8 +-- htdocs/externalsite/frames.php | 2 +- htdocs/install/inc.php | 6 +- htdocs/main.inc.php | 4 +- htdocs/master.inc.php | 2 +- htdocs/support/inc.php | 2 +- htdocs/theme/eldy/style.css.php | 12 ++-- htdocs/theme/md/style.css.php | 52 +++++++-------- 11 files changed, 99 insertions(+), 99 deletions(-) diff --git a/htdocs/core/datepicker.php b/htdocs/core/datepicker.php index 63b765fbadb..99bf9b15a80 100644 --- a/htdocs/core/datepicker.php +++ b/htdocs/core/datepicker.php 
@@ -39,7 +39,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML',1); require_once '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; -if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL by the main.inc.php +if (GETPOST('lang', 'aZ09')) $langs->setDefaultLang(GETPOST('lang', 'aZ09')); // If language was forced on URL by the main.inc.php $langs->load("main"); $langs->load("agenda"); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); diff --git a/htdocs/core/get_menudiv.php b/htdocs/core/get_menudiv.php index 655e10afd67..f8b3a652e08 100644 --- a/htdocs/core/get_menudiv.php +++ b/htdocs/core/get_menudiv.php @@ -35,7 +35,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML',1); require_once '../main.inc.php'; -if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL by the main.inc.php +if (GETPOST('lang', 'aZ09')) $langs->setDefaultLang(GETPOST('lang', 'aZ09')); // If language was forced on URL by the main.inc.php $langs->load("main"); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index a212b82c18f..c4674fbe5a0 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -191,7 +191,7 @@ function getBrowserInfo($user_agent) elseif (preg_match('/opera(\/|\s)([\d\.]*)/i', $user_agent, $reg)) { $name='opera'; $version=$reg[2]; } elseif (preg_match('/(MSIE\s([0-9]+\.[0-9]))|.*(Trident\/[0-9]+.[0-9];\srv:([0-9]+\.[0-9]+))/i', $user_agent, $reg)) { $name='ie'; $version=end($reg); } // MS products at end elseif (preg_match('/l(i|y)n(x|ks)(\(|\/|\s)*([\d\.]+)/i', $user_agent, $reg)) { $name='lynxlinks'; $version=$reg[4]; } - + if ($tablet) { $layout = 'tablet'; } elseif ($phone) { 
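Review bot: Both datepicker.php and get_menudiv.php call `GETPOST('lang', 'aZ09')` twice on the same line, once for the test and once for the argument, so the filtering and trimming run twice and the two results can drift apart if GETPOST ever changes; read it once into a local, `$forcedlang = GETPOST('lang', 'aZ09'); if ($forcedlang) $langs->setDefaultLang($forcedlang);`. Note that these two lines depend on the widening of the `aZ09` check in functions.lib.php from the same commit: language codes presumably contain an underscore (xx_XX form), and with the previous `[^a-z0-9]` pattern the value would have been blanked and the forced language silently ignored, so a backport of these files without the functions.lib.php change would regress behaviour.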
@@ -269,7 +269,7 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) break; case 'aZ09': $out=trim($out); - if (preg_match('/[^a-z0-9]+/i',$out)) $out=''; + if (preg_match('/[^a-z0-9_\-]+/i',$out)) $out=''; break; case 'array': if (! is_array($out) || empty($out)) $out=array(); @@ -290,13 +290,13 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) * This prefix is unique for instance and avoid conflict between multi-instances, * even when having two instances with one root dir or two instances in virtual servers * - * @param string $mode '' or 'email' + * @param string $mode '' or 'email' * @return string A calculated prefix */ function dol_getprefix($mode='') { global $conf; - + // If MAIL_PREFIX_FOR_EMAIL_ID is set and prefix is for email if ($mode == 'email' && ! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID)) { @@ -378,15 +378,15 @@ function dol_buildpath($path, $type=0) if ($type == 1) $res = DOL_URL_ROOT.'/'.$path; // Standard value if ($type == 2) $res = DOL_MAIN_URL_ROOT.'/'.$path; // Standard value if ($type == 3) $res = DOL_URL_ROOT.'/'.$path; - + foreach ($conf->file->dol_document_root as $key => $dirroot) // ex: array(["main"]=>"/home/main/htdocs", ["alt0"]=>"/home/dirmod/htdocs", ...) { - if ($key == 'main') + if ($key == 'main') { if ($type == 3) { global $dolibarr_main_url_root; - + // Define $urlwithroot $urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT,'/').'$/i','',trim($dolibarr_main_url_root)); $urlwithroot=$urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file 
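Review bot: Widening the `aZ09` pattern to `[^a-z0-9_\-]` changes the contract for every existing caller of `GETPOST(..., 'aZ09')`, not only the `lang` reads made in this commit; any caller that relied on the previous set, for example to build a file name or a path segment from the value, now also receives `-` and `_`, which on their own are harmless but are a wider input than was reviewed when those callers were written. The change should at least be recorded in the GETPOST() docblock, which lies outside this hunk, with a line such as `aZ09: only a-z, A-Z, 0-9, '_' and '-' are allowed` so that callers can tell what the check guarantees. The rest of the switch and the function body continue outside the hunk.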
@@ -413,12 +413,12 @@ function dol_buildpath($path, $type=0) if ($type == 3) { global $dolibarr_main_url_root; - + // Define $urlwithroot $urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT,'/').'$/i','',trim($dolibarr_main_url_root)); $urlwithroot=$urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file //$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current - + $res=(preg_match('/^http/i',$conf->file->dol_url_root[$key])?'':$urlwithroot).$conf->file->dol_url_root[$key].'/'.$path; // Test on start with http is for old conf syntax } break; @@ -957,7 +957,7 @@ function dol_banner_tab($object, $paramid, $morehtml='', $shownav=1, $fieldid='r $maxvisiblephotos=(isset($conf->global->PRODUCT_MAX_VISIBLE_PHOTO)?$conf->global->PRODUCT_MAX_VISIBLE_PHOTO:5); if ($conf->browser->phone) $maxvisiblephotos=1; if ($showimage) $morehtmlleft.='
'.$object->show_photos($conf->product->multidir_output[$object->entity],'small',$maxvisiblephotos,0,0,0,$width,0).'
'; - else + else { if (!empty($conf->global->PRODUCT_NODISPLAYIFNOPHOTO)) { $nophoto=''; @@ -967,17 +967,17 @@ function dol_banner_tab($object, $paramid, $morehtml='', $shownav=1, $fieldid='r $nophoto='/public/theme/common/nophoto.png'; $morehtmlleft.='
No photo
'; } - + } } - else + else { if ($showimage) $morehtmlleft.='
'.$form->showphoto($modulepart,$object,0,0,0,'photoref','small',1,0,$maxvisiblephotos).'
'; } if ($showbarcode) $morehtmlleft.='
'.$form->showbarcode($object).'
'; if ($object->element == 'societe' && ! empty($conf->use_javascript_ajax) && $user->rights->societe->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) { $morehtmlright.=ajax_object_onoff($object, 'status', 'status', 'InActivity', 'ActivityCeased'); - } + } elseif ($object->element == 'product') { //$morehtmlright.=$langs->trans("Status").' ('.$langs->trans("Sell").') '; @@ -999,7 +999,7 @@ function dol_banner_tab($object, $paramid, $morehtml='', $shownav=1, $fieldid='r } if (! empty($object->name_alias)) $morehtmlref.='
'.$object->name_alias.'
'; // For thirdparty if (! empty($object->label)) $morehtmlref.='
'.$object->label.'
'; // For product - if ($object->element != 'product') + if ($object->element != 'product') { $morehtmlref.='
'; $morehtmlref.=$object->getBannerAddress('refaddress',$object); @@ -1184,9 +1184,9 @@ function dol_print_date($time,$format='',$tzoutput='tzserver',$outputlangs='',$e $reduceformat=(! empty($conf->dol_optimize_smallscreen) && in_array($format,array('day','dayhour')))?1:0; $formatwithoutreduce = preg_replace('/reduceformat/','',$format); if ($formatwithoutreduce != $format) { $format = $formatwithoutreduce; $reduceformat=1; } // so format 'dayreduceformat' is processed like day - + // Change predefined format into computer format. If found translation in lang file we use it, otherwise we use default. - // TODO Add format daysmallyear and dayhoursmallyear + // TODO Add format daysmallyear and dayhoursmallyear if ($format == 'day') $format=($outputlangs->trans("FormatDateShort")!="FormatDateShort"?$outputlangs->trans("FormatDateShort"):$conf->format_date_short); else if ($format == 'hour') $format=($outputlangs->trans("FormatHourShort")!="FormatHourShort"?$outputlangs->trans("FormatHourShort"):$conf->format_hour_short); else if ($format == 'hourduration') $format=($outputlangs->trans("FormatHourShortDuration")!="FormatHourShortDuration"?$outputlangs->trans("FormatHourShortDuration"):$conf->format_hour_short_duration); @@ -1957,7 +1957,7 @@ function dol_print_graph($htmlid,$width,$height,$data,$showlegend=0,$type='pie', print '
'.$langs->trans("NotEnoughDataYet").'
'; return; } - + if (empty($conf->use_javascript_ajax)) return; $jsgraphlib='flot'; $datacolor=array(); @@ -2126,7 +2126,7 @@ function dol_trunc($string,$size=40,$trunc='right',$stringencoding='UTF-8',$nodo global $conf; if ($size==0 || ! empty($conf->global->MAIN_DISABLE_TRUNC)) return $string; - + if (empty($stringencoding)) $stringencoding='UTF-8'; // reduce for small screen if ($conf->dol_optimize_smallscreen==1 && $display==1) $size = round($size/3); @@ -3076,7 +3076,7 @@ function load_fiche_titre($titre, $mesg='', $picto='title_generic.png', $pictois * @param string $options parametres complementaires lien ('' par defaut) * @param string $sortfield champ de tri ('' par defaut) * @param string $sortorder ordre de tri ('' par defaut) - * @param string $center chaine du centre ('' par defaut). We often find here string $massaction comming from $form->selectMassAction() + * @param string $center chaine du centre ('' par defaut). We often find here string $massaction comming from $form->selectMassAction() * @param int $num number of records found by select with limit+1 * @param int $totalnboflines Total number of records/lines for all pages (if known). Use a negative value to no show number. * @param string $picto Icon to use before title (should be a 32x32 transparent png file) @@ -3090,11 +3090,11 @@ function load_fiche_titre($titre, $mesg='', $picto='title_generic.png', $pictois function print_barre_liste($titre, $page, $file, $options='', $sortfield='', $sortorder='', $center='', $num=-1, $totalnboflines=0, $picto='title_generic.png', $pictoisfullpath=0, $morehtml='', $morecss='', $limit=-1, $hideselectlimit=0) { global $conf,$langs; - + $savlimit = $limit; $savtotalnboflines = $totalnboflines; $totalnboflines=abs($totalnboflines); - + if ($picto == 'setup') $picto='title_setup.png'; if (($conf->browser->name == 'ie') && $picto=='title_generic.png') $picto='title.gif'; if ($limit < 0) $limit = $conf->liste_limit; 
@@ -3107,7 +3107,7 @@ function print_barre_liste($titre, $page, $file, $options='', $sortfield='', $so $nextpage = 0; } //print 'totalnboflines='.$totalnboflines.'-savlimit='.$savlimit.'-limit='.$limit.'-num='.$num.'-nextpage='.$nextpage; - + print "\n"; print "\n"; print '
'; $arraygender=array('man'=>$langs->trans("Genderman"),'woman'=>$langs->trans("Genderwoman")); - print $form->selectarray('search_gender', $arraygender, $search_gender, 1); + print $form->selectarray('search_gender', $arraygender, $search_gender, 1); print '
'.dol_print_date($db->jdate($obj->datepreviouslogin),"dayhour").'
'; @@ -3206,7 +3206,7 @@ function print_fleche_navigation($page, $file, $options='', $nextpage=0, $betwee //$pagesizechoices.=',0:'.$langs->trans("All"); // Not yet supported //$pagesizechoices.=',2:2'; if (! empty($conf->global->MAIN_PAGESIZE_CHOICES)) $pagesizechoices=$conf->global->MAIN_PAGESIZE_CHOICES; - + print '