From 9334cf8fd189e31509452f8d1b9483b7e3bbf367 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 19 Dec 2015 18:03:08 +0100
Subject: [PATCH 1/3] FIX #4243 sql injection

---
 htdocs/core/class/html.form.class.php  | 12 ++++++------
 htdocs/product/ajax/products.php       |  2 +-
 htdocs/product/class/product.class.php |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 902fff35bcb..10db9442ca6 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1399,13 +1399,13 @@ class Form
             foreach ($scrit as $crit)
             {
             	if ($i > 0) $sql.=" AND ";
-                $sql.="(p.ref LIKE '".$prefix.$crit."%' OR p.label LIKE '".$prefix.$crit."%'";
-                if (! empty($conf->global->MAIN_MULTILANGS)) $sql.=" OR pl.label LIKE '".$prefix.$crit."%'";
+                $sql.="(p.ref LIKE '".$db->escape($prefix.$crit)."%' OR p.label LIKE '".$db->escape($prefix.$crit)."%'";
+                if (! empty($conf->global->MAIN_MULTILANGS)) $sql.=" OR pl.label LIKE '".$db->escape($prefix.$crit)."%'";
                 $sql.=")";
                 $i++;
             }
             if (count($scrit) > 1) $sql.=")";
-          	if (! empty($conf->barcode->enabled)) $sql.= " OR p.barcode LIKE '".$prefix.$filterkey."%'";
+          	if (! empty($conf->barcode->enabled)) $sql.= " OR p.barcode LIKE '".$db->escape($prefix.$filterkey)."%'";
         	$sql.=')';
         }
         $sql.= $db->order("p.ref");
@@ -1750,7 +1750,7 @@ class Form
         $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON pfp.fk_soc = s.rowid";
         $sql.= " WHERE p.entity IN (".getEntity('product', 1).")";
         $sql.= " AND p.tobuy = 1";
-        if (strval($filtertype) != '') $sql.=" AND p.fk_product_type=".$filtertype;
+        if (strval($filtertype) != '') $sql.=" AND p.fk_product_type=".$this->db->escape($filtertype);
         if (! empty($filtre)) $sql.=" ".$filtre;
         // Add criteria on ref/label
         if ($filterkey != '')
@@ -1764,11 +1764,11 @@ class Form
         	foreach ($scrit as $crit)
         	{
         		if ($i > 0) $sql.=" AND ";
-        		$sql.="(pfp.ref_fourn LIKE '".$prefix.$crit."%' OR p.ref LIKE '".$prefix.$crit."%' OR p.label LIKE '".$prefix.$crit."%')";
+        		$sql.="(pfp.ref_fourn LIKE '".$this->db->escape($prefix.$crit)."%' OR p.ref LIKE '".$this->db->escape($prefix.$crit)."%' OR p.label LIKE '".$this->db->escape($prefix.$crit)."%')";
         		$i++;
         	}
         	if (count($scrit) > 1) $sql.=")";
-        	if (! empty($conf->barcode->enabled)) $sql.= " OR p.barcode LIKE '".$prefix.$filterkey."%'";
+        	if (! empty($conf->barcode->enabled)) $sql.= " OR p.barcode LIKE '".$this->db->escape($prefix.$filterkey)."%'";
         	$sql.=')';
         }
         $sql.= " ORDER BY pfp.ref_fourn DESC, pfp.quantity ASC";
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index 61a1c3bff73..c8f78a11c42 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -169,7 +169,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id)) {
 	
 	$match = preg_grep('/(' . $htmlname . '[0-9]+)/', array_keys($_GET));
 	sort($match);
-	$idprod = (! empty($match [0]) ? $match [0] : '');
+	$idprod = (! empty($match[0]) ? $match[0] : '');
 	
 	if (! GETPOST($htmlname) && ! GETPOST($idprod))
 		return;
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 22dde9accc7..72f826d546f 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -2863,7 +2863,7 @@ class Product extends CommonObject
 	{
 		global $langs;
 		$langs->load('products');
-		if ($conf->productbatch->enabled) $langs->load("productbatch");
+		if (! empty($conf->productbatch->enabled)) $langs->load("productbatch");
 
 		if ($type == 2)
 		{

From b0b5e95c7fd060786fa42caebd7b75378dbc6353 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 21 Dec 2015 03:04:01 +0100
Subject: [PATCH 2/3] Backport travis change

---
 .travis.yml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 647ed3e6ace..b205baf4b0c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -172,8 +172,8 @@ before_script:
   echo
 
 - |
-  echo "Setting up Dolibarr"
   export CONF_FILE=htdocs/conf/conf.php
+  echo "Setting up Dolibarr $CONF_FILE"
   echo '<?php ' > $CONF_FILE
   echo '$'dolibarr_main_url_root=\'http://127.0.0.1\'';' >> $CONF_FILE
   echo '$'dolibarr_main_document_root=\'$TRAVIS_BUILD_DIR/htdocs\'';' >> $CONF_FILE
@@ -190,15 +190,9 @@ before_script:
   #fi
   # TODO: SQLite
   echo '$'dolibarr_main_authentication=\'dolibarr\'';' >> $CONF_FILE
+  cat $CONF_FILE
   echo
 
-- |
-  if [ "$DEBUG" = true ]; then
-    echo "Debugging informations"
-    cat $CONF_FILE
-    echo
-  fi
-
 - |
   echo "Create documents directory and set permissions"
   # and admin/temp subdirectory needed for unit tests

From 67462a81a8a60fd22f1b76ed45156747118baf10 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Mon, 21 Dec 2015 12:22:31 +0100
Subject: [PATCH 3/3] Fix link to issues and dependencies

---
 composer.json | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/composer.json b/composer.json
index 4463efcfc74..622a307687d 100644
--- a/composer.json
+++ b/composer.json
@@ -6,24 +6,32 @@
     "homepage": "http://www.dolibarr.org",
     "license": "GPL-3.0+",
     "support": {
-        "issues": "https://doliforge.org/projects/dolibarr",
+        "issues": "https://github.com/Dolibarr/dolibarr/issues",
         "forum": "http://www.dolibarr.org/forum",
-        "wiki": "http://wiki.dolibarr.org"
+        "wiki": "http://wiki.dolibarr.org",
+        "irc": "irc://chat.freenode.net/dolibarr",
+        "source": "https://github.com/Dolibarr/dolibarr"
     },
     "require": {
         "php": ">=5.3.0",
-        "ext-gd": "*",
         "ext-curl": "*"
     },
     "suggest": {
-        "ext-mysqli": "*",
-        "ext-pgsql": "*",
-        "ext-mssql": "*",
-        "ext-pdo_sqlite": "*",
-        "ext-imagick": "*",
-        "ext-mcrypt": "*",
-        "ext-openssl": "*",
-        "ext-mbstring": "*",
-        "ext-soap": "*"
+        "ext-mysqlnd": "To use with MySQL or MariaDB",
+        "ext-mysqli": "To use with MySQL or MariaDB",
+        "ext-pgsql": "To use with PostgreSQL",
+        "ext-mssql": "To use with MSSQL (experimental)",
+        "ext-pdo_sqlite": "To use with SQLite (experimental)",
+        "ext-gd": "Image manipulation (Required but maybe built-in PHP)",
+        "ext-imagick": "Image manipulation (TCPDF)",
+        "ext-mcrypt": "(Required but maybe built-in PHP)",
+        "ext-openssl": "Secure connections (Emails, SOAP…)",
+        "ext-mbstring": "Handle non UTF-8 databases",
+        "ext-soap": "Native SOAP",
+        "ext-zip": "ODT and Excel support",
+        "ext-xml": "Excel support"
+    },
+    "config": {
+        "vendor-dir": "htdocs/includes"
     }
 }