FIX CVE-2018-9019
This commit is contained in:
Laurent Destailleur
parent
fdb3a11f34
commit
83b762b681
@ -45,7 +45,7 @@ $langs->loadLangs(array("errors","admin","companies","resource","holiday","compt
|
||||
|
||||
$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$id=31;
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
@ -58,8 +58,8 @@ $listoffset=GETPOST('listoffset');
|
||||
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
|
||||
$active = 1;
|
||||
|
||||
$sortfield = GETPOST("sortfield",'alpha');
|
||||
$sortorder = GETPOST("sortorder",'alpha');
|
||||
$sortfield = GETPOST("sortfield",'aZ09comma');
|
||||
$sortorder = GETPOST("sortorder",'aZ09comma');
|
||||
$page = GETPOST("page",'int');
|
||||
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
|
||||
$offset = $listlimit * $page ;
|
||||
@ -84,59 +84,48 @@ $hookmanager->initHooks(array('admin'));
|
||||
$tabname=array();
|
||||
|
||||
$tabname[31]= MAIN_DB_PREFIX."accounting_system";
|
||||
$tabname[32]= MAIN_DB_PREFIX."c_accounting_category";
|
||||
|
||||
// Dictionary labels
|
||||
$tablib=array();
|
||||
$tablib[31]= "Pcg_version";
|
||||
$tablib[32]= "DictionaryAccountancyCategory";
|
||||
|
||||
// Requests to extract data
|
||||
$tabsql=array();
|
||||
$tabsql[31]= "SELECT s.rowid as rowid, pcg_version, s.label, s.fk_country as country_id, c.code as country_code, c.label as country, s.active FROM ".MAIN_DB_PREFIX."accounting_system as s, ".MAIN_DB_PREFIX."c_country as c WHERE s.fk_country=c.rowid and c.active=1";
|
||||
$tabsql[32]= "SELECT a.rowid as rowid, a.code as code, a.label, a.range_account, a.sens, a.category_type, a.formula, a.position as position, a.fk_country as country_id, c.code as country_code, c.label as country, a.active FROM ".MAIN_DB_PREFIX."c_accounting_category as a, ".MAIN_DB_PREFIX."c_country as c WHERE a.fk_country=c.rowid and c.active=1";
|
||||
|
||||
// Criteria to sort dictionaries
|
||||
$tabsqlsort=array();
|
||||
$tabsqlsort[31]="pcg_version ASC";
|
||||
$tabsqlsort[32]="position ASC";
|
||||
|
||||
// Nom des champs en resultat de select pour affichage du dictionnaire
|
||||
$tabfield=array();
|
||||
$tabfield[31]= "pcg_version,label,country_id,country";
|
||||
$tabfield[32]= "code,label,range_account,sens,category_type,formula,position,country_id,country";
|
||||
|
||||
// Nom des champs d'edition pour modification d'un enregistrement
|
||||
$tabfieldvalue=array();
|
||||
$tabfieldvalue[31]= "pcg_version,label,country";
|
||||
$tabfieldvalue[32]= "code,label,range_account,sens,category_type,formula,position,country";
|
||||
|
||||
// Nom des champs dans la table pour insertion d'un enregistrement
|
||||
$tabfieldinsert=array();
|
||||
$tabfieldinsert[31]= "pcg_version,label,fk_country";
|
||||
$tabfieldinsert[32]= "code,label,range_account,sens,category_type,formula,position,fk_country";
|
||||
|
||||
// Nom du rowid si le champ n'est pas de type autoincrement
|
||||
// Example: "" if id field is "rowid" and has autoincrement on
|
||||
// "nameoffield" if id field is not "rowid" or has not autoincrement on
|
||||
$tabrowid=array();
|
||||
$tabrowid[31]= "";
|
||||
$tabrowid[32]= "";
|
||||
|
||||
// Condition to show dictionary in setup page
|
||||
$tabcond=array();
|
||||
$tabcond[31]= ! empty($conf->accounting->enabled);
|
||||
$tabcond[32]= ! empty($conf->accounting->enabled);
|
||||
|
||||
// List of help for fields
|
||||
$tabhelp=array();
|
||||
$tabhelp[31] = array('pcg_version'=>$langs->trans("EnterAnyCode"));
|
||||
$tabhelp[32] = array('code'=>$langs->trans("EnterAnyCode"));
|
||||
|
||||
// List of check for fields (NOT USED YET)
|
||||
$tabfieldcheck=array();
|
||||
$tabfieldcheck[31] = array();
|
||||
$tabfieldcheck[32] = array();
|
||||
|
||||
|
||||
// Define elementList and sourceList (used for dictionary type of contacts "llx_c_type_contact")
|
||||
@ -484,7 +473,7 @@ print "<br>\n";
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.urlencode($page).'&':'').'sortfield='.urlencode($sortfield).'&sortorder='.urlencode($sortorder).'&rowid='.urlencode($rowid).'&code='.urlencode($code).'&id='.urlencode($id), $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
||||
@ -503,24 +492,9 @@ if ($id)
|
||||
$sql.= " c.rowid = ".$search_country_id;
|
||||
}
|
||||
|
||||
if ($sortfield)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
|
||||
}
|
||||
else {
|
||||
$sql.=" ORDER BY ";
|
||||
}
|
||||
$sql.=$tabsqlsort[$id];
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.=$db->order($sortfield,$sortorder);
|
||||
$sql.=$db->plimit($listlimit+1,$offset);
|
||||
//print $sql;
|
||||
|
||||
|
||||
@ -88,7 +88,7 @@ $formaccounting = new FormAccounting($db);
|
||||
|
||||
llxheader('', $langs->trans('AccountingCategory'));
|
||||
|
||||
$linkback = '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories_list.php?search_country_id='.$mysoc->country_id.'">'.$langs->trans("BackToList").'</a>';
|
||||
$linkback = '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories_list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
|
||||
|
||||
print load_fiche_titre($langs->trans('AccountingCategory'), $linkback);
|
||||
|
||||
|
||||
@ -54,8 +54,8 @@ $listoffset=GETPOST('listoffset');
|
||||
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
|
||||
$active = 1;
|
||||
|
||||
$sortfield = GETPOST("sortfield",'alpha');
|
||||
$sortorder = GETPOST("sortorder",'alpha');
|
||||
$sortfield = GETPOST("sortfield",'aZ09comma');
|
||||
$sortorder = GETPOST("sortorder",'aZ09comma');
|
||||
$page = GETPOST("page",'int');
|
||||
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
|
||||
$offset = $listlimit * $page ;
|
||||
@ -300,7 +300,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
|
||||
if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; }
|
||||
else { $rowidcol="rowid"; }
|
||||
|
||||
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
|
||||
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
|
||||
|
||||
dol_syslog("delete", LOG_DEBUG);
|
||||
$result = $db->query($sql);
|
||||
@ -324,10 +324,10 @@ if ($action == $acts[0])
|
||||
else { $rowidcol="rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
|
||||
}
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$this->db->escape($code)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@ -344,10 +344,10 @@ if ($action == $acts[1])
|
||||
else { $rowidcol="rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
|
||||
}
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$this->db->escape($code)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@ -364,10 +364,10 @@ if ($action == 'activate_favorite')
|
||||
else { $rowidcol="rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
|
||||
}
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$this->db->escape($code)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@ -384,10 +384,10 @@ if ($action == 'disable_favorite')
|
||||
else { $rowidcol="rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
|
||||
}
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$this->db->escape($code)."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@ -437,24 +437,9 @@ if ($id)
|
||||
$sql.= " (a.fk_country = ".$search_country_id." OR a.fk_country = 0)";
|
||||
}
|
||||
|
||||
if ($sortfield)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
|
||||
}
|
||||
else {
|
||||
$sql.=" ORDER BY ";
|
||||
}
|
||||
$sql.=$tabsqlsort[$id];
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.=$db->order($sortfield,$sortorder);
|
||||
$sql.=$db->plimit($listlimit+1,$offset);
|
||||
//print $sql;
|
||||
|
||||
@ -793,7 +778,7 @@ if ($id)
|
||||
print '<td class="center">';
|
||||
if (empty($obj->formula))
|
||||
{
|
||||
print '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories.php?action=display&account_category='.$obj->rowid.'">';
|
||||
print '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories.php?action=display&save_lastsearch_values=1&account_category='.$obj->rowid.'">';
|
||||
print $langs->trans("ListOfAccounts");
|
||||
print '</a>';
|
||||
}
|
||||
|
||||
@ -36,7 +36,7 @@ $langs->load("accountancy");
|
||||
|
||||
$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$id=35;
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
@ -400,24 +400,9 @@ if ($id)
|
||||
$sql=$tabsql[$id];
|
||||
$sql.= " WHERE a.entity = ".$conf->entity;
|
||||
|
||||
if ($sortfield)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
|
||||
}
|
||||
else {
|
||||
$sql.=" ORDER BY ";
|
||||
}
|
||||
$sql.=$tabsqlsort[$id];
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.=$db->order($sortfield,$sortorder);
|
||||
$sql.=$db->plimit($listlimit+1,$offset);
|
||||
|
||||
$fieldlist=explode(',',$tabfield[$id]);
|
||||
|
||||
@ -965,14 +965,14 @@ if (empty($id))
|
||||
print "<br>\n";
|
||||
|
||||
|
||||
$param = '&id='.$id;
|
||||
if ($search_country_id > 0) $param.= '&search_country_id='.$search_country_id;
|
||||
$param = '&id='.urlencode($id);
|
||||
if ($search_country_id > 0) $param.= '&search_country_id='.urlencode($search_country_id);
|
||||
if ($search_code != '') $param.= '&search_code='.urlencode($search_country_id);
|
||||
if ($entity != '') $param.= '&entity=' . (int) $entity;
|
||||
$paramwithsearch = $param;
|
||||
if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder;
|
||||
if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield;
|
||||
if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
|
||||
if ($sortorder) $paramwithsearch.= '&sortorder='.urlencode($sortorder);
|
||||
if ($sortfield) $paramwithsearch.= '&sortfield='.urlencode($sortfield);
|
||||
if (GETPOST('from')) $paramwithsearch.= '&from='.urlencode(GETPOST('from','alpha'));
|
||||
|
||||
|
||||
// Confirmation de la suppression de la ligne
|
||||
@ -999,10 +999,10 @@ if ($id)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
$sql.= " ORDER BY ".$db->escape($sortfield);
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
$sql.=" ".strtoupper($db->escape($sortorder));
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
|
||||
@ -430,24 +430,9 @@ if ($search_type_template != '' && $search_type_template != '-1') $sql.=natural_
|
||||
if ($search_lang) $sql.=natural_search('lang', $search_lang);
|
||||
if ($search_fk_user != '' && $search_fk_user != '-1') $sql.=natural_search('fk_user', $search_fk_user, 2);
|
||||
if ($search_topic) $sql.=natural_search('topic', $search_topic);
|
||||
if ($sortfield)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
|
||||
}
|
||||
else {
|
||||
$sql.=" ORDER BY ";
|
||||
}
|
||||
$sql.=$tabsqlsort[$id];
|
||||
// If sort order is "country", we use country_code instead
|
||||
if ($sortfield == 'country') $sortfield='country_code';
|
||||
$sql.=$db->order($sortfield,$sortorder);
|
||||
$sql.=$db->plimit($listlimit+1,$offset);
|
||||
//print $sql;
|
||||
|
||||
|
||||
@ -419,24 +419,7 @@ if ($id)
|
||||
{
|
||||
// Complete requete recherche valeurs avec critere de tri
|
||||
$sql=$tabsql[$id];
|
||||
|
||||
if ($sortfield)
|
||||
{
|
||||
// If sort order is "country", we use country_code instead
|
||||
$sql.= " ORDER BY ".$sortfield;
|
||||
if ($sortorder)
|
||||
{
|
||||
$sql.=" ".strtoupper($sortorder);
|
||||
}
|
||||
$sql.=", ";
|
||||
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
|
||||
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
|
||||
}
|
||||
else {
|
||||
$sql.=" ORDER BY ";
|
||||
}
|
||||
$sql.=$tabsqlsort[$id];
|
||||
$sql.=$db->order($sortfield,$sortorder);
|
||||
$sql.=$db->plimit($limit+1, $offset);
|
||||
//print $sql;
|
||||
|
||||
|
||||
@ -578,12 +578,12 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
|
||||
{
|
||||
//var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]);
|
||||
|
||||
// We save search key only if:
|
||||
// - not empty, or
|
||||
// - if value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).
|
||||
// We save search key only if $out not empty that means:
|
||||
// - posted value not empty, or
|
||||
// - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).
|
||||
|
||||
//if (! empty($out) || ! empty($user->default_values[$relativepathstring]['filters'][$paramname]))
|
||||
if (! empty($out))
|
||||
if ($out != '') // $out = '0' like 'abc' is a search criteria to keep
|
||||
{
|
||||
$user->lastsearch_values_tmp[$relativepathstring][$paramname]=$out;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user