From 7e2eca661bd289ff76138c2fa6ed081b9133197f Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 18 Dec 2018 09:40:58 +0100 Subject: [PATCH 01/12] FIX: contact/adress tab: when changing company ajax combo, the first contact change is not taken into account --- htdocs/core/class/html.form.class.php | 4 ++-- htdocs/core/class/html.formcompany.class.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index bc9aa55f6f6..1dc334560ec 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1355,7 +1355,7 @@ class Form $out .= ajax_combobox($htmlid, $events, $conf->global->CONTACT_USE_SEARCH_TO_SELECT); } - if ($htmlname != 'none' || $options_only) $out.= ''; if ($showempty == 1) $out.= ''; if ($showempty == 2) $out.= ''; $num = $this->db->num_rows($resql); @@ -1417,7 +1417,7 @@ class Form { $out.= ''; } - if ($htmlname != 'none' || $options_only) + if ($htmlname != 'none' && ! $options_only) { $out.= ''; } diff --git a/htdocs/core/class/html.formcompany.class.php b/htdocs/core/class/html.formcompany.class.php index 63babef655e..317f5fe1af6 100644 --- a/htdocs/core/class/html.formcompany.class.php +++ b/htdocs/core/class/html.formcompany.class.php @@ -589,8 +589,8 @@ class FormCompany runJsCodeForEvent'.$htmlname.'(values); } }); - /* Clean contact */ - $("div#s2id_contactid>a>span").html(\'\'); + + $(this).trigger("blur"); }); // Function used to execute events when search_htmlname change From 96144e18f11db066333bec03cb2df4dd0576e0ac Mon Sep 17 00:00:00 2001 From: ATM-Nicolas Date: Tue, 18 Dec 2018 15:27:32 +0100 Subject: [PATCH 02/12] FIX : Function updatePrice with wrong parameters --- htdocs/product/price.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 259f7d24c0a..a56ae34fc84 100644 --- a/htdocs/product/price.php 
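Review bot: The new `$(this).trigger("blur");` in the formcompany.class.php hunk replaces a line that carried a `/* Clean contact */` comment with one that carries none, so the reason for blurring the company combo is lost; the commit subject says it is what makes the first contact change register, and that belongs in the generated JS, e.g. `/* Blur so the contact combobox is re-initialised and the first contact change is taken into account */`. The same string still builds `runJsCodeForEvent'.$htmlname.'(values)` by interpolating `$htmlname` into JavaScript; that is fine only while every caller passes a literal name, which is worth confirming since the value is not visible here. The JS string and the method around it start and end outside the hunk.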
+++ b/htdocs/product/price.php @@ -1440,7 +1440,7 @@ if ((empty($conf->global->PRODUIT_CUSTOMER_PRICES) || $action=='showlog_default_ // Il doit au moins y avoir la ligne de prix initial. // On l'ajoute donc pour remettre a niveau (pb vieilles versions) - $object->updatePrice($object->price, $object->price_base_type, $user, $newprice_min); + $object->updatePrice($object->price, $object->price_base_type, $user, $object->tva_tx, $object->price_min); $result = $db->query($sql); $num = $db->num_rows($result); From 707af49025f7fcceda13dee05ca9893ca051b5bf Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 19 Dec 2018 12:07:26 +0100 Subject: [PATCH 03/12] FIX Missing last month on vat report per month --- htdocs/compta/tva/index.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/compta/tva/index.php b/htdocs/compta/tva/index.php index 2fdd1591ead..5c346ca9ced 100644 --- a/htdocs/compta/tva/index.php +++ b/htdocs/compta/tva/index.php @@ -256,7 +256,8 @@ $mend = $tmp['mon']; //var_dump($m); $total=0; $subtotalcoll=0; $subtotalpaye=0; $subtotal=0; $i=0; $mcursor=0; -while ((($y < $yend) || ($y == $yend && $m < $mend)) && $mcursor < 1000) // $mcursor is to avoid too large loop + +while ((($y < $yend) || ($y == $yend && $m <= $mend)) && $mcursor < 1000) // $mcursor is to avoid too large loop { //$m = $conf->global->SOCIETE_FISCAL_MONTH_START + ($mcursor % 12); if ($m == 13) $y++; From 9b215e117a592bcbe3547496a15fcfb59eb762f7 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 21 Dec 2018 11:23:44 +0100 Subject: [PATCH 04/12] FIX check if "entity" is already defined in "$param" --- htdocs/core/class/html.formfile.class.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 2444dc293fd..c7288aa63d3 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php 
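Review bot: The corrected `updatePrice()` call still discards its return value, so a failed price update is silently followed by `$result = $db->query($sql);` on the next line; if the method follows the project convention of returning a negative value on error, capture it with `$ret = $object->updatePrice($object->price, $object->price_base_type, $user, $object->tva_tx, $object->price_min);` and report `if ($ret < 0) setEventMessages($object->error, $object->errors, 'errors');`. The two French comments above the call say the line repairs data from old versions, so a silent failure here is exactly the case the code is meant to handle. This hunk begins on the previous source line and the enclosing `if` runs past it.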
@@ -300,8 +300,10 @@ class FormFile return $this->getDocumentsLink($modulepart, $modulesubdir, $filedir); } - // Add entity in $param - $param.= 'entity='.(!empty($object->entity)?$object->entity:$conf->entity); + // Add entity in $param if not already exists + if (!preg_match('/entity\=[0-9]+/', $param)) { + $param.= 'entity='.(!empty($object->entity)?$object->entity:$conf->entity); + } $printer=0; if (in_array($modulepart,array('facture','supplier_proposal','propal','proposal','order','commande','expedition', 'commande_fournisseur', 'expensereport'))) // The direct print feature is implemented only for such elements From 09ce84ca93ba746cc12c7f50dad5f9b48ad331d0 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 21 Dec 2018 16:38:02 +0100 Subject: [PATCH 05/12] FIX avoid Class 'AdherentType' not found --- .../triggers/interface_50_modLdap_Ldapsynchro.class.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php index 1e9c2c2ec31..500f6bfa966 100644 --- a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php +++ b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php @@ -436,9 +436,10 @@ class InterfaceLdapsynchro extends DolibarrTriggers // For member type if (! empty($conf->global->LDAP_MEMBER_TYPE_ACTIVE) && (string) $conf->global->LDAP_MEMBER_TYPE_ACTIVE == '1') { - $membertype=new AdherentType($this->db); if ($object->typeid > 0) { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + $membertype=new AdherentType($this->db); $membertype->fetch($object->typeid); $membertype->listMembersForMemberType(); 
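Review bot: The guard `preg_match('/entity\=[0-9]+/', $param)` is unanchored, so any parameter whose name merely ends in `entity` also suppresses the append and the link is then built without an entity at all; `if (!preg_match('/(^|&)entity=[0-9]+/', $param)) {` keeps the intent and removes the false match. The appended `'entity='...` carries no `&` separator of its own, so the code relies on every caller leaving `$param` empty or ending in `&`; a one-line comment above the block stating that contract, e.g. `// $param is expected to be empty or to end with '&'`, would keep future callers from producing a fused `...=xentity=1` pair. The method continues outside the hunk.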
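Review bot: `$membertype = new AdherentType($this->db);` in the `@@ -436` hunk now exists only inside `if ($object->typeid > 0)`, where before it was created unconditionally, so any use of `$membertype` after that block (its closing brace is outside the hunk) would now read an undefined variable — worth confirming against the rest of the method. The identical `require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php";` is added in three hunks of this file (here and the two `@@ -555` and `@@ -679` hunks that follow); a single include at the top of the trigger file next to the other class includes would replace all three and cannot drift out of sync.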
@@ -555,6 +556,8 @@ class InterfaceLdapsynchro extends DolibarrTriggers // For member type if (! empty($conf->global->LDAP_MEMBER_TYPE_ACTIVE) && (string) $conf->global->LDAP_MEMBER_TYPE_ACTIVE == '1') { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + /* * Change member info */ @@ -679,6 +682,8 @@ class InterfaceLdapsynchro extends DolibarrTriggers { if ($object->typeid > 0) { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + /* * Remove member in member type */ From 0f06e39d23636bd1e4039ac61a743c79725c798b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 22 Dec 2018 16:55:31 +0100 Subject: [PATCH 06/12] FIX CVE-2018-19992 --- htdocs/adherents/card.php | 6 +++--- htdocs/adherents/type.php | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index c29743b60c4..0d7869d12db 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -951,14 +951,14 @@ else // Address print ''.$langs->trans("Address").''; - print ''; + print ''; print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $formcompany->select_ziptown((GETPOST('zipcode','alpha')?GETPOST('zipcode','alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6); + print $formcompany->select_ziptown((GETPOST('zipcode','alphanohtml')?GETPOST('zipcode','alphanohtml'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6); print ' '; - print $formcompany->select_ziptown((GETPOST('town','alpha')?GETPOST('town','alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST('town','alphanohtml')?GETPOST('town','alphanohtml'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print ''; // Country diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 56363599c10..81375220a85 100644 
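Review bot: In the adherents/card.php hunk the `'alphanohtml'` filter only covers the request branch of each ternary; the `$object->zip` and `$object->town` fallbacks come from the database and reach `select_ziptown()` untouched, so this fix holds only if that helper escapes its value for the HTML context it emits. From a defender's view the escape belongs at the output point regardless of how the request value was filtered, so either confirm `select_ziptown()` applies `dol_escape_htmltag()` or note the assumption on the line, e.g. `// select_ziptown() is responsible for escaping the value it renders`. The address `print` line in the same hunk is not readable in this view.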
--- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php @@ -42,7 +42,7 @@ $backtopage = GETPOST('backtopage','alpha'); $search_lastname = GETPOST('search_lastname','alpha'); $search_login = GETPOST('search_login','alpha'); $search_email = GETPOST('search_email','alpha'); -$type = GETPOST('type','alpha'); +$type = GETPOST('type','intcomma'); $status = GETPOST('status','alpha'); $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit; @@ -59,8 +59,8 @@ if (! $sortfield) { $sortfield="d.lastname"; } $label=GETPOST("label","alpha"); $subscription=GETPOST("subscription","int"); $vote=GETPOST("vote","int"); -$comment=GETPOST("comment"); -$mail_valid=GETPOST("mail_valid"); +$comment=GETPOST("comment",'alphanohtml'); +$mail_valid=GETPOST("mail_valid",'none'); // Security check $result=restrictedArea($user,'adherent',$rowid,'adherent_type'); From fc3fcc5455d9a610b85723e89e8be43a41ad1378 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 22 Dec 2018 16:59:30 +0100 Subject: [PATCH 07/12] FIX CVE-2018-19993 --- htdocs/public/notice.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/public/notice.php b/htdocs/public/notice.php index 623baa2020a..6a55411ae3b 100644 --- a/htdocs/public/notice.php +++ b/htdocs/public/notice.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2016-2018 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
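Review bot: `$mail_valid = GETPOST("mail_valid",'none');` deliberately keeps the raw submitted value, which moves the whole burden to every place that stores, renders or sends that field; a comment on the line, e.g. `// 'none' on purpose: field holds the HTML mail template, must be escaped/purified wherever it is output`, records the decision so the next reader does not "fix" it to `'alphanohtml'` and break templates, or forget to escape it. In the `@@ -42` hunk `$status`, `$search_lastname`, `$search_login` and `$search_email` stay on `'alpha'`, which by its name is not the no-HTML filter, so they remain weaker than the values this commit hardens. Both hunks sit in the page's top-level parameter block, which starts outside the diff.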
@@ -19,13 +19,13 @@ * \file htdocs/public/notice.php * \brief Dolibarr page to show a notice. * Default notice is a message to say network connection is off. - * You can also call this page with URL: + * You can also call this page with URL: * /public/notice.php?lang=xx_XX&transkey=translation_key (key must be inside file main.lang, error.lang or other.lang) * /public/notice.php?transphrase=url_encoded_sentence_to_show */ define('NOCSRFCHECK',1); -define('NOLOGIN',1); +define('NOLOGIN',1); require '../main.inc.php'; @@ -34,7 +34,7 @@ require '../main.inc.php'; * View */ -if (! GETPOST('transkey') && ! GETPOST('transphrase')) +if (! GETPOST('transkey','alphanohtml') && ! GETPOST('transphrase','alphanohtml')) { print 'Sorry, it seems your internet connexion is off.
'; print 'You need to be connected to network to use this software.
'; @@ -43,8 +43,8 @@ else { $langs->load("error"); $langs->load("other"); - - if (GETPOST('transphrase')) print GETPOST('transphrase'); - if (GETPOST('transkey')) print $langs->trans(GETPOST('transkey')); + + if (GETPOST('transphrase','alphanohtml')) print GETPOST('transphrase','alphanohtml'); + if (GETPOST('transkey','alphanohtml')) print $langs->trans(GETPOST('transkey','alphanohtml')); } From 850b939ffd2c7a4443649331b923d5e0da2d6446 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 22 Dec 2018 17:03:50 +0100 Subject: [PATCH 08/12] FIX CVE-2018-19994 --- htdocs/product/class/product.class.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index c30376622a4..66f7e288efa 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -859,9 +859,9 @@ class Product extends CommonObject $sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'"); $sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type)); - $sql.= ", tosell = " . $this->status; - $sql.= ", tobuy = " . $this->status_buy; - $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch); + $sql.= ", tosell = " . (int) $this->status; + $sql.= ", tobuy = " . (int) $this->status_buy; + $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : (int) $this->status_batch); $sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished); $sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null'); $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null'); 
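Review bot: The `@@ -43` hunk still prints request data straight into the response — `print GETPOST('transphrase','alphanohtml');` — and relies on the input filter alone; escaping at the output point, `print dol_escape_htmltag(GETPOST('transphrase','alphanohtml'));`, costs nothing and keeps the page safe if the filter's definition ever changes. `$langs->trans(GETPOST('transkey','alphanohtml'))` presumably echoes the key itself when no translation exists, so the same output escape applies to that line. The `@@ -1` copyright hunk and the whitespace-only lines in the other hunks are cosmetic.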
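Review bot: `$sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type));` on the context line two above the new casts is still an unquoted numeric value guarded only by `escape()`, which neutralises quote characters but not an arbitrary token in a numeric position, so it does not get the guarantee the `(int)` casts now give `tosell`, `tobuy` and `tobatch`; cast it the same way, `(empty($this->barcode_type) ? "null" : (int) $this->barcode_type)`. The `@@ -880` hunk below has the same pattern in `cost_price` (`$this->db->escape($this->cost_price)` unquoted — `price2num()` or a float cast fits a price), in `fk_user_modif` (`$user->id` uncast) and in the final `WHERE rowid = " . $id` (uncast `$id`). The UPDATE statement begins before the first hunk and is sent after the second.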
@@ -880,18 +880,18 @@ class Product extends CommonObject
 $sql.= ", description = '" . $this->db->escape($this->description) ."'";
 $sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null');
 $sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'";
- $sql.= ", fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null');
+ $sql.= ", fk_country = " . ($this->country_id > 0 ? (int) $this->country_id : 'null');
 $sql.= ", note = ".(isset($this->note) ? "'" .$this->db->escape($this->note)."'" : 'null');
 $sql.= ", duration = '" . $this->db->escape($this->duration_value . $this->duration_unit) ."'";
 $sql.= ", accountancy_code_buy = '" . $this->db->escape($this->accountancy_code_buy)."'";
 $sql.= ", accountancy_code_sell= '" . $this->db->escape($this->accountancy_code_sell)."'";
 $sql.= ", accountancy_code_sell_intra= '" . $this->db->escape($this->accountancy_code_sell_intra)."'";
 $sql.= ", accountancy_code_sell_export= '" . $this->db->escape($this->accountancy_code_sell_export)."'";
- $sql.= ", desiredstock = " . ((isset($this->desiredstock) && $this->desiredstock != '') ? $this->desiredstock : "null");
+ $sql.= ", desiredstock = " . ((isset($this->desiredstock) && $this->desiredstock != '') ? (int) $this->desiredstock : "null");
 $sql.= ", cost_price = " . ($this->cost_price != '' ? $this->db->escape($this->cost_price) : 'null');
- $sql.= ", fk_unit= " . (!$this->fk_unit ? 'NULL' : $this->fk_unit);
+ $sql.= ", fk_unit= " . ((! $this->fk_unit) ? 'NULL' : (int) $this->fk_unit);
 $sql.= ", price_autogen = " . (!$this->price_autogen ? 0 : 1);
- $sql.= ", fk_price_expression = ".($this->fk_price_expression != 0 ? $this->fk_price_expression : 'NULL');
+ $sql.= ", fk_price_expression = ".($this->fk_price_expression != 0 ? (int) $this->fk_price_expression : 'NULL');
 $sql.= ", fk_user_modif = ".($user->id > 0 ? $user->id : 'NULL');
 // stock field is not here because it is a denormalized value from product_stock.
 $sql.= " WHERE rowid = " . $id;
From 4b8be6ed64763327018ac1c076f81ddffa87855e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 22 Dec 2018 17:08:55 +0100
Subject: [PATCH 09/12] FIX CVE-2018-19995
---
 htdocs/user/card.php | 52 ++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index b6886d32dbf..6743078c9d2 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -191,31 +191,31 @@ if (empty($reshook)) { $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear')); $object->birth = $birth; $object->admin = GETPOST("admin", 'alpha'); - $object->address = GETPOST('address', 'alpha'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); - $object->skype = GETPOST("skype", 'alpha'); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); + $object->skype = GETPOST("skype", 'alphanohtml'); $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha')); $object->job = GETPOST("job", 'alpha'); - $object->signature = GETPOST("signature"); - $object->accountancy_code = GETPOST("accountancy_code"); - $object->note = GETPOST("note"); - $object->ldap_sid = GETPOST("ldap_sid"); - $object->fk_user = GETPOST("fk_user") > 0 ? GETPOST("fk_user") : 0; - $object->employee = GETPOST('employee'); + $object->signature = GETPOST("signature", 'none'); + $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); + $object->note = GETPOST("note", 'none'); + $object->ldap_sid = GETPOST("ldap_sid", 'alphanohtml'); + $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0; + $object->employee = GETPOST('employee', 'alphanohtml'); - $object->thm = GETPOST("thm") != '' ? GETPOST("thm") : ''; - $object->tjm = GETPOST("tjm") != '' ? 
GETPOST("tjm") : ''; - $object->salary = GETPOST("salary") != '' ? GETPOST("salary") : ''; - $object->salaryextra = GETPOST("salaryextra") != '' ? GETPOST("salaryextra") : ''; - $object->weeklyhours = GETPOST("weeklyhours") != '' ? GETPOST("weeklyhours") : ''; + $object->thm = GETPOST("thm", 'alphanohtml') != '' ? GETPOST("thm", 'alphanohtml') : ''; + $object->tjm = GETPOST("tjm", 'alphanohtml') != '' ? GETPOST("tjm", 'alphanohtml') : ''; + $object->salary = GETPOST("salary", 'alphanohtml') != '' ? GETPOST("salary", 'alphanohtml') : ''; + $object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : ''; + $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : ''; - $object->color = GETPOST("color") != '' ? GETPOST("color") : ''; + $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear')); $object->dateemployment = $dateemployment; 
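Review bot: The context lines of this hunk keep `$object->job = GETPOST("job", 'alpha');`, `$object->admin = GETPOST("admin", 'alpha');` and the three unfiltered `GETPOST('birthmonth')`, `GETPOST('birthday')`, `GETPOST('birthyear')` arguments while every neighbouring field moves to `'alphanohtml'` or `'int'`, so the same class of input still reaches `$object` through those fields; `GETPOST("job", 'alphanohtml')` and `'int'` for `admin` and the three date parts would close the gap. `$object->signature` and `$object->note` now use `'none'` and therefore store raw HTML, which is defensible for rich-text fields but deserves a comment naming where that content is escaped or purified on output. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.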
@@ -335,14 +335,14 @@ if (empty($reshook)) { $object->pass = GETPOST("password",'none'); $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key; if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request - $object->address = GETPOST('address', 'alpha'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); $object->skype = GETPOST("skype", 'alpha'); $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha')); $object->job = GETPOST("job", 'alpha'); @@ -350,7 +350,7 @@ if (empty($reshook)) { $object->accountancy_code = GETPOST("accountancy_code",'alpha'); $object->openid = GETPOST("openid",'alpha'); $object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0; - $object->employee = GETPOST('employee'); + $object->employee = GETPOST('employee','alphanothtml'); $object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : ''; $object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : ''; From bacd5110fbdc81a35030fdc322775fa15ea85924 Mon Sep 17 00:00:00 2001 
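Review bot: `$object->skype = GETPOST("skype", 'alpha');` stays on a context line of this update-path hunk while the create path in the `@@ -191` hunk switched the same field to `'alphanohtml'`, so the two paths now sanitise one property differently; `$object->skype = GETPOST("skype", 'alphanohtml');` restores parity, and `if (! empty($user->admin)) $object->admin = GETPOST("admin");` remains unfiltered on the line above. In the `@@ -350` hunk the new filter name `'alphanothtml'` is misspelled (the name used everywhere else in this file is `'alphanohtml'`), so depending on how `GETPOST()` treats an unknown check the value may pass through untouched; the later patch in this series replaces it with `'int'`, which is the right type for the flag.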
From: Laurent Destailleur
Date: Sat, 22 Dec 2018 17:08:55 +0100
Subject: [PATCH 10/12] FIX CVE-2018-19995 and CVE-2018-19998
---
 htdocs/user/card.php | 52 ++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index b6886d32dbf..6743078c9d2 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -191,31 +191,31 @@ if (empty($reshook)) { $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear')); $object->birth = $birth; $object->admin = GETPOST("admin", 'alpha'); - $object->address = GETPOST('address', 'alpha'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); - $object->skype = GETPOST("skype", 'alpha'); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); + $object->skype = GETPOST("skype", 'alphanohtml'); $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha')); $object->job = GETPOST("job", 'alpha'); - $object->signature = GETPOST("signature"); - $object->accountancy_code = GETPOST("accountancy_code"); - $object->note = GETPOST("note"); - $object->ldap_sid = GETPOST("ldap_sid"); - $object->fk_user = GETPOST("fk_user") > 0 ? GETPOST("fk_user") : 0; - $object->employee = GETPOST('employee'); + $object->signature = GETPOST("signature", 'none'); + $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); + $object->note = GETPOST("note", 'none'); + $object->ldap_sid = GETPOST("ldap_sid", 'alphanohtml'); + $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0; + $object->employee = GETPOST('employee', 'alphanohtml'); - $object->thm = GETPOST("thm") != '' ? GETPOST("thm") : ''; - $object->tjm = GETPOST("tjm") != '' ? 
GETPOST("tjm") : ''; - $object->salary = GETPOST("salary") != '' ? GETPOST("salary") : ''; - $object->salaryextra = GETPOST("salaryextra") != '' ? GETPOST("salaryextra") : ''; - $object->weeklyhours = GETPOST("weeklyhours") != '' ? GETPOST("weeklyhours") : ''; + $object->thm = GETPOST("thm", 'alphanohtml') != '' ? GETPOST("thm", 'alphanohtml') : ''; + $object->tjm = GETPOST("tjm", 'alphanohtml') != '' ? GETPOST("tjm", 'alphanohtml') : ''; + $object->salary = GETPOST("salary", 'alphanohtml') != '' ? GETPOST("salary", 'alphanohtml') : ''; + $object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : ''; + $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : ''; - $object->color = GETPOST("color") != '' ? GETPOST("color") : ''; + $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear')); $object->dateemployment = $dateemployment; 
@@ -335,14 +335,14 @@ if (empty($reshook)) { $object->pass = GETPOST("password",'none'); $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key; if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request - $object->address = GETPOST('address', 'alpha'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); $object->skype = GETPOST("skype", 'alpha'); $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha')); $object->job = GETPOST("job", 'alpha'); @@ -350,7 +350,7 @@ if (empty($reshook)) { $object->accountancy_code = GETPOST("accountancy_code",'alpha'); $object->openid = GETPOST("openid",'alpha'); $object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0; - $object->employee = GETPOST('employee'); + $object->employee = GETPOST('employee','alphanothtml'); $object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : ''; $object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : ''; From 2b088a73c121a52e006c0d76ea4da7ffeb7b4f4a Mon Sep 17 00:00:00 2001 
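Review bot: This patch is a byte-for-byte duplicate of [PATCH 09/12] — same `index b6886d32dbf..6743078c9d2`, same three hunks, same diffstat — with only the subject changed to mention CVE-2018-19998, while the actual CVE-2018-19998 change is in the following patch. Applied after 09 it has nothing left to change and a `git am` run will stop on it, so the series should either drop this patch or squash 09 and 10 into one with the combined subject.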
From: Laurent Destailleur Date: Sat, 22 Dec 2018 17:16:08 +0100 Subject: [PATCH 11/12] FIX CVE-2018-19998 --- htdocs/user/card.php | 2 +- htdocs/user/class/user.class.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 6743078c9d2..f0b3fb819f2 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -350,7 +350,7 @@ if (empty($reshook)) { $object->accountancy_code = GETPOST("accountancy_code",'alpha'); $object->openid = GETPOST("openid",'alpha'); $object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0; - $object->employee = GETPOST('employee','alphanothtml'); + $object->employee = GETPOST('employee','int'); $object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : ''; $object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : ''; diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 161cea20e77..ef2b828f6e5 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php 
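Review bot: `$object->employee = GETPOST('employee','int');` fixes the update path only; the create path (the `@@ -191` hunk of the earlier patch) still reads `GETPOST('employee', 'alphanohtml')`, so a non-numeric value is accepted on create and, as far as this diff shows, only the update SQL casts it; the same one-line change there keeps both paths consistent. `$object->openid = GETPOST("openid",'alpha');` on the context line keeps the weaker filter as well. The enclosing block starts and ends outside the hunk.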
@@ -1405,12 +1405,12 @@ class User extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."user SET";
 $sql.= " lastname = '".$this->db->escape($this->lastname)."'";
 $sql.= ", firstname = '".$this->db->escape($this->firstname)."'";
- $sql.= ", employee = ".$this->employee;
+ $sql.= ", employee = ".(int) $this->employee;
 $sql.= ", login = '".$this->db->escape($this->login)."'";
 $sql.= ", api_key = ".($this->api_key ? "'".$this->db->escape($this->api_key)."'" : "null");
 $sql.= ", gender = ".($this->gender != -1 ? "'".$this->db->escape($this->gender)."'" : "null"); // 'man' or 'woman'
 $sql.= ", birth=".(strval($this->birth)!='' ? "'".$this->db->idate($this->birth)."'" : 'null');
- if (! empty($user->admin)) $sql.= ", admin = ".$this->admin; // admin flag can be set/unset only by an admin user
+ if (! empty($user->admin)) $sql.= ", admin = ".(int) $this->admin; // admin flag can be set/unset only by an admin user
 $sql.= ", address = '".$this->db->escape($this->address)."'";
 $sql.= ", zip = '".$this->db->escape($this->zip)."'";
 $sql.= ", town = '".$this->db->escape($this->town)."'";
@@ -1502,7 +1502,7 @@ class User extends CommonObject
 $adh->zip=$this->zip;
 $adh->state_id=$this->state_id;
 $adh->country_id=$this->country_id;
-
+
 $adh->email=$this->email;
 $adh->skype=$this->skype;
 $adh->phone=$this->office_phone;
From f8b0e535fae484348da17099e3747b0823ce52f6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 22 Dec 2018 17:30:22 +0100
Subject: [PATCH 12/12] Code comment
---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 0e586e6f4a4..ca182c7b337 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
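Review bot: The `(int)` casts on `employee` and `admin` make this UPDATE safe for those two integer columns, but the INSERT built by the create path is not in this diff; if it interpolates `$this->employee` or `$this->admin` the same way it needs the same cast, which is worth checking since the card page now feeds `employee` to both paths with different filters. A short comment above the `employee` line, e.g. `// integer flags are cast here because not every caller filters them with 'int'`, would record why the cast is there so it survives refactoring. The statement continues outside the hunk; the `@@ -1502` hunk is whitespace only.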
@@ -352,7 +352,7 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V // Creation of a token against CSRF vulnerabilities if (! defined('NOTOKENRENEWAL')) { - // roulement des jetons car cree a chaque appel + // Rolling token at each call ($_SESSION['token'] contains token of previous page) if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']