lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '3.7' of github.com:Dolibarr/dolibarr into 3.7

Browse Source
This commit is contained in:
Laurent Destailleur 2016-01-10 18:49:11 +01:00
commit 861376e461
4 changed files with 22 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -335,6 +335,17 @@ Dolibarr better:
- Replaced USER_UPDATE_SESSION trigger with an updateSession hook may break modules using it.
***** ChangeLog for 3.6.6 compared to 3.6.5 *****
FIX: #3734 Do not show empty links of deleted source objects in stock movement list
FIX: #4081 Added missing translation
FIX: #4097 Public holiday calculation
FIX: #4242 Allow disabling dashes in documents
FIX: #4243 sql injection
FIX: Add a protection to not make release if ChangeLog was not generated. Prepare package 3.6.5
FIX: export with category contact extrafields
FIX: Not delete a product when have customer price
FIX: Not deleting contrats on element_element table
***** ChangeLog for 3.6.5 compared to 3.6.4 *****
FIX: #2957 : missing $langs object for trigger
FIX: #2983 Load gravatar avatar images securely over HTTPS

11
htdocs/admin/agenda_extsites.php
View File

@ -1,6 +1,7 @@
<?php
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2011-2014 Juanjo Menent <jmenent@2byte.es>
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2011-2014 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2016 Raphaël Doursenaud <rdoursenaud@gpcsolutions.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -91,7 +92,7 @@ if ($actionsave)
// Save nb of agenda
if (! $error)
{
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
if (! $res > 0) $error++;
if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
@ -205,9 +206,9 @@ while ($i <= $MAXAGENDA)
// Nb
print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
// Name
print '<td><input type="text" class="flat hideifnotset" name="AGENDA_EXT_NAME'.$key.'" value="'. (GETPOST('AGENDA_EXT_NAME'.$key)?GETPOST('AGENDA_EXT_NAME'.$key):$conf->global->$name) . '" size="28"></td>';
print '<td><input type="text" class="flat hideifnotset" name="AGENDA_EXT_NAME'.$key.'" value="'. (GETPOST('AGENDA_EXT_NAME'.$key)?GETPOST('AGENDA_EXT_NAME'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
// URL
print '<td><input type="url" class="flat hideifnotset" name="AGENDA_EXT_SRC'.$key.'" value="'. (GETPOST('AGENDA_EXT_SRC'.$key)?GETPOST('AGENDA_EXT_SRC'.$key):$conf->global->$src) . '" size="60"></td>';
print '<td><input type="url" class="flat hideifnotset" name="AGENDA_EXT_SRC'.$key.'" value="'. (GETPOST('AGENDA_EXT_SRC'.$key)?GETPOST('AGENDA_EXT_SRC'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
// Color (Possible colors are limited by Google)
print '<td class="nowrap" align="right">';
//print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist);

5
htdocs/admin/dict.php
View File

@ -9,6 +9,7 @@
* Copyright (C) 2012-2015 Marcos García <marcosgdf@gmail.com>
* Copyright (C) 2012 Christophe Battarel <christophe.battarel@ltairis.fr>
* Copyright (C) 2011-2014 Alexandre Spangaro <alexandre.spangaro@gmail.com>
* Copyright (C) 2015 Ferran Marcet <fmarcet@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -154,7 +155,7 @@ $tabsql[21]= "SELECT c.rowid as rowid, code, label, active FROM ".MAIN_DB_PREFIX
$tabsql[22]= "SELECT rowid as rowid, code, label, active FROM ".MAIN_DB_PREFIX."c_input_reason";
$tabsql[23]= "SELECT t.rowid, t.taux, c.label as country, c.code as country_code, t.fk_pays as country_id, t.note, t.active, t.accountancy_code_sell, t.accountancy_code_buy FROM ".MAIN_DB_PREFIX."c_revenuestamp as t, ".MAIN_DB_PREFIX."c_country as c WHERE t.fk_pays=c.rowid";
$tabsql[24]= "SELECT rowid as rowid, code, label, active FROM ".MAIN_DB_PREFIX."c_type_resource";
$tabsql[25]= "SELECT rowid as rowid, label, type_template, private, position, topic, content, active FROM ".MAIN_DB_PREFIX."c_email_templates";
$tabsql[25]= "SELECT rowid as rowid, label, type_template, private, position, topic, content, active FROM ".MAIN_DB_PREFIX."c_email_templates WHERE entity IN (".getEntity('email_template',1).")";
// Criteria to sort dictionaries
$tabsqlsort=array();
@ -266,7 +267,7 @@ $tabfieldinsert[21]= "code,label";
$tabfieldinsert[22]= "code,label";
$tabfieldinsert[23]= "fk_pays,taux,accountancy_code_sell,accountancy_code_buy,note";
$tabfieldinsert[24]= "code,label";
$tabfieldinsert[25]= "label,type_template,private,position,topic,content";
$tabfieldinsert[25]= "label,type_template,private,position,topic,content,entity";
// Nom du rowid si le champ n'est pas de type autoincrement
// Example: "" if id field is "rowid" and has autoincrement on

3
htdocs/main.inc.php
View File

@ -97,7 +97,8 @@ function test_sql_and_script_inject($val, $type)
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouseover/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);