Fix vulnerabiity: External users can set a public note

Laurent Destailleur 2021-05-09 12:50:46 +02:00
parent 0271645d8e
commit 8cc100012d


@ -67,16 +67,18 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel',
}
}
}
} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) {
// Set public note
if (empty($action) || !is_object($object) || empty($id)) {
dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
}
if (empty($object->id)) {
$object->fetch($id); // Fetch may not be already done
}
$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) { // Set public note
if (empty($user->socid)) {
// Private notes (always hidden to external users)
if (empty($action) || !is_object($object) || empty($id)) {
dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
}
if (empty($object->id)) {
$object->fetch($id); // Fetch may not be already done
}
$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
}
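Review bot: When `$user->socid` is non-empty, the new `if (empty($user->socid))` wrapper at the top of the `setnote_private` branch silently drops the request, so an external user who posts `note_private` gets no error message and nothing is recorded; an `else { accessforbidden(); }` (or whichever rejection helper this file already uses for unauthorized actions) would make the denied write visible instead of a no-op. The comment kept on the `elseif` line, `// Set public note`, now sits on the private-note branch and should read `// Set private note`. Whether `socid` is the only marker of an external user cannot be confirmed from this hunk, and both the `setnote_public` branch named in the commit title and the enclosing `if`/`elseif` chain begin before this hunk.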