From 99589fd69318f3777ad1913af1ac4e55f12dd797 Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 09:57:27 +0200
Subject: [PATCH 1/6] added fk_project in $facture
---
 htdocs/public/eventorganization/attendee_subscription.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index 40f238c90d6..5f0025b23aa 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
@@ -342,7 +342,7 @@ if (empty($reshook) && $action == 'add') {
 $facture->paye = 0;
 $facture->date = dol_now();
 $facture->cond_reglement_id = $confattendee->cond_reglement_id;
-
+ $facture->fk_project = $project->id;
 if (empty($facture->cond_reglement_id)) {
 $paymenttermstatic = new PaymentTerm($confattendee->db);
 $facture->cond_reglement_id = $paymenttermstatic->getDefaultId();
From d034446205e41d31d7c103500b99c483386852ad Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 10:08:32 +0200
Subject: [PATCH 2/6] not giving the invoiceref anymore in the url from newpayment to paymentok, since it was already in ref= anyway
---
 htdocs/public/payment/newpayment.php | 10 ----------
 htdocs/public/payment/paymentok.php | 1 -
 2 files changed, 11 deletions(-)
diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php
index b351367f6ea..0e24d94c177 100644
--- a/htdocs/public/payment/newpayment.php
+++ b/htdocs/public/payment/newpayment.php
@@ -376,9 +376,6 @@ if ($action == 'dopayment') {
 dol_syslog("SCRIPT_URI: ".(empty($_SERVER["SCRIPT_URI"]) ? '' : $_SERVER["SCRIPT_URI"]), LOG_DEBUG);
 // If defined script uri must match domain of PAYPAL_API_OK and PAYPAL_API_KO
 // A redirect is added if API call successfull
- if ($source == 'conferencesubscription') {
- $PAYPAL_API_OK .= '&invoice='.dol_encode($invoice->id, $dolibarr_main_instance_unique_id);
- }
 $mesg = print_paypal_redirect($PAYPAL_API_PRICE, $PAYPAL_API_DEVISE, $PAYPAL_PAYMENT_TYPE, $PAYPAL_API_OK, $PAYPAL_API_KO, $FULLTAG);
 // If we are here, it means the Paypal redirect was not done, so we show error message
@@ -397,10 +394,6 @@ if ($action == 'dopayment') {
 $urlok = preg_replace('/securekey=[^&]+/', '', $urlok);
 $urlko = preg_replace('/securekey=[^&]+/', '', $urlko);
- if ($source == 'conferencesubscription') {
- $urlok .= '&invoice='.dol_encode($invoice->id, $dolibarr_main_instance_unique_id);
- }
-
 $mesg = '';
 if (empty($PRICE) || !is_numeric($PRICE)) {
 $mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Amount"));
@@ -755,9 +748,6 @@ if ($action == 'charge' && !empty($conf->stripe->enabled)) {
 header("Location: ".$urlko);
 exit;
 } else {
- if ($source == 'conferencesubscription') {
- $urlok .= '&invoice='.dol_encode($invoice->id, $dolibarr_main_instance_unique_id);
- }
 header("Location: ".$urlok);
 exit;
 }
diff --git a/htdocs/public/payment/paymentok.php b/htdocs/public/payment/paymentok.php
index 3d3946927c8..1cfeb99ec80 100644
--- a/htdocs/public/payment/paymentok.php
+++ b/htdocs/public/payment/paymentok.php
@@ -104,7 +104,6 @@ if (empty($FULLTAG)) {
 }
 $source = GETPOST('s', 'alpha') ? GETPOST('s', 'alpha') : GETPOST('source', 'alpha');
 $ref = GETPOST('ref');
-$invoiceref = GETPOST('invoice');
 $suffix = GETPOST("suffix", 'aZ09');
 $membertypeid = GETPOST("membertypeid", 'int');
From a508cdbf5957dbc4d87035ee6119e374fb055147 Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 14:01:44 +0200
Subject: [PATCH 3/6] every dol_encode for securekey replaced with dol_hash (dol_encode kept for encoding ids
---
 .../class/conferenceorbooth.class.php | 2 +-
 .../conferenceorbooth_list.php | 2 +-
 htdocs/langs/en_US/eventorganization.lang | 4 ++--
 .../attendee_subscription.php | 21 ++++++++++---------
 .../eventorganization/subscriptionok.php | 8 +++++--
 5 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/htdocs/eventorganization/class/conferenceorbooth.class.php b/htdocs/eventorganization/class/conferenceorbooth.class.php
index 02714496b35..16e61959f0c 100644
--- a/htdocs/eventorganization/class/conferenceorbooth.class.php
+++ b/htdocs/eventorganization/class/conferenceorbooth.class.php
@@ -244,7 +244,7 @@ class ConferenceOrBooth extends ActionComm
 $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
 $link_subscription = $dolibarr_main_url_root.'/public/eventorganization/attendee_subscription.php?id='.$encodedid;
- $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id);
+ $encodedsecurekey = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
 $link_subscription .= '&securekey='.urlencode($encodedsecurekey);
 $this->fields['pubregister'] = array('type'=>'url', 'label'=>$langs->trans("PublicAttendeeSubscriptionPage"), 'enabled'=>'1', 'position'=>72, 'notnull'=>0, 'visible'=>1);
diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php
index cbf0e91f7fa..e3ba815121c 100644
--- a/htdocs/eventorganization/conferenceorbooth_list.php
+++ b/htdocs/eventorganization/conferenceorbooth_list.php
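Review bot: The new `$encodedsecurekey` is a bare digest over `secret.'conferenceorbooth'.$id`; the conventional keyed form for a URL token is `hash_hmac('sha256', 'conferenceorbooth'.$id, $conf->global->EVENTORGANIZATION_SECUREKEY)`, which does not depend on how the underlying digest behaves when the secret is only a prefix of the input. Whichever form is kept, the same formula is re-typed in conferenceorbooth_list.php, attendee_subscription.php, subscriptionok.php and public/project/index.php later in this series, so a single shared helper (for example a static method on this class taking the tag and the id) would keep the issuing and checking sides from drifting apart. The enclosing ConferenceOrBooth class and the method this line belongs to start and end outside the hunk.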
@@ -366,7 +366,7 @@ if ($projectid > 0) {
 print ''.$langs->trans("RegisterPage").'';
 $encodedid = dol_encode($project->id, $dolibarr_main_instance_unique_id);
 $linkregister = $dolibarr_main_url_root.'/public/project/index.php?id='.$encodedid;
- $encodedsecurekey = dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY.$encodedid, $dolibarr_main_instance_unique_id);
+ $encodedsecurekey = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$project->id, 2);
 $linkregister .= '&securekey='.urlencode($encodedsecurekey);
 print ''.$linkregister.'';
 print '';
diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang
index 6ef39e81ff6..55117ebb5e4 100644
--- a/htdocs/langs/en_US/eventorganization.lang
+++ b/htdocs/langs/en_US/eventorganization.lang
@@ -105,8 +105,8 @@ ViewAndVote = View and vote for suggested events
 PublicAttendeeSubscriptionPage = Public link of registration to a conference
 MissingOrBadSecureKey = The security key is invalid or missing
 EvntOrgWelcomeMessage = This form allows you to register as a new participant to the conference
-EvntOrgDuration = This conference starts on %s and ends on %s
-ConferenceAttendeeFee = Conference attendee fee for the event : '%s' occurring from %s to %s
+EvntOrgDuration = This conference starts on %s and ends on %s.
+ConferenceAttendeeFee = Conference attendee fee for the event : '%s' occurring from %s to %s.
 #
 # SubscriptionOk page
 #
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index 5f0025b23aa..0f583f7cfc0 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
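Review bot: The added line derives the project registration key from `'conferenceorbooth'.$project->id`, the same domain string the class file uses with a conference id, so a securekey handed out publicly for conference N is also a valid key for project N (and vice versa) once public/project/index.php checks it with the same formula in the last commit of this series. The two link types should use distinct tags, e.g. `$encodedsecurekey = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'project'.$project->id, 2);` here, with the matching tag in the project/index.php check. The enclosing `if ($projectid > 0)` block starts outside the hunk.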
@@ -101,16 +101,13 @@ if ($resultproject < 0) {
 $errmsg .= $project->error;
 }
-// Getting 'securekey'.'id' from Post and decoding it
-$encodedsecurekeyandid = GETPOST('securekey', 'alpha');
-$securekeyandid = dol_decode($encodedsecurekeyandid, $dolibarr_main_instance_unique_id);
-// Securekey decomposition into pure securekey and id added at the end
-$securekey = substr($securekeyandid, 0, strlen($securekeyandid)-strlen($encodedid));
-$idgotfromsecurekey = dol_decode(substr($securekeyandid, -strlen($encodedid), strlen($encodedid)), $dolibarr_main_instance_unique_id);
+// Getting 'securekey'.'id' from Post and decoding it
+$securekeyreceived = GETPOST('securekey', 'alpha');
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
 // We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
-if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY || $idgotfromsecurekey != $id) {
+if ($securekeytocompare != $securekeyreceived) {
 print $langs->trans('MissingOrBadSecureKey');
 exit;
 }
@@ -251,7 +248,9 @@ if (empty($reshook) && $action == 'add') {
 // If the attendee has already paid
 if ($confattendee->status == 1) {
- $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?securekey='.dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY, $dolibarr_main_instance_unique_id);
+ $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
+ $securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+ $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
 Header("Location: ".$redirection);
 exit;
 }
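Review bot: The new check `if ($securekeytocompare != $securekeyreceived)` is a loose string comparison; if dol_hash(…, 2) yields a hex digest, as it appears to, two values of the form `0e<digits>` compare numerically equal under `!=`, and the byte-by-byte comparison is not constant-time. Use `if (!hash_equals($securekeytocompare, (string) $securekeyreceived)) {`, which also rejects a missing parameter cleanly. The same loose comparison is introduced in the subscriptionok.php hunk of this commit and in the public/project/index.php hunk of the last commit in the series. The file-level code this check sits in continues outside the hunk.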
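Review bot: In the `@@ -251` hunk `$encodedid` is concatenated into the redirect unencoded (`'?id='.$encodedid`); dol_encode appears to return base64, whose `+`, `/` and `=` are not URL-safe, so a `+` reaches subscriptionok.php as a space and dol_decode then produces a wrong id and a key mismatch. Write `'?id='.urlencode($encodedid).'&securekey='.urlencode($securekeyurl)`, matching the `urlencode($encodedsecurekey)` already used where the public link is built in conferenceorbooth.class.php. The same three lines are repeated verbatim in the `@@ -435` hunk of this file; one small function building the subscriptionok URL would keep the two in step. The enclosing `if (empty($reshook) && $action == 'add')` block starts and ends outside the hunk.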
@@ -435,7 +434,9 @@ if (empty($reshook) && $action == 'add') {
 dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_payment');
 }
- $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?securekey='.dol_encode($conf->global->EVENTORGANIZATION_SECUREKEY, $dolibarr_main_instance_unique_id);
+ $encodedid = dol_encode($id, $dolibarr_main_instance_unique_id);
+ $securekeyurl = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+ $redirection = $dolibarr_main_url_root.'/public/eventorganization/subscriptionok.php?id='.$encodedid.'&securekey='.$securekeyurl;
 Header("Location: ".$redirection);
 exit;
 }
@@ -478,7 +479,7 @@ print ''; print ''; print ''; print ''; -print ''; +print ''; print '
';
diff --git a/htdocs/public/eventorganization/subscriptionok.php b/htdocs/public/eventorganization/subscriptionok.php
index 81db5ac1c02..31c3281a526 100644
--- a/htdocs/public/eventorganization/subscriptionok.php
+++ b/htdocs/public/eventorganization/subscriptionok.php
@@ -65,8 +65,12 @@ $object = new stdClass(); // For triggers
 $error = 0;
 // Security check
-$securekey = dol_decode(GETPOST('securekey'), $dolibarr_main_instance_unique_id);
-if ($securekey != $conf->global->EVENTORGANIZATION_SECUREKEY) {
+$encodedid = GETPOST("id");
+$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
+$securekeyreceived = GETPOST("securekey");
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+
+if ($securekeyreceived != $securekeytocompare) {
 print $langs->trans('MissingOrBadSecureKey');
 exit;
 }
From fab12bc5e582e61b41e42487acdfea7c27d9e45e Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 14:04:08 +0200
Subject: [PATCH 4/6] removed the indicated id of conf when on the subscription page for security (now showing label instead)
---
 htdocs/langs/en_US/eventorganization.lang | 2 +-
 htdocs/public/eventorganization/attendee_subscription.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang
index 55117ebb5e4..9f75374f2a0 100644
--- a/htdocs/langs/en_US/eventorganization.lang
+++ b/htdocs/langs/en_US/eventorganization.lang
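Review bot: The two new reads `GETPOST("id")` and `GETPOST("securekey")` take no sanitizer, while attendee_subscription.php reads `securekey` with `'alpha'`, and the decoded `$id` goes straight into the hash input with no integer cast, so whatever dol_decode returns for a malformed value is what gets hashed and, presumably, used later in the page. Read it as `$securekeyreceived = GETPOST('securekey', 'alpha');` and `$id = (int) dol_decode($encodedid, $dolibarr_main_instance_unique_id);`, so a non-numeric decode result fails the key check instead of propagating. The `!=` on the new `if` is the same loose comparison as in attendee_subscription.php and should be `hash_equals`. The file-level code around this check continues outside the hunk.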
@@ -104,7 +104,7 @@ SuggestBooth = Suggest a booth
 ViewAndVote = View and vote for suggested events
 PublicAttendeeSubscriptionPage = Public link of registration to a conference
 MissingOrBadSecureKey = The security key is invalid or missing
-EvntOrgWelcomeMessage = This form allows you to register as a new participant to the conference
+EvntOrgWelcomeMessage = This form allows you to register as a new participant to the conference : '%s'
 EvntOrgDuration = This conference starts on %s and ends on %s.
 ConferenceAttendeeFee = Conference attendee fee for the event : '%s' occurring from %s to %s.
 #
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index 0f583f7cfc0..f6b167d91f3 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
@@ -466,8 +466,8 @@ print '
'; print '
'; // Welcome message -print $langs->trans("EvntOrgWelcomeMessage"); -print $id.".".'
'; +print $langs->trans("EvntOrgWelcomeMessage", $conference->label); +print '
'; print $langs->trans("EvntOrgDuration", dol_print_date($conference->datep), dol_print_date($conference->datef)); print '
';
From 79dce3ad0567ffed65841402e8a9e515c989802e Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 14:06:40 +0200
Subject: [PATCH 5/6] typo in comment
---
 htdocs/public/eventorganization/attendee_subscription.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index f6b167d91f3..5c31c88c38a 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
@@ -102,7 +102,7 @@ if ($resultproject < 0) {
 }
-// Getting 'securekey'.'id' from Post and decoding it
+// Security check
 $securekeyreceived = GETPOST('securekey', 'alpha');
 $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
From 74057251980a089632f4bb1d28009dddaddf0792 Mon Sep 17 00:00:00 2001
From: Dorian Vabre
Date: Tue, 27 Apr 2021 14:11:46 +0200
Subject: [PATCH 6/6] added security check at beginning of /project/index page (according to the security I added in the previous commits)
---
 .../public/eventorganization/attendee_subscription.php | 2 +-
 htdocs/public/project/index.php | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/htdocs/public/eventorganization/attendee_subscription.php b/htdocs/public/eventorganization/attendee_subscription.php
index 5c31c88c38a..4940f5965fe 100644
--- a/htdocs/public/eventorganization/attendee_subscription.php
+++ b/htdocs/public/eventorganization/attendee_subscription.php
@@ -106,7 +106,7 @@ if ($resultproject < 0) {
 $securekeyreceived = GETPOST('securekey', 'alpha');
 $securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
-// We check if the securekey collected is OK and if the id collected is the same than the id in the securekey
+// We check if the securekey collected is OK
 if ($securekeytocompare != $securekeyreceived) {
 print $langs->trans('MissingOrBadSecureKey');
 exit;
diff --git a/htdocs/public/project/index.php b/htdocs/public/project/index.php
index 03f26ed2f37..d1744db0b4e 100644
--- a/htdocs/public/project/index.php
+++ b/htdocs/public/project/index.php
@@ -78,7 +78,15 @@ $langs->loadLangs(array("main", "other", "dict", "bills", "companies", "errors",
 // No check on module enabled. Done later according to $validpaymentmethod
 $action = GETPOST('action', 'aZ09');
-$id = dol_decode(GETPOST('id'), $dolibarr_main_instance_unique_id);
+$encodedid = GETPOST('id');
+$id = dol_decode($encodedid, $dolibarr_main_instance_unique_id);
+$securekeyreceived = GETPOST("securekey");
+$securekeytocompare = dol_hash($conf->global->EVENTORGANIZATION_SECUREKEY.'conferenceorbooth'.$id, 2);
+
+if ($securekeytocompare != $securekeyreceived) {
+ print $langs->trans('MissingOrBadSecureKey');
+ exit;
+}
 // Define $urlwithroot
 //$urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT,'/').'$/i','',trim($dolibarr_main_url_root));
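Review bot: The check added to public/project/index.php never refuses an empty secret: the context line above says the module-enabled check happens later, so if `$conf->global->EVENTORGANIZATION_SECUREKEY` is unset on an instance the expected value is just a digest of `'conferenceorbooth'` plus a public id and the gate is satisfiable by anyone. Extend the condition to `if (empty($conf->global->EVENTORGANIZATION_SECUREKEY) || !hash_equals($securekeytocompare, (string) $securekeyreceived)) {`, which also replaces the loose `!=`. `GETPOST("securekey")` is read here without the `'alpha'` sanitizer used for the same parameter in attendee_subscription.php, and the `'conferenceorbooth'` tag is paired with a project id, so this page shares its key space with the conference registration links. The file-level code this check sits in continues outside the hunk.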