From 98c60c141201a945728a8af0b3d74db68afbe4d4 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 27 Nov 2011 18:44:27 +0100 Subject: [PATCH] Fix: preventing XSS injections and uniform code --- dev/skeletons/skeleton_page.php | 5 +- htdocs/adherents/type.php | 151 ++++++++++--------- htdocs/core/class/html.formbarcode.class.php | 6 +- htdocs/product/admin/produit.php | 2 +- htdocs/product/barcode.php | 78 +++++----- 5 files changed, 121 insertions(+), 121 deletions(-) diff --git a/dev/skeletons/skeleton_page.php b/dev/skeletons/skeleton_page.php index 5e7d2bc74a4..cb3ceda938b 100644 --- a/dev/skeletons/skeleton_page.php +++ b/dev/skeletons/skeleton_page.php @@ -52,8 +52,9 @@ $langs->load("companies"); $langs->load("other"); // Get parameters -$action = GETPOST('action'); -$myparam = GETPOST('myparam'); +$id = GETPOST('id','int'); +$action = GETPOST('action','alpha'); +$myparam = GETPOST('myparam','alpha'); // Protection if external user if ($user->societe_id > 0) diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 7d5172db623..470793fe1e5 100644 --- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php @@ -30,11 +30,18 @@ require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"); $langs->load("members"); -$rowid=GETPOST("rowid"); +$rowid = GETPOST('rowid','int'); +$action = GETPOST('action','alpha'); -$sortfield = GETPOST("sortfield",'alpha'); -$sortorder = GETPOST("sortorder",'alpha'); -$page = GETPOST("page",'int'); +$search_lastname = GETPOST('search_nom','alpha'); +$search_login = GETPOST('search_login','alpha'); +$search_email = GETPOST('search_email','alpha'); +$type = GETPOST('type','alpha'); +$status = GETPOST('status','alpha'); + +$sortfield = GETPOST('sortfield','alpha'); +$sortorder = GETPOST('sortorder','alpha'); +$page = GETPOST('page','int'); if ($page == -1) { $page = 0 ; } $offset = $conf->liste_limit * $page ; $pageprev = $page - 1; 
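Review bot: `$type` is read with the `'alpha'` check on the new `$type = GETPOST('type','alpha');` line, yet the @@ -402 hunk compares it with `> 0` and passes it to `$membertype->fetch($type)`, so it should be `$type = GETPOST('type','int');`. `$status` is likewise placed bare inside `d.statut IN (...)` in the @@ -342 hunk; as far as I recall the `'alpha'` check does not confine a value to digits and commas, so validate it here, e.g. `if ($status != '' && ! preg_match('/^-?\d+(,-?\d+)*$/', $status)) $status = '';`. The @@ -402 hunk also emits `&search_prenom=` from `$search_firstname`, which this block never assigns (the old removefilter branch did reset `$_GET["search_prenom"]`), so add `$search_firstname = GETPOST('search_prenom','alpha');` next to `$search_lastname` and reset it in the removefilter branch too.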
@@ -45,16 +52,12 @@ if (! $sortfield) { $sortfield="d.nom"; } // Security check if (! $user->rights->adherent->lire) accessforbidden(); -if ($_REQUEST["button_removefilter"]) +if (GETPOST('button_removefilter')) { - $_GET["search_nom"]=""; - $_REQUEST["search_nom"]=""; - $_GET["search_prenom"]=""; - $_REQUEST["search_prenom"]=""; - $_GET["type"]=""; - $_REQUEST["type"]=""; - $_GET["search_email"]=""; - $_REQUEST["search_email"]=""; + $search_lastname=""; + $search_login=""; + $search_email=""; + $type=""; $sall=""; } @@ -63,7 +66,7 @@ if ($_REQUEST["button_removefilter"]) /* * Actions */ -if ($user->rights->adherent->configurer && $_POST["action"] == 'add') +if ($action == 'add' && $user->rights->adherent->configurer) { if ($_POST["button"] != $langs->trans("Cancel")) { @@ -80,24 +83,24 @@ if ($user->rights->adherent->configurer && $_POST["action"] == 'add') $id=$adht->create($user->id); if ($id > 0) { - Header("Location: type.php"); + Header("Location: ".$_SERVER["PHP_SELF"]); exit; } else { $mesg=$adht->error; - $_GET["action"] = 'create'; + $action = 'create'; } } else { $mesg=$langs->trans("ErrorFieldRequired",$langs->transnoentities("Label")); - $_GET["action"] = 'create'; + $action = 'create'; } } } -if ($user->rights->adherent->configurer && $_POST["action"] == 'update') +if ($action == 'update' && $user->rights->adherent->configurer) { if ($_POST["button"] != $langs->trans("Cancel")) { @@ -111,12 +114,12 @@ if ($user->rights->adherent->configurer && $_POST["action"] == 'update') $adht->update($user->id); - Header("Location: type.php?rowid=".$_POST["rowid"]); + Header("Location: ".$_SERVER["PHP_SELF"]."?rowid=".$_POST["rowid"]); exit; } } -if ($user->rights->adherent->configurer && $_GET["action"] == 'delete') +if ($action == 'delete' && $user->rights->adherent->configurer) { $adht = new AdherentType($db); $adht->delete($rowid); 
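Review bot: The update branch's redirect still builds the Location header from the raw `$_POST["rowid"]` even though `$rowid` has just been read through `GETPOST('rowid','int')`; use the validated value: `Header("Location: ".$_SERVER["PHP_SELF"]."?rowid=".$rowid);`. Note also that `add` and `update` were gated on `$_POST["action"]` before and are now gated on `$action`, which GETPOST appears to fill from either GET or POST, while the bodies keep reading `$_POST["button"]` and `$_POST["rowid"]`; if these state-changing actions are meant to stay POST-only, the condition should say so explicitly rather than rely on the missing POST fields failing the required-field check. The enclosing `if` blocks for `add`, `update` and `delete` run past the hunk boundaries.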
@@ -124,7 +127,7 @@ if ($user->rights->adherent->configurer && $_GET["action"] == 'delete') exit; } -if ($user->rights->adherent->configurer && $_GET["action"] == 'commentaire') +if ($action == 'commentaire' && $user->rights->adherent->configurer) { $don = new Don($db); $don->fetch($rowid); @@ -143,7 +146,7 @@ $form=new Form($db); // Liste of members type -if (! $rowid && $_GET["action"] != 'create' && $_GET["action"] != 'edit') +if (! $rowid && $action != 'create' && $action != 'edit') { print_fiche_titre($langs->trans("MembersTypes")); @@ -199,7 +202,7 @@ if (! $rowid && $_GET["action"] != 'create' && $_GET["action"] != 'edit') // New type if ($user->rights->adherent->configurer) { - print "".$langs->trans("NewType").""; + print ''.$langs->trans("NewType").''; } print ""; @@ -212,7 +215,7 @@ if (! $rowid && $_GET["action"] != 'create' && $_GET["action"] != 'edit') /* Creation d'un type adherent */ /* */ /* ************************************************************************** */ -if ($_GET["action"] == 'create') +if ($action == 'create') { $form = new Form($db); @@ -220,7 +223,7 @@ if ($_GET["action"] == 'create') if ($mesg) print '
'.$mesg.'
'; - print "
"; + print ''; print ''; print ''; @@ -237,7 +240,7 @@ if ($_GET["action"] == 'create') print ''; print '"; + print ''; print '
'.$langs->trans("Description").''; - print "
'.$langs->trans("WelcomeEMail").''; require_once(DOL_DOCUMENT_ROOT."/core/class/doleditor.class.php"); @@ -261,7 +264,7 @@ if ($_GET["action"] == 'create') /* ************************************************************************** */ if ($rowid > 0) { - if ($_GET["action"] != 'edit') + if ($action != 'edit') { $adht = new AdherentType($db); $adht->id = $rowid; @@ -316,16 +319,16 @@ if ($rowid > 0) // Edit if ($user->rights->adherent->configurer) { - print "id."\">".$langs->trans("Modify").""; + print ''.$langs->trans("Modify").''; } // Add - print "id."\">".$langs->trans("AddMember").""; + print ''.$langs->trans("AddMember").''; // Delete if ($user->rights->adherent->configurer) { - print "id."\">".$langs->trans("DeleteType").""; + print ''.$langs->trans("DeleteType").''; } print ""; 
@@ -342,38 +345,35 @@ if ($rowid > 0) $sql.= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."adherent_type as t"; $sql.= " WHERE d.fk_adherent_type = t.rowid "; $sql.= " AND d.entity = ".$conf->entity; + $sql.= " AND t.rowid = ".$adht->id; if ($sall) { - $sql.=" AND (d.prenom like '%".$sall."%' OR d.nom like '%".$sall."%' OR d.societe like '%".$sall."%'"; - $sql.=" OR d.email like '%".$sall."%' OR d.login like '%".$sall."%' OR d.adresse like '%".$sall."%'"; - $sql.=" OR d.ville like '%".$sall."%' OR d.note like '%".$sall."%')"; + $sql.= " AND (d.prenom LIKE '%".$sall."%' OR d.nom LIKE '%".$sall."%' OR d.societe LIKE '%".$sall."%'"; + $sql.= " OR d.email LIKE '%".$sall."%' OR d.login LIKE '%".$sall."%' OR d.adresse LIKE '%".$sall."%'"; + $sql.= " OR d.ville LIKE '%".$sall."%' OR d.note LIKE '%".$sall."%')"; } - //if ($_REQUEST["type"] > 0) - //{ - //$sql.=" AND t.rowid=".$_REQUEST["type"]; - $sql.=" AND t.rowid=".$adht->id; - //} - if (isset($_GET["statut"])) + if ($status != '') { - $sql.=" AND d.statut in ($statut)"; // Peut valoir un nombre ou liste de nombre separes par virgules + $sql.= " AND d.statut IN (".$status.")"; // Peut valoir un nombre ou liste de nombre separes par virgules } - if ( $_POST["action"] == 'search') + if ($action == 'search') { - if (isset($_POST['search']) && $_POST['search'] != ''){ + if (isset($_POST['search']) && $_POST['search'] != '') + { $sql.= " AND (d.prenom LIKE '%".$_POST['search']."%' OR d.nom LIKE '%".$_POST['search']."%')"; } } - if ($_GET["search_nom"]) + if (! empty($search_lastname)) { - $sql.= " AND (d.prenom LIKE '%".$_GET["search_nom"]."%' OR d.nom LIKE '%".$_GET["search_nom"]."%')"; + $sql.= " AND (d.prenom LIKE '%".$search_lastname."%' OR d.nom LIKE '%".$search_lastname."%')"; } - if ($_GET["search_login"]) + if (! empty($search_login)) { - $sql.= " AND d.login LIKE '%".$_GET["search_login"]."%'"; + $sql.= " AND d.login LIKE '%".$search_login."%'"; } - if ($_GET["search_email"]) + if (! 
empty($search_email)) { - $sql.= " AND (d.email LIKE '%".$_GET["search_email"]."%')"; + $sql.= " AND d.email LIKE '%".$search_email."%'"; } if ($filter == 'uptodate') { 
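Review bot: Every filter value this hunk concatenates into `$sql` — `$sall`, `$_POST['search']`, `$search_lastname`, `$search_login`, `$search_email` and `$status` — goes in unescaped; the values now come through `GETPOST(...,'alpha')`, which is not shown here and, as far as I recall, does not neutralise single quotes, so the XSS fix in this commit leaves the SQL side untouched. Wrap each LIKE operand with the database escape helper, e.g. `$sql.= " AND d.login LIKE '%".$db->escape($search_login)."%'";`, read `search` through `GETPOST('search','alpha')` like the others, and validate `$status` as a comma-separated list of integers before it reaches `IN (".$status.")`, since escaping alone does not help for an unquoted operand. Renaming the request parameter from `statut` to `status` in `if ($status != '')` also changes the URL contract: any link elsewhere still passing `statut=` would silently stop filtering, which is worth a grep. The enclosing `if ($rowid > 0)` block starts and ends outside the hunk.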
@@ -402,32 +402,34 @@ if ($rowid > 0) $i = 0; $titre=$langs->trans("MembersList"); - if (isset($_GET["statut"])) + if ($status != '') { - if ($statut == '-1,1') { $titre=$langs->trans("MembersListQualified"); } - if ($statut == '-1') { $titre=$langs->trans("MembersListToValid"); } - if ($statut == '1' && ! $filter) { $titre=$langs->trans("MembersListValid"); } - if ($statut == '1' && $filter=='uptodate') { $titre=$langs->trans("MembersListUpToDate"); } - if ($statut == '1' && $filter=='outofdate') { $titre=$langs->trans("MembersListNotUpToDate"); } - if ($statut == '0') { $titre=$langs->trans("MembersListResiliated"); } + if ($status == '-1,1') { $titre=$langs->trans("MembersListQualified"); } + else if ($status == '-1') { $titre=$langs->trans("MembersListToValid"); } + else if ($status == '1' && ! $filter) { $titre=$langs->trans("MembersListValid"); } + else if ($status == '1' && $filter=='uptodate') { $titre=$langs->trans("MembersListUpToDate"); } + else if ($status == '1' && $filter=='outofdate') { $titre=$langs->trans("MembersListNotUpToDate"); } + else if ($status == '0') { $titre=$langs->trans("MembersListResiliated"); } } - elseif ($_POST["action"] == 'search') { + elseif ($action == 'search') + { $titre=$langs->trans("MembersListQualified"); } - if ($_REQUEST["type"] > 0) + if ($type > 0) { $membertype=new AdherentType($db); - $result=$membertype->fetch($_REQUEST["type"]); + $result=$membertype->fetch($type); $titre.=" (".$membertype->libelle.")"; } $param="&rowid=".$rowid; - if (isset($_GET["statut"])) $param.="&statut=".$_GET["statut"]; - if (isset($_GET["search_nom"])) $param.="&search_nom=".$_GET["search_nom"]; - if (isset($_GET["search_login"])) $param.="&search_login=".$_GET["search_login"]; - if (isset($_GET["search_email"])) $param.="&search_email=".$_GET["search_email"]; - if (isset($_GET["filter"])) $param.="&filter=".$_GET["filter"]; + if (! empty($status)) $param.="&status=".$status; + if (! 
empty($search_lastname)) $param.="&search_nom=".$search_lastname; + if (! empty($search_firstname)) $param.="&search_prenom=".$search_firstname; + if (! empty($search_login)) $param.="&search_login=".$search_login; + if (! empty($search_email)) $param.="&search_email=".$search_email; + if (! empty($filter)) $param.="&filter=".$filter; if ($sall) { @@ -436,7 +438,7 @@ if ($rowid > 0) print '
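Review bot: The `$param` fragments built at the end of this hunk (`&status=`, `&search_nom=`, `&search_prenom=`, `&search_login=`, `&search_email=`, `&filter=`) append the request values verbatim, and `$param` is then passed to `print_barre_liste` and `print_liste_field_titre` in the next hunk to build links, so a value containing `&`, `#` or markup is emitted as-is unless those helpers escape it, which is not visible here. Encode each one at the point it is appended, e.g. `if (! empty($search_lastname)) $param.="&search_nom=".urlencode($search_lastname);`. The enclosing `if ($rowid > 0)` block starts and ends outside the hunk.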
'; print_barre_liste('',$page,$_SERVER["PHP_SELF"],$param,$sortfield,$sortorder,'',$num,$nbtotalofrecords); - print ""; + print '
'; print ''; print_liste_field_titre($langs->trans("Name")." / ".$langs->trans("Company"),$_SERVER["PHP_SELF"],"d.nom",$param,"","",$sortfield,$sortorder); @@ -455,15 +457,15 @@ if ($rowid > 0) print ''; print ''; + print ''; print ''; + print ''; print ''; print ''; + print ''; print ''; @@ -487,14 +489,14 @@ if ($rowid > 0) // Nom $var=!$var; - print ""; + print ''; if ($objp->societe != '') { - print "\n"; + print ''."\n"; } else { - print "\n"; + print ''."\n"; } // Login @@ -552,12 +554,12 @@ if ($rowid > 0) print '"; @@ -579,7 +581,7 @@ if ($rowid > 0) } - if ($_GET["action"] == 'edit') + if ($action == 'edit') { $form = new Form($db); @@ -597,7 +599,6 @@ if ($rowid > 0) dol_fiche_head($head, 'card', $langs->trans("MemberType"), 0, 'group'); - print ''; print ''; print ''; @@ -617,7 +618,7 @@ if ($rowid > 0) print ''; print '"; + print ''; print '
'; - print ''; - print ' '; - print ' 
rowid\">".img_object($langs->trans("ShowMember"),"user").' '.$objp->prenom." ".dol_trunc($objp->nom,12)." / ".dol_trunc($objp->societe,12)."'.img_object($langs->trans("ShowMember"),"user").' '.$objp->prenom.' '.dol_trunc($objp->nom,12).' / '.dol_trunc($objp->societe,12).'rowid\">".img_object($langs->trans("ShowMember"),"user").' '.$objp->prenom." ".dol_trunc($objp->nom)."'.img_object($langs->trans("ShowMember"),"user").' '.$objp->prenom.' '.dol_trunc($objp->nom).''; if ($user->rights->adherent->creer) { - print "rowid&action=edit&return=liste.php\">".img_edit().""; + print ''.img_edit().''; } print ' '; if ($user->rights->adherent->supprimer) { - print "rowid&action=resign&return=liste.php\">".img_picto($langs->trans("Resiliate"),'disable.png').""; + print ''.img_picto($langs->trans("Resiliate"),'disable.png').''; } print "
'.$langs->trans("Description").''; - print "
'.$langs->trans("WelcomeEMail").''; require_once(DOL_DOCUMENT_ROOT."/core/class/doleditor.class.php"); diff --git a/htdocs/core/class/html.formbarcode.class.php b/htdocs/core/class/html.formbarcode.class.php index 703715c15c4..cd526042024 100644 --- a/htdocs/core/class/html.formbarcode.class.php +++ b/htdocs/core/class/html.formbarcode.class.php @@ -1,6 +1,6 @@ - * Copyright (C) 2008-2010 Laurent Destailleur +/* Copyright (C) 2007-2011 Regis Houssin + * Copyright (C) 2008-2011 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,7 +18,7 @@ */ /** - * \file htdocs/includes/barcode/html.formbarcode.class.php + * \file htdocs/core/class/html.formbarcode.class.php * \brief Fichier de la classe des fonctions predefinie de composants html */ diff --git a/htdocs/product/admin/produit.php b/htdocs/product/admin/produit.php index e19fceb7448..a158bc5a4b7 100644 --- a/htdocs/product/admin/produit.php +++ b/htdocs/product/admin/produit.php @@ -28,7 +28,7 @@ require("../../main.inc.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php"); -require_once(DOL_DOCUMENT_ROOT."/includes/barcode/html.formbarcode.class.php"); +require_once(DOL_DOCUMENT_ROOT."/core/class/html.formbarcode.class.php"); $langs->load("admin"); diff --git a/htdocs/product/barcode.php b/htdocs/product/barcode.php index 58e9d13ee75..e7aadd55177 100644 --- a/htdocs/product/barcode.php +++ b/htdocs/product/barcode.php @@ -1,7 +1,7 @@ * Copyright (C) 2004-2011 Laurent Destailleur - * Copyright (C) 2005-2010 Regis Houssin + * Copyright (C) 2005-2011 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -26,44 +26,44 @@ require("../main.inc.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/product.lib.php"); require_once(DOL_DOCUMENT_ROOT."/product/class/product.class.php"); -require_once(DOL_DOCUMENT_ROOT."/includes/barcode/html.formbarcode.class.php"); +require_once(DOL_DOCUMENT_ROOT."/core/class/html.formbarcode.class.php"); $langs->load("products"); $langs->load("bills"); -// Security check -if (isset($_GET["id"]) || isset($_GET["ref"])) -{ - $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); -} -$fieldid = isset($_GET["ref"])?'ref':'rowid'; -if ($user->societe_id) $socid=$user->societe_id; -$result=restrictedArea($user,'produit|service&barcode',$id,'product','','',$fieldid); +$id = GETPOST('id','int'); +$ref = GETPOST('ref','alpha'); +$action = GETPOST('action','alpha'); +// Security check +$fieldvalue = (! empty($id) ? $id : $ref); +$fieldname = (! empty($ref) ? 'ref' : 'rowid'); +if ($user->societe_id) $socid=$user->societe_id; +$result=restrictedArea($user,'produit|service&barcode',$fieldvalue,'product','','',$fieldname); + +$object = new Product($db); /* * Actions */ // Modification du type de code barre -if ($_POST['action'] == 'setbarcodetype' && $user->rights->barcode->creer) +if ($action == 'setbarcodetype' && $user->rights->barcode->creer) { - $product = new Product($db); - $product->fetch($_GET["id"]); - $product->barcode_type = $_POST['barcodetype_id']; - $result = $product->update_barcode_type($user); - Header("Location: barcode.php?id=".$_GET["id"]); + $object->fetch($id); + $object->barcode_type = $_POST['barcodetype_id']; + $result = $object->update_barcode_type($user); + Header("Location: ".$_SERVER['PHP_SELF']."?id=".$id); exit; } // Modification du code barre -if ($_POST['action'] == 'setbarcode' && $user->rights->barcode->creer) +if ($action == 'setbarcode' && $user->rights->barcode->creer) { - $product = new Product($db); - $product->fetch($_GET["id"]); - $product->barcode = $_POST['barcode']; //Todo: ajout 
verification de la validite du code barre en fonction du type - $result = $product->update_barcode($user); - Header("Location: barcode.php?id=".$_GET["id"]); + $object->fetch($id); + $object->barcode = $_POST['barcode']; //Todo: ajout verification de la validite du code barre en fonction du type + $result = $object->update_barcode($user); + Header("Location: ".$_SERVER['PHP_SELF']."?id=".$id); exit; } @@ -77,13 +77,11 @@ llxHeader("","",$langs->trans("BarCode")); $form = new Form($db); $formbarcode = new FormBarCode($db); -$product = new Product($db); -if ($_GET["ref"]) $result = $product->fetch('',$_GET["ref"]); -if ($_GET["id"]) $result = $product->fetch($_GET["id"]); +$result = $object->fetch($id,$ref); -$head=product_prepare_head($product, $user); -$titre=$langs->trans("CardProduct".$product->type); -$picto=($product->type==1?'service':'product'); +$head=product_prepare_head($object, $user); +$titre=$langs->trans("CardProduct".$object->type); +$picto=($object->type==1?'service':'product'); dol_fiche_head($head, 'barcode', $titre, 0, $picto); @@ -92,15 +90,15 @@ print ''."\n"; // Reference print ''; print ''; print ''."\n"; // Libelle -print ''; +print ''; // Barcode image -$url=DOL_URL_ROOT.'/viewimage.php?modulepart=barcode&generator='.urlencode($product->barcode_type_coder).'&code='.urlencode($product->barcode).'&encoding='.urlencode($product->barcode_type_code); +$url=DOL_URL_ROOT.'/viewimage.php?modulepart=barcode&generator='.urlencode($object->barcode_type_coder).'&code='.urlencode($object->barcode).'&encoding='.urlencode($object->barcode_type_code); print ''."\n"; // Status (to sell) print ''; // Status (to buy) print ''; // Barcode type @@ -123,16 +121,16 @@ print ''."\n"; @@ -141,20 +139,20 @@ print ''."\n";
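Review bot: `$fieldvalue` and `$fieldname` are derived from different conditions on the two new lines under `// Security check`: with both `id` and `ref` in the request, `$fieldvalue` is the id but `$fieldname` is `'ref'`, so `restrictedArea` would check a ref column against a numeric id; derive both from one test, `$fieldname = (! empty($id) ? 'rowid' : 'ref');`. The two action branches still take `$_POST['barcodetype_id']` and `$_POST['barcode']` raw while everything else moved to GETPOST; `$object->barcode_type = GETPOST('barcodetype_id','int');` at least pins the type id, and the existing Todo about validating the barcode value against its type stays open. Later hunks in this file (the barcode type and barcode value rows) keep reading `$_GET['action']` even though `$action` now exists, so the "uniform code" part of this commit is incomplete there.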
'.$langs->trans("Ref").''; -print $form->showrefnav($product,'ref','',1,'ref'); +print $form->showrefnav($object,'ref','',1,'ref'); print '
'.$langs->trans("Label").''.$product->libelle.'
'.$langs->trans("Label").''.$object->libelle.''; print ''; print ''; @@ -110,12 +108,12 @@ print '
'.$langs->trans("Status").' ('.$langs->trans("Sell").')'.''; -print $product->getLibStatut(2,0); +print $object->getLibStatut(2,0); print '
'.$langs->trans("Status").' ('.$langs->trans("Buy").')'.''; -print $product->getLibStatut(2,1); +print $object->getLibStatut(2,1); print '
'; print ''; +if (($_GET['action'] != 'editbarcodetype') && $user->rights->barcode->creer) print ''; print '
'; print $langs->trans("BarcodeType"); print ''; -if (($_GET['action'] != 'editbarcodetype') && $user->rights->barcode->creer) print 'id.'">'.img_edit($langs->trans('SetBarcodeType'),1).'id.'">'.img_edit($langs->trans('SetBarcodeType'),1).'
'; print '
'; if ($_GET['action'] == 'editbarcodetype') { - $formbarcode->form_barcode_type($_SERVER['PHP_SELF'].'?id='.$product->id,$product->barcode_type,'barcodetype_id'); + $formbarcode->form_barcode_type($_SERVER['PHP_SELF'].'?id='.$object->id,$object->barcode_type,'barcodetype_id'); } else { - print $product->barcode_type_label?$product->barcode_type_label:'
'.$langs->trans("SetDefaultBarcodeType").'
'; + print $object->barcode_type_label?$object->barcode_type_label:'
'.$langs->trans("SetDefaultBarcodeType").'
'; } print '
'; print ''; +if (($_GET['action'] != 'editbarcode') && $user->rights->barcode->creer) print ''; print '
'; print $langs->trans("BarcodeValue"); print ''; -if (($_GET['action'] != 'editbarcode') && $user->rights->barcode->creer) print 'id.'">'.img_edit($langs->trans('SetBarcode'),1).'id.'">'.img_edit($langs->trans('SetBarcode'),1).'
'; print '
'; if ($_GET['action'] == 'editbarcode') { - print ''; + print ''; print ''; print ''; - print ''; + print ''; print ' '; } else { - print $product->barcode; + print $object->barcode; } print '