Fix: minor vulnerabilities

htdocs/admin/modules.php

@@ -31,9 +31,9 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 $langs->load("errors");
 $langs->load("admin");
 
-$mode=isset($_GET["mode"])?GETPOST("mode"):(isset($_SESSION['mode'])?$_SESSION['mode']:0);
+$mode=GETPOST('mode', 'alpha')?GETPOST('mode', 'alpha'):(isset($_SESSION['mode'])?$_SESSION['mode']:0);
 $action=GETPOST('action','alpha');
-$value=GETPOST('value');
+$value=GETPOST('value', 'alpha');
 
 if (! $user->admin)
 	accessforbidden();

htdocs/externalsite/frames.php

@@ -34,11 +34,11 @@ if (empty($conf->global->EXTERNALSITE_URL))
 	llxFooter();
 }
 
-$mainmenu=GETPOST('mainmenu');
-$leftmenu=GETPOST('leftmenu');
-$idmenu=GETPOST('idmenu');
-$theme=GETPOST('theme');
-$codelang=GETPOST('lang');
+$mainmenu=GETPOST('mainmenu', 'alpha');
+$leftmenu=GETPOST('leftmenu', 'alpha');
+$idmenu=GETPOST('idmenu', 'int');
+$theme=GETPOST('theme', 'alpha');
+$codelang=GETPOST('lang', 'alpha');
 
 print "
 <html>

htdocs/index.php

@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 
 
 // If not defined, we select menu "home"
-if (! isset($_GET["mainmenu"])) $_GET["mainmenu"]="home";
+$_GET['mainmenu']=GETPOST('mainmenu', 'alpha')?GETPOST('mainmenu', 'alpha'):'home';
 $action=GETPOST('action');
 
 

htdocs/user/class/user.class.php

@@ -303,7 +303,7 @@ class User extends CommonObject
 			// les caracteristiques (module, perms et subperms) de ce droit.
 			$sql = "SELECT module, perms, subperms";
 			$sql.= " FROM ".MAIN_DB_PREFIX."rights_def";
-			$sql.= " WHERE id = '".$rid."'";
+			$sql.= " WHERE id = '".$this->escape($rid)."'";
 			$sql.= " AND entity = ".$entity;
 
 			$result=$this->db->query($sql);
@@ -319,21 +319,21 @@ class User extends CommonObject
 			}
 
 			// Where pour la liste des droits a ajouter
-			$whereforadd="id=".$rid;
+			$whereforadd="id=".$this->escape($rid);
 			// Ajout des droits induits
-			if ($subperms)   $whereforadd.=" OR (module='$module' AND perms='$perms' AND (subperms='lire' OR subperms='read'))";
-			else if ($perms) $whereforadd.=" OR (module='$module' AND (perms='lire' OR perms='read') AND subperms IS NULL)";
+			if (! empty($subperms))   $whereforadd.=" OR (module='$module' AND perms='$perms' AND (subperms='lire' OR subperms='read'))";
+			else if (! empty($perms)) $whereforadd.=" OR (module='$module' AND (perms='lire' OR perms='read') AND subperms IS NULL)";
 		}
 		else {
 			// On a pas demande un droit en particulier mais une liste de droits
 			// sur la base d'un nom de module de de perms
 			// Where pour la liste des droits a ajouter
-			if ($allmodule) $whereforadd="module='$allmodule'";
-			if ($allperms)  $whereforadd=" AND perms='$allperms'";
+			if (! empty($allmodule)) $whereforadd="module='".$this->escape($allmodule)."'";
+			if (! empty($allperms))  $whereforadd=" AND perms='".$this->escape($allperms)."'";
 		}
 
 		// Ajout des droits trouves grace au critere whereforadd
-		if ($whereforadd)
+		if (! empty($whereforadd))
 		{
 			//print "$module-$perms-$subperms";
 			$sql = "SELECT id";
@@ -403,7 +403,7 @@ class User extends CommonObject
 			// les caracteristiques module, perms et subperms de ce droit.
 			$sql = "SELECT module, perms, subperms";
 			$sql.= " FROM ".MAIN_DB_PREFIX."rights_def";
-			$sql.= " WHERE id = '".$rid."'";
+			$sql.= " WHERE id = '".$this->escape($rid)."'";
 			$sql.= " AND entity = ".$entity;
 
 			$result=$this->db->query($sql);
@@ -419,7 +419,7 @@ class User extends CommonObject
 			}
 
 			// Where pour la liste des droits a supprimer
-			$wherefordel="id=".$rid;
+			$wherefordel="id=".$this->escape($rid);
 			// Suppression des droits induits
 			if ($subperms=='lire' || $subperms=='read') $wherefordel.=" OR (module='$module' AND perms='$perms' AND subperms IS NOT NULL)";
 			if ($perms=='lire' || $perms=='read')       $wherefordel.=" OR (module='$module')";
@@ -427,12 +427,12 @@ class User extends CommonObject
 		else {
 			// On a demande suppression d'un droit sur la base d'un nom de module ou perms
 			// Where pour la liste des droits a supprimer
-			if ($allmodule) $wherefordel="module='$allmodule'";
-			if ($allperms)  $wherefordel=" AND perms='$allperms'";
+			if (! empty($allmodule)) $wherefordel="module='".$this->escape($allmodule)."'";
+			if (! empty($allperms))  $wherefordel=" AND perms='".$this->escape($allperms)."'";
 		}
 
 		// Suppression des droits selon critere defini dans wherefordel
-		if ($wherefordel)
+		if (! empty($wherefordel))
 		{
 			//print "$module-$perms-$subperms";
 			$sql = "SELECT id";

htdocs/user/group/perms.php

@@ -33,9 +33,10 @@ $langs->load("users");
 $langs->load("admin");
 
 $id=GETPOST('id','int');
-$action=GETPOST("action");
-$confirm=GETPOST("confirm");
-$module=GETPOST("module");
+$action=GETPOST('action', 'alpha');
+$confirm=GETPOST('confirm', 'alpha');
+$module=GETPOST('module', 'alpha');
+$rights=GETPOST('rights', 'int');
 
 // Defini si peux lire les permissions
 $canreadperms=($user->admin || $user->rights->user->user->lire);
@@ -60,14 +61,14 @@ if ($action == 'addrights' && $caneditperms)
 {
     $editgroup = new Usergroup($db);
     $result=$editgroup->fetch($id);
-    if ($result > 0) $editgroup->addrights($_GET["rights"],$module);
+    if ($result > 0) $editgroup->addrights($rights, $module);
 }
 
 if ($action == 'delrights' && $caneditperms)
 {
     $editgroup = new Usergroup($db);
     $result=$editgroup->fetch($id);
-    if ($result > 0) $editgroup->delrights($_GET["rights"],$module);
+    if ($result > 0) $editgroup->delrights($rights, $module);
 }
 
 

htdocs/user/perms.php

@@ -35,8 +35,8 @@ $langs->load("admin");
 $id=GETPOST('id', 'int');
 $action=GETPOST('action', 'alpha');
 $confirm=GETPOST('confirm', 'alpha');
-$rights=GETPOST('rights','int');
-$module=GETPOST('module');
+$module=GETPOST('module', 'alpha');
+$rights=GETPOST('rights', 'int');
 $entity=(GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity);
 
 if (! isset($id) || empty($id)) accessforbidden();