Merge branch '16.0' of git@github.com:Dolibarr/dolibarr.git into develop

htdocs/core/class/rssparser.class.php

@@ -49,6 +49,8 @@ class RssParser
 	private $_lastfetchdate; // Last successful fetch
 	private $_rssarray = array();
 
+	private $current_namespace;
+
 	// For parsing with xmlparser
 	public $stack = array(); // parser stack
 	private $_CONTENT_CONSTRUCTS = array('content', 'summary', 'info', 'title', 'tagline', 'copyright');

htdocs/core/lib/admin.lib.php

@@ -324,10 +324,11 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 	$keyforsql = md5($sqlfile);
 	foreach ($arraysql as $i => $sql) {
 		if ($sql) {
-			// Test if sql is allowed
+			// Test if th SQL is allowed SQL
 			if ($onlysqltoimportwebsite) {
-				$newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql);
+				$newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql);	// Replace the \' seque,ce
-				// Remove all strings contents
+
+				// Remove all strings contents including the ' so we can analyse SQL instruction only later
 				$l = strlen($newsql);
 				$is = 0;
 				$quoteopen = 0;
@@ -348,11 +349,12 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 				$newsqlclean = str_replace(array("null"), '__000__', $newsqlclean);
 				//print $newsqlclean."<br>\n";
 
-				// A very small control. This can still by bypassed by adding a second SQL request concatenated
 				$qualified = 0;
+
+				// A very small control. This can still by bypassed by adding a second SQL request concatenated
 				if (preg_match('/^--/', $newsqlclean)) {
 					$qualified = 1;
-				} elseif (preg_match('/^UPDATE llx_website SET fk_default_home = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
+				} elseif (preg_match('/^UPDATE llx_website SET \w+ = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
 					$qualified = 1;
 				} elseif (preg_match('/^INSERT INTO llx_website_page\([a-z0-9_\s,]+\) VALUES\([0-9_\s,\+]+\);$/', $newsqlclean)) {
 					// Insert must match
@@ -360,11 +362,18 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 					$qualified = 1;
 				}
 
+				// Another check to allow some legitimate original urls
+				if (!$qualified) {
+					if (preg_match('/^UPDATE llx_website SET \w+ = \'[a-zA-Z,\s]*\' WHERE rowid = \d+;$/', $sql)) {
+						$qualified = 1;
+					}
+				}
+
 				if (!$qualified) {
 					$error++;
 					//print 'Request '.($i + 1)." contains non allowed instructions.<br>\n";
 					//print "newsqlclean = ".$newsqlclean."<br>\n";
-					dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_DEBUG);
+					dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_WARNING);
 					dol_syslog('$newsqlclean='.$newsqlclean, LOG_DEBUG);
 					break;
 				}
@@ -424,6 +433,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 					$error++;
 					break;
 				}
+
 				$from = '__'.$cursor.'__';
 				$to = $listofinsertedrowid[$cursor];
 				$newsql = str_replace($from, $to, $newsql);

htdocs/website/class/website.class.php

@@ -1103,7 +1103,7 @@ class Website extends CommonObject
 		}
 
 		$line = "\n-- For Dolibarr v14+ --;\n";
-		$line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->fk_default_lang)."' WHERE rowid = __WEBSITE_ID__;\n";
+		$line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->lang)."' WHERE rowid = __WEBSITE_ID__;\n";
 		$line .= "UPDATE llx_website SET otherlang = '".$this->db->escape($this->otherlang)."' WHERE rowid = __WEBSITE_ID__;\n";
 		$line .= "\n";
 		fputs($fp, $line);
@@ -1146,7 +1146,7 @@ class Website extends CommonObject
 		$object = $this;
 		if (empty($object->ref)) {
 			$this->error = 'Function importWebSite called on object not loaded (object->ref is empty)';
-			return -1;
+			return -2;
 		}
 
 		dol_delete_dir_recursive($conf->website->dir_temp."/".$object->ref);
@@ -1155,14 +1155,14 @@ class Website extends CommonObject
 		$filename = basename($pathtofile);
 		if (!preg_match('/^website_(.*)-(.*)$/', $filename, $reg)) {
 			$this->errors[] = 'Bad format for filename '.$filename.'. Must be website_XXX-VERSION.';
-			return -1;
+			return -3;
 		}
 
 		$result = dol_uncompress($pathtofile, $conf->website->dir_temp.'/'.$object->ref);
 
 		if (!empty($result['error'])) {
 			$this->errors[] = 'Failed to unzip file '.$pathtofile.'.';
-			return -1;
+			return -4;
 		}
 
 		$arrayreplacement = array();
@@ -1211,7 +1211,7 @@ class Website extends CommonObject
 		// Load sql record
 		$runsql = run_sql($sqlfile, 1, '', 0, '', 'none', 0, 1, 0, 0, 1); // The maxrowid of table is searched into this function two
 		if ($runsql <= 0) {
-			$this->errors[] = 'Failed to load sql file '.$sqlfile;
+			$this->errors[] = 'Failed to load sql file '.$sqlfile.' (ret='.$runsql.')';
 			$error++;
 		}
 

htdocs/website/class/websitepage.class.php

@@ -612,6 +612,8 @@ class WebsitePage extends CommonObject
 	 */
 	public function delete(User $user, $notrigger = false)
 	{
+		global $conf;
+
 		$error = 0;
 
 		// Delete all child tables
@@ -630,7 +632,7 @@ class WebsitePage extends CommonObject
 		}
 
 		if (!$error) {
-			$result = $this->deleteCommon($user, $trigger);
+			$result = $this->deleteCommon($user, $notrigger);
 			if ($result <= 0) {
 				$error++;
 			}

htdocs/website/index.php

@@ -2307,6 +2307,7 @@ if ($action == 'importsiteconfirm' && $usercanedit) {
 
 			if (!$error) {
 				$result = $object->importWebSite($fileofzip);
+
 				if ($result < 0) {
 					setEventMessages($object->error, $object->errors, 'errors');
 					$action = 'importsite';
@@ -4688,7 +4689,7 @@ if ($action == 'preview' || $action == 'createfromclone' || $action == 'createpa
 			try {
 				$res = include $filephp;
 				if (empty($res)) {
-					print "ERROR: Failed to include file '".$filephp."'. Try to edit and save page.";
+					print "ERROR: Failed to include file '".$filephp."'. Try to edit and re-save page ith this ID.";
 				}
 			} catch (Exception $e) {
 				print $e->getMessage();