From 9c99cae9110b7acc21bf4960d3b9531f91984c24 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 28 Jun 2015 23:32:38 +0200
Subject: [PATCH] FIX XSS security using the onerror and missing escapement on type of member page.

---
 htdocs/adherents/type.php | 45 ++++++++++++++++++-------------
 htdocs/core/lib/functions.lib.php | 4 +--
 htdocs/main.inc.php | 1 +
 3 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php
index ea39a200c97..14bbcb8e854 100644
--- a/htdocs/adherents/type.php
+++ b/htdocs/adherents/type.php
@@ -51,6 +51,12 @@ $pagenext = $page + 1;
 if (! $sortorder) { $sortorder="DESC"; }
 if (! $sortfield) { $sortfield="d.lastname"; }
+$label=GETPOST("libelle","alpha");
+$cotisation=GETPOST("cotisation","int");
+$vote=GETPOST("vote","int");
+$comment=GETPOST("comment");
+$mail_valid=GETPOST("mail_valid");
+
 // Security check
 $result=restrictedArea($user,'adherent',$rowid,'adherent_type');
@@ -81,11 +87,11 @@ if ($action == 'add' && $user->rights->adherent->configurer)
 {
 $adht = new AdherentType($db);
- $adht->libelle = trim($_POST["libelle"]);
- $adht->cotisation = trim($_POST["cotisation"]);
- $adht->note = trim($_POST["comment"]);
- $adht->mail_valid = trim($_POST["mail_valid"]);
- $adht->vote = trim($_POST["vote"]);
+ $adht->libelle = trim($label);
+ $adht->cotisation = trim($cotisation);
+ $adht->note = trim($comment);
+ $adht->mail_valid = trim($mail_valid);
+ $adht->vote = trim($vote);
 // Fill array 'array_options' with data from add form
 $ret = $extrafields->setOptionalsFromPost($extralabels,$adht);
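Review bot: `$comment=GETPOST("comment");` and `$mail_valid=GETPOST("mail_valid");` are read with no check type while `libelle` gets 'alpha' and `cotisation`/`vote` get 'int'; both values are stored unfiltered into `$adht->note` and `$adht->mail_valid` in the next hunk, so their safety depends entirely on escaping wherever they are later rendered, which this patch does not touch. If the omission is deliberate because they are free text (the docblock hunk in functions.lib.php says the sanitising checks are not for free text), say so at the read site: `// free text: no GETPOST check, must be escaped on output`. Otherwise consider the same check the rest of the page uses.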
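Review bot: `$adht->cotisation = trim($cotisation);` and `$adht->vote = trim($vote);` call trim() on values that the hunk above already filtered with GETPOST(..., "int"); the trim is harmless but hides that these are meant to be integers, and the same pattern is repeated in the 'update' hunk at -118. Presumably GETPOST returns something non-numeric (an empty string, not visible here) when the 'int' check fails, so whatever AdherentType does with an empty cotisation/vote is worth confirming. A `(int)` cast, or a comment `// already 'int'-checked by GETPOST`, would make the intent clearer than trim(). The enclosing `if ($action == 'add' ...)` block continues past the end of the hunk.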
@@ -118,12 +124,12 @@ if ($action == 'update' && $user->rights->adherent->configurer)
 if ($_POST["button"] != $langs->trans("Cancel"))
 {
 $adht = new AdherentType($db);
- $adht->id = $_POST["rowid"];
- $adht->libelle = trim($_POST["libelle"]);
- $adht->cotisation = trim($_POST["cotisation"]);
- $adht->note = trim($_POST["comment"]);
- $adht->mail_valid = trim($_POST["mail_valid"]);
- $adht->vote = trim($_POST["vote"]);
+ $adht->id = $rowid;
+ $adht->libelle = trim($label);
+ $adht->cotisation = trim($cotisation);
+ $adht->note = trim($comment);
+ $adht->mail_valid = trim($mail_valid);
+ $adht->vote = trim($vote);
 // Fill array 'array_options' with data from add form
 $ret = $extrafields->setOptionalsFromPost($extralabels,$adht);
@@ -196,7 +202,7 @@ if (! $rowid && $action != 'create' && $action != 'edit')
 $var=!$var;
 print "";
 print ''.img_object($langs->trans("ShowType"),'group').' '.$objp->rowid.'';
- print ''.$objp->libelle.'';
+ print ''.dol_escape_htmltag($objp->libelle).'';
 print ''.yn($objp->cotisation).'';
 print ''.yn($objp->vote).'';
 print 'rowid.'">'.img_edit().'';
@@ -314,7 +320,7 @@ if ($rowid > 0)
 print '';
 // Label
- print ''.$langs->trans("Label").''.$adht->libelle.'';
+ print ''.$langs->trans("Label").''.dol_escape_htmltag($adht->libelle).'';
 print ''.$langs->trans("SubscriptionRequired").'';
 print yn($adht->cotisation);
@@ -491,15 +497,15 @@ if ($rowid > 0)
 print '';
 print '';
- print '';
+ print '';
 print '';
- print '';
+ print '';
 print ' ';
 print '';
- print '';
+ print '';
 print ' ';
@@ -561,7 +567,7 @@ if ($rowid > 0)
 if ($datefin)
 {
 print '';
- if ($datefin < time() && $objp->statut > 0)
+ if ($datefin < dol_now() && $objp->statut > 0)
 {
 print dol_print_date($datefin,'day')." ".img_warning($langs->trans("SubscriptionLate"));
 }
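Review bot: `$adht->id = $rowid;` now takes the record id from `$rowid`, which is defined outside this hunk and is the same value passed to restrictedArea() in the hunk at -51, instead of from a separate `$_POST["rowid"]`; that ties the updated record to the id that was authorised, which is the right direction, but the reason is not stated. A one-line comment would keep a future edit from reintroducing the split: `// use the $rowid already checked by restrictedArea(), never a separate POST id`. The surrounding `if ($_POST["button"] != $langs->trans("Cancel"))` still reads `$_POST` directly while every other input in this block moved to GETPOST(); presumably harmless, but inconsistent with the rest of the change. The `if ($action == 'update' ...)` block continues past the end of the hunk.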
@@ -641,7 +647,7 @@ if ($rowid > 0)
 print ''.$langs->trans("Ref").''.$adht->id.'';
- print ''.$langs->trans("Label").'';
+ print ''.$langs->trans("Label").'';
 print ''.$langs->trans("SubscriptionRequired").'';
 print $form->selectyesno("cotisation",$adht->cotisation,1);
@@ -687,6 +693,7 @@ if ($rowid > 0)
 }
 }
-$db->close();
 llxFooter();
+
+$db->close();
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f3f4fa838ee..830911fdfb4 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -189,7 +189,7 @@ function dol_shutdown()
 * Return value of a param into GET or POST supervariable
 *
 * @param string $paramname Name of parameter to found
- * @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'= Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string), 'custom'= custom filter specify $filter and $options)
+ * @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string), 'custom'= custom filter specify $filter and $options)
 * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
 * @param int $filter Filter to apply when $check is set to custom. (See http://php.net/manual/en/filter.filters.php for détails)
 * @param mixed $options Options to pass to filter_var when $check is set to custom
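Review bot: Moving `$db->close();` below `llxFooter();` changes when the database connection is released and is unrelated to the XSS fix in the commit subject, yet nothing explains it. If the reason is that llxFooter() (not in this diff) may still need the connection, for example for hooks or queries, say so where the call now sits: `// keep the connection open until the footer has run`. Otherwise this reorder is easier to review as its own commit. The file's closing lines are inside the hunk, so no further context is cut off.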
@@ -507,7 +507,7 @@ function dol_escape_js($stringtoescape, $mode=0, $noescapebackslashn=0)
 /**
- * Returns text escaped for inclusion in HTML alt or title tags, or into values of HTMPL input fields
+ * Returns text escaped for inclusion in HTML alt or title tags, or into values of HTML input fields.
 *
 * @param string $stringtoescape String to escape
 * @param int $keepb Do not clean b tags
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 53c2987ace7..e432db3e025 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -89,6 +89,7 @@ function test_sql_and_script_inject($val, $type)
 $sql_inj += preg_match('/union.+select/i', $val);
 $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ $sql_inj += preg_match('/onerror=/i', $val);
 }
 // For XSS Injection done by adding javascript with script
 // This is all cases a browser consider text is javascript:
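Review bot: `$sql_inj += preg_match('/onerror=/i', $val);` is a request-level denylist entry that matches only the literal `onerror=`; it is counted into the SQL-injection accumulator even though the following context comment `// For XSS Injection done by adding javascript with script` marks the XSS section, so the check is in the wrong block or needs its own comment, e.g. `// HTML event-handler attribute (XSS), not an SQL pattern`. A single fixed token also does not cover the other `on*` handler attributes or variant spellings, so this should be documented as defence in depth while the real control remains the output escaping added in type.php. The enclosing function test_sql_and_script_inject starts before the hunk and continues after it.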