diff --git a/htdocs/barcode/printsheet.php b/htdocs/barcode/printsheet.php
index 1ac908f361a..dabd05bf745 100644
--- a/htdocs/barcode/printsheet.php
+++ b/htdocs/barcode/printsheet.php
@@ -36,10 +36,10 @@ $now = dol_now();
 $year = dol_print_date($now, '%Y');
 $month = dol_print_date($now, '%m');
 $day = dol_print_date($now, '%d');
-$forbarcode = GETPOST('forbarcode');
-$fk_barcode_type = GETPOST('fk_barcode_type');
-$mode = GETPOST('mode');
-$modellabel = GETPOST("modellabel"); // Doc template to use
+$forbarcode = GETPOST('forbarcode', 'alphanohtml');
+$fk_barcode_type = GETPOST('fk_barcode_type', 'int');
+$mode = GETPOST('mode', 'aZ09');
+$modellabel = GETPOST("modellabel", 'aZ09'); // Doc template to use
 $numberofsticker = GETPOST('numberofsticker', 'int');
 $mesg = '';
@@ -57,8 +57,8 @@ $thirdpartytmp = new Societe($db);
 if (GETPOST('submitproduct') && GETPOST('submitproduct'))
 {
 $action = ''; // We reset because we don't want to build doc
- if (GETPOST('productid') > 0) {
- $result = $producttmp->fetch(GETPOST('productid'));
+ if (GETPOST('productid', 'int') > 0) {
+ $result = $producttmp->fetch(GETPOST('productid', 'int'));
 if ($result < 0) {
 setEventMessage($producttmp->error, 'errors');
 }
@@ -76,9 +76,9 @@ if (GETPOST('submitproduct') && GETPOST('submitproduct'))
 if (GETPOST('submitthirdparty') && GETPOST('submitthirdparty'))
 {
 $action = ''; // We reset because we don't want to build doc
- if (GETPOST('socid') > 0)
+ if (GETPOST('socid', 'int') > 0)
 {
- $thirdpartytmp->fetch(GETPOST('socid'));
+ $thirdpartytmp->fetch(GETPOST('socid', 'int'));
 $forbarcode = $thirdpartytmp->barcode;
 $fk_barcode_type = $thirdpartytmp->barcode_type_code;
@@ -381,7 +381,7 @@ if (!empty($user->rights->produit->lire) || !empty($user->rights->service->lire)
 print ' '.$langs->trans("FillBarCodeTypeAndValueFromProduct").'   ';
 print '
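Review bot: In the hunk at `@@ -76`, the new line `$thirdpartytmp->fetch(GETPOST('socid', 'int'));` still discards the return value, so a fetch that fails (a negative status, judging from the `$result < 0` check the product branch uses) falls through to reading `$thirdpartytmp->barcode` and `->barcode_type_code` from an object that was never loaded, and the form silently shows empty values. Mirror the product branch of the `@@ -57` hunk: `$result = $thirdpartytmp->fetch(GETPOST('socid', 'int'));` followed by `if ($result < 0) { setEventMessage($thirdpartytmp->error, 'errors'); }`. In both of those hunks `GETPOST('productid', 'int')` and `GETPOST('socid', 'int')` are evaluated twice (once in the `> 0` test, once in the `fetch` call); reading each once into a local such as `$socid = GETPOST('socid', 'int');` keeps the sanitisation filter in a single place and avoids the two calls drifting apart later. Both enclosing `if` blocks continue past the end of their hunks.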
'; print '
'; - $form->select_produits(GETPOST('productid'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); + $form->select_produits(GETPOST('productid', 'int'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); print '   '; print '
'; } @@ -391,7 +391,7 @@ if (!empty($user->rights->societe->lire)) print ' '.$langs->trans("FillBarCodeTypeAndValueFromThirdParty").'   '; print '
'; print '
'; - print $form->select_company(GETPOST('socid'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); + print $form->select_company(GETPOST('socid', 'int'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); print '   '; print '
'; } diff --git a/htdocs/core/data/cloud_metadata_for_ssrf_test.txt b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt index 2b59f1a7806..4d98b656b3c 100644 --- a/htdocs/core/data/cloud_metadata_for_ssrf_test.txt +++ b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt 
@@ -1,90 +1,23 @@
-## This file is a list of predefined URLs to block when trying to access them from the application (in case
-## of application is used to get metadata).
-## Found at https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
+## This file is a list of predefined URLs to block when trying to access them from the application,
+## for example when using the grab website feature of module website
+## Allowing grabbing local url allow to get metadata.
-## IPv6 Tests
-http://[::ffff:169.254.169.254]
-http://[0:0:0:0:0:ffff:169.254.169.254]
-
-## AWS
-# Amazon Web Services (No Header Required)
-# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
-http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
-http://169.254.169.254/latest/user-data
-http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
-http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
-http://169.254.169.254/latest/meta-data/ami-id
-http://169.254.169.254/latest/meta-data/reservation-id
-http://169.254.169.254/latest/meta-data/hostname
-http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
-http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
-
-# ECS Task : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
-http://169.254.170.2/v2/credentials/
-
-## Google Cloud (Header Sometimes Required)
-# https://cloud.google.com/compute/docs/metadata
-# - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" on API v1
-# - Most endpoints can be accessed via the v1beta API without a header
-http://169.254.169.254/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/
-http://metadata/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/instance/hostname
-http://metadata.google.internal/computeMetadata/v1/instance/id
-http://metadata.google.internal/computeMetadata/v1/project/project-id
-# kube-env; thanks to JackMc for the heads up on this (https://hackerone.com/reports/341876)
-http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env
-# Google allows recursive pulls
-http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
-# returns root password for Google
-http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json
-
-## Digital Ocean (No Header Required)
-# https://developers.digitalocean.com/documentation/metadata/
-http://169.254.169.254/metadata/v1.json
-http://169.254.169.254/metadata/v1/
-http://169.254.169.254/metadata/v1/id
-http://169.254.169.254/metadata/v1/user-data
-http://169.254.169.254/metadata/v1/hostname
-http://169.254.169.254/metadata/v1/region
-http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
-
-## Packetcloud
-https://metadata.packet.net/userdata
-
-# Azure (Header Required)
-# Header: "Metadata: true"
-# https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
-# (Old: ) https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
-http://169.254.169.254/metadata/instance?api-version=2017-04-02
-http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
-
-# Oracle Cloud (No Header Required)
-# https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htm
-http://169.254.169.254/opc/v1/instance/
-
-# Updated from jhaddix fork ===
-## Alibaba
-# https://www.alibabacloud.com/help/faq-detail/49122.htm
-http://100.100.100.200/latest/meta-data/
-http://100.100.100.200/latest/meta-data/instance-id
-http://100.100.100.200/latest/meta-data/image-id
-# ===
-
-## OpenStack/RackSpace
-# https://docs.openstack.org/nova/latest/user/metadata-service.html
-http://169.254.169.254/openstack
-
-## Oracle Cloud
-# https://docs.oracle.com/en/cloud/iaas/compute-iaas-cloud/stcsg/retrieving-instance-metadata.html
-http://192.0.0.192/latest/
-http://192.0.0.192/latest/user-data/
-http://192.0.0.192/latest/meta-data/
-http://192.0.0.192/latest/attributes/
-
-## Kubernetes
-# Debug Services (https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service/)
-https://kubernetes.default.svc.cluster.local
-https://kubernetes.default
-# https://twitter.com/Random_Robbie/status/1072242182306832384
-https://kubernetes.default.svc/metrics
+10.0.0.0/8
+0.0.0.0/8
+100.64.0.0/10
+127.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+192.0.0.0/29
+192.0.2.0/24
+192.88.99.0/24
+192.168.0.0/16
+198.18.0.0/15
+198.51.100.0/24
+203.0.113.0/24
+224.0.0.0/4
+240.0.0.0/4
+metadata.google.internal
+100.100.100.200 (Alibaba Metadata)
+[::]
+[::1]
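Review bot: The new entry `100.100.100.200 (Alibaba Metadata)` keeps a human label on the same line as the address, so a reader that takes one address, CIDR or hostname per line (which is what every other new entry and the header comment suggest) will compare against the whole string, match nothing, and the Alibaba range silently drops out of the blocklist; put the label on its own comment line above it, `# Alibaba metadata service` / `100.100.100.200`. The header still calls the file a list of "URLs" while the new side holds CIDR ranges and hostnames, so one line stating the accepted entry syntax (one IPv4 CIDR, bare IPv4, hostname or bracketed IPv6 per line) would tell the next editor what the consuming code, which is outside this diff, expects. On the IPv6 side only `[::]` and `[::1]` remain: the IPv4-mapped forms the old list blocked (`[::ffff:169.254.169.254]`), link-local `fe80::/10` and ULA `fc00::/7` are gone, so unless the reader normalises mapped addresses to IPv4 before comparing, the link-local metadata range would no longer be caught in that form; either add those entries or confirm the normalisation in the reader.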