From a12d453d381fba0440c0a1f41ab83a544e0219e8 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 13 Oct 2012 11:41:17 +0200 Subject: [PATCH] Fix: security --- htdocs/comm/contact.php | 31 ++++++++++++++++++------------- htdocs/comm/index.php | 13 ++++++++----- 2 files changed, 26 insertions(+), 18 deletions(-) diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index d1e29fe5a40..eb46f093ccf 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -37,7 +37,11 @@ if ($page < 0) { $page = 0; } $limit = $conf->liste_limit; $offset = $limit * $page ; -$type=$_GET["type"]; +$type=GETPOST('type', 'alpha'); +$search_lastname=GETPOST('search_nom')?GETPOST('search_nom'):GETPOST('search_lastname'); // For backward compatibility +$search_firstname=GETPOST('search_prenom')?GETPOST('search_prenom'):GETPOST('search_firstname'); // For backward compatibility +$search_company=GETPOST('search_societe')?GETPOST('search_societe'):GETPOST('search_company'); // For backward compatibility +$contactname=GETPOST('contactname'); // Security check $socid = GETPOST('socid','int'); 
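Review bot: The four search variables are read with a bare `GETPOST()` and no check type, and the `trim()` that the old code applied to each `$_GET` value is gone, so a whitespace-only search now reaches the SQL filter as `LIKE '% %'`, while the `! empty()` tests used further down also silently drop a legitimate search for the string `0`. Keeping the old trimming on the new variables restores that, e.g. `$search_lastname=trim(GETPOST('search_nom')?GETPOST('search_nom'):GETPOST('search_lastname'));`, and the later tests can become `$search_lastname !== ''`. SQL safety for these values then rests entirely on the `$db->escape()` calls added later in the file, which is adequate for quoted LIKE strings; if the same values are also re-echoed into the search form they will additionally need HTML escaping there, which this hunk does not show.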
@@ -91,29 +95,30 @@ if (dol_strlen($stcomm)) $sql.= " AND s.fk_stcomm=$stcomm"; } +// FIXME $begin not exist if (dol_strlen($begin)) // filtre sur la premiere lettre du nom { $sql.= " AND upper(p.name) LIKE '".$begin."%'"; } -if (trim($_GET["search_nom"])) +if (! empty($search_lastname)) { - $sql.= " AND p.name LIKE '%".trim($_GET["search_nom"])."%'"; + $sql.= " AND p.name LIKE '%".$db->escape($search_lastname)."%'"; } -if (trim($_GET["search_prenom"])) +if (! empty($search_firstname)) { - $sql.= " AND p.firstname LIKE '%".trim($_GET["search_prenom"])."%'"; + $sql.= " AND p.firstname LIKE '%".$db->escape($search_firstname)."%'"; } -if (trim($_GET["search_societe"])) +if (! empty($search_company)) { - $sql.= " AND s.nom LIKE '%".trim($_GET["search_societe"])."%'"; + $sql.= " AND s.nom LIKE '%".$db->escape($search_company)."%'"; } -if ($_GET["contactname"]) // acces a partir du module de recherche +if (! empty($contactname)) // acces a partir du module de recherche { - $sql.= " AND (p.name LIKE '%".strtolower($_GET["contactname"])."%' OR lower(p.firstname) LIKE '%".strtolower($_GET["contactname"])."%') "; + $sql.= " AND (p.name LIKE '%".$db->escape(strtolower($contactname))."%' OR lower(p.firstname) LIKE '%".$db->escape(strtolower($contactname))."%') "; $sortfield = "p.name"; $sortorder = "ASC"; } @@ -125,7 +130,7 @@ $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); - + $title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("ListOfContacts") : $langs->trans("ListOfContactsAddresses")); print_barre_liste($title.($label?" (".$label.")":""),$page, $_SERVER["PHP_SELF"], "&type=$type",$sortfield,$sortorder,"",$num); @@ -140,9 +145,9 @@ if ($resql) print '
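Review bot: The `$begin` filter just above the new escaping is left interpolating an unescaped value into the LIKE clause, and the commit's own `// FIXME $begin not exist` comment confirms nothing assigns it, so the block is dead code today that becomes a live, unescaped injection point the moment anything (register_globals, a later assignment) defines `$begin`. Either remove the block or escape it like its neighbours: `$sql.= " AND upper(p.name) LIKE '".$db->escape($begin)."%'";`. The `$stcomm` interpolation on the context line at the top of the hunk is likewise unescaped; where that value originates is outside this hunk, so it may already be validated. Note also that `$db->escape()` leaves the LIKE metacharacters `%` and `_` active, which is acceptable for a search box but worth a one-line comment so nobody mistakes it for a literal match.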
'; print ''; - print ''; - print ''; - print ''; + print ''; + print ''; + print ''; print ' '; print ''; print "\n"; diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index d124b836692..e3df88ec3ce 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -35,6 +35,9 @@ if (! $user->rights->societe->lire) accessforbidden(); $langs->load("commercial"); +$action=GETPOST('action', 'alpha'); +$bid=GETPOST('bid', 'int'); + // Securite acces client $socid=GETPOST('socid','int'); if (isset($user->societe_id) && $user->societe_id > 0) @@ -50,23 +53,23 @@ $now=dol_now(); * Actions */ -if (isset($_GET["action"]) && $_GET["action"] == 'add_bookmark') +if ($action == 'add_bookmark' && ! empty($socid)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE fk_soc = ".$_GET["socid"]." AND fk_user=".$user->id; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE fk_soc = ".$db->escape($socid)." AND fk_user=".$user->id; if (! $db->query($sql) ) { dol_print_error($db); } - $sql = "INSERT INTO ".MAIN_DB_PREFIX."bookmark (fk_soc, dateb, fk_user) VALUES (".$_GET["socid"].", ".$db->idate($now).",".$user->id.");"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."bookmark (fk_soc, dateb, fk_user) VALUES (".$db->escape($socid).", ".$db->idate($now).",".$user->id.");"; if (! $db->query($sql) ) { dol_print_error($db); } } -if (isset($_GET["action"]) && $_GET["action"] == 'del_bookmark') +if ($action == 'del_bookmark' && ! empty($bid)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$_GET["bid"]; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$db->escape($bid); $result = $db->query($sql); }
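Review bot: The `del_bookmark` DELETE is keyed on `rowid` alone, so any user who passes the `societe->lire` check can delete another user's bookmark by guessing its id, whereas the add path correctly scopes its DELETE with `fk_user=".$user->id`. Unless bookmarks are intentionally shared across users, the statement should be `$sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".(int) $bid." AND fk_user=".$user->id;`. Since `$bid` and `$socid` already come through `GETPOST(..., 'int')`, an explicit `(int)` cast is the clearer guard for these unquoted numeric comparisons than `$db->escape()`, which is a string-quoting escape and adds nothing once the value is numeric. Both actions are still triggered by plain GET links with no CSRF token, which appears to be a pre-existing convention rather than something this commit introduced.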