FIX security bugs
This commit is contained in:
parent
78bf209119
commit
a736f3782c
@ -38,7 +38,7 @@ $langs->load("other");
$langs->load("accountancy");
// Filter
$year = $_GET["year"];
$year = GETPOST("year",'int');
if ($year == 0) {
$year_current = strftime("%Y", time());
$year_start = $year_current;
@ -47,9 +47,11 @@ if ($year == 0) {
$year_start = $year;
}
/*
* View
*/
llxHeader('', $langs->trans("Bookkeeping"));
$textprevyear = '<a href="' . $_SERVER["PHP_SELF"] . '?year=' . ($year_current - 1) . '">' . img_previous() . '</a>';
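Review bot: The href on this line still writes `$_SERVER["PHP_SELF"]` into the markup unescaped, so the pass that replaced `$_GET` reads leaves a reflected request value in an HTML attribute; `PHP_SELF` can carry request path info and should be escaped for the attribute context, e.g. `'<a href="' . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES) . '?year=' . ($year_current - 1) . '">'`. The same unescaped `PHP_SELF` appears in the form actions at L276 and L537. `$year_current` is only assigned inside the `$year == 0` branch shown in the previous hunk; if the else branch outside the hunk does not set it, `($year_current - 1)` here reads an undefined variable whenever a year is supplied.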
@ -47,7 +47,7 @@ if (! $user->rights->accounting->bind->write)
accessforbidden();
// Filter
$year = $_GET["year"];
$year = GETPOST("year",'int');
if ($year == 0) {
$year_current = strftime("%Y", time());
$year_start = $year_current;
@ -57,7 +57,7 @@ if ($year == 0) {
}
// Validate History
$action = GETPOST('action');
$action = GETPOST('action','alpha');
@ -43,7 +43,7 @@ $rowid = GETPOST('rowid', 'int');
$cancel = GETPOST('cancel');
// Filter
$year = $_GET["year"];
$year = GETPOST('year','int');
if ($year == 0) {
$year_current = strftime("%Y", time());
$year_start = $year_current;
@ -64,9 +64,11 @@ if (! $user->rights->accounting->comptarapport->lire)
$AccCat = new AccountancyCategory($db);
/*
* View
*/
llxheader('', $langs->trans('ReportInOut'));
$formaccounting = new FormAccounting($db);
@ -45,7 +45,7 @@ if (! $user->rights->accounting->bind->write)
accessforbidden();
// Filter
$year = $_GET["year"];
$year = GETPOST("year",'int');
if ($year == 0) {
$year_current = strftime("%Y", time());
$year_start = $year_current;
@ -55,7 +55,7 @@ if ($year == 0) {
}
// Validate History
$action = GETPOST('action');
$action = GETPOST('action', 'alpha');
/*
@ -85,10 +85,10 @@ if (! isset($conf->global->ASTERISK_PRIORITY)) $conf->global->ASTERISK_PRIORITY
if (! isset($conf->global->ASTERISK_MAX_RETRY)) $conf->global->ASTERISK_MAX_RETRY="2";
$login = $_GET['login'];
$password = $_GET['password'];
$caller = $_GET['caller'];
$called = $_GET['called'];
$login = GETPOST('login');
$password = GETPOST('password');
$caller = GETPOST('caller');
$called = GETPOST('called');
// IP address of Asterisk server
$strHost = $conf->global->ASTERISK_HOST;
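Review bot: The four new reads `GETPOST('login')`, `GETPOST('password')`, `GETPOST('caller')` and `GETPOST('called')` carry no check type, so unlike the `'int'` and `'alpha'` calls elsewhere in this commit they return the raw request value and add no validation over the `$_GET` reads they replace. `$caller` and `$called` are presumably phone numbers handed to the Asterisk host configured just below; they should be constrained to the expected character set at the read, e.g. `$caller = GETPOST('caller','alpha');` and `$called = GETPOST('called','alpha');`, or a digits-only check, before any use. A password accepted from the query string also ends up in server and proxy logs and browser history; now that GETPOST accepts POST as well, the form or client that calls this script should submit these fields by POST. How the values are used after this point is outside the hunk.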
@ -277,7 +277,7 @@ if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service
print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="vadd">';
print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<table class="border" width="100%">';
print '<tr><td class="fieldtitlecreate fieldrequired">'.$langs->trans('Translation').'</td><td>';
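Review bot: The hidden input now emits `$id`, but nothing in the hunk shows where `$id` was read, while the parallel change at L549 in the other translation form reads `GETPOST("id",'int')` inline; the two files take different approaches to the same fix. If `$id` here comes from an untyped read, the value lands unescaped inside a `value="..."` attribute, so it should be read once near the top of the script with an integer check, `$id = GETPOST("id",'int');`, and that variable used in both places. The `$_SERVER["PHP_SELF"]` in the form action on the first line of the hunk is also written into the attribute unescaped.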
@ -79,7 +79,7 @@ $db=getDoliDBInstance($conf->db->type,$conf->db->host,$conf->db->user,$conf->db-
if ($db->ok)
{
print '<tr><td>'.$langs->trans("DolibarrAdminLogin").' :</td><td>';
print '<input name="login" type="text" value="' . (!empty($_GET["login"]) ? $_GET["login"] : (isset($force_install_dolibarrlogin) ? $force_install_dolibarrlogin : '')) . '"' . (@$force_install_noedit == 2 && $force_install_dolibarrlogin !== null ? ' disabled' : '') . '></td></tr>';
print '<input name="login" type="text" value="' . (!empty($_GET["login"]) ? GETPOST("login") : (isset($force_install_dolibarrlogin) ? $force_install_dolibarrlogin : '')) . '"' . (@$force_install_noedit == 2 && $force_install_dolibarrlogin !== null ? ' disabled' : '') . '></td></tr>';
print '<tr><td>'.$langs->trans("Password").' :</td><td>';
print '<input type="password" name="pass"></td></tr>';
print '<tr><td>'.$langs->trans("PasswordAgain").' :</td><td>';
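Review bot: The new `login` input still writes the request value into `value="..."` without escaping, so replacing `$_GET["login"]` with `GETPOST("login")` (no check type) does not change what reaches the page; the value needs escaping for the attribute context, e.g. `htmlspecialchars(GETPOST("login"), ENT_QUOTES)`. The condition also tests `$_GET["login"]` while the value is read through GETPOST, which can also read POST, so the test and the read can disagree; read once before the print, `$login = GETPOST("login");`, and use `!empty($login) ? htmlspecialchars($login, ENT_QUOTES) : ...` in the expression. The `@$force_install_noedit` suppression on the same line hides undefined-variable notices where an `isset` check would make the intent explicit.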
@ -49,12 +49,12 @@ $error = false;
* Set the USER INPUT values
* --------------------------------------------------- */
if (isset($_REQUEST['form_complete'])) {
$sale_price = $_REQUEST['sale_price'];
$annual_interest_percent = $_REQUEST['annual_interest_percent'];
$year_term = $_REQUEST['year_term'];
$down_percent = $_REQUEST['down_percent'];
$show_progress = (isset($_REQUEST['show_progress'])) ? $_REQUEST['show_progress'] : false;
$form_complete = $_REQUEST['form_complete'];
$sale_price = GETPOST('sale_price');
$annual_interest_percent = GETPOST('annual_interest_percent');
$year_term = GETPOST('year_term');
$down_percent = GETPOST('down_percent');
$show_progress = (isset($_REQUEST['show_progress'])) ? GETPOST('show_progress') : false;
$form_complete = GETPOST('form_complete');
}
// This function does the actual mortgage calculations
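Review bot: The replaced reads call `GETPOST(...)` without a check type, so `sale_price`, `annual_interest_percent`, `year_term` and `down_percent` remain untyped strings although they feed the mortgage calculation announced on the next line; validate them at the read so malformed input fails here rather than inside the arithmetic, e.g. `$year_term = GETPOST('year_term','int');` and `$down_percent = (float) GETPOST('down_percent');`. The `show_progress` line mixes sources, testing `isset($_REQUEST['show_progress'])` but reading through GETPOST; the test and the read should use the same accessor. Whether these values are echoed back into the form later is outside the hunk.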
@ -32,7 +32,7 @@ $langs->load('companies');
$langs->load('loan');
// Security check
$id=GETPOST("id");
$id=GETPOST("id",'int');
$action=GETPOST("action");
$confirm=GETPOST('confirm');
if ($user->societe_id) $socid=$user->societe_id;
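Review bot: `$action=GETPOST("action");` and `$confirm=GETPOST('confirm');` are left without a check type directly under the line that adds `'int'` to `id`, while the other files in this commit read `action` with `'alpha'`; for consistency, and so these values are filtered before they are compared and echoed, change them to `$action=GETPOST("action",'alpha');` and `$confirm=GETPOST('confirm','alpha');`. The second hunk of this file then builds the tab URL from `$id`, which is fine now that `$id` is integer-checked.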
@ -120,7 +120,7 @@ $form = new Form($db);
$h=0;
$head[$h][0] = DOL_URL_ROOT.'/loan/payment/card.php?id='.$_GET["id"];
$head[$h][0] = DOL_URL_ROOT.'/loan/payment/card.php?id='.$id;
$head[$h][1] = $langs->trans("Card");
$hselected = $h;
$h++;
@ -325,16 +325,15 @@ class ActionsCardProduct
$this->list_datas = array();
//$_GET["sall"] = 'LL';
// Clean parameters
$sall=trim(isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"]);
$sall=trim(GETPOST("sall"));
foreach($this->field_list as $field)
{
if ($field['enabled'])
{
$fieldname = "s".$field['alias'];
$$fieldname = trim(isset($_GET[$fieldname])?$_GET[$fieldname]:$_POST[$fieldname]);
$$fieldname = trim(GETPOST($fieldname));
}
}
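Review bot: `//$_GET["sall"] = 'LL';` just above the changed `$sall` line is a commented-out debug assignment and should be deleted as part of this clean-up. The new `trim(GETPOST("sall"))` and `trim(GETPOST($fieldname))` reads carry no check type, so the search strings are unfiltered; if they are later concatenated into the SQL this class builds (outside the hunk), they must go through the database escaping at that point. `$$fieldname` takes its name from `$field['alias']` in the configured field list rather than from the request, which keeps the variable-variable bounded. The enclosing method of ActionsCardProduct starts before the hunk.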
@ -308,9 +308,9 @@ class ActionsCardService
$sql.= ' FROM '.MAIN_DB_PREFIX.'product as p';
// We'll need this table joined to the select in order to filter by categ
if ($search_categ) $sql.= ", ".MAIN_DB_PREFIX."categorie_product as cp";
if ($_GET["fourn_id"] > 0)
if (GETPOST("fourn_id",'int') > 0)
{
$fourn_id = $_GET["fourn_id"];
$fourn_id = GETPOST("fourn_id",'int');
$sql.= ", ".MAIN_DB_PREFIX."product_fournisseur_price as pfp";
}
$sql.= " WHERE p.entity IN (".getEntity('product', 1).")";
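Review bot: `GETPOST("fourn_id",'int')` is evaluated twice, once in the condition and again to assign `$fourn_id`; read it once before the `if`, `$fourn_id = GETPOST("fourn_id",'int');` followed by `if ($fourn_id > 0)`, so the SQL join and the later WHERE clause use the same value. `$search_categ` on the line above drives the same kind of conditional join but its origin is not in the hunk; if it is a raw request value it should get the same integer check. The enclosing method of ActionsCardService starts and ends outside the hunk.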
@ -305,7 +305,7 @@ if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service
print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="vadd">';
print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
print '<input type="hidden" name="id" value="'.GETPOST("id",'int').'">';
print '<table class="border" width="100%">';
print '<tr><td valign="top" class="titlefieldcreate fieldrequired">'.$langs->trans('Language').'</td><td>';