Fix: XSS injection

2011-11-25 17:35:01 +01:00 · 2011-11-25 17:35:01 +01:00 · ad6705977b
commit ad6705977b
parent 3fb1db1cf2 2ce2c94f5d
3 changed files with 42 additions and 42 deletions
--- a/htdocs/comm/propal.php
+++ b/htdocs/comm/propal.php
@ -52,6 +52,10 @@ $action=GETPOST('action');
 $confirm=GETPOST('confirm');
 $lineid=GETPOST('lineid');

+$search_ref=GETPOST('sf_ref')?GETPOST('sf_ref','alpha'):GETPOST('search_ref','alpha');
+$search_societe=GETPOST('search_societe','alpha');
+$search_montant_ht=GETPOST('search_montant_ht','alpha');
+
 $sall=GETPOST("sall");
 $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
 $year=GETPOST("year");
@ -1744,23 +1748,23 @@ else
 	{
 		$sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 	}
-	if (GETPOST('search_ref'))
+	if ($search_ref)
 	{
-		$sql.= " AND p.ref LIKE '%".$db->escape(GETPOST('search_ref'))."%'";
+		$sql.= " AND p.ref LIKE '%".$db->escape(trim($search_ref))."%'";
 	}
-	if (!empty($_GET['search_societe']))
+	if ($search_societe)
 	{
-		$sql.= " AND s.nom LIKE '%".$db->escape(GETPOST('search_societe'))."%'";
+		$sql.= " AND s.nom LIKE '%".$db->escape(trim($search_societe))."%'";
 	}
-	if (!empty($_GET['search_montant_ht']))
+	if ($search_montant_ht)
 	{
-		$sql.= " AND p.total_ht='".$db->escape(GETPOST('search_montant_ht'))."'";
+		$sql.= " AND p.total_ht='".$db->escape(trim($search_montant_ht))."'";
 	}
-	if ($sall) $sql.= " AND (s.nom like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%' OR pd.description like '%".$db->escape($sall)."%')";
+	if ($sall) $sql.= " AND (s.nom LIKE '%".$db->escape($sall)."%' OR p.note LIKE '%".$db->escape($sall)."%' OR pd.description LIKE '%".$db->escape($sall)."%')";
 	if ($socid) $sql.= ' AND s.rowid = '.$socid;
 	if ($viewstatut <> '')
 	{
-		$sql.= ' AND p.fk_statut in ('.$viewstatut.')';
+		$sql.= ' AND p.fk_statut IN ('.$viewstatut.')';
 	}
 	if ($month > 0)
 	{
@ -1773,10 +1777,6 @@ else
 	{
 		$sql.= " AND date_format(p.datep, '%Y') = '".$year."'";
 	}
-	if (dol_strlen($_POST['sf_ref']) > 0)
-	{
-		$sql.= " AND p.ref like '%".$db->escape($_POST["sf_ref"]) . "%'";
-	}

 	$sql.= ' ORDER BY '.$sortfield.' '.$sortorder.', p.ref DESC';
 	$sql.= $db->plimit($limit + 1,$offset);
@ -1817,10 +1817,10 @@ else

 		print '<tr class="liste_titre">';
 		print '<td class="liste_titre">';
-		print '<input class="flat" size="10" type="text" name="search_ref" value="'.GETPOST('search_ref').'">';
+		print '<input class="flat" size="10" type="text" name="search_ref" value="'.$search_ref.'">';
 		print '</td>';
 		print '<td class="liste_titre" align="left">';
-		print '<input class="flat" type="text" size="16" name="search_societe" value="'.GETPOST('search_societe').'">';
+		print '<input class="flat" type="text" size="16" name="search_societe" value="'.$search_societe.'">';
 		print '</td>';
 		print '<td class="liste_titre" colspan="1" align="center">';
 		print $langs->trans('Month').': <input class="flat" type="text" size="1" maxlength="2" name="month" value="'.$month.'">';
@ -1831,7 +1831,7 @@ else
 		print '</td>';
 		print '<td class="liste_titre" colspan="1">&nbsp;</td>';
 		print '<td class="liste_titre" align="right">';
-		print '<input class="flat" type="text" size="10" name="search_montant_ht" value="'.GETPOST('search_montant_ht').'">';
+		print '<input class="flat" type="text" size="10" name="search_montant_ht" value="'.$search_montant_ht.'">';
 		print '</td>';
 		print '<td class="liste_titre">&nbsp;</td>';
 		print '<td class="liste_titre" align="right">';
--- a/htdocs/commande/liste.php
+++ b/htdocs/commande/liste.php
@ -37,16 +37,16 @@ $orderyear=GETPOST("orderyear","int");
 $ordermonth=GETPOST("ordermonth","int");
 $deliveryyear=GETPOST("deliveryyear","int");
 $deliverymonth=GETPOST("deliverymonth","int");
-$sref=GETPOST('sref');
-$sref_client=GETPOST('sref_client');
-$snom=GETPOST('snom');
+$sref=GETPOST('sref','alpha');
+$sref_client=GETPOST('sref_client','alpha');
+$snom=GETPOST('snom','alpha');
 $sall=GETPOST('sall');
 $socid=GETPOST('socid','int');

 // Security check
-$orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
+$id = (GETPOST('orderid')?GETPOST('orderid'):GETPOST('id'));
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'commande', $orderid,'');
+$result = restrictedArea($user, 'commande', $id,'');

 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
@ -111,19 +111,19 @@ if ($viewstatut <> '')
 		$sql .= ' AND c.fk_statut IN (1,2,3) AND c.facture = 0';
 	}
 }
-if ($_GET['ordermonth'] > 0)
+if ($ordermonth > 0)
 {
 	$sql.= " AND date_format(c.date_valid, '%Y-%m') = '".$orderyear."-".$ordermonth."'";
 }
-if ($_GET['orderyear'] > 0)
+if ($orderyear > 0)
 {
 	$sql.= " AND date_format(c.date_valid, '%Y') = '".$orderyear."'";
 }
-if ($_GET['deliverymonth'] > 0)
+if ($deliverymonth > 0)
 {
 	$sql.= " AND date_format(c.date_livraison, '%Y-%m') = '".$deliveryyear."-".$deliverymonth."'";
 }
-if ($_GET['deliveryyear'] > 0)
+if ($deliveryyear > 0)
 {
 	$sql.= " AND date_format(c.date_livraison, '%Y') = '".$deliveryyear."'";
 }
@ -153,23 +153,23 @@ if ($resql)
 	{
 		$title = $langs->trans('ListOfOrders');
 	}
-	if (strval($_GET['viewstatut']) == '0')
+	if (strval($viewstatut) == '0')
 	$title.=' - '.$langs->trans('StatusOrderDraftShort');
-	if ($_GET['viewstatut'] == 1)
+	if ($viewstatut == 1)
 	$title.=' - '.$langs->trans('StatusOrderValidatedShort');
-	if ($_GET['viewstatut'] == 2)
+	if ($viewstatut == 2)
 	$title.=' - '.$langs->trans('StatusOrderOnProcessShort');
-	if ($_GET['viewstatut'] == 3)
+	if ($viewstatut == 3)
 	$title.=' - '.$langs->trans('StatusOrderToBillShort');
-	if ($_GET['viewstatut'] == 4)
+	if ($viewstatut == 4)
 	$title.=' - '.$langs->trans('StatusOrderProcessedShort');
-	if ($_GET['viewstatut'] == -1)
+	if ($viewstatut == -1)
 	$title.=' - '.$langs->trans('StatusOrderCanceledShort');
-	if ($_GET['viewstatut'] == -2)
+	if ($viewstatut == -2)
 	$title.=' - '.$langs->trans('StatusOrderToProcessShort');

 	$num = $db->num_rows($resql);
-	print_barre_liste($title, $_GET['page'], 'liste.php','&amp;socid='.$socid.'&amp;viewstatut='.$viewstatut,$sortfield,$sortorder,'',$num);
+	print_barre_liste($title, $page, 'liste.php','&amp;socid='.$socid.'&amp;viewstatut='.$viewstatut,$sortfield,$sortorder,'',$num);
 	$i = 0;
 	print '<table class="noborder" width="100%">';
 	print '<tr class="liste_titre">';
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@ -50,22 +50,22 @@ $langs->load('main');
 if (GETPOST('mesg','int',1) && isset($_SESSION['message'])) $mesg=$_SESSION['message'];

 $sall=trim(GETPOST('sall'));
-$projectid=isset($_GET['projectid'])?$_GET['projectid']:0;
+$projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);

-$id=(GETPOST('id')?GETPOST("id"):GETPOST("facid"));  // For backward compatibility
-$ref=GETPOST('ref');
-$socid=GETPOST('socid');
-$action=GETPOST('action');
-$confirm=GETPOST('confirm');
-$lineid=GETPOST('lineid');
-$userid=GETPOST('userid');
+$id=(GETPOST('id')?GETPOST('id','int'):GETPOST('facid','int'));  // For backward compatibility
+$ref=GETPOST('ref','alpha');
+$socid=GETPOST('socid','int');
+$action=GETPOST('action','alpha');
+$confirm=GETPOST('confirm','alpha');
+$lineid=GETPOST('lineid','int');
+$userid=GETPOST('userid','int');
 $search_ref=GETPOST('sf_ref')?GETPOST('sf_ref','alpha'):GETPOST('search_ref','alpha');
 $search_societe=GETPOST('search_societe','alpha');
 $search_montant_ht=GETPOST('search_montant_ht','alpha');
-$search_montant_ttc=GETPOST('search_montant_ht','alpha');
+$search_montant_ttc=GETPOST('search_montant_ttc','alpha');

 // Security check
-$fieldid = isset($_GET["ref"])?'facnumber':'rowid';
+$fieldid = (! empty($ref)?'facnumber':'rowid');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'facture', $id,'','','fk_soc',$fieldid);