From b45d2a222ecc41b5e6730ccb6bdaae1fce4ee8b6 Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 8 Mar 2012 15:28:32 +0100
Subject: [PATCH] Fix: Security
---
 htdocs/expedition/fiche.php | 148 ++++++++++++++++++------------------
 htdocs/expedition/liste.php | 14 ++--
 2 files changed, 81 insertions(+), 81 deletions(-)
diff --git a/htdocs/expedition/fiche.php b/htdocs/expedition/fiche.php
index 38ca9ea66d2..7632b65335a 100644
--- a/htdocs/expedition/fiche.php
+++ b/htdocs/expedition/fiche.php
@@ -3,7 +3,7 @@
 * Copyright (C) 2005-2010 Laurent Destailleur
 * Copyright (C) 2005 Simon TOSSER
 * Copyright (C) 2005-2011 Regis Houssin
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -49,19 +49,19 @@ $langs->load('stocks');
 $langs->load('other');
 $langs->load('propal');
-$origin = GETPOST("origin")?GETPOST("origin"):'expedition'; // Example: commande, propal
+$origin = GETPOST('origin','alpha')?GETPOST('origin','alpha'):'expedition'; // Example: commande, propal
 $origin_id = GETPOST('id','int')?GETPOST('id','int'):'';
-if (empty($origin_id)) $origin_id = GETPOST("origin_id"); // Id of order or propal
-if (empty($origin_id)) $origin_id = GETPOST("object_id"); // Id of order or propal
+if (empty($origin_id)) $origin_id = GETPOST('origin_id','int'); // Id of order or propal
+if (empty($origin_id)) $origin_id = GETPOST('object_id','int'); // Id of order or propal
 $id = $origin_id;
-$ref=GETPOST('ref');
+$ref=GETPOST('ref','alpha');
 // Security check
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,$origin,$origin_id);
-$action = GETPOST("action");
-$confirm = GETPOST("confirm");
+$action = GETPOST('action','alpha');
+$confirm = GETPOST('confirm','alpha');
 $object = new Expedition($db);
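Review bot: `$origin` is still accepted as any alpha string on the new `$origin = GETPOST('origin','alpha')?GETPOST('origin','alpha'):'expedition';` line and is then passed straight into `restrictedArea($user,$origin,$origin_id)` as the feature name, while the comment only expects `commande` or `propal` besides the default. Confining it to that known set keeps the permission check, and the later `$object->origin` assignment, on a fixed module name: `$origin = GETPOST('origin','alpha');` / `if (! in_array($origin, array('expedition','commande','propal'), true)) $origin = 'expedition';`. Whether restrictedArea() itself rejects unknown feature names is not visible in this hunk, so the allow-list is worth having either way.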
@@ -75,17 +75,17 @@ if ($action == 'add')
 $db->begin();
- $object->note = $_POST["note"];
+ $object->note = GETPOST('note','alpha');
 $object->origin = $origin;
 $object->origin_id = $origin_id;
- $object->weight = $_POST["weight"]==""?"NULL":$_POST["weight"];
- $object->sizeH = $_POST["sizeH"]==""?"NULL":$_POST["sizeH"];
- $object->sizeW = $_POST["sizeW"]==""?"NULL":$_POST["sizeW"];
- $object->sizeS = $_POST["sizeS"]==""?"NULL":$_POST["sizeS"];
- $object->size_units = $_POST["size_units"];
- $object->weight_units = $_POST["weight_units"];
+ $object->weight = GETPOST('weight','int')==''?"NULL":GETPOST('weight','int');
+ $object->sizeH = GETPOST('sizeH','int')==''?"NULL":GETPOST('sizeH','int');
+ $object->sizeW = GETPOST('sizeW','int')==''?"NULL":GETPOST('sizeW','int');
+ $object->sizeS = GETPOST('sizeS','int')==''?"NULL":GETPOST('sizeS','int');
+ $object->size_units = GETPOST('size_units','int');
+ $object->weight_units = GETPOST('weight_units','int');
- $date_delivery = dol_mktime($_POST["date_deliveryhour"], $_POST["date_deliverymin"], 0, $_POST["date_deliverymonth"], $_POST["date_deliveryday"], $_POST["date_deliveryyear"]);
+ $date_delivery = dol_mktime(GETPOST('date_deliveryhour','int'), GETPOST('date_deliverymin','int'), 0, GETPOST('date_deliverymonth','int'), GETPOST('date_deliveryday','int'), GETPOST('date_deliveryyear','int'));
 // On va boucler sur chaque ligne du document d'origine pour completer objet expedition
 // avec info diverses + qte a livrer
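Review bot: On the new `$object->weight = GETPOST('weight','int')==''?"NULL":GETPOST('weight','int');` line (and the three `size*` lines after it) the blank-field test is a loose `==` against whatever the 'int' check returns for an empty or rejected value; if that is an integer 0 rather than `''`, the comparison holds on PHP 5 (`0 == ''`) but not on PHP 8, and the `"NULL"` marker is silently replaced by 0. Read the parameter once and compare strictly against the value the check actually returns, e.g. `$weight = GETPOST('weight','int');` / `$object->weight = ($weight === '' ? "NULL" : $weight);`, adjusting the sentinel if the check yields 0 instead. If weight and dimensions may be fractional in this schema, also confirm that the 'int' check accepts decimals rather than blanking or truncating them. The `add` branch this hunk belongs to starts above it.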
@@ -98,16 +98,16 @@ if ($action == 'add')
 $object->ref_customer = $objectsrc->ref_client;
 $object->date_delivery = $date_delivery; // Date delivery planed
 $object->fk_delivery_address = $objectsrc->fk_delivery_address;
- $object->expedition_method_id = $_POST["expedition_method_id"];
- $object->tracking_number = $_POST["tracking_number"];
- $object->ref_int = $_POST["ref_int"];
+ $object->expedition_method_id = GETPOST('expedition_method_id','int');
+ $object->tracking_number = GETPOST('tracking_number','alpha');
+ $object->ref_int = GETPOST('ref_int','alpha');
 $num=count($objectsrc->lines);
 $totalqty=0;
 for ($i = 0; $i < $num; $i++)
 {
 $qty = "qtyl".$i;
- if ($_POST[$qty] > 0) $totalqty+=$_POST[$qty];
+ if (GETPOST($qty,'int') > 0) $totalqty+=GETPOST($qty,'int');
 }
 if ($totalqty > 0)
@@ -116,13 +116,13 @@ if ($action == 'add')
 for ($i = 0; $i < $num; $i++)
 {
 $qty = "qtyl".$i;
- if ($_POST[$qty] > 0)
+ if (GETPOST($qty,'int') > 0)
 {
 $ent = "entl".$i;
 $idl = "idl".$i;
- $entrepot_id = isset($_POST[$ent])?$_POST[$ent]:$_POST["entrepot_id"];
+ $entrepot_id = GETPOST($ent,'int')?GETPOST($ent,'int'):GETPOST('entrepot_id','int');
- $ret=$object->addline($entrepot_id,$_POST[$idl],$_POST[$qty]);
+ $ret=$object->addline($entrepot_id,GETPOST($idl,'int'),GETPOST($qty,'int'));
 if ($ret < 0)
 {
 $mesg='
'.$object->error.'
';
@@ -156,7 +156,7 @@ if ($action == 'add')
 else
 {
 $db->rollback();
- $_GET["commande_id"]=$_POST["commande_id"];
+ $_GET["commande_id"]=GETPOST('commande_id','int');
 $action='create';
 }
 }
@@ -189,7 +189,7 @@ if ($action == 'confirm_valid' && $confirm == 'yes' && $user->rights->expedition
 // Define output language
 $outputlangs = $langs;
 $newlang='';
- if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
+ if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','int')) $newlang=GETPOST('lang_id','int');
 if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$object->client->default_lang;
 if (! empty($newlang))
 {
@@ -236,7 +236,7 @@ if ($action == 'reopen' && $user->rights->expedition->valider)
 if ($action == 'setdate_livraison' && $user->rights->expedition->creer)
 {
 //print "x ".$_POST['liv_month'].", ".$_POST['liv_day'].", ".$_POST['liv_year'];
- $datedelivery=dol_mktime($_POST['liv_hour'], $_POST['liv_min'], 0, $_POST['liv_month'], $_POST['liv_day'], $_POST['liv_year']);
+ $datedelivery=dol_mktime(GETPOST('liv_hour','int'), GETPOST('liv_min','int'), 0, GETPOST('liv_month','int'), GETPOST('liv_day','int'), GETPOST('liv_year','int'));
 $object->fetch($id);
 $result=$object->set_date_livraison($user,$datedelivery);
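Review bot: `lang_id` is validated as `'int'` on the new `$newlang=GETPOST('lang_id','int')` line in the @@ -189 hunk, yet `$newlang` is otherwise filled from `$object->client->default_lang` and handed to `Translate::setDefaultLang()`, which suggests a language code rather than a number; with the 'int' check the request value is never accepted and the override silently falls back to the client's default language. The same check is used in the hunks at @@ -294 and @@ -1184, so all three should read the parameter with the string check and then confirm it names a known language before it reaches the translator: `if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');`. What the 'int' check returns for a non-numeric value is not visible here, so the exact failure mode (empty string versus 0) is inferred. The `confirm_valid` branch begins above this hunk.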
@@ -260,13 +260,13 @@ if ($action == 'settrackingnumber' || $action == 'settrackingurl'
 $result=$shipping->fetch($id);
 if ($result < 0) dol_print_error($db,$shipping->error);
- if ($action == 'settrackingnumber') $shipping->tracking_number = trim($_REQUEST["trackingnumber"]);
- if ($action == 'settrackingurl') $shipping->tracking_url = trim($_REQUEST["trackingurl"]);
- if ($action == 'settrueWeight') $shipping->trueWeight = trim($_REQUEST["trueWeight"]);
- if ($action == 'settrueWidth') $shipping->trueWidth = trim($_REQUEST["trueWidth"]);
- if ($action == 'settrueHeight') $shipping->trueHeight = trim($_REQUEST["trueHeight"]);
- if ($action == 'settrueDepth') $shipping->trueDepth = trim($_REQUEST["trueDepth"]);
- if ($action == 'setexpedition_method_id') $shipping->expedition_method_id = trim($_REQUEST["expedition_method_id"]);
+ if ($action == 'settrackingnumber') $shipping->tracking_number = trim(GETPOST('trackingnumber','alpha'));
+ if ($action == 'settrackingurl') $shipping->tracking_url = trim(GETPOST('trackingurl','int'));
+ if ($action == 'settrueWeight') $shipping->trueWeight = trim(GETPOST('trueWeight','int'));
+ if ($action == 'settrueWidth') $shipping->trueWidth = trim(GETPOST('trueWidth','int'));
+ if ($action == 'settrueHeight') $shipping->trueHeight = trim(GETPOST('trueHeight','int'));
+ if ($action == 'settrueDepth') $shipping->trueDepth = trim(GETPOST('trueDepth','int'));
+ if ($action == 'setexpedition_method_id') $shipping->expedition_method_id = trim(GETPOST('expedition_method_id','int'));
 if (! $error)
 {
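Review bot: `trim(GETPOST('trackingurl','int'))` on the new `settrackingurl` line validates a URL as an integer, so any genuine tracking URL fails the check and `$shipping->tracking_url` is overwritten with the check's empty result instead of the submitted value. The field needs a string check plus URL validation before it is stored, and escaping wherever it is later printed as a link: `if ($action == 'settrackingurl') $shipping->tracking_url = trim(GETPOST('trackingurl','alpha'));` followed by `if ($shipping->tracking_url !== '' && ! filter_var($shipping->tracking_url, FILTER_VALIDATE_URL)) $error++;` (assuming the stored value is a plain URL rather than a template). The 'int' checks on the four `true*` dimensions are fine only if those fields are whole numbers; if they can be fractional, confirm the check accepts decimals. The enclosing `if` begins above this hunk, and `$error`, read by the `if (! $error)` below, is initialised outside it.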
@@ -294,22 +294,22 @@ if ($action == 'builddoc') // En get ou en post
 $shipment->fetch($id);
 $shipment->fetch_thirdparty();
- if ($_REQUEST['model'])
+ if (GETPOST('model','alpha'))
 {
- $shipment->setDocModel($user, $_REQUEST['model']);
+ $shipment->setDocModel($user, GETPOST('model','alpha'));
 }
 // Define output language
 $outputlangs = $langs;
 $newlang='';
- if ($conf->global->MAIN_MULTILANGS && empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id'];
+ if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id','int')) $newlang=GETPOST('lang_id','int');
 if ($conf->global->MAIN_MULTILANGS && empty($newlang)) $newlang=$shipment->client->default_lang;
 if (! empty($newlang))
 {
 $outputlangs = new Translate("",$conf);
 $outputlangs->setDefaultLang($newlang);
 }
- $result=expedition_pdf_create($db,$shipment,$_REQUEST['model'],$outputlangs);
+ $result=expedition_pdf_create($db,$shipment,GETPOST('model','alpha'),$outputlangs);
 if ($result <= 0)
 {
 dol_print_error($db,$result);
@@ -320,7 +320,7 @@ if ($action == 'builddoc') // En get ou en post
 /*
 * Add file in email form
 */
-if ($_POST['addfile'])
+if (GETPOST('addfile','alpha'))
 {
 require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@@ -336,7 +336,7 @@ if ($_POST['addfile'])
 /*
 * Remove file in email form
 */
-if (! empty($_POST['removedfile']))
+if (GETPOST('removedfile','alpha'))
 {
 require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
@@ -345,7 +345,7 @@ if (! empty($_POST['removedfile']))
 $upload_dir_tmp = $vardir.'/temp';
 // TODO Delete only files that was uploaded from email form
- $mesg=dol_remove_file_process($_POST['removedfile'],0);
+ $mesg=dol_remove_file_process(GETPOST('removedfile','int'),0);
 $action ='presend';
 }
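Review bot: The `removedfile` parameter is read with the 'alpha' check in the guard at @@ -336 but with 'int' in `$mesg=dol_remove_file_process(GETPOST('removedfile','int'),0);` at @@ -345, so the two reads can disagree: a non-numeric value passes the guard and then reaches the removal helper as whatever the 'int' check returns for it. Use one check for both reads, chosen by what the helper expects — an index means `if (GETPOST('removedfile','int'))` in the guard as well; a file name means 'alpha' in both places, with the helper confined to `$upload_dir_tmp` as the TODO above it already asks. For `model` at @@ -294, the value appears to select a document generator via `setDocModel()` and `expedition_pdf_create()`, so validating it against the list of available models is safer than relying on the generic 'alpha' check alone. The enclosing `if` blocks start above their respective hunks.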
@@ -353,7 +353,7 @@ if (! empty($_POST['removedfile']))
 /*
 * Send mail
 */
-if ($action == 'send' && ! $_POST['addfile'] && ! $_POST['removedfile'] && ! $_POST['cancel'])
+if ($action == 'send' && ! GETPOST('addfile','alpha') && ! GETPOST('removedfile','alpha') && ! GETPOST('cancel','alpha'))
 {
 $langs->load('mails');
@@ -367,24 +367,24 @@ if ($action == 'send' && ! $_POST['addfile'] && ! $_POST['removedfile'] && ! $_P
 if (is_readable($file))
 {
- if ($_POST['sendto'])
+ if (GETPOST('sendto','alpha'))
 {
 // Le destinataire a ete fourni via le champ libre
- $sendto = $_POST['sendto'];
+ $sendto = GETPOST('sendto','alpha');
 $sendtoid = 0;
 }
- elseif ($_POST['receiver'] != '-1')
+ elseif (GETPOST('receiver','alpha') != '-1')
 {
 // Recipient was provided from combo list
- if ($_POST['receiver'] == 'thirdparty') // Id of third party
+ if (GETPOST('receiver','alpha') == 'thirdparty') // Id of third party
 {
 $sendto = $object->client->email;
 $sendtoid = 0;
 }
 else // Id du contact
 {
- $sendto = $object->client->contact_get_property($_POST['receiver'],'email');
- $sendtoid = $_POST['receiver'];
+ $sendto = $object->client->contact_get_property(GETPOST('receiver','alpha'),'email');
+ $sendtoid = GETPOST('receiver','alpha');
 }
 }
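Review bot: In the `else // Id du contact` branch, `GETPOST('receiver','alpha')` is passed to `contact_get_property()` and stored in `$sendtoid` even though the comment says this is a contact id; the 'alpha' check is needed because the same parameter can legitimately be `'thirdparty'` or `'-1'`, but the id branch should coerce before use: `$sendtoid = (int) GETPOST('receiver','alpha');` / `$sendto = $object->client->contact_get_property($sendtoid,'email');`. The free-text `sendto` address is accepted with only the 'alpha' check; unless that check rejects CR/LF and validates the address form, it should be checked with `filter_var($sendto, FILTER_VALIDATE_EMAIL)` before it reaches the mailer. The enclosing `send` block begins above this hunk.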
@@ -392,15 +392,15 @@ if ($action == 'send' && ! $_POST['addfile'] && ! $_POST['removedfile'] && ! $_P { $langs->load("commercial"); - $from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>'; - $replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>'; - $message = $_POST['message']; - $sendtocc = $_POST['sendtocc']; - $deliveryreceipt = $_POST['deliveryreceipt']; + $from = GETPOST('fromname','alpha') . ' <' . GETPOST('frommail','alpha') .'>'; + $replyto = GETPOST('replytoname','alpha'). ' <' . GETPOST('replytomail','alpha').'>'; + $message = GETPOST('message','alpha'); + $sendtocc = GETPOST('sendtocc','alpha'); + $deliveryreceipt = GETPOST('deliveryreceipt','alpha'); - if ($_POST['action'] == 'send') + if ($action == 'send') { - if (dol_strlen($_POST['subject'])) $subject=$_POST['subject']; + if (dol_strlen(GETPOST('subject','alpha'))) $subject=GETPOST('subject','alpha'); else $subject = $langs->transnoentities('Shipping').' '.$object->ref; $actiontypecode='AC_SHIP'; $actionmsg = $langs->transnoentities('MailSentBy').' '.$from.' '.$langs->transnoentities('To').' '.$sendto.".\n"; @@ -564,9 +564,9 @@ if ($action == 'create') print ''; print ''; print ''; - if ($_GET["entrepot_id"]) + if (GETPOST('entrepot_id','int')) { - print ''; + print ''; } print ''; @@ -612,7 +612,7 @@ if ($action == 'create') print ''."\n"; } @@ -627,31 +627,31 @@ if ($action == 'create') // Weight print ''; + print ''; print ''; + print ''; print ''; // Delivery method print ""; print '\n"; // Tracking number print ""; print '\n"; print "
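Review bot: `$from` and `$replyto` on the new lines are assembled from `fromname`/`frommail`/`replytoname`/`replytomail` straight after the 'alpha' check, and `$sendtocc` likewise; unless that check strips carriage returns and line feeds and validates the address form, these values are placed into mail headers unvalidated, which is the input that mail header injection relies on. Validate each address and reject control characters in the display names before building the header strings, e.g. `$frommail = GETPOST('frommail','alpha');` / `if (! filter_var($frommail, FILTER_VALIDATE_EMAIL)) { /* abort the send with an error message */ }` and the same for `replytomail` and each entry of `sendtocc`, with `\r`/`\n` removed from `fromname` and `replytoname`. The `if ($_POST['action'] == 'send')` → `if ($action == 'send')` change is correct since `$action` is already the checked value. The surrounding `send` block starts above this hunk.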
'; if (!empty($object->fk_delivery_address)) { - $formother->form_address($_SERVER['PHP_SELF'].'?id='.$object->id,$object->fk_delivery_address,$_GET['socid'],'none','commande',$object->id); + $formother->form_address($_SERVER['PHP_SELF'].'?id='.$object->id,$object->fk_delivery_address,GETPOST('socid','int'),'none','commande',$object->id); } print '
'; print $langs->trans("Weight"); - print ''; - print $formproduct->select_measuring_units("weight_units","weight",$_POST["weight_units"]); + print ''; + print $formproduct->select_measuring_units("weight_units","weight",GETPOST('weight_units','int')); print '
'; print $langs->trans("Width"); - print ' '; + print ' '; print $formproduct->select_measuring_units("size_units","size"); print '
'; print $langs->trans("Height"); - print '
'; print $langs->trans("Depth"); - print '
".$langs->trans("DeliveryMethod")."'; $expe->fetch_delivery_methods(); - print $form->selectarray("expedition_method_id",$expe->meths,$_POST["expedition_method_id"],1,0,0,"",1); + print $form->selectarray("expedition_method_id",$expe->meths,GETPOST('expedition_method_id','int'),1,0,0,"",1); print "
".$langs->trans("TrackingNumber")."'; - print ''; + print ''; print "
"; @@ -758,10 +758,10 @@ if ($action == 'create') $quantityToBeDelivered = $quantityAsked - $quantityDelivered; $defaultqty=0; - if ($_REQUEST["entrepot_id"]) + if (GETPOST('entrepot_id','int')) { //var_dump($product); - $stock = $product->stock_warehouse[$_REQUEST["entrepot_id"]]->real; + $stock = $product->stock_warehouse[GETPOST('entrepot_id','int')]->real; $stock+=0; // Convertit en numerique $defaultqty=min($quantityToBeDelivered, $stock); if (($line->product_type == 1 && empty($conf->global->STOCK_SUPPORTS_SERVICES)) || $defaultqty < 0) $defaultqty=0; @@ -784,9 +784,9 @@ if ($action == 'create') if ($line->product_type == 0 || ! empty($conf->global->STOCK_SUPPORTS_SERVICES)) { // Show warehous - if ($_REQUEST["entrepot_id"]) + if (GETPOST('entrepot_id','int')) { - print $formproduct->selectWarehouses($_REQUEST["entrepot_id"],'entl'.$indiceAsked,'',1,0,$line->fk_product); + print $formproduct->selectWarehouses(GETPOST('entrepot_id','int'),'entl'.$indiceAsked,'',1,0,$line->fk_product); //print $stock.' '.$quantityToBeDelivered; //if ($stock >= 0 && $stock < $quantityToBeDelivered) if ($stock < $quantityToBeDelivered) @@ -1011,10 +1011,10 @@ else print $langs->trans('DateDeliveryPlanned'); print ''; - if ($_GET['action'] != 'editdate_livraison') print 'id.'">'.img_edit($langs->trans('SetDeliveryDate'),1).''; + if ($action != 'editdate_livraison') print 'id.'">'.img_edit($langs->trans('SetDeliveryDate'),1).''; print ''; print ''; - if ($_GET['action'] == 'editdate_livraison') + if ($action == 'editdate_livraison') { print '
'; print ''; @@ -1100,10 +1100,10 @@ else print $langs->trans('SendingMethod'); print ''; - if ($_GET['action'] != 'editexpedition_method_id') print 'id.'">'.img_edit($langs->trans('SetSendingMethod'),1).''; + if ($action != 'editexpedition_method_id') print 'id.'">'.img_edit($langs->trans('SetSendingMethod'),1).''; print ''; print ''; - if ($_GET['action'] == 'editexpedition_method_id') + if ($action == 'editexpedition_method_id') { print ''; print ''; @@ -1184,7 +1184,7 @@ else $prod = new Product($db, $lines[$i]->fk_product); $outputlangs = $langs; $newlang=''; - if (empty($newlang) && ! empty($_REQUEST['lang_id'])) $newlang=$_REQUEST['lang_id']; + if (empty($newlang) && ! GETPOST('lang_id','int')) $newlang=GETPOST('lang_id','int'); if (empty($newlang)) $newlang=$object->client->default_lang; if (! empty($newlang)) { @@ -1392,7 +1392,7 @@ else $formmail->fromname = $user->getFullName($langs); $formmail->frommail = $user->email; $formmail->withfrom=1; - $formmail->withto=empty($_POST["sendto"])?1:$_POST["sendto"]; + $formmail->withto=GETPOST('sendto','int')?GETPOST('sendto','int'):1; $formmail->withtosocid=$soc->id; $formmail->withtocc=1; $formmail->withtoccsocid=0; @@ -1412,7 +1412,7 @@ else $formmail->param['returnurl']=$_SERVER["PHP_SELF"].'?id='.$object->id; // Init list of files - if (! empty($_REQUEST["mode"]) && $_REQUEST["mode"]=='init') + if (GETPOST('mode','alpha')=='init') { $formmail->clear_attached_files(); $formmail->add_attached_files($file,dol_sanitizeFilename($ref.'.pdf'),'application/pdf'); diff --git a/htdocs/expedition/liste.php b/htdocs/expedition/liste.php index 61ba8e84c01..d5e9c8a23af 100644 --- a/htdocs/expedition/liste.php +++ b/htdocs/expedition/liste.php 
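Review bot: `if (empty($newlang) && ! GETPOST('lang_id','int')) $newlang=GETPOST('lang_id','int');` in the @@ -1184 hunk negates the test that the removed line had as `! empty(...)`, so `$newlang` is assigned only when the parameter is absent and then receives that empty result; the positive form is needed, and since the value is a language code the string check fits better: `if (empty($newlang) && GETPOST('lang_id','alpha')) $newlang=GETPOST('lang_id','alpha');`. In the @@ -1392 hunk `$formmail->withto=GETPOST('sendto','int')?GETPOST('sendto','int'):1;` validates `sendto` as an integer although the send handler at @@ -367 reads the same parameter as a free-text address with 'alpha', so a typed recipient can never be carried back into the re-rendered form; use the same check here: `$formmail->withto=GETPOST('sendto','alpha')?GETPOST('sendto','alpha'):1;`. Both hunks sit inside the `else` branch that begins above them.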
@@ -30,14 +30,14 @@ $langs->load("sendings");
 $langs->load('companies');
 // Security check
-$expeditionid = isset($_GET["id"])?$_GET["id"]:'';
+$expeditionid = GETPOST('id','int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'expedition',$expeditionid,'');
+$sortfield = GETPOST('sortfield','alpha');
+$sortorder = GETPOST('sortorder','alpha');
+$page = GETPOST('page','int');
-$sortfield = GETPOST("sortfield",'alpha');
-$sortorder = GETPOST("sortorder",'alpha');
-$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0; }
 $offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
@@ -77,9 +77,9 @@ if ($socid)
 {
 $sql.= " AND e.fk_soc = ".$socid;
 }
-if ($_POST["sf_ref"])
+if (GETPOST('sf_ref','alpha'))
 {
- $sql.= " AND e.ref like '%".$db->escape($_POST["sf_ref"])."%'";
+ $sql.= " AND e.ref like '%".$db->escape(GETPOST('sf_ref','alpha'))."%'";
 }
 $sql.= $db->order($sortfield,$sortorder);
@@ -94,7 +94,7 @@ if ($resql)
 $param="&socid=$socid";
- print_barre_liste($langs->trans('ListOfSendings'), $_GET["page"], "liste.php",$param,$sortfield,$sortorder,'',$num);
+ print_barre_liste($langs->trans('ListOfSendings'), $page, "liste.php",$param,$sortfield,$sortorder,'',$num);
 $i = 0;
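Review bot: `$sortfield` and `$sortorder` are read with the 'alpha' check on the moved `+$sortfield = GETPOST('sortfield','alpha');` lines and then handed to `$db->order($sortfield,$sortorder)` in the @@ -77 hunk; whatever characters that check strips, it does not confine the values to the columns this list can sort by, so the ORDER BY clause is still built from request input unless `$db->order()` (not visible here) whitelists it. Check both against what the page actually offers, e.g. `if (! in_array($sortfield, array('e.ref', /* other sortable columns of this list */), true)) $sortfield = 'e.ref';` and `if (! in_array(strtoupper($sortorder), array('ASC','DESC'), true)) $sortorder = 'DESC';`, before the order clause is appended. In the `sf_ref` filter `$db->escape()` handles quoting but not the `%`/`_` LIKE wildcards, so a term containing them widens the match; escape those as well if literal matching is intended. The `$sql` statement is assembled outside this hunk.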