Merge remote-tracking branch 'upstream/develop' into free_email

.travis.yml

@@ -404,6 +404,10 @@ script:
   php upgrade.php 11.0.0 12.0.0 ignoredbversion > $TRAVIS_BUILD_DIR/upgrade11001200.log
   php upgrade2.php 11.0.0 12.0.0 > $TRAVIS_BUILD_DIR/upgrade11001200-2.log
   php step5.php 11.0.0 12.0.0 > $TRAVIS_BUILD_DIR/upgrade11001200-3.log
+  php upgrade.php 12.0.0 13.0.0 ignoredbversion > $TRAVIS_BUILD_DIR/upgrade12001300.log
+  php upgrade2.php 12.0.0 13.0.0 > $TRAVIS_BUILD_DIR/upgrade12001300-2.log
+  php step5.php 12.0.0 13.0.0 > $TRAVIS_BUILD_DIR/upgrade12001300-3.log
+
   # Enable modules not enabled into original dump
   php upgrade2.php 0.0.0 0.0.0 MAIN_MODULE_API,MAIN_MODULE_SUPPLIERPROPOSAL,MAIN_MODULE_WEBSITE,MAIN_MODULE_TICKETSUP,MAIN_MODULE_ACCOUNTING > $TRAVIS_BUILD_DIR/enablemodule.log
   echo $?

ChangeLog

@@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email
 FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create
 FIX: Wrong Sql on getListOfTowns api method
 FIX: wrong user right's name to top menu "commercial"
-FIX: XSS Vulnerability
+FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security
 
 ***** ChangeLog for 12.0.0 compared to 11.0.0 *****
 For Users:

htdocs/admin/dict.php

@@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
         if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue;
         if ($value == 'color' && empty($_POST['color'])) continue;
 		if ($value == 'formula' && empty($_POST['formula'])) continue;
+		if ($value == 'dayrule' && empty($_POST['dayrule'])) continue;
 		if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position'
 		if ((!isset($_POST[$value]) || $_POST[$value] == '')
         	&& (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking'))  // Fields that are not mandatory

htdocs/admin/security_other.php

@@ -177,7 +177,11 @@ $sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
 print '<tr class="oddeven">';
 print '<td>'.$langs->trans("SessionTimeOut").'</td><td class="right">';
-print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor")));
+if (ini_get("session.gc_probability") == 0) {
+	print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime")));
+} else {
+	print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime")));
+}
 print '</td>';
 print '<td class="nowrap">';
 print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.htmlentities($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds"));
@@ -185,7 +189,6 @@ print '</td>';
 print '</tr>';
 
 
-$sessiontimeout = ini_get("session.gc_maxlifetime");
 if (empty($conf->global->MAIN_APPLICATION_TITLE)) $conf->global->MAIN_APPLICATION_TITLE = "";
 print '<tr class="oddeven">';
 print '<td>'.$langs->trans("MAIN_APPLICATION_TITLE").'</td><td class="right">';

htdocs/comm/action/class/actioncomm.class.php

@@ -679,6 +679,7 @@ class ActionComm extends CommonObject
 
         $sql = "SELECT a.id,";
         $sql .= " a.id as ref,";
+        $sql .= " a.entity,";
         $sql .= " a.ref_ext,";
         $sql .= " a.datep,";
         $sql .= " a.datep2,";
@@ -715,6 +716,7 @@ class ActionComm extends CommonObject
                 $obj = $this->db->fetch_object($resql);
 
                 $this->id         = $obj->id;
+				$this->entity     = $obj->entity;
                 $this->ref        = $obj->ref;
                 $this->ref_ext    = $obj->ref_ext;
 

htdocs/compta/paiement/card.php

@@ -342,7 +342,7 @@ if ($resql)
 	print '<tr class="liste_titre">';
 	print '<td>'.$langs->trans('Bill').'</td>';
 	print '<td>'.$langs->trans('Company').'</td>';
-	if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)print '<td>'.$langs->trans('Entity').'</td>';
+	if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) print '<td>'.$langs->trans('Entity').'</td>';
 	print '<td class="right">'.$langs->trans('ExpectedToPay').'</td>';
     print '<td class="right">'.$langs->trans('PayedByThisPayment').'</td>';
     print '<td class="right">'.$langs->trans('RemainderToPay').'</td>';
@@ -379,7 +379,7 @@ if ($resql)
 			print '</td>';
 
 			// Expected to pay
-			if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED) {
+			if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) {
 				print '<td>';
 				$mc->getInfo($objp->entity);
 				print $mc->label;

htdocs/contact/class/contact.class.php

@@ -1590,7 +1590,7 @@ class Contact extends CommonObject
 	public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id)
 	{
 		$tables = array(
-			'socpeople'
+			'socpeople', 'societe_contacts'
 		);
 
 		return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables);

htdocs/core/lib/website.lib.php

@@ -520,7 +520,7 @@ function includeContainer($containerref)
 	$tmpoutput = ob_get_contents();
 	ob_end_clean();
 
-	print "\n".'<!-- include '.$fullpathfile.' level = '.$includehtmlcontentopened.' -->'."\n";
+	print "\n".'<!-- include '.$websitekey.'/'.$containerref.' level = '.$includehtmlcontentopened.' -->'."\n";
 	print preg_replace(array('/^.*<body[^>]*>/ims', '/<\/body>.*$/ims'), array('', ''), $tmpoutput);
 
 	if (!$res)
@@ -533,8 +533,9 @@ function includeContainer($containerref)
 
 /**
  * Return HTML content to add structured data for an article, news or Blog Post.
+ * Use the json-ld format.
  *
- * @param 	string		$type				'blogpost', 'product', 'software'...
+ * @param 	string		$type				'blogpost', 'product', 'software', 'organization', ...
  * @param	array		$data				Array of data parameters for structured data
  * @return  string							HTML content
  */
@@ -551,7 +552,7 @@ function getStructuredData($type, $data = array())
 			"@type": "SoftwareApplication",
 			"name": "'.dol_escape_json($data['name']).'",
 			"operatingSystem": "'.dol_escape_json($data['os']).'",
-			"applicationCategory": "https://schema.org/GameApplication",
+			"applicationCategory": "https://schema.org/'.$data['applicationCategory'].'",
 			"aggregateRating": {
 				"@type": "AggregateRating",
 				"ratingValue": "'.$data['ratingvalue'].'",
@@ -575,21 +576,24 @@ function getStructuredData($type, $data = array())
 		$ret .= '{
 			"@context": "https://schema.org",
 			"@type": "Organization",
-			"name": "'.dol_escape_json($companyname).'",
-			"url": "'.$url.'",
-			"logo": "/wrapper.php?modulepart=mycompany&file=logos%2F'.urlencode($mysoc->logo).'",
+			"name": "'.dol_escape_json($data['name'] ? $data['name'] : $companyname).'",
+			"url": "'.dol_escape_json($data['url'] ? $data['url'] : $url).'",
+			"logo": "'.($data['logo'] ? dol_escape_json($data['logo']) : '/wrapper.php?modulepart=mycompany&file=logos%2F'.urlencode($mysoc->logo)).'",
 			"contactPoint": {
 				"@type": "ContactPoint",
 				"contactType": "Contact",
-				"email": "'.dol_escape_json($mysoc->email).'"
-			},';
+				"email": "'.dol_escape_json($data['email'] ? $data['email'] : $mysoc->email).'"
+			},'."\n";
 		if (is_array($mysoc->socialnetworks) && count($mysoc->socialnetworks) > 0) {
 			$ret .= '"sameAs": [';
 			$i = 0;
 			foreach($mysoc->socialnetworks as $key => $value) {
 				if ($key == 'linkedin') {
 					$ret.= '"https://www.'.$key.'.com/company/'.dol_escape_json($value).'"';
-				} else {
+				} elseif ($key == 'youtube') {
+					$ret.= '"https://www.'.$key.'.com/user/'.dol_escape_json($value).'"';
+				}
+				else {
 					$ret.= '"https://www.'.$key.'.com/'.dol_escape_json($value).'"';
 				}
 				$i++;

htdocs/expedition/class/expedition.class.php

@@ -539,7 +539,7 @@ class Expedition extends CommonObject
 		// Check parameters
 		if (empty($id) && empty($ref) && empty($ref_ext)) return -1;
 
-		$sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
+		$sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
         $sql .= ", e.date_valid";
 		$sql .= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height";
 		$sql .= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery";
@@ -568,6 +568,7 @@ class Expedition extends CommonObject
 				$obj = $this->db->fetch_object($result);
 
 				$this->id                   = $obj->rowid;
+				$this->entity               = $obj->entity;
 				$this->ref                  = $obj->ref;
 				$this->socid                = $obj->socid;
 				$this->ref_customer = $obj->ref_customer;

htdocs/install/mysql/migration/12.0.0-13.0.0.sql

@@ -33,4 +33,4 @@
 
 -- For v13
 
-
+ALTER TABLE llx_website ADD COLUMN position integer DEFAULT 0;

htdocs/install/mysql/tables/llx_website.sql

@@ -35,6 +35,7 @@ CREATE TABLE llx_website
     fk_user_creat integer,
     fk_user_modif integer,
     date_creation datetime,
+    position      integer DEFAULT 0,
 	tms           timestamp,
     import_key    varchar(14)      -- import key	
 ) ENGINE=innodb;

htdocs/langs/en_US/admin.lang

@@ -1145,6 +1145,7 @@ AvailableModules=Available app/modules
 ToActivateModule=To activate modules, go on setup Area (Home->Setup->Modules).
 SessionTimeOut=Time out for session
 SessionExplanation=This number guarantees that the session will never expire before this delay, if the session cleaner is done by Internal PHP session cleaner (and nothing else). Internal PHP session cleaner does not guarantee that the session will expire after this delay. It will expire, after this delay, and when the session cleaner is run, so every <b>%s/%s</b> access, but only during access made by other sessions (if value is 0, it means clearing of session is done only by an external process).<br>Note: on some servers with an external session cleaning mechanism (cron under debian, ubuntu ...), the sessions can be destroyed after a period defined by an external setup, no matter what the value entered here is.
+SessionsPurgedByExternalSystem=Sessions on this server seems to be cleaned by an external mechanism (cron under debian, ubuntu ...), probably every <b>%s</b> seconds (= value of parameter <b>session.gc_maxlifetime</b>), so changing the value here has no effect. You must ask the server administrator to change session delay.
 TriggersAvailable=Available triggers
 TriggersDesc=Triggers are files that will modify the behavior of Dolibarr workflow once copied into the directory <b>htdocs/core/triggers</b>. They realize new actions, activated on Dolibarr events (new company creation, invoice validation, ...).
 TriggerDisabledByName=Triggers in this file are disabled by the <b>-NORUN</b> suffix in their name.

scripts/cron/cron_run_jobs.php

@@ -176,11 +176,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
 		// Force reload of setup for the current entity
 		if ((empty($line->entity) ? 1 : $line->entity) != $conf->entity)
 		{
-			dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload user and conf", LOG_DEBUG);
-		    echo " -> we change entity so we reload user and conf";
+			dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload mysoc, langs, user and conf", LOG_DEBUG);
+			echo " -> we change entity so we reload mysoc, langs, user and conf";
 
 		    $conf->entity = (empty($line->entity) ? 1 : $line->entity);
 		    $conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings
+		    $mysoc->setMysoc($conf);
 
 		    // Force recheck that user is ok for the entity to process and reload permission for entity
 		    if ($conf->entity != $user->entity && $user->entity != 0)
@@ -203,6 +204,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
     		    }
     		    $user->getrights();
 		    }
+
+		    // Reload langs
+		    $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT);
+		    if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT;
+		    if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
 		}
 
 		//If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database