diff --git a/.travis.yml b/.travis.yml
index 688d706331d..9958556d42d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -404,6 +404,10 @@ script:
php upgrade.php 11.0.0 12.0.0 ignoredbversion > $TRAVIS_BUILD_DIR/upgrade11001200.log
php upgrade2.php 11.0.0 12.0.0 > $TRAVIS_BUILD_DIR/upgrade11001200-2.log
php step5.php 11.0.0 12.0.0 > $TRAVIS_BUILD_DIR/upgrade11001200-3.log
+ php upgrade.php 12.0.0 13.0.0 ignoredbversion > $TRAVIS_BUILD_DIR/upgrade12001300.log
+ php upgrade2.php 12.0.0 13.0.0 > $TRAVIS_BUILD_DIR/upgrade12001300-2.log
+ php step5.php 12.0.0 13.0.0 > $TRAVIS_BUILD_DIR/upgrade12001300-3.log
+
# Enable modules not enabled into original dump
php upgrade2.php 0.0.0 0.0.0 MAIN_MODULE_API,MAIN_MODULE_SUPPLIERPROPOSAL,MAIN_MODULE_WEBSITE,MAIN_MODULE_TICKETSUP,MAIN_MODULE_ACCOUNTING > $TRAVIS_BUILD_DIR/enablemodule.log
echo $?
diff --git a/ChangeLog b/ChangeLog
index dafa90b9632..20a1748af6b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email
FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create
FIX: Wrong Sql on getListOfTowns api method
FIX: wrong user right's name to top menu "commercial"
-FIX: XSS Vulnerability
+FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security
***** ChangeLog for 12.0.0 compared to 11.0.0 *****
For Users:
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 15cfd9ed9db..cce441c4052 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue;
if ($value == 'color' && empty($_POST['color'])) continue;
if ($value == 'formula' && empty($_POST['formula'])) continue;
+ if ($value == 'dayrule' && empty($_POST['dayrule'])) continue;
if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position'
if ((!isset($_POST[$value]) || $_POST[$value] == '') && (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking')) // Fields that are not mandatory
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index f0ad4352b60..f642cd64182 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -177,7 +177,11 @@ $sessiontimeout = ini_get("session.gc_maxlifetime");
if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
print '';
print ''.$langs->trans("SessionTimeOut").'';
-print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor")));
+if (ini_get("session.gc_probability") == 0) {
+ print $form->textwithpicto('', $langs->trans("SessionsPurgedByExternalSystem", ini_get("session.gc_maxlifetime")));
+} else {
+ print $form->textwithpicto('', $langs->trans("SessionExplanation", ini_get("session.gc_probability"), ini_get("session.gc_divisor"), ini_get("session.gc_maxlifetime")));
+}
print '';
print '';
print ' '.strtolower($langs->trans("Seconds"));
@@ -185,7 +189,6 @@ print '';
print '';
-$sessiontimeout = ini_get("session.gc_maxlifetime");
if (empty($conf->global->MAIN_APPLICATION_TITLE)) $conf->global->MAIN_APPLICATION_TITLE = "";
print '';
print ''.$langs->trans("MAIN_APPLICATION_TITLE").'';
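Review bot: The added `dayrule` guard goes through `empty($_POST['dayrule'])`, so a submitted `0` or `'0'` is skipped exactly like an absent field; whether 0 is a legal dayrule value cannot be told from this hunk, so it is worth confirming against the dictionary definition before relying on it. If only a missing or blank field should be skipped, the presence test used two lines below is the safer form: `if ($value == 'dayrule' && (!isset($_POST['dayrule']) || $_POST['dayrule'] == '')) continue;`. The neighbouring localtax2/color/formula lines share the same `empty()` pattern, so this follows a pre-existing convention rather than introducing a new one. The enclosing `if (GETPOST('actionadd') || ...)` block and the loop that sets `$value` start outside the hunk.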
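Review bot: `ini_get("session.gc_probability") == 0` is a loose comparison on a value that `ini_get` returns as a string, or `false` when the directive is not set: `false == 0` is true, and `"" == 0` is true on PHP 7 but false on PHP 8, so the branch taken for an unset or blank directive depends on the PHP version. Normalising first makes it deterministic: `if ((int) ini_get("session.gc_probability") === 0) {`. The `else` branch now passes `session.gc_maxlifetime` as a third argument to `SessionExplanation`, but the en_US string changed in this same commit only consumes two `%s` placeholders, so that argument is currently unused. The second hunk in this file only drops the duplicated `$sessiontimeout` assignment and needs nothing.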
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 7141d875567..bf906989d16 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -679,6 +679,7 @@ class ActionComm extends CommonObject
$sql = "SELECT a.id,";
$sql .= " a.id as ref,";
+ $sql .= " a.entity,";
$sql .= " a.ref_ext,";
$sql .= " a.datep,";
$sql .= " a.datep2,";
@@ -715,6 +716,7 @@ class ActionComm extends CommonObject
$obj = $this->db->fetch_object($resql);
$this->id = $obj->id;
+ $this->entity = $obj->entity;
$this->ref = $obj->ref;
$this->ref_ext = $obj->ref_ext;
diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php
index 29d6f982d59..e14581f6531 100644
--- a/htdocs/compta/paiement/card.php
+++ b/htdocs/compta/paiement/card.php
@@ -342,7 +342,7 @@ if ($resql)
print '';
print ''.$langs->trans('Bill').'';
print ''.$langs->trans('Company').'';
- if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)print ''.$langs->trans('Entity').'';
+ if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) print ''.$langs->trans('Entity').'';
print ''.$langs->trans('ExpectedToPay').'';
print ''.$langs->trans('PayedByThisPayment').'';
print ''.$langs->trans('RemainderToPay').'';
@@ -379,7 +379,7 @@ if ($resql)
print '';
// Expected to pay
- if ($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED) {
+ if (!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)) {
print '';
$mc->getInfo($objp->entity);
print $mc->label;
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index a3cdb1747a0..d9753001db2 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
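Review bot: The multicompany test `!empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED)` is now written out twice, for the header cell in the hunk at line 342 and again for the row cell in the hunk at line 379; if either copy is edited on its own, the header and the rows will no longer have the same number of columns. Computing it once before the table, `$showentitycol = !empty($conf->multicompany->enabled) && !empty($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED);`, and testing `if ($showentitycol)` in both places removes that risk. In the second hunk the unchanged `print $mc->label;` writes the entity label into the page with no visible escaping call; if that label is user-editable it should go through dol_escape_htmltag(), which cannot be confirmed from here. The enclosing `if ($resql)` block starts and ends outside both hunks.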
@@ -1590,7 +1590,7 @@ class Contact extends CommonObject
public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id)
{
$tables = array(
- 'socpeople'
+ 'socpeople', 'societe_contacts'
);
return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables);
diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php
index b3419d2faae..782c22a7d33 100644
--- a/htdocs/core/lib/website.lib.php
+++ b/htdocs/core/lib/website.lib.php
@@ -520,7 +520,7 @@ function includeContainer($containerref)
$tmpoutput = ob_get_contents();
ob_end_clean();
- print "\n".''."\n";
+ print "\n".''."\n";
print preg_replace(array('/^.*]*>/ims', '/<\/body>.*$/ims'), array('', ''), $tmpoutput);
if (!$res)
@@ -533,8 +533,9 @@ function includeContainer($containerref)
/**
* Return HTML content to add structured data for an article, news or Blog Post.
+ * Use the json-ld format.
*
- * @param string $type 'blogpost', 'product', 'software'...
+ * @param string $type 'blogpost', 'product', 'software', 'organization', ...
* @param array $data Array of data parameters for structured data
* @return string HTML content
*/
@@ -551,7 +552,7 @@ function getStructuredData($type, $data = array())
"@type": "SoftwareApplication",
"name": "'.dol_escape_json($data['name']).'",
"operatingSystem": "'.dol_escape_json($data['os']).'",
- "applicationCategory": "https://schema.org/GameApplication",
+ "applicationCategory": "https://schema.org/'.$data['applicationCategory'].'",
"aggregateRating": {
"@type": "AggregateRating",
"ratingValue": "'.$data['ratingvalue'].'",
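Review bot: `$data['applicationCategory']` is concatenated unescaped into the JSON-LD string in the hunk at line 551, while `name` and `os` on the lines just above go through `dol_escape_json()`, so a quote or backslash in that value corrupts the emitted document; and with the constant default gone, a caller that does not supply the key — which the `$data = array()` default permits — now triggers an undefined-index notice. Restoring the previous value as the fallback and escaping like its neighbours covers both: `"applicationCategory": "https://schema.org/'.dol_escape_json(empty($data['applicationCategory']) ? 'GameApplication' : $data['applicationCategory']).'",`. The unchanged `"ratingValue": "'.$data['ratingvalue'].'",` context line has the same unescaped concatenation. getStructuredData begins before this hunk and continues after it.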
@@ -575,21 +576,24 @@ function getStructuredData($type, $data = array())
$ret .= '{
"@context": "https://schema.org",
"@type": "Organization",
- "name": "'.dol_escape_json($companyname).'",
- "url": "'.$url.'",
- "logo": "/wrapper.php?modulepart=mycompany&file=logos%2F'.urlencode($mysoc->logo).'",
+ "name": "'.dol_escape_json($data['name'] ? $data['name'] : $companyname).'",
+ "url": "'.dol_escape_json($data['url'] ? $data['url'] : $url).'",
+ "logo": "'.($data['logo'] ? dol_escape_json($data['logo']) : '/wrapper.php?modulepart=mycompany&file=logos%2F'.urlencode($mysoc->logo)).'",
"contactPoint": {
"@type": "ContactPoint",
"contactType": "Contact",
- "email": "'.dol_escape_json($mysoc->email).'"
- },';
+ "email": "'.dol_escape_json($data['email'] ? $data['email'] : $mysoc->email).'"
+ },'."\n";
if (is_array($mysoc->socialnetworks) && count($mysoc->socialnetworks) > 0) {
$ret .= '"sameAs": [';
$i = 0;
foreach($mysoc->socialnetworks as $key => $value) {
if ($key == 'linkedin') {
$ret.= '"https://www.'.$key.'.com/company/'.dol_escape_json($value).'"';
- } else {
+ } elseif ($key == 'youtube') {
+ $ret.= '"https://www.'.$key.'.com/user/'.dol_escape_json($value).'"';
+ }
+ else {
$ret.= '"https://www.'.$key.'.com/'.dol_escape_json($value).'"';
}
$i++;
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index 52ec6048506..1ccfe9944f7 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
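Review bot: The new fallbacks read `$data['name']`, `$data['url']`, `$data['logo']` and `$data['email']` with a bare truthiness test, so any caller that omits one of those keys — which the `$data = array()` default allows — raises an undefined-array-key notice (a warning on PHP 8) before the fallback is applied. Testing presence with `empty()` keeps the same fallback and avoids the notice; the four rewritten lines are below, everything else in the Organization block is unchanged. On style, the new youtube branch spreads `} elseif (...) {`, `}` and `else {` over three lines while the linkedin branch above keeps `} else {` on one line. getStructuredData starts before this hunk and continues after it.

```php
"name": "'.dol_escape_json(empty($data['name']) ? $companyname : $data['name']).'",
"url": "'.dol_escape_json(empty($data['url']) ? $url : $data['url']).'",
"logo": "'.(empty($data['logo']) ? '/wrapper.php?modulepart=mycompany&file=logos%2F'.urlencode($mysoc->logo) : dol_escape_json($data['logo'])).'",
// … unchanged: "contactPoint" opening, "@type" and "contactType" …
"email": "'.dol_escape_json(empty($data['email']) ? $mysoc->email : $data['email']).'"
```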
@@ -539,7 +539,7 @@ class Expedition extends CommonObject
// Check parameters
if (empty($id) && empty($ref) && empty($ref_ext)) return -1;
- $sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
+ $sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet as fk_project, e.billed";
$sql .= ", e.date_valid";
$sql .= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height";
$sql .= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery";
@@ -568,6 +568,7 @@ class Expedition extends CommonObject
$obj = $this->db->fetch_object($result);
$this->id = $obj->rowid;
+ $this->entity = $obj->entity;
$this->ref = $obj->ref;
$this->socid = $obj->socid;
$this->ref_customer = $obj->ref_customer;
diff --git a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
index 210fe31d1ef..782516353b2 100644
--- a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
+++ b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql
@@ -33,4 +33,4 @@
-- For v13
-
+ALTER TABLE llx_website ADD COLUMN position integer DEFAULT 0;
diff --git a/htdocs/install/mysql/tables/llx_website.sql b/htdocs/install/mysql/tables/llx_website.sql
index 743d4ec9ca8..717052f795c 100644
--- a/htdocs/install/mysql/tables/llx_website.sql
+++ b/htdocs/install/mysql/tables/llx_website.sql
@@ -35,6 +35,7 @@ CREATE TABLE llx_website
fk_user_creat integer,
fk_user_modif integer,
date_creation datetime,
+ position integer DEFAULT 0,
tms timestamp,
import_key varchar(14) -- import key
) ENGINE=innodb;
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 5e485c86dbc..84c64a23615 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -1145,6 +1145,7 @@ AvailableModules=Available app/modules
ToActivateModule=To activate modules, go on setup Area (Home->Setup->Modules).
SessionTimeOut=Time out for session
SessionExplanation=This number guarantees that the session will never expire before this delay, if the session cleaner is done by Internal PHP session cleaner (and nothing else). Internal PHP session cleaner does not guarantee that the session will expire after this delay. It will expire, after this delay, and when the session cleaner is run, so every %s/%s access, but only during access made by other sessions (if value is 0, it means clearing of session is done only by an external process).
Note: on some servers with an external session cleaning mechanism (cron under debian, ubuntu ...), the sessions can be destroyed after a period defined by an external setup, no matter what the value entered here is.
+SessionsPurgedByExternalSystem=Sessions on this server seems to be cleaned by an external mechanism (cron under debian, ubuntu ...), probably every %s seconds (= value of parameter session.gc_maxlifetime), so changing the value here has no effect. You must ask the server administrator to change session delay.
TriggersAvailable=Available triggers
TriggersDesc=Triggers are files that will modify the behavior of Dolibarr workflow once copied into the directory htdocs/core/triggers. They realize new actions, activated on Dolibarr events (new company creation, invoice validation, ...).
TriggerDisabledByName=Triggers in this file are disabled by the -NORUN suffix in their name.
diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php
index 79d52c49445..40421c3853e 100755
--- a/scripts/cron/cron_run_jobs.php
+++ b/scripts/cron/cron_run_jobs.php
@@ -176,11 +176,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
// Force reload of setup for the current entity
if ((empty($line->entity) ? 1 : $line->entity) != $conf->entity) {
- dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload user and conf", LOG_DEBUG);
- echo " -> we change entity so we reload user and conf";
+ dol_syslog("cron_run_jobs.php we work on another entity conf than ".$conf->entity." so we reload mysoc, langs, user and conf", LOG_DEBUG);
+ echo " -> we change entity so we reload mysoc, langs, user and conf";
$conf->entity = (empty($line->entity) ? 1 : $line->entity);
$conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings
+ $mysoc->setMysoc($conf);
// Force recheck that user is ok for the entity to process and reload permission for entity
if ($conf->entity != $user->entity && $user->entity != 0)
@@ -203,6 +204,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs) > 0)) {
}
$user->getrights();
}
+
+ // Reload langs
+ $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT);
+ if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT;
+ if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode);
}
//If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database
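Review bot: The language reload in the hunk at line 203 only calls `$langs->setDefaultLang($langcode)`; nothing in the hunk reloads the translation domains already loaded under the previous entity's language, so unless setDefaultLang itself discards them — worth checking in the Translate class — strings already cached keep the old language for the rest of this job. `$langcode` also falls back to `$user->conf->MAIN_LANG_DEFAULT`, and the hunk does not show whether `$user->conf` is refreshed for the new entity alongside `$user->getrights()`. On style, `(empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT)` and `! empty(` use different spacing from `(empty($line->entity) ? 1 : $line->entity)` in the first hunk of this file. The entity-change `if` and the job loop that enclose both hunks start outside them.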