From 84afd61eba8290a3adf778b06248b7b92dd87efe Mon Sep 17 00:00:00 2001
From: VESSILLER
Date: Thu, 16 Mar 2023 11:21:56 +0100
Subject: [PATCH 1/2] FIX missing protection on ajax public ticket page for valid email
---
 htdocs/public/ticket/ajax/ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/public/ticket/ajax/ajax.php b/htdocs/public/ticket/ajax/ajax.php
index e125b0122e7..79c4b5bf530 100644
--- a/htdocs/public/ticket/ajax/ajax.php
+++ b/htdocs/public/ticket/ajax/ajax.php
@@ -55,7 +55,7 @@ include_once '../../../main.inc.php'; // Load $user and permissions
 $action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
-$email = GETPOST('email', 'alphanohtml');
+$email = GETPOST('email', 'custom', 0, 'FILTER_VALIDATE_EMAIL');
 if (!isModEnabled('ticket')) {
From 1793b84d4c2bb7ab8f8aaa05953e843f940011ff Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 17 Mar 2023 01:26:31 +0100
Subject: [PATCH 2/2] Fix disable an option that should not be available by default.
---
 htdocs/admin/ticket_public.php | 2 +-
 htdocs/install/mysql/migration/16.0.0-17.0.0.sql | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php
index a1bf95d819f..1f32fec97aa 100644
--- a/htdocs/admin/ticket_public.php
+++ b/htdocs/admin/ticket_public.php
@@ -330,7 +330,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
 print '';
 // Auto fill the contact found from email
- // This option is a serious security hole. it allowe to any non looged perso, to get the database of contacts
+ // This option is a serious security hole. it allows to any non logged perso, to get the database of contacts or to check if an email is a customer or not. We must keep it as hidden option only.
 /*
 print ''.$langs->trans("TicketCreateThirdPartyWithContactIfNotExist").'';
 print '';
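Review bot: The added `$email` line in htdocs/public/ticket/ajax/ajax.php passes the filter as the string literal `'FILTER_VALIDATE_EMAIL'` instead of the PHP constant, and filter_var() takes an int filter id; if GETPOST's 'custom' mode forwards its fourth argument to filter_var(), as the call shape suggests, the string is rejected (a TypeError on PHP 8, a warning with a null result on PHP 7), so $email never holds a validated address and the protection the commit title promises is not actually in place. The line should read `$email = GETPOST('email', 'custom', 0, FILTER_VALIDATE_EMAIL);`. The code that consumes $email lies outside the hunk, so whether a null or false $email is handled there cannot be seen here; a format check also does not by itself limit what the endpoint reveals about an address, which is the concern the second patch's comment in htdocs/admin/ticket_public.php describes.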
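Review bot: The rewritten comment on the `+` line of htdocs/admin/ticket_public.php still carries the typo "perso" and is now one very long line; since this comment is the only place that records why the option must stay hidden, it is worth making it read cleanly. Suggested wording, split over two lines: `// This option is a serious security hole: it allows any non-logged person to obtain the database of contacts` / `// or to check whether an email belongs to a customer. We must keep it as a hidden option only.` The commented-out block that follows and the enclosing if block both start and end outside the hunk.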
diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
index a1e24fa6d2c..20a9d7b097f 100644
--- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
+++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
@@ -401,4 +401,6 @@ ALTER TABLE llx_facture_fourn_det MODIFY COLUMN ref varchar(128);
 ALTER TABLE llx_projet ADD COLUMN extraparams varchar(255);
+DELETE FROM llx_const WHERE name = 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST';
+
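Review bot: The new DELETE line carries no comment saying why the constant is removed, and the migration file is where a maintainer will look when the option disappears after an upgrade; the rationale currently lives only in a PHP comment in htdocs/admin/ticket_public.php. A one-line SQL comment above it would do, e.g. `-- Option removed on upgrade: it let unauthenticated users obtain the contact database, see htdocs/admin/ticket_public.php`. Note also that the WHERE clause filters on name only, so if llx_const is scoped per entity the value is removed for every entity, which looks intended for a security-motivated removal but is worth stating in that comment.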