lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security: More security holes fixed

Browse Source
This commit is contained in:
Laurent Destailleur 2011-11-02 21:20:00 +01:00
parent 63820ab375
commit c539155d6a
5 changed files with 23 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
htdocs/admin/boxes.php
View File

@ -29,8 +29,9 @@ include_once(DOL_DOCUMENT_ROOT."/lib/admin.lib.php");
$langs->load("admin");
if (!$user->admin)
accessforbidden();
$id=GETPOST('rowid','int');
if (!$user->admin) accessforbidden();
// Definition des positions possibles pour les boites
$pos_array = array(0); // Positions possibles pour une boite (0,1,2,...)
@ -101,7 +102,7 @@ if ($_GET["action"] == 'delete')
$db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
$sql.= " WHERE rowid=".$_GET["rowid"];
$sql.= " WHERE rowid=".$id;
$resql = $db->query($sql);
// Remove all personalized setup when a box is activated or disabled
@ -288,7 +289,7 @@ if ($resql)
dol_include_once($sourcefile);
$box=new $boxname($db,$obj->note);
$enabled=true;
if ($box->depends && sizeof($box->depends) > 0)
{
@ -297,7 +298,7 @@ if ($resql)
if (empty($conf->$module->enabled)) $enabled=false;
}
}
if ($enabled)
{
//if (in_array($obj->rowid, $actives) && $box->box_multiple <> 1)
@ -308,7 +309,7 @@ if ($resql)
else
{
$var=!$var;
if (preg_match('/^([^@]+)@([^@]+)$/i',$box->boximg))
{
$logo = $box->boximg;
@ -317,14 +318,14 @@ if ($resql)
{
$logo=preg_replace("/^object_/i","",$box->boximg);
}
print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<tr '.$bc[$var].'>';
print '<td>'.img_object("",$logo).' '.$box->boxlabel.'</td>';
print '<td>' . ($obj->note?$obj->note:'&nbsp;') . '</td>';
print '<td>' . $sourcefile . '</td>';
// Pour chaque position possible, on affiche un lien
// d'activation si boite non deja active pour cette position
print '<td>';
@ -333,11 +334,11 @@ if ($resql)
print '<input type="hidden" name="boxid" value="'.$obj->rowid.'">';
print ' <input type="submit" class="button" name="button" value="'.$langs->trans("Activate").'">';
print '</td>';
print '</tr></form>';
}
}
$i++;
}

3
htdocs/admin/ihm.php
View File

@ -38,8 +38,7 @@ $langs->load("companies");
$langs->load("products");
$langs->load("members");
if (!$user->admin)
accessforbidden();
if (!$user->admin) accessforbidden();
if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");

2
htdocs/lib/usergroups.lib.php
View File

@ -234,7 +234,7 @@ function show_theme($fuser,$edit=0,$foruserprofile=false)
$url=$urltheme."/".$subdir."/thumb.png";
if (! file_exists($file)) $url=$urltheme."/common/nophoto.jpg";
print '<table><tr><td>';
print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(! empty($_GET["optioncss"])?'&optioncss='.$_GET["optioncss"]:'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST("optioncss")?'&optioncss='.GETPOST("optioncss",'alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
if ($subdir == $conf->global->MAIN_THEME) $title=$langs->trans("ThemeCurrentlyActive");
else $title=$langs->trans("ShowPreview");
print '<img src="'.$url.'" border="0" width="80" height="60" alt="'.$title.'" title="'.$title.'">';

11
htdocs/main.inc.php
View File

@ -76,6 +76,7 @@ function test_sql_and_script_inject($val,$get)
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
// For XSS Injection done by adding javascript with script
$sql_inj += preg_match('/<script/i', $val);
if ($get) $sql_inj += preg_match('/javascript:/i', $val);
// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
return $sql_inj;
@ -751,11 +752,11 @@ if (!empty($conf->global->MAIN_MODULE_MULTICOMPANY))
if (GETPOST('action') == 'switchentity' && $user->admin && ! $user->entity)
{
$res = @dol_include_once("/multicompany/class/actions_multicompany.class.php");
if ($res)
{
$mc = new ActionsMulticompany($db);
if($mc->switchEntity(GETPOST('entity')) > 0)
{
Header("Location: ".DOL_URL_ROOT.'/');
@ -872,7 +873,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
// Output style sheets (optioncss='print' or '')
$themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1);
//print 'themepath='.$themepath;exit;
print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'').'">'."\n";
print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'">'."\n";
// CSS forced by modules (relative url starting with /)
if (is_array($conf->css_modules))
{
@ -880,7 +881,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
{ // cssfile is an absolute path
print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
// We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
print '">'."\n";
}
}
@ -891,7 +892,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
{
print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
// We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
print '">'."\n";
}
}

8
htdocs/user/group/index.php
View File

@ -33,7 +33,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
$langs->load("users");
$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
$sall=GETPOST("sall");
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
@ -61,9 +61,9 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ugu ON ugu.fk_usergroup =
$sql.= " WHERE g.entity IN (0,".$conf->entity.")";
if ($_POST["search_group"])
{
$sql .= " AND (g.nom like '%".$_POST["search_group"]."%' OR g.note like '%".$_POST["search_group"]."%')";
$sql .= " AND (g.nom like '%".$db->escape($_POST["search_group"])."%' OR g.note like '%".$db->escape($_POST["search_group"])."%')";
}
if ($sall) $sql.= " AND (g.nom like '%".$sall."%' OR g.note like '%".$sall."%')";
if ($sall) $sql.= " AND (g.nom like '%".$db->escape($sall)."%' OR g.note like '%".$db->escape($sall)."%')";
$sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec";
$sql.= $db->order($sortfield,$sortorder);
@ -73,7 +73,7 @@ if ($resql)
$num = $db->num_rows($resql);
$i = 0;
$param="search_group=$search_group&amp;sall=$sall";
$param="search_group=".$search_group."&amp;sall=".$sall;
print "<table class=\"noborder\" width=\"100%\">";
print '<tr class="liste_titre">';
print_liste_field_titre($langs->trans("Group"),$_SERVER["PHP_SELF"],"g.nom",$param,"","",$sortfield,$sortorder);