lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '4.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/filefunc.inc.php
	htdocs/install/mysql/data/llx_c_payment_term.sql
	htdocs/langs/en_US/bills.lang
	htdocs/langs/en_US/mails.lang
This commit is contained in:
Laurent Destailleur 2016-12-16 13:56:55 +01:00
commit c750ba8b99
16 changed files with 111 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
build/debian/conf.php.install
View File

@ -221,7 +221,13 @@ $dolibarr_main_prod='0';
# $dolibarr_main_limit_users='0';
# dolibarr_mailing_limit_sendbyweb
# Can set a limit for mailing send by web, can be used for a restricted mode.
# Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
# Default value: 0 (use database value if exist)
# Examples:
# $dolibarr_mailing_limit_sendbyweb='0';
# dolibarr_mailing_limit_sendbycli
# Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
# Default value: 0 (use database value if exist)
# Examples:
# $dolibarr_mailing_limit_sendbycli='0';

3
htdocs/admin/system/constall.php
View File

@ -90,7 +90,8 @@ $configfileparameters=array(
'?dolibarr_font_DOL_DEFAULT_TTF_BOLD',
'separator',
'?dolibarr_mailing_limit_sendbyweb',
'?dolibarr_strict_mode'
'?dolibarr_mailing_limit_sendbycli',
'?dolibarr_strict_mode'
);
$configfilelib=array(
// 'separator',

3
htdocs/admin/system/dolibarr.php
View File

@ -286,7 +286,8 @@ $configfileparameters=array(
'separator4' => '',
'dolibarr_main_prod' => 'Production mode (Hide all error messages)',
'?dolibarr_mailing_limit_sendbyweb' => 'Limit nb of email sent by page',
'?dolibarr_strict_mode' => 'Strict mode is on/off',
'?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',
'?dolibarr_strict_mode' => 'Strict mode is on/off',
'?dolibarr_pdf_force_fpdf' => 'Force fpdf usage to generate PDF'
);

13
htdocs/comm/mailing/card.php
View File

@ -756,6 +756,7 @@ else
$sendingmode=$conf->global->MAIN_MAIL_SENDMODE;
if (empty($sendingmode)) $sendingmode='mail'; // If not defined, we use php mail function
// Note: MAILING_LIMIT_SENDBYWEB is always defined to something != 0
if (! empty($conf->global->MAILING_NO_USING_PHPMAIL) && $sendingmode == 'mail')
{
// EMailing feature may be a spam problem, so when you host several users/instance, having this option may force each user to use their own SMTP agent.
@ -767,19 +768,21 @@ else
if (! empty($conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS)) setEventMessages($langs->trans("MailSendSetupIs3", $conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS), null, 'warnings');
$_GET["action"]='';
}
else if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')
{
// Pour des raisons de securite, on ne permet pas cette fonction via l'IHM,
// on affiche donc juste un message
// No limit was defined, so the feature is forbidden from GUI, we show just a message.
setEventMessages($langs->trans("MailingNeedCommand"), null, 'warnings');
setEventMessages('<textarea cols="60" rows="'.ROWS_1.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.'</textarea>', null, 'warnings');
setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');
if ($conf->file->mailing_limit_sendbyweb != '-1')
{
setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings'); // You can send online with constant...
}
$_GET["action"]='';
}
else
{
$text='';
if ($conf->file->mailing_limit_sendbyweb == 0)
if ($conf->global->MAILING_LIMIT_SENDBYCLI >= 0)
{
$text.=$langs->trans("MailingNeedCommand");
$text.='<br><textarea cols="60" rows="'.ROWS_2.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.' '.$user->login.'</textarea>';

12
htdocs/conf/conf.php.example
View File

@ -273,6 +273,18 @@ $dolibarr_nocsrfcheck='0';
// Examples:
// $dolibarr_main_limit_users='0';
// dolibarr_mailing_limit_sendbyweb
// Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
// Default value: '0' (no overwrite, use database value if exists)
// Examples: '-1' (sending by web is forbidden)
// $dolibarr_mailing_limit_sendbyweb='0';
// dolibarr_mailing_limit_sendbycli
// Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
// Default value: '0' (no overwrite, use database value if exists)
// Examples: '-1' (sending by cli is forbidden)
// $dolibarr_mailing_limit_sendbycli='0';
// dolibarr_strict_mode
// Set this to 1 to enable the PHP strict mode. For dev environment only.
// Default value: 0 (use database value if exist)

2
htdocs/core/class/CMailFile.class.php
View File

@ -824,7 +824,7 @@ class CMailFile
global $conf;
$out = "";
$host = dol_getprefix();
$host = dol_getprefix('email');
// Sender
//$out.= "Sender: ".getValidAddress($this->addr_from,2)).$this->eol2;

2
htdocs/core/class/smtps.class.php
View File

@ -1195,7 +1195,7 @@ class SMTPs
$host=preg_replace('@tcp://@i','',$host); // Remove prefix
$host=preg_replace('@ssl://@i','',$host); // Remove prefix
$host=dol_getprefix().'-'.$host;
$host=dol_getprefix('email').'-'.$host;
//NOTE: Message-ID should probably contain the username of the user who sent the msg
$_header .= 'Subject: ' . $this->getSubject() . "\r\n";

15
htdocs/core/lib/functions.lib.php
View File

@ -321,19 +321,22 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
* This prefix is unique for instance and avoid conflict between multi-instances,
* even when having two instances with one root dir or two instances in virtual servers
*
* @param string $mode '' or 'email'
* @return string A calculated prefix
*/
function dol_getprefix()
function dol_getprefix($mode='')
{
global $conf;
// If MAIL_PREFIX_FOR_EMAIL_ID is set and prefix is for email
if ($mode == 'email' && ! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
{
if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID != 'SERVER_NAME') return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
else if (isset($_SERVER["SERVER_NAME"])) return $_SERVER["SERVER_NAME"];
}
if (isset($_SERVER["SERVER_NAME"]) && isset($_SERVER["DOCUMENT_ROOT"]))
{
if (! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
{
if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID == 'SERVER_NAME') return $_SERVER["SERVER_NAME"];
return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
}
return dol_hash($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
// Use this for a "clear" cookie name
//return dol_sanitizeFileName($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);

1
htdocs/filefunc.inc.php
View File

@ -154,6 +154,7 @@ if (empty($dolibarr_main_db_encryption)) $dolibarr_main_db_encryption=0;
if (empty($dolibarr_main_db_cryptkey)) $dolibarr_main_db_cryptkey='';
if (empty($dolibarr_main_limit_users)) $dolibarr_main_limit_users=0;
if (empty($dolibarr_mailing_limit_sendbyweb)) $dolibarr_mailing_limit_sendbyweb=0;
if (empty($dolibarr_mailing_limit_sendbycli)) $dolibarr_mailing_limit_sendbycli=0;
if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php strict mode
// TODO Multicompany Remove this. Useless.
if (empty($multicompany_transverse_mode)) $multicompany_transverse_mode=0;

2
htdocs/install/mysql/data/llx_c_payment_term.sql
View File

@ -27,7 +27,7 @@
-- de l'install et tous les sigles '--' sont supprimés.
--
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'A réception de facture','Réception de facture',0,1);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'Due Upon Receipt','Due Upon Receipt',0,1);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (2,'30D', 2,1, '30 jours','Réglement à 30 jours',0,30);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (3,'30DENDMONTH', 3,1, '30 jours fin de mois','Réglement à 30 jours fin de mois',1,30);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (4,'60D', 4,1, '60 jours','Réglement à 60 jours',0,60);

4
htdocs/langs/en_US/bills.lang
View File

@ -333,8 +333,8 @@ DateIsNotEnough=Date not reached yet
InvoiceGeneratedFromTemplate=Invoice %s generated from recurring template invoice %s
# PaymentConditions
Statut=Status
PaymentConditionShortRECEP=Immediate
PaymentConditionRECEP=Immediate
PaymentConditionShortRECEP=Due Upon Receipt
PaymentConditionRECEP=Due Upon Receipt
PaymentConditionShort30D=30 days
PaymentCondition30D=30 days
PaymentConditionShort30DENDMONTH=30 days of month-end

5
htdocs/langs/en_US/mails.lang
View File

@ -88,9 +88,10 @@ MailNoChangePossible=Recipients for validated emailing can't be changed
SearchAMailing=Search mailing
SendMailing=Send emailing
SendMail=Send email
MailingNeedCommand=For security reason, sending an emailing is better when performed from command line. If you have one, ask your server administrator to launch the following command to send the emailing to all recipients:
SentBy=Sent by
MailingNeedCommand=For security reason, sending an emailing must be performed from command line. Ask your server administrator to launch the following command to send the emailing to all recipients:
MailingNeedCommand2=You can however send them online by adding parameter MAILING_LIMIT_SENDBYWEB with value of max number of emails you want to send by session. For this, go on Home - Setup - Other.
ConfirmSendingEmailing=If you can't or prefer sending them with your www browser, please confirm you are sure you want to send emailing now from your browser?
ConfirmSendingEmailing=If you want to send emailing directly from this screen, please confirm you are sure you want to send emailing now from your browser ?
LimitSendingEmailing=Note: Sending of emailings from web interface is done in several times for security and timeout reasons, <b>%s</b> recipients at a time for each sending session.
TargetsReset=Clear list
ToClearAllRecipientsClickHere=Click here to clear the recipient list for this emailing

4
htdocs/main.inc.php
View File

@ -89,7 +89,6 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
$sql_inj += preg_match('/onerror=/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
@ -98,7 +97,8 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);

13
htdocs/master.inc.php
View File

@ -61,6 +61,7 @@ if (defined('TEST_DB_FORCE_TYPE')) $conf->db->type=constant('TEST_DB_FORCE_TYPE'
// Set properties specific to conf file
$conf->file->main_limit_users = $dolibarr_main_limit_users;
$conf->file->mailing_limit_sendbyweb = $dolibarr_mailing_limit_sendbyweb;
$conf->file->mailing_limit_sendbycli = $dolibarr_mailing_limit_sendbycli;
$conf->file->main_authentication = empty($dolibarr_main_authentication)?'':$dolibarr_main_authentication; // Identification mode
$conf->file->main_force_https = empty($dolibarr_main_force_https)?'':$dolibarr_main_force_https; // Force https
$conf->file->strict_mode = empty($dolibarr_strict_mode)?'':$dolibarr_strict_mode; // Force php strict mode (for debug)
@ -188,6 +189,18 @@ if (! empty($conf->file->mailing_limit_sendbyweb))
{
$conf->global->MAILING_LIMIT_SENDBYWEB = $conf->file->mailing_limit_sendbyweb;
}
if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
{
$conf->global->MAILING_LIMIT_SENDBYWEB = 25;
}
if (! empty($conf->file->mailing_limit_sendbycli))
{
$conf->global->MAILING_LIMIT_SENDBYCLI = $conf->file->mailing_limit_sendbycli;
}
if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
{
$conf->global->MAILING_LIMIT_SENDBYCLI = 0;
}
// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
if (! empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))

11
scripts/emailings/mailing-send.php
View File

@ -61,6 +61,11 @@ $error=0;
@set_time_limit(0);
print "***** ".$script_file." (".$version.") pid=".dol_getmypid()." *****\n";
if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')
{
}
$user = new User($db);
// for signature, we use user send as parameter
if (! empty($login)) $user->fetch('',$login);
@ -108,7 +113,11 @@ if ($resql)
$sql2 = "SELECT mc.rowid, mc.lastname as lastname, mc.firstname as firstname, mc.email, mc.other, mc.source_url, mc.source_id, mc.source_type, mc.tag";
$sql2.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
$sql2.= " WHERE mc.statut < 1 AND mc.fk_mailing = ".$id;
if ($conf->global->MAILING_LIMIT_SENDBYCLI > 0)
{
$sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;
}
$resql2=$db->query($sql2);
if ($resql2)
{

54
test/phpunit/CoreTest.php
View File

@ -219,7 +219,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
print __METHOD__." DOL_MAIN_URL_ROOT=".DOL_MAIN_URL_ROOT."\n";
print __METHOD__." DOL_URL_ROOT=".DOL_URL_ROOT."\n";
$this->assertEquals(DOL_URL_ROOT,$expectedresult);
$this->assertEquals($expectedresult, DOL_URL_ROOT);
return true;
}
@ -245,7 +245,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
global $dolibarr_main_db_prefix;
// This is code copied from main.inc.php
// This is code copied from main.inc.php !!!!!!!!!!!!!!!
/**
* Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
@ -258,14 +258,16 @@ class CoreTest extends PHPUnit_Framework_TestCase
{
$sql_inj = 0;
// For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
if ($type != 2) {
$sql_inj += preg_match('/delete[\s]+from/i', $val);
$sql_inj += preg_match('/create[\s]+table/i', $val);
$sql_inj += preg_match('/update.+set.+=/i', $val);
$sql_inj += preg_match('/insert[\s]+into/i', $val);
$sql_inj += preg_match('/select.+from/i', $val);
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
if ($type != 2)
{
$sql_inj += preg_match('/delete\s+from/i', $val);
$sql_inj += preg_match('/create\s+table/i', $val);
$sql_inj += preg_match('/update.+set.+=/i', $val);
$sql_inj += preg_match('/insert\s+into/i', $val);
$sql_inj += preg_match('/select.+from/i', $val);
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
@ -273,22 +275,40 @@ class CoreTest extends PHPUnit_Framework_TestCase
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/i', $val);
if ($type == 1) {
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
$sql_inj += preg_match('/vbscript:/i', $val);
}
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
if ($type == 2) $sql_inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
return $sql_inj;
}
//type=2 key=0 value=/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices
// Run tests
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
$result=test_sql_and_script_inject($_SERVER["PHP_SELF"],2);
$result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
$expectedresult=0;
$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1a');
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices;badaction';
$result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
$expectedresult=1;
$this->assertEquals($result,$expectedresult);
$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1b');
$_GET['aaa']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
$result=test_sql_and_script_inject($_GET['aaa'], 0);
$expectedresult=1;
$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 2');
$_POST['bbb']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
$result=test_sql_and_script_inject($_POST['bbb'], 2);
$expectedresult=1;
$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 3');
}
}