diff --git a/htdocs/admin/index.php b/htdocs/admin/index.php
index 7545fff294e..1221a961085 100644
--- a/htdocs/admin/index.php
+++ b/htdocs/admin/index.php
@@ -55,10 +55,11 @@ print $langs->trans("SetupDescription1").' ';
print $langs->trans("AreaForAdminOnly").'
';
+print "
";
print "
";
print $langs->trans("SetupDescription2")."
";
-print "
";
+print "
";
//print '
';
print img_picto('','puce').' '.$langs->trans("SetupDescription3")."
";
print '
';
diff --git a/htdocs/cron/functions_cron.lib.php b/htdocs/cron/functions_cron.lib.php
index 5e4e59889f9..d3d09e584d7 100644
--- a/htdocs/cron/functions_cron.lib.php
+++ b/htdocs/cron/functions_cron.lib.php
@@ -20,7 +20,7 @@
/**
* \file cron/functions_cron.lib.php
* \ingroup core
- * \brief Functions for miscellanous cron tasks
+ * \brief Functions for miscellaneous cron tasks
* \version $Id$
*/
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 4b4fa6a8d65..894a5b64f03 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -660,7 +660,7 @@ ListEvents=Audit events
ListOfSecurityEvents=List of Dolibarr security events
LogEventDesc=You can enable here the logging for Dolibarr security events. Administrators can then see its content via menu System tools - Audit. Warning, this feature can consume a large amount of data in database.
AreaForAdminOnly=Those features can be used by administrator users only.
-SystemInfoDesc=System information is miscellanous technical information you get in read only mode and visible for administrators only.
+SystemInfoDesc=System information is miscellaneous technical information you get in read only mode and visible for administrators only.
SystemAreaForAdminOnly=This area is available for administrator users only. None of the Dolibarr permissions can reduce this limit.
CompanyFundationDesc=Edit on this page all known information of the company or foundation you need to manage
DisplayDesc=You can choose each parameter related to the Dolibarr look and feel here
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 00642a2bfc8..2c63a26434d 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -62,8 +62,9 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
@set_magic_quotes_runtime(0);
}
-// Security: SQL Injection protection (Filters on GET, POST, REQUEST, COOKIE)
-function test_sql_inject($val)
+
+// Security: SQL and Script Injection protection (Filters on GET, POST)
+function test_sql_and_script_inject($val)
{
$sql_inj = 0;
$sql_inj += eregi('delete[[:space:]]+from', $val);
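Review bot: The renamed `test_sql_and_script_inject()` is still a keyword denylist, and its new header comment narrows the documented scope from "GET, POST, REQUEST, COOKIE" to "GET, POST". If the call site (not visible in this hunk) follows that comment, cookie-borne values are no longer screened. A denylist like this is defence in depth only, and the comment should say so, for example `// Defence in depth only: queries must still escape/bind values and output must be HTML-escaped; COOKIE values are not filtered here`. Separately, the `eregi()` calls in the body are not binary-safe and are deprecated as of PHP 5.3, so each check would be better written with PCRE, e.g. `$sql_inj += preg_match('/delete[[:space:]]+from/i', $val);`. The function body continues past the end of this hunk.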
@@ -71,29 +72,31 @@ function test_sql_inject($val)
$sql_inj += eregi('update.+set.+=', $val);
$sql_inj += eregi('insert[[:space:]]+into', $val);
$sql_inj += eregi('select.+from', $val);
+ $sql_inj += eregi('