From ab558ee5fae5fbbaa92452160e80d8664e83453a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Thu, 14 Dec 2017 09:49:55 +0100
Subject: [PATCH 1/6] Update product.php

---
 htdocs/product/admin/product.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/htdocs/product/admin/product.php b/htdocs/product/admin/product.php
index 2757234251d..69355a7f1e8 100644
--- a/htdocs/product/admin/product.php
+++ b/htdocs/product/admin/product.php
@@ -56,7 +56,6 @@ $select_pricing_rules=array(
 );
 if ($conf->global->MAIN_FEATURES_LEVEL >= 2)
 {
- $langs->load("admin");
 $select_pricing_rules['PRODUIT_CUSTOMER_PRICES_BY_QTY'] = $langs->trans('PriceByQuantity').' ('.$langs->trans("VersionExperimental").')'; // TODO If this is enabled, price must be hidden when price by qty is enabled, also price for quantity must be used when adding product into order/propal/invoice
 $select_pricing_rules['PRODUIT_CUSTOMER_PRICES_BY_QTY&PRODUIT_MULTIPRICES'] = $langs->trans('MultiPricesAbility') . '+' . $langs->trans('PriceByQuantity').' ('.$langs->trans("VersionExperimental").')';
 }

From 1331e8add737ae66638fef468fbd31d879db78c9 Mon Sep 17 00:00:00 2001
From: John
Date: Tue, 2 Jan 2018 17:19:42 +0100
Subject: [PATCH 2/6] fix filter for TYPE_SITUATION invoice

---
 htdocs/compta/facture/list.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 4b734a5e7d9..d7f9384399f 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -785,7 +785,8 @@ if ($resql)
 Facture::TYPE_STANDARD=>$langs->trans("InvoiceStandard"),
 Facture::TYPE_REPLACEMENT=>$langs->trans("InvoiceReplacement"),
 Facture::TYPE_CREDIT_NOTE=>$langs->trans("InvoiceAvoir"),
- Facture::TYPE_DEPOSIT=>$langs->trans("InvoiceDeposit"),
+ Facture::TYPE_DEPOSIT=>$langs->trans("InvoiceDeposit"),
+ Facture::TYPE_SITUATION=>$langs->trans("InvoiceSituation"),
 );
 //$listtype[Facture::TYPE_PROFORMA]=$langs->trans("InvoiceProForma"); // A proformat invoice is not an invoice but must be an order.
 print $form->selectarray('search_type', $listtype, $search_type, 1, 0, 0, '', 0, 0, 0, 'ASC', 'maxwidth100');

From 61efda4cbd148b2656df9ddc8023c05fe6badfc3 Mon Sep 17 00:00:00 2001
From: ATM-Nicolas
Date: Tue, 2 Jan 2018 17:21:04 +0100
Subject: [PATCH 3/6] FIX : product best price on product list

---
 htdocs/product/list.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 8322fec244e..84cf070b39d 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -821,7 +821,7 @@ else
 if (! empty($conf->fournisseur->enabled) && $user->rights->fournisseur->lire)
 {
 $htmltext=$product_fourn->display_price_product_fournisseur(1, 1, 0, 1);
- print $form->textwithpicto(price($product_fourn->fourn_unitprice).' '.$langs->trans("HT"),$htmltext);
+ print $form->textwithpicto(price($product_fourn->fourn_unitprice * (1 - $product_fourn->fourn_remise_percent/100) + $product_fourn->fourn_unitcharges - $product_fourn->fourn_remise).' '.$langs->trans("HT"),$htmltext);
 }
 else print price($product_fourn->fourn_unitprice).' '.$langs->trans("HT");
 }

From 25390e5f73f5497ced8d451ea1e903255e619f96 Mon Sep 17 00:00:00 2001
From: florian HENRY
Date: Wed, 3 Jan 2018 17:03:00 +0100
Subject: [PATCH 4/6] fix : linked object (new format of linked_object atribut on 6.0)

---
 htdocs/fourn/commande/orderstoinvoice.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
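Review bot: The `else` branch two lines below the rewritten `print` still shows the raw `fourn_unitprice`, so a user without `fournisseur->lire` now sees a different figure for the same supplier price than a user who has it. Compute the net price once before the `if` and use it in both branches: `$bestprice = $product_fourn->fourn_unitprice * (1 - $product_fourn->fourn_remise_percent/100) + $product_fourn->fourn_unitcharges - $product_fourn->fourn_remise;` then `print $form->textwithpicto(price($bestprice).' '.$langs->trans("HT"),$htmltext);` and `else print price($bestprice).' '.$langs->trans("HT");`. Whether charges are meant to be added before the fixed discount is subtracted cannot be checked from this hunk, so a one-line comment stating the intended order (`// net = unit price less % discount, plus charges, less fixed discount`) would make the formula auditable against the helper that builds `$htmltext`. The enclosing `else` block starts and ends outside the hunk.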
diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php
index b1a8c0c08c1..20f9a3674cf 100644
--- a/htdocs/fourn/commande/orderstoinvoice.php
+++ b/htdocs/fourn/commande/orderstoinvoice.php
@@ -171,16 +171,15 @@ if (($action == 'create' || $action == 'add') && ! $error)
 {
 if ($ret < 0) $error++;
 if ($_POST['origin'] && $_POST['originid']) {
- $object->linked_objects = $orders_id;
+ $linked_orders_ids=array();
+ foreach ( $orders_id as $origin => $origin_id ) {
+ $origin_id = (! empty($origin_id) ? $origin_id : $orders_id[$ii]);
+ $linked_orders_ids[]=$origin_id;
+ }
+ $object->linked_objects = array(GETPOST('origin')=>$linked_orders_ids);
 $id = $object->create($user);
 if ($id > 0) {
- foreach ( $orders_id as $origin => $origin_id ) {
- $origin_id = (! empty($origin_id) ? $origin_id : $orders_id[$ii]);
-
- $object->add_object_linked(GETPOST('origin'), $origin_id);
- }
-
 while ( $ii < $nn ) {
 $objectsrc = new CommandeFournisseur($db);
 dol_syslog("Try to find source object origin=" . $object->origin . " originid=" . $object->origin_id . " to add lines");

From 58470e0913ad38f4462185295f58379b21005b5a Mon Sep 17 00:00:00 2001
From: gauthier
Date: Thu, 4 Jan 2018 12:01:21 +0100
Subject: [PATCH 5/6] FIX : $oldvatrateclean & $newvatrateclean must be set if preg_match === false

---
 htdocs/product/admin/product_tools.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/product/admin/product_tools.php b/htdocs/product/admin/product_tools.php
index f19f672a25e..c9323f75823 100644
--- a/htdocs/product/admin/product_tools.php
+++ b/htdocs/product/admin/product_tools.php
@@ -73,7 +73,7 @@ if ($action == 'convert')
 {
 $vat_src_code_old = $reg[1];
 $oldvatrateclean = preg_replace('/\s*\(.*\)/', '', $oldvatrate); // Remove code into vatrate.
- }
+ } else $oldvatrateclean=$oldvatrate;

 // Clean vat code new
 $vat_src_code_new='';
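Review bot: The fallback `$orders_id[$ii]` in the new `foreach` never varies, because `$ii` is not advanced inside the loop (it is the counter of the `while` further down), so every empty entry of `$orders_id` resolves to the same id and is pushed into `$linked_orders_ids` again; if an empty id is not expected here, `if (empty($origin_id)) continue;` is the safer guard, and the unused `$origin` key can be dropped from the `foreach`. The condition reads `$_POST['origin']` directly while the array key handed to `linked_objects` comes from `GETPOST('origin')`; presumably that key selects the element type the link rows are created with, so it should be read once through the same accessor and checked against the value this supplier-order page expects (presumably `order_supplier`) rather than taken raw from the request, e.g. `$origin = GETPOST('origin', 'alpha');` before the `if`, if that filter is available in this version. The surrounding `if` blocks start and end outside the hunk.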
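Review bot: The new `} else $oldvatrateclean=$oldvatrate;` puts a brace-less `else` on the closing-brace line, while every other block in this hunk keeps its braces on their own lines. The same result with no `else` at all is to give the variable its default before the `if`, `$oldvatrateclean = $oldvatrate;`, presumably next to the `$vat_src_code_old` initialisation above the hunk, and let the `preg_match` branch override it when a `(code)` suffix is present. That leaves the variable defined on every path, including the `preg_match` error case the subject line mentions, with a single obvious assignment site. The enclosing `if ($action == 'convert')` starts and ends outside the hunk.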
@@ -81,7 +81,7 @@ if ($action == 'convert')
 {
 $vat_src_code_new = $reg[1];
 $newvatrateclean = preg_replace('/\s*\(.*\)/', '', $newvatrate); // Remove code into vatrate.
- }
+ } else $newvatrateclean=$newvatrate;

 // If country to edit is my country, so we change customer prices
 if ($country_id == $mysoc->country_id)

From b2feac9d90f2ecfd5916c4d49176ff1a138744c8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 4 Jan 2018 19:25:52 +0100
Subject: [PATCH 6/6] CVE-2017-17971

---
 htdocs/main.inc.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2b4ad4de3c5..501b7d8a97f 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -102,6 +102,8 @@ function test_sql_and_script_inject($val, $type)
 $inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like
 $inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like
 $inj += preg_match('/onload\s*=/i', $val); // onload can be set on input text html tag like
+ $inj += preg_match('/onclick\s*=/i', $val); // onclick can be set on img text html tag like
+ $inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be textarea
 if ($type == 1)
 {
 $inj += preg_match('/javascript:/i', $val);
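Review bot: `preg_match` returns 0 for a rate without a `(code)` suffix and `false` only on a PCRE error, so the new `else` in `} else $newvatrateclean=$newvatrate;` is the normal path for plain rates, not the error path the subject line describes; a comment would stop the next reader from taking it for error handling, e.g. `// No '(code)' suffix on the rate: use the value as entered`. If a PCRE failure really is meant to be caught, it should be told apart with `=== false` and `preg_last_error()` rather than folded into the no-match case, because in that case `$reg` is not populated either. The enclosing `if ($action == 'convert')` starts and ends outside the hunk.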
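Review bot: The two added lines extend a deny-list of individual handler names, so any handler not in the list (`onmouseover`, `onkeydown`, `onanimationstart`, …) still passes `test_sql_and_script_inject` unchanged; this closes only the two handlers the CVE names. One pattern covering the whole family, `$inj += preg_match('/\bon[a-z]+\s*=/i', $val); // any on* event-handler attribute`, would replace the onerror/onfocus/onload/onclick/onscroll lines, at the cost of possible false positives on values where a word starting with `on` is followed by `=` (a parameter named `only`, for instance), which should be checked against legitimate traffic before adopting it. Request-level filtering of this kind is a second line of defence; context-appropriate escaping where the value is echoed remains the primary fix, which this hunk cannot show. The function `test_sql_and_script_inject` starts before the hunk and continues after it.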