FIX Var not enough sanitized

This commit is contained in:
Laurent Destailleur 2019-09-24 14:16:24 +02:00
parent c53be23122
commit db334a3b94
10 changed files with 43 additions and 42 deletions


@ -116,7 +116,7 @@ if (empty($reshook))
if (GETPOST('addfilter', 'alpha'))
{
$emailcollectorfilter = new EmailCollectorFilter($db);
$emailcollectorfilter->type = GETPOST('filtertype', 'az09');
$emailcollectorfilter->type = GETPOST('filtertype', 'aZ09');
$emailcollectorfilter->rulevalue = GETPOST('rulevalue', 'alpha');
$emailcollectorfilter->fk_emailcollector = $object->id;
$emailcollectorfilter->status = 1;
@ -150,7 +150,7 @@ if ($action == 'deletefilter')
if (GETPOST('addoperation', 'alpha'))
{
$emailcollectoroperation = new EmailCollectorAction($db);
$emailcollectoroperation->type = GETPOST('operationtype', 'az09');
$emailcollectoroperation->type = GETPOST('operationtype', 'aZ09');
$emailcollectoroperation->actionparam = GETPOST('operationparam', 'none');
$emailcollectoroperation->fk_emailcollector = $object->id;
$emailcollectoroperation->status = 1;
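Review bot: `actionparam` on the `addoperation` path is still read with `GETPOST('operationparam', 'none')`, i.e. with no filtering at all, while this commit tightens the neighbouring `type` field; if that value is later echoed into the collector's HTML or used to build a query it is the one remaining unsanitized input in this block. Unless the operation parameter legitimately needs raw HTML, `GETPOST('operationparam', 'alphanohtml')` (or `'restricthtml'` if markup must be kept) would put it on the same footing as `rulevalue`. Both `if (GETPOST(...))` blocks are cut at the top of their hunks, so any later validation inside the action class is not visible here.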


@ -36,7 +36,7 @@ $langs->load("categories");
$id = GETPOST('id', 'int');
$label= GETPOST('label', 'alpha');
$type = GETPOST('type', 'az09');
$type = GETPOST('type', 'aZ09');
$action=GETPOST('action', 'aZ09');
$confirm = GETPOST('confirm', 'alpha');
$removeelem = GETPOST('removeelem', 'int');


@ -87,7 +87,7 @@ $week=GETPOST("week", "int")?GETPOST("week", "int"):date("W");
$day=GETPOST("day", "int")?GETPOST("day", "int"):date("d");
$pid=GETPOST("search_projectid", "int", 3)?GETPOST("search_projectid", "int", 3):GETPOST("projectid", "int", 3);
$status=GETPOST("search_status", 'aZ09')?GETPOST("search_status", 'aZ09'):GETPOST("status", 'aZ09'); // status may be 0, 50, 100, 'todo'
$type=GETPOST("search_type", 'az09')?GETPOST("search_type", 'az09'):GETPOST("type", 'az09');
$type=GETPOST("search_type", 'aZ09')?GETPOST("search_type", 'aZ09'):GETPOST("type", 'aZ09');
$maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint"):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);
// Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
if (GETPOST('search_actioncode', 'array'))
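Review bot: `$maxprint` on the line after the changed one is read with a bare `GETPOST("maxprint")` and no check type, so it is the remaining unfiltered request variable in this hunk, and the `isset($_GET["maxprint"])` guard does not match `GETPOST`, which also reads POST. Since it is a row limit it should be `GETPOST("maxprint", "int")`; whether a non-numeric value can reach a SQL LIMIT or a loop bound depends on code below the hunk, which is not visible here.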


@ -35,7 +35,7 @@ $allowinstall = 0;
$allowupgrade = false;
$checksok = 1;
$setuplang=GETPOST("selectlang", 'az09', 3)?GETPOST("selectlang", 'az09', 3):$langs->getDefaultLang();
$setuplang=GETPOST("selectlang", 'aZ09', 3)?GETPOST("selectlang", 'aZ09', 3):$langs->getDefaultLang();
$langs->setDefaultLang($setuplang);
$langs->load("install");
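Review bot: `aZ09` is a character-class filter, not a check that `selectlang` names an installed language; if setDefaultLang() resolves the value to a file or directory under the langs tree, dots and hyphens presumably still pass (including `..`), so the install page should reject anything not in the set of available language codes before calling `$langs->setDefaultLang($setuplang)`. This matters more here than elsewhere because install pages typically run before any authentication exists. The same line appears in the next file section with an `'auto'` fallback, and the same check applies there.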


@ -42,7 +42,7 @@ error_reporting(0);
@set_time_limit(120);
error_reporting($err);
$setuplang=GETPOST("selectlang", 'az09', 3)?GETPOST("selectlang", 'az09', 3):'auto';
$setuplang=GETPOST("selectlang", 'aZ09', 3)?GETPOST("selectlang", 'aZ09', 3):'auto';
$langs->setDefaultLang($setuplang);
$langs->loadLangs(array("admin","install","other"));


@ -988,7 +988,7 @@ if (! defined('NOLOGIN'))
}
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'az09').', massaction='.GETPOST('massaction', 'az09'));
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09'));
//Another call for easy debugg
//dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
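Review bot: the changed log line still concatenates `$_SERVER["PHP_SELF"]` unfiltered; on many server configurations it carries URL-decoded PATH_INFO, so a request such as `/index.php/%0aFAKE` could inject a line into the syslog output that the new `aZ09` filter on `action`/`massaction` otherwise prevents. Stripping control characters before logging, e.g. `preg_replace('/[\r\n]+/', ' ', $_SERVER["PHP_SELF"])`, would close that gap; whether dol_syslog already does this is not visible from the hunk. The commented-out debug line below dumps raw `$_GET`/`$_POST` and should stay disabled or be removed.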


@ -138,9 +138,9 @@ if ($action == 'create_ticket' && GETPOST('add', 'alpha')) {
$object->message = GETPOST("message", "none");
$object->origin_email = $origin_email;
$object->type_code = GETPOST("type_code", 'az09');
$object->category_code = GETPOST("category_code", 'az09');
$object->severity_code = GETPOST("severity_code", 'az09');
$object->type_code = GETPOST("type_code", 'aZ09');
$object->category_code = GETPOST("category_code", 'aZ09');
$object->severity_code = GETPOST("severity_code", 'aZ09');
if (is_array($searched_companies)) {
$object->fk_soc = $searched_companies[0]->id;
}
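Review bot: `$object->message = GETPOST("message", "none")` two lines above the changed codes is the free-text body of a ticket submitted from the public form and is stored with no filtering at all, which is a stored-XSS vector if the message is later rendered as HTML in the back office. If the form is meant to accept rich text, `GETPOST("message", "restricthtml")` keeps formatting while dropping scripts and event handlers; otherwise `'alphanohtml'` with escaping on output. Whether output escaping already happens where the ticket is displayed is not visible from this hunk, and the enclosing `if ($action == 'create_ticket' ...)` block continues past it.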


@ -570,9 +570,9 @@ if ($action == "change_property" && GETPOST('btn_update_ticket_prop', 'alpha') &
{
$object->fetch(GETPOST('id', 'int'), '', GETPOST('track_id', 'alpha'));
$object->type_code = GETPOST('update_value_type', 'az09');
$object->severity_code = GETPOST('update_value_severity', 'az09');
$object->category_code = GETPOST('update_value_category', 'az09');
$object->type_code = GETPOST('update_value_type', 'aZ09');
$object->severity_code = GETPOST('update_value_severity', 'aZ09');
$object->category_code = GETPOST('update_value_category', 'aZ09');
$ret = $object->update($user);
if ($ret > 0) {
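Review bot: the return value of `$object->fetch(GETPOST('id', 'int'), '', GETPOST('track_id', 'alpha'))` is not checked before the three codes are assigned and `$object->update($user)` runs, so a failed fetch (unknown id or a track_id that does not match) updates an object that was never loaded. Guard it, e.g. `if ($object->fetch(...) <= 0) { /* report $object->error and skip the update */ }`; Dolibarr fetch() methods conventionally return <= 0 on failure, but confirm for this class. The enclosing `if ($action == "change_property" ...)` block continues past the hunk.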


@ -54,7 +54,6 @@ $id = GETPOST('id', 'int');
$action = GETPOST('action', 'aZ09');
$mode = GETPOST('mode', 'alpha');
$confirm = GETPOST('confirm', 'alpha');
$subaction = GETPOST('subaction', 'alpha');
$group = GETPOST("group", "int", 3);
$cancel = GETPOST('cancel', 'alpha');
$contextpage= GETPOST('contextpage', 'aZ')?GETPOST('contextpage', 'aZ'):'useracard'; // To manage different context of search
@ -195,14 +194,14 @@ if (empty($reshook)) {
}
if (!$error) {
$object->lastname = GETPOST("lastname", 'alpha');
$object->firstname = GETPOST("firstname", 'alpha');
$object->login = GETPOST("login", 'alpha');
$object->api_key = GETPOST("api_key", 'alpha');
$object->gender = GETPOST("gender", 'alpha');
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
$object->lastname = GETPOST("lastname", 'alphanohtml');
$object->firstname = GETPOST("firstname", 'alphanohtml');
$object->login = GETPOST("login", 'alphanohtml');
$object->api_key = GETPOST("api_key", 'alphanohtml');
$object->gender = GETPOST("gender", 'aZ09');
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int'));
$object->birth = $birth;
$object->admin = GETPOST("admin", 'alpha');
$object->admin = GETPOST("admin", 'int');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
@ -217,7 +216,7 @@ if (empty($reshook)) {
$object->facebook = GETPOST("facebook", 'alphanohtml');
$object->linkedin = GETPOST("linkedin", 'alphanohtml');
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml'));
$object->job = GETPOST("job", 'nohtml');
$object->signature = GETPOST("signature", 'none');
$object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
@ -233,10 +232,10 @@ if (empty($reshook)) {
$object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : '';
$object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : '';
$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear'));
$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int'));
$object->dateemployment = $dateemployment;
$dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth'), GETPOST('dateemploymentendday'), GETPOST('dateemploymentendyear'));
$dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int'));
$object->dateemploymentend = $dateemploymentend;
$object->fk_warehouse = GETPOST('fk_warehouse', 'int');
@ -348,15 +347,15 @@ if (empty($reshook)) {
$db->begin();
$object->lastname = GETPOST("lastname", 'alpha');
$object->firstname = GETPOST("firstname", 'alpha');
$object->login = GETPOST("login", 'alpha');
$object->gender = GETPOST("gender", 'alpha');
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
$object->lastname = GETPOST("lastname", 'alphanohtml');
$object->firstname = GETPOST("firstname", 'alphanohtml');
$object->login = GETPOST("login", 'alphanohtml');
$object->gender = GETPOST("gender", 'aZ09');
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int'));
$object->birth = $birth;
$object->pass = GETPOST("password", 'none');
$object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
if (! empty($user->admin)) $object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
@ -365,15 +364,17 @@ if (empty($reshook)) {
$object->office_phone = GETPOST("office_phone", 'alphanohtml');
$object->office_fax = GETPOST("office_fax", 'alphanohtml');
$object->user_mobile = GETPOST("user_mobile", 'alphanohtml');
$object->skype = GETPOST("skype", 'alpha');
$object->twitter = GETPOST("twitter", 'alpha');
$object->facebook = GETPOST("facebook", 'alpha');
$object->linkedin = GETPOST("linkedin", 'alpha');
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
$object->skype = GETPOST("skype", 'alphanohtml');
$object->twitter = GETPOST("twitter", 'alphanohtml');
$object->facebook = GETPOST("facebook", 'alphanohtml');
$object->linkedin = GETPOST("linkedin", 'alphanohtml');
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml'));
$object->job = GETPOST("job", 'nohtml');
$object->signature = GETPOST("signature", 'none');
$object->accountancy_code = GETPOST("accountancy_code", 'alpha');
$object->openid = GETPOST("openid", 'alpha');
$object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
$object->openid = GETPOST("openid", 'alphanohtml');
$object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0;
$object->employee = GETPOST('employee', 'int');
@ -383,7 +384,7 @@ if (empty($reshook)) {
$object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : '';
$object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : '';
$object->color = GETPOST("color", 'alpha') != '' ? GETPOST("color", 'alpha') : '';
$object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : '';
$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int'));
$object->dateemployment = $dateemployment;
$dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int'));
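Review bot: on the create path `$object->admin = GETPOST("admin", 'int')` is assigned unconditionally, while the update path a few hunks below wraps the same assignment in `if (! empty($user->admin))` with a comment that a second test exists when the SQL is built; the new 'int' filter changes the type but not who may set the flag, so the create branch should carry the same guard, `if (! empty($user->admin)) $object->admin = GETPOST("admin", 'int');`, unless the later SQL-level test is confirmed to cover creation too. Separately, `$object->signature = GETPOST("signature", 'none')` in both branches stores raw HTML and is the remaining unfiltered text field in this file; `'restricthtml'` would keep formatting while dropping scripts if the signature is rendered as HTML. The surrounding `if (empty($reshook))` block starts and ends outside the hunks.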


@ -2073,7 +2073,7 @@ if (! GETPOST('hide_websitemenu'))
$formquestion = array(
array('type' => 'checkbox', 'name' => 'delete_also_js', 'label' => $langs->trans("DeleteAlsoJs"), 'value' => 0),
array('type' => 'checkbox', 'name' => 'delete_also_medias', 'label' => $langs->trans("DeleteAlsoMedias"), 'value' => 0),
//array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'az09')?GETPOST('newlang', 'az09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
//array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'aZ09')?GETPOST('newlang', 'aZ09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
//array('type' => 'other','name' => 'newwebsite','label' => $langs->trans("WebSite"), 'value' => $formwebsite->selectWebsite($object->id, 'newwebsite', 0))
);
@ -2088,7 +2088,7 @@ if (! GETPOST('hide_websitemenu'))
$formquestion = array(
array('type' => 'text', 'name' => 'siteref', 'label'=> $langs->trans("WebSite") ,'value'=> 'copy_of_'.$object->ref),
//array('type' => 'checkbox', 'name' => 'is_a_translation', 'label' => $langs->trans("SiteIsANewTranslation"), 'value' => 0),
//array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'az09')?GETPOST('newlang', 'az09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
//array('type' => 'other','name' => 'newlang','label' => $langs->trans("Language"), 'value' => $formadmin->select_language(GETPOST('newlang', 'aZ09')?GETPOST('newlang', 'aZ09'):$langs->defaultlang, 'newlang', 0, null, '', 0, 0, 'minwidth200')),
//array('type' => 'other','name' => 'newwebsite','label' => $langs->trans("WebSite"), 'value' => $formwebsite->selectWebsite($object->id, 'newwebsite', 0))
);
@ -2102,7 +2102,7 @@ if (! GETPOST('hide_websitemenu'))
// Confirmation to clone
if ($action == 'createpagefromclone') {
// Create an array for form
$preselectedlanguage = GETPOST('newlang', 'az09') ? GETPOST('newlang', 'az09') : ($objectpage->lang ? $objectpage->lang : $langs->defaultlang);
$preselectedlanguage = GETPOST('newlang', 'aZ09') ? GETPOST('newlang', 'aZ09') : ($objectpage->lang ? $objectpage->lang : $langs->defaultlang);
$formquestion = array(
array('type' => 'hidden', 'name' => 'sourcepageurl', 'value'=> $objectpage->pageurl),
array('type' => 'checkbox', 'tdclass'=>'maxwidth200', 'name' => 'is_a_translation', 'label' => $langs->trans("PageIsANewTranslation"), 'value' => 0),
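Review bot: two of the three changed lines in this file (`//array('type' => 'other','name' => 'newlang', ...)` in both confirmation forms) are commented-out code, so the sanitizer fix is being maintained in dead code that gives no protection and suggests to a reader that the check is live; either delete those lines or reinstate them. The live change to `$preselectedlanguage` is consistent with the rest of the commit, since a language code fits the `aZ09` alphabet.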