diff --git a/ChangeLog b/ChangeLog
index 3eb284ccc80..f48de97d970 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,47 @@ Following changes may create regression for some external modules, but were nece
html.formmargin.class.php
* Removed Societe::set_commnucation_level (was deprecated in 4.0). Was not used.
+***** ChangeLog for 5.0.2 compared to 5.0.1 *****
+FIX: #6468 + Fix missing translation
+FIX: #6517 #6525 Autocompletion of thirdparty after n chars not implemented
+FIX: #6613 Default subject for Supplier proposal emails is filled with a non-existing key
+FIX: #6614
+FIX: #6619 Template invoices list do not respect restricted thirdparty user rights
+FIX: #6621 Documents tab shows greyed out upload form even if the option to show actions not available is disabled
+FIX: #6623 User card shows "Return to list" link even if the user has no rights to list users
+FIX: #6636 Complete fix
+FIX: #6669 User with no permission to edit customer invoices can see a edit button in project entry
+FIX: #6671 Cannot remove thirdparty type with "#" in its name
+FIX: #6673 Missing "nature" table header in thirdparty list
+FIX: #6675 Restricted user with no agenda permissions can see a button to create appointment in thirdparty contact list
+FIX: #6679 User with restricted supplier invoice permissions can edit project, payment conditions, payment mode
+FIX: #6680 User with restricted supplier invoice permissions sees "reopen" button even if he has no permission to do it
+FIX: #6718 Bug: Discount amount is not locally formatted in CommonObject View
+FIX: #6767 serious critical error, no login possible with postgresql and ipv6.
+FIX: #6795 #6796
+FIX: Add option MAIN_MAIL_USE_MULTI_PART to include text content into HTML email and add option MAIN_MAIL_ADD_INLINE_IMAGES_IF_IN_MEDIAS to restore the inline images feature.
+FIX: ajax autocomplete on clone
+FIX: A non admin user can not download files attached to user.
+FIX: Can't download delivery receipts (function dol_check_secure_access_document)
+FIX: complete hourly rate when not defined into table of time spent
+FIX: dont get empty "Incoterms : - " string if no incoterm
+FIX: dont lose supplier ref if no supplier price in database
+FIX: Enter a direct bank transaction
+FIX: extrafield css for boolean type
+FIX: forgotten parameter for right multicompany use
+FIX: Found duplicate line when it is not.
+FIX: global $dateSelector isn't the good one, then date selector on objectline_create tpl was hidden
+FIX: Journal code of bank must be visible of accountaing module on.
+FIX: length_accounta return variable name
+FIX: limit+1 dosn't show Total line
+FIX: No filter on company when showing the link to elements.
+FIX: overwrapping of weight/volume on rouget template
+FIX: Several bugs in accounting module.
+FIX: shared bank account with multicompany not visible in invoice setup
+FIX: spaces not allowed into vat code
+FIX: supplier default condition not retrieved on create
+FIX: supplier order line were always created with rang = 0
+
***** ChangeLog for 5.0.1 compared to 5.0.0 *****
FIX: #6503: SQL error in "Last pending payment invoices"
FIX: #6505 Project elements page shows greyed-out links even if the option to show actions not available is disabled
diff --git a/build/makepack-dolibarr.pl b/build/makepack-dolibarr.pl
index b1282719cda..ff9e0878750 100755
--- a/build/makepack-dolibarr.pl
+++ b/build/makepack-dolibarr.pl
@@ -19,7 +19,7 @@ use Cwd;
# Change this to defined target for option 98 and 99
$PROJECT="dolibarr";
$PUBLISHSTABLE="eldy,dolibarr\@frs.sourceforge.net:/home/frs/project/dolibarr";
-$PUBLISHBETARC="ldestailleur\@asso.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
+$PUBLISHBETARC="ldestailleur\@vmprod.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
#@LISTETARGET=("TGZ","ZIP","RPM_GENERIC","RPM_FEDORA","RPM_MANDRIVA","RPM_OPENSUSE","DEB","APS","EXEDOLIWAMP","SNAPSHOT"); # Possible packages
@@ -509,7 +509,6 @@ if ($nboftargetok) {
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/documents`;
# Removed known external modules to avoid any error when packaging from env where external modules are tested
- #$ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \;`; # For custom we want to keep dir
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/allscreens*`;
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/ancotec*`;
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/cabinetmed*`;
@@ -572,6 +571,10 @@ if ($nboftargetok) {
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/fonts/utils`;
$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/tools`;
$ret=`rm -f $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/LICENSE.TXT`;
+
+ print "Remove subdir of custom dir\n";
+ print "find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\;\n";
+ $ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\; >/dev/null 2>&1`; # For custom we want to keep dir
}
# Build package for each target
diff --git a/build/rpm/dolibarr_fedora.spec b/build/rpm/dolibarr_fedora.spec
index e65e6bc3b7d..083c4eb8f14 100755
--- a/build/rpm/dolibarr_fedora.spec
+++ b/build/rpm/dolibarr_fedora.spec
@@ -173,6 +173,7 @@ done >>%{name}.lang
%_datadir/dolibarr/htdocs/contrat
%_datadir/dolibarr/htdocs/core
%_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
%_datadir/dolibarr/htdocs/don
%_datadir/dolibarr/htdocs/ecm
%_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_generic.spec b/build/rpm/dolibarr_generic.spec
index 655ef87f925..b40a203a71f 100755
--- a/build/rpm/dolibarr_generic.spec
+++ b/build/rpm/dolibarr_generic.spec
@@ -253,6 +253,7 @@ done >>%{name}.lang
%_datadir/dolibarr/htdocs/contrat
%_datadir/dolibarr/htdocs/core
%_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
%_datadir/dolibarr/htdocs/don
%_datadir/dolibarr/htdocs/ecm
%_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_mandriva.spec b/build/rpm/dolibarr_mandriva.spec
index 55fb7183734..fa3e39f8693 100755
--- a/build/rpm/dolibarr_mandriva.spec
+++ b/build/rpm/dolibarr_mandriva.spec
@@ -170,6 +170,7 @@ done >>%{name}.lang
%_datadir/dolibarr/htdocs/contrat
%_datadir/dolibarr/htdocs/core
%_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
%_datadir/dolibarr/htdocs/don
%_datadir/dolibarr/htdocs/ecm
%_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_opensuse.spec b/build/rpm/dolibarr_opensuse.spec
index f7e29927ebb..b2f8cf6ede1 100755
--- a/build/rpm/dolibarr_opensuse.spec
+++ b/build/rpm/dolibarr_opensuse.spec
@@ -181,6 +181,7 @@ done >>%{name}.lang
%_datadir/dolibarr/htdocs/contrat
%_datadir/dolibarr/htdocs/core
%_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
%_datadir/dolibarr/htdocs/don
%_datadir/dolibarr/htdocs/ecm
%_datadir/dolibarr/htdocs/expedition
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index e3aad3c4ccc..7a6013b9b78 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@@ -57,7 +57,7 @@ $type=GETPOST("type");
$search_email=GETPOST("search_email");
$search_categ = GETPOST("search_categ",'int');
$catid = GETPOST("catid",'int');
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$optioncss = GETPOST('optioncss','alpha');
if ($statut < -1) $statut = '';
diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php
index 99af5749963..8a9c01787d1 100644
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@@ -41,8 +41,8 @@ $pagenext = $page + 1;
if (! $sortorder) $sortorder="DESC";
if (! $sortfield) $sortfield="m.date_creat";
-$sall=GETPOST("sall","alpha");
-$sref=GETPOST("sref","alpha");
+$sall=GETPOST('sall', 'alphanohtml');
+$sref=GETPOST("sref", "alpha");
$filteremail=GETPOST('filteremail','alpha');
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index ce6d6e2bc72..f52641dc63a 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut');
$optioncss = GETPOST('optioncss','alpha');
$object_statut=GETPOST('propal_statut');
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
$day=GETPOST("day","int");
diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php
index 4185518b721..c88b3d552c1 100644
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@@ -66,7 +66,7 @@ $search_zip=GETPOST('search_zip','alpha');
$search_state=trim(GETPOST("search_state"));
$search_country=GETPOST("search_country",'int');
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
$socid=GETPOST('socid','int');
$search_user=GETPOST('search_user','int');
$search_sale=GETPOST('search_sale','int');
diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php
index c6b93cb8f0f..b05b6658ca7 100644
--- a/htdocs/commande/orderstoinvoice.php
+++ b/htdocs/commande/orderstoinvoice.php
@@ -52,7 +52,7 @@ $action = GETPOST('action','alpha');
$confirm = GETPOST('confirm','alpha');
$sref = GETPOST('sref');
$sref_client = GETPOST('sref_client');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
$socid = GETPOST('socid','int');
$selected = GETPOST('orders_to_invoice');
$sortfield = GETPOST("sortfield",'alpha');
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 562455e9e5a..8946dc84bd4 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -53,7 +53,7 @@ $langs->load('bills');
$langs->load('companies');
$langs->load('products');
-$sall=trim(GETPOST('sall'));
+$sall=trim(GETPOST('sall', 'alphanohtml'));
$projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);
$id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int')); // For backward compatibility
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index ef26c9c80e2..929dbdc91e8 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -42,7 +42,7 @@ $ref = ''; // There is no ref for contacts
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'contact', $contactid,'');
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$search_firstlast_only=GETPOST("search_firstlast_only");
$search_lastname=GETPOST("search_lastname");
$search_firstname=GETPOST("search_firstname");
diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php
index be1b2e5fccf..3bf4a45bb10 100644
--- a/htdocs/contrat/list.php
+++ b/htdocs/contrat/list.php
@@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int');
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
$search_contract=GETPOST('search_contract');
$search_ref_supplier=GETPOST('search_ref_supplier','alpha');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
$search_status=GETPOST('search_status');
$socid=GETPOST('socid');
$search_user=GETPOST('search_user','int');
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 6a503b40975..6b92265aac9 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1461,9 +1461,9 @@ class Form
{
if (! empty($conf->multicompany->transverse_mode))
{
- $sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug";
- $sql.= " WHERE ug.fk_user = u.rowid";
- $sql.= " AND ug.entity = ".$conf->entity;
+ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ug";
+ $sql.= " ON ug.fk_user = u.rowid";
+ $sql.= " WHERE ug.entity = ".$conf->entity;
}
else
{
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 8dbc705c5b2..d7905b581fd 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -386,9 +386,17 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
if (! is_array($out) || empty($out)) $out=array();
break;
case 'nohtml':
- $out=dol_string_nohtmltag($out);
+ $out=dol_string_nohtmltag($out);
break;
- case 'custom':
+ case 'alphanohtml': // Recommended for search params
+ $out=trim($out);
+ // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+ // '../' is dangerous because it allows dir transversals
+ if (preg_match('/"/',$out)) $out='';
+ else if (preg_match('/\.\.\//',$out)) $out='';
+ $out=dol_string_nohtmltag($out);
+ break;
+ case 'custom':
if (empty($filter)) return 'BadFourthParameterForGETPOST';
$out=filter_var($out, $filter, $options);
break;
diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php
index da9e38e6dae..808e4f0ef09 100644
--- a/htdocs/core/lib/geturl.lib.php
+++ b/htdocs/core/lib/geturl.lib.php
@@ -59,9 +59,11 @@ function getURLContent($url,$postorget='GET',$param='',$followlocation=1,$addhea
if (count($addheaders)) curl_setopt($ch, CURLOPT_HTTPHEADER, $addheaders);
curl_setopt($ch, CURLINFO_HEADER_OUT, true); // To be able to retrieve request header and log it
- // TLSv1 by default or change to TLSv1.2 in module configuration
- //curl_setopt($ch, CURLOPT_SSLVERSION, (empty($conf->global->MAIN_CURL_SSLVERSION)?1:$conf->global->MAIN_CURL_SSLVERSION));
-
+ // By default use tls decied by PHP.
+ // You can force, if supported a version like TLSv1 or TLSv1.2
+ if (! empty($conf->global->MAIN_CURL_SSLVERSION)) curl_setopt($ch, CURLOPT_SSLVERSION, $conf->global->MAIN_CURL_SSLVERSION);
+ //curl_setopt($ch, CURLOPT_SSLVERSION, 6); for tls 1.2
+
//turning off the server and peer verification(TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
diff --git a/htdocs/don/list.php b/htdocs/don/list.php
index 1e08cbae121..d271ea3e894 100644
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC";
if (! $sortfield) $sortfield="d.datedon";
$statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
-$search_all=GETPOST('sall','alpha');
+$search_all=GETPOST('sall', 'alphanohtml');
$search_ref=GETPOST('search_ref','alpha');
$search_company=GETPOST('search_company','alpha');
$search_name=GETPOST('search_name','alpha');
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php
index b9ecc9e089c..bff7991fdeb 100644
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
@@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha');
$search_state=trim(GETPOST("search_state"));
$search_country=GETPOST("search_country",'int');
$search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
$optioncss = GETPOST('optioncss','alpha');
$limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index 7f7b633577e..e9712816b34 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC";
if (!$sortfield) $sortfield="d.date_debut";
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
$search_ref = GETPOST('search_ref');
$search_user = GETPOST('search_user','int');
$search_amount_ht = GETPOST('search_amount_ht','alpha');
diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php
index 07ca1a02e9f..3b6f1be10ff 100644
--- a/htdocs/fichinter/list.php
+++ b/htdocs/fichinter/list.php
@@ -75,6 +75,13 @@ if (! $sortfield)
// Initialize technical object to manage context to save list fields
$contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'interventionlist';
+$sall=GETPOST('sall', 'alphanohtml');
+$search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_inter','alpha');
+$search_company=GETPOST('search_company','alpha');
+$search_desc=GETPOST('search_desc','alpha');
+$search_status=GETPOST('search_status');
+$optioncss = GETPOST('optioncss','alpha');
+
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
$hookmanager->initHooks(array($contextpage));
$extrafields = new ExtraFields($db);
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 958ac64573c..c7268680f19 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
// This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
// when we post forms (we allow GET to allow direct link to access a particular page).
// Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
- && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
- && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
{
- //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
- print "Access refused by CSRF protection in main.inc.php.\n";
- print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
- die;
+ if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
+ && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+ {
+ //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+ print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
+ print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+ die;
+ }
+ // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
}
if (empty($dolibarr_main_db_host))
{
diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php
index 8af15b92bc2..80a98cc5886 100644
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@@ -60,6 +60,8 @@ $orderday=GETPOST("orderday","int");
$deliveryyear=GETPOST("deliveryyear","int");
$deliverymonth=GETPOST("deliverymonth","int");
$deliveryday=GETPOST("deliveryday","int");
+
+$sall=GETPOST('search_all', 'alphanohtml');
$search_product_category=GETPOST('search_product_category','int');
$search_ref=GETPOST('search_ref');
$search_refsupp=GETPOST('search_refsupp');
@@ -75,7 +77,6 @@ $search_ht=GETPOST('search_ht');
$search_ttc=GETPOST('search_ttc');
$search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); // alpha and not intbecause it can be '6,7'
$optioncss = GETPOST('optioncss','alpha');
-$sall=GETPOST('search_all');
$socid = GETPOST('socid','int');
$search_sale=GETPOST('search_sale','int');
$search_total_ht=GETPOST('search_total_ht','alpha');
diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php
index f804a1d9ab7..32f1a5538b5 100644
--- a/htdocs/fourn/commande/orderstoinvoice.php
+++ b/htdocs/fourn/commande/orderstoinvoice.php
@@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha');
$confirm = GETPOST('confirm', 'alpha');
$sref = GETPOST('sref');
$sref_client = GETPOST('sref_client');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
$socid = GETPOST('socid', 'int');
$selected = GETPOST('orders_to_invoice');
$sortfield = GETPOST("sortfield", 'alpha');
diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php
index ab56a66d8a7..6926770bd91 100644
--- a/htdocs/fourn/facture/document.php
+++ b/htdocs/fourn/facture/document.php
@@ -93,7 +93,7 @@ if ($object->id > 0)
$totalpaye = $object->getSommePaiement();
- $linkback = '' . $langs->trans("BackToList") . '';
+ $linkback = '' . $langs->trans("BackToList") . '';
$morehtmlref='';
// Ref supplier
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index ef0c0e6c6f6..6ff901521c6 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -97,7 +97,7 @@ $toselect = GETPOST('toselect', 'array');
$option = GETPOST('option');
if ($option == 'late') $filter = 'paye:0';
-$search_all = GETPOST('sall');
+$search_all = GETPOST('sall', 'alphanohtml');
$search_label = GETPOST("search_label","alpha");
$search_company = GETPOST("search_company","alpha");
$search_amount_no_tax = GETPOST("search_amount_no_tax","alpha");
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index d35fa9293c3..ab8a89670ae 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -55,7 +55,7 @@ $pagenext = $page + 1;
$id = GETPOST('id','int');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
$search_ref = GETPOST('search_ref');
$month_create = GETPOST('month_create');
$year_create = GETPOST('year_create');
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 11dccf47ade..fe899012983 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V
// Creation of a token against CSRF vulnerabilities
if (! defined('NOTOKENRENEWAL'))
{
- $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
// roulement des jetons car cree a chaque appel
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
+
+ // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
+ $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
}
if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes)
{
- if ($_SERVER['REQUEST_METHOD'] === 'POST')
+ if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET
{
- if (GETPOST('token') != $_SESSION['token'])
+ print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
+ print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+ die;
+ }
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token'].
+ {
+ if (GETPOST('token', 'alpha') != $_SESSION['token'])
{
dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
diff --git a/htdocs/product/canvas/product/actions_card_product.class.php b/htdocs/product/canvas/product/actions_card_product.class.php
index 06803e8239d..8db1ae21469 100644
--- a/htdocs/product/canvas/product/actions_card_product.class.php
+++ b/htdocs/product/canvas/product/actions_card_product.class.php
@@ -326,7 +326,7 @@ class ActionsCardProduct
$this->list_datas = array();
// Clean parameters
- $sall=trim(GETPOST("sall"));
+ $sall=trim(GETPOST('sall', 'alphanohtml'));
foreach($this->field_list as $field)
{
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 10d819738ca..b779d4b7bfa 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -51,11 +51,10 @@ $show_files=GETPOST('show_files','int');
$confirm=GETPOST('confirm','alpha');
$toselect = GETPOST('toselect', 'array');
+$sall=GETPOST('sall', 'alphanohtml');
$sref=GETPOST("sref");
$sbarcode=GETPOST("sbarcode");
$snom=GETPOST("snom");
-$sall=GETPOST("sall");
-$type= (int) GETPOST("type","int");
$search_sale = GETPOST("search_sale");
$search_categ = GETPOST("search_categ",'int');
$tosell = GETPOST("tosell", 'int');
@@ -66,6 +65,7 @@ $search_tobatch = GETPOST("search_tobatch",'int');
$search_accountancy_code_sell = GETPOST("search_accountancy_code_sell",'alpha');
$search_accountancy_code_buy = GETPOST("search_accountancy_code_buy",'alpha');
$optioncss = GETPOST('optioncss','alpha');
+$type= (int) GETPOST("type","int");
//Show/hide child products. Hidden by default
if (!$_POST) {
diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php
index 8e3d1aa1985..ca335558899 100644
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service');
$action=GETPOST('action','alpha');
$sref=GETPOST("sref");
$snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$type=GETPOST("type","int");
$sbarcode=GETPOST("sbarcode");
$catid=GETPOST('catid','int');
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index af1c6f2ec15..183242c3c52 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service');
$action=GETPOST('action','alpha');
$sref=GETPOST("sref");
$snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$type=GETPOST("type","int");
$sbarcode=GETPOST("sbarcode",'alpha');
$search_warehouse=GETPOST('search_warehouse','alpha');
diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php
index f1c625308e7..78b5b612da1 100644
--- a/htdocs/product/stock/list.php
+++ b/htdocs/product/stock/list.php
@@ -32,9 +32,9 @@ $langs->load("stocks");
// Security check
$result=restrictedArea($user,'stock');
+$sall=GETPOST('sall', 'alphanohtml');
$search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha");
$search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha");
-$sall=GETPOST("sall","alpha");
$search_status=GETPOST("search_status","int");
$limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit;
diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php
index 2de8bbb19b7..fabfe736683 100644
--- a/htdocs/product/stock/replenish.php
+++ b/htdocs/product/stock/replenish.php
@@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service');
$action = GETPOST('action','alpha');
$sref = GETPOST('sref', 'alpha');
$snom = GETPOST('snom', 'alpha');
-$sall = GETPOST('sall', 'alpha');
+$sall = GETPOST('sall', 'alphanohtml');
$type = GETPOST('type','int');
$tobuy = GETPOST('tobuy', 'int');
$salert = GETPOST('salert', 'alpha');
diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php
index 607e28165ed..8967fd672d6 100644
--- a/htdocs/product/stock/replenishorders.php
+++ b/htdocs/product/stock/replenishorders.php
@@ -39,11 +39,11 @@ $langs->load("orders");
if ($user->societe_id) $socid=$user->societe_id;
$result=restrictedArea($user,'produit|service');
+$sall = GETPOST('search_all', 'alphanohtml');
$sref = GETPOST('search_ref', 'alpha');
$snom = GETPOST('search_nom', 'alpha');
$suser = GETPOST('search_user', 'alpha');
$sttc = GETPOST('search_ttc', 'alpha');
-$sall = GETPOST('search_all', 'alpha');
$sdate = GETPOST('search_date', 'alpha');
$page = GETPOST('page', 'int');
$sproduct = GETPOST('sproduct', 'int');
diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php
index a523e2c66fc..0c71eb6ad18 100644
--- a/htdocs/product/stock/valo.php
+++ b/htdocs/product/stock/valo.php
@@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock');
$sref=GETPOST("sref");
$snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$sortfield = GETPOST("sortfield");
$sortorder = GETPOST("sortorder");
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index 3310b6d8cf7..e5cab88609a 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -67,13 +67,12 @@ $offset = $limit * $page ;
$pageprev = $page - 1;
$pagenext = $page + 1;
-$search_all=GETPOST("search_all");
+$search_all=GETPOST('search_all', 'alphanohtml');
$search_categ=GETPOST("search_categ",'alpha');
$search_ref=GETPOST("search_ref");
$search_label=GETPOST("search_label");
$search_societe=GETPOST("search_societe");
$search_year=GETPOST("search_year");
-$search_all=GETPOST("search_all");
$search_status=GETPOST("search_status",'int');
$search_opp_status=GETPOST("search_opp_status",'alpha');
$search_opp_percent=GETPOST("search_opp_percent",'alpha');
diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php
index 59c6d1e6afa..9450a2620ed 100644
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@@ -40,7 +40,7 @@ $toselect = GETPOST('toselect', 'array');
$id=GETPOST('id','int');
-$search_all=GETPOST('search_all');
+$search_all=GETPOST('search_all', 'alphanohtml');
$search_categ=GETPOST("search_categ",'alpha');
$search_project=GETPOST('search_project');
if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus']))
diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php
index ef162beb750..7693da9d818 100644
--- a/htdocs/societe/list.php
+++ b/htdocs/societe/list.php
@@ -48,7 +48,7 @@ $socid = GETPOST('socid','int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user,'societe',$socid,'');
-$search_all=trim(GETPOST("sall"));
+$search_all=trim(GETPOST('sall', 'alphanohtml'));
$search_nom=trim(GETPOST("search_nom"));
$search_nom_only=trim(GETPOST("search_nom_only"));
$search_barcode=trim(GETPOST("sbarcode"));
diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php
index c0e9611e6b6..efd0ae16647 100644
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha');
$search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int');
$object_statut=$db->escape(GETPOST('supplier_proposal_statut'));
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
$mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
$year=GETPOST("year");
$month=GETPOST("month");
diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php
index 539c1f2be23..6956a1ad5eb 100644
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
$langs->load("users");
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
$search_group=GETPOST('search_group');
$optioncss = GETPOST('optioncss','alpha');
diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php
index 734b1aa0d14..ef5380e9678 100644
--- a/htdocs/user/hierarchy.php
+++ b/htdocs/user/hierarchy.php
@@ -39,7 +39,7 @@ $socid=0;
if ($user->societe_id > 0)
$socid = $user->societe_id;
-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
$search_user=GETPOST('search_user','alpha');
$userstatic=new User($db);
diff --git a/htdocs/user/index.php b/htdocs/user/index.php
index c3a32ae02fc..9592eed863f 100644
--- a/htdocs/user/index.php
+++ b/htdocs/user/index.php
@@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab
}
// Init search fields
-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
$search_user=GETPOST('search_user','alpha');
$search_login=GETPOST('search_login','alpha');
$search_lastname=GETPOST('search_lastname','alpha');