From 86338d1781f812ebae2d584330fdd9e33cdef831 Mon Sep 17 00:00:00 2001 From: florian HENRY Date: Mon, 24 Apr 2017 09:03:25 +0200 Subject: [PATCH 01/10] FIX : #6747 --- htdocs/core/class/html.form.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 0b5778a512a..7f10fca51f8 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1435,8 +1435,8 @@ class Form { if (! empty($conf->multicompany->transverse_mode)) { - $sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug"; - $sql.= " WHERE ug.fk_user = u.rowid"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ug"; + $sql.= " ON ug.fk_user = u.rowid"; $sql.= " AND ug.entity = ".$conf->entity; } else From b8d63ae6c0c927326cd31e37c0b85f7d73070c1e Mon Sep 17 00:00:00 2001 From: florian HENRY Date: Thu, 4 May 2017 14:04:30 +0200 Subject: [PATCH 02/10] Better fix --- htdocs/core/class/html.form.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 7f10fca51f8..3687a070dbb 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1437,7 +1437,7 @@ class Form { $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ug"; $sql.= " ON ug.fk_user = u.rowid"; - $sql.= " AND ug.entity = ".$conf->entity; + $sql.= " WHERE ug.entity = ".$conf->entity; } else { From a7e9dc1ce4b1545bc755746217b50e454e6dbcd3 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 6 May 2017 13:06:33 +0200 Subject: [PATCH 03/10] Prepare 5.0.2 --- ChangeLog | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/ChangeLog b/ChangeLog index c9ac46b0f2a..3d4c5a29595 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,48 @@ English Dolibarr ChangeLog -------------------------------------------------------------- + +***** ChangeLog for 5.0.2 compared to 5.0.1 ***** +FIX: #6468 + Fix missing translation +FIX: #6517 #6525 Autocompletion of thirdparty after n chars not implemented +FIX: #6613 Default subject for Supplier proposal emails is filled with a non-existing key +FIX: #6614 +FIX: #6619 Template invoices list do not respect restricted thirdparty user rights +FIX: #6621 Documents tab shows greyed out upload form even if the option to show actions not available is disabled +FIX: #6623 User card shows "Return to list" link even if the user has no rights to list users +FIX: #6636 Complete fix +FIX: #6669 User with no permission to edit customer invoices can see a edit button in project entry +FIX: #6671 Cannot remove thirdparty type with "#" in its name +FIX: #6673 Missing "nature" table header in thirdparty list +FIX: #6675 Restricted user with no agenda permissions can see a button to create appointment in thirdparty contact list +FIX: #6679 User with restricted supplier invoice permissions can edit project, payment conditions, payment mode +FIX: #6680 User with restricted supplier invoice permissions sees "reopen" button even if he has no permission to do it +FIX: #6718 Bug: Discount amount is not locally formatted in CommonObject View +FIX: #6767 serious critical error, no login possible with postgresql and ipv6. +FIX: #6795 #6796 +FIX: Add option MAIN_MAIL_USE_MULTI_PART to include text content into HTML email and add option MAIN_MAIL_ADD_INLINE_IMAGES_IF_IN_MEDIAS to restore the inline images feature. +FIX: ajax autocomplete on clone +FIX: A non admin user can not download files attached to user. +FIX: Can't download delivery receipts (function dol_check_secure_access_document) +FIX: complete hourly rate when not defined into table of time spent +FIX: dont get empty "Incoterms : - " string if no incoterm +FIX: dont lose supplier ref if no supplier price in database +FIX: Enter a direct bank transaction +FIX: extrafield css for boolean type +FIX: forgotten parameter for right multicompany use +FIX: Found duplicate line when it is not. +FIX: global $dateSelector isn't the good one, then date selector on objectline_create tpl was hidden +FIX: Journal code of bank must be visible of accountaing module on. +FIX: length_accounta return variable name +FIX: limit+1 dosn't show Total line +FIX: No filter on company when showing the link to elements. +FIX: overwrapping of weight/volume on rouget template +FIX: Several bugs in accounting module. +FIX: shared bank account with multicompany not visible in invoice setup +FIX: spaces not allowed into vat code +FIX: supplier default condition not retrieved on create +FIX: supplier order line were always created with rang = 0 + ***** ChangeLog for 5.0.1 compared to 5.0.0 ***** FIX: #6503: SQL error in "Last pending payment invoices" FIX: #6505 Project elements page shows greyed-out links even if the option to show actions not available is disabled From c4475ca9462c56eb412592afcbe859dee5e99f57 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 6 May 2017 14:56:16 +0200 Subject: [PATCH 04/10] Add a protection to avoid to take modules into custom dir. --- build/makepack-dolibarr.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build/makepack-dolibarr.pl b/build/makepack-dolibarr.pl index f465cf51234..061e2a18557 100755 --- a/build/makepack-dolibarr.pl +++ b/build/makepack-dolibarr.pl @@ -509,7 +509,6 @@ if ($nboftargetok) { $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/documents`; # Removed known external modules to avoid any error when packaging from env where external modules are tested - #$ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \;`; # For custom we want to keep dir $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/allscreens*`; $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/ancotec*`; $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/cabinetmed*`; @@ -575,6 +574,10 @@ if ($nboftargetok) { $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/tools`; $ret=`rm -f $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/LICENSE.TXT`; $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/savant`; + + print "Remove subdir of custom dir\n"; + print "find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\;\n"; + $ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\; >/dev/null 2>&1`; # For custom we want to keep dir } # Build package for each target From 880e2d0f72b951c7d64d1f6d70dd6777b554e818 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 6 May 2017 15:05:24 +0200 Subject: [PATCH 05/10] Fix packaging 5.0.2 --- build/rpm/dolibarr_fedora.spec | 1 + build/rpm/dolibarr_generic.spec | 1 + build/rpm/dolibarr_mandriva.spec | 1 + build/rpm/dolibarr_opensuse.spec | 1 + 4 files changed, 4 insertions(+) diff --git a/build/rpm/dolibarr_fedora.spec b/build/rpm/dolibarr_fedora.spec index e65e6bc3b7d..083c4eb8f14 100755 --- a/build/rpm/dolibarr_fedora.spec +++ b/build/rpm/dolibarr_fedora.spec @@ -173,6 +173,7 @@ done >>%{name}.lang %_datadir/dolibarr/htdocs/contrat %_datadir/dolibarr/htdocs/core %_datadir/dolibarr/htdocs/cron +%_datadir/dolibarr/htdocs/custom %_datadir/dolibarr/htdocs/don %_datadir/dolibarr/htdocs/ecm %_datadir/dolibarr/htdocs/expedition diff --git a/build/rpm/dolibarr_generic.spec b/build/rpm/dolibarr_generic.spec index 655ef87f925..b40a203a71f 100755 --- a/build/rpm/dolibarr_generic.spec +++ b/build/rpm/dolibarr_generic.spec @@ -253,6 +253,7 @@ done >>%{name}.lang %_datadir/dolibarr/htdocs/contrat %_datadir/dolibarr/htdocs/core %_datadir/dolibarr/htdocs/cron +%_datadir/dolibarr/htdocs/custom %_datadir/dolibarr/htdocs/don %_datadir/dolibarr/htdocs/ecm %_datadir/dolibarr/htdocs/expedition diff --git a/build/rpm/dolibarr_mandriva.spec b/build/rpm/dolibarr_mandriva.spec index 55fb7183734..fa3e39f8693 100755 --- a/build/rpm/dolibarr_mandriva.spec +++ b/build/rpm/dolibarr_mandriva.spec @@ -170,6 +170,7 @@ done >>%{name}.lang %_datadir/dolibarr/htdocs/contrat %_datadir/dolibarr/htdocs/core %_datadir/dolibarr/htdocs/cron +%_datadir/dolibarr/htdocs/custom %_datadir/dolibarr/htdocs/don %_datadir/dolibarr/htdocs/ecm %_datadir/dolibarr/htdocs/expedition diff --git a/build/rpm/dolibarr_opensuse.spec b/build/rpm/dolibarr_opensuse.spec index f7e29927ebb..b2f8cf6ede1 100755 --- a/build/rpm/dolibarr_opensuse.spec +++ b/build/rpm/dolibarr_opensuse.spec @@ -181,6 +181,7 @@ done >>%{name}.lang %_datadir/dolibarr/htdocs/contrat %_datadir/dolibarr/htdocs/core %_datadir/dolibarr/htdocs/cron +%_datadir/dolibarr/htdocs/custom %_datadir/dolibarr/htdocs/don %_datadir/dolibarr/htdocs/ecm %_datadir/dolibarr/htdocs/expedition From ab8dcbd3665fc8b4f182799dc9f7e5d47169a2fd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 6 May 2017 16:36:05 +0200 Subject: [PATCH 06/10] Use virtual name --- build/makepack-dolibarr.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/makepack-dolibarr.pl b/build/makepack-dolibarr.pl index 061e2a18557..6959ae67623 100755 --- a/build/makepack-dolibarr.pl +++ b/build/makepack-dolibarr.pl @@ -19,7 +19,7 @@ use Cwd; # Change this to defined target for option 98 and 99 $PROJECT="dolibarr"; $PUBLISHSTABLE="eldy,dolibarr\@frs.sourceforge.net:/home/frs/project/dolibarr"; -$PUBLISHBETARC="ldestailleur\@asso.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files"; +$PUBLISHBETARC="ldestailleur\@vmprod.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files"; #@LISTETARGET=("TGZ","ZIP","RPM_GENERIC","RPM_FEDORA","RPM_MANDRIVA","RPM_OPENSUSE","DEB","APS","EXEDOLIWAMP","SNAPSHOT"); # Possible packages From fd6518182beb1b7fbd627f3c7d567207b2fd4730 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 8 May 2017 12:08:43 +0200 Subject: [PATCH 07/10] Fix can force tls version --- htdocs/core/lib/geturl.lib.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php index da9e38e6dae..808e4f0ef09 100644 --- a/htdocs/core/lib/geturl.lib.php +++ b/htdocs/core/lib/geturl.lib.php @@ -59,9 +59,11 @@ function getURLContent($url,$postorget='GET',$param='',$followlocation=1,$addhea if (count($addheaders)) curl_setopt($ch, CURLOPT_HTTPHEADER, $addheaders); curl_setopt($ch, CURLINFO_HEADER_OUT, true); // To be able to retrieve request header and log it - // TLSv1 by default or change to TLSv1.2 in module configuration - //curl_setopt($ch, CURLOPT_SSLVERSION, (empty($conf->global->MAIN_CURL_SSLVERSION)?1:$conf->global->MAIN_CURL_SSLVERSION)); - + // By default use tls decied by PHP. + // You can force, if supported a version like TLSv1 or TLSv1.2 + if (! empty($conf->global->MAIN_CURL_SSLVERSION)) curl_setopt($ch, CURLOPT_SSLVERSION, $conf->global->MAIN_CURL_SSLVERSION); + //curl_setopt($ch, CURLOPT_SSLVERSION, 6); for tls 1.2 + //turning off the server and peer verification(TrustManager Concept). curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); From d7d212bbe19ecc4fde6eccebe020abdd72186664 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 8 May 2017 12:31:37 +0200 Subject: [PATCH 08/10] Fix bad link to list --- htdocs/fourn/facture/document.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php index 52c44fc67b0..e68604fe092 100644 --- a/htdocs/fourn/facture/document.php +++ b/htdocs/fourn/facture/document.php @@ -93,7 +93,7 @@ if ($object->id > 0) $totalpaye = $object->getSommePaiement(); - $linkback = '' . $langs->trans("BackToList") . ''; + $linkback = '' . $langs->trans("BackToList") . ''; $morehtmlref='
'; // Ref supplier From 667e3c28764176781785e93caaebe086c3780b1a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 9 May 2017 19:26:28 +0200 Subject: [PATCH 09/10] Add another security sanitizing option --- htdocs/core/lib/functions.lib.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 8d14a377c75..e0c9d520eef 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -308,9 +308,17 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) if (! is_array($out) || empty($out)) $out=array(); break; case 'nohtml': - $out=dol_string_nohtmltag($out); + $out=dol_string_nohtmltag($out); break; - case 'custom': + case 'alphanohtml': // Recommended for search params + $out=trim($out); + // '"' is dangerous because param in url can close the href= or src= and add javascript functions. + // '../' is dangerous because it allows dir transversals + if (preg_match('/"/',$out)) $out=''; + else if (preg_match('/\.\.\//',$out)) $out=''; + $out=dol_string_nohtmltag($out); + break; + case 'custom': if (empty($filter)) return 'BadFourthParameterForGETPOST'; $out=filter_var($out, $filter, $options); break; From 6d01bd712db021a03a8bd78a461e63c26fa63e44 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 9 May 2017 19:36:10 +0200 Subject: [PATCH 10/10] FIX Better sanitizing of search all parameter. --- htdocs/adherents/list.php | 2 +- htdocs/comm/mailing/list.php | 4 ++-- htdocs/comm/propal/list.php | 2 +- htdocs/commande/list.php | 2 +- htdocs/commande/orderstoinvoice.php | 2 +- htdocs/compta/facture/list.php | 2 +- htdocs/contact/list.php | 2 +- htdocs/contrat/list.php | 2 +- htdocs/don/list.php | 2 +- htdocs/expedition/list.php | 2 +- htdocs/expensereport/list.php | 2 +- htdocs/fichinter/list.php | 2 +- htdocs/filefunc.inc.php | 17 ++++++++++------- htdocs/fourn/commande/list.php | 3 ++- htdocs/fourn/commande/orderstoinvoice.php | 2 +- htdocs/fourn/facture/list.php | 2 +- htdocs/holiday/list.php | 2 +- htdocs/main.inc.php | 14 +++++++++++--- .../product/actions_card_product.class.php | 2 +- htdocs/product/list.php | 2 +- htdocs/product/reassort.php | 2 +- htdocs/product/reassortlot.php | 2 +- htdocs/product/stock/list.php | 2 +- htdocs/product/stock/replenish.php | 2 +- htdocs/product/stock/replenishorders.php | 2 +- htdocs/product/stock/valo.php | 2 +- htdocs/projet/list.php | 3 +-- htdocs/projet/tasks/list.php | 2 +- htdocs/societe/list.php | 2 +- htdocs/supplier_proposal/list.php | 2 +- htdocs/user/group/index.php | 2 +- htdocs/user/hierarchy.php | 2 +- htdocs/user/index.php | 2 +- 33 files changed, 54 insertions(+), 43 deletions(-) diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 28cd8773d53..4eda43dcca5 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -57,7 +57,7 @@ $type=GETPOST("type"); $search_email=GETPOST("search_email"); $search_categ = GETPOST("search_categ",'int'); $catid = GETPOST("catid",'int'); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); if ($statut < -1) $statut = ''; diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php index 2d6fae37b98..7346c0045f5 100644 --- a/htdocs/comm/mailing/list.php +++ b/htdocs/comm/mailing/list.php @@ -41,8 +41,8 @@ $pagenext = $page + 1; if (! $sortorder) $sortorder="DESC"; if (! $sortfield) $sortfield="m.date_creat"; -$sall=GETPOST("sall","alpha"); -$sref=GETPOST("sref","alpha"); +$sall=GETPOST('sall', 'alphanohtml'); +$sref=GETPOST("sref", "alpha"); $filteremail=GETPOST('filteremail','alpha'); // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 44a2b9356e8..d85448397de 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut'); $optioncss = GETPOST('optioncss','alpha'); $object_statut=GETPOST('propal_statut'); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg")); $day=GETPOST("day","int"); diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 073a20bc391..80601ec9727 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -71,7 +71,7 @@ $search_zip=GETPOST('search_zip','alpha'); $search_state=trim(GETPOST("search_state")); $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $socid=GETPOST('socid','int'); $search_user=GETPOST('search_user','int'); $search_sale=GETPOST('search_sale','int'); diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 009326f1f41..40071a0b21d 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php @@ -52,7 +52,7 @@ $action = GETPOST('action','alpha'); $confirm = GETPOST('confirm','alpha'); $sref = GETPOST('sref'); $sref_client = GETPOST('sref_client'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $socid = GETPOST('socid','int'); $selected = GETPOST('orders_to_invoice'); $sortfield = GETPOST("sortfield",'alpha'); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 5dbbeb24e5a..cce94646616 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -52,7 +52,7 @@ $langs->load('bills'); $langs->load('companies'); $langs->load('products'); -$sall=trim(GETPOST('sall')); +$sall=trim(GETPOST('sall', 'alphanohtml')); $projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0); $id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int')); // For backward compatibility diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index ae0f8f9398a..b425ea56667 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -42,7 +42,7 @@ $ref = ''; // There is no ref for contacts if ($user->societe_id) $socid=$user->societe_id; $result = restrictedArea($user, 'contact', $contactid,''); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $search_firstlast_only=GETPOST("search_firstlast_only"); $search_lastname=GETPOST("search_lastname"); $search_firstname=GETPOST("search_firstname"); diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 7436c16fe69..8a22f7ee324 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); $search_contract=GETPOST('search_contract'); $search_ref_supplier=GETPOST('search_ref_supplier','alpha'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $search_status=GETPOST('search_status'); $socid=GETPOST('socid'); $search_user=GETPOST('search_user','int'); diff --git a/htdocs/don/list.php b/htdocs/don/list.php index d925573b859..1b490b34085 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC"; if (! $sortfield) $sortfield="d.datedon"; $statut=isset($_GET["statut"])?$_GET["statut"]:"-1"; -$search_all=GETPOST('sall','alpha'); +$search_all=GETPOST('sall', 'alphanohtml'); $search_ref=GETPOST('search_ref','alpha'); $search_company=GETPOST('search_company','alpha'); $search_name=GETPOST('search_name','alpha'); diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index 65d7fd5223e..68f3add0229 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha'); $search_state=trim(GETPOST("search_state")); $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); $limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit; diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 13b95311dee..58541330c83 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC"; if (!$sortfield) $sortfield="d.date_debut"; -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $search_ref = GETPOST('search_ref'); $search_user = GETPOST('search_user','int'); $search_amount_ht = GETPOST('search_amount_ht','alpha'); diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php index 563c57f5ad7..9ef7d22ad10 100644 --- a/htdocs/fichinter/list.php +++ b/htdocs/fichinter/list.php @@ -62,7 +62,7 @@ $search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_ $search_company=GETPOST('search_company','alpha'); $search_desc=GETPOST('search_desc','alpha'); $search_status=GETPOST('search_status'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index 427f428d652..59a3bd3a809 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST']) // when we post forms (we allow GET to allow direct link to access a particular page). // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host -if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) - && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) - && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) +if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) { - //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; - print "Access refused by CSRF protection in main.inc.php.\n"; - print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n"; - die; + if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) + && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) + { + //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; + print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } + // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on. } if (empty($dolibarr_main_db_host)) { diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index 49de2dac7a3..42773058471 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -54,6 +54,8 @@ $orderday=GETPOST("orderday","int"); $deliveryyear=GETPOST("deliveryyear","int"); $deliverymonth=GETPOST("deliverymonth","int"); $deliveryday=GETPOST("deliveryday","int"); + +$sall=GETPOST('search_all', 'alphanohtml'); $search_product_category=GETPOST('search_product_category','int'); $search_ref=GETPOST('search_ref'); $search_refsupp=GETPOST('search_refsupp'); @@ -69,7 +71,6 @@ $search_ht=GETPOST('search_ht'); $search_ttc=GETPOST('search_ttc'); $search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); // alpha and not intbecause it can be '6,7' $optioncss = GETPOST('optioncss','alpha'); -$sall=GETPOST('search_all'); $socid = GETPOST('socid','int'); $search_sale=GETPOST('search_sale','int'); $search_total_ht=GETPOST('search_total_ht','alpha'); diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php index f804a1d9ab7..32f1a5538b5 100644 --- a/htdocs/fourn/commande/orderstoinvoice.php +++ b/htdocs/fourn/commande/orderstoinvoice.php @@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $sref = GETPOST('sref'); $sref_client = GETPOST('sref_client'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $socid = GETPOST('socid', 'int'); $selected = GETPOST('orders_to_invoice'); $sortfield = GETPOST("sortfield", 'alpha'); diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index 3afb97c5fb1..396d5ffd8a5 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php @@ -88,7 +88,7 @@ $toselect = GETPOST('toselect', 'array'); $option = GETPOST('option'); if ($option == 'late') $filter = 'paye:0'; -$search_all = GETPOST('sall'); +$search_all = GETPOST('sall', 'alphanohtml'); $search_label = GETPOST("search_label","alpha"); $search_company = GETPOST("search_company","alpha"); $search_amount_no_tax = GETPOST("search_amount_no_tax","alpha"); diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 131dcc3651b..1ab8fbd785f 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -55,7 +55,7 @@ $pagenext = $page + 1; $id = GETPOST('id','int'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $search_ref = GETPOST('search_ref'); $month_create = GETPOST('month_create'); $year_create = GETPOST('year_create'); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index dd45222fa42..9d97770e48a 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V // Creation of a token against CSRF vulnerabilities if (! defined('NOTOKENRENEWAL')) { - $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number // roulement des jetons car cree a chaque appel if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; + + // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] + $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number $_SESSION['newtoken'] = $token; } if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes) { - if ($_SERVER['REQUEST_METHOD'] === 'POST') + if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET { - if (GETPOST('token') != $_SESSION['token']) + print "Access refused by CSRF protection in main.inc.php. Token not provided.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } + if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token']. + { + if (GETPOST('token', 'alpha') != $_SESSION['token']) { dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. diff --git a/htdocs/product/canvas/product/actions_card_product.class.php b/htdocs/product/canvas/product/actions_card_product.class.php index 06803e8239d..8db1ae21469 100644 --- a/htdocs/product/canvas/product/actions_card_product.class.php +++ b/htdocs/product/canvas/product/actions_card_product.class.php @@ -326,7 +326,7 @@ class ActionsCardProduct $this->list_datas = array(); // Clean parameters - $sall=trim(GETPOST("sall")); + $sall=trim(GETPOST('sall', 'alphanohtml')); foreach($this->field_list as $field) { diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 9efdca6a4d0..1aec109474e 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -49,7 +49,7 @@ $action = GETPOST('action'); $sref=GETPOST("sref"); $sbarcode=GETPOST("sbarcode"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $search_sale = GETPOST("search_sale"); $search_categ = GETPOST("search_categ",'int'); diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php index 13bc0fef186..e3e9af6a61a 100644 --- a/htdocs/product/reassort.php +++ b/htdocs/product/reassort.php @@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service'); $action=GETPOST('action','alpha'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $sbarcode=GETPOST("sbarcode"); $catid=GETPOST('catid','int'); diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 01285f09417..40b96c24db1 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service'); $action=GETPOST('action','alpha'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $sbarcode=GETPOST("sbarcode",'alpha'); $search_warehouse=GETPOST('search_warehouse','alpha'); diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index 0bfd9048352..ed1b91b4ad5 100644 --- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php @@ -32,9 +32,9 @@ $langs->load("stocks"); // Security check $result=restrictedArea($user,'stock'); +$sall=GETPOST('sall', 'alphanohtml'); $search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha"); $search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha"); -$sall=GETPOST("sall","alpha"); $search_status=GETPOST("search_status","int"); $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit; diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index 437361b5cf5..26c6ab1dfd1 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service'); $action = GETPOST('action','alpha'); $sref = GETPOST('sref', 'alpha'); $snom = GETPOST('snom', 'alpha'); -$sall = GETPOST('sall', 'alpha'); +$sall = GETPOST('sall', 'alphanohtml'); $type = GETPOST('type','int'); $tobuy = GETPOST('tobuy', 'int'); $salert = GETPOST('salert', 'alpha'); diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php index 4986d7c524d..5b1fda0371f 100644 --- a/htdocs/product/stock/replenishorders.php +++ b/htdocs/product/stock/replenishorders.php @@ -39,11 +39,11 @@ $langs->load("orders"); if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit|service'); +$sall = GETPOST('search_all', 'alphanohtml'); $sref = GETPOST('search_ref', 'alpha'); $snom = GETPOST('search_nom', 'alpha'); $suser = GETPOST('search_user', 'alpha'); $sttc = GETPOST('search_ttc', 'alpha'); -$sall = GETPOST('search_all', 'alpha'); $sdate = GETPOST('search_date', 'alpha'); $page = GETPOST('page', 'int'); $sproduct = GETPOST('sproduct', 'int'); diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php index be56636ee57..b13dd0bd27e 100644 --- a/htdocs/product/stock/valo.php +++ b/htdocs/product/stock/valo.php @@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $sortfield = GETPOST("sortfield"); $sortorder = GETPOST("sortorder"); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index dadc199d146..51f260cac6f 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -62,13 +62,12 @@ $offset = $limit * $page ; $pageprev = $page - 1; $pagenext = $page + 1; -$search_all=GETPOST("search_all"); +$search_all=GETPOST('search_all', 'alphanohtml'); $search_categ=GETPOST("search_categ",'alpha'); $search_ref=GETPOST("search_ref"); $search_label=GETPOST("search_label"); $search_societe=GETPOST("search_societe"); $search_year=GETPOST("search_year"); -$search_all=GETPOST("search_all"); $search_status=GETPOST("search_status",'int'); $search_opp_status=GETPOST("search_opp_status",'alpha'); $search_opp_percent=GETPOST("search_opp_percent",'alpha'); diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 74f9b122f14..30a89109115 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -36,7 +36,7 @@ $langs->load('companies'); $id=GETPOST('id','int'); -$search_all=GETPOST('search_all'); +$search_all=GETPOST('search_all', 'alphanohtml'); $search_project=GETPOST('search_project'); if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus'])) { diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 393d3a1fad4..0a79921d153 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -48,7 +48,7 @@ $socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; $result = restrictedArea($user,'societe',$socid,''); -$search_all=trim(GETPOST("sall")); +$search_all=trim(GETPOST('sall', 'alphanohtml')); $search_nom=trim(GETPOST("search_nom")); $search_nom_only=trim(GETPOST("search_nom_only")); $search_barcode=trim(GETPOST("sbarcode")); diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index caf79597e53..7a841a13b19 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha'); $search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int'); $object_statut=$db->escape(GETPOST('supplier_proposal_statut')); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg")); $year=GETPOST("year"); $month=GETPOST("month"); diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php index 94c12147f1a..12e51a79d0f 100644 --- a/htdocs/user/group/index.php +++ b/htdocs/user/group/index.php @@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS)) $langs->load("users"); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $search_group=GETPOST('search_group'); $optioncss = GETPOST('optioncss','alpha'); diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php index bb558bd56b3..2bba66d464e 100644 --- a/htdocs/user/hierarchy.php +++ b/htdocs/user/hierarchy.php @@ -39,7 +39,7 @@ $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; -$sall=GETPOST('sall','alpha'); +$sall=GETPOST('sall', 'alphanohtml'); $search_user=GETPOST('search_user','alpha'); $userstatic=new User($db); diff --git a/htdocs/user/index.php b/htdocs/user/index.php index 623e2df3434..9e7c78f9799 100644 --- a/htdocs/user/index.php +++ b/htdocs/user/index.php @@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab } // Init search fields -$sall=GETPOST('sall','alpha'); +$sall=GETPOST('sall', 'alphanohtml'); $search_user=GETPOST('search_user','alpha'); $search_login=GETPOST('search_login','alpha'); $search_lastname=GETPOST('search_lastname','alpha');