From f2e7afafd3f4616269de7b1262d7d865a47007bd Mon Sep 17 00:00:00 2001
From: simnandez
Date: Thu, 29 Mar 2012 17:04:10 +0100
Subject: [PATCH] Fix: Sanitize data
---
 htdocs/admin/barcode.php | 13 +++++++------
 htdocs/admin/fckeditor.php | 11 +++++++----
 htdocs/admin/mailing.php | 12 ++++++------
 htdocs/bookmarks/admin/bookmark.php | 9 ++++-----
 4 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php
index 9ec0f0dd84f..f87df7b6ea9 100644
--- a/htdocs/admin/barcode.php
+++ b/htdocs/admin/barcode.php
@@ -2,6 +2,7 @@
 /* Copyright (C) 2003-2004 Rodolphe Quiedeville
 * Copyright (C) 2004-2011 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
+ * Copyright (C) 2011 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -31,7 +32,7 @@ $langs->load("admin");
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 /*
@@ -40,8 +41,8 @@ $action = GETPOST("action");
 if ($action == 'setcoder')
 {
- $coder = GETPOST("coder");
- $code_id = GETPOST("code_id");
+ $coder = GETPOST('coder','alpha');
+ $code_id = GETPOST('code_id','alpha');
 $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type";
 $sqlp.= " SET coder = '" . $coder."'";
 $sqlp.= " WHERE rowid = ". $code_id;
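Review bot: The `alpha` filter does not make `$coder` and `$code_id` safe for the SQL assembled two lines below, where `$coder` is concatenated inside single quotes and `$code_id` is appended unquoted after `WHERE rowid =`; GETPOST's alpha check is a light character filter, not an SQL escape, so the UPDATE is still built from unescaped request input (reachable by any session that passes the admin check at the top of the file). Read the rowid as an integer, `$code_id = GETPOST('code_id','int');`, and escape the coder value when building the statement, `$sqlp.= " SET coder = '".$db->escape($coder)."'";`. The setcoder block continues past the end of the hunk, so the execution of `$sqlp` is not visible here.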
@@ -52,17 +53,17 @@ if ($action == 'setcoder')
 }
 else if ($action == 'setgenbarcodelocation')
 {
- $location = GETPOST("genbarcodelocation");
+ $location = GETPOST('genbarcodelocation','alpha');
 $res = dolibarr_set_const($db, "GENBARCODE_LOCATION",$location,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'setdefaultbarcodetype')
 {
- $coder_id = GETPOST("coder_id");
+ $coder_id = GETPOST('coder_id','alpha');
 $res = dolibarr_set_const($db, "PRODUIT_DEFAULT_BARCODE_TYPE", $coder_id,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'GENBARCODE_BARCODETYPE_THIRDPARTY')
 {
- $coder_id = GETPOST("coder_id");
+ $coder_id = GETPOST('coder_id','alpha');
 $res = dolibarr_set_const($db, "GENBARCODE_BARCODETYPE_THIRDPARTY", $coder_id,'chaine',0,'',$conf->entity);
 }
 /*
diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php
index 16ac49d543b..98c78196204 100644
--- a/htdocs/admin/fckeditor.php
+++ b/htdocs/admin/fckeditor.php
@@ -1,6 +1,7 @@
 * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -30,6 +31,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/class/doleditor.class.php");
 $langs->load("admin");
 $langs->load("fckeditor");
+$action = GETPOST('action','alpha');
+
 if (!$user->admin) accessforbidden();
 // Constante et traduction de la description du module
@@ -62,7 +65,7 @@ $picto = array(
 foreach($modules as $const => $desc)
 {
- if ($_GET["action"] == 'activate_'.strtolower($const))
+ if ($action == 'activate_'.strtolower($const))
 {
 dolibarr_set_const($db, "FCKEDITOR_ENABLE_".$const, "1",'chaine',0,'',$conf->entity);
 // Si fckeditor est active dans la description produit/service, on l'active dans les formulaires
@@ -73,7 +76,7 @@ foreach($modules as $const => $desc)
 Header("Location: ".$_SERVER["PHP_SELF"]);
 exit;
 }
- if ($_GET["action"] == 'disable_'.strtolower($const))
+ if ($action == 'disable_'.strtolower($const))
 {
 dolibarr_del_const($db, "FCKEDITOR_ENABLE_".$const,$conf->entity);
 Header("Location: ".$_SERVER["PHP_SELF"]);
@@ -81,9 +84,9 @@ foreach($modules as $const => $desc)
 }
 }
-if ($_POST["save"])
+if (GETPOST('save','alpha'))
 {
- dolibarr_set_const($db, "FCKEDITOR_TEST", $_POST["formtestfield"],'chaine',0,'',$conf->entity);
+ dolibarr_set_const($db, "FCKEDITOR_TEST", GETPOST('formtestfield','alpha'),'chaine',0,'',$conf->entity);
 }
diff --git a/htdocs/admin/mailing.php b/htdocs/admin/mailing.php
index c86c5d1e02e..bad34ac83b2 100644
--- a/htdocs/admin/mailing.php
+++ b/htdocs/admin/mailing.php
@@ -1,7 +1,7 @@
- * Copyright (C) 2005-2011 Laurent Destailleur
- * Copyright (C) 2011 Juanjo Menent
+/* Copyright (C) 2004 Rodolphe Quiedeville
+ * Copyright (C) 2005-2011 Laurent Destailleur
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@ $langs->load("mails");
 if (!$user->admin) accessforbidden();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 /*
 * Actions
@@ -42,8 +42,8 @@ if ($action == 'setvalue' && $user->admin)
 {
 $db->begin();
- $mailfrom = GETPOST("MAILING_EMAIL_FROM");
- $mailerror = GETPOST("MAILING_EMAIL_ERRORSTO");
+ $mailfrom = GETPOST('MAILING_EMAIL_FROM','alpha');
+ $mailerror = GETPOST('MAILING_EMAIL_ERRORSTO','alpha');
 $res=dolibarr_set_const($db, "MAILING_EMAIL_FROM",$mailfrom,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
diff --git a/htdocs/bookmarks/admin/bookmark.php b/htdocs/bookmarks/admin/bookmark.php
index acb7689d80b..5f056656ddc 100644
--- a/htdocs/bookmarks/admin/bookmark.php
+++ b/htdocs/bookmarks/admin/bookmark.php
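Review bot: Replacing `$_POST["save"]` with `GETPOST('save','alpha')` widens the FCKEDITOR_TEST write from POST-only to any request that carries `save` in the query string, since GETPOST reads GET as well as POST; the commit changes request-method behaviour here, not only sanitization. If this GETPOST version accepts a method argument, request POST only through it, otherwise keep an explicit guard such as `if (GETPOST('save','alpha') && $_SERVER['REQUEST_METHOD'] == 'POST')`. Separately, `formtestfield` appears to hold editor (rich-text) content given this is the fckeditor admin page, so the `alpha` filter may alter what the admin typed; whether dolibarr_set_const escapes the value itself cannot be confirmed from this hunk.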
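Review bot: `MAILING_EMAIL_FROM` and `MAILING_EMAIL_ERRORSTO` are stored after only the `alpha` filter, which does not check that the value is an e-mail address even though these constants feed the From and Errors-To headers of outgoing mass mailings. Validate before persisting and route a bad value through the existing error flag, e.g. `if ($mailfrom && ! isValidEmail($mailfrom)) $error++;` and the same for `$mailerror`, so the transaction opened by `$db->begin()` is not committed with a malformed address. The `dolibarr_set_const` call for `$mailerror` and the commit/rollback lie outside the hunk, so whether a later check exists cannot be confirmed here.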
@@ -1,7 +1,7 @@
 * Copyright (C) 2005-2009 Laurent Destailleur
- * Copyright (C) 2011 Juanjo Menent
+ * Copyright (C) 2011-2012 Juanjo Menent
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -30,11 +30,11 @@ $langs->load("admin");
 if (!$user->admin) accessforbidden();
-$action=GETPOST("action");
+$action=GETPOST('action','alpha');
 if ($action == 'setvalue')
 {
- $showmenu = GETPOST("BOOKMARKS_SHOW_IN_MENU");
+ $showmenu = GETPOST('BOOKMARKS_SHOW_IN_MENU','alpha');
 $res = dolibarr_set_const($db, "BOOKMARKS_SHOW_IN_MENU",$showmenu,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
@@ -53,8 +53,7 @@ if ($action == 'setvalue')
 /*
- *
- *
+ * View
 */
 llxHeader();
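Review bot: `alpha` is a loose filter for `BOOKMARKS_SHOW_IN_MENU`, which by its name is a show/hide toggle; if the form submits 0/1 (the form is not visible in this hunk), `$showmenu = GETPOST('BOOKMARKS_SHOW_IN_MENU','int');` pins the stored constant to an integer instead of accepting an arbitrary short string that later code presumably tests for truthiness. The setvalue block continues past the hunk, so the remaining error handling cannot be checked here.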