From e6a989e51a2670c0eaaa49e969f46c302a7ac8a5 Mon Sep 17 00:00:00 2001 From: kamel Date: Fri, 25 Mar 2022 17:00:23 +0100 Subject: [PATCH 01/11] FIX - Case of invoice situation at 100% with a credit note Set situation_final to 0 if is a credit note and the invoice source is a invoice situation (case when invoice situation is at 100%) when the credit note is validated So we can continue to create new invoice situation --- htdocs/compta/facture/class/facture.class.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 4feeb3d60b6..4caa9a8bca6 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -2848,6 +2848,25 @@ class Facture extends CommonInvoice } } + /* + * Set situation_final to 0 if is a credit note and the invoice source is a invoice situation (case when invoice situation is at 100%) + * So we can continue to create new invoice situation + */ + if (!$error && $this->type == self::TYPE_CREDIT_NOTE && $this->fk_facture_source > 0) { + $invoice_situation = new Facture($this->db); + $result = $invoice_situation->fetch($this->fk_facture_source); + if ($result > 0) { + $invoice_situation->situation_final = 0; + // Disable triggers because module can force situation_final to 1 by triggers (ex: SubTotal) + $result = $invoice_situation->setFinal($user, 1); + } + if ($result < 0) { + $this->error = $invoice_situation->error; + $this->errors = $invoice_situation->errors; + $error++; + } + } + // Trigger calls if (!$error && !$notrigger) { // Call trigger From 2ca5c38f0acfe4b988c55ff98033afb1d47ca3bd Mon Sep 17 00:00:00 2001 From: kamel Date: Mon, 4 Apr 2022 10:40:10 +0200 Subject: [PATCH 02/11] Add test for checking if parent invoice is of type 'situation' --- htdocs/compta/facture/class/facture.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
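Review bot: When `fetch()` returns 0 (source invoice not found) the new block falls through silently: `$result` is neither `> 0` nor `< 0`, so validation continues with no error even though `fk_facture_source` points at a row that does not exist. If a missing source should block validation, fold it into the error path, e.g. `if ($result <= 0) { $this->error = $invoice_situation->error; $this->errors = $invoice_situation->errors; $error++; }`; if best-effort is intended, a one-line comment saying so would save the next reader the same question. Note also that `$this->errors = $invoice_situation->errors;` overwrites rather than appends, so any earlier errors collected on `$this` are lost. The enclosing method starts and ends outside the hunk.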
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 939db98330c..29101108d00 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -2902,7 +2902,7 @@ class Facture extends CommonInvoice
 if (!$error && $this->type == self::TYPE_CREDIT_NOTE && $this->fk_facture_source > 0) {
 $invoice_situation = new Facture($this->db);
 $result = $invoice_situation->fetch($this->fk_facture_source);
- if ($result > 0) {
+ if ($result > 0 && $invoice_situation->type == self::TYPE_SITUATION && $invoice_situation->situation_final == 1) {
 $invoice_situation->situation_final = 0;
 // Disable triggers because module can force situation_final to 1 by triggers (ex: SubTotal)
 $result = $invoice_situation->setFinal($user, 1);
From 8be15e8e27dc8c51dacb510febf64db34f4bf851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?This=20Charl=C3=A8ne?= <1179011+defrance@users.noreply.github.com>
Date: Mon, 11 Jul 2022 07:11:45 +0200
Subject: [PATCH 03/11] php v8 fix warning missing and bad name variables

---
 htdocs/commande/card.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php
index 22505f6b921..c407d80c727 100644
--- a/htdocs/commande/card.php
+++ b/htdocs/commande/card.php
@@ -1609,7 +1609,7 @@ if ($action == 'create' && $usercancreate) {
 $fk_account = $soc->fk_account;
 $availability_id = 0;
 $shipping_method_id = $soc->shipping_method_id;
- $warehouse_id = $soc->warehouse_id;
+ $warehouse_id = $soc->fk_warehouse;
 $demand_reason_id = $soc->demand_reason_id;
 $remise_percent = $soc->remise_percent;
 $remise_absolue = 0;
@@ -1722,7 +1722,7 @@ if ($action == 'create' && $usercancreate) { // Date delivery planned print ''.$langs->trans("DateDeliveryPlanned").''; print ''; - $date_delivery = ($date_delivery ? $date_delivery : $object->date_delivery); + $date_delivery = ($date_delivery ? $date_delivery : $object->delivery_date); print $form->selectDate($date_delivery ? $date_delivery : -1, 'liv_', 1, 1, 1); print "\n"; print ''; @@ -1803,7 +1803,10 @@ if ($action == 'create' && $usercancreate) { } // Other attributes - $parameters = array('objectsrc' => $objectsrc, 'socid'=>$socid); + if (!empty($origin) && !empty($originid) && is_object($objectsrc)) + $parameters['objectsrc'] = $objectsrc; + $parameters['socid'] = $socid; + // Note that $action and $object may be modified by hook $reshook = $hookmanager->executeHooks('formObjectOptions', $parameters, $object, $action); print $hookmanager->resPrint; From 796f718012be642b8812ddcd15eaf251904e0412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?This=20Charl=C3=A8ne?= <1179011+defrance@users.noreply.github.com> Date: Mon, 11 Jul 2022 07:14:46 +0200 Subject: [PATCH 04/11] Update card.php --- htdocs/commande/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index c407d80c727..5f90927860d 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1698,7 +1698,7 @@ if ($action == 'create' && $usercancreate) { // Contacts (ask contact only if thirdparty already defined). print "".$langs->trans("DefaultContact").''; print img_picto('', 'contact', 'class="pictofixedwidth"'); - print $form->selectcontacts($soc->id, $contactid, 'contactid', 1, $srccontactslist, '', 1, 'maxwidth200 widthcentpercentminusx'); + print $form->selectcontacts($soc->id, $contactid, 'contactid', 1, !empty($srccontactslist)?$srccontactslist:"", '', 1, 'maxwidth200 widthcentpercentminusx'); print ''; // Ligne info remises tiers 
From 204bf2e61878376e82d92f3cbf850ea466aa0895 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 11 Jul 2022 10:54:23 +0200 Subject: [PATCH 05/11] Update card.php --- htdocs/commande/card.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index 5f90927860d..1e6a33e8ae8 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1803,8 +1803,10 @@ if ($action == 'create' && $usercancreate) { } // Other attributes - if (!empty($origin) && !empty($originid) && is_object($objectsrc)) + $parameters = array(); + if (!empty($origin) && !empty($originid) && is_object($objectsrc)) { $parameters['objectsrc'] = $objectsrc; + } $parameters['socid'] = $socid; // Note that $action and $object may be modified by hook From 490944baac510625944a2f3102df3abc8e11d4bb Mon Sep 17 00:00:00 2001 From: Francis Appels Date: Mon, 11 Jul 2022 17:29:26 +0200 Subject: [PATCH 06/11] Fix php 8 warning --- htdocs/comm/action/card.php | 2 +- htdocs/core/class/commonobject.class.php | 50 ++++++++++--------- htdocs/fourn/commande/list.php | 2 +- .../template/myobject_agenda.php | 2 +- 4 files changed, 29 insertions(+), 27 deletions(-) diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index 351ab9212bc..933f6534d55 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php @@ -1031,7 +1031,7 @@ if ($action == 'create') { // Recurring event $userepeatevent = ($conf->global->MAIN_FEATURES_LEVEL == 2 ? 1 : 0); - if ($userepeatevent) { + if ($userepeatevent && !empty($object->recurid)) { // Repeat //print ''; print '        
'; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index a6d29aa6fab..8a2d093448c 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -4986,7 +4986,7 @@ abstract class CommonObject } $text .= ' - '.(!empty($line->label) ? $line->label : $label); - $description .= (!empty($conf->global->PRODUIT_DESC_IN_FORM) ? '' : dol_htmlentitiesbr($line->description)); // Description is what to show on popup. We shown nothing if already into desc. + $description .= (!empty($conf->global->PRODUIT_DESC_IN_FORM) ? '' : (!empty($line->description) ? dol_htmlentitiesbr($line->description) : '')); // Description is what to show on popup. We shown nothing if already into desc. } $line->pu_ttc = price2num((!empty($line->subprice) ? $line->subprice : 0) * (1 + ((!empty($line->tva_tx) ? $line->tva_tx : 0) / 100)), 'MU'); 
@@ -7495,33 +7495,35 @@ abstract class CommonObject $resql = $this->db->query($sql); if ($resql) { $value = ''; // value was used, so now we reste it to use it to build final output + $numrows = $this->db->num_rows($resql); + if ($numrows) { + $obj = $this->db->fetch_object($resql); - $obj = $this->db->fetch_object($resql); + // Several field into label (eq table:code|libelle:rowid) + $fields_label = explode('|', $InfoFieldList[1]); - // Several field into label (eq table:code|libelle:rowid) - $fields_label = explode('|', $InfoFieldList[1]); - - if (is_array($fields_label) && count($fields_label) > 1) { - foreach ($fields_label as $field_toshow) { - $translabel = ''; - if (!empty($obj->$field_toshow)) { - $translabel = $langs->trans($obj->$field_toshow); + if (is_array($fields_label) && count($fields_label) > 1) { + foreach ($fields_label as $field_toshow) { + $translabel = ''; + if (!empty($obj->$field_toshow)) { + $translabel = $langs->trans($obj->$field_toshow); + } + if ($translabel != $field_toshow) { + $value .= dol_trunc($translabel, 18).' '; + } else { + $value .= $obj->$field_toshow.' '; + } } - if ($translabel != $field_toshow) { - $value .= dol_trunc($translabel, 18).' '; - } else { - $value .= $obj->$field_toshow.' '; - } - } - } else { - $translabel = ''; - if (!empty($obj->{$InfoFieldList[1]})) { - $translabel = $langs->trans($obj->{$InfoFieldList[1]}); - } - if ($translabel != $obj->{$InfoFieldList[1]}) { - $value = dol_trunc($translabel, 18); } else { - $value = $obj->{$InfoFieldList[1]}; + $translabel = ''; + if (!empty($obj->{$InfoFieldList[1]})) { + $translabel = $langs->trans($obj->{$InfoFieldList[1]}); + } + if ($translabel != $obj->{$InfoFieldList[1]}) { + $value = dol_trunc($translabel, 18); + } else { + $value = $obj->{$InfoFieldList[1]}; + } } } } else { diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index 22c4921b5b1..91b92523e11 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php 
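Review bot: In the multi-field branch, `if ($translabel != $field_toshow)` compares the translated value against the column name, whereas the single-field branch right below compares against the column value (`$obj->{$InfoFieldList[1]}`); it looks like it should be `if ($translabel != $obj->$field_toshow)` so that the untranslated-value fallback in the `else` is actually reachable. These lines are only re-indented by this commit, so the defect is pre-existing, but the rewrite is the natural moment to fix it. Also `explode()` always returns an array, so `is_array($fields_label)` is redundant and `count($fields_label) > 1` suffices. Whether `$value` is escaped before it reaches the page is decided outside the hunk; the enclosing method starts and ends outside it as well.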
@@ -1122,7 +1122,7 @@ if ($resql) { $url .= '&socid='.((int) $socid); $url .= '&backtopage='.urlencode(DOL_URL_ROOT.'/fourn/commande/list.php?socid='.((int) $socid)); } - $newcardbutton = dolGetButtonTitle($langs->trans('NewSupplierOrderShort'), '', 'fa fa-plus-circle', $url, '', $permissitiontoadd); + $newcardbutton = dolGetButtonTitle($langs->trans('NewSupplierOrderShort'), '', 'fa fa-plus-circle', $url, '', $permissiontoadd); // Lines of title fields print '
'; diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php index 6b6f60bf8c6..740d419719a 100644 --- a/htdocs/modulebuilder/template/myobject_agenda.php +++ b/htdocs/modulebuilder/template/myobject_agenda.php @@ -290,7 +290,7 @@ if ($object->id > 0) { print '
'; if (isModEnabled('agenda') && (!empty($user->rights->agenda->myactions->read) || !empty($user->rights->agenda->allactions->read))) { - $param = '&id='.$object->id.'&socid='.$socid; + $param = '&id='.$object->id.(!empty($socid) ? '&socid='.$socid : ''); if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) { $param .= '&contextpage='.urlencode($contextpage); } From 4f9211d3e5299199f624b99e2cbf422e5bcc0592 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 11 Jul 2022 19:24:55 +0200 Subject: [PATCH 07/11] Fix link --- htdocs/core/boxes/box_dolibarr_state_board.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/boxes/box_dolibarr_state_board.php b/htdocs/core/boxes/box_dolibarr_state_board.php index b25a42228e7..4b85ce9d396 100644 --- a/htdocs/core/boxes/box_dolibarr_state_board.php +++ b/htdocs/core/boxes/box_dolibarr_state_board.php @@ -209,7 +209,7 @@ class box_dolibarr_state_board extends ModeleBoxes 'expensereports' => DOL_URL_ROOT . '/expensereport/list.php?mainmenu=hrm&leftmenu=expensereport', 'holidays' => DOL_URL_ROOT . '/holiday/list.php?mainmenu=hrm&leftmenu=holiday', 'ticket' => DOL_URL_ROOT . '/ticket/list.php?leftmenu=ticket', - 'dolresource' => DOL_URL_ROOT . '/resource/list.php?mainmenu=tools', + 'dolresource' => DOL_URL_ROOT . '/resource/list.php?mainmenu=agenda', ); $titres = array( 'users' => "Users", From 85a0ae123670bb49de87dd990d34a7e7f523a3b8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 11 Jul 2022 19:58:28 +0200 Subject: [PATCH 08/11] Fix token for ping --- htdocs/core/ajax/pingresult.php | 5 +++-- htdocs/main.inc.php | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/htdocs/core/ajax/pingresult.php b/htdocs/core/ajax/pingresult.php index 202dfbae390..8e3cc622512 100644 --- a/htdocs/core/ajax/pingresult.php +++ b/htdocs/core/ajax/pingresult.php 
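Review bot: `'&socid='.$socid` concatenates `$socid` into the query string with no cast or encoding, whereas the fourn/commande/list.php hunk in this same series writes the same parameter as `((int) $socid)`; since this template is copied into every module generated by modulebuilder, suggest `$param = '&id='.((int) $object->id).(!empty($socid) ? '&socid='.((int) $socid) : '');`. Whether `$socid` has already been cast when it is read from the request is decided outside the hunk, so the cast here is cheap insurance rather than a known hole.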
@@ -1,5 +1,5 @@ +/* Copyright (C) 2019-2022 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,7 +17,8 @@ /** * \file htdocs/core/ajax/pingresult.php - * \brief File to save result of an anonymous ping into database (1 ping is done per installation) + * \brief Page called after a ping was done in js to the official dolibarr ping service. + * This ajax URL is called with parameter 'firstpingok' or 'firstpingko' depending on the result of the ping. */ if (!defined('NOTOKENRENEWAL')) { diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 69dfffba3a7..ea292e1d616 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -3364,7 +3364,7 @@ if (!function_exists("llxFooter")) { url: '', timeout: 500, // timeout milliseconds cache: false, - data: { hash_algo: 'md5', hash_unique_id: '', action: 'firstpingok', token: 'notrequired' }, // for update + data: { hash_algo: 'md5', hash_unique_id: '', action: 'firstpingok', token: '' }, // for update }); }, error: function (data,status,xhr) { // error callback function @@ -3374,7 +3374,7 @@ if (!function_exists("llxFooter")) { url: '', timeout: 500, // timeout milliseconds cache: false, - data: { hash_algo: 'md5', hash_unique_id: '', action: 'firstpingko', token: 'notrequired' }, + data: { hash_algo: 'md5', hash_unique_id: '', action: 'firstpingko', token: '' }, }); } }); From 1cbeaf6ac01df612c4606916d20acc366bd2a699 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 11 Jul 2022 20:05:49 +0200 Subject: [PATCH 09/11] Fix php8 --- htdocs/comm/action/card.php | 5 +++-- htdocs/comm/action/class/actioncomm.class.php | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index 933f6534d55..e543b7e6bd1 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php 
@@ -1031,15 +1031,16 @@ if ($action == 'create') { // Recurring event $userepeatevent = ($conf->global->MAIN_FEATURES_LEVEL == 2 ? 1 : 0); - if ($userepeatevent && !empty($object->recurid)) { + if ($userepeatevent) { // Repeat //print ''; print '        
'; print img_picto($langs->trans("Recurrence"), 'recurring', 'class="paddingright2"'); - print ''; + print ''; $selectedrecurrulefreq = 'no'; $selectedrecurrulebymonthday = ''; $selectedrecurrulebyday = ''; + $reg = array(); if ($object->recurrule && preg_match('/FREQ=([A-Z]+)/i', $object->recurrule, $reg)) { $selectedrecurrulefreq = $reg[1]; } diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 7d03def1464..22419629333 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -373,6 +373,16 @@ class ActionComm extends CommonObject */ public $status; + /** + * Properties to manage the recurring events + */ + public $recurid; + public $recurrule; + public $recurdateend; + + public $calling_duration; + + /** * Typical value for a event that is in a todo state */ From f0090ef92845c9cb1aeffa09a2e1dffba3dea624 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 11 Jul 2022 20:18:03 +0200 Subject: [PATCH 10/11] FIX #yogosha11755 --- .../public/emailing/mailing-unsubscribe.php | 4 ++++ htdocs/public/members/public_card.php | 10 +------- htdocs/public/members/public_list.php | 24 +++++++------------ htdocs/public/test/test_arrays.php | 4 ++++ htdocs/public/test/test_badges.php | 10 ++++++++ .../test/{buttons.php => test_buttons.php} | 0 htdocs/public/test/test_csrf.php | 5 ++++ htdocs/public/test/test_exec.php | 17 +++++-------- htdocs/public/test/test_sessionlock.php | 11 +++++++++ 9 files changed, 49 insertions(+), 36 deletions(-) rename htdocs/public/test/{buttons.php => test_buttons.php} (100%) diff --git a/htdocs/public/emailing/mailing-unsubscribe.php b/htdocs/public/emailing/mailing-unsubscribe.php index 76a73e8de05..7c85d9a2fc0 100644 --- a/htdocs/public/emailing/mailing-unsubscribe.php +++ b/htdocs/public/emailing/mailing-unsubscribe.php 
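Review bot: The new properties `$recurid`, `$recurrule`, `$recurdateend` and `$calling_duration` in ActionComm are declared under one shared comment with no type or description each, and `$calling_duration` does not belong to the "recurring events" group at all. Suggest one docblock per property in the file's existing style, e.g. `/** @var string Recurrence rule in iCal form (FREQ=..., BYDAY=..., BYMONTHDAY=...) */` above `public $recurrule;` — the `preg_match('/FREQ=([A-Z]+)/i', $object->recurrule, $reg)` in the card.php hunk of this commit is what establishes that shape — and a separate comment for `$calling_duration` stating what it measures and in which unit, which nothing in this commit shows. The card.php hunk's enclosing block starts and ends outside the hunk.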
@@ -157,6 +157,10 @@ if (!empty($tag) && ($unsuscrib == '1')) { header("Content-type: text/html; charset=".$conf->file->character_set_client); + // Security options + header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) + header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + print ''; print "\n"; print "\n"; diff --git a/htdocs/public/members/public_card.php b/htdocs/public/members/public_card.php index a6512b83a60..d58b6448edb 100644 --- a/htdocs/public/members/public_card.php +++ b/htdocs/public/members/public_card.php @@ -147,16 +147,8 @@ $db->close(); */ function llxHeaderVierge($title, $head = "") { - global $user, $conf, $langs; + top_htmlhead($head, $title); - header("Content-type: text/html; charset=".$conf->file->character_set_client); - print "\n"; - print "\n"; - print "".$title."\n"; - if ($head) { - print $head."\n"; - } - print "\n"; print ''."\n"; } diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php index 4bf2a6b94bf..178af5fce11 100644 --- a/htdocs/public/members/public_list.php +++ b/htdocs/public/members/public_list.php @@ -65,16 +65,8 @@ $langs->loadLangs(array("main", "members", "companies", "other")); */ function llxHeaderVierge($title, $head = "") { - global $user, $conf, $langs; + top_htmlhead($head, $title); - header("Content-type: text/html; charset=".$conf->file->character_set_client); - print "\n"; - print "\n"; - print "".$title."\n"; - if ($head) { - print $head."\n"; - } - print "\n"; print ''."\n"; } 
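Review bot: The comment on the `X-Frame-Options` line says it stops "some XSS attacks", but the header only restricts who may frame the page, i.e. it mitigates clickjacking, not XSS; suggest `// Frames allowed only from the same origin (mitigates clickjacking)`. The same two header lines and comments are pasted verbatim into test_arrays.php, test_badges.php, test_csrf.php, test_exec.php and test_sessionlock.php in this patch, while public_card.php and public_list.php switch to `top_htmlhead()` instead, so a single shared helper for the security headers would keep the six copies from drifting. `X-Frame-Options` is the legacy mechanism; the CSP `frame-ancestors 'self'` directive is its standardised replacement and can be sent alongside it.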
@@ -151,13 +143,13 @@ if ($result) { print ''; print ''; - print ''; - print ''."\n"; + print ''; + print ''."\n"; //print_liste_field_titre("DateOfBirth", $_SERVER["PHP_SELF"],"birth",'',$param,$sortfield,$sortorder); // est-ce nécessaire ?? - print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'public_'); + print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'center public_'); print "\n"; while ($i < $num && $i < $conf->liste_limit) { @@ -170,7 +162,7 @@ if ($result) { print ''."\n"; print ''."\n"; if (isset($objp->photo) && $objp->photo != '') { - print ''."\n"; } else { diff --git a/htdocs/public/test/test_arrays.php b/htdocs/public/test/test_arrays.php index 01910f71aaf..609ced5f684 100644 --- a/htdocs/public/test/test_arrays.php +++ b/htdocs/public/test/test_arrays.php 
@@ -44,6 +44,10 @@ $usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header if (empty($usedolheader)) { header("Content-type: text/html; charset=UTF8"); + + // Security options + header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) + header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) ?> diff --git a/htdocs/public/test/test_badges.php b/htdocs/public/test/test_badges.php index 64ccf82345b..d3ed6476f95 100644 --- a/htdocs/public/test/test_badges.php +++ b/htdocs/public/test/test_badges.php @@ -12,6 +12,16 @@ if ($dolibarr_main_prod) { accessforbidden('Access forbidden when $dolibarr_main_prod is set to 1'); } +/* + * View + */ + +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + ?> diff --git a/htdocs/public/test/buttons.php b/htdocs/public/test/test_buttons.php similarity index 100% rename from htdocs/public/test/buttons.php rename to htdocs/public/test/test_buttons.php diff --git a/htdocs/public/test/test_csrf.php b/htdocs/public/test/test_csrf.php index 3127a765985..43372d22f15 100644 --- a/htdocs/public/test/test_csrf.php +++ b/htdocs/public/test/test_csrf.php 
@@ -34,6 +34,11 @@ if ($dolibarr_main_prod) { * View */ +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) ?> This is a form to test if a CSRF exists into a Dolibarr page.
diff --git a/htdocs/public/test/test_exec.php b/htdocs/public/test/test_exec.php index 026a8d12b7b..ef6f41df132 100644 --- a/htdocs/public/test/test_exec.php +++ b/htdocs/public/test/test_exec.php @@ -41,17 +41,6 @@ if (!defined("NOSESSION")) { define("NOSESSION", '1'); } -print "*** SHOW SESSION STATUS
\n"; -print "Legend:
\n"; -print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."
\n"; -print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."
\n"; -print 'PHP_SESSION_ACTIVE='.PHP_SESSION_ACTIVE."
\n"; -print '
'; - -print 'session_status='.session_status().' (before main.inc.php)
'; - -print '

'."\n"; - require '../../main.inc.php'; // Security @@ -64,6 +53,12 @@ if ($dolibarr_main_prod) { * View */ +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + print "*** TEST READ OF /tmp/test.txt FILE
\n"; $out=''; diff --git a/htdocs/public/test/test_sessionlock.php b/htdocs/public/test/test_sessionlock.php index 8464ba2eb4f..1aea6204b3e 100644 --- a/htdocs/public/test/test_sessionlock.php +++ b/htdocs/public/test/test_sessionlock.php @@ -41,6 +41,17 @@ if (!defined("NOSESSION")) { define("NOSESSION", '1'); } + +// Special +// We add header and output some content before the include of main.inc.php !! +// Because we need to So we can make +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + + print "Legend:
\n"; print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."
\n"; print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."
\n"; From bce665e11b262fa83e8b480dc4e853aa416a67cd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 12 Jul 2022 02:04:29 +0200 Subject: [PATCH 11/11] css --- htdocs/theme/eldy/global.inc.php | 1 + htdocs/theme/md/style.css.php | 1 + 2 files changed, 2 insertions(+) diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 2e225e1658f..eff502190cb 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -5099,6 +5099,7 @@ tr.visible { .websiteformtoolbar { position: sticky; top: ; + z-index: 1000; } .exampleapachesetup { diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php index ceb5caa9d44..8a6c864fb17 100644 --- a/htdocs/theme/md/style.css.php +++ b/htdocs/theme/md/style.css.php @@ -4953,6 +4953,7 @@ tr.visible { .websiteformtoolbar { position: sticky; top: ; + z-index: 1000; } .exampleapachesetup {
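Review bot: The added comment `// Because we need to So we can make` in test_sessionlock.php is an unfinished sentence, so the reason for deliberately sending headers and output before `main.inc.php` is included is lost. Replace it with the actual rationale — presumably that this test must observe session behaviour around the include and therefore has to start output first; confirm with the author — for example `// Headers and first output are sent on purpose before main.inc.php is included: [reason]`. Without it the next maintainer is likely to "fix" the ordering and silently break the test.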
'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).''.$langs->trans("Company").''.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).''.$langs->trans("Company").'
'.$objp->zip.''.$objp->town.''; + print ''; print $form->showphoto('memberphoto', $objp, 64); print '