From 762ca96203f6bd92050ca547a9dbe48c3324f2a3 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 May 2020 18:28:15 +0200 Subject: [PATCH 1/8] FIX #13841 --- htdocs/admin/dict.php | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 2ad521f79a2..b7f65ddf91f 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -644,6 +644,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) if ($value == 'localtax2' && empty($_POST['localtax2_type'])) continue; if ($value == 'color' && empty($_POST['color'])) continue; if ($value == 'formula' && empty($_POST['formula'])) continue; + if ($value == 'dayrule' && empty($_POST['dayrule'])) continue; if ($value == 'sortorder') continue; // For a column name 'sortorder', we use the field name 'position' if ((!isset($_POST[$value]) || $_POST[$value] == '') && (!in_array($listfield[$f], array('decalage', 'module', 'accountancy_code', 'accountancy_code_sell', 'accountancy_code_buy', 'tracking')) // Fields that are not mandatory From 8b79b7f074335f2cc3ea77a8b936121cd0b93fd6 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 May 2020 20:00:59 +0200 Subject: [PATCH 2/8] Update changelog --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index bcbfb1a959c..67cf9513a4a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,7 +78,7 @@ FIX: we must export company mail address on contact vcard only if contact email FIX: when we filter a list on a view status, we want this filter to be on bookmark that we create FIX: Wrong Sql on getListOfTowns api method FIX: wrong user right's name to top menu "commercial" -FIX: XSS Vulnerability +FIX: XSS Vulnerability reported by Mehmet Kelepçe / Gais Cyber Security ***** ChangeLog for 11.0.3 compared to 11.0.2 ***** FIX: unit price for selected supplier products not set. NaN was used. From 54af917afb333d91300fc2203914d3231896dd08 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Sat, 16 May 2020 20:04:07 +0200 Subject: [PATCH 3/8] Fix cron globals reload, missing mysoc and langs --- scripts/cron/cron_run_jobs.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php index 635c128a89f..104443feba1 100755 --- a/scripts/cron/cron_run_jobs.php +++ b/scripts/cron/cron_run_jobs.php @@ -191,11 +191,12 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0)) // Force reload of setup for the current entity if ($line->entity != $conf->entity) { - dol_syslog("cron_run_jobs.php we work on another entity so we reload user and conf", LOG_DEBUG); - echo " -> we change entity so we reload user and conf"; + dol_syslog("cron_run_jobs.php we work on another entity so we reload mysoc, langs, user and conf", LOG_DEBUG); + echo " -> we change entity so we reload mysoc, langs, user and conf"; $conf->entity = (empty($line->entity)?1:$line->entity); $conf->setValues($db); // This make also the $mc->setValues($conf); that reload $mc->sharings + $mysoc->setMysoc($conf); // Force recheck that user is ok for the entity to process and reload permission for entity if ($conf->entity != $user->entity && $user->entity != 0) @@ -218,6 +219,11 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0)) } $user->getrights(); } + + // Reload langs + $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT); + if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT; + if($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode); } //If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database From cf96383bf92b93b6492ba89172c00b0f8caf4262 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Mon, 18 May 2020 10:44:55 +0200 Subject: [PATCH 4/8] Fix : entity was missing in actioncomm fetch --- htdocs/comm/action/class/actioncomm.class.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 98b910fdfca..1d86f1eba08 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -572,6 +572,7 @@ class ActionComm extends CommonObject $sql = "SELECT a.id,"; $sql.= " a.id as ref,"; + $sql.= " a.entity,"; $sql.= " a.ref_ext,"; $sql.= " a.datep,"; $sql.= " a.datep2,"; @@ -608,6 +609,7 @@ class ActionComm extends CommonObject $obj = $this->db->fetch_object($resql); $this->id = $obj->id; + $this->entity = $obj->entity; $this->ref = $obj->ref; $this->ref_ext = $obj->ref_ext; From baa502a224c92fb795abf3599f08fb67e783d835 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Mon, 18 May 2020 10:54:25 +0200 Subject: [PATCH 5/8] Fix third merge issue with contact roles --- htdocs/contact/class/contact.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index a2235097811..8a1b26e9d33 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1576,7 +1576,7 @@ class Contact extends CommonObject public static function replaceThirdparty(DoliDB $db, $origin_id, $dest_id) { $tables = array( - 'socpeople' + 'socpeople', 'societe_contacts' ); return CommonObject::commonReplaceThirdparty($db, $origin_id, $dest_id, $tables); From 3d9d5d0ad522a76a65d8a9daaf35b2b693c5a138 Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Mon, 18 May 2020 11:03:32 +0200 Subject: [PATCH 6/8] Fix : entity was missing in expedition fetch --- htdocs/expedition/class/expedition.class.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 70e3683b22c..838cbd87152 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -527,7 +527,7 @@ class Expedition extends CommonObject // Check parameters if (empty($id) && empty($ref) && empty($ref_ext) && empty($ref_int)) return -1; - $sql = "SELECT e.rowid, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet, e.billed"; + $sql = "SELECT e.rowid, e.entity, e.ref, e.fk_soc as socid, e.date_creation, e.ref_customer, e.ref_ext, e.ref_int, e.fk_user_author, e.fk_statut, e.fk_projet, e.billed"; $sql.= ", e.weight, e.weight_units, e.size, e.size_units, e.width, e.height"; $sql.= ", e.date_expedition as date_expedition, e.model_pdf, e.fk_address, e.date_delivery"; $sql.= ", e.fk_shipping_method, e.tracking_number"; @@ -555,6 +555,7 @@ class Expedition extends CommonObject $obj = $this->db->fetch_object($result); $this->id = $obj->rowid; + $this->entity = $obj->entity; $this->ref = $obj->ref; $this->socid = $obj->socid; $this->ref_customer = $obj->ref_customer; From a9d1519f966163a092a6d994fe6cbb13f472090d Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Mon, 18 May 2020 14:52:33 +0200 Subject: [PATCH 7/8] FIX php error if multicompany disabled --- htdocs/compta/paiement/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php index 848cc20d483..27086713b07 100644 --- a/htdocs/compta/paiement/card.php +++ b/htdocs/compta/paiement/card.php @@ -342,7 +342,7 @@ if ($resql) print ''; print ''.$langs->trans('Bill').''; print ''.$langs->trans('Company').''; - if($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED )print ''.$langs->trans('Entity').''; + if (!empty($conf->multicompany->enabled) && $conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ) print ''.$langs->trans('Entity').''; print ''.$langs->trans('ExpectedToPay').''; print ''.$langs->trans('PayedByThisPayment').''; print ''.$langs->trans('RemainderToPay').''; @@ -379,7 +379,7 @@ if ($resql) print ''; // Expected to pay - if($conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ){ + if(!empty($conf->multicompany->enabled) && $conf->global->MULTICOMPANY_INVOICE_SHARING_ENABLED ){ print ''; $mc->getInfo($objp->entity); print $mc->label; From 18a19dafe513942a8a099cac13e60303a7eb3dc1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 18 May 2020 15:01:29 +0200 Subject: [PATCH 8/8] Update cron_run_jobs.php --- scripts/cron/cron_run_jobs.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cron/cron_run_jobs.php b/scripts/cron/cron_run_jobs.php index 104443feba1..6438b13e884 100755 --- a/scripts/cron/cron_run_jobs.php +++ b/scripts/cron/cron_run_jobs.php @@ -223,7 +223,7 @@ if (is_array($qualifiedjobs) && (count($qualifiedjobs)>0)) // Reload langs $langcode = (empty($conf->global->MAIN_LANG_DEFAULT)?'auto':$conf->global->MAIN_LANG_DEFAULT); if (! empty($user->conf->MAIN_LANG_DEFAULT)) $langcode = $user->conf->MAIN_LANG_DEFAULT; - if($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode); + if ($langs->getDefaultLang() != $langcode) $langs->setDefaultLang($langcode); } //If date_next_jobs is less of current date, execute the program, and store the execution time of the next execution in database