From 314456f812b425f2b6162e6fa85784405b4f177b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 30 Jan 2020 13:03:33 +0100 Subject: [PATCH 01/14] Fix var not defined --- htdocs/resource/class/dolresource.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php index 4af42ea8ff2..bf9acde2d50 100644 --- a/htdocs/resource/class/dolresource.class.php +++ b/htdocs/resource/class/dolresource.class.php @@ -948,7 +948,7 @@ class Dolresource extends CommonObject */ public function getNomUrl($withpicto = 0, $option = '', $get_params = '', $notooltip = 0, $morecss = '', $save_lastsearch_value = -1) { - global $langs; + global $conf, $langs; $result = ''; $label = ''.$langs->trans("ShowResource").''; From d60ce8a2c3e318abb397b06da51146a6d89f5c08 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 30 Jan 2020 20:00:41 +0100 Subject: [PATCH 02/14] Fix showoncombobox --- htdocs/contact/class/contact.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 038cb82845e..56ba2e24def 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -72,8 +72,8 @@ class Contact extends CommonObject 'entity' =>array('type'=>'integer', 'label'=>'Entity', 'default'=>1, 'enabled'=>1, 'visible'=>0, 'notnull'=>1, 'position'=>30, 'index'=>1), 'ref_ext' =>array('type'=>'varchar(255)', 'label'=>'Ref ext', 'enabled'=>1, 'visible'=>0, 'position'=>35), 'civility' =>array('type'=>'varchar(6)', 'label'=>'Civility', 'enabled'=>1, 'visible'=>-1, 'position'=>40), - 'lastname' =>array('type'=>'varchar(50)', 'label'=>'Lastname', 'enabled'=>1, 'visible'=>-1, 'position'=>45), - 'firstname' =>array('type'=>'varchar(50)', 'label'=>'Firstname', 'enabled'=>1, 'visible'=>-1, 'position'=>50), + 'lastname' =>array('type'=>'varchar(50)', 'label'=>'Lastname', 'enabled'=>1, 'visible'=>-1, 'position'=>45, 'showoncombobox'=>1), + 'firstname' =>array('type'=>'varchar(50)', 'label'=>'Firstname', 'enabled'=>1, 'visible'=>-1, 'position'=>50, 'showoncombobox'=>1), 'address' =>array('type'=>'varchar(255)', 'label'=>'Address', 'enabled'=>1, 'visible'=>-1, 'position'=>55), 'zip' =>array('type'=>'varchar(25)', 'label'=>'Zip', 'enabled'=>1, 'visible'=>-1, 'position'=>60), 'town' =>array('type'=>'text', 'label'=>'Town', 'enabled'=>1, 'visible'=>-1, 'position'=>65), From 1c24bcc7248fda053f60913e4e665d05c3e8d362 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 10:29:41 +0100 Subject: [PATCH 03/14] FIX CVE Need permission to be able to develop modules --- htdocs/core/modules/modModuleBuilder.class.php | 16 ++++++++++++++++ htdocs/modulebuilder/index.php | 3 +++ 2 files changed, 19 insertions(+) diff --git a/htdocs/core/modules/modModuleBuilder.class.php b/htdocs/core/modules/modModuleBuilder.class.php index 16ee16984d8..1c52ad866c2 100644 --- a/htdocs/core/modules/modModuleBuilder.class.php +++ b/htdocs/core/modules/modModuleBuilder.class.php @@ -45,6 +45,7 @@ class modModuleBuilder extends DolibarrModules // Family can be 'crm','financial','hr','projects','products','ecm','technic','other' // It is used to group modules in module setup page $this->family = "technic"; + $this->module_position = '90'; // Module label (no space allowed), used if translation string 'ModuleXXXName' not found (where XXX is value of numeric property 'numero' of module) $this->name = preg_replace('/^mod/i', '', get_class($this)); $this->description = "A RAD (Rapid Application Development) tool to help developers to build their own module."; @@ -82,6 +83,21 @@ class modModuleBuilder extends DolibarrModules //------ $this->boxes = array(); + // Permissions + //------------ + $this->rights = array(); // Permission array used by this module + $this->rights_class = 'modulebuilder'; + + $r=0; + + $r++; + $this->rights[$r][0] = 3301; + $this->rights[$r][1] = 'Generate new modules'; + $this->rights[$r][2] = 'a'; + $this->rights[$r][3] = 0; + $this->rights[$r][4] = 'run'; + + // Main menu entries //------------------ $this->menu = array(); diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php index 51e35ab050a..0afcd403406 100644 --- a/htdocs/modulebuilder/index.php +++ b/htdocs/modulebuilder/index.php @@ -90,6 +90,9 @@ if (empty($newmask)) // This should no happen $newmask = '0664'; } +$result = restrictedArea($user, 'modulebuilder', null); + + /* * Actions From 8e18a08377d550d1a177c0403c71055ef5b1ed9d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 16:59:10 +0100 Subject: [PATCH 04/14] Fix log of proxy forward only if it differs from remote_addr --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index e4a200fceff..17fa72e43b0 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1059,7 +1059,7 @@ function dol_syslog($message, $level = LOG_INFO, $ident = 0, $suffixinfilename = ); // This is when server run behind a reverse proxy - if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $data['ip'] = $_SERVER['HTTP_X_FORWARDED_FOR'].(empty($_SERVER["REMOTE_ADDR"]) ? '' : '->'.$_SERVER['REMOTE_ADDR']); + if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $data['ip'] = $_SERVER['HTTP_X_FORWARDED_FOR'].((empty($_SERVER["REMOTE_ADDR"]) || ($_SERVER['HTTP_X_FORWARDED_FOR'] == $_SERVER['REMOTE_ADDR'])) ? '' : '->'.$_SERVER['REMOTE_ADDR']); // This is when server run normally on a server elseif (!empty($_SERVER["REMOTE_ADDR"])) $data['ip'] = $_SERVER['REMOTE_ADDR']; // This is when PHP session is ran inside a web server but not inside a client request (example: init code of apache) From b81d223ab3eb4f05a698bbe07a44181378e45f72 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 17:27:48 +0100 Subject: [PATCH 05/14] Do no retry ping after error the same month --- htdocs/core/ajax/pingresult.php | 4 +- htdocs/main.inc.php | 121 +++++++++++++++++--------------- 2 files changed, 67 insertions(+), 58 deletions(-) diff --git a/htdocs/core/ajax/pingresult.php b/htdocs/core/ajax/pingresult.php index 0dbb5167f9e..7e9fad309d4 100644 --- a/htdocs/core/ajax/pingresult.php +++ b/htdocs/core/ajax/pingresult.php @@ -53,8 +53,8 @@ print ''; $hash_unique_id = md5('dolibarr'.$conf->file->instance_unique_id); if (empty($conf->global->MAIN_FIRST_PING_OK_DATE) || (!empty($conf->file->instance_unique_id) && ($hash_unique_id != $conf->global->MAIN_FIRST_PING_OK_ID) && ($conf->global->MAIN_FIRST_PING_OK_ID != 'disabled')) - || GETPOST('forceping', 'alpha')) + || $forceping) { - if (strpos('alpha', DOL_VERSION) > 0) { + // No ping done if we are into an alpha version + if (strpos('alpha', DOL_VERSION) > 0 && ! $forceping) { print "\n\n"; } - elseif (empty($_COOKIE['DOLINSTALLNOPING_'.$hash_unique_id])) // Cookie is set when we uncheck the checkbox in the installation wizard. + elseif (empty($_COOKIE['DOLINSTALLNOPING_'.$hash_unique_id]) || $forceping) // Cookie is set when we uncheck the checkbox in the installation wizard. { - include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; + // MAIN_LAST_PING_KO_DATE + // TODO Disable ping if MAIN_LAST_PING_KO_DATE is set and is recent + if (! empty($conf->global->MAIN_LAST_PING_KO_DATE) && substr($conf->global->MAIN_LAST_PING_KO_DATE, 0, 6) == dol_print_date(dol_now(), '%Y%m') && ! $forceping) { + print "\n\n"; + } else { - print "\n".''."\n"; - print "\n\n"; - $url_for_ping = (empty($conf->global->MAIN_URL_FOR_PING) ? "https://ping.dolibarr.org/" : $conf->global->MAIN_URL_FOR_PING); - // Try to guess the distrib used - $distrib = 'standard'; - if ($_SERVER["SERVER_ADMIN"] == 'doliwamp@localhost') $distrib = 'doliwamp'; - if (! empty($dolibarr_distrib)) $distrib = $dolibarr_distrib; - ?> - - global->MAIN_FIRST_PING_OK_DATE.' MAIN_FIRST_PING_OK_ID='.$conf->global->MAIN_FIRST_PING_OK_ID.' MAIN_LAST_PING_KO_DATE='.$conf->global->MAIN_LAST_PING_KO_DATE.' -->'."\n"; + print "\n\n"; + $url_for_ping = (empty($conf->global->MAIN_URL_FOR_PING) ? "https://ping.dolibarr.org/" : $conf->global->MAIN_URL_FOR_PING); + // Try to guess the distrib used + $distrib = 'standard'; + if ($_SERVER["SERVER_ADMIN"] == 'doliwamp@localhost') $distrib = 'doliwamp'; + if (! empty($dolibarr_distrib)) $distrib = $dolibarr_distrib; + ?> + + Date: Fri, 31 Jan 2020 17:51:30 +0100 Subject: [PATCH 06/14] Fix log through proxy --- htdocs/core/lib/functions.lib.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 17fa72e43b0..5bc3ad0056c 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1058,10 +1058,13 @@ function dol_syslog($message, $level = LOG_INFO, $ident = 0, $suffixinfilename = 'ip' => false ); - // This is when server run behind a reverse proxy - if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $data['ip'] = $_SERVER['HTTP_X_FORWARDED_FOR'].((empty($_SERVER["REMOTE_ADDR"]) || ($_SERVER['HTTP_X_FORWARDED_FOR'] == $_SERVER['REMOTE_ADDR'])) ? '' : '->'.$_SERVER['REMOTE_ADDR']); - // This is when server run normally on a server - elseif (!empty($_SERVER["REMOTE_ADDR"])) $data['ip'] = $_SERVER['REMOTE_ADDR']; + $remoteip = getUserRemoteIP(); // Get ip when page run on a web server + if (! empty($remoteip)) { + $data['ip'] = $remoteip; + // This is when server run behind a reverse proxy + if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != $remoteip) $data['ip'] = $_SERVER['HTTP_X_FORWARDED_FOR'].' -> '.$data['ip']; + elseif (!empty($_SERVER['HTTP_CLIENT_IP']) && $_SERVER['HTTP_CLIENT_IP'] != $remoteip) $data['ip'] = $_SERVER['HTTP_CLIENT_IP'].' -> '.$data['ip']; + } // This is when PHP session is ran inside a web server but not inside a client request (example: init code of apache) elseif (!empty($_SERVER['SERVER_ADDR'])) $data['ip'] = $_SERVER['SERVER_ADDR']; // This is when PHP session is ran outside a web server, like from Windows command line (Not always defined, but useful if OS defined it). From b83c90e348676c2d6bc6da9649b1021bc694acee Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 18:02:18 +0100 Subject: [PATCH 07/14] Fix phpcs --- htdocs/main.inc.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 267d65fd8e1..d396ad4cadc 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -2569,11 +2569,10 @@ if (!function_exists("llxFooter")) elseif (empty($_COOKIE['DOLINSTALLNOPING_'.$hash_unique_id]) || $forceping) // Cookie is set when we uncheck the checkbox in the installation wizard. { // MAIN_LAST_PING_KO_DATE - // TODO Disable ping if MAIN_LAST_PING_KO_DATE is set and is recent + // Disable ping if MAIN_LAST_PING_KO_DATE is set and is recent if (! empty($conf->global->MAIN_LAST_PING_KO_DATE) && substr($conf->global->MAIN_LAST_PING_KO_DATE, 0, 6) == dol_print_date(dol_now(), '%Y%m') && ! $forceping) { print "\n\n"; } else { - include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; print "\n".''."\n"; From d530c7f7089a7344a6ea4d80c7ce3d2f9453831c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 18:16:16 +0100 Subject: [PATCH 08/14] Try fix for #12984 --- htdocs/product/index.php | 332 ++++++++++++++++++++------------------- 1 file changed, 169 insertions(+), 163 deletions(-) diff --git a/htdocs/product/index.php b/htdocs/product/index.php index d885b36a877..49df2b36cc9 100644 --- a/htdocs/product/index.php +++ b/htdocs/product/index.php @@ -40,7 +40,7 @@ if ($type == '' && !$user->rights->service->lire) $type = '0'; // Force global p // Security check if ($type == '0') $result = restrictedArea($user, 'produit'); elseif ($type == '1') $result = restrictedArea($user, 'service'); -else $result = restrictedArea($user, 'produit|service'); +else $result = restrictedArea($user, 'produit|service|expedition'); // Load translation files required by the page $langs->loadLangs(array('products', 'stocks')); @@ -117,77 +117,80 @@ if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) // This is useles /* * Number of products and/or services */ -$prodser = array(); -$prodser[0][0] = $prodser[0][1] = $prodser[0][2] = $prodser[0][3] = 0; -$prodser[1][0] = $prodser[1][1] = $prodser[1][2] = $prodser[1][3] = 0; - -$sql = "SELECT COUNT(p.rowid) as total, p.fk_product_type, p.tosell, p.tobuy"; -$sql .= " FROM ".MAIN_DB_PREFIX."product as p"; -$sql .= ' WHERE p.entity IN ('.getEntity($product_static->element, 1).')'; -// Add where from hooks -$parameters = array(); -$reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters); // Note that $action and $object may have been modified by hook -$sql .= $hookmanager->resPrint; -$sql .= " GROUP BY p.fk_product_type, p.tosell, p.tobuy"; -$result = $db->query($sql); -while ($objp = $db->fetch_object($result)) +if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($user->rights->produit->lire || $user->rights->service->lire)) { - $status = 3; // On sale + On purchase - if (!$objp->tosell && !$objp->tobuy) $status = 0; // Not on sale, not on purchase - if ($objp->tosell && !$objp->tobuy) $status = 1; // On sale only - if (!$objp->tosell && $objp->tobuy) $status = 2; // On purchase only - $prodser[$objp->fk_product_type][$status] = $objp->total; - if ($objp->tosell) $prodser[$objp->fk_product_type]['sell'] += $objp->total; - if ($objp->tobuy) $prodser[$objp->fk_product_type]['buy'] += $objp->total; - if (!$objp->tosell && !$objp->tobuy) $prodser[$objp->fk_product_type]['none'] += $objp->total; -} + $prodser = array(); + $prodser[0][0] = $prodser[0][1] = $prodser[0][2] = $prodser[0][3] = 0; + $prodser[1][0] = $prodser[1][1] = $prodser[1][2] = $prodser[1][3] = 0; -if ($conf->use_javascript_ajax) -{ - print '
'; - print ''; - print ''; - print ''; + print '
'.$langs->trans("Statistics").'
'; - - $SommeA = $prodser[0]['sell']; - $SommeB = $prodser[0]['buy']; - $SommeC = $prodser[0]['none']; - $SommeD = $prodser[1]['sell']; - $SommeE = $prodser[1]['buy']; - $SommeF = $prodser[1]['none']; - $total = 0; - $dataval = array(); - $datalabels = array(); - $i = 0; - - $total = $SommeA + $SommeB + $SommeC + $SommeD + $SommeE + $SommeF; - $dataseries = array(); - if (!empty($conf->product->enabled)) + $sql = "SELECT COUNT(p.rowid) as total, p.fk_product_type, p.tosell, p.tobuy"; + $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; + $sql .= ' WHERE p.entity IN ('.getEntity($product_static->element, 1).')'; + // Add where from hooks + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters); // Note that $action and $object may have been modified by hook + $sql .= $hookmanager->resPrint; + $sql .= " GROUP BY p.fk_product_type, p.tosell, p.tobuy"; + $result = $db->query($sql); + while ($objp = $db->fetch_object($result)) { - $dataseries[] = array($langs->trans("ProductsOnSale"), round($SommeA)); - $dataseries[] = array($langs->trans("ProductsOnPurchase"), round($SommeB)); - $dataseries[] = array($langs->trans("ProductsNotOnSell"), round($SommeC)); - } - if (!empty($conf->service->enabled)) - { - $dataseries[] = array($langs->trans("ServicesOnSale"), round($SommeD)); - $dataseries[] = array($langs->trans("ServicesOnPurchase"), round($SommeE)); - $dataseries[] = array($langs->trans("ServicesNotOnSell"), round($SommeF)); + $status = 3; // On sale + On purchase + if (!$objp->tosell && !$objp->tobuy) $status = 0; // Not on sale, not on purchase + if ($objp->tosell && !$objp->tobuy) $status = 1; // On sale only + if (!$objp->tosell && $objp->tobuy) $status = 2; // On purchase only + $prodser[$objp->fk_product_type][$status] = $objp->total; + if ($objp->tosell) $prodser[$objp->fk_product_type]['sell'] += $objp->total; + if ($objp->tobuy) $prodser[$objp->fk_product_type]['buy'] += $objp->total; + if (!$objp->tosell && !$objp->tobuy) $prodser[$objp->fk_product_type]['none'] += $objp->total; } - include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; - $dolgraph = new DolGraph(); - $dolgraph->SetData($dataseries); - $dolgraph->setShowLegend(1); - $dolgraph->setShowPercent(0); - $dolgraph->SetType(array('pie')); - $dolgraph->setWidth('100%'); - $dolgraph->draw('idgraphstatus'); - print $dolgraph->show($total ? 0 : 1); + if ($conf->use_javascript_ajax) + { + print '
'; + print ''; + print ''; + print ''; - print '
'.$langs->trans("Statistics").'
'; - print '
'; - print '
'; + $SommeA = $prodser[0]['sell']; + $SommeB = $prodser[0]['buy']; + $SommeC = $prodser[0]['none']; + $SommeD = $prodser[1]['sell']; + $SommeE = $prodser[1]['buy']; + $SommeF = $prodser[1]['none']; + $total = 0; + $dataval = array(); + $datalabels = array(); + $i = 0; + + $total = $SommeA + $SommeB + $SommeC + $SommeD + $SommeE + $SommeF; + $dataseries = array(); + if (!empty($conf->product->enabled)) + { + $dataseries[] = array($langs->trans("ProductsOnSale"), round($SommeA)); + $dataseries[] = array($langs->trans("ProductsOnPurchase"), round($SommeB)); + $dataseries[] = array($langs->trans("ProductsNotOnSell"), round($SommeC)); + } + if (!empty($conf->service->enabled)) + { + $dataseries[] = array($langs->trans("ServicesOnSale"), round($SommeD)); + $dataseries[] = array($langs->trans("ServicesOnPurchase"), round($SommeE)); + $dataseries[] = array($langs->trans("ServicesNotOnSell"), round($SommeF)); + } + + include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; + $dolgraph = new DolGraph(); + $dolgraph->SetData($dataseries); + $dolgraph->setShowLegend(1); + $dolgraph->setShowPercent(0); + $dolgraph->SetType(array('pie')); + $dolgraph->setWidth('100%'); + $dolgraph->draw('idgraphstatus'); + print $dolgraph->show($total ? 0 : 1); + + print '
'; + print '
'; + } } @@ -270,120 +273,123 @@ print '
'; /* * Latest modified products */ -$max = 15; -$sql = "SELECT p.rowid, p.label, p.price, p.ref, p.fk_product_type, p.tosell, p.tobuy, p.tobatch, p.fk_price_expression,"; -$sql .= " p.entity,"; -$sql .= " p.tms as datem"; -$sql .= " FROM ".MAIN_DB_PREFIX."product as p"; -$sql .= " WHERE p.entity IN (".getEntity($product_static->element, 1).")"; -if ($type != '') $sql .= " AND p.fk_product_type = ".$type; -// Add where from hooks -$parameters = array(); -$reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters); // Note that $action and $object may have been modified by hook -$sql .= $hookmanager->resPrint; -$sql .= $db->order("p.tms", "DESC"); -$sql .= $db->plimit($max, 0); - -//print $sql; -$result = $db->query($sql); -if ($result) +if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($user->rights->produit->lire || $user->rights->service->lire)) { - $num = $db->num_rows($result); + $max = 15; + $sql = "SELECT p.rowid, p.label, p.price, p.ref, p.fk_product_type, p.tosell, p.tobuy, p.tobatch, p.fk_price_expression,"; + $sql .= " p.entity,"; + $sql .= " p.tms as datem"; + $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; + $sql .= " WHERE p.entity IN (".getEntity($product_static->element, 1).")"; + if ($type != '') $sql .= " AND p.fk_product_type = ".$type; + // Add where from hooks + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters); // Note that $action and $object may have been modified by hook + $sql .= $hookmanager->resPrint; + $sql .= $db->order("p.tms", "DESC"); + $sql .= $db->plimit($max, 0); - $i = 0; - - if ($num > 0) + //print $sql; + $result = $db->query($sql); + if ($result) { - $transRecordedType = $langs->trans("LastModifiedProductsAndServices", $max); - if (isset($_GET["type"]) && $_GET["type"] == 0) $transRecordedType = $langs->trans("LastRecordedProducts", $max); - if (isset($_GET["type"]) && $_GET["type"] == 1) $transRecordedType = $langs->trans("LastRecordedServices", $max); + $num = $db->num_rows($result); - print '
'; - print ''; + $i = 0; - $colnb = 2; - if (empty($conf->global->PRODUIT_MULTIPRICES)) $colnb++; - - print ''; - print ''; - - while ($i < $num) + if ($num > 0) { - $objp = $db->fetch_object($result); + $transRecordedType = $langs->trans("LastModifiedProductsAndServices", $max); + if (isset($_GET["type"]) && $_GET["type"] == 0) $transRecordedType = $langs->trans("LastRecordedProducts", $max); + if (isset($_GET["type"]) && $_GET["type"] == 1) $transRecordedType = $langs->trans("LastRecordedServices", $max); - $product_static->id = $objp->rowid; - $product_static->ref = $objp->ref; - $product_static->label = $objp->label; - $product_static->type = $objp->fk_product_type; - $product_static->entity = $objp->entity; - $product_static->status = $objp->tosell; - $product_static->status_buy = $objp->tobuy; - $product_static->status_batch = $objp->tobatch; + print '
'; + print '
'.$transRecordedType.''.$langs->trans("FullList").''; - print '
'; - //Multilangs - if (!empty($conf->global->MAIN_MULTILANGS)) + $colnb = 2; + if (empty($conf->global->PRODUIT_MULTIPRICES)) $colnb++; + + print ''; + print ''; + + while ($i < $num) { - $sql = "SELECT label"; - $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; - $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $objp = $db->fetch_object($result); - $resultd = $db->query($sql); - if ($resultd) + $product_static->id = $objp->rowid; + $product_static->ref = $objp->ref; + $product_static->label = $objp->label; + $product_static->type = $objp->fk_product_type; + $product_static->entity = $objp->entity; + $product_static->status = $objp->tosell; + $product_static->status_buy = $objp->tobuy; + $product_static->status_batch = $objp->tobatch; + + //Multilangs + if (!empty($conf->global->MAIN_MULTILANGS)) { - $objtp = $db->fetch_object($resultd); - if ($objtp && $objtp->label != '') $objp->label = $objtp->label; + $sql = "SELECT label"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; + $sql .= " WHERE fk_product=".$objp->rowid; + $sql .= " AND lang='".$langs->getDefaultLang()."'"; + + $resultd = $db->query($sql); + if ($resultd) + { + $objtp = $db->fetch_object($resultd); + if ($objtp && $objtp->label != '') $objp->label = $objtp->label; + } } - } - print ''; - print '\n"; - print ''; - print ""; - // Sell price - if (empty($conf->global->PRODUIT_MULTIPRICES)) - { - if (!empty($conf->dynamicprices->enabled) && !empty($objp->fk_price_expression)) - { - $product = new Product($db); - $product->fetch($objp->rowid); - $priceparser = new PriceParser($db); - $price_result = $priceparser->parseProduct($product); - if ($price_result >= 0) { - $objp->price = $price_result; - } - } - print ''; + print ''; + print '\n"; + print ''; + print ""; + // Sell price + if (empty($conf->global->PRODUIT_MULTIPRICES)) + { + if (!empty($conf->dynamicprices->enabled) && !empty($objp->fk_price_expression)) + { + $product = new Product($db); + $product->fetch($objp->rowid); + $priceparser = new PriceParser($db); + $price_result = $priceparser->parseProduct($product); + if ($price_result >= 0) { + $objp->price = $price_result; + } + } + print ''; + } + print '"; + print '"; + print "\n"; + $i++; } - print '"; - print '"; - print "\n"; - $i++; + + $db->free($result); + + print "
'.$transRecordedType.''.$langs->trans("FullList").''; + print '
'; - print $product_static->getNomUrl(1, '', 16); - print "'.dol_trunc($objp->label, 32).'"; - print dol_print_date($db->jdate($objp->datem), 'day'); - print "'; - if (isset($objp->price_base_type) && $objp->price_base_type == 'TTC') print price($objp->price_ttc).' '.$langs->trans("TTC"); - else print price($objp->price).' '.$langs->trans("HT"); - print '
'; + print $product_static->getNomUrl(1, '', 16); + print "'.dol_trunc($objp->label, 32).'"; + print dol_print_date($db->jdate($objp->datem), 'day'); + print "'; + if (isset($objp->price_base_type) && $objp->price_base_type == 'TTC') print price($objp->price_ttc).' '.$langs->trans("TTC"); + else print price($objp->price).' '.$langs->trans("HT"); + print ''; + print $product_static->LibStatut($objp->tosell, 3, 0); + print "'; + print $product_static->LibStatut($objp->tobuy, 3, 1); + print "
'; - print $product_static->LibStatut($objp->tosell, 3, 0); - print "'; - print $product_static->LibStatut($objp->tobuy, 3, 1); - print "
"; + print '
'; + print '
'; } - - $db->free($result); - - print ""; - print '
'; - print '
'; } -} -else -{ - dol_print_error($db); + else + { + dol_print_error($db); + } } From aa54aaeb01274dcabc972d2e4456533ad4c73827 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 31 Jan 2020 19:46:03 +0100 Subject: [PATCH 09/14] FIX search filter on extrafields were not restored avec "Back to list" --- htdocs/core/lib/functions.lib.php | 49 ++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 5bc3ad0056c..a0db5c8333d 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -224,7 +224,54 @@ function dol_shutdown() */ function GETPOSTISSET($paramname) { - return (isset($_POST[$paramname]) || isset($_GET[$paramname])); + $isset = 0; + + $relativepathstring = $_SERVER["PHP_SELF"]; + // Clean $relativepathstring + if (constant('DOL_URL_ROOT')) $relativepathstring = preg_replace('/^'.preg_quote(constant('DOL_URL_ROOT'), '/').'/', '', $relativepathstring); + $relativepathstring = preg_replace('/^\//', '', $relativepathstring); + $relativepathstring = preg_replace('/^custom\//', '', $relativepathstring); + //var_dump($relativepathstring); + //var_dump($user->default_values); + + // Code for search criteria persistence. + // Retrieve values if restore_lastsearch_values + if (!empty($_GET['restore_lastsearch_values'])) // Use $_GET here and not GETPOST + { + if (!empty($_SESSION['lastsearch_values_'.$relativepathstring])) // If there is saved values + { + $tmp = json_decode($_SESSION['lastsearch_values_'.$relativepathstring], true); + if (is_array($tmp)) + { + foreach ($tmp as $key => $val) + { + if ($key == $paramname) // We are on the requested parameter + { + $isset = 1; + break; + } + } + } + } + // If there is saved contextpage, page or limit + if ($paramname == 'contextpage' && !empty($_SESSION['lastsearch_contextpage_'.$relativepathstring])) + { + $isset = 1; + } + elseif ($paramname == 'page' && !empty($_SESSION['lastsearch_page_'.$relativepathstring])) + { + $isset = 1; + } + elseif ($paramname == 'limit' && !empty($_SESSION['lastsearch_limit_'.$relativepathstring])) + { + $isset = 1; + } + } + else { + $isset = (isset($_POST[$paramname]) || isset($_GET[$paramname])); + } + + return $isset; } /** From ec649bc0a3554ad7fcb4e4cc413be3397f260432 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 1 Feb 2020 10:09:31 +0100 Subject: [PATCH 10/14] Fix CSS --- htdocs/support/default.css | 20 ++++++++++++++++++-- htdocs/support/inc.php | 13 +++++-------- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/htdocs/support/default.css b/htdocs/support/default.css index c0d99f56657..735224254d3 100644 --- a/htdocs/support/default.css +++ b/htdocs/support/default.css @@ -23,6 +23,22 @@ background: #f9f9f9; margin: 5px 5px; } +.center { + text-align: center; +} + +.centpercent { + width: 100%; +} + +.valignmiddle { + vertical-align: middle; +} + +inline-block { + display: inline-block; +} + div.titre { padding: 5px 5px 5px 5px; margin: 0 0 0 0; @@ -147,10 +163,10 @@ padding: 4px 4px 4px 4px; tr.title { -background: #DDDFDD; +background: #EEEEEE; } -table.login { border: 1px solid #C0C0C0; background: #FFF; } +table.login { border: 1px solid #E0E0E0; background: #FFF; } .tablesupport { padding: 6px; diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php index dd369e233b9..941bf6bb0d3 100644 --- a/htdocs/support/inc.php +++ b/htdocs/support/inc.php @@ -223,15 +223,12 @@ function pHeader($soutitre, $next, $action = 'none') print ''.$langs->trans("DolibarrHelpCenter").''."\n"; print ''."\n"; - print ''."\n"; + print ''."\n"; - print ''; - print ''; - print '
'; - print 'logohelpcenter'; - print ''; - print ''.$soutitre.''."\n"; - print '
'; + print '
'; + print 'logohelpcenter

'; + print ''.$soutitre.''."\n"; + print '

'; } /** From bd322dc12e43d955d74d28f6e8957cd4950d271d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 2 Feb 2020 12:59:11 +0100 Subject: [PATCH 11/14] Fix search on country --- htdocs/admin/dict.php | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index af07dc9bfc6..d634f547ff9 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -58,6 +58,7 @@ if ($id == 10 && !empty($user->rights->accounting->chartofaccount)) $allowed = 1 if ($id == 17 && !empty($user->rights->accounting->chartofaccount)) $allowed = 1; // Dictionary with type of expense report and accounting account allowed to manager of chart account if (!$allowed) accessforbidden(); +$acts =array(); $actl =array(); $acts[0] = "activate"; $acts[1] = "disable"; $actl[0] = img_picto($langs->trans("Disabled"), 'switch_off'); @@ -76,7 +77,7 @@ $pageprev = $page - 1; $pagenext = $page + 1; $search_country_id = GETPOST('search_country_id', 'int'); -if ($search_country_id == '' && ($id == 2 || $id == 3 || $id == 10)) // Not a so good idea to force on current country for all dictionaries. Some tables have entries that are for all countries, we must be able to see them, so this is done for dedicated dictionaries only. +if (! GETPOSTISSET('search_country_id') && $search_country_id == '' && ($id == 2 || $id == 3 || $id == 10)) // Not a so good idea to force on current country for all dictionaries. Some tables have entries that are for all countries, we must be able to see them, so this is done for dedicated dictionaries only. { $search_country_id = $mysoc->country_id; } @@ -178,7 +179,7 @@ $tablib[38] = "DictionarySocialNetworks"; $tabsql = array(); $tabsql[1] = "SELECT f.rowid as rowid, f.code, f.libelle, c.code as country_code, c.label as country, f.active FROM ".MAIN_DB_PREFIX."c_forme_juridique as f, ".MAIN_DB_PREFIX."c_country as c WHERE f.fk_pays=c.rowid"; $tabsql[2] = "SELECT d.rowid as rowid, d.code_departement as code, d.nom as libelle, d.fk_region as region_id, r.nom as region, c.code as country_code, c.label as country, d.active FROM ".MAIN_DB_PREFIX."c_departements as d, ".MAIN_DB_PREFIX."c_regions as r, ".MAIN_DB_PREFIX."c_country as c WHERE d.fk_region=r.code_region and r.fk_pays=c.rowid and r.active=1 and c.active=1"; -$tabsql[3] = "SELECT r.rowid as rowid, r.code_region as code, r.nom as libelle, r.fk_pays as country_id, c.code as country_code, c.label as country, r.active FROM ".MAIN_DB_PREFIX."c_regions as r, ".MAIN_DB_PREFIX."c_country as c WHERE r.fk_pays=c.rowid and c.active=1"; +$tabsql[3] = "SELECT r.rowid as rowid, r.code_region as state_code, r.nom as libelle, r.fk_pays as country_id, c.code as country_code, c.label as country, r.active FROM ".MAIN_DB_PREFIX."c_regions as r, ".MAIN_DB_PREFIX."c_country as c WHERE r.fk_pays=c.rowid and c.active=1"; $tabsql[4] = "SELECT c.rowid as rowid, c.code, c.label, c.active, c.favorite FROM ".MAIN_DB_PREFIX."c_country AS c"; $tabsql[5] = "SELECT c.rowid as rowid, c.code as code, c.label, c.active FROM ".MAIN_DB_PREFIX."c_civility AS c"; $tabsql[6] = "SELECT a.id as rowid, a.code as code, a.libelle AS libelle, a.type, a.active, a.module, a.color, a.position FROM ".MAIN_DB_PREFIX."c_actioncomm AS a"; @@ -759,12 +760,13 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) $_POST[$listfieldvalue[$i]] = getEntity($tabname[$id]); } if ($i) $sql .= ","; + if ($listfieldvalue[$i] == 'sortorder') // For column name 'sortorder', we use the field name 'position' { - $sql .= "'".(int) $db->escape($_POST['position'])."'"; + $sql .= "'".(int) $db->escape(GETPOST('position'))."'"; } elseif ($_POST[$listfieldvalue[$i]] == '' && !($listfieldvalue[$i] == 'code' && $id == 10)) $sql .= "null"; // For vat, we want/accept code = '' - else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; + else $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i], 'nohtml'))."'"; $i++; } $sql .= ",1)"; @@ -1011,6 +1013,7 @@ if ($id) if ($search_code != '' && $id == 9) $sql .= natural_search("code_iso", $search_code); elseif ($search_code != '' && $id == 28) $sql .= natural_search("h.code", $search_code); elseif ($search_code != '' && $id == 32) $sql .= natural_search("a.code", $search_code); + elseif ($search_code != '' && $id == 3) $sql .= natural_search("r.code_region", $search_code); elseif ($search_code != '' && $id != 9) $sql .= natural_search("code", $search_code); if ($sortfield) @@ -1146,7 +1149,7 @@ if ($id) if ($fieldlist[$field] == 'revenuestamp_type') { $valuetoshow = $langs->trans('TypeOfRevenueStamp'); } if ($fieldlist[$field] == 'use_default') { $valuetoshow = $langs->trans('Default'); } - if ($id == 2) // Special cas for state page + if ($id == 2) // Special case for state page { if ($fieldlist[$field] == 'region_id') { $valuetoshow = ' '; $showfield = 1; } if ($fieldlist[$field] == 'region') { $valuetoshow = $langs->trans("Country").'/'.$langs->trans("Region"); $showfield = 1; } @@ -1228,6 +1231,7 @@ if ($id) // List of available record in database dol_syslog("htdocs/admin/dict", LOG_DEBUG); + $resql = $db->query($sql); if ($resql) { @@ -1620,7 +1624,9 @@ if ($id) $key = $langs->trans($obj->label); $valuetoshow = ($obj->label && $key != strtoupper($obj->label) ? $key : $obj->{$fieldlist[$field]}); } - + elseif ($fieldlist[$field] == 'code' && $id == 3) { + $valuetoshow = $obj->state_code; + } $class .= ($class ? ' ' : '').'tddict'; if ($fieldlist[$field] == 'note' && $id == 10) $class .= ' tdoverflowmax200'; if ($fieldlist[$field] == 'tracking') $class .= ' tdoverflowauto'; From 967d97ccd74935a65db7d04cbc6d5a8b1012dd28 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 2 Feb 2020 15:01:57 +0100 Subject: [PATCH 12/14] FIX CVE-2020-7994 --- htdocs/admin/company.php | 14 +++++++------- htdocs/admin/const.php | 2 +- htdocs/admin/defaultvalues.php | 24 ++++++++++++------------ htdocs/admin/translation.php | 19 +++++++++---------- 4 files changed, 29 insertions(+), 30 deletions(-) diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index ce75d83505a..df72e1bde04 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -95,15 +95,15 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM", GETPOST("nom", 'nohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS", GETPOST("MAIN_INFO_SOCIETE_ADDRESS", 'nohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("MAIN_INFO_SOCIETE_TOWN", 'nohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("MAIN_INFO_SOCIETE_ZIP", 'alpha'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code", 'alpha'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("MAIN_INFO_SOCIETE_ZIP", 'alphanohtml'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency", 'aZ09'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel", 'alpha'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alpha'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alpha'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alpha'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel", 'alphanohtml'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alphanohtml'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alphanohtml'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alpha'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $dirforimage = $conf->mycompany->dir_output.'/logos/'; diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index eed7f40910c..baeac243ce0 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -40,7 +40,7 @@ $update=GETPOST('update', 'alpha'); $delete=GETPOST('delete', 'none'); // Do not use alpha here $debug=GETPOST('debug', 'int'); $consts=GETPOST('const', 'array'); -$constname=GETPOST('constname', 'alpha'); +$constname=GETPOST('constname', 'alphanohtml'); $constvalue=GETPOST('constvalue', 'none'); // We shoul dbe able to send everything here $constnote=GETPOST('constnote', 'alpha'); diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php index 29043720dee..d6981448ea6 100644 --- a/htdocs/admin/defaultvalues.php +++ b/htdocs/admin/defaultvalues.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2017-2020 Laurent Destailleur * Copyright (C) 2017-2018 Regis Houssin * * This program is free software; you can redistribute it and/or modify @@ -52,15 +52,15 @@ $pagenext = $page + 1; if (!$sortfield) $sortfield = 'page,param'; if (!$sortorder) $sortorder = 'ASC'; -$defaulturl = GETPOST('defaulturl'); -$defaultkey = GETPOST('defaultkey', 'alpha'); -$defaultvalue = GETPOST('defaultvalue'); +$defaulturl = GETPOST('defaulturl', 'alphanohtml'); +$defaultkey = GETPOST('defaultkey', 'alphanohtml'); +$defaultvalue = GETPOST('defaultvalue', 'none'); $defaulturl = preg_replace('/^\//', '', $defaulturl); -$urlpage = GETPOST('urlpage'); -$key = GETPOST('key'); -$value = GETPOST('value'); +$urlpage = GETPOST('urlpage', 'alphanohtml'); +$key = GETPOST('key', 'alphanohtml'); +$value = GETPOST('value', 'none'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('admindefaultvalues', 'globaladmin')); @@ -210,9 +210,9 @@ print load_fiche_titre($langs->trans("DefaultValues"), $enabledisablehtml, 'titl print ''.$langs->trans("DefaultValuesDesc")."
\n"; print "
\n"; -if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; -if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; -if ($optioncss != '') $param .= '&optioncss='.$optioncss; +if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage); +if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); +if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); if ($defaulturl) $param .= '&defaulturl='.urlencode($defaulturl); if ($defaultkey) $param .= '&defaultkey='.urlencode($defaultkey); if ($defaultvalue) $param .= '&defaultvalue='.urlencode($defaultvalue); @@ -359,7 +359,7 @@ if ($result) // Page print ''; - if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print $obj->page; + if ($action != 'edit' || GETPOST('rowid', 'int') != $obj->rowid) print $obj->page; else print ''; print ''."\n"; @@ -378,7 +378,7 @@ if ($result) print ''; print ''; */ - if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print $obj->value; + if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print dol_escape_htmltag($obj->value); else print ''; print ''; } diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index 5e98d7c5503..c641be11a59 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2020 Laurent Destailleur * Copyright (C) 2009-2017 Regis Houssin * Copyright (C) 2017 Frédéric France * @@ -35,9 +35,9 @@ if (!$user->admin) accessforbidden(); $id = GETPOST('rowid', 'int'); $action = GETPOST('action', 'alpha'); -$langcode = GETPOST('langcode', 'alpha'); -$transkey = GETPOST('transkey', 'alpha'); -$transvalue = GETPOST('transvalue', 'alpha'); +$langcode = GETPOST('langcode', 'alphanohtml'); +$transkey = GETPOST('transkey', 'alphanohtml'); +$transvalue = GETPOST('transvalue', 'none'); $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'overwrite'; @@ -190,7 +190,6 @@ if ($action == 'delete') - /* * View */ @@ -231,9 +230,9 @@ print ''.$form->textwithpicto($langs->trans("Current print '
'; -if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; -if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; -if ($optioncss != '') $param.='&optioncss='.$optioncss; +if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); +if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); +if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); if ($langcode) $param.='&langcode='.urlencode($langcode); if ($transkey) $param.='&transkey='.urlencode($transkey); if ($transvalue) $param.='&transvalue='.urlencode($transvalue); @@ -348,11 +347,11 @@ if ($mode == 'overwrite') */ if ($action == 'edit' && $obj->rowid == GETPOST('rowid', 'int')) { - print ''; + print ''; } else { - print $obj->transvalue; + print dol_escape_htmltag($obj->transvalue); } print ''; From 71b5e1daf9cf62c548d3c1f12d425164ba12cbb1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 2 Feb 2020 15:57:41 +0100 Subject: [PATCH 13/14] FIX Log of authentication ko or ko --- htdocs/admin/system/browser.php | 7 +++++-- htdocs/core/lib/security2.lib.php | 2 +- htdocs/core/login/functions_dolibarr.php | 8 ++++---- htdocs/core/login/functions_ldap.php | 8 ++++---- htdocs/main.inc.php | 2 +- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/htdocs/admin/system/browser.php b/htdocs/admin/system/browser.php index 5035c6c4a7d..cae6e568d65 100644 --- a/htdocs/admin/system/browser.php +++ b/htdocs/admin/system/browser.php @@ -49,12 +49,15 @@ $tmp=getBrowserInfo($_SERVER["HTTP_USER_AGENT"]); print '
'; print ''; print ''."\n"; -print ''."\n"; +print ''."\n"; print ''."\n"; print ''."\n"; print ''."\n"; print ''."\n"; -print ''."\n"; +print ''."\n"; print ''."\n"; print ''."\n"; diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index 26e97499482..8d3adfa2df7 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -104,7 +104,7 @@ function checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $auth } else { - dol_syslog("Authentification ko - failed to load file '".$authfile."'", LOG_ERR); + dol_syslog("Authentication KO - failed to load file '".$authfile."'", LOG_ERR); sleep(1); // Load translation files required by the page $langs->loadLangs(array('other', 'main', 'errors')); diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php index 7e5439fa66a..861c31a0e37 100644 --- a/htdocs/core/login/functions_dolibarr.php +++ b/htdocs/core/login/functions_dolibarr.php @@ -110,7 +110,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes else { sleep(2); // Anti brut force protection - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password for '".$usertotest."', cryptType=".$cryptType); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for '".$usertotest."', cryptType=".$cryptType, LOG_NOTICE); // Load translation files required by the page $langs->loadLangs(array('main', 'errors')); @@ -129,7 +129,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes $ret = $mc->checkRight($obj->rowid, $entitytotest); if ($ret < 0) { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko entity '" . $entitytotest . "' not allowed for user '" . $obj->rowid . "'"); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO entity '" . $entitytotest . "' not allowed for user '" . $obj->rowid . "'", LOG_NOTICE); $login = ''; // force authentication failure } } @@ -137,7 +137,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes } else { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko user not found for '".$usertotest."'"); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO user not found for '".$usertotest."'", LOG_NOTICE); sleep(1); // Load translation files required by the page @@ -148,7 +148,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes } else { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko db error for '".$usertotest."' error=".$db->lasterror()); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO db error for '".$usertotest."' error=".$db->lasterror(), LOG_ERR); sleep(1); $_SESSION["dol_loginmesg"]=$db->lasterror(); } diff --git a/htdocs/core/login/functions_ldap.php b/htdocs/core/login/functions_ldap.php index 63a4c6d01e6..81bbfdf5b84 100644 --- a/htdocs/core/login/functions_ldap.php +++ b/htdocs/core/login/functions_ldap.php @@ -52,7 +52,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) if (! function_exists("ldap_connect")) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP. LDAP functions are disabled on this PHP", LOG_ERR); sleep(1); // Load translation files required by the page @@ -202,7 +202,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) $ret=$mc->checkRight($usertmp->id, $entitytotest); if ($ret < 0) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko entity '".$entitytotest."' not allowed for user '".$usertmp->id."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO entity '".$entitytotest."' not allowed for user '".$usertmp->id."'", LOG_NOTICE); $login=''; // force authentication failure } unset($usertmp); @@ -210,7 +210,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) } if ($result == 1) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$usertotest."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO bad user/password for '".$usertotest."'", LOG_NOTICE); sleep(1); // Load translation files required by the page @@ -229,7 +229,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) ** 49 - Wrong password ** 53 - Account inactive (manually locked out by administrator) */ - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for '".$usertotest."'", LOG_NOTICE); if (is_resource($ldap->connection)) // If connection ok but bind ko { $ldap->ldapErrorCode = ldap_errno($ldap->connection); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d396ad4cadc..4e1745413ce 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -957,7 +957,7 @@ if (!defined('NOLOGIN')) { // If not active, we refuse the user $langs->load("other"); - dol_syslog("Authentification ko as login is disabled"); + dol_syslog("Authentication KO as login is disabled", LOG_NOTICE); accessforbidden($langs->trans("ErrorLoginDisabled")); exit; } From 075b1ea7443d9dd17b5bfd5c0e8da160c88307ad Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 2 Feb 2020 15:57:41 +0100 Subject: [PATCH 14/14] FIX Log of authentication ko or ko + CVE-2020-7996 --- htdocs/admin/system/browser.php | 7 +++++-- htdocs/core/lib/security2.lib.php | 2 +- htdocs/core/login/functions_dolibarr.php | 8 ++++---- htdocs/core/login/functions_ldap.php | 8 ++++---- htdocs/main.inc.php | 2 +- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/htdocs/admin/system/browser.php b/htdocs/admin/system/browser.php index 5035c6c4a7d..cae6e568d65 100644 --- a/htdocs/admin/system/browser.php +++ b/htdocs/admin/system/browser.php @@ -49,12 +49,15 @@ $tmp=getBrowserInfo($_SERVER["HTTP_USER_AGENT"]); print '
'; print '
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("UserAgent").''.$_SERVER['HTTP_USER_AGENT'].'
'.$langs->trans("UserAgent").''.dol_escape_htmltag($_SERVER['HTTP_USER_AGENT']).'
'.$langs->trans("BrowserName").''.$tmp['browsername'].'
'.$langs->trans("BrowserOS").''.$tmp['browseros'].'
'.$langs->trans("Version").''.$tmp['browserversion'].'
'.$langs->trans("Layout").' (phone/tablet/classic)'.$tmp['layout'].'
'.$langs->trans("IPAddress").''.$_SERVER['REMOTE_ADDR'].'
'.$langs->trans("IPAddress").''.dol_escape_htmltag($_SERVER['REMOTE_ADDR']); +if (! empty($_SERVER['HTTP_CLIENT_IP'])) print ' (HTTP_CLIENT_IP='.dol_escape_htmltag($_SERVER['HTTP_CLIENT_IP']).')'; +if (! empty($_SERVER['HTTP_X_FORWARDED_FOR'])) print ' (HTTP_X_FORWARDED_FOR='.dol_escape_htmltag($_SERVER['HTTP_X_FORWARDED_FOR']).')'; +print '
'.$langs->trans("SessionName").''.session_name().'
'.$langs->trans("SessionId").''.session_id().'
'; print ''."\n"; -print ''."\n"; +print ''."\n"; print ''."\n"; print ''."\n"; print ''."\n"; print ''."\n"; -print ''."\n"; +print ''."\n"; print ''."\n"; print ''."\n"; diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index 26e97499482..8d3adfa2df7 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -104,7 +104,7 @@ function checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $auth } else { - dol_syslog("Authentification ko - failed to load file '".$authfile."'", LOG_ERR); + dol_syslog("Authentication KO - failed to load file '".$authfile."'", LOG_ERR); sleep(1); // Load translation files required by the page $langs->loadLangs(array('other', 'main', 'errors')); diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php index 7e5439fa66a..861c31a0e37 100644 --- a/htdocs/core/login/functions_dolibarr.php +++ b/htdocs/core/login/functions_dolibarr.php @@ -110,7 +110,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes else { sleep(2); // Anti brut force protection - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password for '".$usertotest."', cryptType=".$cryptType); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for '".$usertotest."', cryptType=".$cryptType, LOG_NOTICE); // Load translation files required by the page $langs->loadLangs(array('main', 'errors')); @@ -129,7 +129,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes $ret = $mc->checkRight($obj->rowid, $entitytotest); if ($ret < 0) { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko entity '" . $entitytotest . "' not allowed for user '" . $obj->rowid . "'"); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO entity '" . $entitytotest . "' not allowed for user '" . $obj->rowid . "'", LOG_NOTICE); $login = ''; // force authentication failure } } @@ -137,7 +137,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes } else { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko user not found for '".$usertotest."'"); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO user not found for '".$usertotest."'", LOG_NOTICE); sleep(1); // Load translation files required by the page @@ -148,7 +148,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes } else { - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko db error for '".$usertotest."' error=".$db->lasterror()); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO db error for '".$usertotest."' error=".$db->lasterror(), LOG_ERR); sleep(1); $_SESSION["dol_loginmesg"]=$db->lasterror(); } diff --git a/htdocs/core/login/functions_ldap.php b/htdocs/core/login/functions_ldap.php index 63a4c6d01e6..81bbfdf5b84 100644 --- a/htdocs/core/login/functions_ldap.php +++ b/htdocs/core/login/functions_ldap.php @@ -52,7 +52,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) if (! function_exists("ldap_connect")) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP. LDAP functions are disabled on this PHP", LOG_ERR); sleep(1); // Load translation files required by the page @@ -202,7 +202,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) $ret=$mc->checkRight($usertmp->id, $entitytotest); if ($ret < 0) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko entity '".$entitytotest."' not allowed for user '".$usertmp->id."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO entity '".$entitytotest."' not allowed for user '".$usertmp->id."'", LOG_NOTICE); $login=''; // force authentication failure } unset($usertmp); @@ -210,7 +210,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) } if ($result == 1) { - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$usertotest."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO bad user/password for '".$usertotest."'", LOG_NOTICE); sleep(1); // Load translation files required by the page @@ -229,7 +229,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest) ** 49 - Wrong password ** 53 - Account inactive (manually locked out by administrator) */ - dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'"); + dol_syslog("functions_ldap::check_user_password_ldap Authentication KO failed to connect to LDAP for '".$usertotest."'", LOG_NOTICE); if (is_resource($ldap->connection)) // If connection ok but bind ko { $ldap->ldapErrorCode = ldap_errno($ldap->connection); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d396ad4cadc..4e1745413ce 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -957,7 +957,7 @@ if (!defined('NOLOGIN')) { // If not active, we refuse the user $langs->load("other"); - dol_syslog("Authentification ko as login is disabled"); + dol_syslog("Authentication KO as login is disabled", LOG_NOTICE); accessforbidden($langs->trans("ErrorLoginDisabled")); exit; }
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("UserAgent").''.$_SERVER['HTTP_USER_AGENT'].'
'.$langs->trans("UserAgent").''.dol_escape_htmltag($_SERVER['HTTP_USER_AGENT']).'
'.$langs->trans("BrowserName").''.$tmp['browsername'].'
'.$langs->trans("BrowserOS").''.$tmp['browseros'].'
'.$langs->trans("Version").''.$tmp['browserversion'].'
'.$langs->trans("Layout").' (phone/tablet/classic)'.$tmp['layout'].'
'.$langs->trans("IPAddress").''.$_SERVER['REMOTE_ADDR'].'
'.$langs->trans("IPAddress").''.dol_escape_htmltag($_SERVER['REMOTE_ADDR']); +if (! empty($_SERVER['HTTP_CLIENT_IP'])) print ' (HTTP_CLIENT_IP='.dol_escape_htmltag($_SERVER['HTTP_CLIENT_IP']).')'; +if (! empty($_SERVER['HTTP_X_FORWARDED_FOR'])) print ' (HTTP_X_FORWARDED_FOR='.dol_escape_htmltag($_SERVER['HTTP_X_FORWARDED_FOR']).')'; +print '
'.$langs->trans("SessionName").''.session_name().'
'.$langs->trans("SessionId").''.session_id().'