Skip to content

Commit

Permalink
FIX CVE-2018-9019
Browse files Browse the repository at this point in the history
  • Loading branch information
@eldy
eldy committed Apr 25, 2018
1 parent fdb3a11 commit 83b762b
Show file tree
Hide file tree
Showing 8 changed files with 42 additions and 130 deletions.
40 changes: 7 additions & 33 deletions htdocs/accountancy/admin/accountmodel.php
View file
Expand Up @@ -45,7 +45,7 @@

$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$id=31;
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');

Expand All @@ -58,8 +58,8 @@
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
$active = 1;

$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$sortfield = GETPOST("sortfield",'aZ09comma');
$sortorder = GETPOST("sortorder",'aZ09comma');
$page = GETPOST("page",'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $listlimit * $page ;
Expand All @@ -84,59 +84,48 @@
$tabname=array();

$tabname[31]= MAIN_DB_PREFIX."accounting_system";
$tabname[32]= MAIN_DB_PREFIX."c_accounting_category";

// Dictionary labels
$tablib=array();
$tablib[31]= "Pcg_version";
$tablib[32]= "DictionaryAccountancyCategory";

// Requests to extract data
$tabsql=array();
$tabsql[31]= "SELECT s.rowid as rowid, pcg_version, s.label, s.fk_country as country_id, c.code as country_code, c.label as country, s.active FROM ".MAIN_DB_PREFIX."accounting_system as s, ".MAIN_DB_PREFIX."c_country as c WHERE s.fk_country=c.rowid and c.active=1";
$tabsql[32]= "SELECT a.rowid as rowid, a.code as code, a.label, a.range_account, a.sens, a.category_type, a.formula, a.position as position, a.fk_country as country_id, c.code as country_code, c.label as country, a.active FROM ".MAIN_DB_PREFIX."c_accounting_category as a, ".MAIN_DB_PREFIX."c_country as c WHERE a.fk_country=c.rowid and c.active=1";

// Criteria to sort dictionaries
$tabsqlsort=array();
$tabsqlsort[31]="pcg_version ASC";
$tabsqlsort[32]="position ASC";

// Nom des champs en resultat de select pour affichage du dictionnaire
$tabfield=array();
$tabfield[31]= "pcg_version,label,country_id,country";
$tabfield[32]= "code,label,range_account,sens,category_type,formula,position,country_id,country";

// Nom des champs d'edition pour modification d'un enregistrement
$tabfieldvalue=array();
$tabfieldvalue[31]= "pcg_version,label,country";
$tabfieldvalue[32]= "code,label,range_account,sens,category_type,formula,position,country";

// Nom des champs dans la table pour insertion d'un enregistrement
$tabfieldinsert=array();
$tabfieldinsert[31]= "pcg_version,label,fk_country";
$tabfieldinsert[32]= "code,label,range_account,sens,category_type,formula,position,fk_country";

// Nom du rowid si le champ n'est pas de type autoincrement
// Example: "" if id field is "rowid" and has autoincrement on
// "nameoffield" if id field is not "rowid" or has not autoincrement on
$tabrowid=array();
$tabrowid[31]= "";
$tabrowid[32]= "";

// Condition to show dictionary in setup page
$tabcond=array();
$tabcond[31]= ! empty($conf->accounting->enabled);
$tabcond[32]= ! empty($conf->accounting->enabled);

// List of help for fields
$tabhelp=array();
$tabhelp[31] = array('pcg_version'=>$langs->trans("EnterAnyCode"));
$tabhelp[32] = array('code'=>$langs->trans("EnterAnyCode"));

// List of check for fields (NOT USED YET)
$tabfieldcheck=array();
$tabfieldcheck[31] = array();
$tabfieldcheck[32] = array();


// Define elementList and sourceList (used for dictionary type of contacts "llx_c_type_contact")
Expand Down Expand Up @@ -484,7 +473,7 @@
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.urlencode($page).'&':'').'sortfield='.urlencode($sortfield).'&sortorder='.urlencode($sortorder).'&rowid='.urlencode($rowid).'&code='.urlencode($code).'&id='.urlencode($id), $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

Expand All @@ -503,24 +492,9 @@
$sql.= " c.rowid = ".$search_country_id;
}

if ($sortfield)
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.= " ORDER BY ".$sortfield;
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
}
else {
$sql.=" ORDER BY ";
}
$sql.=$tabsqlsort[$id];
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;

Expand Down
2 changes: 1 addition & 1 deletion htdocs/accountancy/admin/categories.php
View file
Expand Up @@ -88,7 +88,7 @@

llxheader('', $langs->trans('AccountingCategory'));

$linkback = '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories_list.php?search_country_id='.$mysoc->country_id.'">'.$langs->trans("BackToList").'</a>';
$linkback = '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories_list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';

print load_fiche_titre($langs->trans('AccountingCategory'), $linkback);

Expand Down
45 changes: 15 additions & 30 deletions htdocs/accountancy/admin/categories_list.php
View file
Expand Up @@ -54,8 +54,8 @@
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
$active = 1;

$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$sortfield = GETPOST("sortfield",'aZ09comma');
$sortorder = GETPOST("sortorder",'aZ09comma');
$page = GETPOST("page",'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $listlimit * $page ;
Expand Down Expand Up @@ -300,7 +300,7 @@
if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; }
else { $rowidcol="rowid"; }

$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'";

dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
Expand All @@ -324,10 +324,10 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$this->db->escape($code)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'";
}

$result = $db->query($sql);
Expand All @@ -344,10 +344,10 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$this->db->escape($code)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'";
}

$result = $db->query($sql);
Expand All @@ -364,10 +364,10 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$this->db->escape($code)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'";
}

$result = $db->query($sql);
Expand All @@ -384,10 +384,10 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$this->db->escape($code)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'";
}

$result = $db->query($sql);
Expand Down Expand Up @@ -437,24 +437,9 @@
$sql.= " (a.fk_country = ".$search_country_id." OR a.fk_country = 0)";
}

if ($sortfield)
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.= " ORDER BY ".$sortfield;
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
}
else {
$sql.=" ORDER BY ";
}
$sql.=$tabsqlsort[$id];
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;

Expand Down Expand Up @@ -793,7 +778,7 @@
print '<td class="center">';
if (empty($obj->formula))
{
print '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories.php?action=display&account_category='.$obj->rowid.'">';
print '<a href="'.DOL_URL_ROOT.'/accountancy/admin/categories.php?action=display&save_lastsearch_values=1&account_category='.$obj->rowid.'">';
print $langs->trans("ListOfAccounts");
print '</a>';
}
Expand Down
23 changes: 4 additions & 19 deletions htdocs/accountancy/admin/journals_list.php
View file
Expand Up @@ -36,7 +36,7 @@

$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$id=35;
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');

Expand Down Expand Up @@ -400,24 +400,9 @@
$sql=$tabsql[$id];
$sql.= " WHERE a.entity = ".$conf->entity;

if ($sortfield)
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.= " ORDER BY ".$sortfield;
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
}
else {
$sql.=" ORDER BY ";
}
$sql.=$tabsqlsort[$id];
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);

$fieldlist=explode(',',$tabfield[$id]);
Expand Down
14 changes: 7 additions & 7 deletions htdocs/admin/dict.php
View file
Expand Up @@ -965,14 +965,14 @@
print "<br>\n";


$param = '&id='.$id;
if ($search_country_id > 0) $param.= '&search_country_id='.$search_country_id;
$param = '&id='.urlencode($id);
if ($search_country_id > 0) $param.= '&search_country_id='.urlencode($search_country_id);
if ($search_code != '') $param.= '&search_code='.urlencode($search_country_id);
if ($entity != '') $param.= '&entity=' . (int) $entity;
$paramwithsearch = $param;
if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder;
if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield;
if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
if ($sortorder) $paramwithsearch.= '&sortorder='.urlencode($sortorder);
if ($sortfield) $paramwithsearch.= '&sortfield='.urlencode($sortfield);
if (GETPOST('from')) $paramwithsearch.= '&from='.urlencode(GETPOST('from','alpha'));


// Confirmation de la suppression de la ligne
Expand All @@ -999,10 +999,10 @@
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.= " ORDER BY ".$sortfield;
$sql.= " ORDER BY ".$db->escape($sortfield);
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
$sql.=" ".strtoupper($db->escape($sortorder));
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
Expand Down
21 changes: 3 additions & 18 deletions htdocs/admin/mails_templates.php
View file
Expand Up @@ -430,24 +430,9 @@
if ($search_lang) $sql.=natural_search('lang', $search_lang);
if ($search_fk_user != '' && $search_fk_user != '-1') $sql.=natural_search('fk_user', $search_fk_user, 2);
if ($search_topic) $sql.=natural_search('topic', $search_topic);
if ($sortfield)
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.= " ORDER BY ".$sortfield;
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
}
else {
$sql.=" ORDER BY ";
}
$sql.=$tabsqlsort[$id];
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;

Expand Down
19 changes: 1 addition & 18 deletions htdocs/admin/website.php
View file
Expand Up @@ -419,24 +419,7 @@
{
// Complete requete recherche valeurs avec critere de tri
$sql=$tabsql[$id];

if ($sortfield)
{
// If sort order is "country", we use country_code instead
$sql.= " ORDER BY ".$sortfield;
if ($sortorder)
{
$sql.=" ".strtoupper($sortorder);
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
$tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
}
else {
$sql.=" ORDER BY ";
}
$sql.=$tabsqlsort[$id];
$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($limit+1, $offset);
//print $sql;

Expand Down
8 changes: 4 additions & 4 deletions htdocs/core/lib/functions.lib.php
View file
Expand Up @@ -578,12 +578,12 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
{
//var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]);

// We save search key only if:
// - not empty, or
// - if value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).
// We save search key only if $out not empty that means:
// - posted value not empty, or
// - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).

//if (! empty($out) || ! empty($user->default_values[$relativepathstring]['filters'][$paramname]))
if (! empty($out))
if ($out != '') // $out = '0' like 'abc' is a search criteria to keep
{
$user->lastsearch_values_tmp[$relativepathstring][$paramname]=$out;
}
Expand Down

0 comments on commit 83b762b

Please sign in to comment.