Fix: Multiple directory traversal vulnerabilities with backtopage

commit 5381986e50dd6055f2b3b63281eaacffa0449da2 1 parent 1d0d820
Regis Houssin authored
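--- a/htdocs/comm/action/fiche.php
+++ b/htdocs/comm/action/fiche.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
 * Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
- * Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
+ * Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
 * Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
@@ -43,11 +43,12 @@
 $langs->load("orders");
 $langs->load("agenda");
-$action=GETPOST("action");
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 // Security check
-$socid = GETPOST('socid');
-$id = GETPOST('id');
+$socid = GETPOST('socid','int');
+$id = GETPOST('id','int');
 if ($user->societe_id) $socid=$user->societe_id;
 //$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');
@@ -66,9 +67,7 @@
 {
 $error=0;
- $backtopage='';
- if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"];
- if (! $backtopage)
+ if (empty($backtopage))
 {
 if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid;
 else $backtopage=DOL_URL_ROOT.'/comm/action/index.php';
@@ -339,14 +338,9 @@
 }
 else
 {
- if (! empty($_POST["from"])) // deprecated. Use backtopage instead
- {
- header("Location: ".$_POST["from"]);
- exit;
- }
- if (! empty($_POST["backtopage"]))
+ if (! empty($backtopage))
 {
- header("Location: ".$_POST["backtopage"]);
+ header("Location: ".$backtopage);
 exit;
 }
 }
@@ -426,7 +420,7 @@ function setdatefields()
 print '<form name="formaction" action="'.DOL_URL_ROOT.'/comm/action/fiche.php" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add_action">';
- if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") != 1 ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
+ print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
 if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous"));
 else print_fiche_titre($langs->trans("AddAnAction"));
@@ -679,7 +673,7 @@ function setdatefields()
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="id" value="'.$id.'">';
 print '<input type="hidden" name="ref_ext" value="'.$act->ref_ext.'">';
- if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
+ print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
 print '<table class="border" width="100%">';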
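Review bot: The redirect `header("Location: ".$backtopage);` still follows any caller-supplied target: the 'alpha' check this commit relies on only drops values containing `"` or `../`, so an absolute `http://attacker.example/` or a protocol-relative `//attacker.example/` passes untouched and the page remains an open redirect. Reject schemes and protocol-relative targets before the header, e.g. `if (preg_match('#^\s*([a-z][a-z0-9+.-]*:|[/\\\\]{2})#i', $backtopage)) $backtopage = '';`, or, stronger, accept only paths that start with DOL_URL_ROOT where that constant is non-empty. The two hidden inputs now also fall back to `$_SERVER["HTTP_REFERER"]` written raw inside a double-quoted attribute; that header is request-controlled and is not covered by the 'alpha' filter, so it should go through an HTML-attribute escape such as `htmlspecialchars(..., ENT_QUOTES)`. The enclosing branches of these hunks start and end outside the visible lines.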
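--- a/htdocs/comm/remise.php
+++ b/htdocs/comm/remise.php
@@ -30,21 +30,23 @@
 $langs->load("orders");
 $langs->load("bills");
-$socid = GETPOST("id");
+$socid = GETPOST('id','int');
 // Security check
 if ($user->societe_id > 0)
 {
 $socid = $user->societe_id;
 }
+$backtopage = GETPOST('backtopage','alpha');
+
 /*
 * Actions
 */
-if (GETPOST('cancel') && GETPOST('backtopage'))
+if (GETPOST('cancel') && ! empty($backtopage))
 {
- Header("Location: ".GETPOST("backtopage"));
+ Header("Location: ".$backtopage);
 exit;
 }
@@ -56,9 +58,9 @@
 if ($result > 0)
 {
- if (GETPOST('backtopage'))
+ if (! empty($backtopage))
 {
- Header("Location: ".GETPOST('backtopage'));
+ Header("Location: ".$backtopage);
 exit;
 }
 else
@@ -122,7 +124,7 @@
 print '<form method="POST" action="remise.php?id='.$objsoc->id.'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setremise">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<table class="border" width="100%">';
@@ -138,7 +140,7 @@
 print '<center>';
 print '<input type="submit" class="button" value="'.$langs->trans("Modify").'">';
- if (GETPOST("backtopage"))
+ if (! empty($backtopage))
 {
 print '&nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';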
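Review bot: Both `Header("Location: ".$backtopage);` calls, on the cancel path and after a successful `setremise`, still accept an absolute or protocol-relative URL, because the 'alpha' check only rejects `"` and `../`; the traversal fix does not close the open redirect. A guard right after `$backtopage = GETPOST('backtopage','alpha');` such as `if (preg_match('#^\s*([a-z][a-z0-9+.-]*:|[/\\\\]{2})#i', $backtopage)) $backtopage = '';` would cover both sites with one line. As a point of style, this file uses `Header(` where htdocs/comm/action/fiche.php in the same commit uses `header(`; PHP resolves both, but the lowercase form is the documented name and keeps grep-ability consistent.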
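--- a/htdocs/comm/remx.php
+++ b/htdocs/comm/remx.php
@@ -32,7 +32,8 @@
 $langs->load("bills");
 $langs->load("companies");
-$action=GETPOST('action');
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 // Security check
 $socid = GETPOST("id");
@@ -46,9 +47,9 @@
 * Actions
 */
-if (GETPOST('cancel') && GETPOST('backtopage'))
+if (GETPOST('cancel') && ! empty($backtopage))
 {
- Header("Location: ".GETPOST("backtopage"));
+ Header("Location: ".$backtopage);
 exit;
 }
@@ -151,9 +152,9 @@
 if ($discountid > 0)
 {
- if (GETPOST("backtopage"))
+ if (! empty($backtopage))
 {
- Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid);
+ Header("Location: ".$backtopage.'&discountid='.$discountid);
 exit;
 }
 else
@@ -228,7 +229,7 @@
 print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'?id='.$objsoc->id.'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setremise">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<table class="border" width="100%">';
@@ -280,7 +281,7 @@
 print '<center>';
 print '<input type="submit" class="button" name="submit" value="'.$langs->trans("AddGlobalDiscount").'">';
- if (GETPOST("backtopage"))
+ if (! empty($backtopage))
 {
 print '&nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';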
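Review bot: `$socid = GETPOST("id");` under the `// Security check` comment is left untyped, although this same commit changes the identical assignment in htdocs/comm/remise.php to `$socid = GETPOST('id','int');` and types `$id`/`$socid` in every other touched file; the two discount pages should agree, so change it here as well. Separately, `Header("Location: ".$backtopage.'&discountid='.$discountid);` assumes the caller's value already carries a query string: a backtopage without `?` yields a malformed target. The redirect also inherits the open-redirect exposure of the other files, since the 'alpha' filter does not reject `http://` or `//` prefixes; a guard after the GETPOST line is needed here too.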
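--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -39,10 +39,11 @@
 $mesg=''; $error=0; $errors=array();
-$action = (GETPOST('action') ? GETPOST('action') : 'view');
-$confirm = GETPOST('confirm');
-$id = GETPOST("id");
-$socid = GETPOST("socid");
+$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view');
+$confirm = GETPOST('confirm','alpha');
+$backtopage = GETPOST('backtopage','alpha');
+$id = GETPOST('id','int');
+$socid = GETPOST('socid','int');
 if ($user->societe_id) $socid=$user->societe_id;
 $object = new Contact($db);
@@ -76,9 +77,9 @@
 if (empty($reshook))
 {
 // Cancel
- if (GETPOST("cancel") && GETPOST('backtopage'))
+ if (GETPOST("cancel") && ! empty($backtopage))
 {
- header("Location: ".GETPOST('backtopage'));
+ header("Location: ".$backtopage);
 exit;
 }
@@ -86,7 +87,7 @@
 if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer)
 {
 // Recuperation contact actuel
- $result = $object->fetch($_GET["id"]);
+ $result = $object->fetch($id);
 if ($result > 0)
 {
@@ -172,7 +173,7 @@
 if (! $error && $id > 0)
 {
 $db->commit();
- if (GETPOST('backtopage')) $url=GETPOST('backtopage');
+ if (! empty($backtopage)) $url=$backtopage;
 else $url='fiche.php?id='.$id;
 Header("Location: ".$url);
 exit;
@@ -368,7 +369,7 @@
 print '<form method="post" name="formsoc" action="'.$_SERVER["PHP_SELF"].'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<table class="border" width="100%">';
 // Name
@@ -497,7 +498,7 @@
 print '<center>';
 print '<input type="submit" class="button" name="add" value="'.$langs->trans("Add").'">';
- if (GETPOST('backtopage'))
+ if (! empty($backtopage))
 {
 print ' &nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
@@ -537,11 +538,11 @@
 print '</script>';
 }
- print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.GETPOST("id").'" name="formsoc">';
+ print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" name="formsoc">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
- print '<input type="hidden" name="id" value="'.GETPOST("id").'">';
+ print '<input type="hidden" name="id" value="'.$id.'">';
 print '<input type="hidden" name="action" value="update">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<input type="hidden" name="contactid" value="'.$object->id.'">';
 print '<input type="hidden" name="old_name" value="'.$object->name.'">';
 print '<input type="hidden" name="old_firstname" value="'.$object->firstname.'">';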
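Review bot: The rewritten line `print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" name="formsoc">';` keeps `$_SERVER["PHP_SELF"]` raw inside a double-quoted attribute; on servers that append path info to PHP_SELF (AcceptPathInfo or equivalent), a request to `fiche.php/"><script>…` lands that text in the page, which is the classic reflected-XSS route through this variable. Since the line is being touched anyway, wrap it: `htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)`, or the project's HTML-attribute escaping helper if one exists. The create path's `if (! empty($backtopage)) $url=$backtopage;` followed by `Header("Location: ".$url);` also remains an open redirect, because the 'alpha' filter does not reject absolute or protocol-relative URLs. The enclosing blocks of these hunks begin and end outside the visible lines.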
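--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0)
 // Check if alpha
 //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
- if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
+ if ($check == 'alpha')
+ {
+ if (preg_match('/"/',trim($out))) $out='';
+ else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';
+ }
 }
 return $out;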
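Review bot: The new traversal check `else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';` only matches a literal dot-dot-slash, so `..\`, a trailing `/..`, and a double-encoded request value that PHP decodes to `%2e%2e/` all slip through; browsers resolve percent-encoded dot segments as `..` when following a Location header (WHATWG URL dot-segment rules), so the encoded form is not merely theoretical. A slightly wider pattern costs nothing: `else if (preg_match('#(\.|%2e){2}([/\\\\]|$)#i', trim($out))) $out='';` — and the original `+` quantifier is redundant, since one occurrence already rejects. Note that this is a blacklist on the generic 'alpha' class, which the same commit now applies to `$action` and `$ref` as well; it does not make a value safe as a redirect target, because `http://…` and `//…` pass unchanged, so the call sites that feed `$backtopage` into `header("Location: …")` need their own allowlist. GETPOST's body starts before and ends after this hunk.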
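--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
@@ -34,8 +34,9 @@
 $langs->load('companies');
 $id=GETPOST('id','int');
-$ref = GETPOST('ref');
-$action=GETPOST('action');
+$ref = GETPOST('ref','alpha');
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden();
@@ -55,9 +56,9 @@
 */
 // Cancel
-if (GETPOST("cancel") && GETPOST('backtopage'))
+if (GETPOST("cancel") && ! empty($backtopage))
 {
- header("Location: ".GETPOST('backtopage'));
+ header("Location: ".$backtopage);
 exit;
 }
@@ -276,7 +277,7 @@
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<table class="border" width="100%">';
@@ -332,7 +333,7 @@
 print '<br><center>';
 print '<input type="submit" class="button" value="'.$langs->trans("Create").'">';
- if (GETPOST('backtopage'))
+ if (! empty($backtopage))
 {
 print ' &nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';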
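Review bot: The access gate `if ($id == '' && $ref == '' && (... && ! $_POST["cancel"])) accessforbidden();` reads `$_POST["cancel"]` directly while the cancel branch a few lines later tests `GETPOST("cancel")`; the two can disagree (GETPOST's signature `$method=0` suggests it reads more than one superglobal, so a `cancel` arriving in the query string would satisfy the branch but not the gate) and the raw index access raises an undefined-index notice on every ordinary request. Since the commit is already migrating this file to GETPOST, finish the job: `... && ! GETPOST('cancel'))) accessforbidden();`. The cancel redirect `header("Location: ".$backtopage);` also remains an open redirect, because the 'alpha' filter rejects only `"` and `../`, not absolute or protocol-relative URLs.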
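--- a/htdocs/projet/tasks.php
+++ b/htdocs/projet/tasks.php
@@ -36,6 +36,7 @@
 $action = GETPOST('action', 'alpha');
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
+$backtopage=GETPOST('backtopage','alpha');
 $mode = GETPOST('mode', 'alpha');
 $mine = ($mode == 'mine' ? 1 : 0);
@@ -111,9 +112,9 @@
 if (! $error)
 {
- if (GETPOST('backtopage'))
+ if (! empty($backtopage))
 {
- Header("Location: ".GETPOST('backtopage'));
+ Header("Location: ".$backtopage);
 exit;
 }
 else if (empty($projectid))
@@ -125,9 +126,9 @@
 }
 else
 {
- if (GETPOST('backtopage'))
+ if (! empty($backtopage))
 {
- Header("Location: ".GETPOST('backtopage'));
+ Header("Location: ".$backtopage);
 exit;
 }
 else if (empty($id))
@@ -219,7 +220,7 @@
 print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="createtask">';
- print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+ print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 if (! empty($object->id)) print '<input type="hidden" name="id" value="'.$object->id.'">';
 if (! empty($mode)) print '<input type="hidden" name="mode" value="'.$mode.'">';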
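Review bot: `$backtopage=GETPOST('backtopage','alpha');` breaks the spacing convention of the three lines it is inserted among (`$action = GETPOST('action', 'alpha');`, `$id = GETPOST('id', 'int');`, `$ref = GETPOST('ref', 'alpha');`); write it as `$backtopage = GETPOST('backtopage', 'alpha');` so the block reads uniformly. The two `Header("Location: ".$backtopage);` calls further down carry the same open-redirect exposure as the other files in this commit: the 'alpha' filter drops `"` and `../` but lets `http://` and `//` targets through, so a one-line scheme/protocol-relative guard after the GETPOST is needed here as well. The `if (! $error)` / `else` branches continue outside the visible hunk.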
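--- a/htdocs/public/members/new.php
+++ b/htdocs/public/members/new.php
@@ -47,8 +47,8 @@
 $errmsg='';
 $num=0;
 $error=0;
-$backtopage=GETPOST('backtopage');
-$action=GETPOST('action');
+$backtopage=GETPOST('backtopage','alpha');
+$action=GETPOST('action','alpha');
 // Load translation files
 $langs->load("main");
@@ -255,7 +255,7 @@ function llxFooterVierge()
 $result=$adh->send_an_email($conf->global->ADHERENT_AUTOREGISTER_MAIL,$conf->global->ADHERENT_AUTOREGISTER_MAIL_SUBJECT,array(),array(),array(),"","",0,-1);
 }
- if ($backtopage) $urlback=$backtopage;
+ if (! empty($backtopage)) $urlback=$backtopage;
 else if ($conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION)
 {
 $urlback=$conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION;
@@ -545,7 +545,7 @@ function initturnover() {
 // Save
 print '<br><center>';
 print '<input type="submit" value="'.$langs->trans("Save").'" id="submitsave" class="button">';
-if ($backtopage)
+if (! empty($backtopage))
 {
 print ' &nbsp; &nbsp; <input type="submit" value="'.$langs->trans("Cancel").'" id="submitcancel" class="button">';
 }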
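Review bot: `if (! empty($backtopage)) $urlback=$backtopage;` hands a visitor-supplied target to whatever consumes `$urlback` below the hunk, and judging by its path this is a public, unauthenticated page (htdocs/public/members/new.php); because the 'alpha' filter rejects only `"` and `../`, a crafted signup link with `backtopage=http://attacker.example/` sends the new member to an attacker's page right after a successful registration — a phishing vector that needs no account. Restrict the value where it is read, e.g. `if (preg_match('#^\s*([a-z][a-z0-9+.-]*:|[/\\\\]{2})#i', $backtopage)) $backtopage = '';`, or ignore the parameter entirely on this public page and rely on the admin-controlled `MEMBER_URL_REDIRECT_SUBSCRIPTION` fallback that already exists in the same branch. The redirect that consumes `$urlback` is outside the visible lines.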