Security: A lot of security fixes
eldy committed Nov 2, 2011
1 parent 295745f commit 63820ab
Showing 10 changed files with 74 additions and 70 deletions.
4 changes: 2 additions & 2 deletions htdocs/lib/databases/mssql.lib.php
Expand Up @@ -518,8 +518,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';

$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
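Review bot: The second added line still places `$sortorder` into the ORDER BY as free text: the `[^0-9a-z]` class only strips symbols, so any alphanumeric token passes through to the database unchanged instead of being rejected. Since the only meaningful values here are ASC and DESC, an allowlist is both stricter and simpler, e.g. before the loop `$sortorder=strtoupper(preg_replace('/[^0-9a-z]/i','',$sortorder)); if ($sortorder != 'ASC' && $sortorder != 'DESC') $sortorder='';` — this assumes `$sortorder` carries a single direction rather than a per-field list, which the hunk does not show. `preg_replace()` also returns null on a PCRE error, which the concatenation would silently turn into an empty string rather than a refused query. The loop and the `order()` signature start above the hunk; the identical change appears in mysql.lib.php, mysqli.lib.php and pgsql.lib.php and the same remark applies there.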
5 changes: 3 additions & 2 deletions htdocs/lib/databases/mysql.lib.php
Expand Up @@ -494,6 +494,7 @@ function plimit($limit=0,$offset=0)

/**
* Define sort criteria of request
*
* @param sortfield List of sort fields
* @param sortorder Sort order
* @return string String to provide syntax of a sort sql string
Expand All @@ -510,8 +511,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';

$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
4 changes: 2 additions & 2 deletions htdocs/lib/databases/mysqli.lib.php
Expand Up @@ -524,8 +524,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';

$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
4 changes: 2 additions & 2 deletions htdocs/lib/databases/pgsql.lib.php
Expand Up @@ -666,8 +666,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';

$return.=$val;
if ($sortorder) $return.=' '.$sortorder;
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
73 changes: 37 additions & 36 deletions htdocs/user/fiche.php
Expand Up @@ -35,6 +35,11 @@
if ($conf->ldap->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
if ($conf->adherent->enabled) require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");

$id=GETPOST('id','int');
$action=GETPOST("action");
$group=GETPOST("group","int",3);
$confirm=GETPOST("confirm");

// Define value to know what current user can do on users
$canadduser=($user->admin || $user->rights->user->user->creer);
$canreaduser=($user->admin || $user->rights->user->user->lire);
Expand All @@ -48,26 +53,22 @@
$caneditgroup=($user->admin || $user->rights->user->group_advance->write);
}
// Define value to know what current user can do on properties of edited user
if ($_GET["id"])
if ($id)
{
// $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $_GET["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_GET["id"]) && $user->rights->user->user->creer) );
$caneditpassword=( (($user->id == $_GET["id"]) && $user->rights->user->self->password)
|| (($user->id != $_GET["id"]) && $user->rights->user->user->password) );
// $user est le user qui edite, $id est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer) );
$caneditpassword=( (($user->id == $id) && $user->rights->user->self->password)
|| (($user->id != $id) && $user->rights->user->user->password) );
}

$action=GETPOST("action");
$group=GETPOST("group","int",3);
$confirm=GETPOST("confirm");

// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2='user';
if ($user->id == $_GET["id"]) { $feature2=''; $canreaduser=1; } // A user can always read its own card
$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
if ($user->id <> $_GET["id"] && ! $canreaduser) accessforbidden();
if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $id && ! $canreaduser) accessforbidden();

$langs->load("users");
$langs->load("companies");
Expand All @@ -82,36 +83,36 @@
if ($_GET["subaction"] == 'addrights' && $canedituser)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->addrights($_GET["rights"]);
}

if ($_GET["subaction"] == 'delrights' && $canedituser)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->delrights($_GET["rights"]);
}

if ($action == 'confirm_disable' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
$edituser->setstatus(0);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$message='';

$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);

if (!empty($conf->file->main_limit_users))
{
Expand All @@ -125,18 +126,18 @@
if (! $message)
{
$edituser->setstatus(1);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
}

if ($action == 'confirm_delete' && $confirm == "yes" && $candisableuser)
{
if ($_GET["id"] <> $user->id)
if ($id <> $user->id)
{
$edituser = new User($db);
$edituser->id=$_GET["id"];
$edituser->id=$id;
$result = $edituser->delete();
if ($result < 0)
{
Expand Down Expand Up @@ -232,13 +233,13 @@
$editgroup->oldcopy=dol_clone($editgroup);

$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);
if ($action == 'addgroup') $edituser->SetInGroup($group,GETPOST('entity'));
if ($action == 'removegroup') $edituser->RemoveFromGroup($group,GETPOST('entity'));

if ($result > 0)
{
header("Location: fiche.php?id=".$_GET["id"]);
header("Location: fiche.php?id=".$id);
exit;
}
else
Expand Down Expand Up @@ -271,7 +272,7 @@
{
$db->begin();
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);

$edituser->oldcopy=dol_clone($edituser);

Expand Down Expand Up @@ -360,7 +361,7 @@
else if ($caneditpassword) // Case we can edit only password
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);

$edituser->oldcopy=dol_clone($edituser);

Expand All @@ -377,7 +378,7 @@
|| ($action == 'confirm_passwordsend' && $confirm == 'yes')) && $caneditpassword)
{
$edituser = new User($db);
$edituser->fetch($_GET["id"]);
$edituser->fetch($id);

$newpassword=$edituser->setPassword($user,'');
if ($newpassword < 0)
Expand Down Expand Up @@ -800,10 +801,10 @@
/* */
/* ************************************************************************** */

if ($_GET["id"])
if ($id)
{
$fuser = new User($db);
$fuser->fetch($_GET["id"]);
$fuser->fetch($id);

// Connexion ldap
// pour recuperer passDoNotExpire et userChangePassNextLogon
Expand Down Expand Up @@ -1169,13 +1170,13 @@
// Si on a un gestionnaire de generation de mot de passe actif
if ($conf->global->USER_PASSWORD_GENERATED != 'none')
{
if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)))
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=password">'.$langs->trans("ReinitPassword").'</a>';
}

if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
if ($fuser->email) print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=passwordsend">'.$langs->trans("SendNewPassword").'</a>';
Expand All @@ -1184,19 +1185,19 @@
}

// Activer
if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 0 &&
if ($user->id <> $id && $candisableuser && $fuser->statut == 0 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=enable">'.$langs->trans("Reactivate").'</a>';
}
// Desactiver
if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 1 &&
if ($user->id <> $id && $candisableuser && $fuser->statut == 1 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=disable&amp;id='.$fuser->id.'">'.$langs->trans("DisableUser").'</a>';
}
// Delete
if ($user->id <> $_GET["id"] && $candisableuser &&
if ($user->id <> $id && $candisableuser &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=delete&amp;id='.$fuser->id.'">'.$langs->trans("DeleteUser").'</a>';
Expand Down Expand Up @@ -1232,7 +1233,7 @@
if ($caneditgroup)
{
$form = new Form($db);
print '<form action="fiche.php?id='.$_GET["id"].'" method="post">'."\n";
print '<form action="fiche.php?id='.$id.'" method="post">'."\n";
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addgroup">';
print '<input type="hidden" name="entity" value="'.$conf->entity.'">';
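Review bot: `$_GET["subaction"]` and `$_GET["rights"]` in the addrights/delrights blocks of the `@@ -82,36` hunk are still read raw, while `id` in those same blocks was moved to `GETPOST('id','int')`; `$rights` is handed straight to `addrights()`/`delrights()`, whose handling of the value is not visible here, so it is the same kind of input the commit is otherwise tightening. Reading both through the helper next to the new top-of-file lines, `$subaction=GETPOST('subaction','alpha');` and `$rights=GETPOST('rights','int');` (if rights are identified by a numeric id, which the hunk does not show), keeps the file consistent and removes the last direct superglobal reads in this section. The raw `$_GET["rights"]` use appears twice in that hunk.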
8 changes: 4 additions & 4 deletions htdocs/user/index.php
Expand Up @@ -35,7 +35,7 @@
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;

$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
$sall=GETPOST("sall");

$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
Expand All @@ -51,6 +51,7 @@
$userstatic=new User($db);
$companystatic = new Societe($db);


/*
* View
*/
Expand All @@ -73,9 +74,8 @@
{
$sql.= " AND (u.login like '%".$_POST["search_user"]."%' OR u.name like '%".$_POST["search_user"]."%' OR u.firstname like '%".$_POST["search_user"]."%')";
}
if ($sall) $sql.= " AND (u.login like '%".$sall."%' OR u.name like '%".$sall."%' OR u.firstname like '%".$sall."%' OR u.email like '%".$sall."%' OR u.note like '%".$sall."%')";
if ($sortfield) $sql.=" ORDER BY $sortfield $sortorder";

if ($sall) $sql.= " AND (u.login like '%".$db->escape($sall)."%' OR u.name like '%".$db->escape($sall)."%' OR u.firstname like '%".$db->escape($sall)."%' OR u.email like '%".$db->escape($sall)."%' OR u.note like '%".$db->escape($sall)."%')";
$sql.=$db->order($sortfield,$sortorder);
$result = $db->query($sql);
if ($result)
{
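Review bot: `$_POST["search_user"]` on the line just above the rewritten `$sall` filter is still concatenated unescaped into three LIKE clauses — the very pattern this hunk fixes for `$sall` one line later. Wrapping each use in `$db->escape($_POST["search_user"])`, or reading it through `GETPOST` as `$sall` now is, brings it in line with the rest of the query. Note also that `$db->escape()` presumably does not neutralise the LIKE metacharacters `%` and `_`, so a search term can still widen the match; acceptable for a free-text search box but worth a short comment. The query construction and the `if` wrapping the search_user clause begin above the hunk.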
2 changes: 1 addition & 1 deletion htdocs/user/info.php
Expand Up @@ -30,7 +30,7 @@
$langs->load("users");

// Security check
$id = isset($_GET["id"])?$_GET["id"]:'';
$id = GETPOST('id','int');
$fuser = new User($db);
$fuser->fetch($id);

4 changes: 2 additions & 2 deletions htdocs/user/note.php
Expand Up @@ -27,8 +27,8 @@
require_once(DOL_DOCUMENT_ROOT.'/lib/usergroups.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/user/class/user.class.php');

$action=isset($_GET["action"])?$_GET["action"]:(isset($_POST["action"])?$_POST["action"]:"");
$id=isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:"");
$action=GETPOST('action');
$id=GETPOST('id','int');

$langs->load("companies");
$langs->load("members");
17 changes: 9 additions & 8 deletions htdocs/user/param_ihm.php
Expand Up @@ -33,30 +33,31 @@
$langs->load("users");
$langs->load("languages");

$id=GETPOST('id','int');

// Defini si peux lire/modifier permisssions
$canreaduser=($user->admin || $user->rights->user->user->lire);

if ($_REQUEST["id"])
if ($id)
{
// $user est le user qui edite, $_REQUEST["id"] est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer)
|| (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
// $user est le user qui edite, $id est l'id de l'utilisateur edite
$caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
|| (($user->id != $id) && $user->rights->user->user->creer));
}

// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
if ($user->id == $_REQUEST["id"]) // A user can always read its own card
if ($user->id == $id) // A user can always read its own card
{
$feature2='';
$canreaduser=1;
}
$result = restrictedArea($user, 'user', $_REQUEST["id"], '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $id && ! $canreaduser) accessforbidden();


$id=! empty($_GET["id"])?$_GET["id"]:$_POST["id"];
$dirtop = "../includes/menus/standard";
$dirleft = "../includes/menus/standard";

