Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Security: A lot of security fixes

  • Loading branch information...
commit 63820ab37537fdff842539425b2bf2881f0d8e91 1 parent 295745f
@eldy eldy authored
View
4 htdocs/lib/databases/mssql.lib.php
@@ -518,8 +518,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';
- $return.=$val;
- if ($sortorder) $return.=' '.$sortorder;
+ $return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+ if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
View
5 htdocs/lib/databases/mysql.lib.php
@@ -494,6 +494,7 @@ function plimit($limit=0,$offset=0)
/**
* Define sort criteria of request
+ *
* @param sortfield List of sort fields
* @param sortorder Sort order
* @return string String to provide syntax of a sort sql string
@@ -510,8 +511,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';
- $return.=$val;
- if ($sortorder) $return.=' '.$sortorder;
+ $return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+ if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
View
4 htdocs/lib/databases/mysqli.lib.php
@@ -524,8 +524,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';
- $return.=$val;
- if ($sortorder) $return.=' '.$sortorder;
+ $return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+ if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
View
4 htdocs/lib/databases/pgsql.lib.php
@@ -666,8 +666,8 @@ function order($sortfield=0,$sortorder=0)
if (! $return) $return.=' ORDER BY ';
else $return.=',';
- $return.=$val;
- if ($sortorder) $return.=' '.$sortorder;
+ $return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
+ if ($sortorder) $return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
}
return $return;
}
View
73 htdocs/user/fiche.php
@@ -35,6 +35,11 @@
if ($conf->ldap->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
if ($conf->adherent->enabled) require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");
+$id=GETPOST('id','int');
+$action=GETPOST("action");
+$group=GETPOST("group","int",3);
+$confirm=GETPOST("confirm");
+
// Define value to know what current user can do on users
$canadduser=($user->admin || $user->rights->user->user->creer);
$canreaduser=($user->admin || $user->rights->user->user->lire);
@@ -48,26 +53,22 @@
$caneditgroup=($user->admin || $user->rights->user->group_advance->write);
}
// Define value to know what current user can do on properties of edited user
-if ($_GET["id"])
+if ($id)
{
- // $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edite
- $caneditfield=( (($user->id == $_GET["id"]) && $user->rights->user->self->creer)
- || (($user->id != $_GET["id"]) && $user->rights->user->user->creer) );
- $caneditpassword=( (($user->id == $_GET["id"]) && $user->rights->user->self->password)
- || (($user->id != $_GET["id"]) && $user->rights->user->user->password) );
+ // $user est le user qui edite, $id est l'id de l'utilisateur edite
+ $caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
+ || (($user->id != $id) && $user->rights->user->user->creer) );
+ $caneditpassword=( (($user->id == $id) && $user->rights->user->self->password)
+ || (($user->id != $id) && $user->rights->user->user->password) );
}
-$action=GETPOST("action");
-$group=GETPOST("group","int",3);
-$confirm=GETPOST("confirm");
-
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2='user';
-if ($user->id == $_GET["id"]) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
-if ($user->id <> $_GET["id"] && ! $canreaduser) accessforbidden();
+if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
+$result = restrictedArea($user, 'user', $id, '', $feature2);
+if ($user->id <> $id && ! $canreaduser) accessforbidden();
$langs->load("users");
$langs->load("companies");
@@ -82,36 +83,36 @@
if ($_GET["subaction"] == 'addrights' && $canedituser)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->addrights($_GET["rights"]);
}
if ($_GET["subaction"] == 'delrights' && $canedituser)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->delrights($_GET["rights"]);
}
if ($action == 'confirm_disable' && $confirm == "yes" && $candisableuser)
{
- if ($_GET["id"] <> $user->id)
+ if ($id <> $user->id)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->setstatus(0);
- Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
+ Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser)
{
- if ($_GET["id"] <> $user->id)
+ if ($id <> $user->id)
{
$message='';
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
if (!empty($conf->file->main_limit_users))
{
@@ -125,7 +126,7 @@
if (! $message)
{
$edituser->setstatus(1);
- Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$_GET["id"]);
+ Header("Location: ".DOL_URL_ROOT.'/user/fiche.php?id='.$id);
exit;
}
}
@@ -133,10 +134,10 @@
if ($action == 'confirm_delete' && $confirm == "yes" && $candisableuser)
{
- if ($_GET["id"] <> $user->id)
+ if ($id <> $user->id)
{
$edituser = new User($db);
- $edituser->id=$_GET["id"];
+ $edituser->id=$id;
$result = $edituser->delete();
if ($result < 0)
{
@@ -232,13 +233,13 @@
$editgroup->oldcopy=dol_clone($editgroup);
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
if ($action == 'addgroup') $edituser->SetInGroup($group,GETPOST('entity'));
if ($action == 'removegroup') $edituser->RemoveFromGroup($group,GETPOST('entity'));
if ($result > 0)
{
- header("Location: fiche.php?id=".$_GET["id"]);
+ header("Location: fiche.php?id=".$id);
exit;
}
else
@@ -271,7 +272,7 @@
{
$db->begin();
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->oldcopy=dol_clone($edituser);
@@ -360,7 +361,7 @@
else if ($caneditpassword) // Case we can edit only password
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->oldcopy=dol_clone($edituser);
@@ -377,7 +378,7 @@
|| ($action == 'confirm_passwordsend' && $confirm == 'yes')) && $caneditpassword)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$newpassword=$edituser->setPassword($user,'');
if ($newpassword < 0)
@@ -800,10 +801,10 @@
/* */
/* ************************************************************************** */
- if ($_GET["id"])
+ if ($id)
{
$fuser = new User($db);
- $fuser->fetch($_GET["id"]);
+ $fuser->fetch($id);
// Connexion ldap
// pour recuperer passDoNotExpire et userChangePassNextLogon
@@ -1169,13 +1170,13 @@
// Si on a un gestionnaire de generation de mot de passe actif
if ($conf->global->USER_PASSWORD_GENERATED != 'none')
{
- if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
+ if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)))
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=password">'.$langs->trans("ReinitPassword").'</a>';
}
- if (($user->id != $_GET["id"] && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
+ if (($user->id != $id && $caneditpassword) && $fuser->login && !$fuser->ldap_sid &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
if ($fuser->email) print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=passwordsend">'.$langs->trans("SendNewPassword").'</a>';
@@ -1184,19 +1185,19 @@
}
// Activer
- if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 0 &&
+ if ($user->id <> $id && $candisableuser && $fuser->statut == 0 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butAction" href="fiche.php?id='.$fuser->id.'&amp;action=enable">'.$langs->trans("Reactivate").'</a>';
}
// Desactiver
- if ($user->id <> $_GET["id"] && $candisableuser && $fuser->statut == 1 &&
+ if ($user->id <> $id && $candisableuser && $fuser->statut == 1 &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=disable&amp;id='.$fuser->id.'">'.$langs->trans("DisableUser").'</a>';
}
// Delete
- if ($user->id <> $_GET["id"] && $candisableuser &&
+ if ($user->id <> $id && $candisableuser &&
(empty($conf->multicompany->enabled) || ($fuser->entity == $conf->entity)) )
{
print '<a class="butActionDelete" href="fiche.php?action=delete&amp;id='.$fuser->id.'">'.$langs->trans("DeleteUser").'</a>';
@@ -1232,7 +1233,7 @@
if ($caneditgroup)
{
$form = new Form($db);
- print '<form action="fiche.php?id='.$_GET["id"].'" method="post">'."\n";
+ print '<form action="fiche.php?id='.$id.'" method="post">'."\n";
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addgroup">';
print '<input type="hidden" name="entity" value="'.$conf->entity.'">';
View
8 htdocs/user/index.php
@@ -35,7 +35,7 @@
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sall=GETPOST("sall");
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
@@ -51,6 +51,7 @@
$userstatic=new User($db);
$companystatic = new Societe($db);
+
/*
* View
*/
@@ -73,9 +74,8 @@
{
$sql.= " AND (u.login like '%".$_POST["search_user"]."%' OR u.name like '%".$_POST["search_user"]."%' OR u.firstname like '%".$_POST["search_user"]."%')";
}
-if ($sall) $sql.= " AND (u.login like '%".$sall."%' OR u.name like '%".$sall."%' OR u.firstname like '%".$sall."%' OR u.email like '%".$sall."%' OR u.note like '%".$sall."%')";
-if ($sortfield) $sql.=" ORDER BY $sortfield $sortorder";
-
+if ($sall) $sql.= " AND (u.login like '%".$db->escape($sall)."%' OR u.name like '%".$db->escape($sall)."%' OR u.firstname like '%".$db->escape($sall)."%' OR u.email like '%".$db->escape($sall)."%' OR u.note like '%".$db->escape($sall)."%')";
+$sql.=$db->order($sortfield,$sortorder);
$result = $db->query($sql);
if ($result)
{
View
2  htdocs/user/info.php
@@ -30,7 +30,7 @@
$langs->load("users");
// Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id','int');
$fuser = new User($db);
$fuser->fetch($id);
View
4 htdocs/user/note.php
@@ -27,8 +27,8 @@
require_once(DOL_DOCUMENT_ROOT.'/lib/usergroups.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/user/class/user.class.php');
-$action=isset($_GET["action"])?$_GET["action"]:(isset($_POST["action"])?$_POST["action"]:"");
-$id=isset($_GET["id"])?$_GET["id"]:(isset($_POST["id"])?$_POST["id"]:"");
+$action=GETPOST('action');
+$id=GETPOST('id','int');
$langs->load("companies");
$langs->load("members");
View
17 htdocs/user/param_ihm.php
@@ -33,30 +33,31 @@
$langs->load("users");
$langs->load("languages");
+$id=GETPOST('id','int');
+
// Defini si peux lire/modifier permisssions
$canreaduser=($user->admin || $user->rights->user->user->lire);
-if ($_REQUEST["id"])
+if ($id)
{
- // $user est le user qui edite, $_REQUEST["id"] est l'id de l'utilisateur edite
- $caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer)
- || (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
+ // $user est le user qui edite, $id est l'id de l'utilisateur edite
+ $caneditfield=( (($user->id == $id) && $user->rights->user->self->creer)
+ || (($user->id != $id) && $user->rights->user->user->creer));
}
// Security check
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
-if ($user->id == $_REQUEST["id"]) // A user can always read its own card
+if ($user->id == $id) // A user can always read its own card
{
$feature2='';
$canreaduser=1;
}
-$result = restrictedArea($user, 'user', $_REQUEST["id"], '', $feature2);
-if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
+$result = restrictedArea($user, 'user', $id, '', $feature2);
+if ($user->id <> $id && ! $canreaduser) accessforbidden();
-$id=! empty($_GET["id"])?$_GET["id"]:$_POST["id"];
$dirtop = "../includes/menus/standard";
$dirleft = "../includes/menus/standard";
View
23 htdocs/user/perms.php
@@ -32,8 +32,9 @@
$langs->load("admin");
$module=isset($_GET["module"])?$_GET["module"]:$_POST["module"];
+$id = GETPOST('id','int');
-if (! isset($_GET["id"]) || empty($_GET["id"])) accessforbidden();
+if (! $id) accessforbidden();
// Defini si peux lire les permissions
$canreaduser=($user->admin || $user->rights->user->user->lire);
@@ -43,7 +44,7 @@
if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
{
$canreaduser=($user->admin || ($user->rights->user->user->lire && $user->rights->user->user_advance->readperms));
- $caneditselfperms=($user->id == $_GET["id"] && $user->rights->user->self_advance->writeperms);
+ $caneditselfperms=($user->id == $id && $user->rights->user->self_advance->writeperms);
$caneditperms = '('.$caneditperms.' || '.$caneditselfperms.')';
}
@@ -51,12 +52,12 @@
$socid=0;
if ($user->societe_id > 0) $socid = $user->societe_id;
$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
-if ($user->id == $_GET["id"]) // A user can always read its own card
+if ($user->id == $id) // A user can always read its own card
{
$feature2='';
$canreaduser=1;
}
-$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+$result = restrictedArea($user, 'user', $id, '', $feature2);
if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden();
@@ -66,11 +67,11 @@
if ($_GET["action"] == 'addrights' && $caneditperms)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->addrights($_GET["rights"],$module);
// Si on a touche a ses propres droits, on recharge
- if ($_GET["id"] == $user->id)
+ if ($id == $user->id)
{
$user->clearrights();
$user->getrights();
@@ -80,11 +81,11 @@
if ($_GET["action"] == 'delrights' && $caneditperms)
{
$edituser = new User($db);
- $edituser->fetch($_GET["id"]);
+ $edituser->fetch($id);
$edituser->delrights($_GET["rights"],$module);
// Si on a touche a ses propres droits, on recharge
- if ($_GET["id"] == $user->id)
+ if ($id == $user->id)
{
$user->clearrights();
$user->getrights();
@@ -104,7 +105,7 @@
$form=new Form($db);
$fuser = new User($db);
-$fuser->fetch($_GET["id"]);
+$fuser->fetch($id);
$fuser->getrights();
/*
@@ -125,9 +126,9 @@
foreach ($conf->file->dol_document_root as $type => $dirroot)
{
$modulesdir[] = $dirroot . "/includes/modules/";
-
+
if ($type == 'alt')
- {
+ {
$handle=@opendir($dirroot);
if (is_resource($handle))
{
Please sign in to comment.
Something went wrong with that request. Please try again.