FIX security vulnerability reported by ADLab of Venustech
eldy committed Dec 21, 2017
1 parent 62f895e commit 6a62e13
Showing 60 changed files with 562 additions and 129 deletions.
9 changes: 9 additions & 0 deletions htdocs/accountancy/tpl/export_journal.tpl.php
Expand Up @@ -15,6 +15,15 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}


$prefix = $conf->global->ACCOUNTING_EXPORT_PREFIX_SPEC;
$format = $conf->global->ACCOUNTING_EXPORT_FORMAT;
$nodateexport = $conf->global->ACCOUNTING_EXPORT_NO_DATE_IN_FILENAME;
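Review bot: The guard added at L17-L22 answers a direct request with the error text under an HTTP 200, so access logs and scanners cannot distinguish a blocked template call from a normal page; I would set the status before the print, `http_response_code(403);` (PHP >= 5.4). The check is only effective because a bare HTTP request cannot populate `$conf` — register_globals was removed in PHP 5.4 — and that assumption is worth recording in the comment, e.g. `// A direct HTTP request cannot define $conf (no register_globals since PHP 5.4), so its absence means no controller page included this template`. The diffstat suggests the same block is pasted into every template touched by this commit, so a drift in one copy would silently weaken that file; a reviewer should expect to see the identical text in each.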
Expand Up @@ -14,8 +14,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE ADHERENTCARD_CREATE.TPL.PHP DEFAULT -->
Expand Up @@ -14,9 +14,16 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}


$contact = $GLOBALS['objcanvas']->control->object;

?>
10 changes: 9 additions & 1 deletion htdocs/adherents/canvas/default/tpl/adherentcard_view.tpl.php
Expand Up @@ -14,10 +14,18 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}


$contact = $GLOBALS['objcanvas']->control->object;

?>

<!-- BEGIN PHP TEMPLATE ADHERENTCARD_VIEW.TPL.PHP DEFAULT -->
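Review bot: The new guard checks only `$conf`, yet L82 immediately dereferences `$GLOBALS['objcanvas']->control->object` without verifying that the including page set up a canvas controller, so a page that has `$conf` but no canvas falls through to PHP notices/warnings on a null property read rather than a clean refusal. I would extend the guard with a second check, `if (empty($GLOBALS['objcanvas']) || empty($GLOBALS['objcanvas']->control)) { print "Error, template requires a canvas controller"; exit; }`. Where `$GLOBALS['objcanvas']` is populated is not visible here, so the exact shape of that check should be confirmed against the canvas loader; the header comment could also list the variables this template expects from its includer.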
11 changes: 9 additions & 2 deletions htdocs/adherents/tpl/linkedobjectblock.tpl.php
Expand Up @@ -15,8 +15,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -33,7 +40,7 @@
$total=0;
foreach($linkedObjectBlock as $key => $objectlink)
{

?>
<tr <?php echo $GLOBALS['bc'][$var]; ?> >
<td><?php echo $langs->trans("Subscription"); ?></td>
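Review bot: The header should document what this template expects from the page that includes it, because the guard added at L97-L101 only detects a direct URL call: the body reads `$linkedObjectBlock` (L108), `$langs` (L113) and `$GLOBALS['bc'][$var]` (L112) from the including scope with no check. I would add, after the guard, `// Expects from the includer: $conf, $langs, $linkedObjectBlock (objects to list), $var (row parity for $bc) - the guard above only catches a direct URL call`. `$var` is not assigned anywhere in the visible lines; it may be set between the hunks, which should be confirmed.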
12 changes: 10 additions & 2 deletions htdocs/comm/propal/tpl/linkedobjectblock.tpl.php
Expand Up @@ -22,6 +22,14 @@
* \ingroup propal
* \brief Template to show objects linked to proposals
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -40,7 +48,7 @@
foreach($linkedObjectBlock as $key => $objectlink)
{
$ilink++;

$trclass=($var?'pair':'impair');
if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total';
?>
Expand Down Expand Up @@ -71,7 +79,7 @@
<td align="right"></td>
<td align="right"></td>
</tr>
<?php
<?php
}
?>

13 changes: 10 additions & 3 deletions htdocs/commande/tpl/linkedobjectblock.tpl.php
Expand Up @@ -15,8 +15,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -36,7 +43,7 @@
foreach($linkedObjectBlock as $key => $objectlink)
{
$ilink++;

$trclass=($var?'pair':'impair');
if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total';
?>
Expand Down Expand Up @@ -76,7 +83,7 @@
<td align="right"></td>
<td align="right"></td>
</tr>
<?php
<?php
}
?>

2 changes: 1 addition & 1 deletion htdocs/compta/facture/card.php
Expand Up @@ -2538,7 +2538,7 @@
print '&nbsp;&nbsp;&nbsp; <input data-role="none" type="checkbox" name="invoiceAvoirWithLines" id="invoiceAvoirWithLines" value="1" onclick="$(\'#credit_note_options input[type=checkbox]\').not(this).prop(\'checked\', false);" '.(GETPOST('invoiceAvoirWithLines','int')>0 ? 'checked':'').' /> <label for="invoiceAvoirWithLines">'.$langs->trans('invoiceAvoirWithLines')."</label>";
print '<br>&nbsp;&nbsp;&nbsp; <input data-role="none" type="checkbox" name="invoiceAvoirWithPaymentRestAmount" id="invoiceAvoirWithPaymentRestAmount" value="1" onclick="$(\'#credit_note_options input[type=checkbox]\').not(this).prop(\'checked\', false);" '.(GETPOST('invoiceAvoirWithPaymentRestAmount','int')>0 ? 'checked':'').' /> <label for="invoiceAvoirWithPaymentRestAmount">'.$langs->trans('invoiceAvoirWithPaymentRestAmount')."</label>";
print '</div>';

print '</div></div>';
}
}
15 changes: 11 additions & 4 deletions htdocs/compta/facture/tpl/linkedobjectblock.tpl.php
Expand Up @@ -15,8 +15,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -36,7 +43,7 @@
foreach($linkedObjectBlock as $key => $objectlink)
{
$ilink++;

$trclass=($var?'pair':'impair');
if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total';
?>
Expand All @@ -54,7 +61,7 @@
$total = $total + $sign * $objectlink->total_ht;
echo price($objectlink->total_ht);
}
else
else
{
echo '<strike>'.price($objectlink->total_ht).'</strike>';
}
Expand All @@ -76,7 +83,7 @@
<td align="right"></td>
<td align="right"></td>
</tr>
<?php
<?php
}
?>

11 changes: 9 additions & 2 deletions htdocs/compta/facture/tpl/linkedobjectblockForRec.tpl.php
Expand Up @@ -15,8 +15,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -36,7 +43,7 @@
foreach($linkedObjectBlock as $key => $objectlink)
{
$ilink++;

$trclass=($var?'pair':'impair');
if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total';
?>
9 changes: 8 additions & 1 deletion htdocs/contact/canvas/default/tpl/contactcard_create.tpl.php
Expand Up @@ -13,8 +13,15 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE CONTACTCARD_CREATE.TPL.PHP DEFAULT -->
9 changes: 8 additions & 1 deletion htdocs/contact/canvas/default/tpl/contactcard_edit.tpl.php
Expand Up @@ -13,9 +13,16 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}


$contact = $GLOBALS['objcanvas']->control->object;

?>
9 changes: 8 additions & 1 deletion htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php
Expand Up @@ -13,9 +13,16 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}


$contact = $GLOBALS['objcanvas']->control->object;
?>

10 changes: 9 additions & 1 deletion htdocs/contrat/tpl/linkedobjectblock.tpl.php
Expand Up @@ -14,6 +14,14 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE -->
Expand All @@ -33,7 +41,7 @@
foreach($linkedObjectBlock as $key => $objectlink)
{
$ilink++;

$trclass=($var?'pair':'impair');
if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total';
?>
23 changes: 15 additions & 8 deletions htdocs/core/tpl/admin_extrafields_add.tpl.php
Expand Up @@ -26,6 +26,13 @@
* $elementtype
*/

// Protection to avoid direct call of template
if (empty($conf) || ! is_object($conf))
{
print "Error, template page can't be called as URL";
exit;
}

?>

<!-- BEGIN PHP TEMPLATE admin_extrafields_add.tpl.php -->
Expand Down Expand Up @@ -56,11 +63,11 @@ function init_typeoffields(type)

// Case of computed field
console.log(type);
if (type == '' || type == 'varchar' || type == 'int' || type == 'double' || type == 'price') {
jQuery("tr.extra_computed_value").show();
if (type == '' || type == 'varchar' || type == 'int' || type == 'double' || type == 'price') {
jQuery("tr.extra_computed_value").show();
} else {
computed_value.val(''); jQuery("tr.extra_computed_value").hide();
}
}
if (computed_value.val())
{
console.log("We enter a computed formula");
Expand All @@ -75,7 +82,7 @@ function init_typeoffields(type)
jQuery("#default_value, #unique, #required, #alwayseditable, #ishidden, #list").attr('disabled', false);
jQuery("tr.extra_default_value, tr.extra_unique, tr.extra_required, tr.extra_alwayseditable, tr.extra_ishidden, tr.extra_list").show();
}

if (type == 'date') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value_choice").hide();jQuery("#helpchkbxlst").hide(); }
else if (type == 'datetime') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value_choice").hide(); jQuery("#helpchkbxlst").hide();}
else if (type == 'double') { size.val('24,8').removeAttr('disabled'); unique.removeAttr('disabled'); jQuery("#value_choice").hide(); jQuery("#helpchkbxlst").hide();}
Expand All @@ -90,8 +97,8 @@ function init_typeoffields(type)
else if (type == 'checkbox') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value_choice").show();jQuery("#helpselect").show();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide();}
else if (type == 'chkbxlst') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").show();jQuery("#helplink").hide();}
else if (type == 'link') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").show();}
else if (type == 'separate') {
size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true);
else if (type == 'separate') {
size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true);
jQuery("#value_choice").hide();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide();
}
else { // type = string
Expand All @@ -102,12 +109,12 @@ function init_typeoffields(type)
if (type == 'separate')
{
required.removeAttr('checked').prop('disabled', true); alwayseditable.removeAttr('checked').prop('disabled', true); list.val('').prop('disabled', true);
jQuery('#size, #default_value').val('').prop('disabled', true);
jQuery('#size, #default_value').val('').prop('disabled', true);
}
else
{
default_value.removeAttr('disabled');
required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled');
required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled');
}
}
init_typeoffields('<?php echo GETPOST('type'); ?>');
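Review bot: L414 writes a request parameter straight into a JavaScript string literal, `init_typeoffields('<?php echo GETPOST('type'); ?>');`, with no check type passed to GETPOST and no escaping for the JS context, so a `type` value containing a single quote breaks out of the literal; unless GETPOST with no check argument sanitizes its return (not visible here), that is a reflected script injection this commit leaves in place while only adding the direct-call guard above. I would restrict the read and escape for the context, `init_typeoffields('<?php echo dol_escape_js(GETPOST('type', 'alpha')); ?>');`, if the project's dol_escape_js() helper is available in templates; the practical impact depends on who can reach this admin page. The `console.log(type);` at L369 and the one at L380 are debug output left in shipped JS and should be dropped. The init_typeoffields function starts before the visible hunk at L366.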
