
Commit 8f9b998

committed
Fix: Multiple directory traversal vulnerabilities with document.php
1 parent 1d0d820 commit 8f9b998

10 files changed

+70
-66
lines changed


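--- a/htdocs/comm/action/document.php
+++ b/htdocs/comm/action/document.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2003-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
 * Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
-* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
+* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
 * Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
 *
 * This program is free software; you can redistribute it and/or modify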

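--- a/htdocs/comm/action/fiche.php
+++ b/htdocs/comm/action/fiche.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
 * Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
-* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
+* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
 * Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
@@ -43,11 +43,12 @@
 $langs->load("orders");
 $langs->load("agenda");
 
-$action=GETPOST("action");
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 
 // Security check
-$socid = GETPOST('socid');
-$id = GETPOST('id');
+$socid = GETPOST('socid','int');
+$id = GETPOST('id','int');
 if ($user->societe_id) $socid=$user->societe_id;
 //$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');
 
@@ -66,9 +67,7 @@
 {
 $error=0;
 
-$backtopage='';
-if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"];
-if (! $backtopage)
+if (empty($backtopage))
 {
 if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid;
 else $backtopage=DOL_URL_ROOT.'/comm/action/index.php';
@@ -339,14 +338,9 @@
 }
 else
 {
-if (! empty($_POST["from"])) // deprecated. Use backtopage instead
-{
-header("Location: ".$_POST["from"]);
-exit;
-}
-if (! empty($_POST["backtopage"]))
+if (! empty($backtopage))
 {
-header("Location: ".$_POST["backtopage"]);
+header("Location: ".$backtopage);
 exit;
 }
 }
@@ -426,7 +420,7 @@ function setdatefields()
 print '<form name="formaction" action="'.DOL_URL_ROOT.'/comm/action/fiche.php" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add_action">';
-if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") != 1 ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
+print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
 
 if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous"));
 else print_fiche_titre($langs->trans("AddAnAction"));
@@ -679,7 +673,7 @@ function setdatefields()
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="id" value="'.$id.'">';
 print '<input type="hidden" name="ref_ext" value="'.$act->ref_ext.'">';
-if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
+print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
 
 print '<table class="border" width="100%">';
 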
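Review bot: The fallback `$_SERVER["HTTP_REFERER"]` in the hidden fields at new lines 423 and 676 is written into a double-quoted HTML attribute without going through the `alpha` filter or any escaping, so the `"` rejection that protects `$backtopage` does not cover it; escape the whole value, e.g. `htmlspecialchars(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"], ENT_QUOTES)`. The `alpha` check also rejects only `"` and `../`, not absolute URLs, so `header("Location: ".$backtopage)` at new line 343 still redirects to whatever the request supplied; the same pattern is in remise.php, remx.php, contact/fiche.php, projet/fiche.php and projet/tasks.php in this commit. Restricting `$backtopage` to a site-relative path before redirecting (for example, `parse_url()` reporting neither scheme nor host) would close that. The `print` statements of the last two hunks sit in code that begins and ends outside the hunks.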

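--- a/htdocs/comm/remise.php
+++ b/htdocs/comm/remise.php
@@ -30,21 +30,23 @@
 $langs->load("orders");
 $langs->load("bills");
 
-$socid = GETPOST("id");
+$socid = GETPOST('id','int');
 // Security check
 if ($user->societe_id > 0)
 {
 $socid = $user->societe_id;
 }
 
+$backtopage = GETPOST('backtopage','alpha');
+
 
 /*
 * Actions
 */
 
-if (GETPOST('cancel') && GETPOST('backtopage'))
+if (GETPOST('cancel') && ! empty($backtopage))
 {
-Header("Location: ".GETPOST("backtopage"));
+Header("Location: ".$backtopage);
 exit;
 }
 
@@ -56,9 +58,9 @@
 
 if ($result > 0)
 {
-if (GETPOST('backtopage'))
+if (! empty($backtopage))
 {
-Header("Location: ".GETPOST('backtopage'));
+Header("Location: ".$backtopage);
 exit;
 }
 else
@@ -122,7 +124,7 @@
 print '<form method="POST" action="remise.php?id='.$objsoc->id.'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setremise">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 
 print '<table class="border" width="100%">';
 
@@ -138,7 +140,7 @@
 
 print '<center>';
 print '<input type="submit" class="button" value="'.$langs->trans("Modify").'">';
-if (GETPOST("backtopage"))
+if (! empty($backtopage))
 {
 print '&nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';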

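--- a/htdocs/comm/remx.php
+++ b/htdocs/comm/remx.php
@@ -32,7 +32,8 @@
 $langs->load("bills");
 $langs->load("companies");
 
-$action=GETPOST('action');
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 
 // Security check
 $socid = GETPOST("id");
@@ -46,9 +47,9 @@
 * Actions
 */
 
-if (GETPOST('cancel') && GETPOST('backtopage'))
+if (GETPOST('cancel') && ! empty($backtopage))
 {
-Header("Location: ".GETPOST("backtopage"));
+Header("Location: ".$backtopage);
 exit;
 }
 
@@ -151,9 +152,9 @@
 
 if ($discountid > 0)
 {
-if (GETPOST("backtopage"))
+if (! empty($backtopage))
 {
-Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid);
+Header("Location: ".$backtopage.'&discountid='.$discountid);
 exit;
 }
 else
@@ -228,7 +229,7 @@
 print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'?id='.$objsoc->id.'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setremise">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 
 print '<table class="border" width="100%">';
 
@@ -280,7 +281,7 @@
 
 print '<center>';
 print '<input type="submit" class="button" name="submit" value="'.$langs->trans("AddGlobalDiscount").'">';
-if (GETPOST("backtopage"))
+if (! empty($backtopage))
 {
 print '&nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';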
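Review bot: The `$socid = GETPOST("id");` line that closes the first hunk (new line 39) is left without a filter, while this same commit changes the identical assignment in remise.php to `GETPOST('id','int')` and filters `$id`/`$socid` as `'int'` in every other touched file. Change it to `$socid = GETPOST('id','int');` so the two discount pages validate their company id the same way. The redirect at new line 157 appends `'&discountid='` to `$backtopage`, which presumes the stored URL already carries a query string; that is pre-existing behaviour, but worth a comment if it is intentional.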

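--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -39,10 +39,11 @@
 
 $mesg=''; $error=0; $errors=array();
 
-$action = (GETPOST('action') ? GETPOST('action') : 'view');
-$confirm = GETPOST('confirm');
-$id = GETPOST("id");
-$socid = GETPOST("socid");
+$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view');
+$confirm = GETPOST('confirm','alpha');
+$backtopage = GETPOST('backtopage','alpha');
+$id = GETPOST('id','int');
+$socid = GETPOST('socid','int');
 if ($user->societe_id) $socid=$user->societe_id;
 
 $object = new Contact($db);
@@ -76,17 +77,17 @@
 if (empty($reshook))
 {
 // Cancel
-if (GETPOST("cancel") && GETPOST('backtopage'))
+if (GETPOST("cancel") && ! empty($backtopage))
 {
-header("Location: ".GETPOST('backtopage'));
+header("Location: ".$backtopage);
 exit;
 }
 
 // Creation utilisateur depuis contact
 if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer)
 {
 // Recuperation contact actuel
-$result = $object->fetch($_GET["id"]);
+$result = $object->fetch($id);
 
 if ($result > 0)
 {
@@ -172,7 +173,7 @@
 if (! $error && $id > 0)
 {
 $db->commit();
-if (GETPOST('backtopage')) $url=GETPOST('backtopage');
+if (! empty($backtopage)) $url=$backtopage;
 else $url='fiche.php?id='.$id;
 Header("Location: ".$url);
 exit;
@@ -368,7 +369,7 @@
 print '<form method="post" name="formsoc" action="'.$_SERVER["PHP_SELF"].'">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<table class="border" width="100%">';
 
 // Name
@@ -497,7 +498,7 @@
 
 print '<center>';
 print '<input type="submit" class="button" name="add" value="'.$langs->trans("Add").'">';
-if (GETPOST('backtopage'))
+if (! empty($backtopage))
 {
 print ' &nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
@@ -537,11 +538,11 @@
 print '</script>';
 }
 
-print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.GETPOST("id").'" name="formsoc">';
+print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" name="formsoc">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
-print '<input type="hidden" name="id" value="'.GETPOST("id").'">';
+print '<input type="hidden" name="id" value="'.$id.'">';
 print '<input type="hidden" name="action" value="update">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 print '<input type="hidden" name="contactid" value="'.$object->id.'">';
 print '<input type="hidden" name="old_name" value="'.$object->name.'">';
 print '<input type="hidden" name="old_firstname" value="'.$object->firstname.'">';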
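Review bot: New line 42 reads `GETPOST('action','alpha')` twice just to apply the `'view'` default; a single read is clearer and avoids running the filter twice: `$action = GETPOST('action','alpha'); if (empty($action)) $action = 'view';`. The hidden `backtopage` fields at new lines 372 and 545 rely solely on the `alpha` filter's rejection of `"` to keep the value inside the attribute; `htmlspecialchars($backtopage, ENT_QUOTES)` makes the output escaping explicit instead of depending on an input blacklist, and the same applies to the matching fields in remise.php, remx.php, projet/fiche.php and projet/tasks.php. Note also that `$object->fetch($id)` at new line 90 now accepts the id from POST as well as GET, where the old `$_GET["id"]` did not — fine if intended, but worth a word in the commit message.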

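--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0)
 // Check if alpha
 //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
-if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
+if ($check == 'alpha')
+{
+if (preg_match('/"/',trim($out))) $out='';
+else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';
+}
 }
 
 return $out;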
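Review bot: The traversal check added at new lines 260-264 only recognises `..` followed by a forward slash, so a `..` segment written with a backslash, or a bare trailing `..`, still passes the `alpha` filter; matching either separator, `/\.\.[\/\\\\]/`, closes the obvious gap, and the `(...)+` group adds nothing since one occurrence already triggers the match. Both branches blank `$out`, so the pair of `preg_match` calls can be one condition: `if ($check == 'alpha' && preg_match('/"|\.\.[\/\\\\]/', trim($out))) $out='';`. The comment at line 259 explains only the `"` case; add `// '../' is rejected because the value may be used to build a file path (see document.php)` so the next reader knows why a generic parameter filter carries a path rule. A blacklist in a general-purpose getter is a second line of defence at best; the file-serving code should still canonicalise the final path and check it stays under the intended directory.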

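--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2004-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
 * Copyright (C) 2005 Simon Tosser <simon@kornog-computing.com>
-* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
+* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
 * Copyright (C) 2010 Pierre Morin <pierre.morin@auguria.net>
 * Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
 *
@@ -50,10 +50,10 @@ function llxHeader() { }
 require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php');
 
 $encoding = '';
-$action = GETPOST("action");
-$original_file = GETPOST("file"); // Do not use urldecode here ($_GET are already decoded by PHP).
-$modulepart = GETPOST("modulepart");
-$urlsource = GETPOST("urlsource");
+$action = GETPOST('action','alpha');
+$original_file = GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP).
+$modulepart = GETPOST('modulepart','alpha');
+$urlsource = GETPOST('urlsource','alpha');
 
 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
@@ -72,7 +72,7 @@ function llxHeader() { }
 
 // Define mime type
 $type = 'application/octet-stream';
-if (GETPOST('type')) $type=GETPOST('type');
+if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
 else $type=dol_mimetype($original_file);
 //print 'X'.$type.'-'.$original_file;exit;
 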
7878

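--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
@@ -34,8 +34,9 @@
 $langs->load('companies');
 
 $id=GETPOST('id','int');
-$ref = GETPOST('ref');
-$action=GETPOST('action');
+$ref = GETPOST('ref','alpha');
+$action=GETPOST('action','alpha');
+$backtopage=GETPOST('backtopage','alpha');
 
 if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden();
 
@@ -55,9 +56,9 @@
 */
 
 // Cancel
-if (GETPOST("cancel") && GETPOST('backtopage'))
+if (GETPOST("cancel") && ! empty($backtopage))
 {
-header("Location: ".GETPOST('backtopage'));
+header("Location: ".$backtopage);
 exit;
 }
 
@@ -276,7 +277,7 @@
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 
 print '<table class="border" width="100%">';
 
@@ -332,7 +333,7 @@
 
 print '<br><center>';
 print '<input type="submit" class="button" value="'.$langs->trans("Create").'">';
-if (GETPOST('backtopage'))
+if (! empty($backtopage))
 {
 print ' &nbsp; &nbsp; ';
 print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';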
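Review bot: The access check at new line 41 still reads `$_POST["cancel"]` directly, while the cancel branch the commit touches at new line 59 uses `GETPOST("cancel")`, so the two disagree on where `cancel` comes from and the raw index raises an undefined-index notice whenever the button was not pressed. Replacing it with `! GETPOST('cancel')` keeps both reads consistent and notice-free. The new `'alpha'` filter on `$ref` also blanks a ref containing `"` silently; with `$id == '' && $ref == ''` that falls into `accessforbidden()`, which is a safe outcome but may be confusing to debug, so a short comment at line 37 noting the interaction would help.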

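--- a/htdocs/projet/tasks.php
+++ b/htdocs/projet/tasks.php
@@ -36,6 +36,7 @@
 $action = GETPOST('action', 'alpha');
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
+$backtopage=GETPOST('backtopage','alpha');
 
 $mode = GETPOST('mode', 'alpha');
 $mine = ($mode == 'mine' ? 1 : 0);
@@ -111,9 +112,9 @@
 
 if (! $error)
 {
-if (GETPOST('backtopage'))
+if (! empty($backtopage))
 {
-Header("Location: ".GETPOST('backtopage'));
+Header("Location: ".$backtopage);
 exit;
 }
 else if (empty($projectid))
@@ -125,9 +126,9 @@
 }
 else
 {
-if (GETPOST('backtopage'))
+if (! empty($backtopage))
 {
-Header("Location: ".GETPOST('backtopage'));
+Header("Location: ".$backtopage);
 exit;
 }
 else if (empty($id))
@@ -219,7 +220,7 @@
 print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="createtask">';
-print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
+print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 if (! empty($object->id)) print '<input type="hidden" name="id" value="'.$object->id.'">';
 if (! empty($mode)) print '<input type="hidden" name="mode" value="'.$mode.'">';
 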
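Review bot: New line 39, `$backtopage=GETPOST('backtopage','alpha');`, drops the spaces around `=` and after the comma that the three lines directly above it use (`$ref = GETPOST('ref', 'alpha');`); write it `$backtopage = GETPOST('backtopage', 'alpha');` to match its neighbours. The other files in this commit use the compact spelling throughout, so this is a per-file consistency point, not a project-wide one. The two redirect blocks at new lines 115-119 and 129-133 are byte-identical; their enclosing `if (! $error)`/`else` starts and ends outside the hunks, so whether they can be hoisted above the split is not decidable from here.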
