Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix: Multiple directory traversal vulnerabilities with document.php
  • Loading branch information
hregis committed Feb 27, 2012
1 parent 1d0d820 commit 8f9b998
Show file tree
Hide file tree
Showing 10 changed files with 70 additions and 66 deletions.
2 changes: 1 addition & 1 deletion htdocs/comm/action/document.php
Expand Up @@ -2,7 +2,7 @@
/* Copyright (C) 2003-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
*
* This program is free software; you can redistribute it and/or modify
Expand Down
26 changes: 10 additions & 16 deletions htdocs/comm/action/fiche.php
Expand Up @@ -2,7 +2,7 @@
/* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
Expand Down Expand Up @@ -43,11 +43,12 @@
$langs->load("orders");
$langs->load("agenda");

$action=GETPOST("action");
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');

// Security check
$socid = GETPOST('socid');
$id = GETPOST('id');
$socid = GETPOST('socid','int');
$id = GETPOST('id','int');
if ($user->societe_id) $socid=$user->societe_id;
//$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');

Expand All @@ -66,9 +67,7 @@
{
$error=0;

$backtopage='';
if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"];
if (! $backtopage)
if (empty($backtopage))
{
if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid;
else $backtopage=DOL_URL_ROOT.'/comm/action/index.php';
Expand Down Expand Up @@ -339,14 +338,9 @@
}
else
{
if (! empty($_POST["from"])) // deprecated. Use backtopage instead
{
header("Location: ".$_POST["from"]);
exit;
}
if (! empty($_POST["backtopage"]))
if (! empty($backtopage))
{
header("Location: ".$_POST["backtopage"]);
header("Location: ".$backtopage);
exit;
}
}
Expand Down Expand Up @@ -426,7 +420,7 @@ function setdatefields()
print '<form name="formaction" action="'.DOL_URL_ROOT.'/comm/action/fiche.php" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add_action">';
if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") != 1 ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';

if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous"));
else print_fiche_titre($langs->trans("AddAnAction"));
Expand Down Expand Up @@ -679,7 +673,7 @@ function setdatefields()
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="ref_ext" value="'.$act->ref_ext.'">';
if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';

print '<table class="border" width="100%">';

Expand Down
16 changes: 9 additions & 7 deletions htdocs/comm/remise.php
Expand Up @@ -30,21 +30,23 @@
$langs->load("orders");
$langs->load("bills");

$socid = GETPOST("id");
$socid = GETPOST('id','int');
// Security check
if ($user->societe_id > 0)
{
$socid = $user->societe_id;
}

$backtopage = GETPOST('backtopage','alpha');


/*
* Actions
*/

if (GETPOST('cancel') && GETPOST('backtopage'))
if (GETPOST('cancel') && ! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage"));
Header("Location: ".$backtopage);
exit;
}

Expand All @@ -56,9 +58,9 @@

if ($result > 0)
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else
Expand Down Expand Up @@ -122,7 +124,7 @@
print '<form method="POST" action="remise.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';

print '<table class="border" width="100%">';

Expand All @@ -138,7 +140,7 @@

print '<center>';
print '<input type="submit" class="button" value="'.$langs->trans("Modify").'">';
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
print '&nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
Expand Down
15 changes: 8 additions & 7 deletions htdocs/comm/remx.php
Expand Up @@ -32,7 +32,8 @@
$langs->load("bills");
$langs->load("companies");

$action=GETPOST('action');
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');

// Security check
$socid = GETPOST("id");
Expand All @@ -46,9 +47,9 @@
* Actions
*/

if (GETPOST('cancel') && GETPOST('backtopage'))
if (GETPOST('cancel') && ! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage"));
Header("Location: ".$backtopage);
exit;
}

Expand Down Expand Up @@ -151,9 +152,9 @@

if ($discountid > 0)
{
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid);
Header("Location: ".$backtopage.'&discountid='.$discountid);
exit;
}
else
Expand Down Expand Up @@ -228,7 +229,7 @@
print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';

print '<table class="border" width="100%">';

Expand Down Expand Up @@ -280,7 +281,7 @@

print '<center>';
print '<input type="submit" class="button" name="submit" value="'.$langs->trans("AddGlobalDiscount").'">';
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
print '&nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
Expand Down
27 changes: 14 additions & 13 deletions htdocs/contact/fiche.php
Expand Up @@ -39,10 +39,11 @@

$mesg=''; $error=0; $errors=array();

$action = (GETPOST('action') ? GETPOST('action') : 'view');
$confirm = GETPOST('confirm');
$id = GETPOST("id");
$socid = GETPOST("socid");
$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view');
$confirm = GETPOST('confirm','alpha');
$backtopage = GETPOST('backtopage','alpha');
$id = GETPOST('id','int');
$socid = GETPOST('socid','int');
if ($user->societe_id) $socid=$user->societe_id;

$object = new Contact($db);
Expand Down Expand Up @@ -76,17 +77,17 @@
if (empty($reshook))
{
// Cancel
if (GETPOST("cancel") && GETPOST('backtopage'))
if (GETPOST("cancel") && ! empty($backtopage))
{
header("Location: ".GETPOST('backtopage'));
header("Location: ".$backtopage);
exit;
}

// Creation utilisateur depuis contact
if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer)
{
// Recuperation contact actuel
$result = $object->fetch($_GET["id"]);
$result = $object->fetch($id);

if ($result > 0)
{
Expand Down Expand Up @@ -172,7 +173,7 @@
if (! $error && $id > 0)
{
$db->commit();
if (GETPOST('backtopage')) $url=GETPOST('backtopage');
if (! empty($backtopage)) $url=$backtopage;
else $url='fiche.php?id='.$id;
Header("Location: ".$url);
exit;
Expand Down Expand Up @@ -368,7 +369,7 @@
print '<form method="post" name="formsoc" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<table class="border" width="100%">';

// Name
Expand Down Expand Up @@ -497,7 +498,7 @@

print '<center>';
print '<input type="submit" class="button" name="add" value="'.$langs->trans("Add").'">';
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
print ' &nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
Expand Down Expand Up @@ -537,11 +538,11 @@
print '</script>';
}

print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.GETPOST("id").'" name="formsoc">';
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" name="formsoc">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="id" value="'.GETPOST("id").'">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<input type="hidden" name="contactid" value="'.$object->id.'">';
print '<input type="hidden" name="old_name" value="'.$object->name.'">';
print '<input type="hidden" name="old_firstname" value="'.$object->firstname.'">';
Expand Down
6 changes: 5 additions & 1 deletion htdocs/core/lib/functions.lib.php
Expand Up @@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0)
// Check if alpha
//if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
if ($check == 'alpha')
{
if (preg_match('/"/',trim($out))) $out='';
else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';
}
}

return $out;
Expand Down
12 changes: 6 additions & 6 deletions htdocs/document.php
Expand Up @@ -2,7 +2,7 @@
/* Copyright (C) 2004-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Simon Tosser <simon@kornog-computing.com>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2010 Pierre Morin <pierre.morin@auguria.net>
* Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
*
Expand Down Expand Up @@ -50,10 +50,10 @@ function llxHeader() { }
require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php');

$encoding = '';
$action = GETPOST("action");
$original_file = GETPOST("file"); // Do not use urldecode here ($_GET are already decoded by PHP).
$modulepart = GETPOST("modulepart");
$urlsource = GETPOST("urlsource");
$action = GETPOST('action','alpha');
$original_file = GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP).
$modulepart = GETPOST('modulepart','alpha');
$urlsource = GETPOST('urlsource','alpha');

// Security check
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
Expand All @@ -72,7 +72,7 @@ function llxHeader() { }

// Define mime type
$type = 'application/octet-stream';
if (GETPOST('type')) $type=GETPOST('type');
if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
else $type=dol_mimetype($original_file);
//print 'X'.$type.'-'.$original_file;exit;

Expand Down
13 changes: 7 additions & 6 deletions htdocs/projet/fiche.php
Expand Up @@ -34,8 +34,9 @@
$langs->load('companies');

$id=GETPOST('id','int');
$ref = GETPOST('ref');
$action=GETPOST('action');
$ref = GETPOST('ref','alpha');
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');

if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden();

Expand All @@ -55,9 +56,9 @@
*/

// Cancel
if (GETPOST("cancel") && GETPOST('backtopage'))
if (GETPOST("cancel") && ! empty($backtopage))
{
header("Location: ".GETPOST('backtopage'));
header("Location: ".$backtopage);
exit;
}

Expand Down Expand Up @@ -276,7 +277,7 @@
print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';

print '<table class="border" width="100%">';

Expand Down Expand Up @@ -332,7 +333,7 @@

print '<br><center>';
print '<input type="submit" class="button" value="'.$langs->trans("Create").'">';
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
print ' &nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
Expand Down
11 changes: 6 additions & 5 deletions htdocs/projet/tasks.php
Expand Up @@ -36,6 +36,7 @@
$action = GETPOST('action', 'alpha');
$id = GETPOST('id', 'int');
$ref = GETPOST('ref', 'alpha');
$backtopage=GETPOST('backtopage','alpha');

$mode = GETPOST('mode', 'alpha');
$mine = ($mode == 'mine' ? 1 : 0);
Expand Down Expand Up @@ -111,9 +112,9 @@

if (! $error)
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else if (empty($projectid))
Expand All @@ -125,9 +126,9 @@
}
else
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else if (empty($id))
Expand Down Expand Up @@ -219,7 +220,7 @@
print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="createtask">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
if (! empty($object->id)) print '<input type="hidden" name="id" value="'.$object->id.'">';
if (! empty($mode)) print '<input type="hidden" name="mode" value="'.$mode.'">';

Expand Down

0 comments on commit 8f9b998

Please sign in to comment.