
Commit c539155

committed
Security: More security holes fixed
1 parent 63820ab commit c539155

5 files changed

+23
-22
lines changed


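--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -29,8 +29,9 @@
 
 $langs->load("admin");
 
-if (!$user->admin)
-accessforbidden();
+$id=GETPOST('rowid','int');
+
+if (!$user->admin) accessforbidden();
 
 // Definition des positions possibles pour les boites
 $pos_array = array(0); // Positions possibles pour une boite (0,1,2,...)
@@ -101,7 +102,7 @@
 $db->begin();
 
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
-$sql.= " WHERE rowid=".$_GET["rowid"];
+$sql.= " WHERE rowid=".$id;
 $resql = $db->query($sql);
 
 // Remove all personalized setup when a box is activated or disabled
@@ -288,7 +289,7 @@
 
 dol_include_once($sourcefile);
 $box=new $boxname($db,$obj->note);
-
+
 $enabled=true;
 if ($box->depends && sizeof($box->depends) > 0)
 {
@@ -297,7 +298,7 @@
 if (empty($conf->$module->enabled)) $enabled=false;
 }
 }
-
+
 if ($enabled)
 {
 //if (in_array($obj->rowid, $actives) && $box->box_multiple <> 1)
@@ -308,7 +309,7 @@
 else
 {
 $var=!$var;
-
+
 if (preg_match('/^([^@]+)@([^@]+)$/i',$box->boximg))
 {
 $logo = $box->boximg;
@@ -317,14 +318,14 @@
 {
 $logo=preg_replace("/^object_/i","",$box->boximg);
 }
-
+
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.img_object("",$logo).' '.$box->boxlabel.'</td>';
 print '<td>' . ($obj->note?$obj->note:'&nbsp;') . '</td>';
 print '<td>' . $sourcefile . '</td>';
-
+
 // Pour chaque position possible, on affiche un lien
 // d'activation si boite non deja active pour cette position
 print '<td>';
@@ -333,11 +334,11 @@
 print '<input type="hidden" name="boxid" value="'.$obj->rowid.'">';
 print ' <input type="submit" class="button" name="button" value="'.$langs->trans("Activate").'">';
 print '</td>';
-
+
 print '</tr></form>';
 }
 }
-
+
 $i++;
 }
 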
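Review bot: The DELETE at new line 105 still builds its WHERE clause by concatenating `$id`, so the query's safety now rests entirely on what GETPOST's 'int' filter returns for an absent or non-numeric rowid, which this page does not show; if it yields an empty string the statement becomes `WHERE rowid=` and fails inside the transaction opened at line 102. Casting at the point of use, `$sql.= " WHERE rowid=".(int) $id;`, keeps the integer guarantee local to the query and independent of the filter, and rejecting `$id <= 0` before `$db->begin()` avoids an empty DELETE transaction. The action branch containing the DELETE starts before the hunk, so whether the form token emitted at new line 323 is verified before the delete is reached cannot be confirmed from this view.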
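--- a/htdocs/admin/ihm.php
+++ b/htdocs/admin/ihm.php
@@ -38,8 +38,7 @@
 $langs->load("products");
 $langs->load("members");
 
-if (!$user->admin)
-accessforbidden();
+if (!$user->admin) accessforbidden();
 
 
 if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");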

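--- a/htdocs/lib/usergroups.lib.php
+++ b/htdocs/lib/usergroups.lib.php
@@ -234,7 +234,7 @@ function show_theme($fuser,$edit=0,$foruserprofile=false)
 $url=$urltheme."/".$subdir."/thumb.png";
 if (! file_exists($file)) $url=$urltheme."/common/nophoto.jpg";
 print '<table><tr><td>';
-print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(! empty($_GET["optioncss"])?'&optioncss='.$_GET["optioncss"]:'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
+print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST("optioncss")?'&optioncss='.GETPOST("optioncss",'alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
 if ($subdir == $conf->global->MAIN_THEME) $title=$langs->trans("ThemeCurrentlyActive");
 else $title=$langs->trans("ShowPreview");
 print '<img src="'.$url.'" border="0" width="80" height="60" alt="'.$title.'" title="'.$title.'">';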
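Review bot: At new line 237 the optioncss value is still written straight into the href attribute, so the change only narrows the input through the 'alpha' filter and adds no output encoding for the attribute context; the same pattern appears in htdocs/main.inc.php at new lines 876, 884 and 895 of top_htmlhead. The guard also tests the unfiltered `GETPOST("optioncss")` while the filtered call produces the output, so the two can disagree when the filter strips the value to empty. Reading it once into a local, `$optioncss=GETPOST("optioncss",'alpha',1);`, testing that, and emitting `htmlspecialchars($optioncss, ENT_QUOTES)` keeps the attribute safe regardless of how the filter evolves. show_theme begins before the hunk and continues after it.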

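--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -76,6 +76,7 @@ function test_sql_and_script_inject($val,$get)
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/<script/i', $val);
+if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
 return $sql_inj;
@@ -751,11 +752,11 @@ function analyse_sql_and_script(&$var,$get)
 if (GETPOST('action') == 'switchentity' && $user->admin && ! $user->entity)
 {
 $res = @dol_include_once("/multicompany/class/actions_multicompany.class.php");
-
+
 if ($res)
 {
 $mc = new ActionsMulticompany($db);
-
+
 if($mc->switchEntity(GETPOST('entity')) > 0)
 {
 Header("Location: ".DOL_URL_ROOT.'/');
@@ -872,15 +873,15 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 // Output style sheets (optioncss='print' or '')
 $themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1);
 //print 'themepath='.$themepath;exit;
-print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'').'">'."\n";
+print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'">'."\n";
 // CSS forced by modules (relative url starting with /)
 if (is_array($conf->css_modules))
 {
 foreach($conf->css_modules as $cssfile)
 { // cssfile is an absolute path
 print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
-if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 print '">'."\n";
 }
 }
@@ -891,7 +892,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 {
 print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
-if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 print '">'."\n";
 }
 }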
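Review bot: The new check at line 79 of test_sql_and_script_inject matches only the literal `javascript:` substring, so it is a denylist heuristic rather than a guarantee, and its value depends on every print site still encoding output for its context; it should be documented as such so callers do not treat a passing value as safe to echo. A comment above it, `// Heuristic only: flags a literal javascript: scheme in GET values; output must still be escaped per context`, would make that explicit. Unlike the `<script` test on line 78 it is limited to `$get`, and the reason POST values are exempt is worth stating in the same comment. The function begins before the hunk.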

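--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -33,7 +33,7 @@
 
 $langs->load("users");
 
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sall=GETPOST("sall");
 
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
@@ -61,9 +61,9 @@
 $sql.= " WHERE g.entity IN (0,".$conf->entity.")";
 if ($_POST["search_group"])
 {
-$sql .= " AND (g.nom like '%".$_POST["search_group"]."%' OR g.note like '%".$_POST["search_group"]."%')";
+$sql .= " AND (g.nom like '%".$db->escape($_POST["search_group"])."%' OR g.note like '%".$db->escape($_POST["search_group"])."%')";
 }
-if ($sall) $sql.= " AND (g.nom like '%".$sall."%' OR g.note like '%".$sall."%')";
+if ($sall) $sql.= " AND (g.nom like '%".$db->escape($sall)."%' OR g.note like '%".$db->escape($sall)."%')";
 $sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec";
 $sql.= $db->order($sortfield,$sortorder);
 
@@ -73,7 +73,7 @@
 $num = $db->num_rows($resql);
 $i = 0;
 
-$param="search_group=$search_group&amp;sall=$sall";
+$param="search_group=".$search_group."&amp;sall=".$sall;
 print "<table class=\"noborder\" width=\"100%\">";
 print '<tr class="liste_titre">';
 print_liste_field_titre($langs->trans("Group"),$_SERVER["PHP_SELF"],"g.nom",$param,"","",$sortfield,$sortorder);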
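Review bot: `$param` at new line 76 still concatenates `$search_group` and `$sall` into a query string without URL encoding, and that string is handed to print_liste_field_titre for link construction at line 79, so a search term containing `&`, `=` or a space breaks the sort links and the raw value reaches an attribute; `$param="search_group=".urlencode($search_group)."&amp;sall=".urlencode($sall);` addresses both, assuming `$search_group` (defined outside the hunk) holds the posted value. The branch at line 62 also keeps reading `$_POST["search_group"]` directly while `$sall` moved to GETPOST on line 36, which is inconsistent and raises an undefined-index notice when the key is absent. `$db->escape()` at lines 64 and 66 handles quoting but not LIKE metacharacters, so `%` and `_` in a term are still interpreted as wildcards.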
