
Security: More security holes fixed

1 parent 63820ab commit c539155d6ac2f5b6ea75b87a16f298c0090e535a @eldy eldy committed Nov 2, 2011
Showing with 23 additions and 22 deletions.
  1. +11 −10 htdocs/admin/boxes.php
  2. +1 −2 htdocs/admin/ihm.php
  3. +1 −1 htdocs/lib/usergroups.lib.php
  4. +6 −5 htdocs/main.inc.php
  5. +4 −4 htdocs/user/group/index.php
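--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -29,8 +29,9 @@
 $langs->load("admin");
-if (!$user->admin)
- accessforbidden();
+$id=GETPOST('rowid','int');
+
+if (!$user->admin) accessforbidden();
 // Definition des positions possibles pour les boites
 $pos_array = array(0); // Positions possibles pour une boite (0,1,2,...)
@@ -101,7 +102,7 @@
 $db->begin();
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
- $sql.= " WHERE rowid=".$_GET["rowid"];
+ $sql.= " WHERE rowid=".$id;
 $resql = $db->query($sql);
 // Remove all personalized setup when a box is activated or disabled
@@ -288,7 +289,7 @@
 dol_include_once($sourcefile);
 $box=new $boxname($db,$obj->note);
-
+
 $enabled=true;
 if ($box->depends && sizeof($box->depends) > 0)
 {
@@ -297,7 +298,7 @@
 if (empty($conf->$module->enabled)) $enabled=false;
 }
 }
-
+
 if ($enabled)
 {
 //if (in_array($obj->rowid, $actives) && $box->box_multiple <> 1)
@@ -308,7 +309,7 @@
 else
 {
 $var=!$var;
-
+
 if (preg_match('/^([^@]+)@([^@]+)$/i',$box->boximg))
 {
 $logo = $box->boximg;
@@ -317,14 +318,14 @@
 {
 $logo=preg_replace("/^object_/i","",$box->boximg);
 }
-
+
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
 print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.img_object("",$logo).' '.$box->boxlabel.'</td>';
 print '<td>' . ($obj->note?$obj->note:'&nbsp;') . '</td>';
 print '<td>' . $sourcefile . '</td>';
-
+
 // Pour chaque position possible, on affiche un lien
 // d'activation si boite non deja active pour cette position
 print '<td>';
@@ -333,11 +334,11 @@
 print '<input type="hidden" name="boxid" value="'.$obj->rowid.'">';
 print ' <input type="submit" class="button" name="button" value="'.$langs->trans("Activate").'">';
 print '</td>';
-
+
 print '</tr></form>';
 }
 }
-
+
 $i++;
 }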
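Review bot: `$id` from `GETPOST('rowid','int')` is still concatenated unquoted into the DELETE at `$sql.= " WHERE rowid=".$id;`, so the statement's safety rests entirely on what the `'int'` filter does, which this page does not show; if it only validates (for example with is_numeric) instead of casting, a non-numeric value yields a syntactically broken query and numeric-looking strings pass through unchanged. A defense-in-depth cast costs nothing: `if ((int) $id <= 0) accessforbidden();` before the query and `$sql.= " WHERE rowid=".(int) $id;` in it, so an empty or bogus id never reaches the database. Note that `GETPOST` with no method argument presumably reads both GET and POST, whereas the replaced code read `$_GET["rowid"]` only; confirm that widening is intended. The branch containing the DELETE starts outside the hunk, so whether the `token` printed in the form is verified before it runs cannot be seen here.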
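--- a/htdocs/admin/ihm.php
+++ b/htdocs/admin/ihm.php
@@ -38,8 +38,7 @@
 $langs->load("products");
 $langs->load("members");
-if (!$user->admin)
- accessforbidden();
+if (!$user->admin) accessforbidden();
 if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");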
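--- a/htdocs/lib/usergroups.lib.php
+++ b/htdocs/lib/usergroups.lib.php
@@ -234,7 +234,7 @@ function show_theme($fuser,$edit=0,$foruserprofile=false)
 $url=$urltheme."/".$subdir."/thumb.png";
 if (! file_exists($file)) $url=$urltheme."/common/nophoto.jpg";
 print '<table><tr><td>';
- print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(! empty($_GET["optioncss"])?'&optioncss='.$_GET["optioncss"]:'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
+ print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST("optioncss")?'&optioncss='.GETPOST("optioncss",'alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
 if ($subdir == $conf->global->MAIN_THEME) $title=$langs->trans("ThemeCurrentlyActive");
 else $title=$langs->trans("ShowPreview");
 print '<img src="'.$url.'" border="0" width="80" height="60" alt="'.$title.'" title="'.$title.'">';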
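Review bot: The `optioncss` value is still written into an `href` attribute with no output encoding at `'&optioncss='.GETPOST("optioncss",'alpha',1)`; the `'alpha'` filter and the global rejection of `"` in GET parameters are input-side blacklists whose exact rules are not visible here, and an attribute needs context-specific escaping regardless of what the input layer does. Use `'&optioncss='.urlencode(GETPOST("optioncss",'alpha',1))` (or htmlspecialchars with ENT_QUOTES on the assembled URL) so the value can neither break out of the attribute nor smuggle extra query parameters. The guard `GETPOST("optioncss")` reads the parameter with no method argument while the emitted value is read with method `1`, which appears to restrict the source, so a value supplied the other way produces a dangling `&optioncss=`; call GETPOST the same way in both places. `show_theme` starts before and continues after the hunk.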
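--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -76,6 +76,7 @@ function test_sql_and_script_inject($val,$get)
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/<script/i', $val);
+ if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
 return $sql_inj;
@@ -751,11 +752,11 @@ function analyse_sql_and_script(&$var,$get)
 if (GETPOST('action') == 'switchentity' && $user->admin && ! $user->entity)
 {
 $res = @dol_include_once("/multicompany/class/actions_multicompany.class.php");
-
+
 if ($res)
 {
 $mc = new ActionsMulticompany($db);
-
+
 if($mc->switchEntity(GETPOST('entity')) > 0)
 {
 Header("Location: ".DOL_URL_ROOT.'/');
@@ -872,15 +873,15 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 // Output style sheets (optioncss='print' or '')
 $themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1);
 //print 'themepath='.$themepath;exit;
- print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'').'">'."\n";
+ print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.'?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'">'."\n";
 // CSS forced by modules (relative url starting with /)
 if (is_array($conf->css_modules))
 {
 foreach($conf->css_modules as $cssfile)
 { // cssfile is an absolute path
 print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
- if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+ if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 print '">'."\n";
 }
 }
@@ -891,7 +892,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 {
 print '<link rel="stylesheet" type="text/css" title="default" href="'.dol_buildpath($cssfile,1);
 // We add params only if page is not static, because some web server setup does not return content type text/css if url has parameters and browser cache is not used.
- if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss'):'');
+ if (!preg_match('/\.css$/i',$cssfile)) print '?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'');
 print '">'."\n";
 }
 }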
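Review bot: The added `if ($get) $sql_inj += preg_match('/javascript:/i', $val);` in `test_sql_and_script_inject` is a keyword blacklist and should not be treated as the XSS defense: it misses `vbscript:` and `data:` URLs, obfuscations such as `java&#09;script:` or a tab inside the word that browsers still honour, and it is skipped entirely for POST values. The `<link>` hunks later in this same section print `GETPOST('optioncss','alpha',1)` straight into an `href` attribute, so the durable fix is output encoding at those sinks, e.g. `'&optioncss='.htmlspecialchars(GETPOST('optioncss','alpha',1), ENT_QUOTES)`, keeping the regex only as a tripwire. If the tripwire stays, widen it to `$sql_inj += preg_match('/(javascript|vbscript|data)\s*:/i', $val);` and apply it regardless of `$get`, since the `'/"/i'` line beneath it shows the same GET-only gap. `test_sql_and_script_inject` begins before the hunk and `top_htmlhead` is cut on both sides.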
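--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -33,7 +33,7 @@
 $langs->load("users");
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sall=GETPOST("sall");
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
@@ -61,9 +61,9 @@
 $sql.= " WHERE g.entity IN (0,".$conf->entity.")";
 if ($_POST["search_group"])
 {
- $sql .= " AND (g.nom like '%".$_POST["search_group"]."%' OR g.note like '%".$_POST["search_group"]."%')";
+ $sql .= " AND (g.nom like '%".$db->escape($_POST["search_group"])."%' OR g.note like '%".$db->escape($_POST["search_group"])."%')";
 }
-if ($sall) $sql.= " AND (g.nom like '%".$sall."%' OR g.note like '%".$sall."%')";
+if ($sall) $sql.= " AND (g.nom like '%".$db->escape($sall)."%' OR g.note like '%".$db->escape($sall)."%')";
 $sql.= " GROUP BY g.rowid, g.nom, g.entity, g.datec";
 $sql.= $db->order($sortfield,$sortorder);
@@ -73,7 +73,7 @@
 $num = $db->num_rows($resql);
 $i = 0;
- $param="search_group=$search_group&amp;sall=$sall";
+ $param="search_group=".$search_group."&amp;sall=".$sall;
 print "<table class=\"noborder\" width=\"100%\">";
 print '<tr class="liste_titre">';
 print_liste_field_titre($langs->trans("Group"),$_SERVER["PHP_SELF"],"g.nom",$param,"","",$sortfield,$sortorder);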
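Review bot: `$sall` is SQL-escaped for the query but then copied raw into `$param="search_group=".$search_group."&amp;sall=".$sall;`, which is handed to `print_liste_field_titre` to build the column-sort links, so the search string reaches an HTML attribute with neither URL nor HTML encoding; use `$param="search_group=".urlencode($search_group)."&amp;sall=".urlencode($sall);`. `$search_group` is never assigned in this section (the WHERE clause reads `$_POST["search_group"]` directly), so either it is set outside the hunk or the sort links silently drop the group filter; worth confirming. `$db->escape()` presumably does not neutralise the LIKE metacharacters `%` and `_`, which is harmless for injection but lets a user match every row, and `if ($sall)` discards a search for the literal string `0`. The SQL statement is assembled across lines that start before this hunk.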
