diff --git a/admin.php b/admin.php
index a59623e6a..dfc19689b 100644
--- a/admin.php
+++ b/admin.php
@@ -42,8 +42,6 @@
diff --git a/admin.settings_api.php b/admin.settings_api.php
index a723c57f0..9ae409f76 100644
--- a/admin.settings_api.php
+++ b/admin.settings_api.php
@@ -230,7 +230,7 @@ function newIPDB()
function ip_update(id, value, ip)
{
- $("#api_db_type").val("admin_action_api_save_key");
+ $("#api_db_type").val("admin_action_api_save_ip");
$("#api_db_id").val(id);
$("#api_db_action").val("update");
$("#div_key").show();
@@ -261,6 +261,7 @@ function ip_update(id, value, ip)
$("#api_db_message").html("'.$txt['error_too_long'].'");
exit;
}
+
$("#div_loading").show();
var $this = $(this);
// send query
diff --git a/api/config.php b/api/config.php
deleted file mode 100644
index e1ac69d4a..000000000
--- a/api/config.php
+++ /dev/null
@@ -1,9 +0,0 @@
-
diff --git a/api/functions.php b/api/functions.php
index 39462dd9a..d53d503b4 100644
--- a/api/functions.php
+++ b/api/functions.php
@@ -1,4 +1,19 @@
0 && !array_search($_SERVER['REMOTE_ADDR'], $apiip_pool)) {
+ if (count($apiip_pool) > 0 && array_search($_SERVER['REMOTE_ADDR'], $apiip_pool) === false) {
rest_error('IPWHITELIST');
}
}
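Review bot: The rewritten whitelist test now handles a match at index 0, but `array_search` without the strict flag still compares loosely, and `in_array` states the intent more directly: `if (count($apiip_pool) > 0 && !in_array($_SERVER['REMOTE_ADDR'], $apiip_pool, true)) {`. Most of this hunk (the header reports 19 new lines) is not visible here, so where `$apiip_pool` is filled cannot be checked; if the entries come from the database they should be trimmed when loaded so a stored value with stray whitespace does not silently fail a strict match. `REMOTE_ADDR` is the right source only when no reverse proxy sits in front of the API, which the hunk does not show either way.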
@@ -169,36 +184,19 @@ function rest_get () {
if ($GLOBALS['request'][0] == "read") {
if($GLOBALS['request'][1] == "category") {
- $array_category = explode(';',$GLOBALS['request'][2]);
-
- foreach($array_category as $category) {
- if(!preg_match_all("/^([\w\:\'\-\sà áâãäåçèéêëìÃîïðòóôõöùúûüýÿ]+)$/i", $category,$result)) {
- rest_error('CATEGORY_MALFORMED');
- }
- }
-
- if(count($array_category) > 1 && count($array_category) < 5) {
- for ($i = count($array_category); $i > 0; $i--) {
- $slot = $i - 1;
- if (!$slot) {
- $category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = 0";
- } else {
- $category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = (";
- }
- }
- for ($i = 1; $i < count($array_category); $i++) { $category_query .= ")"; }
- } elseif (count($array_category) == 1) {
- $category_query = "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[0]."' AND parent_id = 0";
+ // get ids
+ if (strpos($GLOBALS['request'][2],",") > 0) {
+ $condition = "id_tree IN (".$GLOBALS['request'][2].")";
} else {
- rest_error ('NO_CATEGORY');
+ $condition = "id_tree = '".$GLOBALS['request'][2]."'";
}
- $response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where id_tree = (".$category_query.")");
+ $response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where ".$condition);
while ($data = $response->fetch())
{
$id = $data['id'];
$json[$id]['label'] = utf8_encode($data['label']);
$json[$id]['login'] = utf8_encode($data['login']);
-// $json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key);
+ $json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key);
}
} elseif($GLOBALS['request'][1] == "item") {
$array_category = explode(';',$GLOBALS['request'][2]);
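Review bot: The new `$condition` built on the lines `"id_tree IN (".$GLOBALS['request'][2].")"` and `"id_tree = '".$GLOBALS['request'][2]."'"` concatenates a request path segment straight into the SQL handed to `$bdd->query()`, so a caller of the read/category endpoint controls the WHERE clause (the title-based query it replaces had the same defect; the rewrite keeps it). Since this branch now expects numeric tree ids, reduce the segment to integers before use, which also makes the `strpos` test unnecessary: `$ids = array_filter(array_map('intval', explode(',', $GLOBALS['request'][2])));` `if (count($ids) === 0) { rest_error('NO_CATEGORY'); }` `$condition = 'id_tree IN ('.implode(',', $ids).')';` — this also restores the NO_CATEGORY error path the rewrite dropped, relying on `rest_error()` to stop execution as the old branch did. The `$rand_key` passed to the re-enabled `teampass_decrypt_pw(...)` call is not assigned anywhere in the hunk; presumably it is set earlier in rest_get(), which starts before and continues past this hunk, so confirm it is defined on this path.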
@@ -325,6 +323,4 @@ function teampass_decrypt_pw($encrypted, $salt, $rand_key, $itcount = 2072)
$encrypted = substr($encrypted, 0, -64);
if ($mac !== hash_hmac('sha256', $encrypted, $salt)) return null;
return substr(rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, 'ctr', $iv), "\0\4"), strlen($rand_key));
-}
-
-?>
+}
\ No newline at end of file
diff --git a/api/index.php b/api/index.php
index e4e7738e7..9611e88e3 100644
--- a/api/index.php
+++ b/api/index.php
@@ -1,6 +1,19 @@
'views.php',
'manage_main' => 'admin.php',
'manage_settings' => 'admin.settings.php'
-);
+);
\ No newline at end of file
diff --git a/items.load.php b/items.load.php
index cfe3b5458..727839114 100644
--- a/items.load.php
+++ b/items.load.php
@@ -2617,6 +2617,7 @@ function prepareOneTimeView()
function(data) {
//check if format error
if (data[0].error == "") {
+ $("#div_dialog_message").dialog({minHeight:500,minWidth:750});
$("#div_dialog_message").dialog('open');
$("#div_dialog_message_text").html(data[0].url);
} else {
diff --git a/items.php b/items.php
index 892307061..a1c379ae8 100644
--- a/items.php
+++ b/items.php
@@ -96,13 +96,13 @@
';
// Hidden objects for Item search
if (isset($_GET['group']) && isset($_GET['id'])) {
- echo '
';
- echo '
';
- echo '
';
+ echo '
';
+ echo '
';
+ echo '
';
} elseif (isset($_GET['group']) && !isset($_GET['id'])) {
- echo '
';
+ echo '
';
echo '
';
- echo '
';
+ echo '
';
} else {
echo '
';
echo '
';
@@ -230,7 +230,7 @@
}
// Prepare folder
$folderTxt = '
-
';
+ ';
if (in_array($folder->id, $_SESSION['groupes_visibles'])) {
$folderTxt .= '
'.$fldTitle.' ('.$itemsNb.' ';
@@ -358,7 +358,7 @@
'.$txt['label'].' :
-
+
';
@@ -367,7 +367,7 @@
'.$txt['description'].' :
-
+
';
// Line for PW
@@ -455,7 +455,7 @@
'.$field[1].' :
-
+
';
}
diff --git a/otv.php b/otv.php
index 3ab1ec37d..811c60574 100644
--- a/otv.php
+++ b/otv.php
@@ -70,6 +70,13 @@
// get data
$pw = decrypt($dataItem['pw']);
+
+ // get key for original pw
+ $originalKey = $db->queryFirst('SELECT rand_key FROM `'.$pre.'keys` WHERE `table` LIKE "items" AND `id` ='.intval($_GET['item_id']));
+ // unsalt previous pw
+ $pw = substr(decrypt($dataItem['pw']), strlen($originalKey['rand_key']));
+
+
$label = $dataItem['label'];
$email = $dataItem['email'];
$url = $dataItem['url'];
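Review bot: The added `$pw = substr(decrypt($dataItem['pw']), strlen($originalKey['rand_key']));` has no guard for the keys query returning no row, and it repeats the `decrypt()` performed three lines earlier, which leaves the first `$pw` assignment dead. Reuse the already decrypted value and strip the prefix only when a key was found: `$pw = decrypt($dataItem['pw']);` followed by `if (!empty($originalKey['rand_key'])) { $pw = substr($pw, strlen($originalKey['rand_key'])); }`. Whether `queryFirst()` returns false or an empty array on no match is not visible here; the `!empty` guard covers both. The enclosing block starts and ends outside the hunk.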
diff --git a/sources/admin.queries.php b/sources/admin.queries.php
index c7df3285e..af507c424 100644
--- a/sources/admin.queries.php
+++ b/sources/admin.queries.php
@@ -919,6 +919,7 @@
'api',
array(
'label' => $_POST['label'],
+ 'value' => $_POST['key'],
'timestamp' => time()
),
"id='".intval($_POST['id'])."'"
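Review bot: The added `'value' => $_POST['key']` stores the submitted API key without any validation, while the neighbouring `id` on the next line is wrapped in `intval()`; whether the update helper parameterises or escapes array values is not visible in this hunk, so if it concatenates them this is a new injection point. Constrain the key at the boundary before it reaches the query, e.g. `'value' => preg_match('/^[A-Za-z0-9]+$/', $_POST['key']) ? $_POST['key'] : ''` (adjust the pattern to whatever format the key generator produces), or reject the request with an error when it does not match. The surrounding update statement starts before the hunk.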
diff --git a/sources/datatable/datatable.item_edition.php b/sources/datatable/datatable.item_edition.php
index 322b3ed3c..4c736576d 100644
--- a/sources/datatable/datatable.item_edition.php
+++ b/sources/datatable/datatable.item_edition.php
@@ -31,6 +31,7 @@
//Columns name
$aColumns = array('e.timestamp', 'u.login', 'i.label', 'u.name', 'u.lastname');
+$aSortTypes = array('ASC', 'DESC');
//init SQL variables
$sOrder = $sLimit = $sWhere = "";
@@ -39,19 +40,30 @@
//Paging
$sLimit = "";
if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') {
- $sLimit = "LIMIT ". $_GET['iDisplayStart'] .", ". $_GET['iDisplayLength'] ;
+ $sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT)."";
}
//Ordering
-if (isset($_GET['iSortCol_0'])) {
+if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) {
$sOrder = "ORDER BY ";
- for ($i=0; $i ";
}
- $arrData['description'] = preg_replace('/(? 0 ? implode(";", $listRestrictionRoles).";" : "";
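Review bot: The new guard `in_array($_GET['iSortCol_0'], $aSortTypes)` compares the sort column index against `'ASC'`/`'DESC'`, so for a normal DataTables request (where `iSortCol_0` is a numeric column index and the direction arrives in `sSortDir_0`) the ORDER BY branch is never entered, while the direction value is still not validated where it is actually interpolated. Keep the `isset` check for `iSortCol_0`, cast the index with `intval()` before indexing `$aColumns`, and apply the `$aSortTypes` whitelist to the direction instead, e.g. `in_array($_GET['sSortDir_0'], $aSortTypes, true)`. On the LIMIT line, `FILTER_SANITIZE_NUMBER_INT` only strips characters and yields an empty string for non-numeric input (producing `LIMIT ,`), so `intval()` is the safer cast for both values. The rest of this hunk (the loop building `$sOrder`) is garbled in this view, so the exact lines to change cannot be confirmed.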
diff --git a/sources/users.queries.php b/sources/users.queries.php
index 83f79ec5b..d141ad1a4 100644
--- a/sources/users.queries.php
+++ b/sources/users.queries.php
@@ -373,8 +373,8 @@
'type' => 'user_mngt',
'date' => time(),
'label' => 'at_user_email_changed:'.$data[0],
- 'qui' => $_SESSION['user_id'],
- 'field_1' => $_POST['id']
+ 'qui' => intval($_SESSION['user_id']),
+ 'field_1' => intval($_POST['id'])
)
);
echo '[{"error" : "no"}]';