diff --git a/admin.php b/admin.php index a59623e6a..dfc19689b 100644 --- a/admin.php +++ b/admin.php @@ -42,8 +42,6 @@

Some instructions

  Access to TeamPass website
-   - For any kind of Help and Support, please use the Forum
  You discovered a Bug or you have an improvement Proposal, please use the Github channel. If you are not sure, always use the Forum before to obtain a confirmation. This will prevent having to much open tickets at Github.
diff --git a/admin.settings_api.php b/admin.settings_api.php index a723c57f0..9ae409f76 100644 --- a/admin.settings_api.php +++ b/admin.settings_api.php @@ -230,7 +230,7 @@ function newIPDB() function ip_update(id, value, ip) { - $("#api_db_type").val("admin_action_api_save_key"); + $("#api_db_type").val("admin_action_api_save_ip"); $("#api_db_id").val(id); $("#api_db_action").val("update"); $("#div_key").show(); @@ -261,6 +261,7 @@ function ip_update(id, value, ip) $("#api_db_message").html("'.$txt['error_too_long'].'"); exit; } + $("#div_loading").show(); var $this = $(this); // send query diff --git a/api/config.php b/api/config.php deleted file mode 100644 index e1ac69d4a..000000000 --- a/api/config.php +++ /dev/null @@ -1,9 +0,0 @@ - diff --git a/api/functions.php b/api/functions.php index 39462dd9a..d53d503b4 100644 --- a/api/functions.php +++ b/api/functions.php @@ -1,4 +1,19 @@ 0 && !array_search($_SERVER['REMOTE_ADDR'], $apiip_pool)) { + if (count($apiip_pool) > 0 && array_search($_SERVER['REMOTE_ADDR'], $apiip_pool) === false) { rest_error('IPWHITELIST'); } } 
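Review bot: The corrected whitelist test on the changed line, `array_search($_SERVER['REMOTE_ADDR'], $apiip_pool) === false`, still matches loosely; `!in_array($_SERVER['REMOTE_ADDR'], $apiip_pool, true)` expresses the same check with a strict comparison and without the `=== false` trap that caused the original bug (index 0 is falsy, so the first whitelisted address was rejected). The surrounding condition silently skips the check when the pool is empty, which deserves a comment on the `if`: `// empty pool = no IP restriction; a non-empty pool is an allow-list`. Only the condition itself is reviewed here: most of this hunk's added lines are not legible on this page, and the function enclosing the check starts and ends outside it. Because `REMOTE_ADDR` is the TCP peer, an API deployed behind a reverse proxy would see one address for every caller — worth confirming against the intended deployment.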
@@ -169,36 +184,19 @@ function rest_get () { if ($GLOBALS['request'][0] == "read") { if($GLOBALS['request'][1] == "category") { - $array_category = explode(';',$GLOBALS['request'][2]); - - foreach($array_category as $category) { - if(!preg_match_all("/^([\w\:\'\-\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)$/i", $category,$result)) { - rest_error('CATEGORY_MALFORMED'); - } - } - - if(count($array_category) > 1 && count($array_category) < 5) { - for ($i = count($array_category); $i > 0; $i--) { - $slot = $i - 1; - if (!$slot) { - $category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = 0"; - } else { - $category_query .= "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[$slot]."' AND parent_id = ("; - } - } - for ($i = 1; $i < count($array_category); $i++) { $category_query .= ")"; } - } elseif (count($array_category) == 1) { - $category_query = "select id from ".$GLOBALS['pre']."nested_tree where title LIKE '".$array_category[0]."' AND parent_id = 0"; + // get ids + if (strpos($GLOBALS['request'][2],",") > 0) { + $condition = "id_tree IN (".$GLOBALS['request'][2].")"; } else { - rest_error ('NO_CATEGORY'); + $condition = "id_tree = '".$GLOBALS['request'][2]."'"; } - $response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where id_tree = (".$category_query.")"); + $response = $bdd->query("select id,label,login,pw from ".$GLOBALS['pre']."items where ".$condition); while ($data = $response->fetch()) { $id = $data['id']; $json[$id]['label'] = utf8_encode($data['label']); $json[$id]['login'] = utf8_encode($data['login']); -// $json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key); + $json[$id]['pw'] = teampass_decrypt_pw($data['pw'],SALT,$rand_key); } } elseif($GLOBALS['request'][1] == "item") { $array_category = explode(';',$GLOBALS['request'][2]); 
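Review bot: The new `$condition` lines interpolate `$GLOBALS['request'][2]` into the SQL string with no validation, so a request such as `read/category/1) OR 1=1 -- ` (or a quoted payload in the `=` branch) reaches `$bdd->query` verbatim; the removed code at least ran each segment through `preg_match_all`, and this rewrite drops that check without replacing it. Since the new format is a comma-separated list of numeric `id_tree` values, cast every element with `intval()`, refuse an empty result, and collapse the `IN`/`=` split into one branch. Uncommenting `$json[$id]['pw'] = teampass_decrypt_pw(...)` means this endpoint now returns cleartext passwords, so the injection is directly usable for credential disclosure by anyone who passes the IP whitelist. `rest_get` starts and ends outside the hunk.
```php
if($GLOBALS['request'][1] == "category") {
    // ids arrive as "12" or "12,34,56"; keep only non-zero integers so nothing else reaches the query
    $ids = array_filter(array_map('intval', explode(',', $GLOBALS['request'][2])));
    if (empty($ids)) {
        rest_error('NO_CATEGORY');
    }
    $condition = "id_tree IN (".implode(',', $ids).")";
    // … unchanged: items query and result loop …
```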
@@ -325,6 +323,4 @@ function teampass_decrypt_pw($encrypted, $salt, $rand_key, $itcount = 2072) $encrypted = substr($encrypted, 0, -64); if ($mac !== hash_hmac('sha256', $encrypted, $salt)) return null; return substr(rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, 'ctr', $iv), "\0\4"), strlen($rand_key)); -} - -?> +} \ No newline at end of file diff --git a/api/index.php b/api/index.php index e4e7738e7..9611e88e3 100644 --- a/api/index.php +++ b/api/index.php @@ -1,6 +1,19 @@ 'views.php', 'manage_main' => 'admin.php', 'manage_settings' => 'admin.settings.php' -); +); \ No newline at end of file diff --git a/items.load.php b/items.load.php index cfe3b5458..727839114 100644 --- a/items.load.php +++ b/items.load.php @@ -2617,6 +2617,7 @@ function prepareOneTimeView() function(data) { //check if format error if (data[0].error == "") { + $("#div_dialog_message").dialog({minHeight:500,minWidth:750}); $("#div_dialog_message").dialog('open'); $("#div_dialog_message_text").html(data[0].url); } else { diff --git a/items.php b/items.php index 892307061..a1c379ae8 100644 --- a/items.php +++ b/items.php @@ -96,13 +96,13 @@ '; // Hidden objects for Item search if (isset($_GET['group']) && isset($_GET['id'])) { - echo ''; - echo ''; - echo ''; + echo ''; + echo ''; + echo ''; } elseif (isset($_GET['group']) && !isset($_GET['id'])) { - echo ''; + echo ''; echo ''; - echo ''; + echo ''; } else { echo ''; echo ''; @@ -230,7 +230,7 @@ } // Prepare folder $folderTxt = ' -
  • '; +
  • '; if (in_array($folder->id, $_SESSION['groupes_visibles'])) { $folderTxt .= ' '.$fldTitle.' ('.$itemsNb.''; @@ -358,7 +358,7 @@  '.$txt['label'].' : - +
    '; @@ -367,7 +367,7 @@  '.$txt['description'].' : -
    +
    '; // Line for PW @@ -455,7 +455,7 @@    '.$field[1].' : -
    +
    '; } diff --git a/otv.php b/otv.php index 3ab1ec37d..811c60574 100644 --- a/otv.php +++ b/otv.php @@ -70,6 +70,13 @@ // get data $pw = decrypt($dataItem['pw']); + + // get key for original pw + $originalKey = $db->queryFirst('SELECT rand_key FROM `'.$pre.'keys` WHERE `table` LIKE "items" AND `id` ='.intval($_GET['item_id'])); + // unsalt previous pw + $pw = substr(decrypt($dataItem['pw']), strlen($originalKey['rand_key'])); + + $label = $dataItem['label']; $email = $dataItem['email']; $url = $dataItem['url']; diff --git a/sources/admin.queries.php b/sources/admin.queries.php index c7df3285e..af507c424 100644 --- a/sources/admin.queries.php +++ b/sources/admin.queries.php @@ -919,6 +919,7 @@ 'api', array( 'label' => $_POST['label'], + 'value' => $_POST['key'], 'timestamp' => time() ), "id='".intval($_POST['id'])."'" diff --git a/sources/datatable/datatable.item_edition.php b/sources/datatable/datatable.item_edition.php index 322b3ed3c..4c736576d 100644 --- a/sources/datatable/datatable.item_edition.php +++ b/sources/datatable/datatable.item_edition.php @@ -31,6 +31,7 @@ //Columns name $aColumns = array('e.timestamp', 'u.login', 'i.label', 'u.name', 'u.lastname'); +$aSortTypes = array('ASC', 'DESC'); //init SQL variables $sOrder = $sLimit = $sWhere = ""; @@ -39,19 +40,30 @@ //Paging $sLimit = ""; if (isset($_GET['iDisplayStart']) && $_GET['iDisplayLength'] != '-1') { - $sLimit = "LIMIT ". $_GET['iDisplayStart'] .", ". $_GET['iDisplayLength'] ; + $sLimit = "LIMIT ". filter_var($_GET['iDisplayStart'], FILTER_SANITIZE_NUMBER_INT) .", ". filter_var($_GET['iDisplayLength'], FILTER_SANITIZE_NUMBER_INT).""; } //Ordering -if (isset($_GET['iSortCol_0'])) { +if (isset($_GET['iSortCol_0']) && in_array($_GET['iSortCol_0'], $aSortTypes)) { $sOrder = "ORDER BY "; - for ($i=0; $i
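Review bot: The added `$pw = substr(decrypt($dataItem['pw']), strlen($originalKey['rand_key']));` decrypts the password a second time and overwrites the `$pw = decrypt($dataItem['pw']);` assignment two lines above, which is now dead; reuse it instead: `$pw = substr($pw, strlen($originalKey['rand_key']));`. If `queryFirst` returns no row for the item (what it returns in that case is not visible here), `$originalKey['rand_key']` raises a notice and `strlen(null)` is 0, so the still-salted string is shown as the password; `$randKeyLen = isset($originalKey['rand_key']) ? strlen($originalKey['rand_key']) : 0;` makes that fallback explicit rather than accidental. The `intval($_GET['item_id'])` in the new query is the right treatment for the integer id. The code enclosing these lines starts and ends outside the hunk.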
    "; } - $arrData['description'] = preg_replace('/(? 0 ? implode(";", $listRestrictionRoles).";" : ""; diff --git a/sources/users.queries.php b/sources/users.queries.php index 83f79ec5b..d141ad1a4 100644 --- a/sources/users.queries.php +++ b/sources/users.queries.php @@ -373,8 +373,8 @@ 'type' => 'user_mngt', 'date' => time(), 'label' => 'at_user_email_changed:'.$data[0], - 'qui' => $_SESSION['user_id'], - 'field_1' => $_POST['id'] + 'qui' => intval($_SESSION['user_id']), + 'field_1' => intval($_POST['id']) ) ); echo '[{"error" : "no"}]';