2.1.27

Improved security regarding uploading files
Fixed issue while restoring DB from administration page

admin.settings.load.php

@@ -252,7 +252,10 @@ function LaunchAdminActions(action, option)
     if (action === "admin_action_db_backup") {
         option = $("#result_admin_action_db_backup_key").val();
     } else if (action === "admin_action_db_restore") {
-        $("#restore_bck_encryption_key_dialog_error").html("").hide();
+        $("#restore_bck_encryption_key_dialog_error")
+            .html("<span class='fa fa-cog fa-spin fa'>&nbsp;</span><?php echo addslashes($LANG['please_wait']); ?>")
+            .attr("class","ui-corner-all ui-state-focus")
+            .show();
     } else if (action === "admin_action_backup_decrypt") {
         option = $("#bck_script_decrypt_file").val();
     } else if (action === "admin_action_change_salt_key") {
@@ -293,6 +296,7 @@ function LaunchAdminActions(action, option)
         // convert to json string
         option = prepareExchangedData(JSON.stringify(option) , "encode", "<?php echo $_SESSION['key']; ?>");
     }
+
     //Lauchn ajax query
     $.post(
         "sources/admin.queries.php",
@@ -309,7 +313,10 @@ function(data) {
                     $("#result_admin_action_check_pf").html("<span class='fa fa-check mi-green'></span>").show();
                 } else if (data[0].result == "db_restore") {
                     if (data[0].message !== "") {
-                        $("#restore_bck_encryption_key_dialog_error").html(data[0].message).show();
+                        $("#restore_bck_encryption_key_dialog_error")
+                            .html(data[0].message)
+                            .attr("class","ui-corner-all ui-state-error")
+                            .show();
                     } else {
                         $("#restore_bck_encryption_key_dialog").dialog("close");
                         $("#result_admin_action_db_restore").html("<span class='fa fa-check mi-green'></span>").show();
@@ -834,6 +841,7 @@ function(data) {
     });
 
     // SQL IMPORT FOR RESTORING
+    var restore_operation_id = '';
     var uploader_restoreDB = new plupload.Uploader({
         runtimes : "gears,html5,flash,silverlight,browserplus",
         browse_button : "pickfiles_restoreDB",
@@ -876,17 +884,15 @@ function(data) {
             BeforeUpload: function (up, file) {
                 $("#import_status_ajax_loader").show();
                 up.settings.multipart_params = {
-                    "PHPSESSID":"'.$_SESSION['user_id'].'",
+                    "PHPSESSID":"<?php echo $_SESSION['user_id']; ?>",
                     "File":file.name,
                     "type_upload":"restore_db",
                     "user_token": $("#user_token").val()
                 };
             },
             UploadComplete: function(up, files) {
-                $.each(files, function(i, file) {
-                    $("#restore_bck_fileObj").val(file.name);
-                    $("#restore_bck_encryption_key_dialog").dialog("open");
-                });
+                $("#restore_bck_fileObj").val(restore_operation_id);
+                $("#restore_bck_encryption_key_dialog").dialog("open");
             }
         }
     });
@@ -905,6 +911,11 @@ function(data) {
     uploader_restoreDB.bind("+", function(up, file) {
         $("#" + file.id + " b").html("100%");
     });
+    uploader_restoreDB.bind('FileUploaded', function(upldr, file, object) {
+        var myData = prepareExchangedData(object.response, "decode", "<?php echo $_SESSION['key']; ?>");
+
+        restore_operation_id = myData.operation_id;
+    });
     // Load CSV click
     $("#uploadfiles_restoreDB").click(function(e) {
         uploader_restoreDB.start();

admin.settings.php

@@ -1618,6 +1618,6 @@
 <div id="restore_bck_encryption_key_dialog" style="display:none; text-align:center;">
     <input id="restore_bck_encryption_key" name="restore_bck_encryption_key" type="text" value="" />
     <br>
-    <div class=ui-state-error ui-corner-all" style="display:none;padding:5px;display:none;margin:2px;" id="restore_bck_encryption_key_dialog_error"></div>
+    <div class="ui-state-error ui-corner-all" style="display:none;padding:5px;display:none;margin:2px;" id="restore_bck_encryption_key_dialog_error"></div>
 </div>';
 include "admin.settings.load.php";

api/functions.php

@@ -188,16 +188,16 @@ function rest_delete()
                     for ($i = count($array_category); $i > 0; $i--) {
                         $slot = $i - 1;
                         if (!$slot) {
-                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = 0";
+                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = 0";
                         } else {
-                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = (";
+                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = (";
                         }
                     }
                     for ($i = 1; $i < count($array_category); $i++) {
                         $category_query .= ")";
                     }
                 } elseif (count($array_category) == 1) {
-                    $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[0]."' AND parent_id = 0";
+                    $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[0], FILTER_SANITIZE_STRING)."' AND parent_id = 0";
                 } else {
                     rest_error('NO_CATEGORY');
                 }
@@ -236,22 +236,22 @@ function rest_delete()
                     for ($i = count($array_category); $i > 0; $i--) {
                         $slot = $i - 1;
                         if (!$slot) {
-                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = 0";
+                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = 0";
                         } else {
-                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = (";
+                            $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = (";
                         }
                     }
                     for ($i = 1; $i < count($array_category); $i++) {
                         $category_query .= ")";
                     }
                 } elseif (count($array_category) == 1) {
-                    $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[0]."' AND parent_id = 0";
+                    $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[0], FILTER_SANITIZE_STRING)."' AND parent_id = 0";
                 } else {
                     rest_error('NO_CATEGORY');
                 }
 
                 // Delete item
-                $response = DB::delete(prefix_table("items"), "id_tree = (".$category_query.") and label LIKE '".$item."'");
+                $response = DB::delete(prefix_table("items"), "id_tree = (".$category_query.") and label LIKE '".filter_var($item, FILTER_SANITIZE_STRING)."'");
                 $json['type'] = 'item';
                 $json['item'] = $item;
                 $json['category'] = $GLOBALS['request'][2];
@@ -382,7 +382,12 @@ function rest_get()
                 if (strcmp($username, "admin") == 0) {
                     // forbid admin access
                 }
-                $response = DB::query("SELECT fonction_id FROM ".prefix_table("users")." WHERE login='".$username."'");
+                $response = DB::query(
+                    "SELECT fonction_id
+                    FROM ".prefix_table("users")."
+                    WHERE login = %s'",
+                    $username
+                );
                 if (count($response) === 0) {
                     rest_error('USER_NOT_EXISTS');
                 }
@@ -392,7 +397,12 @@ function rest_get()
                 $folder_arr = array();
                 $roles = explode(";", $role_str);
                 foreach ($roles as $role) {
-                    $response = DB::query("SELECT folder_id FROM ".prefix_table("roles_values")." WHERE role_id='".$role."'");
+                    $response = DB::query(
+                        "SELECT folder_id
+                        FROM ".prefix_table("roles_values")."
+                        WHERE role_id = %i",
+                        $role
+                    );
                     foreach ($response as $data) {
                         $folder_id = $data['folder_id'];
                         if (!array_key_exists($folder_id, $folder_arr)) {
@@ -456,7 +466,12 @@ function rest_get()
                 if (strcmp($username, "admin") == 0) {
                     // forbid admin access
                 }
-                $response = DB::query("SELECT fonction_id FROM ".prefix_table("users")." WHERE login='".$username."'");
+                $response = DB::query(
+                    "SELECT fonction_id
+                    FROM ".prefix_table("users")."
+                    WHERE login = %s",
+                    $username
+                );
                 if (count($response) === 0) {
                     rest_error('USER_NOT_EXISTS');
                 }
@@ -468,13 +483,23 @@ function rest_get()
                 $roles = explode(";", $role_str);
                 $inc = 0;
                 foreach ($roles as $role) {
-                    $response = DB::query("SELECT folder_id, type FROM ".prefix_table("roles_values")." WHERE role_id='".$role."'");
+                    $response = DB::query(
+                        "SELECT folder_id, type
+                        FROM ".prefix_table("roles_values")."
+                        WHERE role_id = %i",
+                        $role
+                    );
                     foreach ($response as $data) {
                         $folder_id = $data['folder_id'];
                         if (!array_key_exists($folder_id, $folder_arr)) {
                             array_push($folder_arr, $folder_id);
 
-                            $response2 = DB::queryFirstRow("SELECT title, nlevel FROM ".prefix_table("nested_tree")." WHERE id='".$folder_id."'");
+                            $response2 = DB::queryFirstRow(
+                                "SELECT title, nlevel
+                                FROM ".prefix_table("nested_tree")."
+                                WHERE id = %i",
+                                $folder_id
+                            );
 
                             if (!empty($response2['title'])) {
                                 $json[$folder_id]['id'] = $folder_id;
@@ -667,7 +692,13 @@ function rest_get()
                     // check if element doesn't already exist
                     $item_duplicate_allowed = getSettingValue("duplicate_item");
                     if ($item_duplicate_allowed !== "1") {
-                        DB::query("SELECT * FROM ".prefix_table("items")." WHERE label = %s AND inactif = %i", addslashes($item_label), "0");
+                        DB::query(
+                            "SELECT *
+                            FROM ".prefix_table("items")."
+                            WHERE label = %s AND inactif = %i",
+                            addslashes($item_label),
+                            "0"
+                        );
                         $counter = DB::count();
                         if ($counter != 0) {
                             $itemExists = 1;
@@ -804,8 +835,9 @@ function rest_get()
                 }
                 // Check if user already exists
                 $data = DB::query(
-                    "SELECT id, fonction_id, groupes_interdits, groupes_visibles FROM ".prefix_table("users")."
-            WHERE login LIKE %ss",
+                    "SELECT id, fonction_id, groupes_interdits, groupes_visibles
+                    FROM ".prefix_table("users")."
+                    WHERE login LIKE %ss",
                     mysqli_escape_string($link, stripslashes($login))
                 );
 
@@ -821,7 +853,9 @@ function rest_get()
 
                         // get default language
                         $lang = DB::queryFirstRow(
-                            "SELECT `valeur` FROM ".prefix_table("misc")." WHERE type = %s AND intitule = %s",
+                            "SELECT `valeur`
+                            FROM ".prefix_table("misc")."
+                            WHERE type = %s AND intitule = %s",
                             "admin",
                             "default_language"
                         );
@@ -830,7 +864,9 @@ function rest_get()
                         $rolesList = "";
                         foreach (explode(',', $roles) as $role) {//echo $role."-";
                             $tmp = DB::queryFirstRow(
-                                "SELECT `id` FROM ".prefix_table("roles_title")." WHERE title = %s",
+                                "SELECT `id`
+                                FROM ".prefix_table("roles_title")."
+                                WHERE title = %s",
                                 $role
                             );
                             if (empty($rolesList)) {
@@ -944,7 +980,12 @@ function rest_get()
                         );
                         // if valeur = 0 then duplicate folders not allowed
                         if ($data === 0) {
-                            DB::query("SELECT * FROM ".prefix_table("nested_tree")." WHERE title = %s", $params[0]);
+                            DB::query(
+                                "SELECT *
+                                FROM ".prefix_table("nested_tree")."
+                                WHERE title = %s",
+                                $params[0]
+                            );
                             $counter = DB::count();
                             if ($counter != 0) {
                                 rest_error('ALREADY_EXISTS');
@@ -1035,15 +1076,22 @@ function rest_get()
                         }
 
                         // Check Folder ID
-                        DB::query("SELECT * FROM ".prefix_table("nested_tree")." WHERE id = %i", $params[3]);
+                        DB::query(
+                            "SELECT *
+                            FROM ".prefix_table("nested_tree")."
+                            WHERE id = %i",
+                            $params[3]
+                        );
                         $counter = DB::count();
                         if ($counter == 0) {
                             rest_error('NOSUCHFOLDER');
                         }
 
                         // check if item exists
                         DB::query(
-                            "SELECT * FROM ".prefix_table("items")." WHERE id = %i",
+                            "SELECT *
+                            FROM ".prefix_table("items")."
+                            WHERE id = %i",
                             $GLOBALS['request'][2]
                         );
                         $counter = DB::count();
@@ -1094,7 +1142,9 @@ function rest_get()
                                     if (!empty($tag)) {
                                         // check if already exists
                                         DB::query(
-                                            "SELECT * FROM ".prefix_table("tags")." WHERE tag = %s AND item_id = %i",
+                                            "SELECT *
+                                            FROM ".prefix_table("tags")."
+                                            WHERE tag = %s AND item_id = %i",
                                             strtolower($tag),
                                             $GLOBALS['request'][2]
                                         );
@@ -1163,7 +1213,12 @@ function rest_get()
                         }
 
                         // check if folder exists and get folder data
-                        $data_folder = DB::queryfirstrow("SELECT * FROM ".prefix_table("nested_tree")." WHERE id = %s", $GLOBALS['request'][2]);
+                        $data_folder = DB::queryfirstrow(
+                            "SELECT *
+                            FROM ".prefix_table("nested_tree")."
+                            WHERE id = %s",
+                            $GLOBALS['request'][2]
+                        );
                         $counter = DB::count();
                         if ($counter === 0) {
                             rest_error('NO_DATA_EXIST');
@@ -1252,7 +1307,9 @@ function rest_get()
                 if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2])) {
                     // is user granted?
                     $userData = DB::queryFirstRow(
-                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM ".$pre."users WHERE login = %s",
+                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`
+                        FROM ".$pre."users
+                        WHERE login = %s",
                         $GLOBALS['request'][3]
                     );
 
@@ -1345,7 +1402,9 @@ function rest_get()
                     // is user granted?
                     //db::debugMode(true);
                     $userData = DB::queryFirstRow(
-                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` FROM ".$pre."users WHERE login = %s",
+                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk`
+                        FROM ".$pre."users
+                        WHERE login = %s",
                         $GLOBALS['request'][2]
                     );
 
@@ -1463,7 +1522,9 @@ function rest_get()
                 if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
                     // is user granted?
                     $userData = DB::queryFirstRow(
-                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM ".$pre."users WHERE login = %s",
+                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`
+                        FROM ".$pre."users
+                        WHERE login = %s",
                         $GLOBALS['request'][4]
                     );
                     if (DB::count() == 0) {
@@ -1596,7 +1657,9 @@ function rest_get()
                 if (isset($GLOBALS['request'][1])) {
                     // is user granted?
                     $userData = DB::queryFirstRow(
-                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` FROM ".$pre."users WHERE login = %s",
+                        "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk`
+                        FROM ".$pre."users
+                        WHERE login = %s",
                         $GLOBALS['request'][2]
                     );
                     if (DB::count() == 0) {

changelog.md

@@ -7,6 +7,8 @@
  	> a user could potentially act on Items he should not have access to
  Securized script.backup.php by adding a security key
  Fixed some other security failures (credit to ​security at Amossys)
+ Improved security regarding uploading files
+ Fixed issue while restoring DB from administration page
  #1945 Cannot delete items
  #1944 File upload results in error
  #1941 Visualisation problems