diff --git a/.gitignore b/.gitignore
index ba9c3510667..20db4cc312c 100755
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ upload/*
 !upload/index.html
 # Ignore some files and directories from the custom directory.
 custom/history/*
+custom/blowfish/*
 custom/modulebuilder/*
 custom/working/*
 custom/modules/*/Ext/
diff --git a/ModuleInstall/ModuleScanner.php b/ModuleInstall/ModuleScanner.php
index e67eb184be7..38d1fa300de 100755
--- a/ModuleInstall/ModuleScanner.php
+++ b/ModuleInstall/ModuleScanner.php
@@ -13,24 +13,24 @@
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
- * 
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
 * details.
- * 
+ *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
- * 
+ *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
- * 
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
- * 
+ *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
@@ -211,6 +211,7 @@ class ModuleScanner{
 'sugar_fopen',
 'sugar_mkdir',
 'sugar_file_put_contents',
+ 'sugar_file_put_contents_atomic',
 'sugar_chgrp',
 'sugar_chmod',
 'sugar_touch',
@@ -649,29 +650,66 @@ public function scanFile($file){
 return $issues;
 }
+ /**
+ * checks files.md5 file to see if the file is from sugar
+ * ONLY WORKS ON FILES
+ *
+ * @param string $path
+ * @return bool
+ */
+ public function sugarFileExists($path)
+ {
+ static $md5 = array();
+ if (empty($md5) && file_exists('files.md5')) {
+ include ('files.md5');
+ $md5 = $md5_string;
+ }
+ if ($path[0] != '.' || $path[1] != '/') {
+ $path = './' . $path;
+ }
+ if (isset($md5[$path])) {
+ return true;
+ }
- /*
- * checks files.md5 file to see if the file is from sugar
- * ONLY WORKS ON FILES
- */
- public function sugarFileExists($path){
- static $md5 = array();
- if(empty($md5) && file_exists('files.md5'))
- {
- include('files.md5');
- $md5 = $md5_string;
- }
- if(isset($md5['./' . $path]))return true;
-
+ return false;
+ }
- }
+ /**
+ * Normalize a path to not contain dots & multiple slashes
+ *
+ * @param string $path
+ * @return string false
+ */
+ public function normalizePath($path)
+ {
+ if (DIRECTORY_SEPARATOR != '/') {
+ // convert to / for OSes that use other separators
+ $path = str_replace(DIRECTORY_SEPARATOR, '/', $path);
+ }
+ $res = array();
+ foreach (explode("/", $path) as $component) {
+ if (empty($component)) {
+ continue;
+ }
+ if ($component == '.') {
+ continue;
+ }
+ if ($component == '..') {
+ // this is not allowed, bail
+ return false;
+ }
+ $res[] = $component;
+ }
+ return join("/", $res);
+ }
 /**
 *This function will scan the Manifest for disabled actions specified in $GLOBALS['sugar_config']['moduleInstaller']['disableActions']
 *if $GLOBALS['sugar_config']['moduleInstaller']['disableRestrictedCopy'] is set to false or not set it will call on scanCopy to ensure that it is not overriding files
 */
- public function scanManifest($manifestPath){
+ public function scanManifest($manifestPath)
+ {
 $issues = array();
 if(!file_exists($manifestPath)){
 $this->issues['manifest'][$manifestPath] = translate('ML_NO_MANIFEST');
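Review bot: `normalizePath` drops every component for which `empty($component)` is true, and in PHP that includes the string `"0"`, so a manifest path such as `modules/0/foo.php` is scanned as `modules/foo.php` while the installer (outside this hunk) presumably still copies to the original path; compare with `$component === ''` instead. A leading slash is swallowed the same way, so an absolute `to` is checked relative to the working directory rather than where it would be written — if the installer honours absolute destinations, treat a leading `/` like `..` and `return false`. In `sugarFileExists`, `$path[0]` and `$path[1]` on an empty or one-character path raise an undefined-offset notice; `if (substr($path, 0, 2) !== './')` avoids that. The hunk ends inside `scanManifest`, whose body continues below.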
@@ -698,70 +736,65 @@ public function scanManifest($manifestPath){
 }
 }
- //now lets scan for files that will override our files
- if(empty($this->config['disableRestrictedCopy']) && isset($installdefs['copy'])){
- foreach($installdefs['copy'] as $copy){
- $from = str_replace('', $this->pathToModule, $copy['from']);
- $to = $copy['to'];
- if(substr_count($from, '..')){
- $this->issues['copy'][$from] = translate('ML_PATH_MAY_NOT_CONTAIN').' ".." -' . $from;
- }
- if(substr_count($to, '..')){
- $this->issues['copy'][$to] = translate('ML_PATH_MAY_NOT_CONTAIN'). ' ".." -' . $to;
- }
- while(substr_count($from, '//')){
- $from = str_replace('//', '/', $from);
- }
- while(substr_count($to, '//')){
- $to = str_replace('//', '/', $to);
- }
- $this->scanCopy($from, $to);
- }
- }
- if(!empty($issues)){
- $this->issues['manifest'][$manifestPath] = $issues;
- }
-
-
-
+ // now lets scan for files that will override our files
+ if (empty($this->config['disableRestrictedCopy']) && isset($installdefs['copy'])) {
+ foreach ($installdefs['copy'] as $copy) {
+ $from = $this->normalizePath($copy['from']);
+ if ($from === false) {
+ $this->issues['copy'][$copy['from']] = translate('ML_PATH_MAY_NOT_CONTAIN') .' ".." -' . $copy['from'];
+ continue;
+ }
+ $from = str_replace('', $this->pathToModule, $from);
+ $to = $this->normalizePath($copy['to']);
+ if ($to === false) {
+ $this->issues['copy'][$copy['to']] = translate('ML_PATH_MAY_NOT_CONTAIN') . ' ".." -' . $copy['to'];
+ continue;
+ }
+ if ($to === '') {
+ $to = ".";
+ }
+ $this->scanCopy($from, $to);
+ }
+ }
+ if (!empty($issues)) {
+ $this->issues['manifest'][$manifestPath] = $issues;
+ }
 }
+ /**
+ * Takes in where the file will is specified to be copied from and to
+ * and ensures that there is no official sugar file there.
+ * If the file exists it will check
+ * against the MD5 file list to see if Sugar Created the file
+ * @param string $from source filename
+ * @param string $to destination filename
+ */
+ public function scanCopy($from, $to)
+ {
+ // if the file doesn't exist for the $to then it is not overriding anything
+ if (!file_exists($to)) {
+ return;
+ }
+ if (is_dir($from)) {
+ $d = dir($from);
+ while ($e = $d->read()) {
+ if ($e == '.' || $e == '..') {
+ continue;
+ }
+ $this->scanCopy($from . '/' . $e, $to . '/' . $e);
+ }
+ return;
+ }
+ // if $to is a dir and $from is a file then make $to a full file path as well
+ if (is_dir($to) && is_file($from)) {
+ $to = rtrim($to, '/'). '/' . basename($from);
+ }
+ // if the $to is a file and it is found in sugarFileExists then don't allow overriding it
+ if (is_file($to) && $this->sugarFileExists($to)) {
+ $this->issues['copy'][$from] = translate('ML_OVERRIDE_CORE_FILES') . '(' . $to . ')';
+ }
-
-
- /**
- * Takes in where the file will is specified to be copied from and to
- * and ensures that there is no official sugar file there. If the file exists it will check
- * against the MD5 file list to see if Sugar Created the file
- *
- */
- function scanCopy($from, $to){
- //if the file doesn't exist for the $to then it is not overriding anything
- if(!file_exists($to))return;
- //if $to is a dir and $from is a file then make $to a full file path as well
- if(is_dir($to) && is_file($from)){
- if(substr($to,-1) === '/'){
- $to = substr($to, 0 , strlen($to) - 1);
- }
- $to .= '/'. basename($from);
- }
- //if the $to is a file and it is found in sugarFileExists then don't allow overriding it
- if(is_file($to) && $this->sugarFileExists($to)){
- $this->issues['copy'][$from] = translate('ML_OVERRIDE_CORE_FILES') . '(' . $to . ')';
- }
-
- if(is_dir($from)){
- $d = dir($from);
- while($e = $d->read()){
- if($e == '.' || $e == '..')continue;
- $this->scanCopy($from .'/'. $e, $to .'/' . $e);
- }
- }
-
-
-
-
-
- }
+ }
 /**
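Review bot: `while ($e = $d->read())` in the new `scanCopy` terminates as soon as `read()` returns an entry named `0`, which PHP evaluates as false, so every entry after it in directory order is never checked against files.md5; use `while (false !== ($e = $d->read()))` and add `$d->close();` before the `return`. In `scanManifest`, `str_replace('', $this->pathToModule, $from)` as shown has an empty search string, which makes the call a no-op — this looks like a placeholder such as `<basepath>` lost in rendering, but confirm the literal is intact in the file. Note also that `$to` is normalised only for the scan; if the copy step (outside this hunk) uses the raw `$copy['to']`, any difference between the two (a Windows separator, a stripped leading slash) means the scanner and the installer look at different paths. `scanManifest` begins above this hunk.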
diff --git a/Zend/Oauth/Token.php b/Zend/Oauth/Token.php index c706699d181..b22868d552e 100755 --- a/Zend/Oauth/Token.php +++ b/Zend/Oauth/Token.php @@ -278,8 +278,6 @@ public function __sleep() */ public function __wakeup() { - if ($this->_httpUtility === null) { - $this->_httpUtility = new Zend_Oauth_Http_Utility; - } + $this->_httpUtility = new Zend_Oauth_Http_Utility; } } diff --git a/files.md5 b/files.md5 index fc22dcdf69c..92f45f51917 100755 --- a/files.md5 +++ b/files.md5 @@ -1,8 +1,8 @@ 'd3f150e4a5bed444763ebe8a81742a95', - './sugar_version.json' => 'a171e8fa5d087136e3c79a2dc2d8cf32', + './sugar_version.json' => '6f644dbc844a77b2cc6ebfc5436c04e8', './.htaccess' => 'd41d8cd98f00b204e9800998ecf8427e', './config_override.php' => 'd41d8cd98f00b204e9800998ecf8427e', './config.php' => 'd41d8cd98f00b204e9800998ecf8427e', @@ -500,7 +500,7 @@ $md5_string = array ( './include/utils/LogicHook.php' => 'bcce19899ef75439237ffcc54e5d6229', './include/utils/external_cache.php' => 'ecfe00c0a67e9540bb8fbe12dede5f7b', './include/utils/file_utils.php' => 'cdfb4a8fff71d65fdb43ed9615c5bb5c', - './include/utils/array_utils.php' => 'c03d8d4e81065e4c307421b555a5f516', + './include/utils/array_utils.php' => '3d79a0467c03c996a0d8bdfc5cf41c42', './include/utils/sugar_file_utils.php' => '24145be30268bf9d49e5e57a040f858c', './include/utils/security_utils.php' => 'bbb90067f557ba011a47cb9c1138bf6a', './include/utils/autoloader.php' => '51bb490bcd106c650a2af611486f665b', 
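Review bot: The unconditional rebuild of `$this->_httpUtility` in `__wakeup` carries no comment explaining why the null check was removed, so a future tidy-up could reinstate it and reopen the hole — with the old check, a crafted serialized payload could supply an arbitrary object for that property. Suggest `// Always recreate: never trust an object supplied by the serialized payload (object-injection hardening).` above the assignment. The other properties restored by unserialize are outside this hunk and are not validated here, so this narrows the gadget surface rather than removing the need to keep untrusted data away from `unserialize()` altogether.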
@@ -669,7 +669,7 @@ $md5_string = array ( './include/SugarTinyMCE.php' => 'b8af5072ddbdfb2b26e34da6b74cdf11', './include/tabs.php' => '45b4cecd7fcd0eed024d748c1caad884', './include/SugarOAuthServer.php' => '8f3738e36c51a920d0b69bd6e90516f6', - './include/modules.php' => 'b4c765d1ec2e198fa4f54484bb97a8c2', + './include/modules.php' => '8cf807662e8ad05ddb7998438ffe8d0c', './include/ytree/treeutil.js' => '93ce34059934f0cdc8b8b1eafab1b0bc', './include/ytree/Node.php' => '9f9049c894f5cd84e8142830f2ea4cf5', './include/ytree/Tree.php' => 'd2acdbb71a5ecc77fb82c21aa416aa83', @@ -2565,8 +2565,8 @@ $md5_string = array ( './include/MVC/View/views/view.noaccess.php' => 'dcfb8bcccc856e03150bbe4287df4b69', './include/MVC/View/views/view.vcard.php' => '179462d5a2bd63cc947514bc5b4d5f0d', './include/MVC/View/views/view.multiedit.php' => '6304a43da7a60cd7e10e45e9b70a752b', - './include/MVC/View/views/view.list.php' => '9f03520865fc8f21df3b8ff7a832a8b2', - './include/MVC/View/views/view.popup.php' => '9b14b0bf5413919adeb2eaf3a27e904c', + './include/MVC/View/views/view.list.php' => '15d69bbb0733c78dcfbb141b7dca3a08', + './include/MVC/View/views/view.popup.php' => 'b37536220880f1a9484f1d734a7e761d', './include/MVC/View/views/view.quick.php' => '903361c65cb2a303512f4c1b61907114', './include/MVC/View/views/view.xml.php' => '915fb80385c6357b3368891dfdd4dcb6', './include/MVC/View/views/view.sugarpdf.config.php' => 'a8b5a369c54618e94065de2527866cd8', 
@@ -2589,7 +2589,7 @@ $md5_string = array ( './include/MVC/SugarModule.php' => 'd20c55c66b345634e9cfe1360998faf5', './include/MVC/SugarApplication.php' => 'a4dceec0466f3811805e1cbf4233020c', './include/MVC/Controller/file_access_control_map.php' => '973ffb0c666e5e252a7563a4dbfa0e60', - './include/MVC/Controller/entry_point_registry.php' => '8f30e68f35d444a9fc110febdd7ae3dd', + './include/MVC/Controller/entry_point_registry.php' => '0c96ff89e006d7ff76173ee2a4cc05a6', './include/MVC/Controller/SugarController.php' => '065844716d72aac4355d3a90b9ed8361', './include/MVC/Controller/action_file_map.php' => '341c47830c5235c35586a637f9f50130', './include/MVC/Controller/action_view_map.php' => 'f9da4a6f0f4905ea87361903e4671910', @@ -2603,7 +2603,7 @@ $md5_string = array ( './include/SearchForm/SugarSpot.php' => 'd8449360de3e2907dae694c8c984f40b', './include/SearchForm/SearchForm.php' => 'bb489966e170ef2b9782cdeffaf8f2eb', './include/SearchForm/SearchForm2.php' => '11935484201d176875b2641a468858b2', - './include/Dashlets/DashletRssFeedTitle.php' => 'a47b01bb0712af9ed5c9cf86de254252', + './include/Dashlets/DashletRssFeedTitle.php' => 'f0f47e061e0db02f001ad00c6da0cb16', './include/Dashlets/DashletGenericAutoRefreshDynamic.tpl' => '2dafbe3aeb4faac8dda04fdc7153ac45', './include/Dashlets/DashletCacheBuilder.php' => '0c919c1e633ce4d3c8782f36c7a23642', './include/Dashlets/DashletGenericConfigure.tpl' => 'ceba10c6938ee0374075dd502918e872', 
@@ -2641,6 +2641,7 @@ $md5_string = array ( './include/resource/Observers/ResourceObserver.php' => '77d273ea39b8e2abe026f1f8c515408b', './include/resource/Observers/SoapResourceObserver.php' => '8966a226d081e396d109d1e13dd6e6e0', './include/language/jsLanguage.php' => 'c5d5b59aa6c5c5a52e96c8758fc5a14e', + './include/language/getJSLanguage.php' => 'd3067216c7b48ca6f90d5ca8b9e14cd9', './include/language/en_us.lang.php' => '3b6f51be8855558178f266126b0047ac', './include/language/en_us.notify_template.html' => 'b885a3d87060bee2226369fa918e77f3', './include/pclzip/readme.txt' => '2265cad9ccb84cfcd4093ce26b22dc97', @@ -2710,7 +2711,7 @@ $md5_string = array ( './include/Smarty/plugins/modifier.lower.php' => '014241bdc9356e4db65ff84902e868d2', './include/Smarty/plugins/function.html_image.php' => '06abba1563143b4b1190ca07d53b0a0d', './include/Smarty/plugins/function.config_load.php' => '752a15886ca6ee831f2ab650ab09fe4e', - './include/Smarty/plugins/function.sugar_button.php' => '8df59ad4424dd32178bc34cd4da80cc5', + './include/Smarty/plugins/function.sugar_button.php' => 'c2fd1466b4c372bf5baf45c0e43d5f09', './include/Smarty/plugins/function.sugar_ajax_url.php' => '40b41d0fff29b81d4fe8b431a7b24bb0', './include/Smarty/plugins/function.popup.php' => 'cf231d09647d1b1cf0adf5904b66b6a6', './include/Smarty/plugins/function.sugar_variable_constructor.php' => '6561cdb5987f989d18090a4713c9a27a', 
@@ -2739,7 +2740,7 @@ $md5_string = array ( './include/Smarty/plugins/function.sugar_button_slider.php' => '6152ab8014fecf6fa1b6af75c28af497', './include/Smarty/plugins/modifier.spacify.php' => 'caaa7bc654d20b7a34670ffaf4810a16', './include/Smarty/plugins/modifier.count_paragraphs.php' => '094571a25323b4a624339c510c235e23', - './include/Smarty/plugins/function.sugar_actions_link.php' => '618049c67e273e5f045a6a30979fae5b', + './include/Smarty/plugins/function.sugar_actions_link.php' => '78f3c450388b1ca9ce345935da0795eb', './include/Smarty/plugins/modifier.count_sentences.php' => 'ce2aa6fd44be95bbca2f9fa405184476', './include/Smarty/plugins/function.sugar_field.php' => 'fa680cca3af159b3f462e942c13e2204', './include/Smarty/plugins/modifier.strip.php' => 'd37cbead10b238172272e54a5cd9c691', @@ -2888,7 +2889,7 @@ $md5_string = array ( './dictionary.php' => '2c944c4e9de0ad7ee323dbbfb2388764', './HandleAjaxCall.php' => '52ec9af41f1f3b3787c02fafa4ba4da1', './ModuleInstall/extensions.php' => '34bab7a46f584229895919f6783429e0', - './ModuleInstall/ModuleScanner.php' => '20364e032fc79402652801b3afcede69', + './ModuleInstall/ModuleScanner.php' => 'b543fd276d29708bbad0e72771547ea0', './ModuleInstall/ModuleInstaller.php' => '78ffa995728557e195ecba6929041fed', './ModuleInstall/PackageManager/tpls/PackageForm.tpl' => '1c0ab9066a5bd2597ade0fb345f8537a', './ModuleInstall/PackageManager/tpls/PackageManagerScripts.tpl' => '72add280abe1587ee92f106896c88d99', 
@@ -2917,7 +2918,7 @@ $md5_string = array ( './Zend/Oauth/Http/Utility.php' => 'b423ef547710255a45cac24c0f2212b6', './Zend/Oauth/Http/RequestToken.php' => 'a601ddf2a654043d45c8850970c3f81d', './Zend/Oauth/Client.php' => '45f14e23ad50d4d85b1656681d81d487', - './Zend/Oauth/Token.php' => '66c75d877789a6c9f76fcb56eca8f69f', + './Zend/Oauth/Token.php' => '18e9e84e55bf3c8c5342d5eed99df718', './Zend/Oauth/Signature/Hmac.php' => '7de78bcbd009391679c290259d4f0b7e', './Zend/Oauth/Signature/Plaintext.php' => '172f0dbf4ffed18d6aa136bbe752c4d2', './Zend/Oauth/Signature/Rsa.php' => '1c34a9f3ba22e92181fd20635bd165a0', @@ -3404,7 +3405,7 @@ $md5_string = array ( './modules/Leads/tpls/ConvertLeadFooter.tpl' => '2ea6576f9fe58d92409a9c6b97b94d3b', './modules/Leads/Menu.php' => 'ed395651f15ffd38d41ca964c664de2a', './modules/Leads/vardefs.php' => '883dbb8538ecbb3124bd6ddf4fbda659', - './modules/Leads/views/view.showduplicates.php' => '8aab3c88d7f9693a22a3bc407fd6e2c5', + './modules/Leads/views/view.showduplicates.php' => '3feba86a3af990a27b263447ac564461', './modules/Leads/views/view.list.php' => 'c48c873cc327566d9f2f52c16105aef6', './modules/Leads/views/view.edit.php' => '1e52112d67afec904f3ac40d24b86784', './modules/Leads/views/view.detail.php' => '5f56eedf44fbea3e82b9fc6fdf1f39c2', 
@@ -3431,7 +3432,7 @@ $md5_string = array ( './modules/Leads/metadata/studio.php' => 'c8a69534746c4f195b2368b1c4118e48', './modules/Leads/metadata/detailviewdefs.php' => '28cd25c6a2b904bf3650a9ff6718bb3a', './modules/Leads/action_view_map.php' => '00c3a0dd64243387ec93a8322cf0b25b', - './modules/Leads/LeadFormBase.php' => 'c9fcaf9326bf825a576e8ca9d36391cd', + './modules/Leads/LeadFormBase.php' => 'b4c3bde9a78938e0e87fd11f843e41e6', './modules/Leads/Dashlets/MyLeadsDashlet/MyLeadsDashlet.data.php' => '152ed2eb0ba4718b91172e3f64699c38', './modules/Leads/Dashlets/MyLeadsDashlet/MyLeadsDashlet.meta.php' => '7f55f94342cb4ba4a797f96f54942455', './modules/Leads/Dashlets/MyLeadsDashlet/MyLeadsDashlet.php' => 'ac4d3464dc844dbb13bbbfd2fd62316b', @@ -4295,7 +4296,7 @@ $md5_string = array ( './modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php' => 'cc0c692cdafcff493f07703670e0279a', './modules/Users/authentication/EmailAuthenticate/EmailAuthenticate.php' => 'dcb2393e1e3f8df433022c34b94ef125', './modules/Users/authentication/EmailAuthenticate/EmailAuthenticateUser.php' => '2e4bc38ede9a48f9d1d073d087355fc1', - './modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php' => 'b4de0d81cff814b52f3b10691d2f82a9', + './modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php' => '8f962090ca55c1c82278485607a8c75f', './modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticate.php' => '1bab62c2ca674666ac622832aa6b493f', './modules/Users/authentication/SAMLAuthenticate/settings.php' => 'ea1c15daa6961ce1aa44a86c8a709fb4', './modules/Users/authentication/SAMLAuthenticate/lib/xmlseclibs/CHANGELOG.txt' => '113d14ef4333039359236ffed624fb85', 
@@ -4304,7 +4305,7 @@ $md5_string = array ( './modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/settings.php' => 'bf420ca408bb2c25ee04d6d24651306c', './modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/xmlsec.php' => '0804d079f7dd5b88a810d3b2f13b54a1', './modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/authrequest.php' => '96705df3ae615cdb2c75b2ca6bed6d05', - './modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php' => 'fe50684dde6449668ec090969855ed59', + './modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php' => '30887f37b969ad4eb249ccc02603b442', './modules/Users/authentication/SAMLAuthenticate/index.php' => 'c576340598c48831d9f63bd10a650bf7', './modules/Users/authentication/AuthenticationController.php' => '6927215b40c1efc62775f5754a532c95', './modules/Users/authentication/LDAPAuthenticate/LDAPAuthenticateUser.php' => '2800f31d9157ce0ab8cd07503d8d28ce', @@ -4546,7 +4547,7 @@ $md5_string = array ( './modules/Connectors/views/view.modifyproperties.php' => '72d868871f0cef9073c1004c24dde337', './modules/Connectors/views/view.modifysearch.php' => '85e92155ee8744e54b09b65c355697aa', './modules/Connectors/views/view.connectorsettings.php' => '234863c9e8d5a116cdbdf6cc8a844ad7', - './modules/Connectors/controller.php' => 'c925f4d8dd9d6639ae3aec9c77f9cc68', + './modules/Connectors/controller.php' => 'dcea21b21e9191c108a911790906598f', './modules/Connectors/ConnectorRecord.php' => '4b048a11ea21e312548a6d407d0951ee', './modules/Connectors/connectors/sources/ext/rest/insideview/config.php' => 'c1390b4a5617d593fe3980857aae7aa9', './modules/Connectors/connectors/sources/ext/rest/insideview/InsideViewLogicHook.php' => '8b96abc620afdde0979054a34805ef44', 
@@ -4599,7 +4600,7 @@ $md5_string = array ( './modules/Accounts/views/view.detail.php' => '4285c8a454f12fb9790fa3a97bce8d21', './modules/Accounts/field_arrays.php' => 'ff94a2454b5dec219fae92c743c8a590', './modules/Accounts/Account.php' => 'ad9b14808ec955851cc899c3f680ad89', - './modules/Accounts/ShowDuplicates.php' => '6eb62df94c2d1328c33d3faec8dd116a', + './modules/Accounts/ShowDuplicates.php' => '0285cf58f0e998bdbc7903a487c65254', './modules/Accounts/metadata/searchdefs.php' => 'd220a2b9ef4a377825675e0f3db3d820', './modules/Accounts/metadata/fieldGroups.php' => '385d62115fd9616fda262306689c4d85', './modules/Accounts/metadata/subpaneldefs.php' => 'ac71ce15bf229964137f271237a07183', @@ -4620,7 +4621,7 @@ $md5_string = array ( './modules/Accounts/Dashlets/MyAccountsDashlet/MyAccountsDashlet.php' => 'ec76cb988bc1b77823b2e732c376996d', './modules/Accounts/Dashlets/MyAccountsDashlet/MyAccountsDashlet.data.php' => 'cb80a1dbcba6494feffea740dcbc0385', './modules/Accounts/Popup_picker.html' => '1b5e8424ad1dd267f89b221e9c9d9fb9', - './modules/Accounts/AccountFormBase.php' => 'e10ef6d736c72768b0e4e79cae520db1', + './modules/Accounts/AccountFormBase.php' => 'fa3e37f9e3c0595866e31ebbebc75b5e', './modules/Accounts/language/en_us.lang.php' => '28b830b635b5d4239a94a84902524841', './modules/MySettings/TabController.php' => 'ce1c43b9ee76cb1fc6aaa72e3bd87a8a', './modules/MySettings/LoadTabSubpanels.php' => 'd9b0ec6322db7e5188f0082b8f6ebe92', 
@@ -4816,7 +4817,7 @@ $md5_string = array ( './modules/Contacts/tpls/QuickCreate.tpl' => 'b0ec6ed8d21111a38ac6768912d62336', './modules/Contacts/Menu.php' => 'a4b78115e73168cbce32bae2806ccfad', './modules/Contacts/vardefs.php' => 'b796b6b1f2fa8452f53c00a78d93bc6c', - './modules/Contacts/ContactFormBase.php' => 'ed2034ac43e33267a5564f52ca6d4243', + './modules/Contacts/ContactFormBase.php' => 'a21abbb73cd2d7533bfe85cabdf249d2', './modules/Contacts/ShowDuplicates.html' => 'e7c155a7e02ed4990c46366e14ce1719', './modules/Contacts/views/view.closecontactaddresspopup.php' => '63fbacd0bedb183a7314ec33a5207b2b', './modules/Contacts/views/view.quickcreate.php' => '92eaefb9a12f4dbf7d7a27c2215802cb', @@ -4833,7 +4834,7 @@ $md5_string = array ( './modules/Contacts/Address_picker.html' => 'e9534d233422bf5874d0f5f92af29c84', './modules/Contacts/field_arrays.php' => '69f8c591d76b332b740f7810d73ab0db', './modules/Contacts/ContactOpportunityRelationshipEdit.html' => 'afdde9f65b057d6f73935a9e79725012', - './modules/Contacts/ShowDuplicates.php' => 'a6a6833d6f1f826a06c061ff8a41bf99', + './modules/Contacts/ShowDuplicates.php' => '6063c669e48f45dde6e19f09c5d0fa6b', './modules/Contacts/metadata/searchdefs.php' => '45ef3707e19c0fc60ef90f0b8b5a0a91', './modules/Contacts/metadata/subpaneldefs.php' => '1592e817f1555b73ade4ee7a7721ceef', './modules/Contacts/metadata/popupdefsEmail.php' => 'a697d8537c41062b210dda73fc371132', 
@@ -5037,18 +5038,18 @@ $md5_string = array ( './modules/Administration/QuickRepairAndRebuild.php' => 'eb44553463e1171cedb778806b7b077e', './modules/Administration/DiagnosticDelete.php' => 'c10059ee4c18aefda8ad47571a935219', './modules/Administration/Save.php' => 'b210810462de7e2e2dbfa73f00a493a8', - './modules/Administration/UpgradeWizard.php' => '1c5f0a838d3694371ed13db9edbfd503', + './modules/Administration/UpgradeWizard.php' => '16f46b172ce9b446440aee3ab5428dfd', './modules/Administration/ncc_config.php' => '97936b852ddf286b636fd3e9f75e6a7b', './modules/Administration/Menu.php' => '1f52f739f9c710425e195b3b7b853686', './modules/Administration/vardefs.php' => 'dfe1547500d1eabd7fb9051c08122e30', './modules/Administration/Upgrade.php' => '568160231f61863d3f4afe1fa410bf41', './modules/Administration/SugarSpriteBuilder.php' => '5773eadcbe1f32601cf9fdbf288edd5f', - './modules/Administration/UpgradeWizardCommon.php' => '5932a06429114505ccfd48125e27f61c', + './modules/Administration/UpgradeWizardCommon.php' => '48943807d1a7f2bbc68c609d151b7984', './modules/Administration/index.tpl' => 'faea1e09be764e5cedac1cdd9f5c832e', './modules/Administration/ExportCustomFieldStructure.php' => 'b4e65a394493b90fe7bf790dfa558fc6', './modules/Administration/RebuildConfig.php' => '3429553bbb4a4be1e7f70fd50d2b6803', './modules/Administration/expandDatabase.php' => '2b16f81a38a338277a1ff554a59f5051', - './modules/Administration/UpgradeWizard_commit.php' => 'a090a83a49365126305c7cd11e236d1b', + './modules/Administration/UpgradeWizard_commit.php' => '1763d483d885f80b200641591ece13a2', './modules/Administration/RebuildSchedulers.php' => '0e8e55663d78e481a94d88657544eec4', './modules/Administration/RebuildJSLang.php' => 'f1827f4ef922e8deb2b015db621379f4', './modules/Administration/Administration.php' => 'afeb756b6fd4fac0f4cfc9e58ab3f6d8', 
@@ -5067,7 +5068,7 @@ $md5_string = array ( './modules/Administration/RebuildAudit.php' => 'dc319d489e62622ca92c55a90417df78', './modules/Administration/Updater.html' => 'aa678db329bc0799f6f17b21ce3a19d7', './modules/Administration/Diagnostic.tpl' => '4ee2b91556ae6e01afd9ab4fa87bf3ca', - './modules/Administration/UpgradeAccess.php' => '72e105aceb518969714c594ffd6934ad', + './modules/Administration/UpgradeAccess.php' => '363cb81b9c82fa609d992e403e2341cc', './modules/Administration/Development.php' => '0c1acca9461db023b9e2963f28cc3b8d', './modules/Administration/RepairIE.php' => 'bfbffdeaadc940821724c696fca2e88f', './modules/Administration/templates/RepairXSS.tpl' => '6302d76f3bf9d259d6331cb141f61c63', @@ -5105,7 +5106,7 @@ $md5_string = array ( './modules/Administration/language/en_us.lang.php' => 'd8fc04e654b025e166ff2dc7a1df8aad', './modules/Administration/UpgradeHistory.php' => '32542b41029818c2ad89053c7d6dfaad', './modules/Administration/upgrade_custom_relationships.php' => '49cd673c257d91d5e7d6d38f05139dd9', - './modules/Administration/ImportCustomFieldStructure.php' => 'ae698c924ae4f2ba29d6198746ca0977', + './modules/Administration/ImportCustomFieldStructure.php' => '134fed732bd5beabb5d826c1ed538b59', './modules/Administration/Updater.php' => '5ca15c32868cf4815330e2f51f8a6a5c', './modules/Administration/undoupdateclass.php' => '7d505297d6b5276a2dfe43a12f0467a3', './modules/Administration/Forms.php' => 'b09b7ce5860644e4677fdc87830b4b60', 
@@ -5350,7 +5351,7 @@ $md5_string = array ( './metadata/prospect_lists_prospectsMetaData.php' => '7e3faa998b4fab3e2235775744413cc9', './metadata/inboundEmail_autoreplyMetaData.php' => 'a48873b7d72942a2ce8c75519e210ebd', './metadata/acl_roles_actionsMetaData.php' => '4d6ecdbf5b06104a468ec955616121e3', - './sugar_version.php' => '5526040567bcba7654ce40841ef57bb5', + './sugar_version.php' => '376769cf33724de7336d0b05b3e6e935', './cron.php' => 'a130498059ba9e03ad8c32a9cc79faca', './log4php/LoggerManager.php' => 'fa34194306cd50c01b71d8d5060ee362', './TreeData.php' => '261ed723f457b1fabd1c33ae230120e4', @@ -7483,7 +7484,7 @@ $md5_string = array ( './install/installDisabled.php' => 'd481e5e8ee76592093ccf2088e728f2b', './install/performSetup.php' => 'c54a900b0fb524e90e0254e8f598a198', './install/install_defaults.php' => '8348319cb1bb18fdc79d16cf65ab3a5a', - './install/install_utils.php' => '38384ec3efecbc12a41dd1cb976e64e2', + './install/install_utils.php' => '5028f022dcebb9c169e63902b29a5b3b', './install/UserDemoData.php' => '351e14a692915a88c7a1a3b08ca5f693', './install/demoData.en_us.php' => '454614d42a71a0258c452326812d4406', './install/UploadLangFileCheck.php' => 'c5742cf00377fb55f25955cb6dba5bea', diff --git a/include/Dashlets/DashletRssFeedTitle.php b/include/Dashlets/DashletRssFeedTitle.php index e617316ba97..045f642797f 100755 --- a/include/Dashlets/DashletRssFeedTitle.php +++ b/include/Dashlets/DashletRssFeedTitle.php 
@@ -12,24 +12,24 @@
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
- * 
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
 * details.
- * 
+ *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
- * 
+ *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
- * 
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
- * 
+ *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
@@ -73,6 +73,9 @@ public function generateTitle() {
 */
 public function readFeed() {
 if ($this->url) {
+ if (!in_array(strtolower(parse_url($this->url, PHP_URL_SCHEME)), array("http", "https"), true)) {
+ return false;
+ }
 $fileOpen = @fopen($this->url, 'r');
 if ($fileOpen) {
 $this->fileOpen = true;
@@ -115,4 +118,4 @@ public function convertEncoding() {
 $this->title = iconv($this->xmlEncoding, $this->defaultEncoding, $this->title);
 }
 }
-}
\ No newline at end of file
+}
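Review bot: The scheme allow-list in `readFeed` blocks `file://`, `php://` and similar wrappers but still lets the dashlet fetch any `http(s)` URL the configuring user supplies, including loopback, link-local (cloud metadata) and private-range hosts, so it is only partial SSRF hardening; consider resolving the host and refusing non-public addresses, or an explicit host allow-list, before the `@fopen`. `parse_url` returns `null` when no scheme is present and `false` on a malformed URL, and passing either to `strtolower` is deprecated on PHP 8.1+; cast first: `$scheme = strtolower((string) parse_url($this->url, PHP_URL_SCHEME));` and test `$scheme`. The remainder of `readFeed` lies below the hunk.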
diff --git a/include/MVC/Controller/entry_point_registry.php b/include/MVC/Controller/entry_point_registry.php
index c971f0b97cc..e48e1dbddc4 100755
--- a/include/MVC/Controller/entry_point_registry.php
+++ b/include/MVC/Controller/entry_point_registry.php
@@ -13,24 +13,24 @@
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
- * 
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
 * details.
- * 
+ *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
- * 
+ *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
- * 
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
- * 
+ *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
@@ -74,5 +74,6 @@
 'getYUIComboFile' => array('file' => 'include/javascript/getYUIComboFile.php', 'auth' => false),
 'UploadFileCheck' => array('file' => 'modules/Configurator/UploadFileCheck.php', 'auth' => true),
 'SAML'=> array('file' => 'modules/Users/authentication/SAMLAuthenticate/index.php', 'auth' => false),
+ 'jslang'=> array('file' => 'include/language/getJSLanguage.php', 'auth' => true),
 );
 ?>
diff --git a/include/MVC/View/views/view.list.php b/include/MVC/View/views/view.list.php
index 91266865e56..4dc15d435e6 100755
--- a/include/MVC/View/views/view.list.php
+++ b/include/MVC/View/views/view.list.php
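Review bot: The new `jslang` entry point is registered with `'auth' => true`, but its handler `include/language/getJSLanguage.php` appears in this diff only as a checksum in files.md5, so the request parameters it reads (presumably a language key and a module name) cannot be reviewed here; confirm it validates them against the installed language and module lists rather than using them as path components. A short comment on the entry, e.g. `// authenticated: serves per-module JS language strings`, would also help readers of the registry, which otherwise gives no hint of what each endpoint exposes.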
@@ -12,24 +12,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -87,11 +87,11 @@ function listViewPrepare(){ foreach($current_query_by_page as $search_key=>$search_value) { if($search_key != $module.'2_'.strtoupper($this->bean->object_name).'_offset' && !in_array($search_key, $blockVariables)) { if (!is_array($search_value)) { - $_REQUEST[$search_key] = $GLOBALS['db']->quote($search_value); + $_REQUEST[$search_key] = securexss($search_value); } else { foreach ($search_value as $key=>&$val) { - $val = $GLOBALS['db']->quote($val); + $val = securexss($val); } $_REQUEST[$search_key] = $search_value; } 
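Review bot: Replacing `$GLOBALS['db']->quote()` with `securexss()` on the values written back into `$_REQUEST` changes what downstream code receives: the old call produced SQL-escaped text, the new one strips mark-up, so any consumer of these saved-search values that interpolates them into SQL now has to quote them itself (the list query builder is outside this hunk; confirm it does). The inner `foreach ($search_value as $key=>&$val)` leaves `$val` bound to the last element after the loop, and that reference slot can be carried into the array copied to `$_REQUEST[$search_key]`; add `unset($val);` immediately after the loop. Both points apply equally to the identical hunk in view.popup.php (`display()`). listViewPrepare() begins and ends outside this hunk.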
diff --git a/include/MVC/View/views/view.popup.php b/include/MVC/View/views/view.popup.php index 68f2d0c3d9a..2cf49da3287 100755 --- a/include/MVC/View/views/view.popup.php +++ b/include/MVC/View/views/view.popup.php @@ -12,24 +12,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -107,11 +107,11 @@ function display(){ if($search_key != $this->module.'2_'.strtoupper($this->bean->object_name).'_offset' && !in_array($search_key, $blockVariables)) { if (!is_array($search_value)) { - $_REQUEST[$search_key] = $GLOBALS['db']->quote($search_value); + $_REQUEST[$search_key] = securexss($search_value); } else { foreach ($search_value as $key=>&$val) { - $val = $GLOBALS['db']->quote($val); + $val = securexss($val); } $_REQUEST[$search_key] = $search_value; } diff --git a/include/Smarty/plugins/function.sugar_actions_link.php b/include/Smarty/plugins/function.sugar_actions_link.php index 27cca2c8776..49c9179292d 100755 --- a/include/Smarty/plugins/function.sugar_actions_link.php +++ b/include/Smarty/plugins/function.sugar_actions_link.php 
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -72,13 +72,13 @@ function smarty_function_sugar_actions_link($params, &$smarty) case "CANCEL": $cancelButton = '{if !empty($smarty.request.return_action) && ($smarty.request.return_action == "DetailView" && !empty($smarty.request.return_id))}'; $cancelButton = '{if !empty($smarty.request.return_action) && ($smarty.request.return_action == "DetailView" && !empty($smarty.request.return_id))}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{elseif !empty($smarty.request.return_action) && ($smarty.request.return_action == "DetailView" && !empty($fields.id.value))}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{elseif empty($smarty.request.return_action) || empty($smarty.request.return_id) && !empty($fields.id.value)}'; $cancelButton .= ' '; $cancelButton .= '{else}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{/if}'; return $cancelButton; break; @@ -119,7 +119,7 @@ function smarty_function_sugar_actions_link($params, &$smarty) return $html; case "DCMENUCANCEL": return ' '; - + case "DCMENUSAVE": if ($view == 'QuickCreate') { $view = "form_DCQuickCreate_{$module}"; @@ -130,20 +130,20 @@ function smarty_function_sugar_actions_link($params, &$smarty) case "DCMENUFULLFORM": $html = ' '; $html .= ''; - return $html; + return $html; case "POPUPSAVE": $view = $view == 'QuickCreate' ? "form_QuickCreate_{$module}" : $view; return '{if $bean->aclAccess("save")}{/if} '; case "POPUPCANCEL": - return ' '; - + case "AUDIT": $popup_request_data = array( 'call_back_function' => 'set_return', diff --git a/include/Smarty/plugins/function.sugar_button.php b/include/Smarty/plugins/function.sugar_button.php index 7f52a621d73..36a8f192f8e 100755 --- a/include/Smarty/plugins/function.sugar_button.php +++ b/include/Smarty/plugins/function.sugar_button.php 
@@ -64,19 +64,19 @@ r53116 - 2009-12-09 17:24:37 -0800 (Wed, 09 Dec 2009) - mitani - Merge Kobe into Windex Revision 51633 to 53087 -r52448 - 2009-11-13 02:21:35 -0800 (Fri, 13 Nov 2009) - mitani - Fixes issues with quick create buttons, removes buttons from the top of the quick create form for productivity bar, aligns navigation buttons with other buttons on detail and edit views fixes an issue with calls edit view still calling on leads +r52448 - 2009-11-13 02:21:35 -0800 (Fri, 13 Nov 2009) - mitani - Fixes issues with quick create buttons, removes buttons from the top of the quick create form for productivity bar, aligns navigation buttons with other buttons on detail and edit views fixes an issue with calls edit view still calling on leads -r52277 - 2009-11-06 12:41:42 -0800 (Fri, 06 Nov 2009) - mitani - Updates the Productivity Bar UI and adds Spot :) +r52277 - 2009-11-06 12:41:42 -0800 (Fri, 06 Nov 2009) - mitani - Updates the Productivity Bar UI and adds Spot :) r52120 - 2009-11-02 14:45:24 -0800 (Mon, 02 Nov 2009) - clee - Fixed errors with default connector buttons/hover buttons not appearing in default install for sales edition. -r51719 - 2009-10-22 10:18:00 -0700 (Thu, 22 Oct 2009) - mitani - Converted to Build 3 tags and updated the build system +r51719 - 2009-10-22 10:18:00 -0700 (Thu, 22 Oct 2009) - mitani - Converted to Build 3 tags and updated the build system r51634 - 2009-10-19 13:32:22 -0700 (Mon, 19 Oct 2009) - mitani - Windex is the branch for Sugar Sales 1.0 development r50375 - 2009-08-24 18:07:43 -0700 (Mon, 24 Aug 2009) - dwong - branch kobe2 from tokyo r50372 -r48227 - 2009-06-08 14:59:16 -0700 (Mon, 08 Jun 2009) - tyoung - 23828: replaced the PHP mechanism to calculate the subpanel name based on the module name, which failed as a result of the switch from module-based subpanel names to relationship-based names, which a javascript mechanism embedded in the two affected methods in SubpanelUtils - inlineSave() and cancelCreate(). 
+r48227 - 2009-06-08 14:59:16 -0700 (Mon, 08 Jun 2009) - tyoung - 23828: replaced the PHP mechanism to calculate the subpanel name based on the module name, which failed as a result of the switch from module-based subpanel names to relationship-based names, which a javascript mechanism embedded in the two affected methods in SubpanelUtils - inlineSave() and cancelCreate(). The new mechanism works out from the save or cancel button, respectively, until it encounters a subpanel (marked by a new CSS class 'quickcreate'). It then uses that subpanel name in later operations. This mechanism is now reliable for relationship-based subpanel names. Furthermore, it does not require modifications to the method-chain. To fix this issue by passing the subpanel name along the method-chain would require changing the method signature of the smarty method, sugar_button, which would be very broad-ranging. r45148 - 2009-03-16 07:43:29 -0700 (Mon, 16 Mar 2009) - clee - Bug:28522 
@@ -115,7 +115,7 @@ r39146 - 2008-08-26 17:16:04 -0700 (Tue, 26 Aug 2008) - awu - Merging pre_5_1_0 to trunk r38393 - 2008-07-29 12:44:00 -0700 (Tue, 29 Jul 2008) - Collin Lee - Bug:23873 -Spoke with Ran more about this issue. It turns out the "Select" button was not the only button that needed to have a unique id. All subpanel and subpanel quick create buttons where no unique id exists for the element are candidates for change. Modified sugar widget subpanel classes to use a unique id for "Create" and "Select" buttons. Modified function.sugar_button.php to uniquely identify subpanel buttons as well. +Spoke with Ran more about this issue. It turns out the "Select" button was not the only button that needed to have a unique id. All subpanel and subpanel quick create buttons where no unique id exists for the element are candidates for change. Modified sugar widget subpanel classes to use a unique id for "Create" and "Select" buttons. Modified function.sugar_button.php to uniquely identify subpanel buttons as well. r37505 - 2008-07-02 10:12:55 -0700 (Wed, 02 Jul 2008) - roger - bug: 23283 - buttons in EditView were grouped together without spacing. 
@@ -176,12 +176,12 @@ r28643 - 2007-10-22 13:58:23 -0700 (Mon, 22 Oct 2007) - majed - bug #16757 fixes duplicate so it returns to the detail view of the new record instead of the index page -r28573 - 2007-10-21 01:24:14 -0700 (Sun, 21 Oct 2007) - majed - adds support for metadata driven quick creates and adds the ability to create from subpanels for any module +r28573 - 2007-10-21 01:24:14 -0700 (Sun, 21 Oct 2007) - majed - adds support for metadata driven quick creates and adds the ability to create from subpanels for any module bug # 16541 -r28324 - 2007-10-17 16:24:57 -0700 (Wed, 17 Oct 2007) - majed - bug #13311 fixes delete button showing up when it shouldn't in most scenarios some places the button may be disabled instead of disappearing and in worst case it should display you do not have access if you don't +r28324 - 2007-10-17 16:24:57 -0700 (Wed, 17 Oct 2007) - majed - bug #13311 fixes delete button showing up when it shouldn't in most scenarios some places the button may be disabled instead of disappearing and in worst case it should display you do not have access if you don't -r28178 - 2007-10-15 16:56:47 -0700 (Mon, 15 Oct 2007) - majed - Checkin to add first side quick create for meta data driven ui. +r28178 - 2007-10-15 16:56:47 -0700 (Mon, 15 Oct 2007) - majed - Checkin to add first side quick create for meta data driven ui. r25427 - 2007-08-11 13:52:09 -0700 (Sat, 11 Aug 2007) - clee - Added empty id check so we do not show the audit button when creating a new record. 
@@ -304,13 +304,13 @@ function smarty_function_sugar_button($params, &$smarty) case "CANCEL": $cancelButton = '{if !empty($smarty.request.return_action) && ($smarty.request.return_action == "DetailView" && !empty($smarty.request.return_id))}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{elseif !empty($smarty.request.return_action) && ($smarty.request.return_action == "DetailView" && !empty($fields.id.value))}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{elseif empty($smarty.request.return_action) || empty($smarty.request.return_id) && !empty($fields.id.value)}'; $cancelButton .= ' '; $cancelButton .= '{else}'; - $cancelButton .= ' '; + $cancelButton .= ' '; $cancelButton .= '{/if}'; $output = $cancelButton; diff --git a/include/language/getJSLanguage.php b/include/language/getJSLanguage.php new file mode 100644 index 00000000000..cbad750f81f --- /dev/null +++ b/include/language/getJSLanguage.php @@ -0,0 +1,72 @@ +"; + } else { + echo "$lang was not in list .
" . print_r($languages, true) . "
"; + } + echo "Invalid language specified"; + + return; + } + if (empty($_REQUEST['module']) || $_REQUEST['module'] === 'app_strings') { + $file = sugar_cached('jsLanguage/') . $lang . '.js'; + if (!sugar_is_file($file)) { + jsLanguage::createAppStringsCache($lang); + } + } else { + $module = clean_path($_REQUEST['module']); + $fullModuleList = array_merge($GLOBALS['moduleList'], $GLOBALS['modInvisList']); + if (!isset($app_list_strings['moduleList'][$module]) && !in_array($module, $fullModuleList)) { + echo "Invalid module specified"; + + return; + } + $file = sugar_cached('jsLanguage/') . $module . "/" . $lang . '.js'; + if (!sugar_is_file($file)) { + jsLanguage::createModuleStringsCache($module, $lang); + } + } + + //Setup cache headers + header("Content-Type: application/javascript"); + header("Cache-Control: max-age=31556940, private"); + header("Pragma: "); + header("Expires: " . gmdate('D, d M Y H:i:s \G\M\T', time() + 31556940)); + + readfile($file); +} + +getJSLanguage(); diff --git a/include/modules.php b/include/modules.php index 8377a304415..3d60a411c55 100755 --- a/include/modules.php +++ b/include/modules.php 
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -232,6 +232,7 @@ 'ACLActions', 'ACLRoles', 'DocumentRevisions', 'ProjectTask', + 'ModuleBuilder', ); $adminOnlyList = array( //module => list of actions (all says all actions are admin only) diff --git a/include/utils/array_utils.php b/include/utils/array_utils.php index a98da6d3a49..fdeba492dae 100755 --- a/include/utils/array_utils.php +++ b/include/utils/array_utils.php 
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -100,9 +100,10 @@ function override_recursive_helper($key_names, $array_name, $value){ } function override_value_to_string_recursive2($array_name, $value_name, $value, $save_empty = true) { + $quoted_vname = var_export($value_name, true); if (is_array($value)) { $str = ''; - $newArrayName = $array_name . "['$value_name']"; + $newArrayName = $array_name . "[$quoted_vname]"; foreach($value as $key=>$val) { $str.= override_value_to_string_recursive2($newArrayName, $key, $val, $save_empty); } 
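Review bot: The switch from `'$value_name'` to `var_export($value_name, true)` deserves a comment, because the reason is not visible from the code: this function emits PHP source for override files, a key containing a quote or backslash used to terminate the generated string literal, and `var_export` both quotes and escapes it (and renders integer keys as integers, preserving the original key type). Suggested line above `$quoted_vname = …`: `// var_export() quotes and escapes the key so it cannot break out of the generated PHP statement`. The same `$quoted_vname` is used in the return statement of the `@@ -111` hunk, the other place the key is written.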
@@ -111,7 +112,7 @@ function override_value_to_string_recursive2($array_name, $value_name, $value, $ if(!$save_empty && empty($value)){ return; }else{ - return "\$$array_name" . "['$value_name'] = " . var_export($value, true) . ";\n"; + return "\$$array_name" . "[$quoted_vname] = " . var_export($value, true) . ";\n"; } } } @@ -293,4 +294,3 @@ private function _getRecursive($raw_config, $children, $default) { } } -?> diff --git a/install/install_utils.php b/install/install_utils.php index 49ffd45cfe6..4a4d3956961 100755 --- a/install/install_utils.php +++ b/install/install_utils.php @@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -915,9 +915,12 @@ function getFtsSettings() */ function handleHtaccess(){ global $mod_strings; +global $sugar_config; $ignoreCase = (substr_count(strtolower($_SERVER['SERVER_SOFTWARE']), 'apache/2') > 0)?'(?i)':''; $htaccess_file = ".htaccess"; $contents = ''; +$basePath = parse_url($sugar_config['site_url'], PHP_URL_PATH); +if(empty($basePath)) $basePath = '/'; $restrict_str = << + Options +FollowSymLinks + RewriteEngine On + RewriteBase {$basePath} + RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&module=app_strings&lang=$1 [L,QSA] + RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&module=$1&lang=$2 [L,QSA] + Header set ETag "" @@ -1169,7 +1179,7 @@ function insert_default_settings(){ $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'fromaddress', 'do_not_reply@example.com')"); - $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'fromname', 'SuiteCRM')"); + $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'fromname', 'SugarCRM')"); $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'send_by_default', '1')"); $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'on', '1')"); $db->query("INSERT INTO config (category, name, value) VALUES ('notify', 'send_from_assigning_user', '0')"); @@ -2061,7 +2071,7 @@ function post_install_modules(){ } function get_help_button_url(){ - $help_url = 'http://www.suitecrm.com/forum/index'; + $help_url = 'http://www.sugarcrm.com/docs/Administration_Guides/CommunityEdition_Admin_Guide_5.0/toc.html'; return $help_url; } diff --git a/modules/Accounts/AccountFormBase.php b/modules/Accounts/AccountFormBase.php index c918aa6b2f9..9206eaaa2b3 100755 --- a/modules/Accounts/AccountFormBase.php +++ b/modules/Accounts/AccountFormBase.php 
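Review bot: `parse_url($sugar_config['site_url'], PHP_URL_PATH)` returns `false` for a URL it cannot parse and `null` when there is no path, and the following `empty()` check folds both into `'/'`, so a misconfigured site_url silently produces `RewriteBase /` in the generated .htaccess; at least the `false` case should be logged rather than defaulted. The `.` before `js` in both added `RewriteRule` patterns is an unescaped any-character wildcard, so `\.js$` states the intent. The one-line `if(empty($basePath)) $basePath = '/';` should carry braces like the surrounding code. handleHtaccess() continues past the end of this hunk.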
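Review bot: The `@@ -1169` hunk changes the default notification `fromname` from 'SuiteCRM' to 'SugarCRM', and the `@@ -2061` hunk points `get_help_button_url()` at a sugarcrm.com Community Edition 5.0 guide instead of the SuiteCRM forum; both read as upstream values reintroduced by a merge rather than intended changes, and neither is explained anywhere in the diff. If they are intentional the commit message should say so; otherwise restore `'SuiteCRM'` and `'http://www.suitecrm.com/forum/index'`.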
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -468,16 +468,14 @@ function handleSave($prefix,$redirect=true, $useRequired=false){ } //add return_module, return_action, and return_id to redirect get string - $get .= '&return_module='; - if(!empty($_POST['return_module'])) $get .= $_POST['return_module']; - else $get .= 'Accounts'; - $get .= '&return_action='; - if(!empty($_POST['return_action'])) $get .= $_POST['return_action']; - //else $get .= 'DetailView'; - if(!empty($_POST['return_id'])) $get .= '&return_id='.$_POST['return_id']; - if(!empty($_POST['popup'])) $get .= '&popup='.$_POST['popup']; - if(!empty($_POST['create'])) $get .= '&create='.$_POST['create']; - + $urlData = array('return_module' => 'Accounts', 'return_action' => ''); + foreach (array('return_module', 'return_action', 'return_id', 'popup', 'create') as $var) { + if (!empty($_POST[$var])) { + $urlData[$var] = $_POST[$var]; + } + } + $get .= "&".http_build_query($urlData); + $_SESSION['SHOW_DUPLICATES'] = $get; //now redirect the post to modules/Accounts/ShowDuplicates.php if (!empty($_POST['is_ajax_call']) && $_POST['is_ajax_call'] == '1') @@ -492,7 +490,7 @@ function handleSave($prefix,$redirect=true, $useRequired=false){ } else { if(!empty($_POST['to_pdf'])) - $location .= '&to_pdf='.$_POST['to_pdf']; + $location .= '&to_pdf='.urlencode($_POST['to_pdf']); header("Location: index.php?$location"); } return null; 
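Review bot: Routing the redirect values through `http_build_query()` here, and `urlencode()` for `to_pdf` in the `@@ -492` hunk, is the right fix, but the `$get` prefix this string is appended to is built outside the hunk; confirm those earlier segments are encoded the same way, otherwise ShowDuplicates.php's `parse_str()` will still see raw values there. `!empty($_POST[$var])` discards a legitimate `'0'` (for example `create=0`), as the original code also did; `isset($_POST[$var]) && $_POST[$var] !== ''` keeps the intent without that gap. handleSave() begins and ends outside this hunk.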
@@ -531,20 +529,20 @@ function handleSave($prefix,$redirect=true, $useRequired=false){ return null; } - if(isset($_POST['popup']) && $_POST['popup'] == 'true') { - $get = '&module='; - if(!empty($_POST['return_module'])) $get .= $_POST['return_module']; - else $get .= 'Accounts'; - $get .= '&action='; - if(!empty($_POST['return_action'])) $get .= $_POST['return_action']; - else $get .= 'Popup'; - if(!empty($_POST['return_id'])) $get .= '&return_id='.$_POST['return_id']; - if(!empty($_POST['popup'])) $get .= '&popup='.$_POST['popup']; - if(!empty($_POST['create'])) $get .= '&create='.$_POST['create']; - if(!empty($_POST['to_pdf'])) $get .= '&to_pdf='.$_POST['to_pdf']; - $get .= '&name=' . $focus->name; - $get .= '&query=true'; - header("Location: index.php?$get"); + if (isset($_POST['popup']) && $_POST['popup'] == 'true') { + $urlData = array("query" => true, "name" => $focus->name, "module" => 'Accounts', 'action' => 'Popup'); + if (!empty($_POST['return_module'])) { + $urlData['module'] = $_POST['return_module']; + } + if (!empty($_POST['return_action'])) { + $urlData['action'] = $_POST['return_action']; + } + foreach (array('return_id', 'popup', 'create', 'to_pdf') as $var) { + if (!empty($_POST[$var])) { + $urlData[$var] = $_POST[$var]; + } + } + header("Location: index.php?".http_build_query($urlData)); return; } if($redirect){ diff --git a/modules/Accounts/ShowDuplicates.php b/modules/Accounts/ShowDuplicates.php index fe2a0078963..0c6fe50d452 100755 --- a/modules/Accounts/ShowDuplicates.php +++ b/modules/Accounts/ShowDuplicates.php 
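Review bot: `http_build_query()` renders the boolean in `'query' => true` as `1`, so the redirect now carries `query=1` where the original emitted `query=true`; unless every consumer of this parameter only tests for non-emptiness, use the string `'query' => 'true'` to keep the wire format unchanged. `$_POST['popup'] == 'true'` on the rewritten `if` is a loose comparison that `=== 'true'` makes exact. `$urlData` is filled with the same `!empty()` filter as the earlier hunk, so a value of `'0'` is dropped here too. handleSave() continues past the end of this hunk.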
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -45,6 +45,10 @@ // retrieve $_POST values out of the $_SESSION variable - placed in there by AccountFormBase to avoid the length limitations on URLs implicit with GETS //$GLOBALS['log']->debug('ShowDuplicates.php: _POST = '.print_r($_SESSION['SHOW_DUPLICATES'],true)); parse_str($_SESSION['SHOW_DUPLICATES'],$_POST); +$post = array_map("securexss", $_POST); +foreach ($post as $k => $v) { + $_POST[$k] = $v; +} unset($_SESSION['SHOW_DUPLICATES']); //$GLOBALS['log']->debug('ShowDuplicates.php: _POST = '.print_r($_POST,true)); 
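Review bot: `securexss()` is applied to the freshly parsed `$_POST`, but the `urldecode($_POST['Accounts'.$field])` calls in the `@@ -106` hunk run after the filter, so a value that was percent-encoded twice before it reached the session passes the filter unchanged and is only decoded when written into the hidden-input markup; escape at the output point with `htmlspecialchars()` (or filter after the decode) rather than relying on this early pass alone. The copy loop is equivalent to the single assignment `$_POST = array_map('securexss', $_POST);`, since `array_map` preserves string keys. `$_POST['duplicate']` is an array (it is counted and iterated in the next hunk), so this relies on `securexss()` recursing into array values — worth a comment such as `// securexss() recurses into array values` if it does, and a guard if it does not.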
@@ -77,13 +81,13 @@ $GLOBALS['check_notify'] = FALSE; $query = 'select id, name, website, billing_address_city from accounts where deleted=0 '; -$duplicates = $_POST['duplicate']; +$duplicates = $_POST['duplicate']; $count = count($duplicates); if ($count > 0) { $query .= "and ("; - $first = true; - foreach ($duplicates as $duplicate_id) + $first = true; + foreach ($duplicates as $duplicate_id) { if (!$first) $query .= ' OR '; $first = false; @@ -106,14 +110,14 @@ $input = ''; foreach ($account->column_fields as $field) -{ +{ if (!empty($_POST['Accounts'.$field])) { $value = urldecode($_POST['Accounts'.$field]); $input .= "\n"; } } foreach ($account->additional_column_fields as $field) -{ +{ if (!empty($_POST['Accounts'.$field])) { $value = urldecode($_POST['Accounts'.$field]); $input .= "\n"; @@ -140,19 +144,19 @@ else $get .= "DetailView"; if(!empty($_POST['return_id'])) $xtpl->assign('RETURN_ID', $_POST['return_id']); -if(!empty($_POST['popup'])) +if(!empty($_POST['popup'])) $input .= ''; -else +else $input .= ''; -if(!empty($_POST['to_pdf'])) +if(!empty($_POST['to_pdf'])) $input .= ''; -else +else $input .= ''; - -if(!empty($_POST['create'])) + +if(!empty($_POST['create'])) $input .= ''; -else +else $input .= ''; $xtpl->assign('INPUT_FIELDS',$input); diff --git a/modules/Administration/ImportCustomFieldStructure.php b/modules/Administration/ImportCustomFieldStructure.php index 7c31bc0852e..3540bbf5704 100755 --- a/modules/Administration/ImportCustomFieldStructure.php +++ b/modules/Administration/ImportCustomFieldStructure.php 
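Review bot: `$duplicates = $_POST['duplicate'];` is the rewritten line and still assumes the key exists and is an array; when it is missing, `count($duplicates)` on the next line raises a warning (a TypeError on PHP 8), so guard it: `$duplicates = (isset($_POST['duplicate']) && is_array($_POST['duplicate'])) ? $_POST['duplicate'] : array();`. The loop body that interpolates `$duplicate_id` into `$query` lies just past the end of this hunk; the `securexss()` pass earlier in the file is an HTML filter, not SQL escaping, so each id must still be quoted with `$GLOBALS['db']->quoted()` there. The `if (!$first) $query .= ' OR ';` line should take braces like the rest of the rewritten block.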
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -38,9 +38,13 @@ * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM". ********************************************************************************/ - if(empty($_FILES)){ -echo $mod_strings['LBL_IMPORT_CUSTOM_FIELDS_DESC']; -echo <<
@@ -50,40 +54,35 @@
EOQ; +} else { + $fmd = BeanFactory::getBean('EditCustomFields'); - - }else{ - - $fmd = new FieldsMetaData(); - - echo $mod_strings['LBL_ICF_DROPPING'] . '
'; - $lines = file($_FILES['sugfile']['tmp_name']); - $cur = array(); - foreach($lines as $line){ - - if(trim($line) == 'DONE'){ - $fmd->new_with_id = true; - echo 'Adding:'.$fmd->custom_module . '-'. $fmd->name. '
'; - $fmd->db->query("DELETE FROM $fmd->table_name WHERE id='$fmd->id'"); - $fmd->save(false); - $fmd = new FieldsMetaData(); - - - - }else{ + echo $mod_strings['LBL_ICF_DROPPING'] . '
'; + $lines = file($_FILES['sugfile']['tmp_name']); + $cur = array(); + foreach ($lines as $line) { + if (trim($line) == 'DONE') { + $fmd->new_with_id = true; + echo $mod_strings['LBL_IMPORT_CUSTOM_FIELDS_ADDING'] . ':' . $fmd->custom_module . '-' . + $fmd->name . '
'; + $fmd->db->query("DELETE FROM $fmd->table_name WHERE id=".$fmd->db->quoted($fmd->id)); + $fmd->save(false); + $fmd = BeanFactory::getBean('EditCustomFields'); + } else { - $ln = explode(':::', $line ,2); - if(sizeof($ln) == 2){ - $KEY = trim($ln[0]); - $fmd->$KEY = trim($ln[1]); - } - } - - } + $ln = explode(':::', $line, 2); + if (sizeof($ln) == 2) { + $KEY = trim($ln[0]); + if ($KEY === 'table_name') { + continue; + } + $fmd->$KEY = trim($ln[1]); + } + } + } $_REQUEST['run'] = true; $result = $fmd->db->query("SELECT count(*) field_count FROM $fmd->table_name"); $row = $fmd->db->fetchByAssoc($result); echo 'Total Custom Fields :' . $row['field_count'] . '
'; include('modules/Administration/UpgradeFields.php'); - } -?> +} diff --git a/modules/Administration/UpgradeAccess.php b/modules/Administration/UpgradeAccess.php index a6dfb226b60..f0bda33a8cf 100755 --- a/modules/Administration/UpgradeAccess.php +++ b/modules/Administration/UpgradeAccess.php @@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
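Review bot: The key filter in the new else branch rejects only `table_name`, so every other property name found in the uploaded file is still assigned straight onto the bean by `$fmd->$KEY = trim($ln[1])`, including names that are not field-metadata columns at all. An allowlist of the columns this bean actually persists is safer than a one-entry denylist, e.g. `if (!in_array($KEY, $fmd->column_fields, true)) { continue; }`, assuming `column_fields` is populated for this bean — confirm. The progress line `echo $mod_strings['LBL_IMPORT_CUSTOM_FIELDS_ADDING'] . ':' . $fmd->custom_module . '-' . $fmd->name` writes values read from the uploaded file into the admin page unescaped; wrap them in `htmlspecialchars(...)`. The `$_REQUEST['run'] = true;` line and the following count query use `$fmd->table_name` from whatever the last bean instance carries, which is outside the lines changed here.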
@@ -47,6 +47,8 @@ $ignoreCase = (substr_count(strtolower($_SERVER['SERVER_SOFTWARE']), 'apache/2') > 0)?'(?i)':''; $htaccess_file = getcwd() . "/.htaccess"; $contents = ''; +$basePath = parse_url($sugar_config['site_url'], PHP_URL_PATH); +if(empty($basePath)) $basePath = '/'; $restrict_str = << + Options +FollowSymLinks + RewriteEngine On + RewriteBase {$basePath} + RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&module=app_strings&lang=$1 [L,QSA] + RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&module=$1&lang=$2 [L,QSA] +
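Review bot: `$basePath` is taken from `parse_url($sugar_config['site_url'], PHP_URL_PATH)` and interpolated into the generated .htaccess as `RewriteBase {$basePath}` with no check that it is a plain path. `parse_url()` returns `false` for a malformed `site_url`, which the `empty()` fallback covers, but a path containing spaces or quotes would still be written verbatim and break the rewrite block for the whole install. A narrow check such as `if (!preg_match('#^/[A-Za-z0-9._~/-]*$#', $basePath)) { $basePath = '/'; }` keeps the generated file valid. The heredoc and the RewriteRule lines that consume `$basePath` appear to belong to a following hunk whose header was lost in the page rendering, so its boundary is not certain here.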
# END SUGARCRM RESTRICTIONS EOQ; @@ -136,4 +145,4 @@ * echo "\n" . $mod_strings['LBL_HT_DONE']. "
\n"; */ -?> \ No newline at end of file +?> diff --git a/modules/Administration/UpgradeWizard.php b/modules/Administration/UpgradeWizard.php index 0c312bc39d2..c6306eb26e0 100755 --- a/modules/Administration/UpgradeWizard.php +++ b/modules/Administration/UpgradeWizard.php @@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -39,10 +39,6 @@ ********************************************************************************/ - -if(!is_admin($GLOBALS['current_user'])){ - sugar_die($GLOBALS['app_strings']['ERR_NOT_ADMIN']); -} require_once('modules/Administration/UpgradeWizardCommon.php'); require_once('ModuleInstall/PackageManager/PackageManagerDisplay.php'); require_once('ModuleInstall/ModuleScanner.php'); diff --git a/modules/Administration/UpgradeWizardCommon.php b/modules/Administration/UpgradeWizardCommon.php index 39ca010c019..15c5e7b3574 100755 --- a/modules/Administration/UpgradeWizardCommon.php +++ b/modules/Administration/UpgradeWizardCommon.php 
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -39,7 +39,9 @@ ********************************************************************************/ - +if (!is_admin($GLOBALS['current_user'])) { + sugar_die($GLOBALS['app_strings']['ERR_NOT_ADMIN']); +} require_once('include/utils/db_utils.php'); require_once('include/utils/zip_utils.php'); @@ -247,5 +249,3 @@ function getDiffFiles($unzip_dir, $install_file, $is_install = true, $previous_v }//fi return $modified_files; } - -?> diff --git a/modules/Connectors/controller.php b/modules/Connectors/controller.php index 125f209da59..5e3736b1a73 100755 --- a/modules/Connectors/controller.php 
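Review bot: The `is_admin()` gate now fires as a side effect of `require_once`-ing UpgradeWizardCommon.php, a file that otherwise only defines helpers such as getDiffFiles(), and it calls `sugar_die()` on failure; every script that includes this file must therefore have an initialised session and `$current_user` by that point, which holds for UpgradeWizard.php (whose own check was removed in the previous hunk) but is worth stating for other includers. Consider a comment above the check: `// Admin gate for every entry point that includes this file; assumes the session and $GLOBALS['current_user'] are already initialised.` If any non-interactive caller (an upgrade or CLI script) includes this file, the gate would now terminate it — confirm against the other includers.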
+++ b/modules/Connectors/controller.php @@ -14,24 +14,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -42,13 +42,12 @@ require_once('include/connectors/sources/SourceFactory.php'); require_once('include/connectors/ConnectorFactory.php'); require_once('include/MVC/Controller/SugarController.php'); -require_once('modules/Connectors/Forms.php'); -class CustomConnectorsController extends ConnectorsController { +class ConnectorsController extends SugarController { var $admin_actions = array('ConnectorSettings', 'DisplayProperties', 'MappingProperties', 'ModifyMapping', 'ModifyDisplay', 'ModifyProperties', 'ModifySearch', 'SearchProperties', 'SourceProperties', - 'SavedModifyDisplay', 'SaveModifyProperties', 'SaveModifySearch'); + 'SavedModifyDisplay', 'SaveModifyProperties', 'SaveModifySearch', 'RunTest'); function process() { diff --git a/modules/Contacts/ContactFormBase.php b/modules/Contacts/ContactFormBase.php index c186877a3fd..b5871307265 100755 --- a/modules/Contacts/ContactFormBase.php +++ b/modules/Contacts/ContactFormBase.php 
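Review bot: `$admin_actions` is an opt-in list, so any controller action not named in it is reachable by non-admin users by default, and `'RunTest'` is only being added now; a short comment above the array would make that invariant visible to the next person adding an action, e.g. `// Actions listed here require is_admin(); any action not listed is available to every logged-in user.` The enforcement presumably lives in process(), whose body starts at the end of this hunk and continues outside it — confirm that it compares the dispatched action name against this list exactly as the router supplies it. The PHP 4 style `var` on the property could be `public` so the visibility is explicit.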
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not 
@@ -534,21 +534,15 @@ function handleSave($prefix, $redirect=true, $useRequired=false){ } //add return_module, return_action, and return_id to redirect get string - $get .= "&return_module="; - if(!empty($_POST['return_module'])) $get .= $_POST['return_module']; - else $get .= "Contacts"; - $get .= "&return_action="; - if(!empty($_POST['return_action'])) $get .= $_POST['return_action']; - //else $get .= "DetailView"; - if(!empty($_POST['return_id'])) $get .= "&return_id=".$_POST['return_id']; - if(!empty($_POST['popup'])) $get .= '&popup='.$_POST['popup']; - if(!empty($_POST['create'])) $get .= '&create='.$_POST['create']; - - // for InboundEmail flow - if(!empty($_POST['start'])) $get .= '&start='.$_POST['start']; - + $urlData = array('return_module' => 'Contacts', 'return_action' => ''); + foreach (array('return_module', 'return_action', 'return_id', 'popup', 'create', 'start') as $var) { + if (!empty($_POST[$var])) { + $urlData[$var] = $_POST[$var]; + } + } + $get .= "&".http_build_query($urlData); + $_SESSION['SHOW_DUPLICATES'] = $get; - $_SESSION['SHOW_DUPLICATES'] = $get; //now redirect the post to modules/Contacts/ShowDuplicates.php if (!empty($_POST['is_ajax_call']) && $_POST['is_ajax_call'] == '1') { @@ -561,7 +555,7 @@ function handleSave($prefix, $redirect=true, $useRequired=false){ echo ""; } else { - if(!empty($_POST['to_pdf'])) $location .= '&to_pdf='.$_POST['to_pdf']; + if(!empty($_POST['to_pdf'])) $location .= '&to_pdf='.urlencode($_POST['to_pdf']); header("Location: index.php?$location"); } return null; 
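Review bot: The rewritten block encodes the return parameters through `http_build_query()`, but the `to_pdf` line in the second hunk still hand-builds `$location` with a single `urlencode()`, and `$get` itself is concatenated before this hunk starts, so whether its earlier parts are encoded is not visible here. Building the whole query string from one array keeps a single encoding path, e.g. `$location .= '&' . http_build_query(array('to_pdf' => $_POST['to_pdf']));`. handleSave() starts before and ends after these hunks.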
@@ -627,20 +621,20 @@ function handleSave($prefix, $redirect=true, $useRequired=false){ } if($redirect && isset($_POST['popup']) && $_POST['popup'] == 'true') { - $get = '&module='; - if(!empty($_POST['return_module'])) $get .= $_POST['return_module']; - else $get .= 'Contacts'; - $get .= '&action='; - if(!empty($_POST['return_action'])) $get .= $_POST['return_action']; - else $get .= 'Popup'; - if(!empty($_POST['return_id'])) $get .= '&return_id='.$_POST['return_id']; - if(!empty($_POST['popup'])) $get .= '&popup='.$_POST['popup']; - if(!empty($_POST['create'])) $get .= '&create='.$_POST['create']; - if(!empty($_POST['to_pdf'])) $get .= '&to_pdf='.$_POST['to_pdf']; - $get .= '&first_name=' . urlencode($focus->first_name); - $get .= '&last_name=' . urlencode($focus->last_name); - $get .= '&query=true'; - header("Location: index.php?$get"); + $urlData = array("query" => true, "first_name" => $focus->first_name, "last_name" => $focus->last_name, + "module" => 'Accounts', 'action' => 'Popup'); + if (!empty($_POST['return_module'])) { + $urlData['module'] = $_POST['return_module']; + } + if (!empty($_POST['return_action'])) { + $urlData['action'] = $_POST['return_action']; + } + foreach(array('return_id', 'popup', 'create', 'to_pdf') as $var) { + if (!empty($_POST[$var])) { + $urlData[$var] = $_POST[$var]; + } + } + header("Location: index.php?".http_build_query($urlData)); return; } @@ -653,7 +647,7 @@ function handleSave($prefix, $redirect=true, $useRequired=false){ function handleRedirect($return_id){ if(isset($_POST['return_module']) && $_POST['return_module'] != "") { - $return_module = $_POST['return_module']; + $return_module = urlencode($_POST['return_module']); } else { $return_module = "Contacts"; 
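Review bot: The replacement array defaults `'module'` to `'Accounts'`, while the removed code defaulted to `'Contacts'` (`else $get .= 'Contacts';`), so a popup save without `return_module` now redirects to the Accounts popup; this reads like a copy from the Accounts form and should be `"module" => 'Contacts'`. Separately, `"query" => true` is rendered by `http_build_query()` as `query=1`, whereas the old code emitted `query=true`; if the receiving Popup view compares the string, use `"query" => 'true'` to keep the same wire value. The handleSave() body continues outside the hunk.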
@@ -661,14 +655,14 @@ function handleRedirect($return_id){ if(isset($_POST['return_action']) && $_POST['return_action'] != "") { if($_REQUEST['return_module'] == 'Emails') { - $return_action = $_REQUEST['return_action']; + $return_action = urlencode($_REQUEST['return_action']); } // if we create a new record "Save", we want to redirect to the DetailView elseif($_REQUEST['action'] == "Save" && $_REQUEST['return_module'] != "Home") { $return_action = 'DetailView'; } else { // if we "Cancel", we go back to the list view. - $return_action = $_REQUEST['return_action']; + $return_action = urlencode($_REQUEST['return_action']); } } else { @@ -676,7 +670,7 @@ function handleRedirect($return_id){ } if(isset($_POST['return_id']) && $_POST['return_id'] != "") { - $return_id = $_POST['return_id']; + $return_id = urlencode($_POST['return_id']); } //eggsurplus Bug 23816: maintain VCR after an edit/save. If it is a duplicate then don't worry about it. The offset is now worthless. @@ -702,5 +696,3 @@ protected function getContact() } } - -?> diff --git a/modules/Contacts/ShowDuplicates.php b/modules/Contacts/ShowDuplicates.php index 6bb5f5d469e..f2f07f031e1 100755 --- a/modules/Contacts/ShowDuplicates.php +++ b/modules/Contacts/ShowDuplicates.php 
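Review bot: The changed lines encode `$_REQUEST['return_action']`, but the guard above tests `isset($_POST['return_action'])`, and the Emails branch compares `$_REQUEST['return_module']` while `$return_module` was taken from `$_POST` in the previous hunk; when the same key arrives in both GET and POST, the value that is encoded is not the one that was checked. Read every return_* value from one superglobal, e.g. `$return_action = urlencode($_POST['return_action']);` in both branches, so the guard and the value agree. handleRedirect() continues outside this hunk, where these values are presumably placed in the Location header.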
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -43,6 +43,10 @@ // retrieve $_POST values out of the $_SESSION variable - placed in there by ContactFormBase to avoid the length limitations on URLs implicit with GETS //$GLOBALS['log']->debug('ShowDuplicates.php: _POST = '.print_r($_SESSION['SHOW_DUPLICATES'],true)); parse_str($_SESSION['SHOW_DUPLICATES'],$_POST); +$post = array_map("securexss", $_POST); +foreach ($post as $k => $v) { + $_POST[$k] = $v; +} unset($_SESSION['SHOW_DUPLICATES']); //$GLOBALS['log']->debug('ShowDuplicates.php: _POST = '.print_r($_POST,true)); 
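Review bot: `array_map("securexss", $_POST)` followed by a foreach that copies every element back is equivalent to `$_POST = array_map('securexss', $_POST);`; the loop adds nothing. `$_POST['duplicate']` is consumed as an array a few lines later (`$duplicates = $_POST['duplicate']; $count = count($duplicates);`), so confirm that `securexss` accepts and recurses into array values; otherwise the `duplicate` list would be altered or dropped by this step. `securexss` is an HTML-context filter; the `$duplicate_id` values are appended to a SQL `WHERE` in the next hunk (the concatenation line itself is outside the visible lines), which needs database quoting independently of this step. The same copy-back pattern is added in modules/Leads/views/view.showduplicates.php.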
@@ -76,13 +80,13 @@ $query = 'select id, first_name, last_name, title from contacts where deleted=0 '; -$duplicates = $_POST['duplicate']; +$duplicates = $_POST['duplicate']; $count = count($duplicates); if ($count > 0) { $query .= "and ("; - $first = true; - foreach ($duplicates as $duplicate_id) + $first = true; + foreach ($duplicates as $duplicate_id) { if (!$first) $query .= ' OR '; $first = false; @@ -105,14 +109,14 @@ $input = ''; foreach ($contact->column_fields as $field) -{ +{ if (!empty($_POST['Contacts'.$field])) { $input .= "\n"; } } foreach ($contact->additional_column_fields as $field) -{ +{ if (!empty($_POST['Contacts'.$field])) { $input .= "\n"; } @@ -141,31 +145,31 @@ //// INBOUND EMAIL WORKFLOW if(isset($_REQUEST['inbound_email_id'])) { $xtpl->assign('INBOUND_EMAIL_ID', $_REQUEST['inbound_email_id']); - $xtpl->assign('RETURN_MODULE', 'Emails'); + $xtpl->assign('RETURN_MODULE', 'Emails'); $xtpl->assign('RETURN_ACTION', 'EditView'); if(isset($_REQUEST['start'])) { $xtpl->assign('START', $_REQUEST['start']); } - + } //// END INBOUND EMAIL WORKFLOW /////////////////////////////////////////////////////////////////////////////// -if(!empty($_POST['popup'])) +if(!empty($_POST['popup'])) $input .= ''; -else +else $input .= ''; -if(!empty($_POST['to_pdf'])) +if(!empty($_POST['to_pdf'])) $input .= ''; -else +else $input .= ''; - -if(!empty($_POST['create'])) + +if(!empty($_POST['create'])) $input .= ''; -else +else $input .= ''; if(!empty($_POST['return_id'])) $xtpl->assign('RETURN_ID', $_POST['return_id']); diff --git a/modules/Leads/LeadFormBase.php b/modules/Leads/LeadFormBase.php index 39264f6ffff..1435db812cb 100755 --- a/modules/Leads/LeadFormBase.php +++ b/modules/Leads/LeadFormBase.php 
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -63,7 +63,7 @@ public function getDuplicateQuery($focus, $prefix='') // add team security $query .= " WHERE deleted != 1 AND (status <> 'Converted' OR status IS NULL) AND "; - + //Use the first and last name from the $_POST to filter. If only last name supplied use that if(isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) { $query .= " (first_name='". $_POST[$prefix.'first_name'] . "' AND last_name = '". $_POST[$prefix.'last_name'] ."')"; 
@@ -300,20 +300,19 @@ function handleSave($prefix,$redirect=true, $useRequired=false, $do_save=true, $ $get .= "Leads"; } - $get .= "&return_action="; - if(!empty($_POST['return_action'])) $get .= $_POST['return_action']; - if(!empty($_POST['return_id'])) $get .= "&return_id=".$_POST['return_id']; - if(!empty($_POST['popup'])) $get .= '&popup='.$_POST['popup']; - if(!empty($_POST['create'])) $get .= '&create='.$_POST['create']; - - // for InboundEmail flow - if(!empty($_POST['start'])) $get .= '&start='.$_POST['start']; - - $_SESSION['SHOW_DUPLICATES'] = $get; + //add return_module, return_action, and return_id to redirect get string + $urlData = array('return_module' => 'Leads', 'return_action' => ''); + foreach (array('return_module', 'return_action', 'return_id', 'popup', 'create', 'start') as $var) { + if (!empty($_POST[$var])) { + $urlData[$var] = $_POST[$var]; + } + } + $get .= "&".http_build_query($urlData); + $_SESSION['SHOW_DUPLICATES'] = $get; if (!empty($_POST['is_ajax_call']) && $_POST['is_ajax_call'] == '1') { - ob_clean(); + ob_clean(); $json = getJSONobj(); echo $json->encode(array('status' => 'dupe', 'get' => $location)); } else if(!empty($_REQUEST['ajax_load'])) { @@ -321,7 +320,7 @@ function handleSave($prefix,$redirect=true, $useRequired=false, $do_save=true, $ } else { if(!empty($_POST['to_pdf'])) { - $location .= '&to_pdf='.$_POST['to_pdf']; + $location .= '&to_pdf='.urlencode($_POST['to_pdf']); } header("Location: index.php?$location"); } 
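Review bot: The context line `$get .= "Leads"; }` at the top of the hunk indicates that the older `&return_module=...` append just before this hunk was left in place, so `$get` now carries `return_module` twice: once raw from `$_POST['return_module']` by the older code and once encoded by `http_build_query()`. `parse_str()` on the consuming side keeps the last value, so the result is correct, but the unencoded copy remains in the session string; remove the preceding `$get .= "&return_module=" ...` block so the array is the only source. handleSave() starts before this hunk — confirm the earlier lines against the file.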
@@ -381,11 +380,11 @@ function handleSave($prefix,$redirect=true, $useRequired=false, $do_save=true, $ $email->load_relationship('leads'); $email->leads->add($focus->id); - header("Location: index.php?&module=Emails&action=EditView&type=out&inbound_email_id=".$_REQUEST['inbound_email_id']."&parent_id=".$email->parent_id."&parent_type=".$email->parent_type.'&start='.$_REQUEST['start']); - exit(); - } - //// END INBOUND EMAIL HANDLING - /////////////////////////////////////////////////////////////////////////////// + header("Location: index.php?&module=Emails&action=EditView&type=out&inbound_email_id=".urlencode($_REQUEST['inbound_email_id'])."&parent_id=".$email->parent_id."&parent_type=".$email->parent_type.'&start='.urlencode($_REQUEST['start'])); + exit(); + } + //// END INBOUND EMAIL HANDLING + /////////////////////////////////////////////////////////////////////////////// $GLOBALS['log']->debug("Saved record with id of ".$return_id); if($redirect){ diff --git a/modules/Leads/views/view.showduplicates.php b/modules/Leads/views/view.showduplicates.php index 08c730c045b..41854e63a61 100755 --- a/modules/Leads/views/view.showduplicates.php +++ b/modules/Leads/views/view.showduplicates.php 
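Review bot: The rewritten Location header encodes `inbound_email_id` and `start` but still concatenates `$email->parent_id` and `$email->parent_type` raw, and keeps the stray `?&module=` prefix. Building the whole query with one call keeps every parameter encoded: `header('Location: index.php?' . http_build_query(array('module' => 'Emails', 'action' => 'EditView', 'type' => 'out', 'inbound_email_id' => $_REQUEST['inbound_email_id'], 'parent_id' => $email->parent_id, 'parent_type' => $email->parent_type, 'start' => $_REQUEST['start'])));`. Where `parent_id` and `parent_type` are assigned is outside this hunk.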
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -63,6 +63,10 @@ function display() } parse_str($_SESSION['SHOW_DUPLICATES'],$_POST); + $post = array_map("securexss", $_POST); + foreach ($post as $k => $v) { + $_POST[$k] = $v; + } unset($_SESSION['SHOW_DUPLICATES']); diff --git a/modules/SecurityGroups/SecurityGroup.php b/modules/SecurityGroups/SecurityGroup.php index f185107902f..1093c3147d6 100755 --- a/modules/SecurityGroups/SecurityGroup.php +++ b/modules/SecurityGroups/SecurityGroup.php 
@@ -21,7 +21,8 @@ function SecurityGroup(){ */ function getGroupWhere($table_name,$module,$user_id) { - + + //need a different query if doing a securitygroups check if($module == "SecurityGroups") { return " $table_name.id in ( @@ -205,6 +206,13 @@ function assign_default_groups(&$focus,$isUpdate) global $sugar_config; global $current_user; if(!$isUpdate) { + //inherit only for those that support Security Groups + $groupFocus = new SecurityGroup(); + $security_modules = $groupFocus->getSecurityModules(); + if(!in_array($focus->module_dir,array_keys($security_modules))) { + return; + } + $defaultGroups = SecurityGroup::retrieveDefaultGroups(); foreach($defaultGroups as $default_id => $defaultGroup) { diff --git a/modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php b/modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php index a4a78343a85..97ae57403ee 100755 --- a/modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php +++ b/modules/Users/authentication/SAMLAuthenticate/SAMLAuthenticateUser.php 
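Review bot: `in_array($focus->module_dir, array_keys($security_modules))` is a loose comparison over a rebuilt key list; the same membership test is `if (!isset($security_modules[$focus->module_dir])) { return; }` (or `array_key_exists` if a null value is meaningful), which is exact on the key and avoids the extra array. A `new SecurityGroup()` is instantiated on every non-update save only to call `getSecurityModules()`; if that method does not depend on instance state, the result could be computed once by the caller — confirm from its definition. The enclosing assign_default_groups() continues outside the hunk.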
@@ -13,24 +13,24 @@ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more * details. - * + * * You should have received a copy of the GNU Affero General Public License along with * this program; if not, see http://www.gnu.org/licenses or write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301 USA. - * + * * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com. - * + * * The interactive user interfaces in modified source and object code versions * of this program must display Appropriate Legal Notices, as required under * Section 5 of the GNU Affero General Public License version 3. - * + * * In accordance with Section 7(b) of the GNU Affero General Public License version 3, * these Appropriate Legal Notices must retain the display of the "Powered by * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not @@ -75,7 +75,12 @@ function authenticateUser($name, $password) { require_once('modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml.php'); require(get_custom_file_if_exists('modules/Users/authentication/SAMLAuthenticate/settings.php')); - $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']); + try { + $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']); + } catch (Exception $e) { + $GLOBALS['log']->error("Unexpected exception: " . $e->getMessage()); + return ''; + } if ($samlresponse->is_valid()){ $GLOBALS['log']->debug('response is valid'); 
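Review bot: The new try/catch does not guard the input itself: `$_POST['SAMLResponse']` is read unconditionally, so a request without it raises an undefined-index notice before the constructor runs, and a missing response is a plain failed login rather than an "unexpected exception". Add `if (empty($_POST['SAMLResponse'])) { return ''; }` ahead of the try, assuming `''` is the failure value the rest of authenticateUser() returns — its remaining body is outside this hunk. Logging `$e->getMessage()` at error level is reasonable, but the message may carry fragments of the client-supplied XML into the log.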
diff --git a/modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php b/modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php index 2f839e59987..41fec058289 100755 --- a/modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php +++ b/modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml/response.php @@ -64,7 +64,7 @@ function __construct($settings, $assertion) { $this->settings = $settings; $this->assertion = base64_decode($assertion); $this->xml = new DOMDocument(); - $this->xml->loadXML($this->assertion); + $this->loadXML($this->xml, $this->assertion); } /** @@ -91,6 +91,37 @@ function get_nameid() { $entries = $xpath->query($query); return $entries->item(0)->nodeValue; } + + /** + * This function load an XML string in a save way. + * Prevent XEE/XXE Attacks + * + * @param DOMDocument $dom The document where load the xml. + * @param string $xml The XML string to be loaded. + * + * @throws DOMExceptions + * + * @return DOMDocument $dom The result of load the XML at the DomDocument + */ + public function loadXML($dom, $xml) + { + assert('$dom instanceof DOMDocument'); + assert('is_string($xml)'); + + if (strpos($xml, 'loadXML($xml); + libxml_disable_entity_loader($oldEntityLoader); + + if (!$res) { + return false; + } else { + return $dom; + } + } } ?> diff --git a/sugar_version.json b/sugar_version.json index 489b3674221..0930ee3e874 100755 --- a/sugar_version.json +++ b/sugar_version.json @@ -1,7 +1,7 @@ { - "sugar_version": "6.5.18", - "sugar_db_version": "6.5.18", + "sugar_version": "6.5.20", + "sugar_db_version": "6.5.20", "sugar_flavor": "CE", - "sugar_build": "1110", - "sugar_timestamp": "2014-09-23 12:53pm" + "sugar_build": "1001", + "sugar_timestamp": "2014-12-02 03:47pm" } \ No newline at end of file diff --git a/sugar_version.php b/sugar_version.php index 44635514a56..6b4bbf569ec 100755 --- a/sugar_version.php +++ b/sugar_version.php 
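Review bot: The constructor calls `$this->loadXML($this->xml, $this->assertion)` and discards the result, yet the new method returns `false` when the parse fails, so a malformed or rejected assertion leaves `$this->xml` empty and execution continues into `is_valid()`; the docblock's `@throws DOMExceptions` also does not match a method that returns `false`. Since the caller added in SAMLAuthenticateUser.php now catches `Exception` around this constructor, the natural fix is to fail there: `if ($this->loadXML($this->xml, $this->assertion) === false) { throw new Exception('SAML assertion is not well-formed XML'); }`. The string-argument `assert('...')` calls are deprecated from PHP 7.2 and `libxml_disable_entity_loader()` from PHP 8.0, so a comment naming the PHP range this targets would help. Part of the entity check on the new side was lost in the page rendering, so its exact condition is not reviewed here.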
@@ -3,48 +3,45 @@
 /*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
-
- * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
- * Copyright (C) 2011 - 2014 Salesagility Ltd.
- *
+ *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
- *
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
 * details.
- *
+ *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
- *
+ *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
- *
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
- *
+ *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
- * SugarCRM" logo and "Supercharged by SuiteCRM" logo.
If the display of the logos is not
- * reasonably feasible for technical reasons, the Appropriate Legal Notices must
- * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
+ * SugarCRM" logo. If the display of the logo is not reasonably feasible for
+ * technical reasons, the Appropriate Legal Notices must display the words
+ * "Powered by SugarCRM".
 ********************************************************************************/
-$sugar_version = '6.5.18';
-$sugar_db_version = '6.5.18';
+$sugar_version = '6.5.20';
+$sugar_db_version = '6.5.20';
 $sugar_flavor = 'CE';
-$sugar_build = '1110';
-$sugar_timestamp = '2014-09-23 12:53pm';
+$sugar_build = '1001';
+$sugar_timestamp = '2014-12-02 03:47pm';
 ?>
