From f7c739bba94e8d57524ec3fbc821e6a7b8efc4fe Mon Sep 17 00:00:00 2001 From: atm-quentin Date: Fri, 26 Jul 2019 12:12:08 +0200 Subject: [PATCH 01/11] FIX wrong path sociales/index.php doesnt exist anymore --- htdocs/compta/charges/index.php | 2 +- htdocs/compta/sociales/card.php | 2 +- htdocs/compta/sociales/list.php | 4 ++-- htdocs/compta/sociales/payments.php | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/compta/charges/index.php b/htdocs/compta/charges/index.php index f0188c5ed94..2f5802da185 100644 --- a/htdocs/compta/charges/index.php +++ b/htdocs/compta/charges/index.php @@ -183,7 +183,7 @@ if (! empty($conf->tax->enabled) && $user->rights->tax->charges->lire) print $socialcontrib->getNomUrl(1,'20'); print ''; // Type - print ''.$obj->lib.''; + print ''.$obj->lib.''; // Expected to pay print ''.price($obj->total).''; // Ref payment diff --git a/htdocs/compta/sociales/card.php b/htdocs/compta/sociales/card.php index 6a0d53d6987..672b9003805 100644 --- a/htdocs/compta/sociales/card.php +++ b/htdocs/compta/sociales/card.php @@ -121,7 +121,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') $result=$object->delete($user); if ($result > 0) { - header("Location: index.php"); + header("Location: list.php"); exit; } else diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index be3e7ea5791..9b7dcbbe120 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php @@ -168,7 +168,7 @@ if ($resql) if ($year) { - $center=($year?"".img_previous()." ".$langs->trans("Year")." $year ".img_next()."":""); + $center=($year?"".img_previous()." ".$langs->trans("Year")." $year ".img_next()."":""); print_barre_liste($langs->trans("SocialContributions"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $center, $num, $totalnboflines, 'title_accountancy.png', 0, $newcardbutton, '', $limit); } else 
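Review bot: The new `print ''.$obj->lib.''` line in the charges/index.php hunk still emits `$obj->lib`, a value read back from the database, with no HTML escaping; the surrounding tag markup has been stripped in this rendering, so this is inferred from the visible expression only. If the label is rendered inside HTML as the old line suggests, escape it, `print dol_escape_htmltag($obj->lib);` (keeping whatever link markup the original line carries), so a stored label containing markup cannot alter the page. The payments.php hunk of this patch changes the same line and needs the same treatment. The enclosing `if` block starts before the hunk.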
@@ -258,7 +258,7 @@ if ($resql) print ''; if ($obj->periode) { - print 'jdate($obj->periode)).'">'.dol_print_date($db->jdate($obj->periode),'day').''; + print 'jdate($obj->periode)).'">'.dol_print_date($db->jdate($obj->periode),'day').''; } else { diff --git a/htdocs/compta/sociales/payments.php b/htdocs/compta/sociales/payments.php index 936c2c9c0f2..4025f86ff01 100644 --- a/htdocs/compta/sociales/payments.php +++ b/htdocs/compta/sociales/payments.php @@ -90,7 +90,7 @@ print ''; if ($mode != 'sconly') { - $center=($year?''.img_previous($langs->trans("Previous"), 'class="valignbottom"')." ".$langs->trans("Year").' '.$year.' '.img_next($langs->trans("Next"), 'class="valignbottom"')."":""); + $center=($year?''.img_previous($langs->trans("Previous"), 'class="valignbottom"')." ".$langs->trans("Year").' '.$year.' '.img_next($langs->trans("Next"), 'class="valignbottom"')."":""); print_barre_liste($title,$page,$_SERVER["PHP_SELF"],$param,$sortfield,$sortorder,$center,$num,$totalnboflines, 'title_accountancy', 0, '', '', $limit, 1); } else @@ -181,7 +181,7 @@ if (! empty($conf->tax->enabled) && $user->rights->tax->charges->lire) print $socialcontrib->getNomUrl(1,'20'); print ''; // Type - print ''.$obj->lib.''; + print ''.$obj->lib.''; // Date $date=$obj->periode; if (empty($date)) $date=$obj->date_ech; From 37ad5308e6f3483ec84898b0b888af284c3935ce Mon Sep 17 00:00:00 2001 From: Maxime Kohlhaas Date: Sat, 27 Jul 2019 19:19:13 +0200 Subject: [PATCH 02/11] Fix holiday counter auto update --- htdocs/holiday/class/holiday.class.php | 59 ++++++++++---------------- 1 file changed, 22 insertions(+), 37 deletions(-) diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 03b2491ab59..b01d3d45984 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php 
@@ -1132,45 +1132,30 @@ class Holiday extends CommonObject $result = $this->db->query($sql); $typeleaves=$this->getTypes(1,1); - foreach($typeleaves as $key => $val) - { - // On ajoute x jours à chaque utilisateurs - $nb_holiday = $val['newByMonth']; - if (empty($nb_holiday)) $nb_holiday=0; - if ($nb_holiday > 0) + // Update each user counter + foreach ($users as $userCounter) { + $nbDaysToAdd = $typeleaves[$userCounter['type']]['newByMonth']; + if(empty($nbDaysToAdd)) continue; + + dol_syslog("We update leave type id ".$userCounter['type']." for user id ".$userCounter['rowid'], LOG_DEBUG); + + $nowHoliday = $userCounter['nb_holiday']; + $newSolde = $nowHoliday + $nbDaysToAdd; + + // We add a log for each user + $this->addLogCP($user->id, $userCounter['rowid'], $langs->trans('HolidaysMonthlyUpdate'), $newSolde, $userCounter['type']); + + $result = $this->updateSoldeCP($userCounter['rowid'], $newSolde, $userCounter['type'], $langs->trans('HolidaysMonthlyUpdate')); + + if ($result < 0) { - dol_syslog("We update leavefor everybody for type ".$key, LOG_DEBUG); - - $i = 0; - while ($i < $nbUser) - { - $now_holiday = $this->getCPforUser($users[$i]['rowid'], $val['rowid']); - $new_solde = $now_holiday + $nb_holiday; - - // We add a log for each user - $this->addLogCP($user->id, $users[$i]['rowid'], $langs->trans('HolidaysMonthlyUpdate'), $new_solde, $val['rowid']); - - $i++; - } - - // Now we update counter for all users at once - $sql2 = "UPDATE ".MAIN_DB_PREFIX."holiday_users SET"; - $sql2.= " nb_holiday = nb_holiday + ".$nb_holiday; - $sql2.= " WHERE fk_type = ".$val['rowid']; - - $result= $this->db->query($sql2); - - if (! $result) - { - dol_print_error($this->db); - break; - } + $error++; + break; } - else dol_syslog("No change for leave of type ".$key, LOG_DEBUG); } - if ($result) + if (! $error) { $this->db->commit(); return 1; 
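Review bot: `$error` is incremented in the loop and tested with `if (! $error)` at the end of the hunk, but nothing in the hunk initialises it; if the function body above (the function starts outside the hunk) does not set `$error = 0`, the commit path relies on an undefined variable, which PHP treats as falsy while reporting a notice. The first new line of the loop, `$nbDaysToAdd = $typeleaves[$userCounter['type']]['newByMonth'];`, also reads a nested index before the `empty()` guard, so a counter whose type is not returned by `getTypes(1,1)` raises a notice; `$nbDaysToAdd = empty($typeleaves[$userCounter['type']]['newByMonth']) ? 0 : $typeleaves[$userCounter['type']]['newByMonth'];` keeps the same skip behaviour without it. Note also that `$result = $this->db->query($sql);` at the top of the hunk is no longer checked before the loop reassigns `$result`, so a failure of that first query is silently ignored.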
@@ -1522,7 +1507,7 @@ class Holiday extends CommonObject else { // List of vacation balance users - $sql = "SELECT cpu.fk_user, cpu.fk_type, cpu.nb_holiday, u.lastname, u.firstname, u.gender, u.photo, u.employee, u.statut, u.fk_user"; + $sql = "SELECT cpu.fk_user, cpu.fk_type, cpu.nb_holiday, u.lastname, u.firstname, u.gender, u.photo, u.employee, u.statut, u.fk_user as manager"; $sql.= " FROM ".MAIN_DB_PREFIX."holiday_users as cpu, ".MAIN_DB_PREFIX."user as u"; $sql.= " WHERE cpu.fk_user = u.rowid"; if ($filters) $sql.=$filters; @@ -1549,9 +1534,9 @@ class Holiday extends CommonObject $tab_result[$i]['status'] = $obj->statut; $tab_result[$i]['employee'] = $obj->employee; $tab_result[$i]['photo'] = $obj->photo; - $tab_result[$i]['fk_user'] = $obj->fk_user; + $tab_result[$i]['fk_user'] = $obj->manager; - $tab_result[$i]['type'] = $obj->type; + $tab_result[$i]['type'] = $obj->fk_type; $tab_result[$i]['nb_holiday'] = $obj->nb_holiday; $i++; From a2fc3689dace61795fd3761bb0f444fb34f5e92c Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Sun, 28 Jul 2019 22:59:43 +0200 Subject: [PATCH 03/11] Nowrap on amount --- htdocs/accountancy/bookkeeping/card.php | 6 +++--- htdocs/accountancy/bookkeeping/list.php | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/accountancy/bookkeeping/card.php b/htdocs/accountancy/bookkeeping/card.php index ad7a30603dc..6de7bbfe50e 100644 --- a/htdocs/accountancy/bookkeeping/card.php +++ b/htdocs/accountancy/bookkeeping/card.php @@ -641,8 +641,8 @@ if ($action == 'create') print '' . $accountingaccount->getNomUrl(0,1,1,'',0) . ''; print '' . length_accounta($line->subledger_account) . ''; print '' . $line->label_operation. ''; - print '' . price($line->debit) . ''; - print '' . price($line->credit) . ''; + print '' . price($line->debit) . ''; + print '' . price($line->credit) . ''; print ''; print 'id . '&piece_num=' . $line->piece_num . '&mode='.$mode.'">'; 
@@ -675,7 +675,7 @@ if ($action == 'create') print $formaccounting->select_account($accountingaccount_number, 'accountingaccount_number', 1, array (), 1, 1, ''); print ''; print ''; - // TODO For the moment we keep a fre input text instead of a combo. The select_auxaccount has problem because it does not + // TODO For the moment we keep a free input text instead of a combo. The select_auxaccount has problem because it does not // use setup of keypress to select thirdparty and this hang browser on large database. if (! empty($conf->global->ACCOUNTANCY_COMBO_FOR_AUX)) { diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index c8df00f6cdc..9fb1746ceac 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php @@ -683,7 +683,7 @@ if ($num > 0) // Amount debit if (! empty($arrayfields['t.debit']['checked'])) { - print '' . ($line->debit ? price($line->debit) : ''). ''; + print '' . ($line->debit ? price($line->debit) : ''). ''; if (! $i) $totalarray['nbfield']++; if (! $i) $totalarray['totaldebitfield']=$totalarray['nbfield']; $totalarray['totaldebit'] += $line->debit; @@ -692,7 +692,7 @@ if ($num > 0) // Amount credit if (! empty($arrayfields['t.credit']['checked'])) { - print '' . ($line->credit ? price($line->credit) : '') . ''; + print '' . ($line->credit ? price($line->credit) : '') . ''; if (! $i) $totalarray['nbfield']++; if (! $i) $totalarray['totalcreditfield']=$totalarray['nbfield']; $totalarray['totalcredit'] += $line->credit; 
@@ -754,8 +754,8 @@ if ($num > 0) if ($num < $limit && empty($offset)) print ''.$langs->trans("Total").''; else print ''.$langs->trans("Totalforthispage").''; } - elseif ($totalarray['totaldebitfield'] == $i) print ''.price($totalarray['totaldebit']).''; - elseif ($totalarray['totalcreditfield'] == $i) print ''.price($totalarray['totalcredit']).''; + elseif ($totalarray['totaldebitfield'] == $i) print ''.price($totalarray['totaldebit']).''; + elseif ($totalarray['totalcreditfield'] == $i) print ''.price($totalarray['totalcredit']).''; else print ''; } print ''; From cd22cc70c8a307f4feda0cde338b7a799712fdb3 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Mon, 29 Jul 2019 06:41:51 +0200 Subject: [PATCH 04/11] FIX FEC Format - Save translation of the journal --- htdocs/accountancy/class/bookkeeping.class.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php index 21e43b524d7..67633e828a5 100644 --- a/htdocs/accountancy/class/bookkeeping.class.php +++ b/htdocs/accountancy/class/bookkeeping.class.php @@ -472,14 +472,15 @@ class BookKeeping extends CommonObject */ public function createStd(User $user, $notrigger = false, $mode='') { - global $conf; + global $conf, $langs; + + $langs->loadLangs(array("accountancy", "bills", "compta")); dol_syslog(__METHOD__, LOG_DEBUG); $error = 0; // Clean parameters - if (isset($this->doc_type)) { $this->doc_type = trim($this->doc_type); } @@ -546,7 +547,7 @@ class BookKeeping extends CommonObject $now = dol_now(); // Check parameters - // Put here code to add control on parameters values + $this->journal_label = $langs->trans($this->journal_label); // Insert request $sql = 'INSERT INTO ' . MAIN_DB_PREFIX . $this->table_element . $mode.' ('; From 7a9f2b43c508958104281304c6215446c93cc4f6 Mon Sep 17 00:00:00 2001 
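Review bot: The new line `$this->journal_label = $langs->trans($this->journal_label);` in the second createStd hunk overwrites the object's property with its translation just before the INSERT, so the persisted value depends on the language of the user who triggers the write and the caller's object is mutated as a side effect of `createStd()`. Dolibarr's `trans()` is documented as returning HTML-encoded text while `transnoentities()` is not, so if the column is meant to hold plain text, keeping the result local, `$journallabel = $langs->transnoentities($this->journal_label);`, and using that in the INSERT avoids both the entity encoding and the property mutation. A short comment at that line stating that the stored label is intentionally locale-dependent (for the FEC export named in the subject) would make the behaviour explicit. The INSERT that consumes the value is outside the hunk.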
From: Alexandre SPANGARO Date: Mon, 29 Jul 2019 07:05:18 +0200 Subject: [PATCH 05/11] FIX Language key --- htdocs/adherents/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index f0d8df454cf..a86975b606f 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1161,7 +1161,7 @@ else } // Morphy $morphys["phy"] = $langs->trans("Physical"); - $morphys["mor"] = $langs->trans("Morale"); + $morphys["mor"] = $langs->trans("Moral"); print ''.$langs->trans("Nature").''; print $form->selectarray("morphy", $morphys, (GETPOSTISSET("morphy")?GETPOST("morphy",'alpha'):$object->morphy)); print ""; From 87fc3c39689a35b872902e32aaba66850a81c663 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Mon, 29 Jul 2019 13:54:48 +0200 Subject: [PATCH 06/11] FIX: expedition card: infinite loop for printObjectLine hook if return > 0 --- htdocs/expedition/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index ae9ef67f755..326d378a199 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php @@ -1586,9 +1586,9 @@ if ($action == 'create') print $line->showOptionals($extrafieldsline, 'edit', array('style'=>$bc[$var], 'colspan'=>$colspan),$indiceAsked); print ''; } - - $indiceAsked++; } + + $indiceAsked++; } print ""; From 449ef9200752de8e3feea2eefd606de80c037ee0 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Jul 2019 12:31:03 +0200 Subject: [PATCH 07/11] FIX: categories import: prevent mismatch between category type and object type --- .../modules/import/import_csv.modules.php | 21 ++++++++++++++----- .../modules/import/import_xlsx.modules.php | 21 ++++++++++++++----- htdocs/core/modules/modCategorie.class.php | 14 +++++++++---- 3 files changed, 42 insertions(+), 14 deletions(-) 
diff --git a/htdocs/core/modules/import/import_csv.modules.php b/htdocs/core/modules/import/import_csv.modules.php index a6473eaeb8e..776d8dfa04f 100644 --- a/htdocs/core/modules/import/import_csv.modules.php +++ b/htdocs/core/modules/import/import_csv.modules.php @@ -493,15 +493,24 @@ class ImportCsv extends ModeleImports if (! empty($objimport->array_import_regex[0][$val]) && ($newval != '')) { // If test is "Must exist in a field@table" - if (preg_match('/^(.*)@(.*)$/',$objimport->array_import_regex[0][$val],$reg)) + if (preg_match('/^(.+)@([^:]+)(:.+)?$/',$objimport->array_import_regex[0][$val],$reg)) { $field=$reg[1]; $table=$reg[2]; + $filter=substr($reg[3], 1); + + $cachekey = $field.'@'.$table; + if(! empty($filter)) $cachekey.= ':'.$filter; // Load content of field@table into cache array - if (! is_array($this->cachefieldtable[$field.'@'.$table])) // If content of field@table not already loaded into cache + if (! is_array($this->cachefieldtable[$cachekey])) // If content of field@table not already loaded into cache { $sql="SELECT ".$field." as aliasfield FROM ".$table; + if(! empty($filter)) + { + $sql.= ' WHERE ' . $filter; + } + $resql=$this->db->query($sql); if ($resql) { @@ -510,7 +519,7 @@ class ImportCsv extends ModeleImports while ($i < $num) { $obj=$this->db->fetch_object($resql); - if ($obj) $this->cachefieldtable[$field.'@'.$table][]=$obj->aliasfield; + if ($obj) $this->cachefieldtable[$cachekey][]=$obj->aliasfield; $i++; } } 
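Review bot: The new `$sql.= ' WHERE ' . $filter;` appends the text captured after the colon in `array_import_regex` verbatim to the query, so whatever defines that string now decides an executable SQL fragment; the import_xlsx hunk of this patch has the same construction. Today the only values come from module descriptors (see the modCategorie hunks), but nothing at this point checks the fragment, so a descriptor or a future caller that assembles the `field@table:filter` string from configuration or request data would hand control of the WHERE clause to that data. Constrain the grammar here instead of trusting the source, e.g. accept only `identifier OP numeric-literal` for the filter and fail the import with an error otherwise; `$field` and `$table` were already interpolated before this change, so the validation should cover all three captures. A comment above the `preg_match` documenting the `field@table[:filter]` syntax and that the filter is raw SQL would help the next maintainer.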
@@ -521,9 +530,11 @@ class ImportCsv extends ModeleImports } // Now we check cache is not empty (should not) and key is into cache - if (! is_array($this->cachefieldtable[$field.'@'.$table]) || ! in_array($newval,$this->cachefieldtable[$field.'@'.$table])) + if (! is_array($this->cachefieldtable[$cachekey]) || ! in_array($newval,$this->cachefieldtable[$cachekey])) { - $this->errors[$error]['lib']=$langs->transnoentitiesnoconv('ErrorFieldValueNotIn',$key,$newval,$field,$table); + $tableforerror = $table; + if(! empty($filter)) $tableforerror.= ':'.$filter; + $this->errors[$error]['lib']=$langs->transnoentitiesnoconv('ErrorFieldValueNotIn',$key,$newval,$field,$tableforerror); $this->errors[$error]['type']='FOREIGNKEY'; $errorforthistable++; $error++; diff --git a/htdocs/core/modules/import/import_xlsx.modules.php b/htdocs/core/modules/import/import_xlsx.modules.php index 7f222f523ca..d58fd16cf2f 100644 --- a/htdocs/core/modules/import/import_xlsx.modules.php +++ b/htdocs/core/modules/import/import_xlsx.modules.php @@ -519,15 +519,24 @@ class ImportXlsx extends ModeleImports if (! empty($objimport->array_import_regex[0][$val]) && ($newval != '')) { // If test is "Must exist in a field@table" - if (preg_match('/^(.*)@(.*)$/',$objimport->array_import_regex[0][$val],$reg)) + if (preg_match('/^(.+)@([^:]+)(:.+)?$/',$objimport->array_import_regex[0][$val],$reg)) { $field=$reg[1]; $table=$reg[2]; + $filter=substr($reg[3], 1); + + $cachekey = $field.'@'.$table; + if(! empty($filter)) $cachekey.= ':'.$filter; // Load content of field@table into cache array - if (! is_array($this->cachefieldtable[$field.'@'.$table])) // If content of field@table not already loaded into cache + if (! is_array($this->cachefieldtable[$cachekey])) // If content of field@table not already loaded into cache { $sql="SELECT ".$field." as aliasfield FROM ".$table; + if(! empty($filter)) + { + $sql.= ' WHERE ' . $filter; + } + $resql=$this->db->query($sql); if ($resql) { 
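Review bot: The new check `! in_array($newval,$this->cachefieldtable[$cachekey])` keeps the loose comparison of the old line, so a value read from the CSV matches a cached key under PHP's numeric-string rules rather than exact equality (two differently spelled numeric strings such as `'10'` and `'1e1'` compare equal). Since the purpose of the check is to confirm the exact key exists in the filtered table, pass the strict flag: `! in_array($newval, $this->cachefieldtable[$cachekey], true)`. If the database driver returns native integers for `rowid`, cast `$newval` consistently before the comparison so the strict check does not reject valid rows. The import_xlsx hunk of this patch has the same line.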
@@ -536,7 +545,7 @@ class ImportXlsx extends ModeleImports while ($i < $num) { $obj=$this->db->fetch_object($resql); - if ($obj) $this->cachefieldtable[$field.'@'.$table][]=$obj->aliasfield; + if ($obj) $this->cachefieldtable[$cachekey][]=$obj->aliasfield; $i++; } } @@ -547,9 +556,11 @@ class ImportXlsx extends ModeleImports } // Now we check cache is not empty (should not) and key is into cache - if (! is_array($this->cachefieldtable[$field.'@'.$table]) || ! in_array($newval,$this->cachefieldtable[$field.'@'.$table])) + if (! is_array($this->cachefieldtable[$cachekey]) || ! in_array($newval,$this->cachefieldtable[$cachekey])) { - $this->errors[$error]['lib']=$langs->transnoentitiesnoconv('ErrorFieldValueNotIn',$key,$newval,$field,$table); + $tableforerror = $table; + if(! empty($filter)) $tableforerror.= ':'.$filter; + $this->errors[$error]['lib']=$langs->transnoentitiesnoconv('ErrorFieldValueNotIn',$key,$newval,$field,$tableforerror); $this->errors[$error]['type']='FOREIGNKEY'; $errorforthistable++; $error++; diff --git a/htdocs/core/modules/modCategorie.class.php b/htdocs/core/modules/modCategorie.class.php index 50074779955..668b0ac9014 100644 --- a/htdocs/core/modules/modCategorie.class.php +++ b/htdocs/core/modules/modCategorie.class.php 
@@ -422,8 +422,8 @@ class modCategorie extends DolibarrModules $this->import_icon[$r]=$this->picto; $this->import_entities_array[$r]=array(); // We define here only fields that use another icon that the one defined into import_icon $this->import_tables_array[$r]=array('cp'=>MAIN_DB_PREFIX.'categorie_product'); - $this->import_fields_array[$r]=array('cp.fk_categorie'=>"Category*",'cp.fk_product'=>"Product*" - ); + $this->import_fields_array[$r]=array('cp.fk_categorie'=>"Category*",'cp.fk_product'=>"Product*"); + $this->import_regex_array[$r]=array('cp.fk_categorie'=>'rowid@'.MAIN_DB_PREFIX.'categorie:type=0'); $this->import_convertvalue_array[$r]=array( 'cp.fk_categorie'=>array('rule'=>'fetchidfromref','classfile'=>'/categories/class/categorie.class.php','class'=>'Categorie','method'=>'fetch','element'=>'category'), @@ -441,7 +441,10 @@ class modCategorie extends DolibarrModules $this->import_icon[$r]=$this->picto; $this->import_entities_array[$r]=array(); // We define here only fields that use another icon that the one defined into import_icon $this->import_tables_array[$r]=array('cs'=>MAIN_DB_PREFIX.'categorie_societe'); - $this->import_fields_array[$r]=array('cs.fk_categorie'=>"Category*",'cs.fk_soc'=>"ThirdParty*" + $this->import_fields_array[$r]=array('cs.fk_categorie'=>"Category*",'cs.fk_soc'=>"ThirdParty*"); + $this->import_regex_array[$r]=array( + 'cs.fk_categorie'=>'rowid@'.MAIN_DB_PREFIX.'categorie:type=2', + 'cs.fk_soc'=>'rowid@'.MAIN_DB_PREFIX.'societe:client>0' ); $this->import_convertvalue_array[$r]=array( 
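Review bot: The `import_regex_array` entries added in both hunks (and in the supplier-category hunk that follows) carry a `:type=0` / `:client>0` suffix that the import modules splice verbatim into a SQL `WHERE` clause, and nothing in the descriptor says so. A comment above the first assignment, `// Syntax is field@table[:filter]; the filter is appended verbatim to the WHERE clause by import_csv/import_xlsx, so keep it a literal`, records that contract so nobody later assembles these strings from configuration or user input. Keeping the filter free of anything that needs escaping is part of the same contract, since the import code does not escape it.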
@@ -460,7 +463,10 @@ class modCategorie extends DolibarrModules $this->import_icon[$r]=$this->picto; $this->import_entities_array[$r]=array(); // We define here only fields that use another icon that the one defined into import_icon $this->import_tables_array[$r]=array('cs'=>MAIN_DB_PREFIX.'categorie_fournisseur'); - $this->import_fields_array[$r]=array('cs.fk_categorie'=>"Category*",'cs.fk_soc'=>"Supplier*" + $this->import_fields_array[$r]=array('cs.fk_categorie'=>"Category*",'cs.fk_soc'=>"Supplier*"); + $this->import_regex_array[$r]=array( + 'cs.fk_categorie'=>'rowid@'.MAIN_DB_PREFIX.'categorie:type=1', + 'cs.fk_soc'=>'rowid@'.MAIN_DB_PREFIX.'societe:fournisseur>0' ); $this->import_convertvalue_array[$r]=array( From 6aefa648e71a4f336c2f336be4c87f3bc0c92b71 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 30 Jul 2019 14:00:43 +0200 Subject: [PATCH 08/11] FIX CVE-2019-11199 --- htdocs/viewimage.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index 073aaa9fb24..3db6e9fb803 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php @@ -170,7 +170,9 @@ if (GETPOST('type','alpha')) $type=GETPOST('type','alpha'); else $type=dol_mimetype($original_file); // Security: This wrapper is for images. We do not allow type/html -if (preg_match('/html/', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1); +if (preg_match('/html/i', $type)) accessforbidden('Error: Using the image wrapper to output a file with a mime type HTML is not possible.', 1, 1, 1); +// Security: This wrapper is for images. We do not allow files ending with .noexe +if (preg_match('/\.noexe$/i', $original_file)) accessforbidden('Error: Using the image wrapper to output a file ending with .noexe is not allowed.', 1, 1, 1); // Security: Delete string ../ into $original_file $original_file = str_replace("../","/", $original_file); 
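Review bot: The hardened `preg_match('/html/i', $type)` still denies by one substring on a value the client may supply, since the context line shows `$type` taken from `GETPOST('type','alpha')` when present and only falling back to `dol_mimetype($original_file)` otherwise; a single-keyword denylist leaves every other type a browser will render as a document (XML-based formats included) reachable through a wrapper the comment says is for images. Derive the type from the file rather than the request, or validate the requested type against an explicit allowlist of image MIME types, and make sure the response carries `X-Content-Type-Options: nosniff` if that is not already set further down. The `.noexe` suffix check is a sound addition; the `str_replace("../","/", $original_file)` just below it is a single non-recursive pass and is not a substitute for resolving the path with `realpath()` and checking it stays under the permitted directory — if that anchoring exists later in the file it is not visible here.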
From de293c4ef2ec2aa3a5c60eace86d448437facaf4 Mon Sep 17 00:00:00 2001 From: Florian Mortgat Date: Tue, 30 Jul 2019 14:09:03 +0200 Subject: [PATCH 09/11] FIX issue #9300: install error with PostgreSQL when using custom table prefix --- htdocs/install/step2.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/htdocs/install/step2.php b/htdocs/install/step2.php index 30b3ff7d64f..a53e5f07ee7 100644 --- a/htdocs/install/step2.php +++ b/htdocs/install/step2.php @@ -451,6 +451,11 @@ if ($action == "set") $buffer=trim($buffer); if ($buffer) { + // Replace the prefix in table names + if ($dolibarr_main_db_prefix != 'llx_') + { + $buffer=preg_replace('/llx_/i',$dolibarr_main_db_prefix,$buffer); + } dolibarr_install_syslog("step2: request: " . $buffer); print "\n"; $resql=$db->query($buffer,0,'dml'); From 703506c0e2674795fdf0dd2f9f78ee7f3c98b5b0 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Jul 2019 14:11:21 +0200 Subject: [PATCH 10/11] FIX: import filter error --- htdocs/core/modules/import/import_csv.modules.php | 2 +- htdocs/core/modules/import/import_xlsx.modules.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/modules/import/import_csv.modules.php b/htdocs/core/modules/import/import_csv.modules.php index 776d8dfa04f..e0ec89379af 100644 --- a/htdocs/core/modules/import/import_csv.modules.php +++ b/htdocs/core/modules/import/import_csv.modules.php @@ -497,7 +497,7 @@ class ImportCsv extends ModeleImports { $field=$reg[1]; $table=$reg[2]; - $filter=substr($reg[3], 1); + $filter=!empty($reg[3])?substr($reg[3], 1):''; $cachekey = $field.'@'.$table; if(! empty($filter)) $cachekey.= ':'.$filter; diff --git a/htdocs/core/modules/import/import_xlsx.modules.php b/htdocs/core/modules/import/import_xlsx.modules.php index d58fd16cf2f..7d850ccfb8b 100644 --- a/htdocs/core/modules/import/import_xlsx.modules.php +++ b/htdocs/core/modules/import/import_xlsx.modules.php 
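Review bot: The new `preg_replace('/llx_/i',$dolibarr_main_db_prefix,$buffer)` rewrites every occurrence of `llx_` in each installation statement, not only table-name prefixes, and does so case-insensitively, so a column name, string literal or comment in the SQL scripts that happens to contain that sequence is rewritten too. The prefix is also passed as a PCRE replacement string, where `$n` or `\n` sequences act as backreferences; if the installer validates the prefix to `[A-Za-z0-9_]` elsewhere that is harmless, but it is not visible here. `$buffer=str_replace('llx_',$dolibarr_main_db_prefix,$buffer);` removes the backreference concern and, if the scripts only use lowercase `llx_`, the case-insensitive over-match as well; if case-insensitivity is really needed, anchor the pattern at a word boundary and say why in the comment.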
@@ -523,7 +523,7 @@ class ImportXlsx extends ModeleImports { $field=$reg[1]; $table=$reg[2]; - $filter=substr($reg[3], 1); + $filter=!empty($reg[3])?substr($reg[3], 1):''; $cachekey = $field.'@'.$table; if(! empty($filter)) $cachekey.= ':'.$filter; From ea92ba2a78f0f0c12c06b2a4b6a4c7ad9eb9774c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 30 Jul 2019 20:11:43 +0200 Subject: [PATCH 11/11] Update holiday.class.php --- htdocs/holiday/class/holiday.class.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index b01d3d45984..db5ca0cf593 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -1480,7 +1480,7 @@ class Holiday extends CommonObject $obj = $this->db->fetch_object($resql); - $tab_result[$i]['rowid'] = $obj->rowid; + $tab_result[$i]['rowid'] = $obj->rowid; // rowid of user $tab_result[$i]['name'] = $obj->lastname; // deprecated $tab_result[$i]['lastname'] = $obj->lastname; $tab_result[$i]['firstname'] = $obj->firstname; @@ -1488,7 +1488,7 @@ class Holiday extends CommonObject $tab_result[$i]['status'] = $obj->statut; $tab_result[$i]['employee'] = $obj->employee; $tab_result[$i]['photo'] = $obj->photo; - $tab_result[$i]['fk_user'] = $obj->fk_user; + $tab_result[$i]['fk_user'] = $obj->fk_user; // rowid of manager //$tab_result[$i]['type'] = $obj->type; //$tab_result[$i]['nb_holiday'] = $obj->nb_holiday; 
@@ -1507,7 +1507,7 @@ class Holiday extends CommonObject else { // List of vacation balance users - $sql = "SELECT cpu.fk_user, cpu.fk_type, cpu.nb_holiday, u.lastname, u.firstname, u.gender, u.photo, u.employee, u.statut, u.fk_user as manager"; + $sql = "SELECT cpu.fk_user as rowid, cpu.fk_type, cpu.nb_holiday, u.lastname, u.firstname, u.gender, u.photo, u.employee, u.statut, u.fk_user"; $sql.= " FROM ".MAIN_DB_PREFIX."holiday_users as cpu, ".MAIN_DB_PREFIX."user as u"; $sql.= " WHERE cpu.fk_user = u.rowid"; if ($filters) $sql.=$filters; @@ -1526,7 +1526,7 @@ class Holiday extends CommonObject { $obj = $this->db->fetch_object($resql); - $tab_result[$i]['rowid'] = $obj->fk_user; + $tab_result[$i]['rowid'] = $obj->rowid; // rowid of user $tab_result[$i]['name'] = $obj->lastname; // deprecated $tab_result[$i]['lastname'] = $obj->lastname; $tab_result[$i]['firstname'] = $obj->firstname; @@ -1534,7 +1534,7 @@ class Holiday extends CommonObject $tab_result[$i]['status'] = $obj->statut; $tab_result[$i]['employee'] = $obj->employee; $tab_result[$i]['photo'] = $obj->photo; - $tab_result[$i]['fk_user'] = $obj->manager; + $tab_result[$i]['fk_user'] = $obj->fk_user; // rowid of manager $tab_result[$i]['type'] = $obj->fk_type; $tab_result[$i]['nb_holiday'] = $obj->nb_holiday;
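Review bot: After this change the rows built in the two branches of the function carry different keys: the balance branch in the last two hunks sets `type` and `nb_holiday`, while the first branch (hunks at lines 1480 and 1488) leaves them commented out, and the monthly counter update introduced earlier in this series reads `$userCounter['type']` and `$userCounter['nb_holiday']` from this result. A docblock line on the method such as `@return array  rows keyed by index; 'type' and 'nb_holiday' are present only when the balance list is requested` would make that dependency explicit; the method header and its parameters are outside the hunk. The context line `if ($filters) $sql.=$filters;` still appends the filter string to the SQL unescaped; that is pre-existing, but callers must be limited to literal fragments.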