From 2b088a73c121a52e006c0d76ea4da7ffeb7b4f4a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 22 Dec 2018 17:16:08 +0100
Subject: [PATCH] FIX CVE-2018-19998
---
 htdocs/user/card.php | 2 +-
 htdocs/user/class/user.class.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 6743078c9d2..f0b3fb819f2 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -350,7 +350,7 @@ if (empty($reshook)) {
 $object->accountancy_code = GETPOST("accountancy_code",'alpha');
 $object->openid = GETPOST("openid",'alpha');
 $object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0;
- $object->employee = GETPOST('employee','alphanothtml');
+ $object->employee = GETPOST('employee','int');
 $object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : '';
 $object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : '';
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 161cea20e77..ef2b828f6e5 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
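Review bot: In htdocs/user/card.php the new `GETPOST('employee','int')` stores whatever the `int` filter returns instead of a normalised value, whereas the `fk_user` line directly above clamps its input with `> 0 ? … : 0`. GETPOST is defined outside this hunk, so what it yields for empty or non-integer numeric input should be confirmed. If `employee` is the boolean flag its name suggests, `$object->employee = GETPOST('employee','int') ? 1 : 0;` would keep the property a strict 0/1 for every consumer, not only for the query that the same commit hardens in user.class.php. The removed line named the filter `alphanothtml`, while the `thm`/`tjm` lines spell it `alphanohtml`, so it may be worth checking whether GETPOST rejects unknown filter names. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.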
@@ -1405,12 +1405,12 @@ class User extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."user SET";
 $sql.= " lastname = '".$this->db->escape($this->lastname)."'";
 $sql.= ", firstname = '".$this->db->escape($this->firstname)."'";
- $sql.= ", employee = ".$this->employee;
+ $sql.= ", employee = ".(int) $this->employee;
 $sql.= ", login = '".$this->db->escape($this->login)."'";
 $sql.= ", api_key = ".($this->api_key ? "'".$this->db->escape($this->api_key)."'" : "null");
 $sql.= ", gender = ".($this->gender != -1 ? "'".$this->db->escape($this->gender)."'" : "null"); // 'man' or 'woman'
 $sql.= ", birth=".(strval($this->birth)!='' ? "'".$this->db->idate($this->birth)."'" : 'null');
- if (! empty($user->admin)) $sql.= ", admin = ".$this->admin; // admin flag can be set/unset only by an admin user
+ if (! empty($user->admin)) $sql.= ", admin = ".(int) $this->admin; // admin flag can be set/unset only by an admin user
 $sql.= ", address = '".$this->db->escape($this->address)."'";
 $sql.= ", zip = '".$this->db->escape($this->zip)."'";
 $sql.= ", town = '".$this->db->escape($this->town)."'";
@@ -1502,7 +1502,7 @@ class User extends CommonObject
 $adh->zip=$this->zip;
 $adh->state_id=$this->state_id;
 $adh->country_id=$this->country_id;
-
+
 $adh->email=$this->email;
 $adh->skype=$this->skype;
 $adh->phone=$this->office_phone;
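Review bot: In the UPDATE statement of class User (htdocs/user/class/user.class.php) the two `(int)` casts cover only `employee` and `admin`, and nothing in the code records why they are there. The statement is still built by concatenation and continues past the end of this hunk, so any other column appended there without quotes or a cast would have the same exposure and should be audited. A comment above the first cast, such as `// Numeric columns are concatenated unquoted, so they must be cast (CVE-2018-19998)`, would keep a later edit from dropping it. The cast also silently turns a non-numeric value into 0, so a tampered request leaves no trace at this point; rejecting or logging non-integer input before the query is built would make such attempts visible. The enclosing method starts and ends outside the hunk.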