diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index 2f763c4e576..b5f772212b9 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -117,14 +117,14 @@ if (empty($url)) { // autoset $url but it is better to have it defined before in // Load translation files required by the page $langs->loadLangs(array("ecm", "companies", "other")); +if (empty($modulepart)) { + $modulepart = $module; +} + // Security check if ($user->socid > 0) { $socid = $user->socid; } - -//print 'xxx'.$upload_dir; - -// Security: // On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers. if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) { dol_syslog("Refused to deliver file ".$upload_dir); @@ -132,11 +132,6 @@ if (preg_match('/\.\./', $upload_dir) || preg_match('/[<>|]/', $upload_dir)) { dol_print_error(0, $langs->trans("ErrorFileNameInvalid", $upload_dir)); exit; } - -if (empty($modulepart)) { - $modulepart = $module; -} - // Check permissions if ($modulepart == 'ecm') { if (!$user->hasRight('ecm', 'read')) { diff --git a/htdocs/core/ajax/ajaxdirtree.php b/htdocs/core/ajax/ajaxdirtree.php index 61fdabb70c3..5c281eff5ca 100644 --- a/htdocs/core/ajax/ajaxdirtree.php +++ b/htdocs/core/ajax/ajaxdirtree.php @@ -103,7 +103,7 @@ if (empty($modulepart)) { $modulepart = $module; } -// Check permissions +// Security check if ($modulepart == 'ecm') { if (!$user->hasRight('ecm', 'read')) { accessforbidden(); diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php index 5407c30545d..c340dd47a06 100644 --- a/htdocs/core/ajax/bankconciliate.php +++ b/htdocs/core/ajax/bankconciliate.php @@ -44,6 +44,9 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; $action = GETPOST('action', 'aZ09'); +// Security check +// Checks are done later + /* * View diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php index b08b1cd81c0..621d6878098 100644 --- a/htdocs/core/ajax/box.php +++ b/htdocs/core/ajax/box.php @@ -46,16 +46,16 @@ $boxorder = GETPOST('boxorder'); $zone = GETPOST('zone', 'int'); $userid = GETPOST('userid', 'int'); +// Security check +if ($userid != $user->id) { + httponly_accessforbidden('Bad userid parameter. Must match logged user.'); +} + /* * View */ -// Ajout directives pour resoudre bug IE -//header('Cache-Control: Public, must-revalidate'); -//header('Pragma: public'); - -//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); print ''."\n"; diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php index 344a2b19229..18c1a1ece79 100644 --- a/htdocs/core/ajax/check_notifications.php +++ b/htdocs/core/ajax/check_notifications.php @@ -44,6 +44,9 @@ $time = dol_now(); $action = GETPOST('action', 'aZ09'); $listofreminderids = GETPOST('listofreminderids', 'aZ09'); +// Security check +// No permission check at top, but action later are all done with a test on $user->id. + /* * Actions @@ -68,6 +71,7 @@ if ($action == 'stopreminder') { // Clean database $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'actioncomm_reminder'; $sql .= " WHERE dateremind < '".$db->idate(dol_time_plus_duree(dol_now(), -1, 'm'))."'"; + $sql .= " AND fk_user = ".((int) $user->id).' AND entity = '.((int) $conf->entity); $resql = $db->query($sql); if (!$resql) { dol_print_error($db); @@ -124,18 +128,10 @@ if (empty($_SESSION['auto_check_events_not_before']) || $time >= $_SESSION['auto $sql = 'SELECT a.id as id_agenda, a.code, a.datep, a.label, a.location, ar.rowid as id_reminder, ar.dateremind, ar.fk_user as id_user_reminder'; $sql .= ' FROM '.MAIN_DB_PREFIX.'actioncomm as a'; - if (!empty($user->conf->MAIN_USER_WANT_ALL_EVENTS_NOTIFICATIONS)) { - $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id); - $sql .= ' WHERE a.code <> "AC_OTH_AUTO"'; - $sql .= ' AND ('; - $sql .= " ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity; - $sql .= ' )'; - } else { - $sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id); - $sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity; - } + $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id); + $sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".((int) $conf->entity); // No sharing of entity for alerts $sql .= $db->order('datep', 'ASC'); - $sql .= ' LIMIT 10'; // Avoid too many notification at once + $sql .= $db->plimit(10); // Avoid too many notification at once $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index aff62dc6f6b..603de7408c0 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -52,6 +52,11 @@ $name = GETPOST('name', 'alpha'); $entity = GETPOST('entity', 'int'); $value = (GETPOST('value', 'aZ09') != '' ? GETPOST('value', 'aZ09') : 1); +// Security check +if (empty($user->admin)) { + httponly_accessforbidden('This ajax component can be called by admin user only'); +} + /* * View @@ -63,12 +68,10 @@ top_httphead(); // Registering the new value of constant if (!empty($action) && !empty($name)) { - if ($user->admin) { - if ($action == 'set') { - dolibarr_set_const($db, $name, $value, 'chaine', 0, '', $entity); - } elseif ($action == 'del') { - dolibarr_del_const($db, $name, $entity); - } + if ($action == 'set') { + dolibarr_set_const($db, $name, $value, 'chaine', 0, '', $entity); + } elseif ($action == 'del') { + dolibarr_del_const($db, $name, $entity); } } else { http_response_code(403); diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php index ccd8d1bc2ce..80f280e7a06 100644 --- a/htdocs/core/ajax/extraparams.php +++ b/htdocs/core/ajax/extraparams.php @@ -17,7 +17,8 @@ /** * \file /htdocs/core/ajax/extraparams.php - * \brief File to make Ajax action on setting extra parameters of elements + * \brief File to make Ajax action on setting extra parameters of elements. + * Called bu bloc_showhide.tpl.php, itself called when MAIN_DISABLE_CONTACTS_TAB or MAIN_DISABLE_NOTES_TAB are set */ if (!defined('NOTOKENRENEWAL')) { @@ -39,10 +40,29 @@ if (!defined('NOREQUIRESOC')) { include '../../main.inc.php'; $id = GETPOST('id', 'int'); -$element = GETPOST('element', 'alpha'); +$element = GETPOST('element', 'aZ09arobase'); $htmlelement = GETPOST('htmlelement', 'alpha'); $type = GETPOST('type', 'alpha'); +// Load object according to $id and $element +$object = fetchObjectByElement($id, $element); + +$module = $object->module; +$element = $object->element; +$usesublevelpermission = ($module != $element ? $element : ''); +if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly + $usesublevelpermission = ''; +} + +//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n"; + +// Security check +$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return +if (!$result) { + httponly_accessforbidden('Not allowed by restrictArea'); +} + + /* * View */ @@ -57,47 +77,10 @@ if (!empty($id) && !empty($element) && !empty($htmlelement) && !empty($type)) { dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG); - $classpath = $subelement = $element; + if (is_object($object)) { + $params[$htmlelement] = array($type => $value); + $object->extraparams = array_merge($object->extraparams, $params); - // For compatibility - if ($element == 'order' || $element == 'commande') { - $classpath = $subelement = 'commande'; - } elseif ($element == 'propal') { - $classpath = 'comm/propal'; - $subelement = 'propal'; - } elseif ($element == 'facture') { - $classpath = 'compta/facture'; - $subelement = 'facture'; - } elseif ($element == 'contract') { - $classpath = $subelement = 'contrat'; - } elseif ($element == 'shipping') { - $classpath = $subelement = 'expedition'; - } elseif ($element == 'deplacement') { - $classpath = 'compta/deplacement'; - $subelement = 'deplacement'; - } elseif ($element == 'order_supplier') { - $classpath = 'fourn'; - $subelement = 'fournisseur.commande'; - } elseif ($element == 'invoice_supplier') { - $classpath = 'fourn'; - $subelement = 'fournisseur.facture'; + $result = $object->setExtraParameters(); } - - dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php'); - - if ($element == 'order_supplier') { - $classname = 'CommandeFournisseur'; - } elseif ($element == 'invoice_supplier') { - $classname = 'FactureFournisseur'; - } else { - $classname = ucfirst($subelement); - } - - $object = new $classname($db); - $object->fetch($id); - - $params[$htmlelement] = array($type => $value); - $object->extraparams = array_merge($object->extraparams, $params); - - $result = $object->setExtraParameters(); } diff --git a/htdocs/core/ajax/fetchKnowledgeRecord.php b/htdocs/core/ajax/fetchKnowledgeRecord.php index d4113d626f8..6e4f1ddd953 100644 --- a/htdocs/core/ajax/fetchKnowledgeRecord.php +++ b/htdocs/core/ajax/fetchKnowledgeRecord.php @@ -55,7 +55,7 @@ $idticketgroup = GETPOST('idticketgroup', 'aZ09'); $lang = GETPOST('lang', 'aZ09'); // Security check -if (!defined("NOLOGIN")) { // No need for restrictedArea if not logged. Later the select will filter on public articles only if not logged. +if (!defined("NOLOGIN")) { // No need of restrictedArea if not logged: Later the select will filter on public articles only if not logged. restrictedArea($user, 'knowledgemanagement', 0, 'knowledgemanagement_knowledgerecord', 'knowledgerecord'); } diff --git a/htdocs/core/ajax/fileupload.php b/htdocs/core/ajax/fileupload.php index 4a817d22f10..963fa60b05b 100644 --- a/htdocs/core/ajax/fileupload.php +++ b/htdocs/core/ajax/fileupload.php @@ -70,18 +70,17 @@ if (!empty($user->socid)) { } $result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return - if (!$result) { - header('HTTP/1.0 403 Forbidden'); - exit; + httponly_accessforbidden('Not allowed by restrictArea'); } -$upload_handler = new FileUpload(null, $id, $elementupload); /* * View */ +$upload_handler = new FileUpload(null, $id, $elementupload); + top_httphead(); header('Pragma: no-cache'); diff --git a/htdocs/core/ajax/flowjs-server.php b/htdocs/core/ajax/flowjs-server.php index d520c57c9c5..901d119332f 100644 --- a/htdocs/core/ajax/flowjs-server.php +++ b/htdocs/core/ajax/flowjs-server.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2023 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -16,8 +16,8 @@ */ /** - * \file htdocs/core/ajax/bankconciliate.php - * \brief File to set data for bank concilation + * \file htdocs/core/ajax/flowjs-server.php + * \brief File to upload very large file, higher than PHP limit. Using flowjs library. */ if (!defined('NOTOKENRENEWAL')) { @@ -46,20 +46,33 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $action = GETPOST('action', 'aZ09'); -$module = GETPOST('module', 'aZ09'); -$upload_dir = GETPOST('upload_dir', 'alpha'); + +$module = GETPOST('module', 'aZ09arobase'); + $flowFilename = GETPOST('flowFilename', 'alpha'); $flowIdentifier = GETPOST('flowIdentifier', 'alpha'); $flowChunkNumber = GETPOST('flowChunkNumber', 'alpha'); $flowChunkSize = GETPOST('flowChunkSize', 'alpha'); $flowTotalSize = GETPOST('flowTotalSize', 'alpha'); +$result = restrictedArea($user, $module, 0, '', 0, 'fk_soc', 'rowid', 0, 1); // Call with mode return + +if ($action != 'upload') { + httponly_accessforbidden("Param action must be 'upload'"); +} + +if (!empty($conf->$module->dir_temp)) { + $upload_dir = $conf->$module->dir_temp; +} else { + httponly_accessforbidden("Param module does not has a dir_temp directory. Module does not exists or is not activated."); +} + /* * Action */ - top_httphead(); + dol_syslog(join(',', $_GET)); $result = false; @@ -123,19 +136,19 @@ if ($result) { /** - * Check if all the parts exist, and - * gather all the parts of the file together - * @param string $temp_dir - the temporary directory holding all the parts of the file - * @param string $upload_dir - the temporary directory to create file - * @param string $fileName - the original file name - * @param string $chunkSize - each chunk size (in bytes) - * @param string $totalSize - original file size (in bytes) - * @return bool true if Ok false else + * Check if all the parts exist, and gather all the parts of the file together. + * + * @param string $temp_dir the temporary directory holding all the parts of the file + * @param string $upload_dir the temporary directory to create file + * @param string $fileName the original file name + * @param string $chunkSize each chunk size (in bytes) + * @param string $totalSize original file size (in bytes) + * @return bool true if Ok false else */ function createFileFromChunks($temp_dir, $upload_dir, $fileName, $chunkSize, $totalSize) { - dol_syslog(__METHOD__, LOG_DEBUG); + // count all the parts of this file $total_files = 0; $files = dol_dir_list($temp_dir, 'files'); @@ -164,5 +177,6 @@ function createFileFromChunks($temp_dir, $upload_dir, $fileName, $chunkSize, $to // concurrent chunks uploads) @rename($temp_dir, $temp_dir.'_UNUSED'); } + return true; } diff --git a/htdocs/core/ajax/getaccountcurrency.php b/htdocs/core/ajax/getaccountcurrency.php index ff27812aaa2..20061dcdf2b 100644 --- a/htdocs/core/ajax/getaccountcurrency.php +++ b/htdocs/core/ajax/getaccountcurrency.php @@ -35,6 +35,9 @@ require '../../main.inc.php'; $id = GETPOST('id', 'int'); +// Security check +$result = restrictedArea($user, 'banque', $id, 'bank_account&bank_account'); + /* * View diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php index 59306740334..415e51af8e5 100644 --- a/htdocs/core/ajax/loadinplace.php +++ b/htdocs/core/ajax/loadinplace.php @@ -17,7 +17,7 @@ /** * \file htdocs/core/ajax/loadinplace.php - * \brief File to load field value + * \brief File to load field value. used only when option "Edit In Place" is set (MAIN_USE_JQUERY_JEDITABLE). */ if (!defined('NOTOKENRENEWAL')) { @@ -41,6 +41,30 @@ $field = GETPOST('field', 'alpha'); $element = GETPOST('element', 'alpha'); $table_element = GETPOST('table_element', 'alpha'); $fk_element = GETPOST('fk_element', 'alpha'); +$id = $fk_element; + +// Load object according to $id and $element +$object = fetchObjectByElement($id, $element); + +$module = $object->module; +$element = $object->element; +$usesublevelpermission = ($module != $element ? $element : ''); +if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly + $usesublevelpermission = ''; +} + +//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n"; + +// Security check +$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return +if (!$result) { + httponly_accessforbidden('Not allowed by restrictArea'); +} + +if (!getDolGlobalString('MAIN_USE_JQUERY_JEDITABLE')) { + httponly_accessforbidden('Can be used only when option MAIN_USE_JQUERY_JEDITABLE is set'); +} + /* * View diff --git a/htdocs/core/ajax/locationincoterms.php b/htdocs/core/ajax/locationincoterms.php index b6138c1e950..f3e621abc85 100644 --- a/htdocs/core/ajax/locationincoterms.php +++ b/htdocs/core/ajax/locationincoterms.php @@ -43,9 +43,12 @@ if (!defined('NOREQUIRESOC')) { require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; +// Security check if (!isModEnabled('incoterm')) { httponly_accessforbidden("Module incoterm not enabled"); // This includes the exit. } +// There is no other permission on this component. Everybody connected can read content of the incoterm table + /* * View @@ -73,12 +76,12 @@ if (GETPOST('location_incoterms')) { if (!empty($conf->global->MAIN_USE_LOCATION_INCOTERMS_DICTIONNARY)) { // Use location_incoterms $sql = "SELECT z.location as location_incoterms, z.label as label"; $sql .= " FROM ".MAIN_DB_PREFIX."c_location_incoterms as z"; - $sql .= " WHERE z.active = 1 AND UPPER(z.location) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')"; + $sql .= " WHERE z.active = 1 AND z.location LIKE '%".$db->escape($db->escapeforlike($location_incoterms))."%'"; $sql .= " ORDER BY z.location"; $sql .= $db->plimit(100); // Avoid pb with bad criteria } else { // Use table of sale orders $sql = "SELECT DISTINCT s.location_incoterms FROM ".MAIN_DB_PREFIX.'commande as s'; - $sql .= " WHERE UPPER(s.location_incoterms) LIKE UPPER('%".$db->escape($db->escapeforlike($location_incoterms))."%')"; + $sql .= " WHERE s.location_incoterms LIKE '%".$db->escape($db->escapeforlike($location_incoterms))."%'"; //Todo: merge with data from table of supplier order /* $sql .=" UNION"; diff --git a/htdocs/core/ajax/onlineSign.php b/htdocs/core/ajax/onlineSign.php index ea5c33092ca..f45c511a917 100644 --- a/htdocs/core/ajax/onlineSign.php +++ b/htdocs/core/ajax/onlineSign.php @@ -66,7 +66,7 @@ $response = ""; $type = $mode; -// Check securitykey +// Security check $securekeyseed = ''; if ($type == 'proposal') { $securekeyseed = getDolGlobalString('PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN'); diff --git a/htdocs/core/ajax/pingresult.php b/htdocs/core/ajax/pingresult.php index 73b740bdfaf..854188f7d6e 100644 --- a/htdocs/core/ajax/pingresult.php +++ b/htdocs/core/ajax/pingresult.php @@ -50,15 +50,16 @@ $hash_algo = GETPOST('hash_algo', 'alpha'); // Security check -// None. +// None. Beeing connected is enough. -$now = dol_now(); /* * View */ +$now = dol_now(); + top_httphead(); print ''."\n"; diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php index 283afb77653..e2a8829fc14 100644 --- a/htdocs/core/ajax/price.php +++ b/htdocs/core/ajax/price.php @@ -40,6 +40,10 @@ $output = GETPOST('output', 'alpha'); $amount = price2num(GETPOST('amount', 'alpha')); $tva_tx = str_replace('*', '', GETPOST('tva_tx', 'alpha')); +// Security check +// None. This is a formatting only component. + + /* * View */ diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index ec3ee105420..a20034ba0fe 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php @@ -49,7 +49,9 @@ if (!defined('NOREQUIRETRAN')) { // Load Dolibarr environment require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; + $hookmanager->initHooks(array('rowinterface')); + // Security check // This is done later into view. diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php index 32fdae72835..9cbecc8e9c7 100644 --- a/htdocs/core/ajax/saveinplace.php +++ b/htdocs/core/ajax/saveinplace.php @@ -17,7 +17,7 @@ /** * \file htdocs/core/ajax/saveinplace.php - * \brief File to save field value + * \brief File to load field value. used only when option "Edit In Place" is set (MAIN_USE_JQUERY_JEDITABLE). */ if (!defined('NOTOKENRENEWAL')) { @@ -41,6 +41,7 @@ $field = GETPOST('field', 'alpha', 2); $element = GETPOST('element', 'alpha', 2); $table_element = GETPOST('table_element', 'alpha', 2); $fk_element = GETPOST('fk_element', 'alpha', 2); +$id = $fk_element; /* Example: field:editval_ref_customer (8 first chars will removed to know name of property) @@ -54,6 +55,28 @@ savemethod: savemethodname: */ +// Load object according to $id and $element +$object = fetchObjectByElement($id, $element); + +$module = $object->module; +$element = $object->element; +$usesublevelpermission = ($module != $element ? $element : ''); +if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly + $usesublevelpermission = ''; +} + +//print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n"; + +// Security check +$result = restrictedArea($user, $object->module, $object, $object->table_element, $usesublevelpermission, 'fk_soc', 'rowid', 0, 1); // Call with mode return +if (!$result) { + httponly_accessforbidden('Not allowed by restrictArea'); +} + +if (!getDolGlobalString('MAIN_USE_JQUERY_JEDITABLE')) { + httponly_accessforbidden('Can be used only when option MAIN_USE_JQUERY_JEDITABLE is set'); +} + /* * View diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 2a836359e1c..8602190db73 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php @@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated hash keys for security purposes - * like key to use into URL to protect them. + * \brief This ajax component is used to generated hash keys for security purposes, + * like the key to use into URL to protect them. */ if (!defined('NOTOKENRENEWAL')) { @@ -46,6 +46,9 @@ require '../../main.inc.php'; $action = GETPOST('action'); +// Security check +// None. This is public component with no effect on data. + /* * View diff --git a/htdocs/core/ajax/selectobject.php b/htdocs/core/ajax/selectobject.php index 079224c62a2..14372a405b4 100644 --- a/htdocs/core/ajax/selectobject.php +++ b/htdocs/core/ajax/selectobject.php @@ -38,33 +38,18 @@ if (!defined('NOREQUIRESOC')) { // Load Dolibarr environment require '../../main.inc.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; $objectdesc = GETPOST('objectdesc', 'alpha'); $htmlname = GETPOST('htmlname', 'aZ09'); $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0); $id = GETPOST('id', 'int'); -$filter = GETPOST('filter', 'alphanohtml'); - - -/* - * View - */ - -//print ''."\n"; -//print_r($_GET); - -require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; -$form = new Form($db); - -//$langs->load("companies"); - -top_httphead(); +$filter = GETPOST('filter', 'alphanohtml'); // Universal Syntax filter if (empty($htmlname)) { - return; + httponly_accessforbidden('Bad value for param htmlname'); } - $InfoFieldList = explode(":", $objectdesc); $classname = $InfoFieldList[0]; $classpath = $InfoFieldList[1]; @@ -75,16 +60,41 @@ if (!empty($classpath)) { } } if (!is_object($objecttmp)) { - dol_syslog('Error bad param objectdesc', LOG_WARNING); - print 'Error bad param objectdesc'; + httponly_accessforbidden('Bad value for param objectdesc'); } +/* +// Load object according to $id and $element +$object = fetchObjectByElement($id, $element); + +$module = $object->module; +$element = $object->element; +$usesublevelpermission = ($module != $element ? $element : ''); +if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly + $usesublevelpermission = ''; +} +*/ + // When used from jQuery, the search term is added as GET param "term". $searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : '')); // Add a security test to avoid to get content of all tables restrictedArea($user, $objecttmp->element, $id); + +/* + * View + */ + +//print ''."\n"; +//print_r($_GET); + +//$langs->load("companies"); + +$form = new Form($db); + +top_httphead($outjson ? 'application/json' : 'text/html'); + $arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1, 0, '', $filter); $db->close(); diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php index d2379f46966..615872eb101 100644 --- a/htdocs/core/ajax/selectsearchbox.php +++ b/htdocs/core/ajax/selectsearchbox.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2015-2023 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,7 +18,7 @@ /** * \file htdocs/core/ajax/selectsearchbox.php * \ingroup core - * \brief This script returns content of possible search + * \brief This script returns json array of possible searches or just set the array if called by an include */ // This script is called with a POST method or as an include. @@ -43,6 +43,9 @@ if (!isset($usedbyinclude) || empty($usedbyinclude)) { $res = @include '../../main.inc.php'; + // Security check + // None. Beeing connected is enough. + top_httphead('application/json'); if ($res == 'ERROR_NOT_LOGGED') { diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index 56cb4c788e3..1b4a0c79c80 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -17,7 +17,7 @@ /** * \file htdocs/core/ajax/vatrates.php - * \brief File to load vat rates combobox + * \brief File to load vat rates combobox according to thirdparty ID. Values are returned in JSON format. */ if (!defined('NOTOKENRENEWAL')) { @@ -34,16 +34,20 @@ if (!defined('NOREQUIREAJAX')) { require '../../main.inc.php'; $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'aZ09'); +$action = GETPOST('action', 'aZ09'); // 'getSellerVATRates' or 'getBuyerVATRates' $htmlname = GETPOST('htmlname', 'alpha'); $selected = (GETPOST('selected') ?GETPOST('selected') : '-1'); $productid = (GETPOST('productid', 'int') ?GETPOST('productid', 'int') : 0); +// Security check +$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0); + + /* * View */ -top_httphead(); +top_httphead('application/json'); //print ''."\n"; @@ -63,7 +67,6 @@ if (!empty($id) && !empty($action) && !empty($htmlname)) { } $return = array(); - $return['value'] = $form->load_tva('tva_tx', $selected, $seller, $buyer, $productid, 0, '', true); $return['num'] = $form->num; $return['error'] = $form->error; diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php index f6869e9ffcf..92db98c250d 100644 --- a/htdocs/core/ajax/ziptown.php +++ b/htdocs/core/ajax/ziptown.php @@ -42,6 +42,11 @@ if (!defined('NOREQUIRESOC')) { require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; +// Security check +if (!getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY')) { + // If MAIN_USE_ZIPTOWN_DICTIONNARY is set, we make a search into a public page. If not we search into societe so we must check we have read permission. + $result = restrictedArea($user, 'societe', 0, '&societe', '', 'fk_soc', 'rowid', 0); +} /* @@ -53,11 +58,11 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; //header('Pragma: public'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. -top_httphead(); +top_httphead('application/json'); //print ''."\n"; -dol_syslog('ziptown call with MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY) ? '' : $conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)); +dol_syslog('ziptown call with MAIN_USE_ZIPTOWN_DICTIONNARY='.getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY')); //var_dump($_GET); // Generation of list of zip-town @@ -69,7 +74,7 @@ if (GETPOST('zipcode') || GETPOST('town')) { $zipcode = GETPOST('zipcode'); $town = GETPOST('town'); - if (!empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)) { // Use zip-town table + if (getDolGlobalString('MAIN_USE_ZIPTOWN_DICTIONNARY')) { // Use zip-town table $sql = "SELECT z.rowid, z.zip, z.town, z.fk_county, z.fk_pays as fk_country"; $sql .= ", c.rowid as fk_country, c.code as country_code, c.label as country"; $sql .= ", d.rowid as fk_county, d.code_departement as county_code, d.nom as county"; @@ -80,15 +85,14 @@ if (GETPOST('zipcode') || GETPOST('town')) { $sql .= " WHERE z.fk_pays = c.rowid"; $sql .= " AND z.active = 1 AND c.active = 1"; if ($zipcode) { - $sql .= " AND z.zip LIKE '".$db->escape($zipcode)."%'"; + $sql .= " AND z.zip LIKE '".$db->escape($db->escapeforlike($zipcode))."%'"; } if ($town) { - $sql .= " AND z.town LIKE '%".$db->escape($town)."%'"; + $sql .= " AND z.town LIKE '%".$db->escape($db->escapeforlike($town))."%'"; } $sql .= " ORDER BY z.zip, z.town"; $sql .= $db->plimit(100); // Avoid pb with bad criteria - } else // Use table of third parties - { + } else { // Use table of third parties $sql = "SELECT DISTINCT s.zip, s.town, s.fk_departement as fk_county, s.fk_pays as fk_country"; $sql .= ", c.code as country_code, c.label as country"; $sql .= ", d.code_departement as county_code , d.nom as county"; @@ -97,10 +101,10 @@ if (GETPOST('zipcode') || GETPOST('town')) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX.'c_country as c ON s.fk_pays = c.rowid'; $sql .= " WHERE"; if ($zipcode) { - $sql .= " s.zip LIKE '".$db->escape($zipcode)."%'"; + $sql .= " s.zip LIKE '".$db->escape($db->escapeforlike($zipcode))."%'"; } if ($town) { - $sql .= " s.town LIKE '%".$db->escape($town)."%'"; + $sql .= " s.town LIKE '%".$db->escape($db->escapeforlike($town))."%'"; } $sql .= " ORDER BY s.fk_pays, s.zip, s.town"; $sql .= $db->plimit(100); // Avoid pb with bad criteria diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 4de09846e76..d176d0c56a4 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -7879,20 +7879,20 @@ class Form * Output html form to select an object. * Note, this function is called by selectForForms or by ajax selectobject.php * - * @param Object $objecttmp Object to knwo the table to scan for combo. - * @param string $htmlname Name of HTML select component - * @param int $preselectedvalue Preselected value (ID of element) - * @param string $showempty ''=empty values not allowed, 'string'=value show if we allow empty values (for example 'All', ...) - * @param string $searchkey Search value - * @param string $placeholder Place holder - * @param string $morecss More CSS - * @param string $moreparams More params provided to ajax call - * @param int $forcecombo Force to load all values and output a standard combobox (with no beautification) - * @param int $outputmode 0=HTML select string, 1=Array - * @param int $disabled 1=Html component is disabled - * @param string $sortfield Sort field - * @param string $filter Add more filter - * @return string|array Return HTML string + * @param Object $objecttmp Object to knwo the table to scan for combo. + * @param string $htmlname Name of HTML select component + * @param int $preselectedvalue Preselected value (ID of element) + * @param string $showempty ''=empty values not allowed, 'string'=value show if we allow empty values (for example 'All', ...) + * @param string $searchkey Search value + * @param string $placeholder Place holder + * @param string $morecss More CSS + * @param string $moreparams More params provided to ajax call + * @param int $forcecombo Force to load all values and output a standard combobox (with no beautification) + * @param int $outputmode 0=HTML select string, 1=Array + * @param int $disabled 1=Html component is disabled + * @param string $sortfield Sort field + * @param string $filter Add more filter + * @return string|array Return HTML string * @see selectForForms() */ public function selectForFormsList($objecttmp, $htmlname, $preselectedvalue, $showempty = '', $searchkey = '', $placeholder = '', $morecss = '', $moreparams = '', $forcecombo = 0, $outputmode = 0, $disabled = 0, $sortfield = '', $filter = '') diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 21e5b608a41..118e75773c1 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1289,18 +1289,21 @@ class FormOther containment: \'document\', connectWith: \'#boxhalfleft, #boxhalfright\', stop: function(event, ui) { + console.log("We moved box so we call updateBoxOrder with ajax actions"); updateBoxOrder(1); /* 1 to avoid message after a move */ } }); jQuery(".boxclose").click(function() { var self = this; // because JQuery can modify this - var boxid=self.id.substring(8); - var label=jQuery(\'#boxlabelentry\'+boxid).val(); - console.log("We close box "+boxid); - jQuery(\'#boxto_\'+boxid).remove(); - if (boxid > 0) jQuery(\'#boxcombo\').append(new Option(label, boxid)); - updateBoxOrder(1); /* 1 to avoid message after a remove */ + var boxid = self.id.substring(8); + if (boxid > 0) { + var label = jQuery(\'#boxlabelentry\'+boxid).val(); + console.log("We close box "+boxid); + jQuery(\'#boxto_\'+boxid).remove(); + jQuery(\'#boxcombo\').append(new Option(label, boxid)); + updateBoxOrder(1); /* 1 to avoid message after a remove */ + } }); });'."\n"; diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index cebcbfe373f..5371fc09aaf 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -3199,41 +3199,45 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, // Define $accessallowed $reg = array(); if (preg_match('/^([a-z]+)_user_temp$/i', $modulepart, $reg)) { - if (empty($conf->{$reg[1]}->dir_temp)) { // modulepart not supported + $tmpmodule = $reg[1]; + if (empty($conf->$tmpmodule->dir_temp)) { // modulepart not supported dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) { + if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) { $accessallowed = 1; } $original_file = $conf->{$reg[1]}->dir_temp.'/'.$fuser->id.'/'.$original_file; } elseif (preg_match('/^([a-z]+)_temp$/i', $modulepart, $reg)) { - if (empty($conf->{$reg[1]}->dir_temp)) { // modulepart not supported + $tmpmodule = $reg[1]; + if (empty($conf->$tmpmodule->dir_temp)) { // modulepart not supported dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) { + if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) { $accessallowed = 1; } - $original_file = $conf->{$reg[1]}->dir_temp.'/'.$original_file; + $original_file = $conf->$tmpmodule->dir_temp.'/'.$original_file; } elseif (preg_match('/^([a-z]+)_user$/i', $modulepart, $reg)) { - if (empty($conf->{$reg[1]}->dir_output)) { // modulepart not supported + $tmpmodule = $reg[1]; + if (empty($conf->$tmpmodule->dir_output)) { // modulepart not supported dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->{$lire} || $fuser->rights->{$reg[1]}->{$read} || ($fuser->rights->{$reg[1]}->{$download})) { + if ($fuser->hasRight($tmpmodule, $lire) || $fuser->hasRight($tmpmodule, $read) || $fuser->hasRight($tmpmodule, $download)) { $accessallowed = 1; } - $original_file = $conf->{$reg[1]}->dir_output.'/'.$fuser->id.'/'.$original_file; + $original_file = $conf->$tmpmodule->dir_output.'/'.$fuser->id.'/'.$original_file; } elseif (preg_match('/^massfilesarea_([a-z]+)$/i', $modulepart, $reg)) { - if (empty($conf->{$reg[1]}->dir_output)) { // modulepart not supported + $tmpmodule = $reg[1]; + if (empty($conf->$tmpmodule->dir_output)) { // modulepart not supported dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.')'); exit; } - if ($fuser->rights->{$reg[1]}->{$lire} || preg_match('/^specimen/i', $original_file)) { + if ($fuser->hasRight($tmpmodule, $lire) || preg_match('/^specimen/i', $original_file)) { $accessallowed = 1; } - $original_file = $conf->{$reg[1]}->dir_output.'/temp/massgeneration/'.$user->id.'/'.$original_file; + $original_file = $conf->$tmpmodule->dir_output.'/temp/massgeneration/'.$user->id.'/'.$original_file; } else { if (empty($conf->$modulepart->dir_output)) { // modulepart not supported dol_print_error('', 'Error call dol_check_secure_access_document with not supported value for modulepart parameter ('.$modulepart.'). The module for this modulepart value may not be activated.'); @@ -3248,7 +3252,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, $accessallowed = 1; } } - if (!empty($fuser->rights->$modulepart->{$lire}) || !empty($fuser->rights->$modulepart->{$read})) { + if ($fuser->hasRight($modulepart, $lire) || $fuser->hasRight($modulepart, $read)) { $accessallowed = 1; } diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 7091eb2ca81..cd64c04e57d 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -548,7 +548,7 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '', // Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files) $createok = 1; $nbko = 0; - $wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'set', 'add_element_resource', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2)); + $wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'set', 'upload', 'add_element_resource', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2)); $wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete'); if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) { diff --git a/htdocs/core/tpl/bloc_showhide.tpl.php b/htdocs/core/tpl/bloc_showhide.tpl.php index ee67fa6b74a..047e09a1e93 100644 --- a/htdocs/core/tpl/bloc_showhide.tpl.php +++ b/htdocs/core/tpl/bloc_showhide.tpl.php @@ -52,9 +52,9 @@ print ' $("#hide-'.$blocname.'").show();'."\n"; print '});'."\n"; print 'function setShowHide(status) {'."\n"; -print ' var id = '.$object->id.";\n"; -print " var element = '".$object->element."';\n"; -print " var htmlelement = '".$blocname."';\n"; +print ' var id = '.((int) $object->id).";\n"; +print " var element = '".dol_escape_js($object->element)."';\n"; +print " var htmlelement = '".dol_escape_js($blocname)."';\n"; print ' var type = "showhide";'."\n"; print ' $.get("'.dol_buildpath('/core/ajax/extraparams.php', 1); print '?id="+id+"&element="+element+"&htmlelement="+htmlelement+"&type="+type+"&value="+status);'."\n"; diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index e7e532d666d..38933d291e7 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -250,4 +250,3 @@ if (!defined('NOREQUIRETRAN')) { if (!defined('MAIN_LABEL_MENTION_NPR')) { define('MAIN_LABEL_MENTION_NPR', 'NPR'); } -//if (! defined('PCLZIP_TEMPORARY_DIR')) define('PCLZIP_TEMPORARY_DIR', $conf->user->dir_temp);