FIX Better sanitizing of search all parameter.

2025-02-20 13:46:52 +01:00 · 2017-05-09 19:36:10 +02:00 · 2017-05-09 19:36:10 +02:00 · 6d01bd712d
commit 6d01bd712d
parent 667e3c2876
33 changed files with 54 additions and 43 deletions
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@ -57,7 +57,7 @@ $type=GETPOST("type");
 $search_email=GETPOST("search_email");
 $search_categ = GETPOST("search_categ",'int');
 $catid        = GETPOST("catid",'int');
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $optioncss = GETPOST('optioncss','alpha');

 if ($statut < -1) $statut = '';
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@ -41,8 +41,8 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";

-$sall=GETPOST("sall","alpha");
-$sref=GETPOST("sref","alpha");
+$sall=GETPOST('sall', 'alphanohtml');
+$sref=GETPOST("sref", "alpha");
 $filteremail=GETPOST('filteremail','alpha');

 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut');
 $optioncss = GETPOST('optioncss','alpha');
 $object_statut=GETPOST('propal_statut');

-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));

 $day=GETPOST("day","int");
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@ -71,7 +71,7 @@ $search_zip=GETPOST('search_zip','alpha');
 $search_state=trim(GETPOST("search_state"));
 $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $socid=GETPOST('socid','int');
 $search_user=GETPOST('search_user','int');
 $search_sale=GETPOST('search_sale','int');
--- a/htdocs/commande/orderstoinvoice.php
+++ b/htdocs/commande/orderstoinvoice.php
@ -52,7 +52,7 @@ $action			= GETPOST('action','alpha');
 $confirm		= GETPOST('confirm','alpha');
 $sref			= GETPOST('sref');
 $sref_client	= GETPOST('sref_client');
-$sall			= GETPOST('sall');
+$sall			= GETPOST('sall', 'alphanohtml');
 $socid			= GETPOST('socid','int');
 $selected		= GETPOST('orders_to_invoice');
 $sortfield		= GETPOST("sortfield",'alpha');
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@ -52,7 +52,7 @@ $langs->load('bills');
 $langs->load('companies');
 $langs->load('products');

-$sall=trim(GETPOST('sall'));
+$sall=trim(GETPOST('sall', 'alphanohtml'));
 $projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);

 $id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int'));  // For backward compatibility
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@ -42,7 +42,7 @@ $ref = '';  // There is no ref for contacts
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $contactid,'');

-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $search_firstlast_only=GETPOST("search_firstlast_only");
 $search_lastname=GETPOST("search_lastname");
 $search_firstname=GETPOST("search_firstname");
--- a/htdocs/contrat/list.php
+++ b/htdocs/contrat/list.php
@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
 $search_contract=GETPOST('search_contract');
 $search_ref_supplier=GETPOST('search_ref_supplier','alpha');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_status=GETPOST('search_status');
 $socid=GETPOST('socid');
 $search_user=GETPOST('search_user','int');
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="d.datedon";

 $statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
-$search_all=GETPOST('sall','alpha');
+$search_all=GETPOST('sall', 'alphanohtml');
 $search_ref=GETPOST('search_ref','alpha');
 $search_company=GETPOST('search_company','alpha');
 $search_name=GETPOST('search_name','alpha');
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha');
 $search_state=trim(GETPOST("search_state"));
 $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
 $optioncss = GETPOST('optioncss','alpha');

 $limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC";
 if (!$sortfield) $sortfield="d.date_debut";


-$sall         = GETPOST('sall');
+$sall         = GETPOST('sall', 'alphanohtml');
 $search_ref   = GETPOST('search_ref');
 $search_user  = GETPOST('search_user','int');
 $search_amount_ht = GETPOST('search_amount_ht','alpha');
--- a/htdocs/fichinter/list.php
+++ b/htdocs/fichinter/list.php
@ -62,7 +62,7 @@ $search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_
 $search_company=GETPOST('search_company','alpha');
 $search_desc=GETPOST('search_desc','alpha');
 $search_status=GETPOST('search_status');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $optioncss = GETPOST('optioncss','alpha');

 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
 // when we post forms (we allow GET to allow direct link to access a particular page).
 // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
-    && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
-    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
 {
-	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-	print "Access refused by CSRF protection in main.inc.php.\n";
-	print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
-	die;
+    if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
+    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+    {
+    	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+    	print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
+        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+    	die;
+    }
+    // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
 }
 if (empty($dolibarr_main_db_host))
 {
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@ -54,6 +54,8 @@ $orderday=GETPOST("orderday","int");
 $deliveryyear=GETPOST("deliveryyear","int");
 $deliverymonth=GETPOST("deliverymonth","int");
 $deliveryday=GETPOST("deliveryday","int");
+
+$sall=GETPOST('search_all', 'alphanohtml');
 $search_product_category=GETPOST('search_product_category','int');
 $search_ref=GETPOST('search_ref');
 $search_refsupp=GETPOST('search_refsupp');
@ -69,7 +71,6 @@ $search_ht=GETPOST('search_ht');
 $search_ttc=GETPOST('search_ttc');
 $search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha'));	// alpha and not intbecause it can be '6,7'
 $optioncss = GETPOST('optioncss','alpha');
-$sall=GETPOST('search_all');
 $socid = GETPOST('socid','int');
 $search_sale=GETPOST('search_sale','int');
 $search_total_ht=GETPOST('search_total_ht','alpha');
--- a/htdocs/fourn/commande/orderstoinvoice.php
+++ b/htdocs/fourn/commande/orderstoinvoice.php
@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha');
 $confirm = GETPOST('confirm', 'alpha');
 $sref = GETPOST('sref');
 $sref_client = GETPOST('sref_client');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
 $socid = GETPOST('socid', 'int');
 $selected = GETPOST('orders_to_invoice');
 $sortfield = GETPOST("sortfield", 'alpha');
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@ -88,7 +88,7 @@ $toselect = GETPOST('toselect', 'array');
 $option = GETPOST('option');
 if ($option == 'late') $filter = 'paye:0';

-$search_all = GETPOST('sall');
+$search_all = GETPOST('sall', 'alphanohtml');
 $search_label = GETPOST("search_label","alpha");
 $search_company = GETPOST("search_company","alpha");
 $search_amount_no_tax = GETPOST("search_amount_no_tax","alpha");
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@ -55,7 +55,7 @@ $pagenext = $page + 1;

 $id = GETPOST('id','int');

-$sall            = GETPOST('sall');
+$sall            = GETPOST('sall', 'alphanohtml');
 $search_ref      = GETPOST('search_ref');
 $month_create    = GETPOST('month_create');
 $year_create     = GETPOST('year_create');
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V
 // Creation of a token against CSRF vulnerabilities
 if (! defined('NOTOKENRENEWAL'))
 {
-    $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
    // roulement des jetons car cree a chaque appel
    if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
+    
+    // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
+    $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
    $_SESSION['newtoken'] = $token;
 }
 if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))	// Check validity of token, only if option enabled (this option breaks some features sometimes)
 {
-    if ($_SERVER['REQUEST_METHOD'] === 'POST')
+    if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET
    {
-        if (GETPOST('token') != $_SESSION['token'])
+        print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
+        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+        die;
+    }
+    if ($_SERVER['REQUEST_METHOD'] === 'POST')  // This test must be after loading $_SESSION['token'].
+    {
+        if (GETPOST('token', 'alpha') != $_SESSION['token'])
        {
            dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
            //print 'Unset POST by CSRF protection in main.inc.php.';	// Do not output anything because this create problems when using the BACK button on browsers.
--- a/htdocs/product/canvas/product/actions_card_product.class.php
+++ b/htdocs/product/canvas/product/actions_card_product.class.php
@ -326,7 +326,7 @@ class ActionsCardProduct
        $this->list_datas = array();

 		// Clean parameters
-		$sall=trim(GETPOST("sall"));
+		$sall=trim(GETPOST('sall', 'alphanohtml'));

 		foreach($this->field_list as $field)
 		{
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@ -49,7 +49,7 @@ $action = GETPOST('action');
 $sref=GETPOST("sref");
 $sbarcode=GETPOST("sbarcode");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $type=GETPOST("type","int");
 $search_sale = GETPOST("search_sale");
 $search_categ = GETPOST("search_categ",'int');
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service');
 $action=GETPOST('action','alpha');
 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $type=GETPOST("type","int");
 $sbarcode=GETPOST("sbarcode");
 $catid=GETPOST('catid','int');
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service');
 $action=GETPOST('action','alpha');
 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $type=GETPOST("type","int");
 $sbarcode=GETPOST("sbarcode",'alpha');
 $search_warehouse=GETPOST('search_warehouse','alpha');
--- a/htdocs/product/stock/list.php
+++ b/htdocs/product/stock/list.php
@ -32,9 +32,9 @@ $langs->load("stocks");
 // Security check
 $result=restrictedArea($user,'stock');

+$sall=GETPOST('sall', 'alphanohtml');
 $search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha");
 $search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha");
-$sall=GETPOST("sall","alpha");
 $search_status=GETPOST("search_status","int");

 $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit;
--- a/htdocs/product/stock/replenish.php
+++ b/htdocs/product/stock/replenish.php
@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service');
 $action = GETPOST('action','alpha');
 $sref = GETPOST('sref', 'alpha');
 $snom = GETPOST('snom', 'alpha');
-$sall = GETPOST('sall', 'alpha');
+$sall = GETPOST('sall', 'alphanohtml');
 $type = GETPOST('type','int');
 $tobuy = GETPOST('tobuy', 'int');
 $salert = GETPOST('salert', 'alpha');
--- a/htdocs/product/stock/replenishorders.php
+++ b/htdocs/product/stock/replenishorders.php
@ -39,11 +39,11 @@ $langs->load("orders");
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit|service');

+$sall = GETPOST('search_all', 'alphanohtml');
 $sref = GETPOST('search_ref', 'alpha');
 $snom = GETPOST('search_nom', 'alpha');
 $suser = GETPOST('search_user', 'alpha');
 $sttc = GETPOST('search_ttc', 'alpha');
-$sall = GETPOST('search_all', 'alpha');
 $sdate = GETPOST('search_date', 'alpha');
 $page = GETPOST('page', 'int');
 $sproduct = GETPOST('sproduct', 'int');
--- a/htdocs/product/stock/valo.php
+++ b/htdocs/product/stock/valo.php
@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock');

 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');

 $sortfield = GETPOST("sortfield");
 $sortorder = GETPOST("sortorder");
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@ -62,13 +62,12 @@ $offset = $limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;

-$search_all=GETPOST("search_all");
+$search_all=GETPOST('search_all', 'alphanohtml');
 $search_categ=GETPOST("search_categ",'alpha');
 $search_ref=GETPOST("search_ref");
 $search_label=GETPOST("search_label");
 $search_societe=GETPOST("search_societe");
 $search_year=GETPOST("search_year");
-$search_all=GETPOST("search_all");
 $search_status=GETPOST("search_status",'int');
 $search_opp_status=GETPOST("search_opp_status",'alpha');
 $search_opp_percent=GETPOST("search_opp_percent",'alpha');
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@ -36,7 +36,7 @@ $langs->load('companies');

 $id=GETPOST('id','int');

-$search_all=GETPOST('search_all');
+$search_all=GETPOST('search_all', 'alphanohtml');
 $search_project=GETPOST('search_project');
 if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus'])) 
 {
--- a/htdocs/societe/list.php
+++ b/htdocs/societe/list.php
@ -48,7 +48,7 @@ $socid = GETPOST('socid','int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user,'societe',$socid,'');

-$search_all=trim(GETPOST("sall"));
+$search_all=trim(GETPOST('sall', 'alphanohtml'));
 $search_nom=trim(GETPOST("search_nom"));
 $search_nom_only=trim(GETPOST("search_nom_only"));
 $search_barcode=trim(GETPOST("sbarcode"));
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha');
 $search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int');
 $object_statut=$db->escape(GETPOST('supplier_proposal_statut'));

-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
 $year=GETPOST("year");
 $month=GETPOST("month");
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))

 $langs->load("users");

-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_group=GETPOST('search_group');
 $optioncss = GETPOST('optioncss','alpha');

--- a/htdocs/user/hierarchy.php
+++ b/htdocs/user/hierarchy.php
@ -39,7 +39,7 @@ $socid=0;
 if ($user->societe_id > 0)
 	$socid = $user->societe_id;

-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_user=GETPOST('search_user','alpha');

 $userstatic=new User($db);
--- a/htdocs/user/index.php
+++ b/htdocs/user/index.php
@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab
 }

 // Init search fields
-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_user=GETPOST('search_user','alpha');
 $search_login=GETPOST('search_login','alpha');
 $search_lastname=GETPOST('search_lastname','alpha');