Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Multiple directory traversal vulnerabilities with document.php

Browse Source
This commit is contained in:
Regis Houssin 2012-02-27 17:02:56 +01:00
parent 1d0d820221
commit 8f9b9987ff
10 changed files with 70 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/comm/action/document.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2003-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
*
* This program is free software; you can redistribute it and/or modify

26
htdocs/comm/action/fiche.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Simon TOSSER <simon@kornog-computing.com>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
@ -43,11 +43,12 @@ $langs->load("bills");
$langs->load("orders");
$langs->load("agenda");
$action=GETPOST("action");
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');
// Security check
$socid = GETPOST('socid');
$id = GETPOST('id');
$socid = GETPOST('socid','int');
$id = GETPOST('id','int');
if ($user->societe_id) $socid=$user->societe_id;
//$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');
@ -66,9 +67,7 @@ if ($action == 'add_action')
{
$error=0;
$backtopage='';
if (! empty($_POST["backtopage"])) $backtopage=$_POST["backtopage"];
if (! $backtopage)
if (empty($backtopage))
{
if ($socid > 0) $backtopage = DOL_URL_ROOT.'/societe/agenda.php?socid='.$socid;
else $backtopage=DOL_URL_ROOT.'/comm/action/index.php';
@ -339,14 +338,9 @@ if ($action == 'update')
}
else
{
if (! empty($_POST["from"])) // deprecated. Use backtopage instead
{
header("Location: ".$_POST["from"]);
exit;
}
if (! empty($_POST["backtopage"]))
if (! empty($backtopage))
{
header("Location: ".$_POST["backtopage"]);
header("Location: ".$backtopage);
exit;
}
}
@ -426,7 +420,7 @@ if ($action == 'create')
print '<form name="formaction" action="'.DOL_URL_ROOT.'/comm/action/fiche.php" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add_action">';
if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") != 1 ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
if (GETPOST("actioncode") == 'AC_RDV') print_fiche_titre($langs->trans("AddActionRendezVous"));
else print_fiche_titre($langs->trans("AddAnAction"));
@ -679,7 +673,7 @@ if ($id)
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="ref_ext" value="'.$act->ref_ext.'">';
if (GETPOST("backtopage")) print '<input type="hidden" name="backtopage" value="'.(GETPOST("backtopage") ? GETPOST("backtopage") : $_SERVER["HTTP_REFERER"]).'">';
print '<input type="hidden" name="backtopage" value="'.(! empty($backtopage) ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
print '<table class="border" width="100%">';

16
htdocs/comm/remise.php
View File

@ -30,21 +30,23 @@ $langs->load("companies");
$langs->load("orders");
$langs->load("bills");
$socid = GETPOST("id");
$socid = GETPOST('id','int');
// Security check
if ($user->societe_id > 0)
{
$socid = $user->societe_id;
}
$backtopage = GETPOST('backtopage','alpha');
/*
* Actions
*/
if (GETPOST('cancel') && GETPOST('backtopage'))
if (GETPOST('cancel') && ! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage"));
Header("Location: ".$backtopage);
exit;
}
@ -56,9 +58,9 @@ if (GETPOST("action") == 'setremise')
if ($result > 0)
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else
@ -122,7 +124,7 @@ if ($socid > 0)
print '<form method="POST" action="remise.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<table class="border" width="100%">';
@ -138,7 +140,7 @@ if ($socid > 0)
print '<center>';
print '<input type="submit" class="button" value="'.$langs->trans("Modify").'">';
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
print '&nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';

15
htdocs/comm/remx.php
View File

@ -32,7 +32,8 @@ $langs->load("orders");
$langs->load("bills");
$langs->load("companies");
$action=GETPOST('action');
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');
// Security check
$socid = GETPOST("id");
@ -46,9 +47,9 @@ if ($user->societe_id > 0)
* Actions
*/
if (GETPOST('cancel') && GETPOST('backtopage'))
if (GETPOST('cancel') && ! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage"));
Header("Location: ".$backtopage);
exit;
}
@ -151,9 +152,9 @@ if ($action == 'setremise')
if ($discountid > 0)
{
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
Header("Location: ".GETPOST("backtopage").'&discountid='.$discountid);
Header("Location: ".$backtopage.'&discountid='.$discountid);
exit;
}
else
@ -228,7 +229,7 @@ if ($socid > 0)
print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<table class="border" width="100%">';
@ -280,7 +281,7 @@ if ($socid > 0)
print '<center>';
print '<input type="submit" class="button" name="submit" value="'.$langs->trans("AddGlobalDiscount").'">';
if (GETPOST("backtopage"))
if (! empty($backtopage))
{
print '&nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';

27
htdocs/contact/fiche.php
View File

@ -39,10 +39,11 @@ $langs->load("commercial");
$mesg=''; $error=0; $errors=array();
$action = (GETPOST('action') ? GETPOST('action') : 'view');
$confirm = GETPOST('confirm');
$id = GETPOST("id");
$socid = GETPOST("socid");
$action = (GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view');
$confirm = GETPOST('confirm','alpha');
$backtopage = GETPOST('backtopage','alpha');
$id = GETPOST('id','int');
$socid = GETPOST('socid','int');
if ($user->societe_id) $socid=$user->societe_id;
$object = new Contact($db);
@ -76,9 +77,9 @@ $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action);
if (empty($reshook))
{
// Cancel
if (GETPOST("cancel") && GETPOST('backtopage'))
if (GETPOST("cancel") && ! empty($backtopage))
{
header("Location: ".GETPOST('backtopage'));
header("Location: ".$backtopage);
exit;
}
@ -86,7 +87,7 @@ if (empty($reshook))
if ($action == 'confirm_create_user' && $confirm == 'yes' && $user->rights->user->user->creer)
{
// Recuperation contact actuel
$result = $object->fetch($_GET["id"]);
$result = $object->fetch($id);
if ($result > 0)
{
@ -172,7 +173,7 @@ if (empty($reshook))
if (! $error && $id > 0)
{
$db->commit();
if (GETPOST('backtopage')) $url=GETPOST('backtopage');
if (! empty($backtopage)) $url=$backtopage;
else $url='fiche.php?id='.$id;
Header("Location: ".$url);
exit;
@ -368,7 +369,7 @@ else
print '<form method="post" name="formsoc" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<table class="border" width="100%">';
// Name
@ -497,7 +498,7 @@ else
print '<center>';
print '<input type="submit" class="button" name="add" value="'.$langs->trans("Add").'">';
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
print ' &nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
@ -537,11 +538,11 @@ else
print '</script>';
}
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.GETPOST("id").'" name="formsoc">';
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" name="formsoc">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="id" value="'.GETPOST("id").'">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<input type="hidden" name="contactid" value="'.$object->id.'">';
print '<input type="hidden" name="old_name" value="'.$object->name.'">';
print '<input type="hidden" name="old_firstname" value="'.$object->firstname.'">';

6
htdocs/core/lib/functions.lib.php
View File

@ -257,7 +257,11 @@ function GETPOST($paramname,$check='',$method=0)
// Check if alpha
//if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
if ($check == 'alpha')
{
if (preg_match('/"/',trim($out))) $out='';
else if (preg_match('/(\.\.\/)+/',trim($out))) $out='';
}
}
return $out;

12
htdocs/document.php
View File

@ -2,7 +2,7 @@
/* Copyright (C) 2004-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Simon Tosser <simon@kornog-computing.com>
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2010 Pierre Morin <pierre.morin@auguria.net>
* Copyright (C) 2010 Juanjo Menent <jmenent@2byte.es>
*
@ -50,10 +50,10 @@ require("./main.inc.php"); // Load $user and permissions
require_once(DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php');
$encoding = '';
$action = GETPOST("action");
$original_file = GETPOST("file"); // Do not use urldecode here ($_GET are already decoded by PHP).
$modulepart = GETPOST("modulepart");
$urlsource = GETPOST("urlsource");
$action = GETPOST('action','alpha');
$original_file = GETPOST('file','alpha'); // Do not use urldecode here ($_GET are already decoded by PHP).
$modulepart = GETPOST('modulepart','alpha');
$urlsource = GETPOST('urlsource','alpha');
// Security check
if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
@ -72,7 +72,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
// Define mime type
$type = 'application/octet-stream';
if (GETPOST('type')) $type=GETPOST('type');
if (GETPOST('type','alpha')) $type=GETPOST('type','alpha');
else $type=dol_mimetype($original_file);
//print 'X'.$type.'-'.$original_file;exit;

13
htdocs/projet/fiche.php
View File

@ -34,8 +34,9 @@ $langs->load("projects");
$langs->load('companies');
$id=GETPOST('id','int');
$ref = GETPOST('ref');
$action=GETPOST('action');
$ref = GETPOST('ref','alpha');
$action=GETPOST('action','alpha');
$backtopage=GETPOST('backtopage','alpha');
if ($id == '' && $ref == '' && ($action != "create" && $action != "add" && $action != "update" && ! $_POST["cancel"])) accessforbidden();
@ -55,9 +56,9 @@ $result = restrictedArea($user, 'projet', $id);
*/
// Cancel
if (GETPOST("cancel") && GETPOST('backtopage'))
if (GETPOST("cancel") && ! empty($backtopage))
{
header("Location: ".GETPOST('backtopage'));
header("Location: ".$backtopage);
exit;
}
@ -276,7 +277,7 @@ if ($action == 'create' && $user->rights->projet->creer)
print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
print '<table class="border" width="100%">';
@ -332,7 +333,7 @@ if ($action == 'create' && $user->rights->projet->creer)
print '<br><center>';
print '<input type="submit" class="button" value="'.$langs->trans("Create").'">';
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
print ' &nbsp; &nbsp; ';
print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';

11
htdocs/projet/tasks.php
View File

@ -36,6 +36,7 @@ $langs->load("projects");
$action = GETPOST('action', 'alpha');
$id = GETPOST('id', 'int');
$ref = GETPOST('ref', 'alpha');
$backtopage=GETPOST('backtopage','alpha');
$mode = GETPOST('mode', 'alpha');
$mine = ($mode == 'mine' ? 1 : 0);
@ -111,9 +112,9 @@ if ($action == 'createtask' && $user->rights->projet->creer)
if (! $error)
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else if (empty($projectid))
@ -125,9 +126,9 @@ if ($action == 'createtask' && $user->rights->projet->creer)
}
else
{
if (GETPOST('backtopage'))
if (! empty($backtopage))
{
Header("Location: ".GETPOST('backtopage'));
Header("Location: ".$backtopage);
exit;
}
else if (empty($id))
@ -219,7 +220,7 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->socie
print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="createtask">';
print '<input type="hidden" name="backtopage" value="'.GETPOST('backtopage').'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
if (! empty($object->id)) print '<input type="hidden" name="id" value="'.$object->id.'">';
if (! empty($mode)) print '<input type="hidden" name="mode" value="'.$mode.'">';

8
htdocs/public/members/new.php
View File

@ -47,8 +47,8 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/company.lib.php");
$errmsg='';
$num=0;
$error=0;
$backtopage=GETPOST('backtopage');
$action=GETPOST('action');
$backtopage=GETPOST('backtopage','alpha');
$action=GETPOST('action','alpha');
// Load translation files
$langs->load("main");
@ -255,7 +255,7 @@ if ($action == 'add')
$result=$adh->send_an_email($conf->global->ADHERENT_AUTOREGISTER_MAIL,$conf->global->ADHERENT_AUTOREGISTER_MAIL_SUBJECT,array(),array(),array(),"","",0,-1);
}
if ($backtopage) $urlback=$backtopage;
if (! empty($backtopage)) $urlback=$backtopage;
else if ($conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION)
{
$urlback=$conf->global->MEMBER_URL_REDIRECT_SUBSCRIPTION;
@ -545,7 +545,7 @@ print "</table>\n";
// Save
print '<br><center>';
print '<input type="submit" value="'.$langs->trans("Save").'" id="submitsave" class="button">';
if ($backtopage)
if (! empty($backtopage))
{
print ' &nbsp; &nbsp; <input type="submit" value="'.$langs->trans("Cancel").'" id="submitcancel" class="button">';
}