Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX CVE-2018-19995 and CVE-2018-19998

Browse Source
This commit is contained in:
Laurent Destailleur 2018-12-22 17:08:55 +01:00
parent 850b939ffd
commit bacd5110fb
1 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
htdocs/user/card.php
View File

@ -191,31 +191,31 @@ if (empty($reshook)) {
$birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
$object->birth = $birth;
$object->admin = GETPOST("admin", 'alpha');
$object->address = GETPOST('address', 'alpha');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
$object->country_id = GETPOST('country_id', 'int');
$object->state_id = GETPOST('state_id', 'int');
$object->office_phone = GETPOST("office_phone", 'alpha');
$object->office_fax = GETPOST("office_fax", 'alpha');
$object->user_mobile = GETPOST("user_mobile");
$object->skype = GETPOST("skype", 'alpha');
$object->office_phone = GETPOST("office_phone", 'alphanohtml');
$object->office_fax = GETPOST("office_fax", 'alphanohtml');
$object->user_mobile = GETPOST("user_mobile", 'alphanohtml');
$object->skype = GETPOST("skype", 'alphanohtml');
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
$object->job = GETPOST("job", 'alpha');
$object->signature = GETPOST("signature");
$object->accountancy_code = GETPOST("accountancy_code");
$object->note = GETPOST("note");
$object->ldap_sid = GETPOST("ldap_sid");
$object->fk_user = GETPOST("fk_user") > 0 ? GETPOST("fk_user") : 0;
$object->employee = GETPOST('employee');
$object->signature = GETPOST("signature", 'none');
$object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
$object->note = GETPOST("note", 'none');
$object->ldap_sid = GETPOST("ldap_sid", 'alphanohtml');
$object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0;
$object->employee = GETPOST('employee', 'alphanohtml');
$object->thm = GETPOST("thm") != '' ? GETPOST("thm") : '';
$object->tjm = GETPOST("tjm") != '' ? GETPOST("tjm") : '';
$object->salary = GETPOST("salary") != '' ? GETPOST("salary") : '';
$object->salaryextra = GETPOST("salaryextra") != '' ? GETPOST("salaryextra") : '';
$object->weeklyhours = GETPOST("weeklyhours") != '' ? GETPOST("weeklyhours") : '';
$object->thm = GETPOST("thm", 'alphanohtml') != '' ? GETPOST("thm", 'alphanohtml') : '';
$object->tjm = GETPOST("tjm", 'alphanohtml') != '' ? GETPOST("tjm", 'alphanohtml') : '';
$object->salary = GETPOST("salary", 'alphanohtml') != '' ? GETPOST("salary", 'alphanohtml') : '';
$object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : '';
$object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : '';
$object->color = GETPOST("color") != '' ? GETPOST("color") : '';
$object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : '';
$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear'));
$object->dateemployment = $dateemployment;
@ -335,14 +335,14 @@ if (empty($reshook)) {
$object->pass = GETPOST("password",'none');
$object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->address = GETPOST('address', 'alpha');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
$object->country_id = GETPOST('country_id', 'int');
$object->state_id = GETPOST('state_id', 'int');
$object->office_phone = GETPOST("office_phone", 'alpha');
$object->office_fax = GETPOST("office_fax", 'alpha');
$object->user_mobile = GETPOST("user_mobile");
$object->office_phone = GETPOST("office_phone", 'alphanohtml');
$object->office_fax = GETPOST("office_fax", 'alphanohtml');
$object->user_mobile = GETPOST("user_mobile", 'alphanohtml');
$object->skype = GETPOST("skype", 'alpha');
$object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha'));
$object->job = GETPOST("job", 'alpha');
@ -350,7 +350,7 @@ if (empty($reshook)) {
$object->accountancy_code = GETPOST("accountancy_code",'alpha');
$object->openid = GETPOST("openid",'alpha');
$object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0;
$object->employee = GETPOST('employee');
$object->employee = GETPOST('employee','alphanothtml');
$object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : '';
$object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : '';