Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Debug v16

Browse Source
This commit is contained in:
Laurent Destailleur 2022-07-12 10:56:03 +02:00
parent 7ac00bfec9
commit cf5825687e
5 changed files with 27 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/class/rssparser.class.php
View File

@ -49,6 +49,8 @@ class RssParser
private $_lastfetchdate; // Last successful fetch
private $_rssarray = array();
private $current_namespace;
// For parsing with xmlparser
public $stack = array(); // parser stack
private $_CONTENT_CONSTRUCTS = array('content', 'summary', 'info', 'title', 'tagline', 'copyright');

22
htdocs/core/lib/admin.lib.php
View File

@ -324,10 +324,11 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$keyforsql = md5($sqlfile);
foreach ($arraysql as $i => $sql) {
if ($sql) {
// Test if sql is allowed
// Test if th SQL is allowed SQL
if ($onlysqltoimportwebsite) {
$newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql);
// Remove all strings contents
$newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql); // Replace the \' seque,ce
// Remove all strings contents including the ' so we can analyse SQL instruction only later
$l = strlen($newsql);
$is = 0;
$quoteopen = 0;
@ -348,11 +349,12 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$newsqlclean = str_replace(array("null"), '__000__', $newsqlclean);
//print $newsqlclean."<br>\n";
// A very small control. This can still by bypassed by adding a second SQL request concatenated
$qualified = 0;
// A very small control. This can still by bypassed by adding a second SQL request concatenated
if (preg_match('/^--/', $newsqlclean)) {
$qualified = 1;
} elseif (preg_match('/^UPDATE llx_website SET fk_default_home = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
} elseif (preg_match('/^UPDATE llx_website SET \w+ = \d+\+\d+ WHERE rowid = \d+;$/', $newsqlclean)) {
$qualified = 1;
} elseif (preg_match('/^INSERT INTO llx_website_page\([a-z0-9_\s,]+\) VALUES\([0-9_\s,\+]+\);$/', $newsqlclean)) {
// Insert must match
@ -360,11 +362,18 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$qualified = 1;
}
// Another check to allow some legitimate original urls
if (!$qualified) {
if (preg_match('/^UPDATE llx_website SET \w+ = \'[a-zA-Z,\s]*\' WHERE rowid = \d+;$/', $sql)) {
$qualified = 1;
}
}
if (!$qualified) {
$error++;
//print 'Request '.($i + 1)." contains non allowed instructions.<br>\n";
//print "newsqlclean = ".$newsqlclean."<br>\n";
dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_DEBUG);
dol_syslog('Admin.lib::run_sql Request '.($i + 1)." contains non allowed instructions.", LOG_WARNING);
dol_syslog('$newsqlclean='.$newsqlclean, LOG_DEBUG);
break;
}
@ -424,6 +433,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
$error++;
break;
}
$from = '__'.$cursor.'__';
$to = $listofinsertedrowid[$cursor];
$newsql = str_replace($from, $to, $newsql);

10
htdocs/website/class/website.class.php
View File

@ -1103,7 +1103,7 @@ class Website extends CommonObject
}
$line = "\n-- For Dolibarr v14+ --;\n";
$line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->fk_default_lang)."' WHERE rowid = __WEBSITE_ID__;\n";
$line .= "UPDATE llx_website SET lang = '".$this->db->escape($this->lang)."' WHERE rowid = __WEBSITE_ID__;\n";
$line .= "UPDATE llx_website SET otherlang = '".$this->db->escape($this->otherlang)."' WHERE rowid = __WEBSITE_ID__;\n";
$line .= "\n";
fputs($fp, $line);
@ -1146,7 +1146,7 @@ class Website extends CommonObject
$object = $this;
if (empty($object->ref)) {
$this->error = 'Function importWebSite called on object not loaded (object->ref is empty)';
return -1;
return -2;
}
dol_delete_dir_recursive($conf->website->dir_temp."/".$object->ref);
@ -1155,14 +1155,14 @@ class Website extends CommonObject
$filename = basename($pathtofile);
if (!preg_match('/^website_(.*)-(.*)$/', $filename, $reg)) {
$this->errors[] = 'Bad format for filename '.$filename.'. Must be website_XXX-VERSION.';
return -1;
return -3;
}
$result = dol_uncompress($pathtofile, $conf->website->dir_temp.'/'.$object->ref);
if (!empty($result['error'])) {
$this->errors[] = 'Failed to unzip file '.$pathtofile.'.';
return -1;
return -4;
}
$arrayreplacement = array();
@ -1211,7 +1211,7 @@ class Website extends CommonObject
// Load sql record
$runsql = run_sql($sqlfile, 1, '', 0, '', 'none', 0, 1, 0, 0, 1); // The maxrowid of table is searched into this function two
if ($runsql <= 0) {
$this->errors[] = 'Failed to load sql file '.$sqlfile;
$this->errors[] = 'Failed to load sql file '.$sqlfile.' (ret='.$runsql.')';
$error++;
}

2
htdocs/website/class/websitepage.class.php
View File

@ -612,6 +612,8 @@ class WebsitePage extends CommonObject
*/
public function delete(User $user, $notrigger = false)
{
global $conf;
$error = 0;
// Delete all child tables

3
htdocs/website/index.php
View File

@ -2307,6 +2307,7 @@ if ($action == 'importsiteconfirm' && $usercanedit) {
if (!$error) {
$result = $object->importWebSite($fileofzip);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
$action = 'importsite';
@ -4686,7 +4687,7 @@ if ($action == 'preview' || $action == 'createfromclone' || $action == 'createpa
try {
$res = include $filephp;
if (empty($res)) {
print "ERROR: Failed to include file '".$filephp."'. Try to edit and save page.";
print "ERROR: Failed to include file '".$filephp."'. Try to edit and re-save page ith this ID.";
}
} catch (Exception $e) {
print $e->getMessage();