From 04e84bd09e0c28a9449e207bbaad426ff3b84266 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Fri, 29 Aug 2008 19:01:20 +0000
Subject: [PATCH] Security: Remove, from memory, database password just after
 creating database connexion (the only place we need it).

---
 htdocs/admin/system/index.php                 |  8 ++---
 htdocs/fourn/product/liste.php                | 18 ++++++----
 htdocs/install/etape1.php                     |  4 +--
 htdocs/langs/en_US/suppliers.lang             |  3 +-
 htdocs/langs/fr_FR/suppliers.lang             |  3 +-
 htdocs/master.inc.php                         |  3 ++
 htdocs/public/bplc/bplc.php                   | 33 +++++--------------
 .../adherents/sync_member_dolibarr2ldap.php   |  7 ++--
 .../adherents/sync_member_ldap2dolibarr.php   |  1 -
 9 files changed, 35 insertions(+), 45 deletions(-)

diff --git a/htdocs/admin/system/index.php b/htdocs/admin/system/index.php
index 591933c5622..e12df95942d 100644
--- a/htdocs/admin/system/index.php
+++ b/htdocs/admin/system/index.php
@@ -89,10 +89,10 @@ print "<tr $bc[0]><td width=\"280\">".$langs->trans("Version")."</td><td>" . $db
 print "<tr $bc[1]><td>".$langs->trans("DatabaseServer")."</td><td>" . $conf->db->host . "</td></tr>\n";
 print "<tr $bc[0]><td>".$langs->trans("DatabaseName")."</td><td>" . $conf->db->name . "</td></tr>\n";
 print "<tr $bc[1]><td>".$langs->trans("DriverType")."</td><td>" . $conf->db->type . "</td></tr>\n";
-print "<tr $bc[0]><td>".$langs->trans("User")."</td><td>" . $conf->db->user . "&nbsp;</td></tr>\n";
-print "<tr $bc[1]><td>".$langs->trans("Password")."</td><td>" . ereg_replace(".","*",$conf->db->pass) . "&nbsp;</td></tr>\n";
-print "<tr $bc[0]><td>".$langs->trans("DBStoringCharset")."</td><td>" . $db->getDefaultCharacterSetDatabase() . "&nbsp;</td></tr>\n";
-print "<tr $bc[1]><td>".$langs->trans("DBSortingCharset")."</td><td>" . $db->getDefaultCollationDatabase() . "&nbsp;</td></tr>\n";
+print "<tr $bc[0]><td>".$langs->trans("User")."</td><td>" . $conf->db->user . "</td></tr>\n";
+print "<tr $bc[1]><td>".$langs->trans("Password")."</td><td>" . $langs->trans("NotAvailable") . "</td></tr>\n";
+print "<tr $bc[0]><td>".$langs->trans("DBStoringCharset")."</td><td>" . $db->getDefaultCharacterSetDatabase() . "</td></tr>\n";
+print "<tr $bc[1]><td>".$langs->trans("DBSortingCharset")."</td><td>" . $db->getDefaultCollationDatabase() . "</td></tr>\n";
 print '</table>';
 print '<br>';
 
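Review bot: The new Password cell relies on a `NotAvailable` translation key that this commit does not add (the diffstat touches only the two suppliers.lang files); if the key is not already present in the admin language files the page will render the raw key. Showing a fixed label instead of the starred-out value is the right call, since the password is now cleared in master.inc.php before this page runs and the old `ereg_replace(".","*",...)` still revealed its length. The removal of the `&nbsp;` placeholders from the four cells is unrelated to the security change and, with classic bordered tables, an empty value (e.g. no charset returned) now renders as a collapsed cell; consider keeping the placeholders or splitting the cosmetic edit out.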
diff --git a/htdocs/fourn/product/liste.php b/htdocs/fourn/product/liste.php
index 46d8e3ee8d5..a2fb4515202 100644
--- a/htdocs/fourn/product/liste.php
+++ b/htdocs/fourn/product/liste.php
@@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2006 Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2007 Regis Houssin        <regis@dolibarr.fr>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -16,16 +16,13 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
- * $Source$
  */
 
 /**
 		\file       htdocs/fourn/product/liste.php
 		\ingroup    produit
 		\brief      Page liste des produits ou services
-		\version    $Revision$
+		\version    $Id$
 */
 
 require("./pre.inc.php");
@@ -75,6 +72,12 @@ if (isset($_REQUEST['catid']))
 
 $title=$langs->trans("ProductsAndServices");
 
+if ($fourn_id)
+{
+	$supplier = new Fournisseur($db);
+	$supplier->fetch($fourn_id);
+}
+
 $sql = "SELECT p.rowid, p.label, p.ref, p.fk_product_type";
 $sql .= ", pf.fk_soc, pf.ref_fourn";
 $sql .= ", min(ppf.price) as price";
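Review bot: The return value of `$supplier->fetch($fourn_id)` is discarded, so an unknown or stale supplier id silently leaves `$supplier` half-populated; the later title check on `$supplier->id` only covers the heading, not the SQL assembled below. Where `$fourn_id` is set is outside the hunk, but the truthiness test `if ($fourn_id)` accepts any non-empty string, and `if ($fourn_id > 0)` (with the value cast to int where it is read) states the intent explicitly. Presumably fetch() reports failure through its return value as other Dolibarr classes do — confirm and handle that case.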
@@ -143,9 +146,12 @@ if ($resql)
 		exit;
 	}
 
-	$texte = $langs->trans("List");
+	if (! empty($supplier->id)) $texte = $langs->trans("ListOfSupplierProductForSupplier",$supplier->nom);
+	else $texte = $langs->trans("List"); 
+
 	llxHeader("","",$texte);
 
+	
 	$param="&envente=$envente&sref=$sref&snom=$snom&fourn_id=$fourn_id".(isset($type)?"&amp;type=$type":"");
 	print_barre_liste($texte, $page, "liste.php", $param, $sortfield, $sortorder,'',$num);
 
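Review bot: `$supplier->nom` is interpolated into `ListOfSupplierProductForSupplier`, whose en_US/fr_FR strings wrap `%s` in `<b>`, and the result becomes the page title and list heading without escaping, so a supplier name containing markup would be rendered as HTML. Unless supplier names are guaranteed to be escaped on input, pass `htmlspecialchars($supplier->nom)` (or the project's own escaping helper) to trans(). The line `else $texte = $langs->trans("List"); ` carries trailing whitespace and the blank line after `llxHeader` holds a lone tab; the enclosing `if ($resql)` block starts outside the hunk.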
diff --git a/htdocs/install/etape1.php b/htdocs/install/etape1.php
index eef483ade16..ee267d5be65 100644
--- a/htdocs/install/etape1.php
+++ b/htdocs/install/etape1.php
@@ -285,7 +285,7 @@ if ($_POST["action"] == "set")
 		{
 			dolibarr_install_syslog("etape1: Creation de l'utilisateur: ".$dolibarr_main_db_user);
 
-			//print $conf->db->host." , ".$conf->db->name." , ".$conf->db->user." , ".$conf->db->pass." , ".$conf->db->port;
+			//print $conf->db->host." , ".$conf->db->name." , ".$conf->db->user." , ".$conf->db->port;
 			$databasefortest=$conf->db->name;
 			if ($conf->db->type == 'mysql' || $conf->db->type == 'mysqli')
 			{
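Review bot: The commented-out debug `print` of the connection parameters is edited rather than deleted; a dead line that once dumped credentials is exactly the kind that gets uncommented during troubleshooting, so drop it entirely. The `dolibarr_install_syslog("etape1: ...")` call just above already records the user being created, which is the only diagnostic this spot needs; if more is wanted, route it through that function without credential fields. The enclosing block starts outside the hunk.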
@@ -502,7 +502,7 @@ if ($_POST["action"] == "set")
 				print "</td></tr>";
 
 				// Affiche aide diagnostique
-				print '<tr><td colspan="2"><br>Le serveur "<b>'.$conf->db->host.'</b>", nom de base "<b>'.$conf->db->name.'</b>", login "<b>'.$conf->db->user.'</b>", ou mot de passe <b>"'.$conf->db->pass.'</b>" de la base de donn�e est peut-�tre incorrect ou la version du client PHP trop ancienne par rapport � la version de la base de donn�e.<br>';
+				print '<tr><td colspan="2"><br>Le serveur "<b>'.$conf->db->host.'</b>", nom de base "<b>'.$conf->db->name.'</b>", login "<b>'.$conf->db->user.'</b>", ou mot de passe de la base de donn�e est peut-�tre incorrect ou la version du client PHP trop ancienne par rapport � la version de la base de donn�e.<br>';
 				print 'Si le login n\'existe pas encore, vous devez cocher l\'option "Cr�er l\'utilisateur".<br>';
 				print $langs->trans("ErrorGoBackAndCorrectParameters").'<br><br>';
 				print '</td></tr>';
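Review bot: Removing the password from the diagnostic message is right, but the remaining `$conf->db->host`, `$conf->db->name` and `$conf->db->user` are still echoed raw into HTML; the surrounding `$_POST["action"] == "set"` condition suggests they come from the installer form, so they should go through `htmlspecialchars()` before being wrapped in `<b>`. The message is also hard-coded French, with accented characters that appear mis-encoded here, while the next lines already use `$langs->trans(...)`; moving it to a translation key would address both. The enclosing block starts outside the hunk.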
diff --git a/htdocs/langs/en_US/suppliers.lang b/htdocs/langs/en_US/suppliers.lang
index e3d112be5fd..01994b83d60 100644
--- a/htdocs/langs/en_US/suppliers.lang
+++ b/htdocs/langs/en_US/suppliers.lang
@@ -30,4 +30,5 @@ ConfirmCancelThisOrder=Are you sure you want to cancel this order ?
 AddCustomerOrder=Create customer order
 AddCustomerInvoice=Create customer invoice
 AddSupplierOrder=Create supplier order
-AddSupplierInvoice=Create supplier invoice
\ No newline at end of file
+AddSupplierInvoice=Create supplier invoice
+ListOfSupplierProductForSupplier=List of products and prices for supplier <b>%s</b>
\ No newline at end of file
diff --git a/htdocs/langs/fr_FR/suppliers.lang b/htdocs/langs/fr_FR/suppliers.lang
index dd42e5126d6..b3822736d3b 100644
--- a/htdocs/langs/fr_FR/suppliers.lang
+++ b/htdocs/langs/fr_FR/suppliers.lang
@@ -30,4 +30,5 @@ ConfirmCancelThisOrder=Etes-vous s
 AddCustomerOrder=Cr�er commande client
 AddCustomerInvoice=Cr�er facture/avoir client
 AddSupplierOrder=Cr�er commande fournisseur
-AddSupplierInvoice=Cr�er facture fournisseur
\ No newline at end of file
+AddSupplierInvoice=Cr�er facture fournisseur
+ListOfSupplierProductForSupplier=Liste des produits et prix du fournisseurs <b>%s</b>
\ No newline at end of file
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 439f62817f0..8aac07c3ed6 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -181,6 +181,9 @@ if (! defined('NOREQUIREDB'))
 		exit;   
 	}
 }
+// Now database connexion is known we can forget password
+$dolibarr_main_db_pass='';
+$conf->db->pass='';
 
 /*
  * Creation objet $user
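Review bot: Assigning `''` to `$dolibarr_main_db_pass` and `$conf->db->pass` drops the script-level references only; the connection object created earlier (outside the hunk) presumably keeps its own copy for the driver, and PHP does not zero a freed string, so "remove from memory" in the commit message is best-effort rather than guaranteed. The comment should state that scope, e.g. `// Connection established: drop the script-level copies of the password ($db may still hold its own)`. Any later code that reconnects or re-reads `$conf->db->pass` now gets an empty string and will fail with an authentication error rather than an obvious "password cleared" message, so a grep for other readers of the value before merging would be prudent. The assignment sits after the `NOREQUIREDB` block, so it also runs when no connection was opened — harmless, but the comment then overstates what happened.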
diff --git a/htdocs/public/bplc/bplc.php b/htdocs/public/bplc/bplc.php
index 8bc8cdabb67..988a931b0d4 100644
--- a/htdocs/public/bplc/bplc.php
+++ b/htdocs/public/bplc/bplc.php
@@ -14,36 +14,19 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
  */
 
-/*
- * Gestion du retour du syst�me de Cyberpaiement
- * Cette page est appell�e par le serveur de la BPLC lors de l'utilisation
- * su syst�me RSTS
- *
+/**
+ * 	\brief		Gestion du retour du systeme de Cyberpaiement
+ * 				Cette page est appellee par le serveur de la BPLC lors de l'utilisation
+ * 				au systeme RSTS
+ * 	\version	$Id$
  */
 
-require("../../conf/conf.class.php");
-require("./retourbplc.class.php");
-require("../../don.class.php");
-
-$conf = new Conf();
-$conf->db->type = $dolibarr_main_db_type;
-$conf->db->port = $dolibarr_main_db_port;
-$conf->db->host = $dolibarr_main_db_host;
-$conf->db->name = $dolibarr_main_db_name;
-$conf->db->user = $dolibarr_main_db_user;
-$conf->db->pass = $dolibarr_main_db_pass;
-
-// Si type non d�fini (pour compatibilit� avec ancienne install), on
-// travail avec mysql
-if (! $conf->db->type) { $conf->db->type = 'mysql'; }
-
-require_once(DOL_DOCUMENT_ROOT ."/lib/".$dolibarr_main_db_type.".lib.php");
+require("../../main.inc.php");
+require_once(DOL_DOCUMENT_ROOT."/public/bplc/retourbplc.class.php");
+require_once(DOL_DOCUMENT_ROOT."/don.class.php");
 
-$db = new DoliDb($conf->db->type,$conf->db->host,$conf->db->user,$conf->db->pass,$conf->db->name,$conf->db->port);
 
 $retbplc = new Retourbplc($db);
 
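Review bot: This page is requested by the BPLC payment server rather than by a logged-in user, and the new `require("../../main.inc.php")` replaces a bootstrap that only opened the database; if main.inc.php enforces an interactive login (as its distinction from master.inc.php suggests), the callback will be redirected to the login page and payment returns will be lost. Confirm that behaviour and, if the codebase offers a bypass define for login (as `NOREQUIREDB` is for the database in master.inc.php), set it before the require. The switch does mean the password is already cleared before `new Retourbplc($db)` runs, which is the intended benefit; the two blank lines left where `$db = new DoliDb(...)` was removed could be collapsed to one.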
diff --git a/scripts/adherents/sync_member_dolibarr2ldap.php b/scripts/adherents/sync_member_dolibarr2ldap.php
index 8d5cc0ff91f..932f52f896d 100644
--- a/scripts/adherents/sync_member_dolibarr2ldap.php
+++ b/scripts/adherents/sync_member_dolibarr2ldap.php
@@ -1,6 +1,6 @@
 <?PHP
-/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2006 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2005      Rodolphe Quiedeville <rodolphe@quiedeville.org>
+ * Copyright (C) 2006-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -15,8 +15,6 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
  */
 
 /**
@@ -65,7 +63,6 @@ print "type=".$conf->db->type."\n";
 print "host=".$conf->db->host."\n";
 print "port=".$conf->db->port."\n";
 print "login=".$conf->db->user."\n";
-print "pass=".eregi_replace('.','*',$conf->db->pass)."\n";
 print "database=".$conf->db->name."\n";
 print "\n";
 print "----- To LDAP database:\n";
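Review bot: Dropping the masked password line is correct — `eregi_replace('.','*', ...)` still disclosed the password length, and the value passed through the script's output stream — and the same line is removed in scripts/adherents/sync_member_ldap2dolibarr.php. The "----- To LDAP database:" block that follows is outside the hunk: if it prints the LDAP bind password in the same masked form, it needs the same treatment, since the bind credential is as sensitive as the database one.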
diff --git a/scripts/adherents/sync_member_ldap2dolibarr.php b/scripts/adherents/sync_member_ldap2dolibarr.php
index 3cd9bb6f9ec..d38a6b6c558 100644
--- a/scripts/adherents/sync_member_ldap2dolibarr.php
+++ b/scripts/adherents/sync_member_ldap2dolibarr.php
@@ -76,7 +76,6 @@ print "type=".$conf->db->type."\n";
 print "host=".$conf->db->host."\n";
 print "port=".$conf->db->port."\n";
 print "login=".$conf->db->user."\n";
-print "pass=".eregi_replace('.','*',$conf->db->pass)."\n";
 print "database=".$conf->db->name."\n";
 print "\n";
 print "Press a key to confirm...\n";
-- 
GitLab