diff --git a/ChangeLog b/ChangeLog
index 090dd07be6f79403aa12bd52ecef1ec02629604a..f5449a0172e31e8c8e11fa88965771f65bf84e9e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,17 @@ English Dolibarr ChangeLog
--------------------------------------------------------------
+***** ChangeLog for 3.6.6 compared to 3.6.5 *****
+FIX: #3734 Do not show empty links of deleted source objects in stock movement list
+FIX: #4081 Added missing translation
+FIX: #4097 Public holiday calculation
+FIX: #4242 Allow disabling dashes in documents
+FIX: #4243 sql injection
+FIX: Add a protection to not make release if ChangeLog was not generated. Prepare package 3.6.5
+FIX: export with category contact extrafields
+FIX: Not delete a product when have customer price
+FIX: Not deleting contrats on element_element table
+
***** ChangeLog for 3.6.5 compared to 3.6.4 *****
FIX: #2957 : missing $langs object for trigger
FIX: #2983 Load gravatar avatar images securely over HTTPS
diff --git a/build/debian/copyright b/build/debian/copyright
index ad66ed16bfe00855cc0ccc51379b1e48d5cb9fc0..761f8b5b63aae580ab7285fafa5919ed79c1c362 100644
--- a/build/debian/copyright
+++ b/build/debian/copyright
@@ -159,7 +159,7 @@ Comments:
Those files are not shipped in the binary package as we
configure Dolibarr to use Dejavu fonts from "fonts-dejavu-core".
-Files: docs/images/*
+Files: doc/images/*
Copyright: Laurent Destailleur
License: CC-BY-SA-3.0
You are free:
@@ -176,7 +176,7 @@ License: CC-BY-SA-3.0
.
For more information, see http://creativecommons.org/licenses/by-sa/3.0/
-Files: htdocs/includes/fpdi/*
+Files: htdocs/includes/fpdfi/*
Copyright: 2004-2011 Setasign - Jan Slabon
License: GPL-2+
This program is free software; you can redistribute it
diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php
index 371854410b0e319cafac79e0fd504ab235129d23..375d0af3adfb9995d1516d653b807b0fa7734b0f 100644
--- a/htdocs/admin/agenda_extsites.php
+++ b/htdocs/admin/agenda_extsites.php
@@ -1,6 +1,7 @@
<?php
-/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
- * Copyright (C) 2011-2014 Juanjo Menent <jmenent@2byte.es>
+/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
+ * Copyright (C) 2011-2014 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2016 Raphaƫl Doursenaud <rdoursenaud@gpcsolutions.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -88,7 +89,7 @@ if ($actionsave)
// Save nb of agenda
if (! $error)
{
- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
+ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
if (! $res > 0) $error++;
if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
@@ -201,9 +202,9 @@ while ($i <= $MAXAGENDA)
// Nb
print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
// Name
- print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key):$conf->global->$name) . '" size="28"></td>';
+ print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
// URL
- print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key):$conf->global->$src) . '" size="60"></td>';
+ print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
// Color (Possible colors are limited by Google)
print '<td class="nowrap" align="right">';
//print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist);
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 1220f69483e61637c84162f3f249f4fca920a016..c0413372e432e99dad867e24331ba96385774e78 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1578,7 +1578,7 @@ class Form
$sql.= " WHERE fk_product='".$objp->rowid."'";
$sql.= " AND entity IN (".getEntity('productprice', 1).")";
$sql.= " AND price_level=".$price_level;
- $sql.= " ORDER BY date_price";
+ $sql.= " ORDER BY date_price, rowid";
$sql.= " DESC LIMIT 1";
dol_syslog(get_class($this).'::constructProductListOption search price for level '.$price_level.' sql='.$sql);
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 380ecd8094356885b2d6b096bd9fe6bea74fb286..7a7cd386f4f4e31cc30658fb790e3b051ed690fd 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -938,9 +938,9 @@ function show_actions_todo($conf,$langs,$db,$object,$objcon='',$noprint=0)
if (get_class($object) == 'Adherent') $sql.= ", m.lastname, m.firstname";
if (get_class($object) == 'Societe') $sql.= ", sp.lastname, sp.firstname";
$sql.= " FROM ".MAIN_DB_PREFIX."user as u, ".MAIN_DB_PREFIX."actioncomm as a";
- if (get_class($object) == 'Adherent') $sql.= ", ".MAIN_DB_PREFIX."adherent as m";
+ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_actioncomm as c ON a.fk_action = c.id";
if (get_class($object) == 'Societe') $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople as sp ON a.fk_contact = sp.rowid";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_actioncomm as c ON a.fk_action = c.id ";
+ if (get_class($object) == 'Adherent') $sql.= ", ".MAIN_DB_PREFIX."adherent as m";
$sql.= " WHERE u.rowid = a.fk_user_author";
$sql.= " AND a.entity IN (".getEntity('agenda', 1).")";
if (get_class($object) == 'Adherent') {
diff --git a/htdocs/install/upgrade.php b/htdocs/install/upgrade.php
index 9b15d36ffe976861bf062f1c38c9947523ba2fdb..3def2eadc5e3133bb1f61e689005ec070496d59e 100644
--- a/htdocs/install/upgrade.php
+++ b/htdocs/install/upgrade.php
@@ -19,7 +19,7 @@
* Upgrade scripts can be ran from command line with syntax:
*
* cd htdocs/install
- * php upgrade.php 3.4.0 3.5.0
+ * php upgrade.php 3.4.0 3.5.0 [dirmodule|ignoredbversion]
* php upgrade2.php 3.4.0 3.5.0
*
* Return code is 0 if OK, >0 if error
@@ -54,7 +54,8 @@ $setuplang=GETPOST("selectlang",'',3)?GETPOST("selectlang",'',3):'auto';
$langs->setDefaultLang($setuplang);
$versionfrom=GETPOST("versionfrom",'',3)?GETPOST("versionfrom",'',3):(empty($argv[1])?'':$argv[1]);
$versionto=GETPOST("versionto",'',3)?GETPOST("versionto",'',3):(empty($argv[2])?'':$argv[2]);
-$versionmodule=GETPOST("versionmodule",'',3)?GETPOST("versionmodule",'',3):(empty($argv[3])?'':$argv[3]);
+$versionmodule=(GETPOST("versionmodule",'',3) && GETPOST("versionmodule",'',3) != 'ignoredbversion')?GETPOST("versionmodule",'',3):((empty($argv[3]) || $argv[3] == 'ignoredbversion')?'':$argv[3]);
+$ignoredbversion=(GETPOST('ignoredbversion','',3)=='ignoredbversion')?GETPOST('ignoredbversion','',3):((empty($argv[3]) || $argv[3] != 'ignoredbversion')?'':$argv[3]);
$langs->load("admin");
$langs->load("install");
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index b45d672b385b93bdad0da25bb8c04a7580ced2df..9bb4e9aacdf0a654c6ec52fdab75199e78247e76 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -88,6 +88,7 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ $sql_inj += preg_match('/onerror=/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
@@ -95,7 +96,8 @@ function test_sql_and_script_inject($val, $type)
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
- $sql_inj += preg_match('/base[\s]+href/i', $val);
+ $sql_inj += preg_match('/base[\s]+href/si', $val);
+ $sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 0fc074e05d84d52f3f8660640c727c9e099684ce..cdcca8b2e0ad32ea7a37ebd4e24501700f47656f 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1453,7 +1453,7 @@ class Product extends CommonObject
$sql.= " WHERE entity IN (".getEntity('productprice', 1).")";
$sql.= " AND price_level=".$i;
$sql.= " AND fk_product = '".$this->id."'";
- $sql.= " ORDER BY date_price DESC";
+ $sql.= " ORDER BY date_price DESC, rowid DESC";
$sql.= " LIMIT 1";
$resql = $this->db->query($sql);
if ($resql)
@@ -1514,7 +1514,7 @@ class Product extends CommonObject
$sql.= " price_base_type, tva_tx, tosell, price_by_qty, rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."product_price";
$sql.= " WHERE fk_product = '".$this->id."'";
- $sql.= " ORDER BY date_price DESC";
+ $sql.= " ORDER BY date_price DESC, rowid DESC";
$sql.= " LIMIT 1";
$resql = $this->db->query($sql);
if ($resql)
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 052b82c94e05e2ea9c4baa2ada43bf7a65a9f3ac..90a9facd8522d790166d8abe08d010e310c34168 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -687,7 +687,7 @@ $sql .= " WHERE fk_product = " . $object->id;
$sql .= " AND p.entity IN (" . getEntity('productprice', 1) . ")";
$sql .= " AND p.fk_user_author = u.rowid";
if (! empty($socid) && ! empty($conf->global->PRODUIT_MULTIPRICES)) $sql .= " AND p.price_level = " . $soc->price_level;
-$sql .= " ORDER BY p.date_price DESC, p.price_level ASC, p.rowid DESC";
+$sql .= " ORDER BY p.date_price DESC, p.rowid DESC, p.price_level ASC";
// $sql .= $db->plimit();
dol_syslog("sql=" . $sql);