From 77a9d4eb71a7ede8e503e42104edb33035ad54ee Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Mon, 9 Jun 2014 12:34:10 +0200
Subject: [PATCH] Start fix [ bug #1437 ] Securitu Issue
Some of them can be fix, because GETPOST even with 'alpha' test do not warn if input is "2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e" for exemple
I don't have magical solution for this kind of security issue
---
 htdocs/core/lib/security2.lib.php | 10 +++----
 htdocs/main.inc.php | 30 ++++++++++----------
 htdocs/public/demo/index.php | 10 +++----
 htdocs/user/class/user.class.php | 6 ++--
 htdocs/user/class/usergroup.class.php | 4 +--
 htdocs/user/fiche.php | 41 ++++++++++++++-------------
 6 files changed, 51 insertions(+), 50 deletions(-)
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
index a95d7a52356..315e7a8b391 100644
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
@@ -292,11 +292,11 @@ function dol_loginfunction($langs,$conf,$mysoc)
 if (! empty($conf->global->MAIN_USE_JQUERY_THEME)) $jquerytheme = $conf->global->MAIN_USE_JQUERY_THEME;
 // Set dol_hide_topmenu, dol_hide_leftmenu, dol_optimize_smallscreen, dol_nomousehover
- $dol_hide_topmenu=GETPOST('dol_hide_topmenu');
- $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
- $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
- $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
- $dol_use_jmobile=GETPOST('dol_use_jmobile');
+ $dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
+ $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
+ $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
+ $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
+ $dol_use_jmobile=GETPOST('dol_use_jmobile','int');
 // Include login page template
 include $template_dir.'login.tpl.php';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 12dbfee552d..45ddc3d8734 100644
--- a/htdocs/main.inc.php
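Review bot: The five GETPOST calls in dol_loginfunction read the layout flags without the method argument, whereas main.inc.php reads the same five names at the same pre-login stage with an explicit `3`; if GETPOST's default source differs from `3` (its signature is not visible here), the login template and the post-login path can disagree about where a flag comes from. Aligning them, e.g. `$dol_hide_topmenu=GETPOST('dol_hide_topmenu','int',3);` for each of the five lines, removes that doubt. A why-comment on the `// Set dol_hide_topmenu ...` line would also help the next reader: `// Layout flags posted with the login form; integers only, because they are later appended to stylesheet URLs in top_htmlhead`. The rest of dol_loginfunction lies outside the hunk.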
+++ b/htdocs/main.inc.php
@@ -360,16 +360,16 @@ if (! defined('NOLOGIN'))
 // It is not already authenticated and it requests the login / password
 include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
- $dol_dst_observed=GETPOST("dst_observed",3);
- $dol_dst_first=GETPOST("dst_first",3);
- $dol_dst_second=GETPOST("dst_second",3);
- $dol_screenwidth=GETPOST("screenwidth",3);
- $dol_screenheight=GETPOST("screenheight",3);
- $dol_hide_topmenu=GETPOST('dol_hide_topmenu',3);
- $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu',3);
- $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen',3);
- $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover',3);
- $dol_use_jmobile=GETPOST('dol_use_jmobile',3);
+ $dol_dst_observed=GETPOST("dst_observed",'int',3);
+ $dol_dst_first=GETPOST("dst_first",'int',3);
+ $dol_dst_second=GETPOST("dst_second",'int',3);
+ $dol_screenwidth=GETPOST("screenwidth",'int',3);
+ $dol_screenheight=GETPOST("screenheight",'int',3);
+ $dol_hide_topmenu=GETPOST('dol_hide_topmenu','int',3);
+ $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int',3);
+ $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int',3);
+ $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int',3);
+ $dol_use_jmobile=GETPOST('dol_use_jmobile','int',3);
 //dol_syslog("POST key=".join(array_keys($_POST),',').' value='.join($_POST,','));
 // If in demo mode, we check we go to home page through the public/demo/index.php page
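Review bot: Nothing in the ten rewritten reads says what the `3` method argument selects or why these values are pulled before authentication, and the old calls had `3` in the check position, so the intent is easy to get wrong again. A one-line comment above the block would pin it down, e.g. `// Timezone/screen hints and layout flags posted with the login form (method 3); integers only, since top_htmlhead appends them to stylesheet URLs`. The commented-out `//dol_syslog("POST key=" ...)` line that follows would log every POST field, which at this point presumably includes the login password, if anyone re-enables it; deleting it is safer than leaving it as a template. The enclosing `if (! defined('NOLOGIN'))` block starts and ends outside the hunk.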
@@ -1035,11 +1035,11 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 $themeparam='?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'&userid='.$user->id.'&entity='.$conf->entity;
 $themeparam.=($ext?'&'.$ext:'');
 if (! empty($_SESSION['dol_resetcache'])) $themeparam.='&dol_resetcache='.$_SESSION['dol_resetcache'];
- if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu'); }
- if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu'); }
- if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen'); }
- if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover'); }
- if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile'); }
+ if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu','int'); }
+ if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu','int'); }
+ if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen','int'); }
+ if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover','int'); }
+ if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile','int'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int'); }
 //print 'themepath='.$themepath.' themeparam='.$themeparam;exit;
 print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.$themeparam.'">'."\n";
diff --git a/htdocs/public/demo/index.php b/htdocs/public/demo/index.php
index 0948be50631..2b36e6c9d5c 100644
--- a/htdocs/public/demo/index.php
+++ b/htdocs/public/demo/index.php
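Review bot: Each flag is still gated by the unfiltered `GETPOST('dol_hide_topmenu')` while the filtered `'int'` read is what gets appended, so the branch decision and the emitted value come from two different reads; if the `'int'` check returns an empty value for input like `1<script>` (GETPOST's behaviour is not visible here), the branch is taken and an empty `&dol_hide_topmenu=` lands in the href, and `dol_use_jmobile` is read three times over. Reading each flag once into a local and using that value for both the test and the URL closes that gap and shortens the block. The other pieces concatenated into `$themeparam` (`$_SESSION['dol_resetcache']`, `$conf->theme`, `$ext`) still reach the `href` attribute with no htmlspecialchars/urlencode; that predates the commit but is the same sink. The rest of top_htmlhead is outside the hunk.

```php
// … unchanged: $themeparam base, $ext and dol_resetcache …
$layoutflags = array('dol_hide_topmenu', 'dol_hide_leftmenu', 'dol_optimize_smallscreen', 'dol_no_mouse_hover', 'dol_use_jmobile');
foreach ($layoutflags as $flag)
{
    $flagvalue = GETPOST($flag, 'int');   // single read: the filtered value both decides the branch and is emitted
    if ($flagvalue)
    {
        $themeparam .= '&'.$flag.'='.$flagvalue;
        if ($flag == 'dol_use_jmobile') $conf->dol_use_jmobile = $flagvalue;
    }
}
// … unchanged: stylesheet <link> output …
```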
@@ -33,11 +33,11 @@ $langs->load("main");
 $langs->load("install");
 $langs->load("other");
-$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu');
-$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
-$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
-$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
-$conf->dol_use_jmobile=GETPOST('dol_use_jmobile');
+$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
+$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
+$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
+$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
+$conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int');
 // Security check
 global $dolibarr_main_demo;
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 00bf221d339..74902878c63 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -806,7 +806,7 @@ class User extends CommonObject
 $sql = "SELECT login FROM ".MAIN_DB_PREFIX."user";
 $sql.= " WHERE login ='".$this->db->escape($this->login)."'";
- $sql.= " AND entity IN (0,".$conf->entity.")";
+ $sql.= " AND entity IN (0,".$this->db->escape($conf->entity).")";
 dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
 $resql=$this->db->query($sql);
@@ -825,7 +825,7 @@ class User extends CommonObject
 else
 {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)";
- $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->entity.")";
+ $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")";
 $result=$this->db->query($sql);
 dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
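Review bot: `$this->db->escape($conf->entity)` in the `entity IN (0,...)` clause sits in an unquoted numeric position, and escape() is evidently a quote-escaper (it is used around the quoted `$this->login` on the line above), so it leaves anything without quote characters, such as `1) OR (1=1`, untouched; the effective guard for an integer column is a cast, `$sql.= " AND entity IN (0,".(int) $conf->entity.")";`. `$conf->entity` is configuration rather than request input, so the practical exposure is small, but the cast states the contract. The create() method containing this line runs outside the hunk.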
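Review bot: The rewritten VALUES line escapes `$this->entity` in a numeric slot, where a quote-escaper does not constrain the value, while still interpolating `$this->ldap_sid` inside quotes with no escaping at all. Both belong in the same line: `...'".$this->db->escape($this->ldap_sid)."',".(int) $this->entity.")";`. Whether ldap_sid can carry attacker-chosen bytes depends on the LDAP synchronisation code, which is not visible here, so treat that part as a hardening suggestion. The enclosing create() body continues outside the hunk.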
@@ -922,7 +922,7 @@ class User extends CommonObject
 $this->lastname = $contact->lastname;
 $this->firstname = $contact->firstname;
 $this->email = $contact->email;
- $this->skype = $contact->skype;
+ $this->skype = $contact->skype;
 $this->office_phone = $contact->phone_pro;
 $this->office_fax = $contact->fax;
 $this->user_mobile = $contact->phone_mobile;
diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php
index debf67f95eb..7820e40a395 100644
--- a/htdocs/user/class/usergroup.class.php
+++ b/htdocs/user/class/usergroup.class.php
@@ -589,7 +589,7 @@ class UserGroup extends CommonObject
 $sql.= ") VALUES (";
 $sql.= "'".$this->db->idate($now)."'";
 $sql.= ",'".$this->db->escape($this->nom)."'";
- $sql.= ",".$entity;
+ $sql.= ",".$this->db->escape($entity);
 $sql.= ")";
 dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
@@ -640,7 +640,7 @@ class UserGroup extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."usergroup SET ";
 $sql.= " nom = '" . $this->db->escape($this->nom) . "'";
- $sql.= ", entity = " . $entity;
+ $sql.= ", entity = " . $this->db->escape($entity);
 $sql.= ", note = '" . $this->db->escape($this->note) . "'";
 $sql.= " WHERE rowid = " . $this->id;
diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 32a4e9d25ec..d9ff9c7c71d 100644
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
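Review bot: `$this->db->escape($entity)` appended after `) VALUES (...` is an unquoted integer slot, so quote escaping does not constrain it; `$sql.= ",".(int) $entity;` does. Where `$entity` is computed lies outside the hunk; if it derives from `$conf->entity` the exposure is small, but the cast is the right idiom for an integer column either way. The create() body runs past the hunk.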
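Review bot: In update(), `entity = " . $this->db->escape($entity)` is again an unquoted integer, so the escape is a no-op for any payload without quote characters; use `$sql.= ", entity = " . (int) $entity;`. The `WHERE rowid = " . $this->id` line two below has the same shape and predates the commit; `(int) $this->id` would make the statement consistent. The method continues outside the hunk.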
@@ -178,16 +178,16 @@ if ($action == 'add' && $canadduser)
 if (! $message)
 {
- $object->lastname = GETPOST("lastname");
- $object->firstname = GETPOST("firstname");
- $object->login = GETPOST("login");
- $object->admin = GETPOST("admin");
- $object->office_phone = GETPOST("office_phone");
- $object->office_fax = GETPOST("office_fax");
+ $object->lastname = GETPOST("lastname",'alpha');
+ $object->firstname = GETPOST("firstname",'alpha');
+ $object->login = GETPOST("login",'alpha');
+ $object->admin = GETPOST("admin",'alpha');
+ $object->office_phone = GETPOST("office_phone",'alpha');
+ $object->office_fax = GETPOST("office_fax",'alpha');
 $object->user_mobile = GETPOST("user_mobile");
 $object->skype = GETPOST("skype");
- $object->email = GETPOST("email");
- $object->job = GETPOST("job");
+ $object->email = GETPOST("email",'alpha');
+ $object->job = GETPOST("job",'alpha');
 $object->signature = GETPOST("signature");
 $object->accountancy_code = GETPOST("accountancy_code");
 $object->note = GETPOST("note");
@@ -200,6 +200,7 @@ if ($action == 'add' && $canadduser)
 // If multicompany is off, admin users must all be on entity 0.
 if (! empty($conf->multicompany->enabled))
 {
+ $entity=GETPOST('entity','int');
 if (! empty($_POST["superadmin"]))
 {
 $object->entity = 0;
@@ -210,12 +211,12 @@ if ($action == 'add' && $canadduser)
 }
 else
 {
- $object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
+ $object->entity = (empty($entity) ? 0 : $entity);
 }
 }
 else
 {
- $object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
+ $object->entity = (empty($entity) ? 0 : $entity);
 }
 $db->begin();
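Review bot: In the add path `$object->admin = GETPOST("admin",'alpha');` takes the admin flag straight from the request, while the update path in this same file guards it with `empty($user->admin)?0:GETPOST("admin")`; unless `$canadduser` already implies an admin caller (not visible here), any account allowed to create users can create an administrator. Mirror the update path and treat the flag as an integer: `$object->admin = empty($user->admin)?0:GETPOST("admin",'int');`. `user_mobile`, `skype`, `signature`, `accountancy_code` and `note` still use the unfiltered GETPOST() in the same block, which is inconsistent with the lines just above them; as the commit message itself notes, the `'alpha'` check does not reject encoded markup, so output escaping remains the real defence wherever these fields are printed. The `if ($action == 'add' && $canadduser)` block begins before and ends after the hunk.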
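Review bot: `$entity=GETPOST('entity','int');` is assigned inside `if (! empty($conf->multicompany->enabled))`, but the following hunk also reads `$entity` in the outer `else` branch (multicompany disabled), where it is never set unless something earlier in the file assigned it; `empty($entity)` then silently yields entity 0 where the old code used `$_POST["entity"]`. Move the assignment one line up, above the `if`, so both branches see the same value. The enclosing add-action block continues outside the hunk.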
@@ -316,17 +317,17 @@ if ($action == 'update' && ! $_POST["cancel"])
 $object->oldcopy=dol_clone($object);
- $object->lastname = GETPOST("lastname");
- $object->firstname = GETPOST("firstname");
- $object->login = GETPOST("login");
+ $object->lastname = GETPOST("lastname",'alpha');
+ $object->firstname = GETPOST("firstname",'alpha');
+ $object->login = GETPOST("login",'alpha');
 $object->pass = GETPOST("password");
 $object->admin = empty($user->admin)?0:GETPOST("admin"); // A user can only be set admin by an admin
- $object->office_phone=GETPOST("office_phone");
- $object->office_fax = GETPOST("office_fax");
+ $object->office_phone=GETPOST("office_phone",'alpha');
+ $object->office_fax = GETPOST("office_fax",'alpha');
 $object->user_mobile= GETPOST("user_mobile");
- $object->skype =GETPOST("skype");
- $object->email = GETPOST("email");
- $object->job = GETPOST("job");
+ $object->skype = GETPOST("skype");
+ $object->email = GETPOST("email",'alpha');
+ $object->job = GETPOST("job",'alpha');
 $object->signature = GETPOST("signature");
 $object->accountancy_code = GETPOST("accountancy_code");
 $object->openid = GETPOST("openid");
@@ -384,8 +385,8 @@ if ($action == 'update' && ! $_POST["cancel"])
 $contact->fetch($contactid);
 $sql = "UPDATE ".MAIN_DB_PREFIX."user";
- $sql.= " SET fk_socpeople=".$contactid;
- if ($contact->socid) $sql.=", fk_societe=".$contact->socid;
+ $sql.= " SET fk_socpeople=".$db->escape($contactid);
+ if ($contact->socid) $sql.=", fk_societe=".$db->escape($contact->socid);
 $sql.= " WHERE rowid=".$object->id;
 }
 else
-- 
GitLab
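Review bot: In the update path `$object->admin = empty($user->admin)?0:GETPOST("admin");` is left unfiltered even though the add path now applies a check to the same field, and `$object->skype = GETPOST("skype");` only gained a space while `user_mobile`, `signature`, `accountancy_code` and `openid` stay unchecked as well. Suggested lines: `$object->admin = empty($user->admin)?0:GETPOST("admin",'int');`, `$object->user_mobile= GETPOST("user_mobile",'alpha');`, `$object->skype = GETPOST("skype",'alpha');`. `password` is correctly left unfiltered, since any check there would silently alter credentials. The `if ($action == 'update' ...)` block starts before and ends after the hunk.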
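Review bot: `fk_socpeople=".$db->escape($contactid)` and `fk_societe=".$db->escape($contact->socid)` are unquoted numeric assignments, so a quote-escaper leaves any payload without quote characters intact; cast instead: `$sql.= " SET fk_socpeople=".(int) $contactid;` and `if ($contact->socid) $sql.=", fk_societe=".(int) $contact->socid;`. Where `$contactid` originates is outside the hunk, and the result of `$contact->fetch($contactid)` two lines above is not checked before its socid is used, which predates the commit. The enclosing `if ($action == 'update' ...)` block runs beyond the hunk.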