diff --git a/ChangeLog b/ChangeLog
index 3eb284ccc801e261191dc9927af1303d7facfb7d..f48de97d970458dea70c5fcd8d72e61d49ec2ab8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,47 @@ Following changes may create regression for some external modules, but were nece
   html.formmargin.class.php
 * Removed Societe::set_commnucation_level (was deprecated in 4.0). Was not used.
 
+***** ChangeLog for 5.0.2 compared to 5.0.1 *****
+FIX: #6468 + Fix missing translation
+FIX: #6517 #6525 Autocompletion of thirdparty after n chars not implemented
+FIX: #6613 Default subject for Supplier proposal emails is filled with a non-existing key
+FIX: #6614
+FIX: #6619 Template invoices list do not respect restricted thirdparty user rights
+FIX: #6621 Documents tab shows greyed out upload form even if the option to show actions not available is disabled
+FIX: #6623 User card shows "Return to list" link even if the user has no rights to list users
+FIX: #6636 Complete fix
+FIX: #6669 User with no permission to edit customer invoices can see a edit button in project entry
+FIX: #6671 Cannot remove thirdparty type with "#" in its name
+FIX: #6673 Missing "nature" table header in thirdparty list
+FIX: #6675 Restricted user with no agenda permissions can see a button to create appointment in thirdparty contact list
+FIX: #6679 User with restricted supplier invoice permissions can edit project, payment conditions, payment mode
+FIX: #6680 User with restricted supplier invoice permissions sees "reopen" button even if he has no permission to do it
+FIX: #6718 Bug: Discount amount is not locally formatted in CommonObject View
+FIX: #6767 serious critical error, no login possible with postgresql and ipv6.
+FIX: #6795 #6796
+FIX: Add option MAIN_MAIL_USE_MULTI_PART to include text content into HTML email and add option MAIN_MAIL_ADD_INLINE_IMAGES_IF_IN_MEDIAS to restore the inline images feature.
+FIX: ajax autocomplete on clone
+FIX: A non admin user can not download files attached to user.
+FIX: Can't download delivery receipts (function dol_check_secure_access_document)
+FIX: complete hourly rate when not defined into table of time spent
+FIX: dont get empty "Incoterms : - " string if no incoterm
+FIX: dont lose supplier ref if no supplier price in database
+FIX: Enter a direct bank transaction
+FIX: extrafield css for boolean type
+FIX: forgotten parameter for right multicompany use
+FIX: Found duplicate line when it is not.
+FIX: global $dateSelector isn't the good one, then date selector on objectline_create tpl was hidden
+FIX: Journal code of bank must be visible of accountaing module on.
+FIX: length_accounta return variable name
+FIX: limit+1 dosn't show Total line
+FIX: No filter on company when showing the link to elements.
+FIX: overwrapping of weight/volume on rouget template
+FIX: Several bugs in accounting module.
+FIX: shared bank account with multicompany not visible in invoice setup
+FIX: spaces not allowed into vat code
+FIX: supplier default condition not retrieved on create
+FIX: supplier order line were always created with rang = 0
+
 ***** ChangeLog for 5.0.1 compared to 5.0.0 *****
 FIX: #6503: SQL error in "Last pending payment invoices"
 FIX: #6505 Project elements page shows greyed-out links even if the option to show actions not available is disabled
diff --git a/build/makepack-dolibarr.pl b/build/makepack-dolibarr.pl
index b1282719cda9eaca92fbdebce035a65f01e6d4a5..ff9e087875084a9c5d819f401ce0a0c4ab28b274 100755
--- a/build/makepack-dolibarr.pl
+++ b/build/makepack-dolibarr.pl
@@ -19,7 +19,7 @@ use Cwd;
 # Change this to defined target for option 98 and 99
 $PROJECT="dolibarr";
 $PUBLISHSTABLE="eldy,dolibarr\@frs.sourceforge.net:/home/frs/project/dolibarr";
-$PUBLISHBETARC="ldestailleur\@asso.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
+$PUBLISHBETARC="ldestailleur\@vmprod.dolibarr.org:/home/dolibarr/dolibarr.org/httpdocs/files";
 
 
 #@LISTETARGET=("TGZ","ZIP","RPM_GENERIC","RPM_FEDORA","RPM_MANDRIVA","RPM_OPENSUSE","DEB","APS","EXEDOLIWAMP","SNAPSHOT");   # Possible packages
@@ -509,7 +509,6 @@ if ($nboftargetok) {
 		$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/documents`;
 
 		# Removed known external modules to avoid any error when packaging from env where external modules are tested 
-	    #$ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \;`;	# For custom we want to keep dir
 		$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/allscreens*`;
 		$ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/ancotec*`;
 	    $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/cabinetmed*`;
@@ -572,6 +571,10 @@ if ($nboftargetok) {
         $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/fonts/utils`;
         $ret=`rm -fr $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/tools`;
         $ret=`rm -f  $BUILDROOT/$PROJECT/htdocs/includes/tecnickcom/tcpdf/LICENSE.TXT`;
+        
+        print "Remove subdir of custom dir\n";
+   	    print "find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\;\n";
+   	    $ret=`find $BUILDROOT/$PROJECT/htdocs/custom/* -type d -exec rm -fr {} \\; >/dev/null 2>&1`;	# For custom we want to keep dir
 	}
 
 	# Build package for each target
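Review bot: The new `find` on the last added line (inside the `if ($nboftargetok)` block, which starts outside the hunk) can fail without anyone noticing: `-exec rm -fr {} \;` removes a directory that `find` then tries to descend into, the `>/dev/null 2>&1` hides the resulting errors, and `$?` is never inspected, so an external module left under `htdocs/custom` would ship in the package silently. Walking a single level and checking the child status avoids both problems: `find $BUILDROOT/$PROJECT/htdocs/custom -mindepth 1 -maxdepth 1 -type d -exec rm -fr {} \\;` as the backtick command, followed by `warn "cleanup of htdocs/custom failed (status $?)\n" if $?;` (dropping the `/*` glob also keeps it working when the directory is empty, where the glob stays literal and `find` errors out). The two added lines also mix tabs and spaces in their indentation, unlike the surrounding block.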
diff --git a/build/rpm/dolibarr_fedora.spec b/build/rpm/dolibarr_fedora.spec
index e65e6bc3b7dd10b7be8cbfd26d70536b119cede8..083c4eb8f14f6bfcc7efac7bcf8bec787a77f7c9 100755
--- a/build/rpm/dolibarr_fedora.spec
+++ b/build/rpm/dolibarr_fedora.spec
@@ -173,6 +173,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/contrat
 %_datadir/dolibarr/htdocs/core
 %_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
 %_datadir/dolibarr/htdocs/don
 %_datadir/dolibarr/htdocs/ecm
 %_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_generic.spec b/build/rpm/dolibarr_generic.spec
index 655ef87f9259d367438651efebbb79e1924ef1a5..b40a203a71f30cf1c60b796c00bafc29a0ef872f 100755
--- a/build/rpm/dolibarr_generic.spec
+++ b/build/rpm/dolibarr_generic.spec
@@ -253,6 +253,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/contrat
 %_datadir/dolibarr/htdocs/core
 %_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
 %_datadir/dolibarr/htdocs/don
 %_datadir/dolibarr/htdocs/ecm
 %_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_mandriva.spec b/build/rpm/dolibarr_mandriva.spec
index 55fb718373403f76a449bcb51a35533df2d9190d..fa3e39f8693c298f20e77bcdd52cd5a2a69d7838 100755
--- a/build/rpm/dolibarr_mandriva.spec
+++ b/build/rpm/dolibarr_mandriva.spec
@@ -170,6 +170,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/contrat
 %_datadir/dolibarr/htdocs/core
 %_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
 %_datadir/dolibarr/htdocs/don
 %_datadir/dolibarr/htdocs/ecm
 %_datadir/dolibarr/htdocs/expedition
diff --git a/build/rpm/dolibarr_opensuse.spec b/build/rpm/dolibarr_opensuse.spec
index f7e29927ebb4938f5e7045bae807a6427936d107..b2f8cf6ede1f9ec4b28dbeaf878747d006f0bee8 100755
--- a/build/rpm/dolibarr_opensuse.spec
+++ b/build/rpm/dolibarr_opensuse.spec
@@ -181,6 +181,7 @@ done >>%{name}.lang
 %_datadir/dolibarr/htdocs/contrat
 %_datadir/dolibarr/htdocs/core
 %_datadir/dolibarr/htdocs/cron
+%_datadir/dolibarr/htdocs/custom
 %_datadir/dolibarr/htdocs/don
 %_datadir/dolibarr/htdocs/ecm
 %_datadir/dolibarr/htdocs/expedition
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index e3aad3c4cccd4e5de0bb534bdcb006ea5015351f..7a6013b9b78ed1c74a9b2eb0d13b4830d8eaef1b 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@@ -57,7 +57,7 @@ $type=GETPOST("type");
 $search_email=GETPOST("search_email");
 $search_categ = GETPOST("search_categ",'int');
 $catid        = GETPOST("catid",'int');
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $optioncss = GETPOST('optioncss','alpha');
 
 if ($statut < -1) $statut = '';
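Review bot: `$sall` is now read with the `alphanohtml` check, but the search parameters on the neighbouring lines keep the unchecked one-argument `GETPOST()` form — `$search_email` on the line above here, and likewise `$sref`/`$sref_client` in commande/orderstoinvoice.php and fourn/commande/orderstoinvoice.php, `$search_firstlast_only`/`$search_lastname`/`$search_firstname` in contact/list.php, `$search_contract` in contrat/list.php, `$search_ref` in expensereport/list.php and holiday/list.php, the newly added `$search_status` in fichinter/list.php, `$search_ref`/`$search_refsupp` in fourn/commande/list.php, `$sref`/`$sbarcode`/`$snom` in product/list.php, product/reassort.php and product/stock/valo.php, `$search_ref`/`$search_label`/`$search_societe`/`$search_year` in projet/list.php, `$search_project` in projet/tasks/list.php, `$search_nom`/`$search_nom_only` in societe/list.php and `$search_group` in user/group/index.php. Those values are presumably used the same way as `$sall` (SQL filter plus re-display in the search form; their uses are outside these hunks), so giving them the same check, e.g. `$search_email=GETPOST("search_email", 'alphanohtml');`, keeps the hardening consistent. Whatever check is chosen it is an input filter only; the point where each value is interpolated into SQL or HTML still needs `$db->escape()` / `dol_escape_htmltag()` there.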
diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php
index 99af57499631fe3036508e9d7388cba5dac1b192..8a9c01787d1317d80f7e17e7b55992a59e487aad 100644
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@@ -41,8 +41,8 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";
 
-$sall=GETPOST("sall","alpha");
-$sref=GETPOST("sref","alpha");
+$sall=GETPOST('sall', 'alphanohtml');
+$sref=GETPOST("sref", "alpha");
 $filteremail=GETPOST('filteremail','alpha');
 
 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index ce6d6e2bc72e1a3cea6976de61f930134385fc03..f52641dc63a6e17aebe0533e304bdcb5e7e547cf 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut');
 $optioncss = GETPOST('optioncss','alpha');
 $object_statut=GETPOST('propal_statut');
 
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
 
 $day=GETPOST("day","int");
diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php
index 4185518b72110d62f88534082a8bf8abe18ddc2e..c88b3d552c1cfa848fdf5124e8b25b0c8470573d 100644
--- a/htdocs/commande/list.php
+++ b/htdocs/commande/list.php
@@ -66,7 +66,7 @@ $search_zip=GETPOST('search_zip','alpha');
 $search_state=trim(GETPOST("search_state"));
 $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $socid=GETPOST('socid','int');
 $search_user=GETPOST('search_user','int');
 $search_sale=GETPOST('search_sale','int');
diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php
index c6b93cb8f0fb9a5c2d088569308b55ab9a696711..b05b6658ca76c543bb7ddae626befb2722b4a6ec 100644
--- a/htdocs/commande/orderstoinvoice.php
+++ b/htdocs/commande/orderstoinvoice.php
@@ -52,7 +52,7 @@ $action			= GETPOST('action','alpha');
 $confirm		= GETPOST('confirm','alpha');
 $sref			= GETPOST('sref');
 $sref_client	= GETPOST('sref_client');
-$sall			= GETPOST('sall');
+$sall			= GETPOST('sall', 'alphanohtml');
 $socid			= GETPOST('socid','int');
 $selected		= GETPOST('orders_to_invoice');
 $sortfield		= GETPOST("sortfield",'alpha');
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 562455e9e5ab37444b2f0da3e048cd6bb04fa589..8946dc84bd4d8e2b768405bfaa090d8a7589b57f 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -53,7 +53,7 @@ $langs->load('bills');
 $langs->load('companies');
 $langs->load('products');
 
-$sall=trim(GETPOST('sall'));
+$sall=trim(GETPOST('sall', 'alphanohtml'));
 $projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);
 
 $id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int'));  // For backward compatibility
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index ef26c9c80e2b3f863ea1a748e6992a50c770062e..929dbdc91e825fa6fb40c36c7ce27bdaacf93627 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -42,7 +42,7 @@ $ref = '';  // There is no ref for contacts
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $contactid,'');
 
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $search_firstlast_only=GETPOST("search_firstlast_only");
 $search_lastname=GETPOST("search_lastname");
 $search_firstname=GETPOST("search_firstname");
diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php
index be1b2e5fccf163f77ce1b26d417183f3701cc262..3bf4a45bb105b5e05b497d7c62d30ee74d000b70 100644
--- a/htdocs/contrat/list.php
+++ b/htdocs/contrat/list.php
@@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
 $search_contract=GETPOST('search_contract');
 $search_ref_supplier=GETPOST('search_ref_supplier','alpha');
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_status=GETPOST('search_status');
 $socid=GETPOST('socid');
 $search_user=GETPOST('search_user','int');
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 6a503b40975cdd4b9dfba7bbfd74dd12a10ac89a..6b92265aac97f0c4281e3e5074d4aa4fdc1bf5c8 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1461,9 +1461,9 @@ class Form
        {
         	if (! empty($conf->multicompany->transverse_mode))
         	{
-        		$sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug";
-        		$sql.= " WHERE ug.fk_user = u.rowid";
-        		$sql.= " AND ug.entity = ".$conf->entity;
+        		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."usergroup_user as ug";
+        		$sql.= " ON ug.fk_user = u.rowid";
+        		$sql.= " WHERE ug.entity = ".$conf->entity;
         	}
         	else
         	{
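Review bot: The entity filter on the last added line, `WHERE ug.entity = ...`, turns the new `LEFT JOIN` back into an inner join: a user with no row in `usergroup_user` gets `ug.entity = NULL`, which fails the `WHERE`, so the result set is the same as with the old comma join and users outside any group of the entity are still dropped. If the intent is to keep those users, the condition belongs in the join, `$sql.= " ON ug.fk_user = u.rowid AND ug.entity = ".$conf->entity;`, with whatever leading `WHERE` the following code expects (the method continues outside the hunk, so I can't see whether later lines append `AND ...`). If inner-join semantics are what is wanted, the change is cosmetic and a one-line comment saying so would stop the next reader from "fixing" it; either way a user in several groups of the entity appears once per group unless the select is `DISTINCT`, which I can't verify from here.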
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 8dbc705c5b24119c17b5e95a245c7741e8141d32..d7905b581fd2de1621f44cb8fbbb16d73dad4180 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -386,9 +386,17 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 	            if (! is_array($out) || empty($out)) $out=array();
 	            break;
 			case 'nohtml':
-				$out=dol_string_nohtmltag($out);
+			    $out=dol_string_nohtmltag($out);
 				break;
-	        case 'custom':
+			case 'alphanohtml':	// Recommended for search params
+	            $out=trim($out);
+	            // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+	            // '../' is dangerous because it allows dir transversals
+	            if (preg_match('/"/',$out)) $out='';
+	            else if (preg_match('/\.\.\//',$out)) $out='';
+			    $out=dol_string_nohtmltag($out);
+				break;
+			case 'custom':
 	            if (empty($filter)) return 'BadFourthParameterForGETPOST';
 	            $out=filter_var($out, $filter, $options);
 	            break;
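Review bot: The new `alphanohtml` case rejects `"` and `../` before calling `dol_string_nohtmltag()`; if that helper decodes HTML entities (I can't tell from this hunk — `GETPOST()` itself begins outside it), an entity-encoded quote would pass the check and be decoded afterwards, so the rejection should run on the value after the tag strip rather than before. The filter is also narrower than its comment suggests — a single quote, which closes single-quoted attributes, and backslash-separated `..\` paths are not covered — and a rejected value is silently replaced by `''`, so callers cannot distinguish a rejected search from an empty one. I'd state the contract on the case itself, e.g. `// Input sanitizer only: rejects " and ../ and strips tags, returns '' for rejected input; callers must still escape for their SQL/HTML context`, and fix `transversals` → `traversals` in the existing comment. Style: the added lines mix tabs and spaces, and PHP's `elseif` is the usual spelling of `else if`.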
diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php
index da9e38e6daeb2715bca40319efae6ef16a7c4869..808e4f0ef092b1a8c05a598315d4b9ebb95ea038 100644
--- a/htdocs/core/lib/geturl.lib.php
+++ b/htdocs/core/lib/geturl.lib.php
@@ -59,9 +59,11 @@ function getURLContent($url,$postorget='GET',$param='',$followlocation=1,$addhea
 	if (count($addheaders)) curl_setopt($ch, CURLOPT_HTTPHEADER, $addheaders);
 	curl_setopt($ch, CURLINFO_HEADER_OUT, true);	// To be able to retrieve request header and log it
 
-	// TLSv1 by default or change to TLSv1.2 in module configuration
-    //curl_setopt($ch, CURLOPT_SSLVERSION, (empty($conf->global->MAIN_CURL_SSLVERSION)?1:$conf->global->MAIN_CURL_SSLVERSION));
-    
+	// By default use tls decied by PHP.
+	// You can force, if supported a version like TLSv1 or TLSv1.2
+	if (! empty($conf->global->MAIN_CURL_SSLVERSION)) curl_setopt($ch, CURLOPT_SSLVERSION, $conf->global->MAIN_CURL_SSLVERSION);
+	//curl_setopt($ch, CURLOPT_SSLVERSION, 6); for tls 1.2
+	
     //turning off the server and peer verification(TrustManager Concept).
     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
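Review bot: The value handed to `CURLOPT_SSLVERSION` on the added `if` line is not validated: curl expects one of the integer `CURL_SSLVERSION_*` values, while the comment just above invites a name like `TLSv1.2`, which `curl_setopt()` would cast to `0` (the curl default) and silently ignore. Either document that `MAIN_CURL_SSLVERSION` holds the numeric constant (`CURL_SSLVERSION_TLSv1_2` is `6`, as the following comment says) or map names to constants before the call and log when the value is unknown. Forcing a TLS version also buys little while the two unchanged lines below keep `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` off — the connection is encrypted but the server is never authenticated; making verification switchable through a global option, the same way this one is, would be the natural follow-up. `$conf` is read inside `getURLContent()`, whose opening lines are outside the hunk, so this only works if the function declares `global $conf`. Typo in the new comment: `decied` → `decided`.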
diff --git a/htdocs/don/list.php b/htdocs/don/list.php
index 1e08cbae12154b05b6a363011df494f105c53cda..d271ea3e8945952c3231906a5d2515ea8e2901df 100644
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="d.datedon";
 
 $statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
-$search_all=GETPOST('sall','alpha');
+$search_all=GETPOST('sall', 'alphanohtml');
 $search_ref=GETPOST('search_ref','alpha');
 $search_company=GETPOST('search_company','alpha');
 $search_name=GETPOST('search_name','alpha');
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php
index b9ecc9e089cceb610563a859d799106bcfbd7c87..bff7991fdeb41ede48cfff29d11511fe2f9c0d26 100644
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
@@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha');
 $search_state=trim(GETPOST("search_state"));
 $search_country=GETPOST("search_country",'int');
 $search_type_thirdparty=GETPOST("search_type_thirdparty",'int');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
 $optioncss = GETPOST('optioncss','alpha');
 
 $limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index 7f7b633577ec9bff8f5fa5b1dfe3b51455917950..e9712816b34242b3afa7a9b249277dfc4c9ce405 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC";
 if (!$sortfield) $sortfield="d.date_debut";
 
 
-$sall         = GETPOST('sall');
+$sall         = GETPOST('sall', 'alphanohtml');
 $search_ref   = GETPOST('search_ref');
 $search_user  = GETPOST('search_user','int');
 $search_amount_ht = GETPOST('search_amount_ht','alpha');
diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php
index 07ca1a02e9fb42fa63cd779aec862212052fb13b..3b6f1be10ffb2da755b03b879c352b739334b741 100644
--- a/htdocs/fichinter/list.php
+++ b/htdocs/fichinter/list.php
@@ -75,6 +75,13 @@ if (! $sortfield)
 // Initialize technical object to manage context to save list fields
 $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'interventionlist';
 
+$sall=GETPOST('sall', 'alphanohtml');
+$search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_inter','alpha');
+$search_company=GETPOST('search_company','alpha');
+$search_desc=GETPOST('search_desc','alpha');
+$search_status=GETPOST('search_status');
+$optioncss = GETPOST('optioncss','alpha');
+
 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
 $hookmanager->initHooks(array($contextpage));
 $extrafields = new ExtraFields($db);
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 958ac64573c0f4633ca233c47f230561c604f43d..c7268680f19adda88de437d5af6d7d6b6a042ac0 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force
 // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST'])
 // when we post forms (we allow GET to allow direct link to access a particular page).
 // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)
-    && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
-    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
 {
-	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-	print "Access refused by CSRF protection in main.inc.php.\n";
-	print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n";
-	die;
+    if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
+    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+    {
+    	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+    	print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
+        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+    	die;
+    }
+    // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
 }
 if (empty($dolibarr_main_db_host))
 {
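Review bot: The referer check the restructured block now nests (the `preg_match` on the second added condition line) is a substring test: it accepts any `HTTP_REFERER` that merely contains the `HTTP_HOST` string somewhere — inside a longer hostname or in the path of a foreign page — so it is weaker than the origin comparison the comment above describes. Comparing hosts explicitly is short: `$refhost = empty($_SERVER['HTTP_REFERER']) ? '' : (string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);` and `$ownhost = (string) parse_url('http://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST);` before the `if`, then `strcasecmp($refhost, $ownhost) != 0` in place of the regex (going through `parse_url` on both sides also drops the port that `HTTP_HOST` may carry). A browser that sends no `Referer` on POST is still refused outright by the `empty(...)` branch, which the new trailing comment suggests is deliberate; saying so in the printed message would help, since the proxy advice only covers the rewritten-header case.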
diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php
index 8af15b92bc2d62772470091643c947b5d6015cf6..80a98cc5886fc39f3ae212e1c9d5b3c18ab47843 100644
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@@ -60,6 +60,8 @@ $orderday=GETPOST("orderday","int");
 $deliveryyear=GETPOST("deliveryyear","int");
 $deliverymonth=GETPOST("deliverymonth","int");
 $deliveryday=GETPOST("deliveryday","int");
+
+$sall=GETPOST('search_all', 'alphanohtml');
 $search_product_category=GETPOST('search_product_category','int');
 $search_ref=GETPOST('search_ref');
 $search_refsupp=GETPOST('search_refsupp');
@@ -75,7 +77,6 @@ $search_ht=GETPOST('search_ht');
 $search_ttc=GETPOST('search_ttc');
 $search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha'));	// alpha and not intbecause it can be '6,7'
 $optioncss = GETPOST('optioncss','alpha');
-$sall=GETPOST('search_all');
 $socid = GETPOST('socid','int');
 $search_sale=GETPOST('search_sale','int');
 $search_total_ht=GETPOST('search_total_ht','alpha');
diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php
index f804a1d9ab7f0085c0deedc87cdca6e98cca2abf..32f1a5538b56334748fd9db59fae204333d0ecbf 100644
--- a/htdocs/fourn/commande/orderstoinvoice.php
+++ b/htdocs/fourn/commande/orderstoinvoice.php
@@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha');
 $confirm = GETPOST('confirm', 'alpha');
 $sref = GETPOST('sref');
 $sref_client = GETPOST('sref_client');
-$sall = GETPOST('sall');
+$sall = GETPOST('sall', 'alphanohtml');
 $socid = GETPOST('socid', 'int');
 $selected = GETPOST('orders_to_invoice');
 $sortfield = GETPOST("sortfield", 'alpha');
diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php
index ab56a66d8a7e77998a0a96b4c1261b2c5ae43186..6926770bd913650640525564bd5c78e4575db7f0 100644
--- a/htdocs/fourn/facture/document.php
+++ b/htdocs/fourn/facture/document.php
@@ -93,7 +93,7 @@ if ($object->id > 0)
     
 	$totalpaye = $object->getSommePaiement();
 
-    $linkback = '<a href="' . DOL_URL_ROOT . '/compta/facture/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
+    $linkback = '<a href="' . DOL_URL_ROOT . '/fourn/facture/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
 
     $morehtmlref='<div class="refidno">';
     // Ref supplier
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index ef0c0e6c6f60060b317ecb94fdef64b60e6efe4a..6ff901521c62b429943ec9bf0268206450611821 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -97,7 +97,7 @@ $toselect = GETPOST('toselect', 'array');
 $option = GETPOST('option');
 if ($option == 'late') $filter = 'paye:0';
 
-$search_all = GETPOST('sall');
+$search_all = GETPOST('sall', 'alphanohtml');
 $search_label = GETPOST("search_label","alpha");
 $search_company = GETPOST("search_company","alpha");
 $search_amount_no_tax = GETPOST("search_amount_no_tax","alpha");
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index d35fa9293c375a2d4ef36a4dba810a2ed42a4f6f..ab8a89670ae9fabb37c03704ba125ccc3b87a628 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -55,7 +55,7 @@ $pagenext = $page + 1;
 
 $id = GETPOST('id','int');
 
-$sall            = GETPOST('sall');
+$sall            = GETPOST('sall', 'alphanohtml');
 $search_ref      = GETPOST('search_ref');
 $month_create    = GETPOST('month_create');
 $year_create     = GETPOST('year_create');
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 11dccf47ade0772c65544d52059249868a56dc30..fe8990129834e09119824ec097b065bb0aa9209a 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V
 // Creation of a token against CSRF vulnerabilities
 if (! defined('NOTOKENRENEWAL'))
 {
-    $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
     // roulement des jetons car cree a chaque appel
     if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
+    
+    // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
+    $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
     $_SESSION['newtoken'] = $token;
 }
 if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))	// Check validity of token, only if option enabled (this option breaks some features sometimes)
 {
-    if ($_SERVER['REQUEST_METHOD'] === 'POST')
+    if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET
+    {
+        print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
+        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+        die;
+    }
+    if ($_SERVER['REQUEST_METHOD'] === 'POST')  // This test must be after loading $_SESSION['token'].
     {
-        if (GETPOST('token') != $_SESSION['token'])
+        if (GETPOST('token', 'alpha') != $_SESSION['token'])
         {
             dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
             //print 'Unset POST by CSRF protection in main.inc.php.';	// Do not output anything because this create problems when using the BACK button on browsers.
diff --git a/htdocs/product/canvas/product/actions_card_product.class.php b/htdocs/product/canvas/product/actions_card_product.class.php
index 06803e8239dabd5e62a5143e9af1edc59d942076..8db1ae21469e0f0f72dbbf7ae4cf4ed0078b637a 100644
--- a/htdocs/product/canvas/product/actions_card_product.class.php
+++ b/htdocs/product/canvas/product/actions_card_product.class.php
@@ -326,7 +326,7 @@ class ActionsCardProduct
         $this->list_datas = array();
 
 		// Clean parameters
-		$sall=trim(GETPOST("sall"));
+		$sall=trim(GETPOST('sall', 'alphanohtml'));
 
 		foreach($this->field_list as $field)
 		{
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 10d819738ca1d442e1499ec71d32c78b097070a0..b779d4b7bfa83eebd02b91582a36e5beb4179ba5 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -51,11 +51,10 @@ $show_files=GETPOST('show_files','int');
 $confirm=GETPOST('confirm','alpha');
 $toselect = GETPOST('toselect', 'array');
 
+$sall=GETPOST('sall', 'alphanohtml');
 $sref=GETPOST("sref");
 $sbarcode=GETPOST("sbarcode");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
-$type= (int) GETPOST("type","int");
 $search_sale = GETPOST("search_sale");
 $search_categ = GETPOST("search_categ",'int');
 $tosell = GETPOST("tosell", 'int');
@@ -66,6 +65,7 @@ $search_tobatch = GETPOST("search_tobatch",'int');
 $search_accountancy_code_sell = GETPOST("search_accountancy_code_sell",'alpha');
 $search_accountancy_code_buy = GETPOST("search_accountancy_code_buy",'alpha');
 $optioncss = GETPOST('optioncss','alpha');
+$type= (int) GETPOST("type","int");
 
 //Show/hide child products. Hidden by default
 if (!$_POST) {
diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php
index 8e3d1aa198595aafc1ca032c3f43cd3e37a36026..ca335558899154bde1b4b2fdeaddb24d984d8159 100644
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service');
 $action=GETPOST('action','alpha');
 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $type=GETPOST("type","int");
 $sbarcode=GETPOST("sbarcode");
 $catid=GETPOST('catid','int');
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index af1c6f2ec1513d5a49d4d4657df63889587dcb3c..183242c3c52de4fc4b4c611759d9355f63ae4326 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service');
 $action=GETPOST('action','alpha');
 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $type=GETPOST("type","int");
 $sbarcode=GETPOST("sbarcode",'alpha');
 $search_warehouse=GETPOST('search_warehouse','alpha');
diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php
index f1c625308e737849402440227593c553478aad48..78b5b612da164d0b6db52efd7e279405288e5187 100644
--- a/htdocs/product/stock/list.php
+++ b/htdocs/product/stock/list.php
@@ -32,9 +32,9 @@ $langs->load("stocks");
 // Security check
 $result=restrictedArea($user,'stock');
 
+$sall=GETPOST('sall', 'alphanohtml');
 $search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha");
 $search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha");
-$sall=GETPOST("sall","alpha");
 $search_status=GETPOST("search_status","int");
 
 $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit;
diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php
index 2de8bbb19b7d044e2b2065aa38fccb44971e4930..fabfe736683d7f5b6ac93fd7347aacf3223ed6da 100644
--- a/htdocs/product/stock/replenish.php
+++ b/htdocs/product/stock/replenish.php
@@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service');
 $action = GETPOST('action','alpha');
 $sref = GETPOST('sref', 'alpha');
 $snom = GETPOST('snom', 'alpha');
-$sall = GETPOST('sall', 'alpha');
+$sall = GETPOST('sall', 'alphanohtml');
 $type = GETPOST('type','int');
 $tobuy = GETPOST('tobuy', 'int');
 $salert = GETPOST('salert', 'alpha');
diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php
index 607e28165ed1bd51c1181bd2b7f7e8fedc9965e6..8967fd672d6930fd57f5309eeb7e1c0cc599c407 100644
--- a/htdocs/product/stock/replenishorders.php
+++ b/htdocs/product/stock/replenishorders.php
@@ -39,11 +39,11 @@ $langs->load("orders");
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit|service');
 
+$sall = GETPOST('search_all', 'alphanohtml');
 $sref = GETPOST('search_ref', 'alpha');
 $snom = GETPOST('search_nom', 'alpha');
 $suser = GETPOST('search_user', 'alpha');
 $sttc = GETPOST('search_ttc', 'alpha');
-$sall = GETPOST('search_all', 'alpha');
 $sdate = GETPOST('search_date', 'alpha');
 $page = GETPOST('page', 'int');
 $sproduct = GETPOST('sproduct', 'int');
diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php
index a523e2c66fc303a85549345a25d4273d21366c92..0c71eb6ad1858286b455eac052c58b2bcd4bb58e 100644
--- a/htdocs/product/stock/valo.php
+++ b/htdocs/product/stock/valo.php
@@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock');
 
 $sref=GETPOST("sref");
 $snom=GETPOST("snom");
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 
 $sortfield = GETPOST("sortfield");
 $sortorder = GETPOST("sortorder");
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index 3310b6d8cf708cafa64491ab281e183a8420972b..e5cab88609a009ab8a33b58568ae25b1726f3027 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -67,13 +67,12 @@ $offset = $limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
 
-$search_all=GETPOST("search_all");
+$search_all=GETPOST('search_all', 'alphanohtml');
 $search_categ=GETPOST("search_categ",'alpha');
 $search_ref=GETPOST("search_ref");
 $search_label=GETPOST("search_label");
 $search_societe=GETPOST("search_societe");
 $search_year=GETPOST("search_year");
-$search_all=GETPOST("search_all");
 $search_status=GETPOST("search_status",'int');
 $search_opp_status=GETPOST("search_opp_status",'alpha');
 $search_opp_percent=GETPOST("search_opp_percent",'alpha');
diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php
index 59c6d1e6afa0be222a1ad9edb388250e7ff30d57..9450a2620ed4111c3f0a97c774479b9d9ccb972b 100644
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@@ -40,7 +40,7 @@ $toselect = GETPOST('toselect', 'array');
 
 $id=GETPOST('id','int');
 
-$search_all=GETPOST('search_all');
+$search_all=GETPOST('search_all', 'alphanohtml');
 $search_categ=GETPOST("search_categ",'alpha');
 $search_project=GETPOST('search_project');
 if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus'])) 
diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php
index ef162beb750d5c05bec2b482229cb9c1d1f917a6..7693da9d8186225be094222084b681d3acfb2397 100644
--- a/htdocs/societe/list.php
+++ b/htdocs/societe/list.php
@@ -48,7 +48,7 @@ $socid = GETPOST('socid','int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user,'societe',$socid,'');
 
-$search_all=trim(GETPOST("sall"));
+$search_all=trim(GETPOST('sall', 'alphanohtml'));
 $search_nom=trim(GETPOST("search_nom"));
 $search_nom_only=trim(GETPOST("search_nom_only"));
 $search_barcode=trim(GETPOST("sbarcode"));
diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php
index c0e9611e6b6fcb6e2abef33008e590a1ab8478b5..efd0ae16647f6769afb0ede82b81619c8fa1a539 100644
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha');
 $search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int');
 $object_statut=$db->escape(GETPOST('supplier_proposal_statut'));
 
-$sall=GETPOST("sall");
+$sall=GETPOST('sall', 'alphanohtml');
 $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg"));
 $year=GETPOST("year");
 $month=GETPOST("month");
diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php
index 539c1f2be23ade630fee9ed4f5c5059a87a9d363..6956a1ad5ebee00b4ab3f19eec65be186423d6ef 100644
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
 
 $langs->load("users");
 
-$sall=GETPOST('sall');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_group=GETPOST('search_group');
 $optioncss = GETPOST('optioncss','alpha');
 
diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php
index 734b1aa0d14bd9aff334afef29d1631b34f2c337..ef5380e967845c26aebabc8fe3612308e9ea9ddc 100644
--- a/htdocs/user/hierarchy.php
+++ b/htdocs/user/hierarchy.php
@@ -39,7 +39,7 @@ $socid=0;
 if ($user->societe_id > 0)
 	$socid = $user->societe_id;
 
-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_user=GETPOST('search_user','alpha');
 
 $userstatic=new User($db);
diff --git a/htdocs/user/index.php b/htdocs/user/index.php
index c3a32ae02fc39f7d7bea9b5014e2f33f44a58083..9592eed863f7a8bb27ef8d0e83a314f1f19a6b54 100644
--- a/htdocs/user/index.php
+++ b/htdocs/user/index.php
@@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab
 }
 
 // Init search fields
-$sall=GETPOST('sall','alpha');
+$sall=GETPOST('sall', 'alphanohtml');
 $search_user=GETPOST('search_user','alpha');
 $search_login=GETPOST('search_login','alpha');
 $search_lastname=GETPOST('search_lastname','alpha');