[Noalyss-commit] [noalyss] 58/218: Fix : security fixes see rapport exak
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 58/218: Fix : security fixes see rapport exakat (Damien Seguy) |
Date: |
Thu, 12 Sep 2019 15:58:40 -0400 (EDT) |
sparkyx pushed a commit to branch entreprise
in repository noalyss.
commit a93a5572fbdd16bf2739eb800efe3e723d1b9854
Author: Dany De Bontridder <address@hidden>
Date: Fri Jun 1 23:02:22 2018 +0200
Fix: security fixes, see the Exakat report (Damien Seguy)
---
html/fid.php | 9 +++++----
html/index.php | 2 +-
include/action.common.inc.php | 10 +++++-----
include/ajax/ajax_history.php | 9 +++++----
include/ajax/ajax_todo_list.php | 6 ++++--
include/anc_od.inc.php | 6 +++---
include/category_card.inc.php | 4 +++-
7 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/html/fid.php b/html/fid.php
index d8be465..124860c 100644
--- a/html/fid.php
+++ b/html/fid.php
@@ -48,13 +48,14 @@ $g_user=new User($cn);
$g_user->check();
$g_user->check_dossier(dossier::id());
set_language();
-$fLabel=(isset($_REQUEST['l']))?$_REQUEST['l']:'none';
-$fTva_id=(isset($_REQUEST['t']))?$_REQUEST['t']:'none';
-$fPrice_sale=(isset($_REQUEST['p']))?$_REQUEST['p']:'none';
-$fPrice_purchase=(isset($_REQUEST['b']))?$_REQUEST['b']:'none';
$hi=new HttpInput();
+$fLabel=$hi->request("l","string","none");
+$fTva_id=$hi->request("t","string","none");
+$fPrice_sale=$hi->request("p","string","none");
+$fPrice_purchase=$hi->request("b","string","none");
+
if ( isset($_SESSION['isValid']) && $_SESSION['isValid'] == 1)
{
$jrn=$hi->get('j', "number",'-1');
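Review bot: `$fTva_id`, `$fPrice_sale` and `$fPrice_purchase` on L38–L40 are fetched with type `"string"`, so HttpInput applies no numeric validation to a VAT id and two prices; the `'none'` sentinel is presumably why, but it means every later use of these values still has to cast or escape them itself. The file already shows the `"number"` type on L44, so a numeric read with a separate absence check would move the validation to the boundary; hedged, because the handling of `'none'` happens later in fid.php, outside this hunk. The script continues past the hunk.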
diff --git a/html/index.php b/html/index.php
index 9f6eb66..e69f47b 100644
--- a/html/index.php
+++ b/html/index.php
@@ -187,7 +187,7 @@ if (defined("RECOVER") && isset ($_REQUEST['recover']) )
// reconnect , create a variable to reconnect properly in login.php
$goto="";
if (isset ($_REQUEST['reconnect']) && isset ($_REQUEST['backurl'])) {
- $goto='<input type="hidden" value="'.$_REQUEST['backurl'].'"
name="backurl">';
+ $goto='<input type="hidden" value="'.strip_tags($_REQUEST['backurl']).'"
name="backurl">';
}
echo '
<span
style="background-color:#879ed4;color:white;padding-left:4px;padding-right:4px;">
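Review bot: `strip_tags()` on L55 is not an escape for the `value` attribute context it is written into: it removes tags but leaves quotes untouched, so a `backurl` containing a double quote still ends the attribute early. The hidden input needs attribute escaping, `$goto='<input type="hidden" value="'.htmlspecialchars($_REQUEST['backurl'], ENT_QUOTES, 'UTF-8').'" name="backurl">';`. Separately, nothing in the hunk restricts `backurl` to a location inside this application before it is replayed to login.php; if login.php redirects to it, that check belongs either there or here. The enclosing `if` on L52 closes at L57, but the surrounding script continues beyond the hunk.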
diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 3ed4cdc..eb6ff97 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -186,7 +186,7 @@ if ($sub_action == "update")
$act->qcode_dest = $_REQUEST['qcode_dest'];
echo $act->Display('NEW', false, $base, $retour);
- echo '<input type="hidden" name="ac" value="' . $_REQUEST['ac']
. '">';
+ echo '<input type="hidden" name="ac" value="' .
$http->request('ac') . '">';
echo '<input type="hidden" name="sa" value="save_action_st2">';
echo '<input type="submit" class="button"
name="save_action_st2" value="' . _('Enregistrer') . '">';
echo '<input type="submit" class="button" name="generate"
value="' . _('Génère le document') . '"></p>';
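Review bot: `$http->request('ac')` on L70–L71 is read with no type argument and written straight into an HTML attribute, so unless HttpInput's default type already restricts or escapes the value this keeps the same exposure the commit is trying to remove; the same pattern is on L99, L189, L197 and L206. Either request it with a restrictive type or escape at output: `echo '<input type="hidden" name="ac" value="' . htmlspecialchars($http->request('ac'), ENT_QUOTES, 'UTF-8') . '">';`. Whether `$http` is in scope in action.common.inc.php is not visible here (category_card.inc.php imports it with `global $http;` on L214), so confirm it is initialised before these lines. The enclosing `if ($sub_action == "update")` block continues outside the hunk.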
@@ -243,9 +243,9 @@ if ($sub_action == 'delete')
// confirmed
$cn->start();
$act = new Follow_Up($cn);
- $act->ag_id = $_REQUEST['ag_id'];
+ $act->ag_id =$http->request("ag_id","number") ;
$act->get();
- if ($g_user->can_write_action($_REQUEST['ag_id'])==true)
$act->remove();
+ if ($g_user->can_write_action($act->ag_id)==true) $act->remove();
$sub_action = "list";
$cn->commit();
Follow_Up::show_action_list($cn, $base);
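Review bot: `$act->get()` on L83 loads the follow-up before `can_write_action()` is consulted on L86, so the record is read inside the transaction even for callers who are then refused; checking first reads more naturally: `if ($g_user->can_write_action($act->ag_id)) { $act->get(); $act->remove(); }`, assuming `remove()` has no other dependency on `get()` having run, which the hunk does not show. The `==true` on L86 is a loose comparison and can be dropped. The transaction opened on L79 has no rollback path if `remove()` fails; what `commit()` does in that case is outside the hunk.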
@@ -314,12 +314,12 @@ if ($sub_action == "add_action")
echo dossier::hidden();
- $act->ag_comment = (isset($_POST['ag_comment'])) ?
Decode($_POST['ag_comment']) : "";
+ $act->ag_comment =Decode($http->post("ag_comment","string",""));
if (isset($_REQUEST['qcode']))
$act->qcode_dest = $_REQUEST['qcode'];
echo $act->Display('NEW', false, $base, $retour);
- echo '<input type="hidden" name="ac" value="' . $_REQUEST["ac"] . '">';
+ echo '<input type="hidden" name="ac" value="' . $http->request("ac") .
'">';
echo '<input type="hidden" name="sa" value="save_action_st2">';
echo '<input type="hidden" name="save_action_st2"
value="save_action_st2">';
echo '<input type="submit" class="button" name="save_action_st2"
value="' . _('Enregistrer') . '">';
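Review bot: `$act->qcode_dest = $_REQUEST['qcode']` on L95–L96 is left as a raw superglobal read right next to the lines the commit converts, so this block still has one input bypassing HttpInput. Inside the existing `isset` guard, `$act->qcode_dest = $http->request('qcode');` keeps the file consistent with L94 and L99, and a `"string"` type argument would let the helper validate it. The enclosing `if ($sub_action == "add_action")` block continues outside the hunk.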
diff --git a/include/ajax/ajax_history.php b/include/ajax/ajax_history.php
index f3fb23b..904b71f 100644
--- a/include/ajax/ajax_history.php
+++ b/include/ajax/ajax_history.php
@@ -32,7 +32,7 @@ require_once NOALYSS_INCLUDE.'/class/periode.class.php';
require_once NOALYSS_INCLUDE.'/lib/html_input.class.php';
require_once NOALYSS_INCLUDE.'/class/acc_account.class.php';
require_once NOALYSS_INCLUDE.'/class/exercice.class.php';
-$div=$_REQUEST['div'];
+$div=$http->request('div');
mb_internal_encoding("UTF-8");
$http=new HttpInput();
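Review bot: L115 calls `$http->request('div')` two lines before `$http=new HttpInput();` on L117, so unless one of the required files already defines `$http`, this is a method call on an undefined variable and the script dies with a fatal error on every request. Swap the order: `$http=new HttpInput();` then `$div=$http->request('div');`. Since `$div` is later interpolated into a JavaScript literal (L126, L148), a restrictive type argument on that read would be worth adding at the same time.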
/**
@@ -86,7 +86,7 @@ if ( isset($_GET['f_id']))
$dossier=dossier::id();
if ( $div != 'popup')
{
-
$obj="{op:'history',div:'$div',f_id:'".$_GET['f_id']."',gDossier:'$dossier',select:this,exercice:{$year}}";
+
$obj="{op:'history',div:'$div',f_id:'".$f_id."',gDossier:'$dossier',select:this,exercice:{$year}}";
$is=$exercice->select('p_exercice',$default,'
onchange="update_history_card('.$obj.');"');
$old=_("Autre exercice")." ".$is->input();
}
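Review bot: the new `$obj` literal on L126 interpolates `$f_id` and `$div` unescaped into a JavaScript object that then sits inside an `onchange` attribute, so the change only helps if both values are already constrained to safe characters; `$f_id` is assigned outside this hunk and `$div` comes from `$http->request('div')` with no type. The same construction is repeated with `$pcm_val` on L148. Building the object with `json_encode()` and escaping the attribute where `select()` receives it would make the encoding explicit instead of depending on upstream validation; at minimum `f_id` should be requested as a number, which the later commit 59/218 in this series does. The enclosing `if ( isset($_GET['f_id']))` block starts before the hunk.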
@@ -137,7 +137,8 @@ if ( isset($_GET['f_id']))
///////////////////////////////////////////////////////////////////////////
if ( isset($_REQUEST['pcm_val']))
{
- $poste=new Acc_Account_Ledger($cn,$_REQUEST['pcm_val']);
+ $pcm_val=$http->request("pcm_val");
+ $poste=new Acc_Account_Ledger($cn,$pcm_val);
$poste->load();
$year=$http->get("exercice","string","");
if ( $year == "") $year=$g_user->get_exercice();
@@ -172,7 +173,7 @@ if ( isset($_REQUEST['pcm_val']))
$dossier=dossier::id();
if ( $div != 'popup')
{
-
$obj="{op:'history',div:'$div',pcm_val:'".$_GET['pcm_val']."',gDossier:'$dossier',select:this,exercice:{$year}}";
+
$obj="{op:'history',div:'$div',pcm_val:'".$pcm_val."',gDossier:'$dossier',select:this,exercice:{$year}}";
$is=$exercice->select('p_exercice',$default,'
onchange="update_history_account('.$obj.');"');
$old=_("Autre exercice")." ".$is->input();
}
diff --git a/include/ajax/ajax_todo_list.php b/include/ajax/ajax_todo_list.php
index 4c95df8..430014b 100644
--- a/include/ajax/ajax_todo_list.php
+++ b/include/ajax/ajax_todo_list.php
@@ -56,7 +56,8 @@ if (isset($_REQUEST['show']))
{
$cn=Dossier::connect();
$todo=new Todo_list($cn);
- $todo->set_parameter('id',$_REQUEST['id']);
+ $id=$http->request("id");
+ $todo->set_parameter('id',$id);
$todo->load();
$content=$todo->display();
header('Content-type: text/xml; charset=UTF-8');
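Review bot: `$id=$http->request("id")` on L162 is read without a type even though it is the todo-list primary key, so no numeric check happens before `set_parameter('id',$id)`; `$id=$http->request("id","number");` would match what the commit does for `ag_id` on L82. The same read appears on L171 in the `del` branch. Neither branch shows an ownership or permission check before `load()` and `delete()`; if Todo_list enforces that internally this is fine, otherwise the check belongs here. The enclosing `if (isset($_REQUEST['show']))` block starts before the hunk.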
@@ -79,9 +80,10 @@ if (isset($_REQUEST['show']))
////////////////////////////////////////////////////////////////////////////////
if (isset($_REQUEST['del']))
{
+ $id=$http->request("id");
$cn=Dossier::connect();
$todo=new Todo_list($cn);
- $todo->set_parameter('id',$_REQUEST['id']);
+ $todo->set_parameter('id',$id);
$todo->delete();
exit();
}
diff --git a/include/anc_od.inc.php b/include/anc_od.inc.php
index fec7618..65e7898 100644
--- a/include/anc_od.inc.php
+++ b/include/anc_od.inc.php
@@ -55,10 +55,10 @@ echo '
<table clsas="mtitle">
<tr>
<td class="mtitle" >
-<A class="mtitle" HREF="?ac='.$_REQUEST['ac'].'&new&'.$str_dossier.'">
'._('Nouveau').' </A>
+<A class="mtitle" HREF="?ac='.$http->request("ac").'&new&'.$str_dossier.'">
'._('Nouveau').' </A>
</td>
<td class="mtitle" >
-<A class="mtitle"
HREF="?ac='.$_REQUEST['ac'].'&see&'.$str_dossier.'">'._('Liste opérations').'
</A
+<A class="mtitle"
HREF="?ac='.$http->request("ac").'&see&'.$str_dossier.'">'._('Liste
opérations').' </A
</td>
</tr>
</table>
@@ -87,7 +87,7 @@ if ( isset($_GET['see']))
$hid=new IHidden();
$hid->name="ac";
- $hid->value=$_REQUEST['ac'];
+ $hid->value=$http->request("ac");
echo $hid->input();
$hid->name="see";
diff --git a/include/category_card.inc.php b/include/category_card.inc.php
index 4ba5274..4e1b993 100644
--- a/include/category_card.inc.php
+++ b/include/category_card.inc.php
@@ -33,7 +33,9 @@ require_once NOALYSS_INCLUDE.'/class/contact.class.php';
global $http;
$str_dossier=Dossier::get();
-$root='?ac='.$_REQUEST['ac']."&sb=detail&f_id=".$_REQUEST["f_id"].'&'.$str_dossier;
+
+$root="?".http_build_query(["ac"=>$http->request("ac"),"sb"=>"detail","f_id"=>$http->request("f_id")]);
+$root.="&".$str_dossier;
$ss_action=$http->request("sc", "string", "dc");
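Review bot: `http_build_query()` on L218 URL-encodes `ac` and `f_id` correctly, but `f_id` is still fetched untyped on L218 although it identifies a card; `"f_id"=>$http->request("f_id","number")` would reject non-numeric input at the boundary, which the later commit 59/218 in this series addresses. `$str_dossier` is appended raw on L219; it comes from `Dossier::get()` on L215, so it is presumably already safe, but that is not visible here. The script continues past the hunk.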