diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..137d46b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+cache/*
+cache/**/*
+test/*
+test/**/*
+Smarty/templates_c/*
+storage/*
+storage/**/*
+logs/*
+backup/*
+user_privileges/*
+config-dev.inc.php
diff --git a/Popup.php b/Popup.php
index 4ac345e..f4685e7 100644
--- a/Popup.php
+++ b/Popup.php
@@ -50,16 +50,16 @@ $smarty->assign("MAINTAB",$act_tab);
 // This is added to support the type of popup and callback
 if(isset($_REQUEST['popupmode']) && isset($_REQUEST['callback']))
 {
-$url = "&popupmode=".$_REQUEST['popupmode']."&callback=".$_REQUEST['callback'];
-$smarty->assign("POPUPMODE", $_REQUEST['popupmode']);
-$smarty->assign("CALLBACK", $_REQUEST['callback']);
+$url = "&popupmode=".vtlib_purify($_REQUEST['popupmode'])."&callback=".vtlib_purify($_REQUEST['callback']);
+$smarty->assign("POPUPMODE", vtlib_purify($_REQUEST['popupmode']));
+$smarty->assign("CALLBACK", vtlib_purify($_REQUEST['callback']));
 }
-
+
+$focus = CRMEntity::getInstance($currentModule);
+
 switch($currentModule)
 {
 case 'Contacts':
-require_once("modules/$currentModule/Contacts.php");
-$focus = new Contacts();
 $log = LoggerManager::getLogger('contact_list');
 $smarty->assign("SINGLE_MOD",'Contact');
 if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='')
@@ -70,8 +70,6 @@ switch($currentModule)
 $alphabetical = AlphabeticalSearch($currentModule,'Popup','lastname','true','basic',$popuptype,"","",$url);
 break;
 case 'Campaigns':
-require_once("modules/$currentModule/Campaigns.php");
-$focus = new Campaigns();
 $log = LoggerManager::getLogger('campaign_list');
 $smarty->assign("SINGLE_MOD",'Campaign');
 if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='')
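Review bot: vtlib_purify() on the two values that go into `$url` sanitises them for HTML output, not for a query string, so a popupmode or callback containing `&`, `=` or spaces still splits or corrupts the URL that AlphabeticalSearch later embeds in its links; encode those two for the URL context, `$url = "&popupmode=".urlencode($_REQUEST['popupmode'])."&callback=".urlencode($_REQUEST['callback']);`, and keep the purified copies for the two Smarty assigns, which are the HTML-context uses. The new `$focus = CRMEntity::getInstance($currentModule);` replaces fixed per-case include paths with a lookup driven by `$currentModule` for every module, which is only as safe as the path check inside getInstance — presumably the same checkFileAccessForInclusion() guard this commit adds in CreateUserPrivilegeFile.php, but that is not visible here and is worth confirming. A one-line comment above the call saying that the include-path validation now lives in getInstance would tell the next reader why the per-case require_once lines could go.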
@@ -80,8 +78,6 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','campaignname','true','basic',$popuptype,"","",$url); break; case 'Accounts': - require_once("modules/$currentModule/Accounts.php"); - $focus = new Accounts(); $log = LoggerManager::getLogger('account_list'); if (isset($_REQUEST['select'])) $smarty->assign("SELECT",'enable'); $smarty->assign("SINGLE_MOD",'Account'); @@ -92,8 +88,6 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','accountname','true','basic',$popuptype,"","",$url); break; case 'Leads': - require_once("modules/$currentModule/Leads.php"); - $focus = new Leads(); $log = LoggerManager::getLogger('contact_list'); $smarty->assign("SINGLE_MOD",'Lead'); if (isset($_REQUEST['select'])) $smarty->assign("SELECT",'enable'); @@ -104,8 +98,6 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','lastname','true','basic',$popuptype,"","",$url); break; case 'Potentials': - require_once("modules/$currentModule/Potentials.php"); - $focus = new Potentials(); $log = LoggerManager::getLogger('potential_list'); if (isset($_REQUEST['select'])) $smarty->assign("SELECT",'enable'); $smarty->assign("SINGLE_MOD",'Opportunity'); 
@@ -114,23 +106,17 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','potentialname','true','basic',$popuptype,"","",$url); break; case 'Quotes': - require_once("modules/$currentModule/Quotes.php"); - $focus = new Quotes(); $log = LoggerManager::getLogger('quotes_list'); $smarty->assign("SINGLE_MOD",'Quote'); $alphabetical = AlphabeticalSearch($currentModule,'Popup','subject','true','basic',$popuptype,"","",$url); break; case 'Invoice': - require_once("modules/$currentModule/Invoice.php"); - $focus = new Invoice(); $smarty->assign("SINGLE_MOD",'Invoice'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); $alphabetical = AlphabeticalSearch($currentModule,'Popup','subject','true','basic',$popuptype,"","",$url); break; case 'Products': - require_once("modules/$currentModule/$currentModule.php"); - $focus = new $currentModule(); $smarty->assign("SINGLE_MOD",getTranslatedString('SINGLE_'.$currentModule)); if(isset($_REQUEST['curr_row'])) { 
@@ -144,30 +130,24 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','productname','true','basic',$popuptype,"","",$url); break; case 'Vendors': - require_once("modules/$currentModule/Vendors.php"); - $focus = new Vendors(); $smarty->assign("SINGLE_MOD",'Vendor'); + if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') + $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); $alphabetical = AlphabeticalSearch($currentModule,'Popup','vendorname','true','basic',$popuptype,"","",$url); break; case 'SalesOrder': - require_once("modules/$currentModule/SalesOrder.php"); - $focus = new SalesOrder(); $smarty->assign("SINGLE_MOD",'SalesOrder'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); $alphabetical = AlphabeticalSearch($currentModule,'Popup','subject','true','basic',$popuptype,"","",$url); break; case 'PurchaseOrder': - require_once("modules/$currentModule/PurchaseOrder.php"); - $focus = new PurchaseOrder(); $smarty->assign("SINGLE_MOD",'PurchaseOrder'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); $alphabetical = AlphabeticalSearch($currentModule,'Popup','subject','true','basic',$popuptype,"","",$url); break; case 'PriceBooks': - require_once("modules/$currentModule/PriceBooks.php"); - $focus = new PriceBooks(); $smarty->assign("SINGLE_MOD",'PriceBook'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); 
@@ -184,17 +164,14 @@ switch($currentModule) $alphabetical = AlphabeticalSearch($currentModule,'Popup','bookname','true','basic',$popuptype,"","",$url); break; case 'Users': - require_once("modules/$currentModule/Users.php"); - $focus = new Users(); - $smarty->assign("SINGLE_MOD",'Users'); - if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') - $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); - $alphabetical = AlphabeticalSearch($currentModule,'Popup','user_name','true','basic',$popuptype,"","",$url); - if (isset($_REQUEST['select'])) $smarty->assign("SELECT",'enable'); - break; + $smarty->assign("SINGLE_MOD", 'Users'); + if (isset($_REQUEST['return_module']) && $_REQUEST['return_module'] != '') + $smarty->assign("RETURN_MODULE", vtlib_purify($_REQUEST['return_module'])); + $alphabetical = AlphabeticalSearch($currentModule, 'Popup', 'user_name', 'true', 'basic', $popuptype, "", "", $url); + if (isset($_REQUEST['select'])) + $smarty->assign("SELECT", 'enable'); + break; case 'HelpDesk': - require_once("modules/$currentModule/HelpDesk.php"); - $focus = new HelpDesk(); $smarty->assign("SINGLE_MOD",'HelpDesk'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); @@ -203,8 +180,6 @@ switch($currentModule) break; case 'Documents': - require_once("modules/$currentModule/Documents.php"); - $focus = new Documents(); $smarty->assign("SINGLE_MOD",'Document'); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); 
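Review bot: Style: the reformatted Users case now places the body of `if (isset($_REQUEST['select']))` on its own line without braces, and the RETURN_MODULE assignment just above it has the same shape, while every other case in the switch keeps these as one-liners; a later second statement under either condition would silently fall outside it. Either keep the single-line form the other cases use or add braces, `if (isset($_REQUEST['select'])) { $smarty->assign("SELECT", 'enable'); }`. The switch statement itself starts and ends outside this hunk.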
@@ -224,9 +199,7 @@ switch($currentModule) } // vtlib customization: Generic hook for Popup selection default: - require_once("modules/$currentModule/$currentModule.php"); - $focus = new $currentModule(); - $smarty->assign("SINGLE_MOD", $currentModule); + $smarty->assign("SINGLE_MOD", $currentModule); if(isset($_REQUEST['return_module']) && $_REQUEST['return_module'] !='') $smarty->assign("RETURN_MODULE",vtlib_purify($_REQUEST['return_module'])); $alphabetical = AlphabeticalSearch($currentModule,'Popup',$focus->def_basicsearch_col,'true','basic',$popuptype,"","",$url); @@ -246,8 +219,8 @@ $smarty->assign("RETURN_ACTION",vtlib_purify($_REQUEST['return_action'])); //Retreive the list from Database if($currentModule == 'PriceBooks') { - $productid=$_REQUEST['productid']; - $currency_id=$_REQUEST['currencyid']; + $productid= vtlib_purify($_REQUEST['productid']); + $currency_id= vtlib_purify($_REQUEST['currencyid']); if($currency_id == null) $currency_id = fetchCurrency($current_user->id); $query = 'select vtiger_pricebook.*, vtiger_pricebookproductrel.productid, vtiger_pricebookproductrel.listprice, ' . 'vtiger_crmentity.crmid, vtiger_crmentity.smownerid, vtiger_crmentity.modifiedtime ' . 
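Review bot: `$productid` and `$currency_id` are record ids, but the PriceBooks hunk validates them with vtlib_purify(), an HTML sanitiser that says nothing about whether the value is numeric; the query whose first lines close the hunk is assembled by string concatenation and, judging by the variable names, embeds both values further down, outside what is shown. Normalise them to integers where they are read, `$productid = intval($_REQUEST['productid']);` and `$currency_id = intval($_REQUEST['currencyid']);`, which keeps the existing `if($currency_id == null)` fallback working (0 == null) and stops the SQL from depending on HTML escaping; binding them as pquery parameters would be the complete fix.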
@@ -289,7 +262,7 @@ else $smarty->assign("mod_var_value", vtlib_purify($_REQUEST['task_parent_module'])); $smarty->assign("recid_var_name", "task_relmod_id"); $smarty->assign("recid_var_value",vtlib_purify($_REQUEST['task_relmod_id'])); - $where_relquery.= getPopupCheckquery($currentModule,$_REQUEST['task_parent_module'],$_REQUEST['task_relmod_id']); + $where_relquery.= getPopupCheckquery($currentModule, vtlib_purify($_REQUEST['task_parent_module']), vtlib_purify($_REQUEST['task_relmod_id'])); } if($currentModule == 'Products' && !$_REQUEST['record_id'] && ($popuptype == 'inventory_prod' || $popuptype == 'inventory_prod_po')) $where_relquery .=" and vtiger_products.discontinued <> 0 AND (vtiger_products.productid NOT IN (SELECT crmid FROM vtiger_seproductsrel WHERE setype='Products'))"; @@ -326,7 +299,7 @@ else if($currentModule == 'Products' && $_REQUEST['record_id'] && ($popuptype == 'inventory_prod' || $popuptype == 'inventory_prod_po')) { - $product_name = getProductName($_REQUEST['record_id']); + $product_name = getProductName(vtlib_purify($_REQUEST['record_id'])); $smarty->assign("PRODUCT_NAME", $product_name); $smarty->assign("RECORD_ID", vtlib_purify($_REQUEST['record_id'])); } @@ -365,7 +338,7 @@ if(method_exists($focus, 'getQueryByModuleField')) { // END if(PerformancePrefs::getBoolean('LISTVIEW_COMPUTE_PAGE_COUNT', false) === true){ - $count_result = $adb->query( mkCountQuery( $query)); + $count_result = $adb->pquery( mkCountQuery( $query), array()); $noofrows = $adb->query_result($count_result,0,"count"); }else{ $noofrows = null; 
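Review bot: Replacing `$adb->query()` with `$adb->pquery(…, array())` here and in the hunks at @@ -375 and @@ -392 does not parameterise anything: the SQL text is unchanged and still built by concatenation, and @@ -392 shows `$query.=" LIMIT $limstart,$list_max_entries_per_page"` being appended immediately before the call, so the change is cosmetic. The paging values are arithmetic results and can be forced numeric where they are computed, `$limstart = ((int)$start - 1) * (int)$list_max_entries_per_page;`, after which the LIMIT clause can carry only digits. If the intent was simply to route all reads through pquery for auditing, a comment saying so would stop the next reader from assuming the query is bound.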
@@ -375,7 +348,7 @@ if(PerformancePrefs::getBoolean('LISTVIEW_COMPUTE_PAGE_COUNT', false) === true){ if(isset($_REQUEST['start']) && $_REQUEST['start'] != '') { $start = vtlib_purify($_REQUEST['start']); if($start == 'last'){ - $count_result = $adb->query( mkCountQuery($query)); + $count_result = $adb->pquery( mkCountQuery($query), array()); $noofrows = $adb->query_result($count_result,0,"count"); if($noofrows > 0){ $start = ceil($noofrows/$list_max_entries_per_page); @@ -392,7 +365,7 @@ if(isset($_REQUEST['start']) && $_REQUEST['start'] != '') { } $limstart=($start-1)*$list_max_entries_per_page; $query.=" LIMIT $limstart,$list_max_entries_per_page"; -$list_result = $adb->query($query); +$list_result = $adb->pquery($query, array()); //Retreive the Navigation array $navigation_array = VT_getSimpleNavigationValues($start, $list_max_entries_per_page,$noofrows); diff --git a/SendReminder.php b/SendReminder.php index a076162..3a2b460 100644 --- a/SendReminder.php +++ b/SendReminder.php @@ -231,7 +231,7 @@ function getParentMailId($returnmodule,$parentid) if($returnmodule == 'Contacts' || $returnmodule == 'HelpDesk') { if($returnmodule == 'HelpDesk') - $parentid = $_REQUEST['contact_id']; + $parentid = vtlib_purify ($_REQUEST['contact_id']); $tablename = 'vtiger_contactdetails'; $idname = 'contactid'; } diff --git a/Smarty/templates/Buttons_List.tpl b/Smarty/templates/Buttons_List.tpl index 7698e28..777aca9 100644 --- a/Smarty/templates/Buttons_List.tpl +++ b/Smarty/templates/Buttons_List.tpl @@ -116,7 +116,7 @@ {if $MODULE eq 'Contacts' || $MODULE eq 'Leads' || $MODULE eq 'Accounts'|| $MODULE eq 'Products'|| $MODULE eq 'Potentials'|| $MODULE eq 'HelpDesk'|| $MODULE eq 'Vendors' || $CUSTOM_MODULE eq 'true'} {if $CHECK.DuplicatesHandling eq 'yes'} -
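Review bot: In SendReminder.php, `getParentMailId($returnmodule, $parentid)` overwrites its own `$parentid` argument with `$_REQUEST['contact_id']` for HelpDesk, so the caller's value is silently ignored and the function depends on request state its signature does not show; the purify call added here preserves that hidden coupling. Prefer resolving the contact id at the call site and passing it in, or at minimum document it, `// HelpDesk: the contact to mail comes from the request (contact_id), not from $parentid`. The value is used as a record id, for which `intval()` is a more precise normalisation than an HTML purifier, and `vtlib_purify (` with a space before the parenthesis differs from the other calls in this diff. The function body continues outside the hunk.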
{$_RELATED_MODULE|@getTranslatedString:$MODULE} |
{$_RELATED_MODULE|@getTranslatedString:$_RELATED_MODULE} |
+ |
diff --git a/Smarty/templates/ShowAuditTrail.tpl b/Smarty/templates/ShowAuditTrail.tpl
index fa8e658..149d4da 100644
--- a/Smarty/templates/ShowAuditTrail.tpl
+++ b/Smarty/templates/ShowAuditTrail.tpl
@@ -23,7 +23,7 @@
|
{include file='com_vtiger_workflow/ModuleTitle.tpl'}
-
|
www.vtiger.com | +
- | + |
www.vtiger.com | +
- | + |
- | + |
- vtigercrm-
+
@@ -121,9 +110,8 @@ if(isset($application_unique_key) && !empty($application_unique_key)) {
|
www.vtiger.com | | +
- | + |
www.vtiger.com | +
- | + |
www.vtiger.com | +
- | + |
www.vtiger.com | +
- | + |
www.vtiger.com | +
';print_r($_REQUEST);echo ''; if(isset($_REQUEST['flag']) && $_REQUEST['flag'] != '') { - $flag = $_REQUEST['flag']; + $flag = vtlib_purify($_REQUEST['flag']); switch($flag) { case 1: @@ -42,7 +42,7 @@ if(isset($_REQUEST['flag']) && $_REQUEST['flag'] != '') } } -$tempModule=$_REQUEST['tempModule']; +$tempModule= vtlib_purify($_REQUEST['tempModule']); $smarty->assign("MOD", return_module_language($current_language,'Settings')); $smarty->assign("THEME", $theme); $smarty->assign("IMAGE_PATH",$image_path); diff --git a/modules/Users/AddMailAccount.php b/modules/Users/AddMailAccount.php index ad404c0..1a4b5f8 100644 --- a/modules/Users/AddMailAccount.php +++ b/modules/Users/AddMailAccount.php @@ -30,7 +30,7 @@ $smarty->assign("IMAGE_PATH", $image_path); if(isset($_REQUEST['record']) && $_REQUEST['record']!='') { $sql = "select * from vtiger_mail_accounts where user_id=?"; - $result = $adb->pquery($sql, array($_REQUEST['record'])); + $result = $adb->pquery($sql, array(vtlib_purify($_REQUEST['record']))); $rowcount = $adb->num_rows($result); if ($rowcount!=0) diff --git a/modules/Users/Authenticate.php b/modules/Users/Authenticate.php index 1125d43..0a646de 100644 --- a/modules/Users/Authenticate.php +++ b/modules/Users/Authenticate.php @@ -30,8 +30,8 @@ global $mod_strings, $default_charset; $focus = new Users(); // Add in defensive code here. -$focus->column_fields["user_name"] = to_html($_REQUEST['user_name']); -$user_password = vtlib_purify($_REQUEST['user_password']); +$focus->column_fields["user_name"] = to_html(vtlib_purify($_REQUEST['user_name'])); +$user_password = $_REQUEST['user_password']; $focus->load_user($user_password); @@ -145,4 +145,4 @@ else header("Location: index.php"); } -?> \ No newline at end of file +?> diff --git a/modules/Users/CreateUserPrivilegeFile.php b/modules/Users/CreateUserPrivilegeFile.php index 48704b3..5c264ce 100644 --- a/modules/Users/CreateUserPrivilegeFile.php +++ b/modules/Users/CreateUserPrivilegeFile.php 
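Review bot: In AddMailAccount.php, `$_REQUEST['record']` is already passed as a bound parameter of `$adb->pquery()`, so wrapping it in vtlib_purify() adds no protection against injection and instead hands the driver an HTML-entity-encoded copy of whatever was sent; for a user_id lookup the right normalisation is numeric, `array((int)$_REQUEST['record'])`. The same purify-a-numeric-id pattern appears in Delete.php (@@ -9), DeleteGroup.php, DeleteRole.php, DeleteSharingRule.php, DeleteUser.php, DetailView.php (@@ -41) and Login.php; in each the value is an id that could be cast instead of purified.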
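Review bot: The Authenticate.php hunk removes vtlib_purify() from `$user_password` without recording why, and the "Add in defensive code here" comment just above now reads as if the password were unguarded; state the reason inline, `$user_password = $_REQUEST['user_password']; // intentionally raw: only compared/hashed, never rendered; purifying would alter passwords containing & < > "`. On the user_name line, `to_html(vtlib_purify(...))` runs two HTML encoders in sequence, so a name containing `&` may reach load_user() double-encoded unless to_html() skips existing entities — worth confirming with a user name that contains an ampersand.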
@@ -111,6 +111,7 @@ function createUserPrivilegesfile($userid)
 function createUserSharingPrivilegesfile($userid)
 {
 global $adb, $root_directory;
+checkFileAccessForInclusion('user_privileges/user_privileges_'.$userid.'.php');
 require('user_privileges/user_privileges_'.$userid.'.php');
 $handle=@fopen($root_directory.'user_privileges/sharing_privileges_'.$userid.'.php',"w+");
@@ -1538,6 +1539,7 @@ function constructTwoDimensionalCharIntSingleValueArray($var)
 function populateSharingtmptables($userid)
 {
 global $adb;
+checkFileAccessForInclusion('user_privileges/sharing_privileges_'.$userid.'.php');
 require('user_privileges/sharing_privileges_'.$userid.'.php');
 //Deleting from the existing vtiger_tables
 $table_arr=Array('vtiger_tmp_read_user_sharing_per', 'vtiger_tmp_write_user_sharing_per','vtiger_tmp_read_group_sharing_per','vtiger_tmp_write_group_sharing_per','vtiger_tmp_read_user_rel_sharing_per','vtiger_tmp_write_user_rel_sharing_per','vtiger_tmp_read_group_rel_sharing_per','vtiger_tmp_write_group_rel_sharing_per');
@@ -1594,6 +1596,7 @@ function populateSharingPrivileges($enttype,$userid,$module,$pertype, $var_name_
 $tabid=getTabid($module);
 if(!$var_name_arr)
 {
+checkFileAccessForInclusion('user_privileges/sharing_privileges_'.$userid.'.php');
 require('user_privileges/sharing_privileges_'.$userid.'.php');
 }
@@ -1696,6 +1699,7 @@ function populateRelatedSharingPrivileges($enttype,$userid,$module,$relmodule,$p
 $reltabid=getTabid($relmodule);
 if(!$var_name_arr)
 {
+checkFileAccessForInclusion('user_privileges/sharing_privileges_'.$userid.'.php');
 require('user_privileges/sharing_privileges_'.$userid.'.php');
 }
diff --git a/modules/Users/DefaultDataPopulator.php b/modules/Users/DefaultDataPopulator.php
index dec68f8..6994d9a 100644
--- a/modules/Users/DefaultDataPopulator.php
+++ b/modules/Users/DefaultDataPopulator.php
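Review bot: In createUserSharingPrivilegesfile the new checkFileAccessForInclusion() guards the require, but the `fopen($root_directory.'user_privileges/sharing_privileges_'.$userid.'.php', "w+")` on the next line builds a write path from the same `$userid` with no check, so the function still trusts the value on its write side. Since user ids are integers, normalising at function entry covers both uses in one place, `$userid = (int)$userid;`; the three other hunks (@@ -1538, @@ -1594, @@ -1696) only require and are covered by the guard, but the same cast would make them independent of it. A short comment on each guard line, `// reject path components in $userid before building an include path from it`, would explain why a check sits in front of an include of a file the application generates itself.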
@@ -854,7 +854,7 @@ class DefaultDataPopulator extends CRMEntity {
 $this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'taxtype','vtiger_invoice',1,'16','hdnTaxType','Tax Type',1,2,'',100,13,$invoicebasicblock,3,'V~O',3,null,'BAS',1)");
 $this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'discount_percent','vtiger_invoice',1,'1','hdnDiscountPercent','Discount Percent',1,2,'',100,13,$invoicebasicblock,3,'N~O',3,null,'BAS',1)");
 $this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'discount_amount','vtiger_invoice',1,'72','hdnDiscountAmount','Discount Amount',1,2,'',100,13,$invoicebasicblock,3,'N~O',3,null,'BAS',1)");
-$this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'s_h_amount','vtiger_invoice',1,'72','hdnS_H_Amount','S&H Amount',1,2,'',100,14,57,3,'N~O',3,null,'BAS',1)");
+$this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'s_h_amount','vtiger_invoice',1,'72','hdnS_H_Amount','S&H Amount',1,2,'',100,14,67,3,'N~O',3,null,'BAS',1)");
 $this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'accountid','vtiger_invoice',1,'73','account_id','Account Name',1,2,'',100,14,$invoicebasicblock,1,'I~M',3,null,'BAS',1)");
 $this->db->query("insert into vtiger_field values (23," . $this->db->getUniqueID("vtiger_field") . ",'invoicestatus','vtiger_invoice',1,'15','invoicestatus','Status',1,2,'',100,15,$invoicebasicblock,1,'V~O',3,null,'BAS',1)");
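Review bot: The changed insert hard-codes block id 67 in the column where every neighbouring vtiger_field insert uses `$invoicebasicblock`, so if block ids are ever renumbered this one row will drift from the rest. If 67 is meant to be the invoice basic block, write `$invoicebasicblock` like its neighbours; if it is deliberately a different block, say so on the line, `/* s_h_amount belongs to block 67, not $invoicebasicblock, because … */`. The hunk does not show how 67 relates to the other block ids, so this is a consistency observation only.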
@@ -1860,8 +1860,8 @@ Should any need arise,please do give us a call.'; //Insert into vtiger_organizationdetails vtiger_table $organizationId = $this->db->getUniqueID('vtiger_organizationdetails'); $this->db->query("insert into vtiger_organizationdetails(organization_id,organizationname,address,city,state,country,code,phone,fax,website,logoname) - values ($organizationId,'vtiger',' 40-41-42, Sivasundar Apartments, Flat D-II, Shastri Street, Velachery','Chennai', - 'Tamil Nadu','India','600 042','+91-44-5202-1990','+91-44-5202-1990','www.vtiger.com','vtiger-crm-logo.gif')"); + values ($organizationId,'Your Company',' Your Address','Your City', + 'Your State','Your Country','ZIP CODE','+99-98-7654-3210','+99-98-7654-3210','www.your-company.tld','app-logo.png')"); $this->db->query("insert into vtiger_actionmapping values(0,'Save',0)"); diff --git a/modules/Users/Delete.php b/modules/Users/Delete.php index 18080c3..4e04990 100755 --- a/modules/Users/Delete.php +++ b/modules/Users/Delete.php @@ -9,7 +9,7 @@ ********************************************************************************/ $sql= 'delete from vtiger_salesmanactivityrel where smid=? and activityid = ?'; -$adb->pquery($sql, array($_REQUEST['record'], $_REQUEST['return_id'])); +$adb->pquery($sql, array(vtlib_purify($_REQUEST['record']), vtlib_purify($_REQUEST['return_id']))); if($_REQUEST['return_module'] == 'Calendar') $mode ='&activity_mode=Events'; diff --git a/modules/Users/DeleteGroup.php b/modules/Users/DeleteGroup.php index e693df0..1e5b524 100755 --- a/modules/Users/DeleteGroup.php +++ b/modules/Users/DeleteGroup.php 
@@ -11,17 +11,17 @@ require_once('include/utils/UserInfoUtil.php'); global $adb; -$del_id = $_REQUEST['delete_group_id']; -$transfer_group_id = $_REQUEST['transfer_group_id']; -$assignType = $_REQUEST['assigntype']; +$del_id = vtlib_purify($_REQUEST['delete_group_id']); +$transfer_group_id = vtlib_purify($_REQUEST['transfer_group_id']); +$assignType = vtlib_purify($_REQUEST['assigntype']); if($assignType == 'T') { - $transferId = $_REQUEST['transfer_group_id']; + $transferId = vtlib_purify($_REQUEST['transfer_group_id']); } elseif($assignType == 'U') { - $transferId = $_REQUEST['transfer_user_id']; + $transferId = vtlib_purify($_REQUEST['transfer_user_id']); } //Updating the user2 vtiger_role vtiger_table diff --git a/modules/Users/DeleteRole.php b/modules/Users/DeleteRole.php index b5950e3..5846071 100755 --- a/modules/Users/DeleteRole.php +++ b/modules/Users/DeleteRole.php @@ -11,8 +11,8 @@ require_once 'modules/Users/Role.php'; require_once ('config.php'); global $adb; -$del_id = $_REQUEST['delete_role_id']; -$tran_id = $_REQUEST['user_role']; +$del_id = vtlib_purify($_REQUEST['delete_role_id']); +$tran_id = vtlib_purify($_REQUEST['user_role']); $role = Vtiger_Role::getInstanceById($del_id); $targetRole = Vtiger_Role::getInstanceById($tran_id); diff --git a/modules/Users/DeleteSharingRule.php b/modules/Users/DeleteSharingRule.php index fa99227..feba9d1 100755 --- a/modules/Users/DeleteSharingRule.php +++ b/modules/Users/DeleteSharingRule.php @@ -9,7 +9,7 @@ ********************************************************************************/ require_once('include/utils/UserInfoUtil.php'); global $adb; -$shareid = $_REQUEST['shareid']; +$shareid = vtlib_purify($_REQUEST['shareid']); deleteSharingRule($shareid); header("Location: index.php?module=Settings&action=OrgSharingDetailView&parenttab=Settings"); diff --git a/modules/Users/DeleteUser.php b/modules/Users/DeleteUser.php index da92f3f..a3aee2d 100644 --- a/modules/Users/DeleteUser.php 
+++ b/modules/Users/DeleteUser.php @@ -11,10 +11,10 @@ require_once 'modules/Users/Users.php'; global $adb; -$del_id = $_REQUEST['delete_user_id']; -$tran_id = $_REQUEST['transfer_user_id']; +$del_id = vtlib_purify($_REQUEST['delete_user_id']); +$tran_id = vtlib_purify($_REQUEST['transfer_user_id']); -$userObj = new Users(); +$userObj = new Users(); $userObj->transformOwnerShipAndDelete($del_id, $tran_id); //if check to delete user from detail view diff --git a/modules/Users/DetailView.php b/modules/Users/DetailView.php index 7365288..1ce0f22 100644 --- a/modules/Users/DetailView.php +++ b/modules/Users/DetailView.php @@ -41,8 +41,8 @@ $focus = new Users(); if(!empty($_REQUEST['record'])) { - $focus->retrieve_entity_info($_REQUEST['record'],'Users'); - $focus->id = $_REQUEST['record']; + $focus->retrieve_entity_info(vtlib_purify($_REQUEST['record']),'Users'); + $focus->id = vtlib_purify($_REQUEST['record']); } else { @@ -127,7 +127,7 @@ if(isset($focus->imagename) && $focus->imagename!='') if(isset($_REQUEST['modechk']) && $_REQUEST['modechk'] != '' ) { - $modepref = $_REQUEST['modechk']; + $modepref = vtlib_purify($_REQUEST['modechk']); } if($_REQUEST['modechk'] == 'prefview') $parenttab = ''; diff --git a/modules/Users/DetailViewAjax.php b/modules/Users/DetailViewAjax.php index 1fd8c9d..9b7154a 100644 --- a/modules/Users/DetailViewAjax.php +++ b/modules/Users/DetailViewAjax.php @@ -14,7 +14,7 @@ require_once('include/database/PearDatabase.php'); global $adb ,$mod_strings ; $local_log =& LoggerManager::getLogger('UsersAjax'); -$ajaxaction = $_REQUEST["ajxaction"]; +$ajaxaction = vtlib_purify($_REQUEST["ajxaction"]); if($ajaxaction == "DETAILVIEW") { if(empty($_SESSION['Users_FORM_TOKEN']) || $_SESSION['Users_FORM_TOKEN'] 
@@ -22,10 +22,10 @@ if($ajaxaction == "DETAILVIEW") echo ":#:ERR".($app_strings['LBL_PERMISSION']); die; } - $userid = $_REQUEST["recordid"]; - $tablename = $_REQUEST["tableName"]; - $fieldname = $_REQUEST["fldName"]; - $fieldvalue = utf8RawUrlDecode($_REQUEST["fieldValue"]); + $userid = vtlib_purify($_REQUEST["recordid"]); + $tablename = vtlib_purify($_REQUEST["tableName"]); + $fieldname = vtlib_purify($_REQUEST["fldName"]); + $fieldvalue = utf8RawUrlDecode(vtlib_purify($_REQUEST["fieldValue"])); if($userid != "") { $userObj = new Users(); diff --git a/modules/Users/EditView.php b/modules/Users/EditView.php index 2d3f72e..5bd5bab 100755 --- a/modules/Users/EditView.php +++ b/modules/Users/EditView.php @@ -41,7 +41,7 @@ if(isset($_REQUEST['record']) && isset($_REQUEST['record'])) { $smarty->assign("ID",vtlib_purify($_REQUEST['record'])); $mode='edit'; if (!is_admin($current_user) && $_REQUEST['record'] != $current_user->id) die ("Unauthorized access to user administration."); - $focus->retrieve_entity_info($_REQUEST['record'],'Users'); + $focus->retrieve_entity_info(vtlib_purify($_REQUEST['record']),'Users'); $smarty->assign("USERNAME", getFullNameFromArray('Users', $focus->column_fields)); }else { diff --git a/modules/Users/Forms.php b/modules/Users/Forms.php index 44cee95..a101330 100755 --- a/modules/Users/Forms.php +++ b/modules/Users/Forms.php @@ -30,7 +30,7 @@ require_once('include/Zend/Json.php'); function checkAsteriskDetails(){ global $adb,$current_user; $sql = "select * from vtiger_asterisk"; - $result = $adb->query($sql); + $result = $adb->pquery($sql, array()); $count = $adb->num_rows($result); if($count > 0){ diff --git a/modules/Users/Login.php b/modules/Users/Login.php index bbe98be..8307019 100644 --- a/modules/Users/Login.php +++ b/modules/Users/Login.php 
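Review bot: In DetailViewAjax.php, `utf8RawUrlDecode(vtlib_purify($_REQUEST["fieldValue"]))` sanitises before decoding, so the purifier only ever sees the percent-encoded form and whatever the decode produces afterwards is what reaches the update; reverse the order, `$fieldvalue = utf8RawUrlDecode(vtlib_purify(...))` → `$fieldvalue = vtlib_purify(utf8RawUrlDecode($_REQUEST["fieldValue"]));`. `$userid` is a record id and `$tablename`/`$fieldname` look like identifiers used to address a column, and an HTML purifier is not the right validator for either — `(int)` for the former and an allow-list of known table/field names for the latter; the lines that consume them are outside the hunk, so this is inferred from the names.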
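Review bot: In the EditView.php hunk the admin check two lines above the change compares `$_REQUEST['record'] != $current_user->id` loosely, so the same request value drives an authorisation decision as a string and is then handed, purified, to retrieve_entity_info(). Normalising once, `$record = (int)$_REQUEST['record'];`, and comparing `$record !== (int)$current_user->id` makes the access check and the lookup operate on one value and removes PHP's version-dependent loose-comparison rules from an access-control path; the Smarty `ID` assignment above can use the same `$record`.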
@@ -31,7 +31,7 @@ else $login_user_name = trim(vtlib_purify($_REQUEST['default_user_name']), '"\''); } elseif (isset($_REQUEST['ck_login_id_vtiger'])) { - $login_user_name = getUserName($_REQUEST['ck_login_id_vtiger']); + $login_user_name = getUserName(vtlib_purify($_REQUEST['ck_login_id_vtiger'])); } else { diff --git a/modules/Users/RenameProfile.php b/modules/Users/RenameProfile.php index 3f18c6f..f4e4a48 100644 --- a/modules/Users/RenameProfile.php +++ b/modules/Users/RenameProfile.php @@ -13,8 +13,8 @@ global $adb; $profileid = vtlib_purify($_REQUEST['profileid']); if(strtolower($default_charset) == 'utf-8') { - $profilename = $_REQUEST['profilename']; - $profileDesc = $_REQUEST['description']; + $profilename = vtlib_purify($_REQUEST['profilename']); + $profileDesc = vtlib_purify($_REQUEST['description']); } else { $profilename = utf8RawUrlDecode($_REQUEST['profilename']); $profileDesc = utf8RawUrlDecode($_REQUEST['description']); diff --git a/modules/Users/RoleDragDrop.php b/modules/Users/RoleDragDrop.php index ec6f96d..0c581a2 100644 --- a/modules/Users/RoleDragDrop.php +++ b/modules/Users/RoleDragDrop.php @@ -10,8 +10,8 @@ ********************************************************************************/ require_once('include/utils/UserInfoUtil.php'); -$toid=$_REQUEST['parentId']; -$fromid=$_REQUEST['childId']; +$toid= vtlib_purify($_REQUEST['parentId']); +$fromid= vtlib_purify($_REQUEST['childId']); global $adb,$mod_strings; diff --git a/modules/Users/RolePopup.php b/modules/Users/RolePopup.php index 3ccb432..accf700 100755 --- a/modules/Users/RolePopup.php +++ b/modules/Users/RolePopup.php @@ -76,7 +76,7 @@ $query = "select * from vtiger_role"; $result = $adb->pquery($query, array()); $num_rows=$adb->num_rows($result); $mask_roleid=Array(); -$del_roleid=$_REQUEST['maskid']; +$del_roleid= vtlib_purify($_REQUEST['maskid']); if($del_roleid != '' && strlen($del_roleid) >0) { $mask_roleid= getRoleAndSubordinatesRoleIds($del_roleid); 
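Review bot: In RenameProfile.php only the utf-8 branch now purifies `profilename` and `description`; the `else` branch still reads `utf8RawUrlDecode($_REQUEST['profilename'])` and `utf8RawUrlDecode($_REQUEST['description'])` raw, so whether these values are sanitised depends on `$default_charset` rather than on where they are used. Apply the same treatment in both branches, `$profilename = vtlib_purify(utf8RawUrlDecode($_REQUEST['profilename']));` and likewise for the description, or move the purify below the if/else so it runs once on whichever value was chosen.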
@@ -124,7 +124,7 @@ function indent($hrarray,$roleout,$role_det,$mask_roleid='') } else { - $type =$_REQUEST['type']; + $type = vtlib_purify($_REQUEST['type']); if($type == '') { $roleout .= ' '.$rolename.''; diff --git a/modules/Users/Save.php b/modules/Users/Save.php index f982337..bfdf968 100644 --- a/modules/Users/Save.php +++ b/modules/Users/Save.php @@ -27,9 +27,9 @@ $log =& LoggerManager::getLogger('index'); global $adb; -$user_name = $_REQUEST['userName']; +$user_name = vtlib_purify($_REQUEST['userName']); if(isset($_REQUEST['status']) && $_REQUEST['status'] != '') - $_REQUEST['status']=$_REQUEST['status']; + $_REQUEST['status']= vtlib_purify ($_REQUEST['status']); else $_REQUEST['status']='Active'; @@ -51,6 +51,26 @@ if(isset($_REQUEST['dup_check']) && $_REQUEST['dup_check'] != '') die; } } +if($_REQUEST['user_role'] != '' && !is_admin($current_user) && $_REQUEST['user_role'] != $current_user->roleid){ + $log->fatal("SECURITY:Non-Admin user:". $current_user->id . " attempted to change user role"); + echo ""; + echo "
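Review bot: Style: the Save.php hunk at @@ -27 writes the purified value back into `$_REQUEST['status']` (and the `'Active'` default likewise), so the superglobal is being mutated to carry application state for code further down the file. A local `$status = (isset($_REQUEST['status']) && $_REQUEST['status'] != '') ? vtlib_purify($_REQUEST['status']) : 'Active';` would make that flow visible, though the consumers below the hunk — not shown here — would need to read `$status` instead. `vtlib_purify (` with a space before the parenthesis also differs from every other call in this diff.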
";
+ echo "
+ ";
+ echo "
|