From 05f0481e5264c2a9154297adec74b4a64259e562 Mon Sep 17 00:00:00 2001 From: Janusz Dobrowolski Date: Mon, 12 Oct 2009 11:13:20 +0000 Subject: [PATCH 1/1] Some security fixes backported from unstable code. --- CHANGELOG.txt | 9 +++++++++ admin/db/maintenance_db.inc | 4 ++-- admin/db/users_db.inc | 20 +++++++++++--------- includes/db/connect_db.inc | 2 +- reporting/includes/tcpdf.php | 2 +- sales/includes/cart_class.inc | 8 ++++---- sales/inquiry/customer_inquiry.php | 3 +++ 7 files changed, 31 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 8364b367..8901f8c8 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -19,6 +19,15 @@ Legend: ! -> Note $ -> Affected files +12-Oct-2009 Janusz Dobrowolski +# Fixed sql injection vulnerability on some php/mysql configurations +$ /admin/db/users_db.inc +! Single quotes also encoded before database data insert +$ /admin/db/maintenance_db.inc + /includes/db/connect_db.inc + /reporting/includes/tcpdf.php + /sales/includes/cart_class.inc + ------------------------------- Release 2.1.6 ---------------------------------- ! Final Final release of the 2.1. series. $ config.php diff --git a/admin/db/maintenance_db.inc b/admin/db/maintenance_db.inc index 29790b66..829328e8 100644 --- a/admin/db/maintenance_db.inc +++ b/admin/db/maintenance_db.inc @@ -325,7 +325,7 @@ function db_export($conn, $filename, $zip='no', $comment='', $tbpref = TB_PREF) $out.="# Backup Date and Time: ".date("Y-m-d H:i")."\n"; $out.="# Built by " . $app_title . " " . $version ."\n"; $out.="# ".$power_url."\n"; - $out.="# Company: ". @html_entity_decode($company, ENT_COMPAT, $_SESSION['language']->encoding)."\n"; + $out.="# Company: ". @html_entity_decode($company, ENT_QUOTES, $_SESSION['language']->encoding)."\n"; $out.="# User: ".$_SESSION["wa_current_user"]->name."\n\n"; // write users comment 
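Review bot: The decoded company name on the `# Company:` line of the db_export header is written into a line-oriented dump without normalising line breaks, so a stored value that contains one (raw, or as a numeric entity that html_entity_decode expands) would continue on a second line that no longer carries the `#` prefix. Collapse it before writing, e.g. `$out.="# Company: ". str_replace(array("\r", "\n"), ' ', @html_entity_decode($company, ENT_QUOTES, $_SESSION['language']->encoding))."\n";`. The `@` also hides the warning html_entity_decode raises for an unsupported charset, in which case the value is decoded with PHP's default charset instead of the session encoding. db_export's body continues outside the hunk.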
@@ -423,7 +423,7 @@ function db_export($conn, $filename, $zip='no', $comment='', $tbpref = TB_PREF) // run through each field for ($k = 0; $k < $nf = db_num_fields($res2); $k++) { - $out .= db_escape(@html_entity_decode($row2[$k], ENT_COMPAT, $_SESSION['language']->encoding)); + $out .= db_escape(@html_entity_decode($row2[$k], ENT_QUOTES, $_SESSION['language']->encoding)); if ($k < ($nf - 1)) $out .= ", "; } diff --git a/admin/db/users_db.inc b/admin/db/users_db.inc index 5200f2c9..e9ea2e8f 100644 --- a/admin/db/users_db.inc +++ b/admin/db/users_db.inc @@ -14,11 +14,12 @@ function add_user($user_id, $real_name, $password, $phone, $email, $full_access, $language, $profile, $rep_popup, $pos) { $sql = "INSERT INTO ".TB_PREF."users (user_id, real_name, password" - .", phone, email, full_access, language, pos, print_profile, rep_popup) + .", phone, email, role_id, language, pos, print_profile, rep_popup) VALUES (".db_escape($user_id).", - ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone).", - ".db_escape($email).", $full_access, ".db_escape($language).", - $pos,".db_escape($profile).",$rep_popup)"; + ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone) + .",".db_escape($email).", ".db_escape($role_id).", ".db_escape($language) + .", ".db_escape($pos).",".db_escape($profile).",".db_escape($rep_popup) + ." )"; db_query($sql, "could not add user for $user_id"); } 
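Review bot: The rewritten INSERT in add_user writes a `role_id` column from `$role_id`, but the signature shown in the hunk header still takes `$full_access` and declares no `$role_id`, so the statement either fails on an unknown column or stores db_escape of an undefined variable while the `$full_access` argument is silently dropped. Unless the 2.1 schema already has `role_id` and the signature was changed outside this hunk, this looks like a slip in the backport from the unstable branch; the column list and value should stay on `full_access`, e.g. `.", phone, email, full_access, language, pos, print_profile, rep_popup)"` and `.",".db_escape($email).", ".db_escape($full_access).", ".db_escape($language)`. Routing the integer arguments through db_escape, which is the actual security change here, is fine for MySQL and should be kept.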
@@ -70,11 +71,11 @@ function update_user_display_prefs($user_id, $price_dec, $qty_dec, $exrate_dec, dec_sep=".db_escape($dec_sep).", theme=".db_escape($theme).", page_size=".db_escape($pagesize).", - show_hints=$show_hints, + show_hints=".db_escape($show_hints).", print_profile=".db_escape($profile).", - rep_popup=$rep_popup, - query_size=$query_size, - graphic_links=$graphic_links, + rep_popup=".db_escape($rep_popup).", + query_size=".db_escape($query_size).", + graphic_links=".db_escape($graphic_links).", language=".db_escape($lang)." WHERE user_id = ".db_escape($user_id); @@ -117,7 +118,8 @@ function get_user_for_login($user_id, $password) { set_global_connection(); - $sql = "SELECT * FROM ".TB_PREF."users WHERE user_id = '$user_id' AND password='$password'"; + $sql = "SELECT * FROM ".TB_PREF."users WHERE user_id = ".db_escape($user_id) + ." AND password=".db_escape($password); return db_query($sql, "could not get validate user login for $user_id"); } diff --git a/includes/db/connect_db.inc b/includes/db/connect_db.inc index fa57b678..f848f900 100644 --- a/includes/db/connect_db.inc +++ b/includes/db/connect_db.inc @@ -99,7 +99,7 @@ function db_num_fields ($result) function db_escape($value = "", $nullify = false) { - $value = @htmlspecialchars($value, ENT_COMPAT, $_SESSION['language']->encoding); + $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding); //reset default if second parameter is skipped $nullify = ($nullify === null) ? (false) : ($nullify); diff --git a/reporting/includes/tcpdf.php b/reporting/includes/tcpdf.php index 48504eb9..ba54e66a 100644 --- a/reporting/includes/tcpdf.php +++ b/reporting/includes/tcpdf.php @@ -5729,7 +5729,7 @@ if (!class_exists('TCPDF')) { */ function unhtmlentities($text_to_convert) { if (!$this->isunicode) { - return html_entity_decode($text_to_convert); + return html_entity_decode($text_to_convert, ENT_QUOTES); } return html_entity_decode_php4($text_to_convert); } 
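Review bot: The error text passed to db_query in get_user_for_login, `"could not get validate user login for $user_id"`, still interpolates the raw login name even though the query itself is now escaped; how db_query renders that message is outside the hunk, so if it is echoed to the page the value should be encoded the same way, e.g. `"could not get validate user login for ".htmlspecialchars($user_id, ENT_QUOTES)`. The function body is fully inside the hunk.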
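Review bot: After this change db_escape still relies solely on htmlspecialchars to make a value safe inside SQL quotes; ENT_QUOTES now neutralises `'` and `"`, but backslashes and NUL bytes pass through unchanged, and those are characters the MySQL string-literal syntax interprets unless the server runs with NO_BACKSLASH_ESCAPES. The encoded value should additionally go through the driver's escaping on the open connection before it is wrapped in quotes, e.g. `$value = mysql_real_escape_string(@htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding));`; the rest of db_escape, including where the quotes are added, is outside the hunk. The `@` also hides the charset warning, and on later PHP releases an invalid byte sequence makes htmlspecialchars return an empty string, so that failure is worth surfacing rather than suppressing.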
diff --git a/sales/includes/cart_class.inc b/sales/includes/cart_class.inc index 286ada11..45ca476c 100644 --- a/sales/includes/cart_class.inc +++ b/sales/includes/cart_class.inc @@ -222,11 +222,11 @@ class cart $this->trans_no = 0; $this->order_no= $this->trans_type==13 ? key($src->trans_no) : $src->order_no; } - $this->reference = @html_entity_decode($this->reference); - $this->Comments = @html_entity_decode($this->Comments); + $this->reference = @html_entity_decode($this->reference, ENT_QUOTES); + $this->Comments = @html_entity_decode($this->Comments, ENT_QUOTES); foreach($this->line_items as $lineno => $line) { - $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id); - $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description); + $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id, ENT_QUOTES); + $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description, ENT_QUOTES); } switch($this->trans_type) { case 10: diff --git a/sales/inquiry/customer_inquiry.php b/sales/inquiry/customer_inquiry.php index 90ac0da6..85a8d70d 100644 --- a/sales/inquiry/customer_inquiry.php +++ b/sales/inquiry/customer_inquiry.php @@ -214,6 +214,7 @@ function check_overdue($row) debtor.name, branch.br_name, debtor.curr_code, + @bal := @bal+trans.ov_amount, (trans.ov_amount + trans.ov_gst + trans.ov_freight + trans.ov_freight_tax + trans.ov_discount) AS TotalAmount, trans.alloc AS Allocated, @@ -265,6 +266,7 @@ function check_overdue($row) } //------------------------------------------------------------------------------------------------ +db_query("set @bal:=0"); $cols = array( _("Type") => array('fun'=>'systype_name', 'ord'=>''), 
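Review bot: The four html_entity_decode calls in cart (reference, Comments, stock_id, item_description) now pass ENT_QUOTES but no charset, so they decode with PHP's default charset rather than the session encoding that the db_export calls in this same patch pass as third argument, and for non-Latin-1 text the result will not match what db_escape encoded. Pass the encoding consistently, e.g. `$this->reference = @html_entity_decode($this->reference, ENT_QUOTES, $_SESSION['language']->encoding);` and likewise on the other three lines. The enclosing method starts and ends outside the hunk.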
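Review bot: The running balance added to the SELECT, `@bal := @bal+trans.ov_amount`, accumulates only ov_amount, whereas the TotalAmount expression two lines below also includes ov_gst, ov_freight, ov_freight_tax and ov_discount, so the new column will not reconcile with the amounts shown next to it. MySQL also documents the evaluation order of user-variable assignments within a statement as undefined, and the `'ord'=>''` entries in $cols let the user re-sort the table, so the accumulated value is not tied to the displayed row order; if the pager applies a LIMIT outside the hunk, the single `db_query("set @bal:=0")` added in the -265 hunk further makes every page restart at zero. If a per-customer balance is wanted, compute it in PHP while rendering (a `'fun'` callback like those on the Debit and Credit columns) or with a correlated subquery rather than a session variable. The surrounding query starts and ends outside the hunk.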
@@ -276,6 +278,7 @@ $cols = array( _("Customer") => array('ord'=>''), _("Branch") => array('ord'=>''), _("Currency") => array('align'=>'center'), + _("RB"), _("Debit") => array('align'=>'right', 'fun'=>'fmt_debit'), _("Credit") => array('align'=>'right','insert'=>true, 'fun'=>'fmt_credit'), array('insert'=>true, 'fun'=>'gl_view'), -- 2.30.2
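Review bot: The new `_("RB"),` entry in $cols is the only column given as a bare label while every neighbour is `label => array(...)`, and it has no `'align'=>'right'` or formatting `'fun'` like the Debit and Credit columns, so a monetary value is printed left-aligned and unformatted, and the abbreviation is not explained anywhere. At minimum write `_("Balance") => array('align'=>'right'),` and, if amounts elsewhere are formatted through a callback, add a `'fun'` entry in the style of the adjacent columns. This customer_inquiry change is also not listed in the CHANGELOG entry of this commit, which names only the escaping fixes.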