Some security fixes backported from unstable code.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Mon, 12 Oct 2009 11:13:20 +0000 (11:13 +0000)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Mon, 12 Oct 2009 11:13:20 +0000 (11:13 +0000)
CHANGELOG.txt
admin/db/maintenance_db.inc
admin/db/users_db.inc
includes/db/connect_db.inc
reporting/includes/tcpdf.php
sales/includes/cart_class.inc
sales/inquiry/customer_inquiry.php

index 8364b3677a2060e87f1bccad31d28890955e5282..8901f8c8a1fba9edc85f63524318adb0d6e3a1f0 100644 (file)
@@ -19,6 +19,15 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+12-Oct-2009 Janusz Dobrowolski
+# Fixed sql injection vulnerability on some php/mysql configurations
+$ /admin/db/users_db.inc
+! Single quotes also encoded before database data insert
+$ /admin/db/maintenance_db.inc
+  /includes/db/connect_db.inc
+  /reporting/includes/tcpdf.php
+  /sales/includes/cart_class.inc
+
 ------------------------------- Release 2.1.6 ----------------------------------
 ! Final Final release of the 2.1. series.
 $ config.php
index 29790b6658ad29bebd26aa92dbd8d7fae718c479..829328e87b16b17b36ab22fe69422fb0c5c366eb 100644 (file)
@@ -325,7 +325,7 @@ function db_export($conn, $filename, $zip='no', $comment='', $tbpref = TB_PREF)
     $out.="# Backup Date and Time: ".date("Y-m-d H:i")."\n";
     $out.="# Built by " . $app_title . " " . $version ."\n";
     $out.="# ".$power_url."\n";
-    $out.="# Company: ". @html_entity_decode($company, ENT_COMPAT, $_SESSION['language']->encoding)."\n";
+    $out.="# Company: ". @html_entity_decode($company, ENT_QUOTES, $_SESSION['language']->encoding)."\n";
     $out.="# User: ".$_SESSION["wa_current_user"]->name."\n\n";
 
        // write users comment
@@ -423,7 +423,7 @@ function db_export($conn, $filename, $zip='no', $comment='', $tbpref = TB_PREF)
                                        // run through each field
                                        for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
                                        {
-                                               $out .= db_escape(@html_entity_decode($row2[$k], ENT_COMPAT, $_SESSION['language']->encoding));
+                                               $out .= db_escape(@html_entity_decode($row2[$k], ENT_QUOTES, $_SESSION['language']->encoding));
                                                if ($k < ($nf - 1))
                                                        $out .= ", ";
                                        }
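Review bot: The decoded company name on the changed line of the first hunk is written into a `#` comment of the SQL dump, so if `$company` can contain a line break, the part after it lands on a line of its own and is parsed as SQL when the backup is restored; the user name on the following line has the same exposure. Strip line terminators before writing, e.g. `$out.="# Company: ". str_replace(array("\r", "\n"), ' ', @html_entity_decode($company, ENT_QUOTES, $_SESSION['language']->encoding))."\n";`, and likewise for the user line. In the second hunk `$nf = db_num_fields($res2)` is re-evaluated in the loop condition on every field; hoisting it above the `for` is cheaper and reads better. Whether `$company` is already cleaned elsewhere is not visible here, and db_export continues outside both hunks.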
index 5200f2c99933bb0d104270218ff587d7bac652b7..e9ea2e8ff9f5a0b213b60d3fca7dee5afd59e0ce 100644 (file)
@@ -14,11 +14,12 @@ function add_user($user_id, $real_name, $password, $phone, $email, $full_access,
        $language, $profile, $rep_popup, $pos)
 {
        $sql = "INSERT INTO ".TB_PREF."users (user_id, real_name, password"
-               .", phone, email, full_access, language, pos, print_profile, rep_popup)
+               .", phone, email, role_id, language, pos, print_profile, rep_popup)
                VALUES (".db_escape($user_id).", 
-               ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone).",
-                ".db_escape($email).", $full_access, ".db_escape($language).",
-                $pos,".db_escape($profile).",$rep_popup)";
+               ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone)
+               .",".db_escape($email).", ".db_escape($role_id).", ".db_escape($language)
+               .", ".db_escape($pos).",".db_escape($profile).",".db_escape($rep_popup)
+               ." )";
 
        db_query($sql, "could not add user for $user_id");
 }
@@ -70,11 +71,11 @@ function update_user_display_prefs($user_id, $price_dec, $qty_dec, $exrate_dec,
                dec_sep=".db_escape($dec_sep).",
                theme=".db_escape($theme).",
                page_size=".db_escape($pagesize).",
-               show_hints=$show_hints,
+               show_hints=".db_escape($show_hints).",
                print_profile=".db_escape($profile).",
-               rep_popup=$rep_popup,
-               query_size=$query_size,
-               graphic_links=$graphic_links,
+               rep_popup=".db_escape($rep_popup).",
+               query_size=".db_escape($query_size).",
+               graphic_links=".db_escape($graphic_links).",
                language=".db_escape($lang)."
                WHERE user_id = ".db_escape($user_id);
 
@@ -117,7 +118,8 @@ function get_user_for_login($user_id, $password)
 {
        set_global_connection();
 
-       $sql = "SELECT * FROM ".TB_PREF."users WHERE user_id = '$user_id' AND password='$password'";
+       $sql = "SELECT * FROM ".TB_PREF."users WHERE user_id = ".db_escape($user_id)
+               ." AND password=".db_escape($password);
 
        return db_query($sql, "could not get validate user login for $user_id");
 }
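Review bot: In the add_user hunk the new INSERT writes a `role_id` column from `$role_id`, but the function's parameter list (the unchanged context line `$language, $profile, $rep_popup, $pos)` and the signature named in the hunk header) still declares `$full_access` and no `$role_id`, so the column is filled from an undefined variable and `$full_access` is silently dropped; this looks like a fragment of the unstable branch's role model backported without its signature and schema change. For this branch keep the existing column: `.", phone, email, full_access, language, pos, print_profile, rep_popup)"` and `.",".db_escape($email).", ".db_escape($full_access).", ".db_escape($language)`. Whether a `role_id` column exists in this release's users table cannot be seen from the diff. The get_user_for_login change is sound as far as it goes; whether `$password` arrives already hashed is decided by the caller, outside this file.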
index fa57b678fc4d530e3f98961a96725ee93cb74487..f848f900081bc78fe71c60b78abb66d6ac32dd36 100644 (file)
@@ -99,7 +99,7 @@ function db_num_fields ($result)
 
 function db_escape($value = "", $nullify = false)
 {
-       $value = @htmlspecialchars($value, ENT_COMPAT, $_SESSION['language']->encoding);
+       $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
 
        //reset default if second parameter is skipped
        $nullify = ($nullify === null) ? (false) : ($nullify);
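Review bot: The changed line still wraps htmlspecialchars in `@`, which hides the warning for an unsupported `$_SESSION['language']->encoding`, and on the PHP releases this code targets an input containing a byte sequence that is invalid for that charset makes htmlspecialchars return an empty string, so such values are written to the database as `''` with no trace. Drop the suppression and treat an empty result for non-empty input as an error, e.g. `$value = htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);` followed by an explicit check. Note also that HTML-encoding at storage time only neutralises the quote characters and is not SQL escaping; the driver-level escaping that actually protects the query is presumably in the remainder of db_escape, which lies outside this hunk, and a one-line comment above this call saying so would stop the next reader from taking this line for the injection fix.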
index 48504eb945a7db15c5e70b8cb009410b583e87ee..ba54e66a3ea08b8a96f70a25d25fb50be43c1516 100644 (file)
@@ -5729,7 +5729,7 @@ if (!class_exists('TCPDF')) {
                 */
                function unhtmlentities($text_to_convert) {
                        if (!$this->isunicode) {
-                               return html_entity_decode($text_to_convert);
+                               return html_entity_decode($text_to_convert, ENT_QUOTES);
                        }
                        return html_entity_decode_php4($text_to_convert);
                }
index 286ada110dfad40eee5c2133c843f1e84eb6111d..45ca476cf6dde1121f6941fcabd747bf01e717d0 100644 (file)
@@ -222,11 +222,11 @@ class cart
                        $this->trans_no = 0;
                        $this->order_no= $this->trans_type==13 ? key($src->trans_no) : $src->order_no;
                }
-               $this->reference = @html_entity_decode($this->reference);
-               $this->Comments = @html_entity_decode($this->Comments);
+               $this->reference = @html_entity_decode($this->reference, ENT_QUOTES);
+               $this->Comments = @html_entity_decode($this->Comments, ENT_QUOTES);
                foreach($this->line_items as $lineno => $line) {
-                       $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id);
-                       $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description);
+                       $this->line_items[$lineno]->stock_id = @html_entity_decode($line->stock_id, ENT_QUOTES);
+                       $this->line_items[$lineno]->item_description = @html_entity_decode($line->item_description, ENT_QUOTES);
                }
                switch($this->trans_type) {
                        case 10:
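Review bot: The four changed html_entity_decode calls pass ENT_QUOTES but no charset, unlike the equivalent calls in maintenance_db.inc in this same commit, which pass `$_SESSION['language']->encoding`; html_entity_decode then falls back to its built-in default (ISO-8859-1 on the PHP versions this code targets), so a numeric entity outside Latin-1 in these fields may decode differently from how it was stored. Pass the same charset here, e.g. `$this->reference = @html_entity_decode($this->reference, ENT_QUOTES, $_SESSION['language']->encoding);`, and likewise for the other three calls. The enclosing method starts and ends outside the hunk, so whether the session is guaranteed to be populated at this point is not visible.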
index 90ac0da6313f05ac905f895a8f825938bf3d495c..85a8d70da85f158148da96426edd489406d5fb14 100644 (file)
@@ -214,6 +214,7 @@ function check_overdue($row)
                debtor.name, 
                branch.br_name,
                debtor.curr_code,
+               @bal := @bal+trans.ov_amount,
                (trans.ov_amount + trans.ov_gst + trans.ov_freight 
                        + trans.ov_freight_tax + trans.ov_discount)     AS TotalAmount, 
                trans.alloc AS Allocated,
@@ -265,6 +266,7 @@ function check_overdue($row)
        }
 
 //------------------------------------------------------------------------------------------------
+db_query("set @bal:=0");
 
 $cols = array(
        _("Type") => array('fun'=>'systype_name', 'ord'=>''),
@@ -276,6 +278,7 @@ $cols = array(
        _("Customer") => array('ord'=>''), 
        _("Branch") => array('ord'=>''), 
        _("Currency") => array('align'=>'center'),
+       _("RB"),
        _("Debit") => array('align'=>'right', 'fun'=>'fmt_debit'), 
        _("Credit") => array('align'=>'right','insert'=>true, 'fun'=>'fmt_credit'), 
                array('insert'=>true, 'fun'=>'gl_view'),
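Review bot: The running balance added in the first hunk accumulates only `trans.ov_amount`, while `TotalAmount` two lines below sums ov_amount, ov_gst, ov_freight, ov_freight_tax and ov_discount, so the new `RB` column will diverge from the Debit/Credit figures beside it unless a net-only balance is intended; if it is not, use `@bal := @bal + trans.ov_amount + trans.ov_gst + trans.ov_freight + trans.ov_freight_tax + trans.ov_discount,`. The reset `db_query("set @bal:=0");` in the second hunk also relies on the same connection serving the later SELECT and on MySQL evaluating the assignment in the order rows are returned, which is not guaranteed once the statement has an ORDER BY, so a sorted or paged view may show balances in scan order rather than display order. The `_("RB")` entry in the third hunk carries no `'align'` option like its neighbours, so the figure presumably renders left-aligned among right-aligned amounts; `_("RB") => array('align'=>'right'),` would match the surrounding columns.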