From 81dd5f392e49a94960c250053e375ed135ac9bad Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Sat, 26 Apr 2014 00:01:46 +0200
Subject: [PATCH] A couple of security issues fixed.

---
 access/logout.php | 3 +++
 admin/create_coy.php | 6 +++---
 admin/db/users_db.inc | 4 ++--
 includes/current_user.inc | 2 +-
 includes/session.inc | 4 ++--
 inventory/includes/db/items_db.inc | 6 +++---
 taxes/db/tax_types_db.inc | 4 ++--
 7 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/access/logout.php b/access/logout.php
index 3a8831a1..0e28a56d 100644
--- a/access/logout.php
+++ b/access/logout.php
@@ -9,6 +9,9 @@
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the License here .
 ***********************************************************************/
+
+define("FA_LOGOUT_PHP_FILE","");
+
 $page_security = 'SA_OPEN';
 $path_to_root="..";
 include($path_to_root . "/includes/session.inc");
diff --git a/admin/create_coy.php b/admin/create_coy.php
index 128da260..db276a06 100644
--- a/admin/create_coy.php
+++ b/admin/create_coy.php
@@ -25,11 +25,11 @@ $comp_subdirs = array('images', 'pdf_files', 'backup','js_cache', 'reporting', '
 //---------------------------------------------------------------------------------------------
 if (isset($_GET['selected_id']))
 {
- $selected_id = $_GET['selected_id'];
+ $selected_id = (int)$_GET['selected_id'];
 }
 elseif (isset($_POST['selected_id']))
 {
- $selected_id = $_POST['selected_id'];
+ $selected_id = (int)$_POST['selected_id'];
 }
 else
 $selected_id = -1;
@@ -172,7 +172,7 @@ function handle_delete()
 {
 global $def_coy, $db_connections, $comp_subdirs, $path_to_root;
- $id = $_GET['id'];
+ $id = (int)$_GET['id'];
 // First make sure all company directories from the one under removal are writable.
 // Without this after operation we end up with changed per-company owners!
diff --git a/admin/db/users_db.inc b/admin/db/users_db.inc
index 267029c9..767dad30 100644
--- a/admin/db/users_db.inc
+++ b/admin/db/users_db.inc
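Review bot: The new `define("FA_LOGOUT_PHP_FILE","")` carries no comment explaining that it is a sentinel, so a reader of logout.php cannot tell why an empty-string constant is defined just before session.inc is included. A one-line comment such as `// Sentinel checked by includes/session.inc: when defined, login_timeout() is skipped so logout stays reachable without a valid login.` would tie the two files together. The value itself is never read — session.inc only tests `defined()` — so `true` would work as well and reads less like an accidental empty string.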
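Review bot: `(int)$_GET['selected_id']` stops a string reaching the code below, but any non-numeric or out-of-range input now collapses to 0 (or an arbitrary negative number other than the -1 sentinel) instead of being rejected, and 0 is presumably a valid index into `$db_connections`. Unless the code below the hunk already validates the index, add `if ($selected_id != -1 && !isset($db_connections[$selected_id])) $selected_id = -1;` after the cast chain so an unknown company is treated like "none selected". The same collapse-to-0 applies to `$id = (int)$_GET['id']` in handle_delete() in the next hunk, where a mangled value would point the removal at company 0.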
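Review bot: `$id = (int)$_GET['id']` still reads the key without an isset() guard, so a request that lacks `id` raises a notice and the cast of null yields 0, after which the function would operate on company 0. Guard it, e.g. `$id = isset($_GET['id']) ? (int)$_GET['id'] : -1;`, and return before the directory work when `$id` is -1 or is not a key of `$db_connections`. handle_delete() continues below the hunk, so the directory-permission and removal code it protects is not visible here.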
@@ -197,7 +197,7 @@ function show_users_online()
 }
 // Add user to database
- db_query("INSERT INTO ".TB_PREF."useronline (timestamp, ip, file) VALUES ('". $timestamp ."','". $ip ."','". $_SERVER['PHP_SELF'] ."')");
+ db_query("INSERT INTO ".TB_PREF."useronline (timestamp, ip, file) VALUES ('". $timestamp ."',". db_escape($ip) .",". db_escape($_SERVER['PHP_SELF']) .")");
 //Remove users that were not online within $timeoutseconds.
 db_query("DELETE FROM ".TB_PREF."useronline WHERE timestamp<". $timeout);
@@ -210,4 +210,4 @@ function show_users_online()
 return "$users ".($users == 1 ? _("user online") : _("users online"));
 }
-?>
\ No newline at end of file
+?>
diff --git a/includes/current_user.inc b/includes/current_user.inc
index 76d52f2f..7c7592e8 100644
--- a/includes/current_user.inc
+++ b/includes/current_user.inc
@@ -54,7 +54,7 @@ class current_user
 function set_company($company)
 {
- $this->company = $company;
+ $this->company = (int)$company;
 }
 function login($company, $loginname, $password)
diff --git a/includes/session.inc b/includes/session.inc
index 0089095b..869ce9a8 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -412,7 +412,7 @@ html_cleanup($_SERVER);
 // logout.php is the only page we should have always
 // accessable regardless of access level and current login status.
-if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
+if (!defined('FA_LOGOUT_PHP_FILE')){
 login_timeout();
@@ -481,4 +481,4 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
-?>
\ No newline at end of file
+?>
diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc
index de6ce056..b4666edb 100644
--- a/inventory/includes/db/items_db.inc
+++ b/inventory/includes/db/items_db.inc
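Review bot: `$timestamp` in the INSERT and `$timeout` in the DELETE two lines below are still concatenated into the SQL without db_escape(); both are presumably integers derived from time() above the hunk, but writing them as `(int)$timestamp` and `(int)$timeout` makes the statements safe by construction rather than by convention. The `file` column now stores `$_SERVER['PHP_SELF']`, which is influenced by the request path; db_escape() is the right fix for the INSERT, but wherever that column is later rendered it must be HTML-escaped as well, and that read side is outside this hunk. show_users_online() begins above the hunk, so where `$ip` and `$timestamp` come from is not visible here.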
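Review bot: `$this->company = (int)$company;` silently maps non-numeric input to 0 instead of rejecting it, and nothing in the hunk records that this is intentional. If `company` is an index into `$db_connections`, as admin/create_coy.php in this same patch suggests, a comment such as `// company is an integer index into $db_connections; non-numeric input collapses to 0` would tell the next reader the cast is a type guard, not validation. login() on the following line presumably also receives `$company` from the request; confirm it goes through set_company() or applies the same cast, since its body is outside the hunk.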
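Review bot: The comment above the changed condition still only says logout.php must always be reachable; it should now also say where `FA_LOGOUT_PHP_FILE` is set, because the link to logout.php is no longer visible from the condition itself. Suggested addition: `// access/logout.php defines FA_LOGOUT_PHP_FILE before including this file; the former strstr() test on $_SERVER['PHP_SELF'] was unreliable because PHP_SELF is derived from the request path.` Note that any script that defines the constant skips login_timeout(), so the name must remain unique to logout.php and the comment should say so. The if block continues past the end of the hunk.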
@@ -29,10 +29,10 @@ function update_item($stock_id, $description, $long_description, $category_id,
 editable=".db_escape($editable);
 if ($units != '')
- $sql .= ", units='$units'";
+ $sql .= ", units=".db_escape($units);
 if ($mb_flag != '')
- $sql .= ", mb_flag='$mb_flag'";
+ $sql .= ", mb_flag=".db_escape($mb_flag);
 $sql .= " WHERE stock_id=".db_escape($stock_id);
@@ -158,4 +158,4 @@ function item_in_foreign_codes($stock_id)
 }
 return $msg;
 }
-?>
\ No newline at end of file
+?>
diff --git a/taxes/db/tax_types_db.inc b/taxes/db/tax_types_db.inc
index f42470ef..a9325b60 100644
--- a/taxes/db/tax_types_db.inc
+++ b/taxes/db/tax_types_db.inc
@@ -83,7 +83,7 @@ function delete_tax_type($type_id)
 db_query($sql, "could not delete tax type");
 // also delete any item tax exemptions associated with this type
- $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=$type_id";
+ $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=".db_escape($type_id);
 db_query($sql, "could not delete item tax type exemptions");
@@ -127,4 +127,4 @@ function is_tax_account($account_code)
 }
-?>
\ No newline at end of file
+?>
-- 2.30.2
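Review bot: db_escape() closes the interpolation in the units and mb_flag assignments, but the guards `if ($units != '')` and `if ($mb_flag != '')` use loose comparison, under which an integer 0 or null also compares equal to `''` and is silently skipped rather than written. If the caller always passes strings, `!== ''` is the precise test; if null is meant to mean "leave unchanged", keep the loose test and say so in a comment. `mb_flag` is presumably one of a fixed set of flag characters; validating it against that set at the boundary would be a stronger check than escaping alone. update_item() starts above the hunk, so the earlier part of the UPDATE statement is not visible here.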
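Review bot: `$type_id` is now escaped in the exemptions DELETE, but the `db_query($sql, "could not delete tax type")` at the top of the hunk runs an `$sql` built above the hunk from the same `$type_id`; confirm that statement also uses `db_escape($type_id)`, otherwise this change closes only half of delete_tax_type(). Since tax_type_id is an integer key, a single `$type_id = (int)$type_id;` at the start of the function would cover both statements in one place. delete_tax_type() begins above this hunk.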