Start fix [ bug #1437 ] Securitu Issue

Some of them can be fix, because GETPOST even with 'alpha' test do not
warn if input is
"2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e"
for exemple

I don't have magical solution for this kind of security issue

htdocs/core/lib/security2.lib.php

@@ -292,11 +292,11 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	if (! empty($conf->global->MAIN_USE_JQUERY_THEME)) $jquerytheme = $conf->global->MAIN_USE_JQUERY_THEME;
 
 	// Set dol_hide_topmenu, dol_hide_leftmenu, dol_optimize_smallscreen, dol_nomousehover
-	$dol_hide_topmenu=GETPOST('dol_hide_topmenu');
-	$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
-	$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
-	$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
-	$dol_use_jmobile=GETPOST('dol_use_jmobile');
+	$dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
+	$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
+	$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
+	$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
+	$dol_use_jmobile=GETPOST('dol_use_jmobile','int');
 
 	// Include login page template
 	include $template_dir.'login.tpl.php';

htdocs/main.inc.php

@@ -360,16 +360,16 @@ if (! defined('NOLOGIN'))
         // It is not already authenticated and it requests the login / password
         include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
 
-        $dol_dst_observed=GETPOST("dst_observed",3);
-        $dol_dst_first=GETPOST("dst_first",3);
-        $dol_dst_second=GETPOST("dst_second",3);
-        $dol_screenwidth=GETPOST("screenwidth",3);
-        $dol_screenheight=GETPOST("screenheight",3);
-        $dol_hide_topmenu=GETPOST('dol_hide_topmenu',3);
-        $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu',3);
-        $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen',3);
-        $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover',3);
-        $dol_use_jmobile=GETPOST('dol_use_jmobile',3);
+        $dol_dst_observed=GETPOST("dst_observed",'int',3);
+        $dol_dst_first=GETPOST("dst_first",'int',3);
+        $dol_dst_second=GETPOST("dst_second",'int',3);
+        $dol_screenwidth=GETPOST("screenwidth",'int',3);
+        $dol_screenheight=GETPOST("screenheight",'int',3);
+        $dol_hide_topmenu=GETPOST('dol_hide_topmenu','int',3);
+        $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int',3);
+        $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int',3);
+        $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int',3);
+        $dol_use_jmobile=GETPOST('dol_use_jmobile','int',3);
         //dol_syslog("POST key=".join(array_keys($_POST),',').' value='.join($_POST,','));
 
         // If in demo mode, we check we go to home page through the public/demo/index.php page
@@ -1035,11 +1035,11 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
         $themeparam='?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'&userid='.$user->id.'&entity='.$conf->entity;
         $themeparam.=($ext?'&'.$ext:'');
         if (! empty($_SESSION['dol_resetcache'])) $themeparam.='&dol_resetcache='.$_SESSION['dol_resetcache'];
-        if (GETPOST('dol_hide_topmenu'))           { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu'); }
-        if (GETPOST('dol_hide_leftmenu'))          { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu'); }
-        if (GETPOST('dol_optimize_smallscreen'))   { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen'); }
-        if (GETPOST('dol_no_mouse_hover'))         { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover'); }
-        if (GETPOST('dol_use_jmobile'))            { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile'); }
+        if (GETPOST('dol_hide_topmenu'))           { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu','int'); }
+        if (GETPOST('dol_hide_leftmenu'))          { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu','int'); }
+        if (GETPOST('dol_optimize_smallscreen'))   { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen','int'); }
+        if (GETPOST('dol_no_mouse_hover'))         { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover','int'); }
+        if (GETPOST('dol_use_jmobile'))            { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile','int'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int'); }
         //print 'themepath='.$themepath.' themeparam='.$themeparam;exit;
         print '<link rel="stylesheet" type="text/css" title="default" href="'.$themepath.$themeparam.'">'."\n";
 

htdocs/public/demo/index.php

@@ -33,11 +33,11 @@ $langs->load("main");
 $langs->load("install");
 $langs->load("other");
 
-$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu');
-$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu');
-$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen');
-$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover');
-$conf->dol_use_jmobile=GETPOST('dol_use_jmobile');
+$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
+$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
+$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
+$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
+$conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int');
 
 // Security check
 global $dolibarr_main_demo;

htdocs/user/class/user.class.php

@@ -806,7 +806,7 @@ class User extends CommonObject
 
 		$sql = "SELECT login FROM ".MAIN_DB_PREFIX."user";
 		$sql.= " WHERE login ='".$this->db->escape($this->login)."'";
-		$sql.= " AND entity IN (0,".$conf->entity.")";
+		$sql.= " AND entity IN (0,".$this->db->escape($conf->entity).")";
 
 		dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
 		$resql=$this->db->query($sql);
@@ -825,7 +825,7 @@ class User extends CommonObject
 			else
 			{
 				$sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)";
-				$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->entity.")";
+				$sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")";
 				$result=$this->db->query($sql);
 
 				dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
@@ -922,7 +922,7 @@ class User extends CommonObject
 		$this->lastname		= $contact->lastname;
 		$this->firstname	= $contact->firstname;
 		$this->email		= $contact->email;
-    $this->skype 		= $contact->skype;
+    	$this->skype 		= $contact->skype;
 		$this->office_phone	= $contact->phone_pro;
 		$this->office_fax	= $contact->fax;
 		$this->user_mobile	= $contact->phone_mobile;

htdocs/user/class/usergroup.class.php

@@ -589,7 +589,7 @@ class UserGroup extends CommonObject
 		$sql.= ") VALUES (";
 		$sql.= "'".$this->db->idate($now)."'";
 		$sql.= ",'".$this->db->escape($this->nom)."'";
-		$sql.= ",".$entity;
+		$sql.= ",".$this->db->escape($entity);
 		$sql.= ")";
 
 		dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG);
@@ -640,7 +640,7 @@ class UserGroup extends CommonObject
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."usergroup SET ";
 		$sql.= " nom = '" . $this->db->escape($this->nom) . "'";
-		$sql.= ", entity = " . $entity;
+		$sql.= ", entity = " . $this->db->escape($entity);
 		$sql.= ", note = '" . $this->db->escape($this->note) . "'";
 		$sql.= " WHERE rowid = " . $this->id;
 

htdocs/user/fiche.php

@@ -178,16 +178,16 @@ if ($action == 'add' && $canadduser)
 
     if (! $message)
     {
-        $object->lastname		= GETPOST("lastname");
-        $object->firstname	    = GETPOST("firstname");
-        $object->login		    = GETPOST("login");
-        $object->admin		    = GETPOST("admin");
-        $object->office_phone	= GETPOST("office_phone");
-        $object->office_fax	    = GETPOST("office_fax");
+        $object->lastname		= GETPOST("lastname",'alpha');
+        $object->firstname	    = GETPOST("firstname",'alpha');
+        $object->login		    = GETPOST("login",'alpha');
+        $object->admin		    = GETPOST("admin",'alpha');
+        $object->office_phone	= GETPOST("office_phone",'alpha');
+        $object->office_fax	    = GETPOST("office_fax",'alpha');
         $object->user_mobile	= GETPOST("user_mobile");
         $object->skype          = GETPOST("skype");
-        $object->email		    = GETPOST("email");
-        $object->job			= GETPOST("job");
+        $object->email		    = GETPOST("email",'alpha');
+        $object->job			= GETPOST("job",'alpha');
         $object->signature	    = GETPOST("signature");
         $object->accountancy_code = GETPOST("accountancy_code");
         $object->note			= GETPOST("note");
@@ -200,6 +200,7 @@ if ($action == 'add' && $canadduser)
         // If multicompany is off, admin users must all be on entity 0.
         if (! empty($conf->multicompany->enabled))
         {
+        	$entity=GETPOST('entity','int');
         	if (! empty($_POST["superadmin"]))
         	{
         		$object->entity = 0;
@@ -210,12 +211,12 @@ if ($action == 'add' && $canadduser)
         	}
         	else
         	{
-        		$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
+        		$object->entity = (empty($entity) ? 0 : $entity);
         	}
         }
         else
         {
-        	$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
+        	$object->entity = (empty($entity) ? 0 : $entity);
         }
 
         $db->begin();
@@ -316,17 +317,17 @@ if ($action == 'update' && ! $_POST["cancel"])
 
             $object->oldcopy=dol_clone($object);
 
-            $object->lastname	= GETPOST("lastname");
-            $object->firstname	= GETPOST("firstname");
-            $object->login		= GETPOST("login");
+            $object->lastname	= GETPOST("lastname",'alpha');
+            $object->firstname	= GETPOST("firstname",'alpha');
+            $object->login		= GETPOST("login",'alpha');
             $object->pass		= GETPOST("password");
             $object->admin		= empty($user->admin)?0:GETPOST("admin"); // A user can only be set admin by an admin
-            $object->office_phone=GETPOST("office_phone");
-            $object->office_fax	= GETPOST("office_fax");
+            $object->office_phone=GETPOST("office_phone",'alpha');
+            $object->office_fax	= GETPOST("office_fax",'alpha');
             $object->user_mobile= GETPOST("user_mobile");
-            $object->skype    =GETPOST("skype");
-            $object->email		= GETPOST("email");
-            $object->job		= GETPOST("job");
+            $object->skype    	= GETPOST("skype");
+            $object->email		= GETPOST("email",'alpha');
+            $object->job		= GETPOST("job",'alpha');
             $object->signature	= GETPOST("signature");
             $object->accountancy_code	= GETPOST("accountancy_code");
             $object->openid		= GETPOST("openid");
@@ -384,8 +385,8 @@ if ($action == 'update' && ! $_POST["cancel"])
 	            	$contact->fetch($contactid);
 
 	            	$sql = "UPDATE ".MAIN_DB_PREFIX."user";
-	            	$sql.= " SET fk_socpeople=".$contactid;
-	            	if ($contact->socid) $sql.=", fk_societe=".$contact->socid;
+	            	$sql.= " SET fk_socpeople=".$db->escape($contactid);
+	            	if ($contact->socid) $sql.=", fk_societe=".$db->escape($contact->socid);
 	            	$sql.= " WHERE rowid=".$object->id;
             	}
             	else