PEAR.php

@@ -99,6 +99,7 @@ $GLOBALS['_PEAR_error_handler_stack']    = array();
  * @since      Class available since PHP 4.0.2
  * @link        http://pear.php.net/manual/en/core.pear.php#core.pear.pear
  */
+#[\AllowDynamicProperties]
 class PEAR
 {
     // {{{ properties
@@ -814,6 +815,7 @@ function _PEAR_call_destructors()
  * @see        PEAR::raiseError(), PEAR::throwError()
  * @since      Class available since PHP 4.0.2
  */
+#[\AllowDynamicProperties]
 class PEAR_Error
 {
     // {{{ properties

composer.json

@@ -22,6 +22,9 @@
         "dg/rss-php": "^1.5",
         "ezyang/htmlpurifier": "^4.16",
         "tecnickcom/tcpdf": "^6.6",
-	"monolog/monolog": "^3.5"
+	"monolog/monolog": "^3.5",
+        "league/oauth2-client": "^2.7",
+        "phpmailer/phpmailer": "^6.9",
+        "league/oauth2-google": "^4.0"
     }
 }

config.template.php

@@ -111,7 +111,7 @@ $allow_exports = 'all';
 
 // files with one of these extensions will have '.txt' appended to their filename on upload
 // upload_badext default value = php, php3, php4, php5, pl, cgi, py, asp, cfm, js, vbs, html, htm
-$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess');
+$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess', 'phar');
 
 // list_max_entries_per_page default value = 20
 $list_max_entries_per_page = '20';

cron/SendReminder.service

@@ -22,8 +22,8 @@
 //file modified by richie
 
 require_once('include/utils/utils.php');
-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+//require_once("modules/Emails/class.smtp.php");
+//require_once("modules/Emails/class.phpmailer.php");
 require_once("modules/Emails/mail.php");
 require_once('include/logging.php');
 require_once("config.php");
@@ -232,7 +232,7 @@ function send_email($to,$from,$subject,$contents,$mail_server,$mail_server_usern
 	$log->info("This is send_mail function in SendReminder.php(vtiger home).");
 	global $root_directory;
 
-	$mail = new PHPMailer();
+	$mail = new PHPMailer\PHPMailer\PHPMailer();
 
 
 	$mail->Subject	= $subject;

cron/modules/Oauth2/TokenRefresher.service

+<?php
+/*+***********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ *************************************************************************************/
+
+require_once 'modules/Oauth2/handlers/TokenRefresher.php';
+
+$tokenRefresher = new Oauth2_TokenRefresher_Handler();
+$tokenRefresher->refreshAll();
\ No newline at end of file

cron/send_mail.php

@@ -22,13 +22,13 @@
 //file modified by richie
 
 
-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+// require_once("modules/Emails/class.smtp.php");
+// require_once("modules/Emails/class.phpmailer.php");
 require_once 'include/utils/CommonUtils.php';
 
 function sendmail($to,$from,$subject,$contents,$mail_server,$mail_server_username,$mail_server_password,$filename,$smtp_auth='')
 {
-  $mail = new PHPMailer();
+  $mail = new PHPMailer\PHPMailer\PHPMailer();
   $mail->Subject = $subject;
 	$mail->Body    = $contents;//"This is the HTML message body <b>in bold!</b>";
 

data/CRMEntity.php

@@ -650,7 +650,7 @@ class CRMEntity {
 						if(php7_count($IMG_FILES)){
 							foreach($IMG_FILES as $fileIndex => $file) {
 								if($file['error'] == 0 && $file['name'] != '' && $file['size'] > 0) {
-									if(isset($_REQUEST[$fileIndex.'_hidden']) && $_REQUEST[$fileIndex] != '') {
+									if(isset($_REQUEST[$fileIndex.'_hidden']) && $_REQUEST[$fileIndex.'_hidden'] != '') {
 										$file['original_name'] = vtlib_purify($_REQUEST[$fileIndex.'_hidden']);
 									} else {
 										$file['original_name'] = stripslashes($file['name']);
@@ -959,6 +959,13 @@ class CRMEntity {
 					if (isset($resultrow[$fieldkey])) {
 						$fieldvalue = $resultrow[$fieldkey];
 					}
+
+					// load picklist value with umlatus with explict decoding
+					// required for field-value strict check during save.
+					if ($fieldinfo["uitype"] == 15 || $fieldinfo["uitype"] == 16) {
+						$fieldvalue = decode_html($fieldvalue);
+					}
+
 					$this->column_fields[$fieldinfo['fieldname']] = $fieldvalue;
 				}
 			}
@@ -2430,7 +2437,7 @@ class CRMEntity {
 			$fields[] = $value;
 		}
 		$pritablename = $tables[0];
-		$sectablename = $tables[1];
+		$sectablename = isset($tables[1]) ? $tables[1] : '';
 		$prifieldname = $fields[0][0];
 		$secfieldname = $fields[0][1];
 		$tmpname = $pritablename . 'tmp' . $secmodule;
@@ -2470,7 +2477,7 @@ class CRMEntity {
 
 		$secQuery = 'SELECT '.$selectColumns.' '.$secQueryFrom;
 
-		$secQueryTempTableQuery = $queryPlanner->registerTempTable($secQuery, array($column_name, $fields[1], $prifieldname),$secmodule);
+		$secQueryTempTableQuery = $queryPlanner->registerTempTable($secQuery, array($column_name, isset($fields[1]) ? $fields[1] : '', $prifieldname),$secmodule);
 
 		$query = '';
 		if ($pritablename == 'vtiger_crmentityrel') {
@@ -2787,7 +2794,7 @@ class CRMEntity {
 	 * @param <type> $userGroups
 	 */
 	function getNonAdminUserGroupAccessQuery($userGroups) {
-		$query .= " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
+		$query = " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
 		return $query;
 	}
 
@@ -2800,7 +2807,7 @@ class CRMEntity {
 		require('user_privileges/sharing_privileges_' . $user->id . '.php');
 		$tabId = getTabid($module);
 		$sharingRuleInfoVariable = $module . '_share_read_permission';
-		$sharingRuleInfo = $$sharingRuleInfoVariable;
+		$sharingRuleInfo = isset($$sharingRuleInfoVariable) ? $$sharingRuleInfoVariable : array();
 		$sharedTabId = null;
 		$query = '';
 		if (!empty($sharingRuleInfo) && (php7_count($sharingRuleInfo['ROLE']) > 0 ||

include/InventoryPDFController.php

@@ -114,7 +114,7 @@ class Vtiger_InventoryPDFController {
 			$taxable_total = number_format($taxable_total, $no_of_decimal_places,'.','');
 			$producttotal = $taxable_total;
 			if($this->focus->column_fields["hdnTaxType"] == "individual") {
-				for($tax_count=0;$tax_count<php7_count($productLineItem['taxes']);$tax_count++) {
+				foreach($productLineItem['taxes'] as $tax_count => $productLinetItemTaxInfo) {
 					$tax_percent = $productLineItem['taxes'][$tax_count]['percentage'];
 					$total_tax_percent += $tax_percent;
 					$tax_amount = (($taxable_total*$tax_percent)/100);
@@ -201,14 +201,14 @@ class Vtiger_InventoryPDFController {
 		//To calculate the group tax amount
 		if($final_details['taxtype'] == 'group') {
 			$group_tax_details = $final_details['taxes'];
-			for($i=0;$i<php7_count($group_tax_details);$i++) {
+			foreach($group_tax_details as $i => $group_tax_info) {
 				$group_total_tax_percent += isset($group_tax_details[$i]['percentage']) ? $group_tax_details[$i]['percentage'] : 0.00;
 			}
 			$summaryModel->set(getTranslatedString("Tax:", $this->moduleName)."($group_total_tax_percent%)", $this->formatPrice($final_details['tax_totalamount']));
 		}
 		//Shipping & Handling taxes
 		$sh_tax_details = $final_details['sh_taxes'];
-		for($i=0;$i<php7_count($sh_tax_details);$i++) {
+		foreach($sh_tax_details as $i => $sh_tax_info) {
 			$sh_tax_percent = $sh_tax_percent + $sh_tax_details[$i]['percentage'];
 		}
 		//obtain the Currency Symbol
@@ -429,4 +429,4 @@ class Vtiger_InventoryPDFController {
 	}
 
 }
-?>
+?>
\ No newline at end of file

include/Webservices/ConvertLead.php

@@ -145,18 +145,25 @@ function vtws_convertlead($entityvalues, $user) {
 
 
 	try {
-		$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
-		$accountId = $accountIdComponents[1];
-
-		$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
-		$contactId = $contactIdComponents[1];
-
-		if(!empty($entityIds['Potentials'])){
+		$accountId = null;
+		if (isset($entityIds['Accounts']) && $entityIds['Accounts']) {
+			$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
+			$accountId = $accountIdComponents[1];
+		}
+		
+		$contactId = null;		
+		if (isset($entityIds['Contacts']) && $entityIds['Contacts']) {
+			$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
+			$contactId = $contactIdComponents[1];
+		}
+		
+		$potentialId = null;
+		if(isset($entityIds['Potentials']) && $entityIds['Potentials']){
 			$potentialIdComponents = vtws_getIdComponents($entityIds['Potentials']);
 			$potentialId = $potentialIdComponents[1];
 		}
 
-		if (!empty($accountId) && !empty($contactId) && !empty($potentialId)) {
+		if (!empty($contactId) && !empty($potentialId)) {
 			$sql = "insert into vtiger_contpotentialrel values(?,?)";
 			$result = $adb->pquery($sql, array($contactId, $potentialId));
 			if ($result === false) {

include/Webservices/DataTransform.php

@@ -139,6 +139,7 @@
 
 			$row = DataTransform::sanitizeDateFieldsForInsert($row,$meta);
 			$row = DataTransform::sanitizeCurrencyFieldsForInsert($row,$meta);
+			$row = DataTransform::sanitizeStringFields($row,$meta);
 
 			// New field added to store Source of Created Record
 			if (!isset($row['source'])) {
@@ -332,5 +333,16 @@
 			}
 			return $row;
 		}
+
+		static function sanitizeStringFields($row,$meta){
+			if(in_array($meta->getEntityName(),array('Groups', 'Currency', 'Tax', 'ProductTaxes'))){
+				foreach ($row as $field => $value) {
+					if(is_string($value)){
+						$row[$field] = vtlib_purify($value);
+					}
+				}
+			}
+			return $row;
+		}
 	}	
 ?>

include/Webservices/Utils.php

@@ -117,11 +117,19 @@ function vtws_getUserWebservicesGroups($tabId,$user){
 }
 
 function vtws_getIdComponents($elementid){
-	return explode("x",(string)$elementid);
+	$elementid = (string)$elementid;
+	if ($elementid && is_numeric($elementid)) return array($elementid); // during (UserId permission check)
+	if (!$elementid || !preg_match("/[0-9]+x[0-9]+/", $elementid)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
+	return explode("x",$elementid);
 }
 
 function vtws_getId($objId, $elemId){
 	if(is_array($elemId)){$elemId=implode(' ',$elemId);}
+	if(!is_numeric($objId) || !is_numeric($elemId)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $objId."x".$elemId;
 }
 
@@ -695,7 +703,7 @@ function vtws_getFieldfromFieldId($fieldId, $fieldObjectList){
  */
 function vtws_getRelatedActivities($leadId,$accountId,$contactId,$relatedId) {
 
-	if(empty($leadId) || empty($relatedId) || (empty($accountId) && empty($contactId))){
+	if(empty($leadId) || empty($relatedId) || empty($contactId)){
 		throw new WebServiceException(WebServiceErrorCode::$LEAD_RELATED_UPDATE_FAILED,
 			"Failed to move related Activities/Emails");
 	}

include/Webservices/VTQL_Parser.php

@@ -298,7 +298,7 @@ function buildSelectStmt($sqlDump){
 				$this->query = $this->query.','.$columnTable[$fieldcol[$field]].".".$fieldcol[$field];
 			}
 		}
-		if($sqlDump['sortOrder']) {
+		if(isset($sqlDump['sortOrder'])) {
 			$this->query .= ' '.$sqlDump['sortOrder'];
 		}
 	}

include/Webservices/VtigerCRMObject.php

@@ -199,7 +199,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$exists = false;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select 1 from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){
@@ -213,7 +213,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$seType = null;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select setype from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){

include/Webservices/VtigerCRMObjectMeta.php

@@ -20,6 +20,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 	private $hasWriteAccess;//Edit Access
 	private $hasDeleteAccess;
 	private $assignUsers;
+	private $allowDuplicates;
 	
 	function __construct($webserviceObject,$user)
 	{
@@ -39,6 +40,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 		$this->hasCreateAccess = false;
 		$this->hasWriteAccess = false;
 		$this->hasDeleteAccess = false;
+		$this->allowDuplicates = null;
 		$instance = vtws_getModuleInstance($this->webserviceObject);
 		$this->idColumn = $instance->tab_name_index[$instance->table_name];
 		$this->baseTable = $instance->table_name;
@@ -396,7 +398,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 		
 		$heirarchyUsers = get_user_array(false,"ACTIVE",$this->user->id);
 		$groupUsers = vtws_getUsersInTheSameGroup($this->user->id);
-		$this->assignUsers = array_merge($heirarchyUsers, $groupUsers);
+		$this->assignUsers = $heirarchyUsers + $groupUsers;
 		$this->assign = true;
 	}
 	
@@ -567,7 +569,7 @@ class VtigerCRMObjectMeta extends EntityMeta {
 	}
 
 	public function isDuplicatesAllowed() {
-		if (!isset($this->allowDuplicates)) {
+		if (is_null($this->allowDuplicates) || $this->allowDuplicates === null) {
 			$this->allowDuplicates = vtws_isDuplicatesAllowed($this->webserviceObject);
 		}
 		return $this->allowDuplicates;

include/Webservices/VtigerWebserviceObject.php

@@ -92,7 +92,7 @@ class VtigerWebserviceObject{
 			}
 		}
 		
-		$rowData = self::$_fromIdCache[$entityId];
+		$rowData = isset(self::$_fromIdCache[$entityId]) ? self::$_fromIdCache[$entityId] : '';
 		
 		if($rowData) {
 			return new VtigerWebserviceObject($rowData['id'],$rowData['name'],
@@ -129,4 +129,4 @@ class VtigerWebserviceObject{
 	}
 	
 }
-?>
+?>
\ No newline at end of file

include/fields/CurrencyField.php

@@ -198,7 +198,7 @@ class CurrencyField {
      * @return Formatted Currency
      */
 	private function _formatCurrencyValue($value) {
-        if(empty($value)) {
+        if(empty($value) || !is_numeric($value)) {
             $value = 0;
         }
         $currencyPattern = $this->currencyFormat;

include/fields/DateTimeField.php

@@ -379,7 +379,7 @@ class DateTimeField {
 
 		/* If date-value is other than yyyy-mm-dd */
 		if(strpos($value, "-") < 4 && isset($user->date_format) && $user->date_format) {
-			list($date, $time) = explode(' ', $value);
+			list($date, $time) = explode(' ', strpos($value, ' ') ? $value : "$value ");
 			if(!empty($date)) {
 				switch ($user->date_format) {
 					case 'mm.dd.yyyy': list($m, $d, $y) = explode('.', $date); break;
@@ -391,7 +391,7 @@ class DateTimeField {
 				}
 			}
 			if ($y) {
-				$value = "$y-$m-$d ".rtrim($time);
+				$value = "$y-$m-$d ".rtrim($time ? $time : '');
 			}
 		}
 		return $value;

include/utils/EditViewUtils.php

@@ -236,7 +236,7 @@ function getAssociatedProducts($module, $focus, $seid = '', $refModuleName = fal
 			$product_Detail[$i]['delRow'.$i]="Del";
 		}
 
-		if (in_array($module, $lineItemSupportedModules) || $module === 'Vendors' || isset($focus->mode) && (!$focus->mode && $seid)) {
+		if (in_array($module, $lineItemSupportedModules) || $module === 'Vendors' || (!isset($focus->mode) && $seid) || (!$focus->mode && $seid)) {
 			$subProductsQuery = 'SELECT vtiger_seproductsrel.crmid AS prod_id, quantity FROM vtiger_seproductsrel
 								 INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_seproductsrel.crmid
 								 INNER JOIN vtiger_products ON vtiger_products.productid = vtiger_seproductsrel.crmid
@@ -627,4 +627,4 @@ function split_validationdataArray($validationData)
 }
 
 
-?>
+?>
\ No newline at end of file

include/utils/InventoryUtils.php

@@ -201,7 +201,7 @@ function getProductTaxPercentage($type,$productid,$default='')
 		$taxpercentage = decimalFormat($taxpercentage);
 	}
 	$regions=$adb->query_result($res,0, 'regions');
-	return array('percentage' => $taxpercentage, 'regions' => Zend_Json::decode(html_entity_decode(!empty($regions) ? $regions : '')));
+	return array('percentage' => $taxpercentage, 'regions' => Zend_Json::decode(html_entity_decode(!empty($regions) ? $regions : '[]')));
 }
 
 /**	Function used to add the history entry in the relevant tables for PO, SO, Quotes and Invoice modules
@@ -784,12 +784,12 @@ function saveInventoryProductDetails(&$focus, $module, $update_prod_stock='false
 				$taxName = $all_available_taxes[$taxCount]['taxname'];
 				$requestTaxName = $taxName.'_group_percentage';
 				$taxValue = 0;
-				if(isset($_REQUEST[$requestTaxName])) {
+				if(isset($_REQUEST[$requestTaxName]) && !empty($_REQUEST[$requestTaxName])) {
 					$taxValue = vtlib_purify($_REQUEST[$requestTaxName]);
 				}
 
 				$updatequery .= " $taxName = ?,";
-				array_push($updateparams, (-$taxValue));
+				array_push($updateparams, (-1 * $taxValue));
 			}
 		}
 
@@ -1200,7 +1200,7 @@ function getBaseConversionRateForProduct($productid, $mode='edit', $module='Prod
 	$res = $adb->pquery($sql, $params);
 	$conv_rate = $adb->query_result($res, 0, 'conversion_rate');
 
-	return 1 / $conv_rate;
+	return $conv_rate ? (1 / $conv_rate) : 1;
 }
 
 /**	Function used to get the prices for the given list of products based in the specified currency