Compare revisions

ca4ac7ed · 5b23defb · d5394383 · b9c5cd78 · 85ca4368 · 8813d10c
--- a/PEAR.php
+++ b/PEAR.php
@@ -99,6 +99,7 @@ $GLOBALS['_PEAR_error_handler_stack']    = array();
 * @since      Class available since PHP 4.0.2
 * @link        http://pear.php.net/manual/en/core.pear.php#core.pear.pear
 */
+#[\AllowDynamicProperties]
 class PEAR
 {
    // {{{ properties
@@ -814,6 +815,7 @@ function _PEAR_call_destructors()
 * @see        PEAR::raiseError(), PEAR::throwError()
 * @since      Class available since PHP 4.0.2
 */
+#[\AllowDynamicProperties]
 class PEAR_Error
 {
    // {{{ properties

--- a/composer.json
+++ b/composer.json
@@ -22,6 +22,9 @@
        "dg/rss-php": "^1.5",
        "ezyang/htmlpurifier": "^4.16",
        "tecnickcom/tcpdf": "^6.6",
-	"monolog/monolog": "^3.5"
+	"monolog/monolog": "^3.5",
+        "league/oauth2-client": "^2.7",
+        "phpmailer/phpmailer": "^6.9",
+        "league/oauth2-google": "^4.0"
    }
 }
--- a/composer.lock
+++ b/composer.lock
--- a/config.template.php
+++ b/config.template.php
@@ -111,7 +111,7 @@ $allow_exports = 'all';

 // files with one of these extensions will have '.txt' appended to their filename on upload
 // upload_badext default value = php, php3, php4, php5, pl, cgi, py, asp, cfm, js, vbs, html, htm
-$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess');
+$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess', 'phar');

 // list_max_entries_per_page default value = 20
 $list_max_entries_per_page = '20';

--- a/cron/SendReminder.service
+++ b/cron/SendReminder.service
@@ -22,8 +22,8 @@
 //file modified by richie

 require_once('include/utils/utils.php');
-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+//require_once("modules/Emails/class.smtp.php");
+//require_once("modules/Emails/class.phpmailer.php");
 require_once("modules/Emails/mail.php");
 require_once('include/logging.php');
 require_once("config.php");
@@ -232,7 +232,7 @@ function send_email($to,$from,$subject,$contents,$mail_server,$mail_server_usern
 	$log->info("This is send_mail function in SendReminder.php(vtiger home).");
 	global $root_directory;

-	$mail = new PHPMailer();
+	$mail = new PHPMailer\PHPMailer\PHPMailer();


 	$mail->Subject	= $subject;

--- a/cron/modules/Oauth2/TokenRefresher.service
+++ b/cron/modules/Oauth2/TokenRefresher.service
+<?php
+/*+***********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ *************************************************************************************/
+
+require_once 'modules/Oauth2/handlers/TokenRefresher.php';
+
+$tokenRefresher = new Oauth2_TokenRefresher_Handler();
+$tokenRefresher->refreshAll();
\ No newline at end of file
--- a/cron/send_mail.php
+++ b/cron/send_mail.php
@@ -22,13 +22,13 @@
 //file modified by richie


-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+// require_once("modules/Emails/class.smtp.php");
+// require_once("modules/Emails/class.phpmailer.php");
 require_once 'include/utils/CommonUtils.php';

 function sendmail($to,$from,$subject,$contents,$mail_server,$mail_server_username,$mail_server_password,$filename,$smtp_auth='')
 {
-  $mail = new PHPMailer();
+  $mail = new PHPMailer\PHPMailer\PHPMailer();
  $mail->Subject = $subject;
 	$mail->Body    = $contents;//"This is the HTML message body <b>in bold!</b>";


--- a/data/CRMEntity.php
+++ b/data/CRMEntity.php
@@ -959,6 +959,13 @@ class CRMEntity {
 					if (isset($resultrow[$fieldkey])) {
 						$fieldvalue = $resultrow[$fieldkey];
 					}
+
+					// load picklist value with umlatus with explict decoding
+					// required for field-value strict check during save.
+					if ($fieldinfo["uitype"] == 15 || $fieldinfo["uitype"] == 16) {
+						$fieldvalue = decode_html($fieldvalue);
+					}
+
 					$this->column_fields[$fieldinfo['fieldname']] = $fieldvalue;
 				}
 			}
@@ -2787,7 +2794,7 @@ class CRMEntity {
 	 * @param <type> $userGroups
 	 */
 	function getNonAdminUserGroupAccessQuery($userGroups) {
-		$query .= " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
+		$query = " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
 		return $query;
 	}

@@ -2800,7 +2807,7 @@ class CRMEntity {
 		require('user_privileges/sharing_privileges_' . $user->id . '.php');
 		$tabId = getTabid($module);
 		$sharingRuleInfoVariable = $module . '_share_read_permission';
-		$sharingRuleInfo = $$sharingRuleInfoVariable;
+		$sharingRuleInfo = isset($$sharingRuleInfoVariable) ? $$sharingRuleInfoVariable : array();
 		$sharedTabId = null;
 		$query = '';
 		if (!empty($sharingRuleInfo) && (php7_count($sharingRuleInfo['ROLE']) > 0 ||

--- a/include/InventoryPDFController.php
+++ b/include/InventoryPDFController.php
@@ -114,7 +114,7 @@ class Vtiger_InventoryPDFController {
 			$taxable_total = number_format($taxable_total, $no_of_decimal_places,'.','');
 			$producttotal = $taxable_total;
 			if($this->focus->column_fields["hdnTaxType"] == "individual") {
-				for($tax_count=0;$tax_count<php7_count($productLineItem['taxes']);$tax_count++) {
+				foreach($productLineItem['taxes'] as $tax_count => $productLinetItemTaxInfo) {
 					$tax_percent = $productLineItem['taxes'][$tax_count]['percentage'];
 					$total_tax_percent += $tax_percent;
 					$tax_amount = (($taxable_total*$tax_percent)/100);
@@ -201,14 +201,14 @@ class Vtiger_InventoryPDFController {
 		//To calculate the group tax amount
 		if($final_details['taxtype'] == 'group') {
 			$group_tax_details = $final_details['taxes'];
-			for($i=0;$i<php7_count($group_tax_details);$i++) {
+			foreach($group_tax_details as $i => $group_tax_info) {
 				$group_total_tax_percent += isset($group_tax_details[$i]['percentage']) ? $group_tax_details[$i]['percentage'] : 0.00;
 			}
 			$summaryModel->set(getTranslatedString("Tax:", $this->moduleName)."($group_total_tax_percent%)", $this->formatPrice($final_details['tax_totalamount']));
 		}
 		//Shipping & Handling taxes
 		$sh_tax_details = $final_details['sh_taxes'];
-		for($i=0;$i<php7_count($sh_tax_details);$i++) {
+		foreach($sh_tax_details as $i => $sh_tax_info) {
 			$sh_tax_percent = $sh_tax_percent + $sh_tax_details[$i]['percentage'];
 		}
 		//obtain the Currency Symbol
@@ -429,4 +429,4 @@ class Vtiger_InventoryPDFController {
 	}

 }
-?>
\ No newline at end of file
+?>
--- a/include/Webservices/ConvertLead.php
+++ b/include/Webservices/ConvertLead.php
@@ -145,18 +145,25 @@ function vtws_convertlead($entityvalues, $user) {


 	try {
-		$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
-		$accountId = $accountIdComponents[1];
-
-		$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
-		$contactId = $contactIdComponents[1];
-
-		if(!empty($entityIds['Potentials'])){
+		$accountId = null;
+		if (isset($entityIds['Accounts']) && $entityIds['Accounts']) {
+			$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
+			$accountId = $accountIdComponents[1];
+		}
+		
+		$contactId = null;		
+		if (isset($entityIds['Contacts']) && $entityIds['Contacts']) {
+			$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
+			$contactId = $contactIdComponents[1];
+		}
+		
+		$potentialId = null;
+		if(isset($entityIds['Potentials']) && $entityIds['Potentials']){
 			$potentialIdComponents = vtws_getIdComponents($entityIds['Potentials']);
 			$potentialId = $potentialIdComponents[1];
 		}

-		if (!empty($accountId) && !empty($contactId) && !empty($potentialId)) {
+		if (!empty($contactId) && !empty($potentialId)) {
 			$sql = "insert into vtiger_contpotentialrel values(?,?)";
 			$result = $adb->pquery($sql, array($contactId, $potentialId));
 			if ($result === false) {

--- a/include/Webservices/DataTransform.php
+++ b/include/Webservices/DataTransform.php
@@ -139,6 +139,7 @@

 			$row = DataTransform::sanitizeDateFieldsForInsert($row,$meta);
 			$row = DataTransform::sanitizeCurrencyFieldsForInsert($row,$meta);
+			$row = DataTransform::sanitizeStringFields($row,$meta);

 			// New field added to store Source of Created Record
 			if (!isset($row['source'])) {
@@ -332,5 +333,16 @@
 			}
 			return $row;
 		}
+
+		static function sanitizeStringFields($row,$meta){
+			if(in_array($meta->getEntityName(),array('Groups', 'Currency', 'Tax', 'ProductTaxes'))){
+				foreach ($row as $field => $value) {
+					if(is_string($value)){
+						$row[$field] = vtlib_purify($value);
+					}
+				}
+			}
+			return $row;
+		}
 	}	
 ?>
--- a/include/Webservices/Utils.php
+++ b/include/Webservices/Utils.php
@@ -117,11 +117,19 @@ function vtws_getUserWebservicesGroups($tabId,$user){
 }

 function vtws_getIdComponents($elementid){
-	return explode("x",(string)$elementid);
+	$elementid = (string)$elementid;
+	if ($elementid && is_numeric($elementid)) return array($elementid); // during (UserId permission check)
+	if (!$elementid || !preg_match("/[0-9]+x[0-9]+/", $elementid)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
+	return explode("x",$elementid);
 }

 function vtws_getId($objId, $elemId){
 	if(is_array($elemId)){$elemId=implode(' ',$elemId);}
+	if(!is_numeric($objId) || !is_numeric($elemId)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $objId."x".$elemId;
 }

@@ -695,7 +703,7 @@ function vtws_getFieldfromFieldId($fieldId, $fieldObjectList){
 */
 function vtws_getRelatedActivities($leadId,$accountId,$contactId,$relatedId) {

-	if(empty($leadId) || empty($relatedId) || (empty($accountId) && empty($contactId))){
+	if(empty($leadId) || empty($relatedId) || empty($contactId)){
 		throw new WebServiceException(WebServiceErrorCode::$LEAD_RELATED_UPDATE_FAILED,
 			"Failed to move related Activities/Emails");
 	}

--- a/include/Webservices/VtigerCRMObject.php
+++ b/include/Webservices/VtigerCRMObject.php
@@ -199,7 +199,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$exists = false;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select 1 from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){
@@ -213,7 +213,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$seType = null;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select setype from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){

--- a/include/fields/CurrencyField.php
+++ b/include/fields/CurrencyField.php
@@ -198,7 +198,7 @@ class CurrencyField {
     * @return Formatted Currency
     */
 	private function _formatCurrencyValue($value) {
-        if(empty($value)) {
+        if(empty($value) || !is_numeric($value)) {
            $value = 0;
        }
        $currencyPattern = $this->currencyFormat;

--- a/include/fields/DateTimeField.php
+++ b/include/fields/DateTimeField.php
@@ -379,7 +379,7 @@ class DateTimeField {

 		/* If date-value is other than yyyy-mm-dd */
 		if(strpos($value, "-") < 4 && isset($user->date_format) && $user->date_format) {
-			list($date, $time) = explode(' ', $value);
+			list($date, $time) = explode(' ', strpos($value, ' ') ? $value : "$value ");
 			if(!empty($date)) {
 				switch ($user->date_format) {
 					case 'mm.dd.yyyy': list($m, $d, $y) = explode('.', $date); break;
@@ -391,7 +391,7 @@ class DateTimeField {
 				}
 			}
 			if ($y) {
-				$value = "$y-$m-$d ".rtrim($time);
+				$value = "$y-$m-$d ".rtrim($time ? $time : '');
 			}
 		}
 		return $value;

--- a/include/utils/InventoryUtils.php
+++ b/include/utils/InventoryUtils.php
@@ -201,7 +201,7 @@ function getProductTaxPercentage($type,$productid,$default='')
 		$taxpercentage = decimalFormat($taxpercentage);
 	}
 	$regions=$adb->query_result($res,0, 'regions');
-	return array('percentage' => $taxpercentage, 'regions' => Zend_Json::decode(html_entity_decode(!empty($regions) ? $regions : '')));
+	return array('percentage' => $taxpercentage, 'regions' => Zend_Json::decode(html_entity_decode(!empty($regions) ? $regions : '[]')));
 }

 /**	Function used to add the history entry in the relevant tables for PO, SO, Quotes and Invoice modules
@@ -784,12 +784,12 @@ function saveInventoryProductDetails(&$focus, $module, $update_prod_stock='false
 				$taxName = $all_available_taxes[$taxCount]['taxname'];
 				$requestTaxName = $taxName.'_group_percentage';
 				$taxValue = 0;
-				if(isset($_REQUEST[$requestTaxName])) {
+				if(isset($_REQUEST[$requestTaxName]) && !empty($_REQUEST[$requestTaxName])) {
 					$taxValue = vtlib_purify($_REQUEST[$requestTaxName]);
 				}

 				$updatequery .= " $taxName = ?,";
-				array_push($updateparams, (-$taxValue));
+				array_push($updateparams, (-1 * $taxValue));
 			}
 		}


--- a/include/utils/UserInfoUtil.php
+++ b/include/utils/UserInfoUtil.php
@@ -352,21 +352,21 @@ function isPermitted($module,$actionname,$record_id='')
 			}
 		}
 		//Checking for vtiger_tab permission
-		if($profileTabsPermission[$tabid] !=0)
+		if(isset($profileTabsPermission[$tabid]) && $profileTabsPermission[$tabid] !=0)
 		{
 			$permission = "no";
 			$log->debug("Exiting isPermitted method ...");
 			return $permission;
 		}
 		//Checking for Action Permission
-		if(strlen($profileActionPermission[$tabid][$actionid]) <  1 && $profileActionPermission[$tabid][$actionid] == '')
+		if(isset($profileActionPermission[$tabid][$actionid]) && strlen($profileActionPermission[$tabid][$actionid]) <  1 && $profileActionPermission[$tabid][$actionid] == '')
 		{
 			$permission = "yes";
 			$log->debug("Exiting isPermitted method ...");
 			return $permission;
 		}

-		if($profileActionPermission[$tabid][$actionid] != 0 && $profileActionPermission[$tabid][$actionid] != '')
+		if(isset($profileActionPermission[$tabid][$actionid]) && $profileActionPermission[$tabid][$actionid] != 0 && $profileActionPermission[$tabid][$actionid] != '')
 		{
 			$permission = "no";
 			$log->debug("Exiting isPermitted method ...");
@@ -2132,7 +2132,7 @@ function getPermittedModuleNames()
 	{
 		foreach($tab_seq_array as $tabid=>$seq_value)
 		{
-			if($seq_value === 0 && $profileTabsPermission[$tabid] === 0)
+			if($seq_value === 0 && (isset($profileTabsPermission[$tabid]) && $profileTabsPermission[$tabid] === 0))
 			{
 				$permittedModules[]=getTabModuleName($tabid);
 			}
@@ -2171,7 +2171,7 @@ function getPermittedModuleIdList() {
 	if($is_admin == false && $profileGlobalPermission[1] == 1 &&
 			$profileGlobalPermission[2] == 1) {
 		foreach($tab_seq_array as $tabid=>$seq_value) {
-			if($seq_value === 0 && $profileTabsPermission[$tabid] === 0) {
+			if($seq_value === 0 && isset($profileTabsPermission[$tabid]) && $profileTabsPermission[$tabid] === 0) {
 				$permittedModules[]=($tabid);
 			}
 		}

--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -822,15 +822,16 @@ function purifyHtmlEventAttributes($value,$replaceAll = false){
 	$value = Vtiger_Functions::stripInlineOffice365Image($value,true,$office365ImageMarkers);		
 	$tmp_markers = array_merge($tmp_markers, $office365ImageMarkers);
    // remove malicious html attributes with its value.
+	$pattern='/\b(alert|on\w+)\s*\([^)]*\)|\s*(?:on\w+)=(".*?"|\'.*?\'|[^\'">\s]+)\s*/';
    if ($replaceAll) {
-        $value = preg_replace('/\b(alert|on\w+)\s*\([^)]*\)|\s*(?:on\w+)=(".*?"|\'.*?\'|[^\'">\s]+)\s*/', '', $value);
+        $value = preg_replace($pattern, '', $value);
        //remove script tag with contents
        $value = purifyScript($value);
        //purify javascript alert from the tag contents
        $value = purifyJavascriptAlert($value);
 	
    } else {
-        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
+        if (preg_match($pattern, $value)) {
            $value = str_replace("=", "&equals;", $value);
        }
    }
@@ -1054,4 +1055,3 @@ function php7_htmlentities($str) {
 	return $str == null ? $str : htmlentities($str);
 }

-
--- a/include/utils/utils.php
+++ b/include/utils/utils.php
@@ -126,7 +126,7 @@ function get_user_array($add_blank=true, $status="Active", $assigned_user="",$pr
 	}
 	static $user_array = null;
 	if(!$module){
-        $module=$_REQUEST['module'];
+        $module=isset($_REQUEST['module']) ? $_REQUEST['module'] : "";
    }


@@ -197,7 +197,7 @@ function get_group_array($add_blank=true, $status="Active", $assigned_user="",$p
 	}
 	static $group_array = null;
 	if(!$module){
-        $module=$_REQUEST['module'];
+        $module=isset($_REQUEST['module']) ? $_REQUEST['module'] : "";
    }

 	if($group_array == null)

--- a/includes/runtime/Controller.php
+++ b/includes/runtime/Controller.php
@@ -201,7 +201,7 @@ abstract class Vtiger_View_Controller extends Vtiger_Action_Controller {
 			$viewer->assign('NO_EDIT', '');
 			$viewer->assign('SOURCE_MODULE', '');
 			$viewer->assign('OPERATOR', '');
-			$viewer->assign('LISTVIEW_COUNT', 0);
+			$viewer->assign('LISTVIEW_COUNT', '');
 			$viewer->assign('FOLDER_ID', 0);
 			$viewer->assign('FOLDER_VALUE', '');
 			$viewer->assign('VIEWTYPE', '');
No results found