Merged master into dashboards2

2015-04-08 15:48:40 -04:00
parent 6febb11930 c59bbc53b6
commit 046e08939e
47 changed files with 266 additions and 119 deletions
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -3797,6 +3797,10 @@ class Cases
                if (!is_dir($strPathName)) {
                    G::verifyPath($strPathName, true);
                }
+                
+                G::LoadSystem('inputfilter');
+                $filter = new InputFilter();
+                $file = $filter->xssFilterHard($file, 'path');

                copy($file, $strPathName . $strFileName);
                chmod($strPathName . $strFileName, 0666);
--- a/workflow/engine/classes/class.pmLicenseManager.php
+++ b/workflow/engine/classes/class.pmLicenseManager.php
@@ -442,6 +442,10 @@ class pmLicenseManager
            $LicenseStatus = $this->lookForStatusLicense(); //we're looking for a status ACTIVE

            //getting the content from file
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $path = $filter->xssFilterHard($path, 'path');
+                
            $handle = fopen ( $path, "r" );
            $contents = fread ( $handle, filesize ( $path ) );
            fclose ( $handle );
--- a/workflow/engine/classes/class.system.php
+++ b/workflow/engine/classes/class.system.php
@@ -287,6 +287,7 @@ class System
        $tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : '';
        $this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) );
        $sTemFilename = $tempFilename;
+        $sTemFilename = $filter->xssFilterHard($sTemFilename, 'path');
        $pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path');
        $this->sFilename = $pathFile;
        $this->sPath = dirname( $this->sFilename ) . PATH_SEP;
--- a/workflow/engine/controllers/adminProxy.php
+++ b/workflow/engine/controllers/adminProxy.php
@@ -1086,6 +1086,8 @@ class adminProxy extends HttpProxyController
        } elseif ($files_img_type != '') {
            $failed = "1";
        }
+        $uploaded = $filter->validateInput($uploaded,'int');
+        $files_img_type = $filter->xssFilterHard($files_img_type);
        echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
        exit();
    }
--- a/workflow/engine/controllers/pmTablesProxy.php
+++ b/workflow/engine/controllers/pmTablesProxy.php
@@ -669,10 +669,12 @@ class pmTablesProxy extends HttpProxyController
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $countRow = 250;
-        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
+        $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
            $filename = $_FILES['form']['name']['CSV_FILE'];
            $filename = $filter->xssFilterHard($filename, 'path');
-            if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
+            if ($oFile = fopen( $tmpfilename, 'r' )) {
                require_once 'classes/model/AdditionalTables.php';
                $oAdditionalTables = new AdditionalTables();
                $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
@@ -767,10 +769,12 @@ class pmTablesProxy extends HttpProxyController
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
-        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
+        $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
            $filename = $_FILES['form']['name']['CSV_FILE'];
            $filename = $filter->xssFilterHard($filename, 'path');
-            if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
+            if ($oFile = fopen( $tmpfilename, 'r' )) {
                require_once 'classes/model/AdditionalTables.php';
                $oAdditionalTables = new AdditionalTables();
                $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
--- a/workflow/engine/menus/processmaker.php
+++ b/workflow/engine/menus/processmaker.php
@@ -52,7 +52,6 @@ if ($RBAC->userCanAccess('PM_SETUP') == 1 || $RBAC->userCanAccess('PM_USERS') ==
 }

 /*----------------------------------********---------------------------------*/
-/*NEW DASHBOARD MODULE*/
 $licensedFeatures = & PMLicensedFeatures::getSingleton();
 if ($licensedFeatures->verifyfeature('r19Vm5DK1UrT09MenlLYjZxejlhNUZ1b1NhV0JHWjBsZEJ6dnpJa3dTeWVLVT0=') && ($RBAC->userCanAccess('PM_SETUP') == 1 || $RBAC->userCanAccess('PM_USERS') == 1)) {
    $G_TMP_MENU->AddIdRawOption('DASHBOARD+', 'strategicDashboard/main', G::LoadTranslation('ID_STRATEGIC_DASHBOARD'), '', '', '', 'x-pm-dashboard');
--- a/workflow/engine/methods/controls/buscador.php
+++ b/workflow/engine/methods/controls/buscador.php
@@ -1,53 +0,0 @@
-<?php
-/**
- * buscador.php
- *
- * ProcessMaker Open Source Edition
- * Copyright (C) 2004 - 2008 Colosa Inc.23
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
- * Coral Gables, FL, 33134, USA, or email info@colosa.com.
- */
-$frm = $HTTP_GET_VARS;
-
-?>
-
-<h1>demo de buscador</h1>
-<form method=post action="buscador2.php">
-	<input type=hidden name=ticket value="<?php echo $frm['ticket'] ?>"> <input
-		type=hidden name=tipo value="<?php echo $frm['tipo'] ?>">
-Buscador tipo : <?php echo $frm['tipo'] ?><br>
-
-	<table>
-		<tr>
-			<td>curso</td>
-			<td><select name=curso>
-					<option value="curso1">Curso 1</option>
-					<option value="curso2">Curso 2</option>
-					<option value="curso3">Curso 3</option>
-					<option value="curso4">Curso 4</4option>
-
-					<option value="curso5">Curso 5</option></td>
-		</tr>
-		<tr>
-			<td colspan=2><input type=submit></td>
-		</tr>
-	</table>
-</form>
-</body>
-</html>
-<?php
-
--- a/workflow/engine/methods/oauth2/grant.php
+++ b/workflow/engine/methods/oauth2/grant.php
@@ -14,7 +14,7 @@ $code = empty($_GET['code']) ? 'NN' : $_GET['code'];

 $clientId = 'x-pm-local-client';
 $secret = '179ad45c6ce2cb97cf1029e212046e81';
-
+$userPwd = $clientId.':'.$secret;
 $data = array(
    'grant_type' => 'authorization_code',
    'code' => $code
@@ -23,7 +23,7 @@ $data = array(
 $ch = curl_init($endpoint);

 curl_setopt($ch, CURLOPT_HEADER, false);
-curl_setopt($ch, CURLOPT_USERPWD, $clientId.':'.$secret);
+curl_setopt($ch, CURLOPT_USERPWD, $userPwd);
 curl_setopt($ch, CURLOPT_TIMEOUT, 30);
 curl_setopt($ch, CURLOPT_POST, 1);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
--- a/workflow/engine/methods/services/login_getStarted.php
+++ b/workflow/engine/methods/services/login_getStarted.php
@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
 $oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
 */
 $userName = 'admin';
-$userPass = 'The password introduced at the time of installing the application. (If you did not change the password by default is "admin")';
+$userPass = "The password introduced at the time of installing the application. (If you did not change the password by default is $userName)";
 if(isset($_SESSION['NW_PASSWORD'])){
  if($_SESSION['NW_PASSWORD'] != ''){
    $userPass = $_SESSION['NW_PASSWORD'];
--- a/workflow/engine/methods/setup/languages_Import.php
+++ b/workflow/engine/methods/setup/languages_Import.php
@@ -61,6 +61,7 @@ try {

    $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
    $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
+    $languageFile = $filter->xssFilterHard($languageFile, 'path');
    $languageFilename = $filter->xssFilterHard($languageFilename, 'path');
    if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
        $zp = gzopen( $languageFile, "r" );
--- a/workflow/engine/methods/setup/webServicesAjax.php
+++ b/workflow/engine/methods/setup/webServicesAjax.php
@@ -1510,8 +1510,8 @@ try {
                die();
                break;
            default:
-                $_POST = $filter->xssFilterHard($_POST);
-                print_r( $_POST );
+                $post = $filter->xssFilterHard($_POST);
+                print_r( $post );
        }
    }