diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php index dbe90bdb0..f4f849bbe 100755 --- a/gulliver/system/class.dbMaintenance.php +++ b/gulliver/system/class.dbMaintenance.php @@ -305,8 +305,12 @@ class DataBaseMaintenance function backupData () { $aTables = $this->getTablesList(); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $aTables = $filter->xssFilterHard($aTables); foreach ($aTables as $table) { if ($this->dumpData( $table ) !== false) { + $this->outfile = $filter->xssFilterHard($this->outfile); printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" ); } else { return false; @@ -343,6 +347,11 @@ class DataBaseMaintenance { $aTables = $this->getTablesList(); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $aTables = $filter->xssFilterHard($aTables); + $this->tmpDir = $filter->xssFilterHard($this->tmpDir); + $this->infile = $filter->xssFilterHard($this->infile); foreach ($aTables as $table) { if (isset( $type ) && $type == 'sql') { @@ -467,6 +476,7 @@ class DataBaseMaintenance G::LoadSystem('inputfilter'); $filter = new InputFilter(); + $table = $filter->xssFilterHard($table); $table = $filter->validateInput($table, 'nosql'); $bytesSaved = 0; $query = "SELECT * FROM `%s`"; @@ -492,6 +502,7 @@ class DataBaseMaintenance $data .= ");\n"; } + $data = $filter->xssFilterHard($data); printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" ); return $data; } diff --git a/gulliver/system/class.pagedTable.php b/gulliver/system/class.pagedTable.php index 54a0a866b..9439bbcfe 100755 --- a/gulliver/system/class.pagedTable.php +++ b/gulliver/system/class.pagedTable.php 
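Review bot: In the backupData hunk the table names returned by getTablesList() are rewritten with xssFilterHard before they reach dumpData, which interpolates the name into `SELECT * FROM `%s``; an HTML-oriented filter is not a check for a SQL identifier, and a name it alters no longer matches the real table, so the dump silently targets the wrong object or fails. The same applies to the restoreData hunk and to the `$table = $filter->xssFilterHard($table);` line added ahead of validateInput in dumpData. Since the names come from the server's own table list, the robust guard is to reject rather than rewrite, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) { return false; }` before the query string is built. Filtering `$this->outfile`, `$this->tmpDir` and `$this->infile` likewise mutates filesystem paths the object later opens; if those can be influenced by a caller, the relevant check is path containment (realpath against the expected directory), not HTML escaping.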
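Review bot: `$data = $filter->xssFilterHard($data);` at the end of dumpData runs the XSS filter over the generated SQL INSERT text itself, so any stored value the filter alters is changed before it is written and the backup no longer restores the original rows; the only consumer in this hunk is the CLI printf, which prints `strlen($data)`, not the contents. The line should be removed, and if the console message was the concern, escape only what is printed. Note also that `strlen($data)` is taken after the filter, so the "Bytes Saved" figure would not describe the unfiltered dump either.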
@@ -778,6 +778,13 @@ class pagedTable */ public function renderTable ($block = '') { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $this->orderBy = $filter->xssFilterHard($this->orderBy); + $this->currentPage = $filter->xssFilterHard($this->currentPage); + $this->id = $filter->xssFilterHard($this->id); + $this->name = $filter->xssFilterHard($this->name); + $this->ownerPage = $filter->xssFilterHard($this->ownerPage); // DBConnection $this->prepareQuery(); //Query for get the number of rows @@ -797,6 +804,9 @@ class pagedTable $this->tpl->assign( 'pagedTable_Id', $this->id ); $this->tpl->assign( 'pagedTable_Name', $this->name ); $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height ); + $this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home); + $this->filterForm = $filter->xssFilterHard($this->filterForm); + $this->menu = $filter->xssFilterHard($this->menu); if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) { $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home ); if ($this->menu === '') { @@ -893,10 +903,14 @@ class pagedTable $this->tpl->assign( 'rowId', 'insertAtLast' ); if ($this->currentPage > 1) { $firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1'; + $firstUrl = $filter->xssFilterHard($firstUrl); $firstAjax = $this->id . ".doGoToPage(1);return false;"; + $firstAjax = $filter->xssFilterHard($firstAjax); $prevpage = $this->currentPage - 1; $prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage; + $prevUrl = $filter->xssFilterHard($prevUrl); $prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;"; + $prevAjax = $filter->xssFilterHard($prevAjax); $first = " "; $prev = " "; } else { 
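Review bot: In the renderTable hunk `$this->currentPage = $filter->xssFilterHard($this->currentPage);` turns a value used arithmetically later in the same method (`$this->currentPage - 1`, `$this->currentPage + 1`) into whatever the string filter returns; the fitting check for a page number is a cast, `$this->currentPage = (int) $this->currentPage;`, which also makes the per-URL filtering in the later hunks unnecessary for that component. In the second hunk `$this->filterForm` and `$this->xmlForm->home` are filtered just before being concatenated into `file_exists($this->xmlForm->home . $this->filterForm . '.xml')`; if `filterForm` can originate from request input, what matters there is that it contain no directory separators or `..`, which an HTML filter does not guarantee, so validate it as a bare name (`basename()` or a `[A-Za-z0-9_]+` match) instead. renderTable continues beyond this hunk.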
@@ -905,10 +919,14 @@ class pagedTable } if ($this->currentPage < $this->totpages) { $lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages; + $lastUrl = $filter->xssFilterHard($lastUrl); $lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;"; + $lastAjax = $filter->xssFilterHard($lastAjax); $nextpage = $this->currentPage + 1; $nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage; + $nextUrl = $filter->xssFilterHard($nextUrl); $nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;"; + $nextAjax = $filter->xssFilterHard($nextAjax); $next = " "; $last = " "; } else { @@ -919,7 +937,8 @@ class pagedTable for ($r = 1; $r <= $this->totpages; $r ++) { if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) { $pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;"; - if ($r != $this->currentPage) { + if ($r != $this->currentPage) { + $pageAjax = $filter->xssFilterHard($pageAjax); $pagesEnum .= " ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . ""; } else { $pagesEnum .= " " . $r . ""; diff --git a/rbac/engine/templates/testAuthenticationSource.php b/rbac/engine/templates/testAuthenticationSource.php index 53207e126..af7d92ceb 100755 --- a/rbac/engine/templates/testAuthenticationSource.php +++ b/rbac/engine/templates/testAuthenticationSource.php @@ -22,6 +22,10 @@ * Coral Gables, FL, 33134, USA, or email info@colosa.com. * */ + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS); + global $G_TABLE; global $G_CONTENT; global $HTTP_SESSION_VARS; @@ -88,7 +92,8 @@ $oResult = $oLdap->search($rootDn, $sFilter, $aParams); if (PEAR::isError($oResult)) { - print ( $oLdap->message); + $oLdap->message = $filter->xssFilterHard($oLdap->message); + print ( $oLdap->message); return $oResult; } /* 
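Review bot: In the `@@ -919` hunk the new `$pageAjax = $filter->xssFilterHard($pageAjax);` still leaves `$pageAjax` concatenated raw into the `onclick="…"` attribute on the following `$pagesEnum .=` line, while the href beside it is encoded with `htmlentities(..., ENT_QUOTES, 'utf-8')`; xssFilterHard is not an attribute encoder, so a quote in `$this->id` could still terminate the attribute. Encode at the output point like the href does, `"\" onclick=\"" . htmlentities($pageAjax, ENT_QUOTES, 'utf-8') . "\">"`, and keep that outside the `if`, since the same `$this->id` reaches both branches. The other page-link hunks (`@@ -893` and `@@ -905`) have the same shape: the filter is applied to a fully assembled URL or JS snippet rather than to the one untrusted component (`orderBy`, `ownerPage`, `id`), which is what should be validated or URL-encoded before the string is built.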
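Review bot: In the testAuthenticationSource.php hunk the assignment `$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);` comes before `global $HTTP_SESSION_VARS;`; if this template is included from function scope, the assignment writes a local that the later `global` statement rebinds to the untouched global, discarding the filtered copy. The `global` declarations should come first and the filter after them. `$HTTP_SESSION_VARS` is also the pre-5.4 long-name alias of `$_SESSION`, so on a current PHP the line may be operating on an undefined variable; worth confirming which variable is actually populated here before relying on the filter.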
diff --git a/workflow/engine/bin/tasks/cliMafe.php b/workflow/engine/bin/tasks/cliMafe.php index d0655eede..c326613a4 100644 --- a/workflow/engine/bin/tasks/cliMafe.php +++ b/workflow/engine/bin/tasks/cliMafe.php @@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation'); function run_create_translation($args, $opts) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $opts = $filter->xssFilterHard($opts); + $args = $filter->xssFilterHard($args); $rootDir = realpath(__DIR__."/../../../../"); $app = new Maveriks\WebApplication(); $app->setRootDir($rootDir); @@ -53,7 +57,6 @@ function run_create_translation($args, $opts) foreach ($workspaces as $workspace) { try { echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n"; - $app->loadEnvironment($workspace->name, $loadConstants); $translation->generateTransaltionMafe($lang); } catch (Exception $e) { echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n"; diff --git a/workflow/engine/bin/tasks/cliWorkspaces.php b/workflow/engine/bin/tasks/cliWorkspaces.php index 81958296f..3c4c0e8e6 100755 --- a/workflow/engine/bin/tasks/cliWorkspaces.php +++ b/workflow/engine/bin/tasks/cliWorkspaces.php @@ -228,6 +228,10 @@ function run_info($args, $opts) { } function run_workspace_upgrade($args, $opts) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $opts = $filter->xssFilterHard($opts); + $args = $filter->xssFilterHard($args); $workspaces = get_workspaces_from_args($args); $first = true; $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en'; 
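Review bot: In run_create_translation (and in the run_workspace_upgrade, run_translation_upgrade, run_cacheview_upgrade, database_upgrade and run_database_generate_self_service_by_value hunks of cliWorkspaces.php) the CLI `$args`/`$opts` are passed through xssFilterHard before `get_workspaces_from_args($args)`; these values are workspace names that select directories and database configuration, so an HTML filter is the wrong control and, if it alters a name, the command quietly operates on a different or non-existent workspace. The check that actually protects the filesystem lookup is a strict name match applied where the name is resolved, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) { throw new Exception("invalid workspace name: $name"); }`, which would cover every caller in one place. If the per-task copies are kept, extract one helper rather than repeating the same four lines in each task.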
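Review bot: Removing `$app->loadEnvironment($workspace->name, $loadConstants);` from the per-workspace loop in run_create_translation means `$translation->generateTransaltionMafe($lang)` now runs for every workspace under whichever environment was last loaded, unless the environment switch moved somewhere outside this hunk. If it did, a one-line comment at the loop (`// per-workspace environment is loaded in …`) would keep the next reader from re-adding the call; if it did not, every workspace after the first is processed against the wrong database and configuration. The loop and the function start above this hunk.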
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) { } function run_translation_upgrade($args, $opts) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $opts = $filter->xssFilterHard($opts); + $args = $filter->xssFilterHard($args); $workspaces = get_workspaces_from_args($args); $first = true; foreach ($workspaces as $workspace) { @@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) { } function run_cacheview_upgrade($args, $opts) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $opts = $filter->xssFilterHard($opts); + $args = $filter->xssFilterHard($args); $workspaces = get_workspaces_from_args($args); $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en'; foreach ($workspaces as $workspace) { @@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) { } function database_upgrade($command, $args) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $command = $filter->xssFilterHard($command); + $args = $filter->xssFilterHard($args); $workspaces = get_workspaces_from_args($args); $checkOnly = (strcmp($command, "check") == 0); foreach ($workspaces as $workspace) { @@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) { function run_database_generate_self_service_by_value($args, $opts) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $opts = $filter->xssFilterHard($opts); + $args = $filter->xssFilterHard($args); try { $arrayWorkspace = get_workspaces_from_args($args); diff --git a/workflow/engine/classes/class.webdav.php b/workflow/engine/classes/class.webdav.php index f6ae9a789..bc56cca59 100755 --- a/workflow/engine/classes/class.webdav.php +++ b/workflow/engine/classes/class.webdav.php 
@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server */ public function GET(&$options) { - $paths = $this->paths; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $options = $filter->xssFilterHard($options); + $paths = $filter->xssFilterHard($this->paths); $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP; if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) { $fsFile = $pathClasses . $paths[1]; + $fsFile = $filter->xssFilterHard($fsFile); if (count($paths) == 2 && file_exists($fsFile)) { $content = file_get_contents($fsFile); + $content = $filter->xssFilterHard($content); print $content; header("Content-Type: " . mime_content_type($fsFile)); header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT"); @@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server if (count($paths) == 4 && $paths[2] == 'xmlforms') { $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP; $fsFile = $pathXmlform . $paths[3]; + $fsFile = $filter->xssFilterHard($fsFile); if (count($paths) == 4 && file_exists($fsFile)) { $content = file_get_contents($fsFile); + $content = $filter->xssFilterHard($content); print $content; header("Content-Type: " . mime_content_type($fsFile)); header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT"); @@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server if (count($paths) == 4 && $paths[2] == 'mailTemplates') { $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP; $fsFile = $pathTemplates . $paths[3]; + $fsFile = $filter->xssFilterHard($fsFile); if (count($paths) == 4 && file_exists($fsFile)) { $content = file_get_contents($fsFile); + $content = $filter->xssFilterHard($content); print $content; header("Content-Type: " . mime_content_type($fsFile)); header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT"); 
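Review bot: In the GET hunk `$fsFile = $pathClasses . $paths[1];` is built from request path segments and then only passed through xssFilterHard before `file_exists`/`file_get_contents`; nothing in this hunk stops a segment containing `..` (or an encoded separator, depending on how `$this->paths` is split) from resolving outside `$pathClasses`, and an HTML filter is not designed to. The same pattern repeats in the xmlforms, mailTemplates and public_html branches (hunks `@@ -418`, `@@ -431` and `@@ -444`). Resolve and check containment instead: `$fsFile = realpath($pathClasses . $paths[1]);` followed by a test that `$fsFile !== false` and that it starts with `realpath($pathClasses) . PATH_SEP`, treating anything else as not found. Separately, `$content = $filter->xssFilterHard($content);` rewrites the bytes of the file being served (public_html can hold images and scripts the client expects verbatim), so that line alters responses rather than protecting them and should be dropped; the `header()` calls after `print $content` are pre-existing and already come too late to take effect.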
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server if (count($paths) == 4 && $paths[2] == 'public_html') { $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP; $fsFile = $pathPublic . $paths[3]; + $fsFile = $filter->xssFilterHard($fsFile); if (count($paths) == 4 && file_exists($fsFile)) { $content = file_get_contents($fsFile); + $content = $filter->xssFilterHard($content); print $content; header("Content-Type: " . mime_content_type($fsFile)); header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT"); diff --git a/workflow/engine/classes/class.wsTools.php b/workflow/engine/classes/class.wsTools.php index 08bc6c346..4a075a6f5 100755 --- a/workflow/engine/classes/class.wsTools.php +++ b/workflow/engine/classes/class.wsTools.php @@ -1842,12 +1842,14 @@ class workspaceTools throw $e; } } + /** * Migrate all cases to New list * * return all LIST TABLES with data */ - public function migrateList ($workSpace){ + public function migrateList ($workSpace) + { $this->initPropel(true); $appCache = new AppCacheView(); G::LoadClass("case"); @@ -1877,7 +1879,7 @@ class workspaceTools $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC); //Insert new data LIST_COMPLETED while ($rsCriteria->next()) { - $row = $rsCriteria->getRow(); + $row = $rsCriteria->getRow(); $listCompleted = new ListCompleted(); $listCompleted->remove($row["APP_UID"]); $listCompleted->setDeleted(false); 
@@ -1887,32 +1889,39 @@ class workspaceTools //Select data TO_DO OR DRAFT $inbCriteria = $appCache->getSelAllColumns(); - $inbCriteria->add(AppCacheViewPeer::APP_STATUS, "CANCELLED", CRITERIA::NOT_EQUAL); $rsCriteria = AppCacheViewPeer::doSelectRS($inbCriteria); $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC); + //Insert new data LIST_INBOX while ($rsCriteria->next()) { - $row = $rsCriteria->getRow(); - if($row["DEL_THREAD_STATUS"] == 'OPEN'){ - $listInbox = new ListInbox(); - $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]); - $listInbox->setDeleted(false); - $listInbox->create($row); - } else { - // create participated List when the thread is CLOSED - $listParticipatedHistory = new ListParticipatedHistory(); - $listParticipatedHistory->remove($row['APP_UID'],$row['DEL_INDEX']); - $listParticipatedHistory = new ListParticipatedHistory(); - $listParticipatedHistory->create($row); - $listParticipatedLast = new ListParticipatedLast(); - $listParticipatedLast->remove($row['APP_UID'], $row['USR_UID']); - $listParticipatedLast = new ListParticipatedLast(); - $listParticipatedLast->create($row); - $listParticipatedLast = new ListParticipatedLast(); - $listParticipatedLast->refresh($row); - } + $row = $rsCriteria->getRow(); + $isSelfService = ($row['USR_UID'] == '') ? 
true : false; + if($row["DEL_THREAD_STATUS"] == 'OPEN'){ + $row["DEL_PREVIOUS_USR_UID"] = $row["PREVIOUS_USR_UID"]; + $listInbox = new ListInbox(); + $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]); + $listInbox->setDeleted(false); + $listInbox->create($row, $isSelfService); + } else { + // create participated List when the thread is CLOSED + $listParticipatedHistory = new ListParticipatedHistory(); + $listParticipatedHistory->remove($row['APP_UID'], $row['DEL_INDEX']); + $listParticipatedHistory = new ListParticipatedHistory(); + $listParticipatedHistory->create($row); + + $oCriteria = new Criteria('workflow'); + $oCriteria->add(ListParticipatedLastPeer::APP_UID, $row['APP_UID']); + $oCriteria->add(ListParticipatedLastPeer::USR_UID, $row['USR_UID']); + ListParticipatedLastPeer::doDelete($oCriteria); + + $listParticipatedLast = new ListParticipatedLast(); + $listParticipatedLast->create($row); + $listParticipatedLast = new ListParticipatedLast(); + $listParticipatedLast->refresh($row); + } } + CLI::logging("> Completed table LIST_INBOX\n"); //With this List is populated the LIST_PARTICIPATED_HISTORY and LIST_PARTICIPATED_LAST CLI::logging("> Completed table LIST_PARTICIPATED_HISTORY\n"); @@ -1922,7 +1931,7 @@ class workspaceTools $myiCriteria = $appCache->getSelAllColumns(); $myiCriteria->add(AppCacheViewPeer::DEL_INDEX, "1", CRITERIA::EQUAL); $rsCriteria = AppCacheViewPeer::doSelectRS($myiCriteria); - $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC); + $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC); //Insert new data LIST_MY_INBOX while ($rsCriteria->next()) { $row = $rsCriteria->getRow(); 
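Review bot: In the LIST_INBOX loop the old `$listParticipatedLast->remove($row['APP_UID'], $row['USR_UID'])` is replaced by a direct `ListParticipatedLastPeer::doDelete($oCriteria)`; per the ListParticipatedLast.php hunk further down, `remove()` also calls `$users->refreshTotal($usr_uid, 'removed', 'participated')`, so the direct delete skips that counter update unless the later `$listParticipatedLast->refresh($row)` recomputes it — worth confirming, and the ListInbox.php hunk makes the same substitution. Two smaller points: `$isSelfService = ($row['USR_UID'] == '') ? true : false;` is a loose comparison wrapped in a redundant ternary, and `$isSelfService = ((string) $row['USR_UID'] === '');` says the same thing for both null and empty-string values; and dropping the `APP_STATUS != 'CANCELLED'` condition from `$inbCriteria` now migrates cancelled cases into LIST_INBOX whenever their thread is still OPEN, which deserves a comment if intended. migrateList begins before this hunk.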
@@ -1939,7 +1948,13 @@ class workspaceTools $delaycriteria->addSelectColumn(AppDelayPeer::PRO_UID); $delaycriteria->addSelectColumn(AppDelayPeer::APP_DEL_INDEX); $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_NUMBER); - $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID, Criteria::INNER_JOIN ); + $delaycriteria->addSelectColumn(AppCacheViewPeer::USR_UID); + $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_STATUS); + $delaycriteria->addSelectColumn(AppCacheViewPeer::TAS_UID); + + $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID . ' AND ' . AppCacheViewPeer::DEL_INDEX . ' = ' . AppDelayPeer::APP_DEL_INDEX, Criteria::INNER_JOIN ); + $delaycriteria->add(AppDelayPeer::APP_DISABLE_ACTION_USER, "0", CRITERIA::EQUAL); + $delaycriteria->add(AppDelayPeer::APP_TYPE, "PAUSE", CRITERIA::EQUAL); $rsCriteria = AppDelayPeer::doSelectRS($delaycriteria); $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC); //Insert new data LIST_PAUSED @@ -1948,7 +1963,6 @@ class workspaceTools $data = $row; $data["DEL_INDEX"] = $row["APP_DEL_INDEX"]; $listPaused = new ListPaused(); - $listPaused->remove($data["APP_UID"],$data["DEL_INDEX"]); $listPaused->setDeleted(false); $listPaused->create($data); } @@ -1965,7 +1979,7 @@ class workspaceTools $del->doDeleteAll(); while ($rsCriteria->next()) { $row = $rsCriteria->getRow(); - $listUnassigned = new ListUnassigned(); + $listUnassigned = new ListUnassigned(); $unaUid = $listUnassigned->generateData($row["APP_UID"],$row["PREVIOUS_USR_UID"]); } CLI::logging("> Completed table LIST_UNASSIGNED\n"); @@ -2005,7 +2019,8 @@ class workspaceTools } $this->listFirstExecution('insert'); return true; - } + } + /** * This function checks if List tables are going to migrated * diff --git a/workflow/engine/classes/model/ListInbox.php b/workflow/engine/classes/model/ListInbox.php index 05e2cd51f..68c1ac873 100644 --- a/workflow/engine/classes/model/ListInbox.php 
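Review bot: In the LIST_PAUSED loop (`@@ -1948`) the `$listPaused->remove($data["APP_UID"],$data["DEL_INDEX"]);` call before `create($data)` is dropped, while the `@@ -1939` hunk narrows the query with the DEL_INDEX join condition and the `APP_DISABLE_ACTION_USER`/`APP_TYPE` filters; unless LIST_PAUSED is emptied earlier in migrateList (the LIST_UNASSIGNED block below does a `doDeleteAll()` first, and this block visibly does not), re-running the migration on a populated table may collide with existing rows on create. Either restore the remove or add the same `doDeleteAll()` before the loop, with a comment stating which the code relies on. The join condition in `addJoin(AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID . ' AND ' . … )` is assembled from column constants only, so it is not an injection point, but a short comment on why the extra equality is folded into the join string would help the next reader.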
+++ b/workflow/engine/classes/model/ListInbox.php @@ -49,8 +49,11 @@ class ListInbox extends BaseListInbox // remove and create participated last if (!$isSelfService) { - $listParticipatedLast = new ListParticipatedLast(); - $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']); + $oCriteria = new Criteria('workflow'); + $oCriteria->add(ListParticipatedLastPeer::APP_UID, $data['APP_UID']); + $oCriteria->add(ListParticipatedLastPeer::USR_UID, $data['USR_UID']); + ListParticipatedLastPeer::doDelete($oCriteria); + $listParticipatedLast = new ListParticipatedLast(); $listParticipatedLast->create($data); $listParticipatedLast = new ListParticipatedLast(); @@ -367,6 +370,11 @@ class ListInbox extends BaseListInbox { $criteria = new Criteria(); $criteria->add( ListInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL ); + if ($filters['action'] == 'draft') { + $criteria->add( ListInboxPeer::APP_STATUS, 'DRAFT', Criteria::EQUAL ); + } else { + $criteria->add( ListInboxPeer::APP_STATUS, 'TO_DO', Criteria::EQUAL ); + } self::loadFilters($criteria, $filters); $total = ListInboxPeer::doCount( $criteria ); return (int)$total; diff --git a/workflow/engine/classes/model/ListMyInbox.php b/workflow/engine/classes/model/ListMyInbox.php index 5a5aa3f36..3541d848d 100644 --- a/workflow/engine/classes/model/ListMyInbox.php +++ b/workflow/engine/classes/model/ListMyInbox.php @@ -123,6 +123,7 @@ class ListMyInbox extends BaseListMyInbox if ($data['DEL_INDEX'] == 1 && $data['APP_STATUS'] == 'TO_DO') { $data['APP_CREATE_DATE'] = $data['APP_UPDATE_DATE']; + $this->remove($data['APP_UID'], $data['USR_UID']); $this->create($data); } else { unset($data['USR_UID']); diff --git a/workflow/engine/classes/model/ListParticipatedLast.php b/workflow/engine/classes/model/ListParticipatedLast.php index ebcf6d959..72bea4e91 100644 --- a/workflow/engine/classes/model/ListParticipatedLast.php +++ b/workflow/engine/classes/model/ListParticipatedLast.php 
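Review bot: In the `@@ -367` hunk of ListInbox.php `if ($filters['action'] == 'draft')` reads the key without checking it exists, so a call with no `action` filter emits an undefined-index notice/warning before falling into the TO_DO branch. Write it as `$status = (isset($filters['action']) && $filters['action'] === 'draft') ? 'DRAFT' : 'TO_DO';` followed by a single `$criteria->add( ListInboxPeer::APP_STATUS, $status, Criteria::EQUAL );`, which also removes the duplicated criteria pair. The enclosing method starts above this hunk.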
@@ -143,9 +143,9 @@ class ListParticipatedLast extends BaseListParticipatedLast * @throws type * */ - public function remove ($app_uid, $usr_uid) + public function remove ($app_uid, $usr_uid, $del_index) { - $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid); + $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid, $del_index); if (! is_null( $existField )) { $users = new Users(); $users->refreshTotal($usr_uid, 'removed', 'participated'); diff --git a/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php b/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php index a67b28884..62e4c7701 100644 --- a/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php +++ b/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php @@ -69,7 +69,7 @@ class ListParticipatedLastMapBuilder $tMap->addPrimaryKey('USR_UID', 'UsrUid', 'string', CreoleTypes::VARCHAR, true, 32); - $tMap->addColumn('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null); + $tMap->addPrimaryKey('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null); $tMap->addColumn('TAS_UID', 'TasUid', 'string', CreoleTypes::VARCHAR, true, 32); diff --git a/workflow/engine/classes/model/om/BaseListParticipatedLast.php b/workflow/engine/classes/model/om/BaseListParticipatedLast.php index 4344870fb..c06821fa7 100644 --- a/workflow/engine/classes/model/om/BaseListParticipatedLast.php +++ b/workflow/engine/classes/model/om/BaseListParticipatedLast.php @@ -1686,6 +1686,7 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent $criteria->add(ListParticipatedLastPeer::APP_UID, $this->app_uid); $criteria->add(ListParticipatedLastPeer::USR_UID, $this->usr_uid); + $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $this->del_index); return $criteria; } 
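Review bot: `remove($app_uid, $usr_uid, $del_index)` gains a mandatory third argument, so any remaining two-argument caller now fails at call time, and the docblock directly above (which still ends in `@throws type`) gains no `@param int $del_index`. Add the param line, and since the callers on this page were switched to `ListParticipatedLastPeer::doDelete` rather than updated to the new signature, it is worth checking for other callers that still pass two arguments. `@throws type` is also a placeholder that should name the actual exception or be removed.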
@@ -1703,6 +1704,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent $pks[1] = $this->getUsrUid(); + $pks[2] = $this->getDelIndex(); + return $pks; } @@ -1719,6 +1722,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent $this->setUsrUid($keys[1]); + $this->setDelIndex($keys[2]); + } /** @@ -1734,8 +1739,6 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent public function copyInto($copyObj, $deepCopy = false) { - $copyObj->setDelIndex($this->del_index); - $copyObj->setTasUid($this->tas_uid); $copyObj->setProUid($this->pro_uid); @@ -1781,6 +1784,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent $copyObj->setUsrUid(''); // this is a pkey column, so set to default value + $copyObj->setDelIndex('0'); // this is a pkey column, so set to default value + } /** diff --git a/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php b/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php index 777982e33..26fe8f6f3 100644 --- a/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php +++ b/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php @@ -487,6 +487,9 @@ abstract class BaseListParticipatedLastPeer $comparison = $criteria->getComparison(ListParticipatedLastPeer::USR_UID); $selectCriteria->add(ListParticipatedLastPeer::USR_UID, $criteria->remove(ListParticipatedLastPeer::USR_UID), $comparison); + $comparison = $criteria->getComparison(ListParticipatedLastPeer::DEL_INDEX); + $selectCriteria->add(ListParticipatedLastPeer::DEL_INDEX, $criteria->remove(ListParticipatedLastPeer::DEL_INDEX), $comparison); + } else { $criteria = $values->buildCriteria(); // gets full criteria $selectCriteria = $values->buildPkeyCriteria(); // gets criteria w/ primary key(s) 
@@ -560,10 +563,12 @@ abstract class BaseListParticipatedLastPeer $vals[0][] = $value[0]; $vals[1][] = $value[1]; + $vals[2][] = $value[2]; } $criteria->add(ListParticipatedLastPeer::APP_UID, $vals[0], Criteria::IN); $criteria->add(ListParticipatedLastPeer::USR_UID, $vals[1], Criteria::IN); + $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $vals[2], Criteria::IN); } // Set the correct dbName @@ -626,10 +631,11 @@ abstract class BaseListParticipatedLastPeer * Retrieve object using using composite pkey values. * @param string $app_uid * @param string $usr_uid + * @param int $del_index * @param Connection $con * @return ListParticipatedLast */ - public static function retrieveByPK($app_uid, $usr_uid, $con = null) + public static function retrieveByPK($app_uid, $usr_uid, $del_index, $con = null) { if ($con === null) { $con = Propel::getConnection(self::DATABASE_NAME); @@ -637,6 +643,7 @@ abstract class BaseListParticipatedLastPeer $criteria = new Criteria(); $criteria->add(ListParticipatedLastPeer::APP_UID, $app_uid); $criteria->add(ListParticipatedLastPeer::USR_UID, $usr_uid); + $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $del_index); $v = ListParticipatedLastPeer::doSelect($criteria, $con); return !empty($v) ? $v[0] : null; diff --git a/workflow/engine/classes/triggers/api/class.zimbraApi.php b/workflow/engine/classes/triggers/api/class.zimbraApi.php index b8fbccb6e..ea3b840a9 100644 --- a/workflow/engine/classes/triggers/api/class.zimbraApi.php +++ b/workflow/engine/classes/triggers/api/class.zimbraApi.php @@ -803,6 +803,9 @@ class Zimbra protected function message($message) { if ($this->debug) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $message = $filter->xssFilterHard($message); echo $message; } } 
@@ -823,6 +826,9 @@ class Zimbra */ protected function soapRequest($body, $header = false, $connecting = false) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + if (!$connecting && !$this->_connected) { throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server'); } @@ -842,7 +848,9 @@ class Zimbra curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message); - if (!($response = curl_exec($this->_curl))) { + $this->_curl = $filter->xssFilterHard($this->_curl,"url"); + $response = curl_exec($this->_curl); + if (!$response) { $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl); return false; } elseif (strpos($response, '') !== false) { diff --git a/workflow/engine/config/schema.xml b/workflow/engine/config/schema.xml index 29559a34a..841d692f5 100755 --- a/workflow/engine/config/schema.xml +++ b/workflow/engine/config/schema.xml @@ -4017,7 +4017,7 @@ - + diff --git a/workflow/engine/data/mysql/schema.sql b/workflow/engine/data/mysql/schema.sql index a1e35e10c..bc52da229 100755 --- a/workflow/engine/data/mysql/schema.sql +++ b/workflow/engine/data/mysql/schema.sql @@ -2285,7 +2285,7 @@ CREATE TABLE `LIST_PARTICIPATED_LAST` `DEL_DUE_DATE` DATETIME, `DEL_PRIORITY` VARCHAR(32) default '3' NOT NULL, `DEL_THREAD_STATUS` VARCHAR(32) default 'OPEN' NOT NULL, - PRIMARY KEY (`APP_UID`,`USR_UID`) + PRIMARY KEY (`APP_UID`,`USR_UID`,`DEL_INDEX`) )ENGINE=InnoDB DEFAULT CHARSET='utf8' COMMENT='Participated last list'; #----------------------------------------------------------------------------- #-- LIST_COMPLETED diff --git a/workflow/engine/methods/cases/casesStartPage_Ajax.php b/workflow/engine/methods/cases/casesStartPage_Ajax.php index f5cdda0bc..16a9dec9b 100755 --- a/workflow/engine/methods/cases/casesStartPage_Ajax.php +++ b/workflow/engine/methods/cases/casesStartPage_Ajax.php 
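Review bot: `$this->_curl = $filter->xssFilterHard($this->_curl,"url");` is applied to the cURL handle itself — the line above it is `curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message)` — so a string filter is handed a handle and whatever it returns is then passed to `curl_exec($this->_curl)`, which no longer receives a valid handle; the request cannot succeed after this change. If the aim is to vet the target URL, validate the URL string before it is set with `curl_setopt(..., CURLOPT_URL, ...)` outside this hunk and leave the handle untouched; the restructured `$response = curl_exec($this->_curl); if (!$response)` check is fine on its own. soapRequest's body continues outside the hunk.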
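Review bot: The LIST_PARTICIPATED_LAST primary key changes from `(APP_UID, USR_UID)` to `(APP_UID, USR_UID, DEL_INDEX)` in schema.sql, which only affects fresh installs; nothing visible in this diff alters the key on an existing database, so upgraded workspaces would keep the old two-column key while the regenerated peer now deletes and looks up by three columns, and the uniqueness the migration code relies on would be absent there. If the upgrade path regenerates tables from the schema elsewhere, a line in the commit description pointing to it would settle this; otherwise an `ALTER TABLE `LIST_PARTICIPATED_LAST` DROP PRIMARY KEY, ADD PRIMARY KEY (`APP_UID`,`USR_UID`,`DEL_INDEX`)` step belongs in the workspace upgrade, and it needs every existing DEL_INDEX to be non-null first.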
@@ -1,4 +1,9 @@ xssFilterHard($_POST); +$_REQUEST = $filter->xssFilterHard($_REQUEST); +$_SESSION = $filter->xssFilterHard($_SESSION); if (!isset($_SESSION['USER_LOGGED'])) { $res = new stdclass(); $res->message = G::LoadTranslation('ID_LOGIN_AGAIN'); @@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid) function startCase () { G::LoadClass( 'case' ); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $_POST = $filter->xssFilterHard($_POST); + $_REQUEST = $filter->xssFilterHard($_REQUEST); + $_SESSION = $filter->xssFilterHard($_SESSION); /* GET , POST & $_SESSION Vars */ /* unset any variable, because we are starting a new case */ @@ -241,6 +251,7 @@ function startCase () lookinginforContentProcess( $_POST['processId'] ); $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] ); + $aData = $filter->xssFilterHard($aData); $_SESSION['APPLICATION'] = $aData['APPLICATION']; $_SESSION['INDEX'] = $aData['INDEX']; diff --git a/workflow/engine/methods/cases/proxyPMTablesFieldList.php b/workflow/engine/methods/cases/proxyPMTablesFieldList.php index 8c9634782..671ec382c 100644 --- a/workflow/engine/methods/cases/proxyPMTablesFieldList.php +++ b/workflow/engine/methods/cases/proxyPMTablesFieldList.php @@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid) $oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX ); $oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL ); $oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL ); + $oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL ); $oCriteria->addDescendingOrderByColumn('FLD_INDEX'); $oDataset = FieldsPeer::doSelectRS($oCriteria); $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); diff --git a/workflow/engine/methods/dbConnections/dbConnectionsAjax.php b/workflow/engine/methods/dbConnections/dbConnectionsAjax.php index b30792b4a..2325d37da 100755 --- a/workflow/engine/methods/dbConnections/dbConnectionsAjax.php 
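Review bot: `$_SESSION = $filter->xssFilterHard($_SESSION);` (at the top of the file and again inside startCase) rewrites server-side session state on every request; the session is populated by the application rather than the client, and this same function then stores `$aData['APPLICATION']` and `$aData['INDEX']` into it after also filtering `$aData`, so an identifier the filter happens to alter would be persisted in a form that no longer matches the database. Limit the filtering to `$_POST`/`$_REQUEST`, and treat `$aData`, which is returned by `$oCase->startCase` and not by the client, as trusted. The dbConnectionsAjax.php hunk in the next section filters `$_SESSION` the same way. The first lines of the file-top hunk appear truncated in this rendering, so the `G::LoadSystem`/`new InputFilter()` lines are assumed to be present there.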
+++ b/workflow/engine/methods/dbConnections/dbConnectionsAjax.php @@ -30,6 +30,11 @@ * @Param var action from POST request */ +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_POST = $filter->xssFilterHard($_POST); +$_SESSION = $filter->xssFilterHard($_SESSION); + if (isset( $_POST['action'] ) || isset( $_POST['function'] )) { $action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function']; } else { diff --git a/workflow/engine/methods/departments/departments_Ajax.php b/workflow/engine/methods/departments/departments_Ajax.php index 05940d560..531a08ceb 100755 --- a/workflow/engine/methods/departments/departments_Ajax.php +++ b/workflow/engine/methods/departments/departments_Ajax.php @@ -23,6 +23,11 @@ * Coral Gables, FL, 33134, USA, or email info@colosa.com. */ +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_POST = $filter->xssFilterHard($_POST); +$_REQUEST = $filter->xssFilterHard($_REQUEST); + function LookForChildren ($parent, $level, $aDepUsers) { G::LoadClass( 'configuration' ); diff --git a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php index 9d3b65193..b26680768 100755 --- a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php +++ b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php @@ -28,6 +28,10 @@ * also the functionality of dependent fields in grids doesn't depends in this * file so this is somewhat expendable. */ +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_POST = $filter->xssFilterHard($_POST); + function subDependencies ($k, &$G_FORM, &$aux, $grid = '') { $myDependentFields = ''; diff --git a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php index 01c8002c1..a5b1ddfc9 100755 --- a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php +++ b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php 
@@ -25,6 +25,9 @@ * @Date Aug 26th, 2009 */ +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_POST = $filter->xssFilterHard($_POST); $request = $_POST['request']; switch ($request) { @@ -32,6 +35,7 @@ switch ($request) { if (isset( $_POST['items'] )) { $items = $_POST['items']; $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE']; + $tmpfilename = $filter->xssFilterHard($tmpfilename); G::LoadSystem( 'dynaformhandler' ); $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" ); @@ -53,6 +57,7 @@ switch ($request) { break; case 'saveHidden': $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE']; + $tmpfilename = $filter->xssFilterHard($tmpfilename); G::LoadSystem( 'dynaformhandler' ); $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" ); $hidden_items = Array (); diff --git a/workflow/engine/methods/dynaforms/test.php b/workflow/engine/methods/dynaforms/test.php index 4dfc23836..9999dc690 100755 --- a/workflow/engine/methods/dynaforms/test.php +++ b/workflow/engine/methods/dynaforms/test.php @@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) { xssFilterHard($test); foreach ($test as $t) { echo 'You selected ', $t, ''; } diff --git a/workflow/engine/methods/roles/data_rolesList.php b/workflow/engine/methods/roles/data_rolesList.php index fdbf824fe..31742662d 100755 --- a/workflow/engine/methods/roles/data_rolesList.php +++ b/workflow/engine/methods/roles/data_rolesList.php @@ -24,6 +24,9 @@ require_once (PATH_RBAC . "model/RolesPeer.php"); G::LoadClass( 'ArrayPeer' ); +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_POST = $filter->xssFilterHard($_POST); isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = ''; diff --git a/workflow/engine/methods/roles/data_rolesPermissions.php b/workflow/engine/methods/roles/data_rolesPermissions.php index 40a545f00..3d368d765 100755 --- a/workflow/engine/methods/roles/data_rolesPermissions.php 
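Review bot: `$request = $_POST['request'];` still indexes the superglobal without a guard, so a request without that field raises an undefined-index notice before the `switch` regardless of the added filtering; `$request = isset($_POST['request']) ? $_POST['request'] : '';` matches the style used elsewhere in this commit and lets the `switch` fall to its default branch. The filter pass on `$_POST` also does not validate that `$request` names a supported case, which the `switch` itself handles only if it has a `default` that rejects unknown values; that part of the switch is outside the hunk.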
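Review bot: `$tmpfilename` is interpolated into a filesystem path, `PATH_DYNAFORM . "{$tmpfilename}.xml"`, and xssFilterHard addresses markup, not path components; the check that belongs before `new dynaFormHandler(...)` is that the value is a bare file name, e.g. `if ($tmpfilename !== basename($tmpfilename)) { throw new Exception('invalid dynaform file name'); }`, and the same applies to the identical pair of lines in the `saveHidden` case in the next hunk. The value is read from `$_SESSION`, so it is set server-side, but nothing in the hunk shows where it is written, which is why the check belongs at the point of use rather than relying on that. The `switch` this sits in continues outside the hunk.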
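Review bot: `$filter = new InputFilter();` is immediately clobbered by the existing line `isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';`, so after the hunk `$filter` holds the text-filter string, not the InputFilter instance, and any later `$filter->xssFilterHard(...)` in this file would be a fatal call on a string. Give the new object its own name, e.g. `$inputFilter = new InputFilter(); $_POST = $inputFilter->xssFilterHard($_POST);`, so the two meanings do not share a variable. The rest of the file is outside the hunk, so whether the instance is used again could not be confirmed.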
+++ b/workflow/engine/methods/roles/data_rolesPermissions.php @@ -22,6 +22,10 @@ * Coral Gables, FL, 33134, USA, or email info@colosa.com. */ +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); +$_GET = $filter->xssFilterHard($_GET); +$_REQUEST = $filter->xssFilterHard($_REQUEST); $ROL_UID = $_GET['rUID']; $TYPE_DATA = $_GET["type"]; diff --git a/workflow/engine/methods/services/Rest/CURLMessage.php b/workflow/engine/methods/services/Rest/CURLMessage.php index 3017ade84..ac27b47a0 100644 --- a/workflow/engine/methods/services/Rest/CURLMessage.php +++ b/workflow/engine/methods/services/Rest/CURLMessage.php @@ -122,7 +122,10 @@ abstract class CURLMessage */ public function displayResponse () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $error = curl_error( $this->ch ); + $error = $filter->xssFilterHard($error); $result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => '' ); if ($error != "") { @@ -130,12 +133,15 @@ abstract class CURLMessage return $result; } $response = $this->output; + $response = $filter->xssFilterHard($response); $header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE ); $result['header'] = substr( $response, 0, $header_size ); $result['body'] = substr( $response, $header_size ); $result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE ); $result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL ); + $result = $filter->xssFilterHard($result); + $this->type = $filter->xssFilterHard($this->type); echo $this->type . " Response: " . $response . ""; foreach ($result as $index => $data) { if ($data != "") { diff --git a/workflow/engine/methods/services/demoSoap.php b/workflow/engine/methods/services/demoSoap.php index 2604889e1..e468512df 100755 --- a/workflow/engine/methods/services/demoSoap.php +++ b/workflow/engine/methods/services/demoSoap.php 
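Review bot: `$ROL_UID = $_GET['rUID'];` and `$TYPE_DATA = $_GET["type"];` index the superglobal without an `isset` guard, so a request missing either parameter raises an undefined-index notice after the filter has run; `$ROL_UID = isset($_GET['rUID']) ? $_GET['rUID'] : '';` matches the style used elsewhere in this commit. xssFilterHard is a markup filter, so if `$ROL_UID` is later used as a database key the useful check is a format test on the UID itself; and `$_REQUEST` is filtered while `$_GET` is read, which only coincides when both hold the same data. How the two variables are consumed is outside the hunk.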
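Review bot: `$response = $filter->xssFilterHard($response);` changes the string before `substr($response, 0, $header_size)`, but `$header_size` comes from `curl_getinfo(..., CURLINFO_HEADER_SIZE)`, which measured the unfiltered output; if the filter removes or rewrites any byte inside the headers, the header/body split in `$result['header']` and `$result['body']` is off by that amount. Keep `$response = $this->output;` for the two `substr` calls and escape only what is printed, e.g. `echo htmlspecialchars($this->type . " Response: " . $response, ENT_QUOTES, 'UTF-8');`, since this method renders to the page. The later `$result = $filter->xssFilterHard($result);` also runs over the already-split pieces and the integer `http_code`, so whether those come back unchanged depends on the filter's handling of non-string values, which the hunk does not show. displayResponse() continues outside the hunk.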
@@ -61,12 +61,17 @@ a.krumo-name { xssFilterHard($_POST); +$_SESSION = $filter->xssFilterHard($_SESSION); if (isset( $_POST["epr"] )) { $_SESSION['END_POINT'] = $_POST["epr"]; } $endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php'; - +$endpoint = $filter->xssFilterHard($endpoint); $sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : ''; +$sessionId = $filter->xssFilterHard($sessionId); ?> diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php b/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php index 6ed830437..5c936080c 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php @@ -176,6 +176,7 @@ class Lists { $filtersData['date_to'] = $filters["dateTo"]; $response['filters'] = $filtersData; $response['data'] = $result; + $filtersData['action'] = $filters["action"]; $response['totalCount'] = $list->countTotal($userUid, $filtersData); } else { $response = $result; diff --git a/workflow/engine/templates/groups/groups_Tree.php b/workflow/engine/templates/groups/groups_Tree.php index 53a2edc13..acccedc6f 100755 --- a/workflow/engine/templates/groups/groups_Tree.php +++ b/workflow/engine/templates/groups/groups_Tree.php @@ -29,6 +29,8 @@ $WIDTH_PANEL = 350; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); G::LoadClass('groups'); $groups = new Groups(); 
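Review bot: `$endpoint` originates from `$_POST["epr"]` via the session and is only passed through xssFilterHard, but it is a SOAP endpoint URL the server will connect to, and a markup filter does not decide whether that host is one this page should reach. The guard that fits is a scheme/host allowlist before the value is stored, e.g. `if (!in_array(parse_url($_POST['epr'], PHP_URL_HOST), $allowedHosts, true)) { /* reject */ }`, with `$_SESSION['END_POINT'] = $_POST["epr"];` happening only after it. The `-`/`+` pair here swaps a blank line for the `$endpoint` filter, which is easy to misread as a no-op in the diff; if the two values are echoed into the page below, a comment `// endpoint and session id are rendered into the page` would say why they are filtered. What follows the `?>` is outside the hunk.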
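Review bot: `$filtersData['action'] = $filters["action"];` is added after `$response['filters'] = $filtersData;`, and PHP copies arrays by value, so `countTotal()` sees the action but the `filters` echoed back in `$response` does not; if that asymmetry is not intended, move the new line above the `$response['filters']` assignment. `$filters["action"]` is also read without a guard; if `action` is optional, `isset($filters['action']) ? $filters['action'] : null` avoids an undefined-index notice (the `dateTo` read on the context line has the same shape). The method this sits in starts and ends outside the hunk.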
@@ -47,6 +49,17 @@ $UID = htmlentities($group->getGrpUid()); //$GROUP_TITLE = htmlentities($group->getGrpTitle()); $GROUP_TITLE = strip_tags($group->getGrpTitle()); + $ID_NEW = G::LoadTranslation('ID_NEW'); + $ID_GROUPS = G::loadTranslation("ID_GROUPS"); + + $ID_EDIT = $filter->xssFilterHard($ID_EDIT); + $ID_MEMBERS = $filter->xssFilterHard($ID_MEMBERS); + $ID_DELETE = $filter->xssFilterHard($ID_DELETE); + $UID = $filter->xssFilterHard($UID); + $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE); + $ID_NEW = $filter->xssFilterHard($ID_NEW); + $ID_GROUPS = $filter->xssFilterHard($ID_GROUPS); + $htmlGroup .=" @@ -68,13 +81,13 @@ - '.G::loadTranslation("ID_GROUPS").' + '.$ID_GROUPS.' - '.G::LoadTranslation('ID_NEW').' + '.$ID_NEW.' '
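Review bot: `$UID` is already `htmlentities()`-encoded and `$GROUP_TITLE` already `strip_tags()`-ed on the context lines above, and the hunk now passes both through `xssFilterHard` as well; depending on what the filter does to `&...;` sequences this can double-encode or strip characters in a group title, and it is an input-style filter applied at output time. The translation strings (`$ID_NEW`, `$ID_GROUPS`, and `$ID_EDIT`/`$ID_MEMBERS`/`$ID_DELETE`, whose assignments are not in the hunk) come from the application's own message catalog, so filtering them mainly risks corrupting legitimate text in some locales. One encoding per value at the point it is interpolated into `$htmlGroup` is the clearer rule: keep `htmlentities($group->getGrpUid())`, use `htmlspecialchars($group->getGrpTitle(), ENT_QUOTES, 'UTF-8')` in place of `strip_tags`, and drop the second pass. The `$htmlGroup .=` string continues outside the hunk.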