From 45c1ceffcc566cd466ed28a558be6c54e73578af Mon Sep 17 00:00:00 2001 From: Roly Rudy Gutierrez Pinto Date: Tue, 8 Aug 2017 09:53:00 -0400 Subject: [PATCH] HOR-3627
---
 gulliver/bin/tasks/templates/pluginClass.tpl | 1 - .../bin/tasks/templates/pluginMainFile.tpl | 1 - .../templates/pluginOnTransitList.php.tpl | 2 - gulliver/bin/tasks/templates/pluginStep.tpl | 1 - .../pluginStepApplicationAjax.php.tpl | 2 - .../bin/tasks/templates/pluginWelcome.php.tpl | 1 - .../tasks/templates/skinPluginMainClass.tpl | 2 - .../bin/tasks/templates/sysGeneric.php.tpl | 2 +- .../bin/tasks/templates/usersList.php.tpl | 2 +- gulliver/bin/tasks/templates/welcome.php.tpl | 1 - gulliver/js/grid/core/grid.js | 1 + gulliver/methods/errors/block.php | 2 +- gulliver/methods/errors/error403.php | 2 +- gulliver/system/class.database_mysql.php | 14 +++-- gulliver/system/class.dbMaintenance.php | 63 ++++++++++++++++++- gulliver/system/class.g.php | 51 ++++++++++++--- gulliver/system/class.menu.php | 2 +- gulliver/system/class.monologProvider.php | 2 + gulliver/system/class.rbac.php | 16 ++--- 19 files changed, 128 insertions(+), 40 deletions(-)
diff --git a/gulliver/bin/tasks/templates/pluginClass.tpl b/gulliver/bin/tasks/templates/pluginClass.tpl
index 1cc103337..64e9de169 100644
--- a/gulliver/bin/tasks/templates/pluginClass.tpl
+++ b/gulliver/bin/tasks/templates/pluginClass.tpl
@@ -83,7 +83,6 @@ $_DBArray['users'] = $aUsers;
 $_SESSION['_DBArray'] = $_DBArray;
-;
 $oCriteria = new Criteria('dbarray');
 $oCriteria->setDBArrayTable('users');
 $oCriteria->addDescendingOrderByColumn('USR_USERNAME');
diff --git a/gulliver/bin/tasks/templates/pluginMainFile.tpl b/gulliver/bin/tasks/templates/pluginMainFile.tpl
index 0128ee1dc..b1b438ca3 100644
--- a/gulliver/bin/tasks/templates/pluginMainFile.tpl
+++ b/gulliver/bin/tasks/templates/pluginMainFile.tpl
@@ -1,5 +1,4 @@ userCanAccess("PM_CASES"))!=1) return $RBAC_Response;
 /* Includes */
-;
-;
 /* GET , POST & $_SESSION Vars */
 $conf = new Configurations();
diff --git a/gulliver/bin/tasks/templates/pluginStep.tpl b/gulliver/bin/tasks/templates/pluginStep.tpl
index 9626e1149..0dae49698 100644
--- a/gulliver/bin/tasks/templates/pluginStep.tpl
+++ b/gulliver/bin/tasks/templates/pluginStep.tpl
@@ -1,5 +1,4 @@ setDBArrayTable('user');
 //$c->add ( 'user.age', 122 , Criteria::GREATER_EQUAL );
diff --git a/gulliver/bin/tasks/templates/skinPluginMainClass.tpl b/gulliver/bin/tasks/templates/skinPluginMainClass.tpl
index 5f16a8bb0..a2ff85666 100644
--- a/gulliver/bin/tasks/templates/skinPluginMainClass.tpl
+++ b/gulliver/bin/tasks/templates/skinPluginMainClass.tpl
@@ -4,8 +4,6 @@
 *
 */
-;
-
 class {className}Plugin extends PMPlugin {
 function {className}Plugin($sNamespace, $sFilename = null) {
diff --git a/gulliver/bin/tasks/templates/sysGeneric.php.tpl b/gulliver/bin/tasks/templates/sysGeneric.php.tpl
index f004d854c..abe03b7fd 100644
--- a/gulliver/bin/tasks/templates/sysGeneric.php.tpl
+++ b/gulliver/bin/tasks/templates/sysGeneric.php.tpl
@@ -198,7 +198,7 @@ $docuroot = explode ( PATH_SEP , $_SERVER['DOCUMENT_ROOT'] );
 //***************** Plugins **************************
-;
+
 // //here we are loading all plugins registered
 // //the singleton has a list of enabled plugins
diff --git a/gulliver/bin/tasks/templates/usersList.php.tpl b/gulliver/bin/tasks/templates/usersList.php.tpl
index 38bd54af5..4983ba6c5 100644
--- a/gulliver/bin/tasks/templates/usersList.php.tpl
+++ b/gulliver/bin/tasks/templates/usersList.php.tpl
@@ -21,7 +21,7 @@ $G_ID_SUB_MENU_SELECTED = 'USERS';
 $_DBArray['user'] = $rows;
 $_SESSION['_DBArray'] = $_DBArray;
-;
+
 $c = new Criteria ('dbarray');
 $c->setDBArrayTable('user');
diff --git a/gulliver/bin/tasks/templates/welcome.php.tpl b/gulliver/bin/tasks/templates/welcome.php.tpl
index bf7a94c94..b5e180c61 100644
--- a/gulliver/bin/tasks/templates/welcome.php.tpl
+++ b/gulliver/bin/tasks/templates/welcome.php.tpl
@@ -23,7 +23,6 @@ $_DBArray['user'] = $rows;
 $_SESSION['_DBArray'] = $_DBArray;
 //krumo ( $_DBArray );
-;
 $c = new Criteria ('dbarray');
 $c->setDBArrayTable('user');
 //$c->add ( 'user.age', 122 , Criteria::GREATER_EQUAL );
diff --git a/gulliver/js/grid/core/grid.js b/gulliver/js/grid/core/grid.js
index b386a0120..f1e4eebd7 100644
--- a/gulliver/js/grid/core/grid.js
+++ b/gulliver/js/grid/core/grid.js
@@ -563,6 +563,7 @@ var G_Grid = function(oForm, sGridName){
 case 'textarea': //TEXTAREA
 aObjects = oNewRow.getElementsByTagName('td')[i].getElementsByTagName('textarea');
 if (aObjects){
+ aObjects[0].value = '';
 aObjects[0].className = "module_app_input___gray";
 newID = aObjects[0].id.replace(/\[1\]/g, '\[' + currentRow + '\]');
diff --git a/gulliver/methods/errors/block.php b/gulliver/methods/errors/block.php
index 19b4a3106..05dd1aebe 100644
--- a/gulliver/methods/errors/block.php
+++ b/gulliver/methods/errors/block.php
@@ -3,7 +3,7 @@ if (function_exists("http_response_code")) {
 http_response_code(200);
 }
-$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? "https" : "http";
+$http = G::is_https() ? "https" : "http";
 $host = $_SERVER["SERVER_NAME"] . (($_SERVER["SERVER_PORT"] != "80") ? ":" . $_SERVER["SERVER_PORT"] : "");
 $urlLogin = $http . "://" . $host . "/sys/en/neoclassic/login/login";
diff --git a/gulliver/methods/errors/error403.php b/gulliver/methods/errors/error403.php
index c47080475..bc91e6f9d 100644
--- a/gulliver/methods/errors/error403.php
+++ b/gulliver/methods/errors/error403.php
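Review bot: With `$http` now taken from `G::is_https()`, the `$host` line directly below still appends the port unless it is exactly `80`, so a TLS site served on 443 builds `https://host:443/sys/en/neoclassic/login/login`; the old HTTPS branch had the same flaw, but the commit rewrites this spot and leaves it. Two lines fix it: `$defaultPort = $http === "https" ? "443" : "80";` and `$host = $_SERVER["SERVER_NAME"] . (($_SERVER["SERVER_PORT"] != $defaultPort) ? ":" . $_SERVER["SERVER_PORT"] : "");`. The error403.php hunk that follows is cut off in this view, but it presumably carries the same pattern and should get the same treatment.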
@@ -1,6 +1,6 @@ sQuoteCharacter . $sTable . $this->sQuoteCharacter .
- ' ADD PRIMARY KEY (' . $this->sQuoteCharacter . $sColumn . $this->sQuoteCharacter . ')' . $this->sEndLine;
- }*/
+ if (isset( $aParameters['PrimaryKey'] ) && $aParameters['PrimaryKey']) {
+ $sSQL .= ' PRIMARY KEY';
+ }
+ if (isset( $aParameters['Unique'] ) && $aParameters['Unique']) {
+ $sSQL .= ' UNIQUE';
+ }
+
+ //we need to check the property AI
 if (isset( $aParameters['AI'] )) {
 if ($aParameters['AI'] == 1) {
 $sSQL .= ' AUTO_INCREMENT';
diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php
index 496fd6e1c..8251a57f8 100644
--- a/gulliver/system/class.dbMaintenance.php
+++ b/gulliver/system/class.dbMaintenance.php
@@ -49,6 +49,7 @@ class DataBaseMaintenance
 protected $tmpDir;
 protected $outfile;
 protected $infile;
+ protected $isWindows;
 /**
 * __construct
@@ -64,7 +65,7 @@ class DataBaseMaintenance
 $this->tmpDir = './';
 $this->link = null;
 $this->dbName = null;
-
+ $this->isWindows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
 if (isset( $host ) && isset( $user ) && isset( $passwd )) {
 $this->host = $host;
 $this->user = $user;
@@ -399,13 +400,22 @@ class DataBaseMaintenance
 */
 function backupDataBase ($outfile)
 {
+ $password = escapeshellarg($this->passwd);
+
+ //On Windows, escapeshellarg() instead replaces percent signs, exclamation
+ //marks (delayed variable substitution) and double quotes with spaces and
+ //adds double quotes around the string.
+ //See: http://php.net/manual/en/function.escapeshellarg.php
+ if ($this->isWindows) {
+ $password = $this->escapeshellargCustom($this->passwd);
+ }
 $aHost = explode(':', $this->host);
 $dbHost = $aHost[0];
 if (isset($aHost[1])) {
 $dbPort = $aHost[1];
 $command = 'mysqldump'
 . ' --user=' . $this->user
- . ' --password=' . escapeshellarg($this->passwd)
+ . ' --password=' . $password
 . ' --host=' . $dbHost
 . ' --port=' . $dbPort
 . ' --opt'
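Review bot: Only the password is shell-escaped in the mysqldump command; `$this->user`, `$dbHost` and `$dbPort` are concatenated raw on the context lines around the new `--password=` line, so a host or user string carrying shell metacharacters (for example from a mis-edited configuration file) reaches `shell_exec()` unquoted. Wrap each one: `. ' --user=' . escapeshellarg($this->user)`, `. ' --host=' . escapeshellarg($dbHost)`, `. ' --port=' . escapeshellarg($dbPort)`. Passing `--password=` in argv also exposes the credential in the process list for the whole dump; mysqldump's `--defaults-extra-file` option (pointing at a 0600 temp file) avoids both the quoting and the exposure. backupDataBase continues past the end of this hunk.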
@@ -418,13 +428,60 @@ class DataBaseMaintenance
 . ' --user=' . $this->user
 . ' --opt'
 . ' --skip-comments'
- . ' --password=' . escapeshellarg($this->passwd)
+ . ' --password=' . $password
 . ' ' . $this->dbName
 . ' > ' . $outfile;
 }
 shell_exec($command);
 }
+ /**
+ * string escapeshellargCustom ( string $arg , character $quotes)
+ *
+ * escapeshellarg() adds single quotes around a string and quotes/escapes any
+ * existing single quotes allowing you to pass a string directly to a shell
+ * function and having it be treated as a single safe argument. This function
+ * should be used to escape individual arguments to shell functions coming
+ * from user input. The shell functions include exec(), system() and the
+ * backtick operator.
+ *
+ * On Windows, escapeshellarg() instead replaces percent signs, exclamation
+ * marks (delayed variable substitution) and double quotes with spaces and
+ * adds double quotes around the string.
+ */
+ private function escapeshellargCustom($string, $quotes = "")
+ {
+ if ($quotes === "") {
+ $quotes = $this->isWindows ? "\"" : "'";
+ }
+ $n = strlen($string);
+ $special = ["!", "%", "\""];
+ $substring = "";
+ $result1 = [];
+ $result2 = [];
+ for ($i = 0; $i < $n; $i++) {
+ if (in_array($string[$i], $special, true)) {
+ $result2[] = $string[$i];
+ $result1[] = $substring;
+ $substring = "";
+ } else {
+ $substring = $substring . $string[$i];
+ }
+ }
+ $result1[] = $substring;
+ //Rebuild the password string
+ $n = count($result1);
+ for ($i = 0; $i < $n; $i++) {
+ $result1[$i] = trim(escapeshellarg($result1[$i]), $quotes);
+ if (isset($result2[$i])) {
+ $result1[$i] = $result1[$i] . $result2[$i];
+ }
+ }
+ //add simple quotes, see escapeshellarg function
+ $newString = $quotes . implode("", $result1) . $quotes;
+ return $newString;
+ }
+
 /**
 * restoreFromSql
 *
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index 4332c12fa..ebe424741 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
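Review bot: `escapeshellargCustom()` puts `"`, `!` and `%` back verbatim inside a double-quoted cmd.exe argument — `trim(escapeshellarg($result1[$i]), $quotes)` strips the quotes from each safe segment and the loop then appends the special character unescaped — and those are exactly the three characters escapeshellarg() blanks on Windows, because a `"` terminates the quoted argument and `%NAME%` is expanded inside it; a password containing them can therefore break out of the argument instead of being passed literally, which is the opposite of what the function's own docblock describes. Rather than re-implementing Windows quoting, keep the password off the command line entirely: write a temporary option file and pass it with `--defaults-extra-file` (which must be the first option), then `escapeshellarg()` the remaining pieces, including `$outfile` and `$this->dbName`, which this hunk still concatenates raw. That makes `$isWindows` and `escapeshellargCustom` unnecessary and keeps the credential out of the process list; the first `$command` branch, built in the previous hunk, needs the same rewrite.
```php
// … unchanged: host/port parsing …
// Credentials go through a temporary option file (mode 0600) so the shell never
// sees the password and no platform-specific quoting is needed; inside a quoted
// option-file value only backslash, double quote and line breaks need escaping.
$optionFile = tempnam($this->tmpDir, 'my');
file_put_contents(
    $optionFile,
    "[client]\n"
    . 'user="' . addcslashes($this->user, "\"\\\r\n") . "\"\n"
    . 'password="' . addcslashes($this->passwd, "\"\\\r\n") . "\"\n"
);
chmod($optionFile, 0600);
$command = 'mysqldump --defaults-extra-file=' . escapeshellarg($optionFile)
    . ' --host=' . escapeshellarg($dbHost)
    // … unchanged: --port (when set), --opt, --skip-comments …
    . ' ' . escapeshellarg($this->dbName)
    . ' > ' . escapeshellarg($outfile);
shell_exec($command);
unlink($optionFile);
```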
@@ -187,7 +187,7 @@ class G
 * @param string $symbol
 * @return string
 */
- public function generate_password($length = 15, $availableSets = "luns", $symbol = "_-+=!@#$%*&,.")
+ public function generate_password($length = 15, $availableSets = "luns", $symbol = "_-$!")
 {
 $chars = "";
 if (strpos($availableSets, "l") !== false) {
@@ -1825,6 +1825,14 @@ class G
 $arrayGrid = array_unique($arrayGrid);
+ //Given the set: 'valueOne', 'valueOneTwo', where the second string
+ //contains the first string, this causes the larger string to take
+ //the second, resulting in a delimitation error, to avoid this problem
+ //we first search the string larger size.
+ usort($arrayGrid, function($a, $b) {
+ return strlen($b) - strlen($a);
+ });
+
 foreach ($arrayGrid as $index => $value) {
 if($value !== "") {
 $grdName = $value;
@@ -2912,6 +2920,16 @@ class G
 return (bool) preg_match( '/^[0-9A-Za-z]{14,}/', $uid );
 }
+ /**
+ * Verify if the input string is a valid UID of size 32
+ * @param string $uid
+ * @return boolean
+ */
+ public static function verifyUniqueID32($uid)
+ {
+ return (bool) preg_match('/^[0-9A-Za-z]{32,32}$/', $uid);
+ }
+
 /**
 * is_utf8
 *
@@ -2921,11 +2939,10 @@ class G
 */
 public function is_utf8 ($string)
 {
- if (is_array( $string )) {
- $enc = implode( '', $string );
- return @! ((ord( $enc[0] ) != 239) && (ord( $enc[1] ) != 187) && (ord( $enc[2] ) != 191));
+ if (preg_match('//u', $string)) {
+ return true;
 } else {
- return (utf8_encode( utf8_decode( $string ) ) == $string);
+ return false;
 }
 }
@@ -5408,6 +5425,12 @@ class G
 }
 /**
+ * This function save history about some actions in the file audit.log
+ * The data is used in the Audit Log functionality
+ *
+ * @param string $actionToLog
+ * @param string $valueToLog
+ * @return void
 */
 public static function auditLog($actionToLog, $valueToLog = "")
 {
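Review bot: Cutting `$symbol` from 13 characters to `"_-$!"` lowers the entropy of every password generated with default arguments, since `$length` stays at 15 and the symbol set presumably feeds the character pool that the `strpos($availableSets, ...)` checks below assemble; the two symbols kept are also the ones still special to POSIX shells (`$`) and to cmd.exe (`!`), so if the motivation is shell-safe passwords the change does not achieve it. Either keep the original set and escape at the point of use, or document the new constraint in the docblock (`@param string $symbol Symbols allowed in the password; deliberately small so generated values survive shell quoting`) and raise the default length to compensate. The body of generate_password continues outside the hunk.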
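Review bot: The comment above the new `usort` is hard to follow ("this causes the larger string to take the second"); the point is that a grid name that is a prefix of another would match first, so say that: `// Match longest names first: when one name is a prefix of another ('valueOne' / 'valueOneTwo') the shorter would otherwise match inside the longer and split it wrongly.`. The comparator reads nothing from `$this`, so it can be `static function ($a, $b)`. The enclosing function starts and ends outside the hunk.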
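Review bot: `'/^[0-9A-Za-z]{32,32}$/'` still accepts a 33-byte value whose last byte is a newline, because `$` matches before a trailing `\n` unless the `D` modifier is set, so a validator that is meant to be exact should anchor with `\z`: `return (bool) preg_match('/^[0-9A-Za-z]{32}\z/', $uid);` (`{32}` is the same as `{32,32}`). The sibling `verifyUniqueID` on the context line above has no end anchor at all; that is pre-existing, but worth aligning while this one is added.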
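Review bot: `preg_match('//u', $string)` returns `false` and emits a warning when `$string` is not a string, so any caller that relied on the removed `is_array` branch now gets a warning plus `false` instead of a result; I cannot see from the hunk whether such callers exist, so either implode arrays before the match or narrow the `@param` in the docblock above (outside the hunk) to `string`. The if/else collapses to one expression that also makes the PCRE error case explicit: `return preg_match('//u', $string) === 1;`.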
@@ -5416,13 +5439,25 @@ class G
 $sflag = $conf->getConfiguration('AUDIT_LOG', 'log');
 $sflagAudit = $sflag == 'true' ? true : false;
 $ipClient = G::getIpAddress();
+ $userUid = 'Unknow User';
+ $fullName = '-';
 /*----------------------------------********---------------------------------*/
 $licensedFeatures = PMLicensedFeatures::getSingleton();
 if ($sflagAudit && $licensedFeatures->verifyfeature('vtSeHNhT0JnSmo1bTluUVlTYUxUbUFSVStEeXVqc1pEUG5EeXc0MGd2Q3ErYz0=')) {
- $username = isset($_SESSION['USER_LOGGED']) && $_SESSION['USER_LOGGED'] != '' ? $_SESSION['USER_LOGGED'] : 'Unknow User';
- $fullname = isset($_SESSION['USR_FULLNAME']) && $_SESSION['USR_FULLNAME'] != '' ? $_SESSION['USR_FULLNAME'] : '-';
- G::log("|". $workspace ."|". $ipClient ."|". $username . "|" . $fullname ."|" . $actionToLog . "|" . $valueToLog, PATH_DATA, "audit.log");
+ if (isset($_SESSION['USER_LOGGED']) && $_SESSION['USER_LOGGED'] != '') {
+ $userUid = $_SESSION['USER_LOGGED'];
+ } else {
+ //Get the usrUid related to the accessToken
+ $userUid = \ProcessMaker\Services\OAuth2\Server::getUserId();
+ if (!empty($userUid)) {
+ $oUserLogged = new \Users();
+ $user = $oUserLogged->loadDetails($userUid);
+ $fullName = $user['USR_FULLNAME'];
+ }
+ }
+ $fullName = isset($_SESSION['USR_FULLNAME']) && $_SESSION['USR_FULLNAME'] != '' ? $_SESSION['USR_FULLNAME'] : $fullName;
+ G::log("|". $workspace ."|". $ipClient ."|". $userUid . "|" . $fullName ."|" . $actionToLog . "|" . $valueToLog, PATH_DATA, "audit.log");
 }
 /*----------------------------------********---------------------------------*/
 }
diff --git a/gulliver/system/class.menu.php b/gulliver/system/class.menu.php
index 82ce5fa03..e539f2417 100644
--- a/gulliver/system/class.menu.php
+++ b/gulliver/system/class.menu.php
@@ -283,7 +283,7 @@ class Menu
 */
 public function DisableOptionId($id)
 {
- if (array_search($id, $this->Id)) {
+ if (array_search($id, $this->Id) !== FALSE) {
 $this->Enabled[array_search($id, $this->Id)] = 0;
 }
 }
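Review bot: In the `else` branch, `$userUid = \ProcessMaker\Services\OAuth2\Server::getUserId();` overwrites the `'Unknow User'` default set at the top of the hunk even when no token user is found, so a request with neither a session nor a token writes an empty user column to audit.log; assign to a temporary and promote it only when set: `$tokenUser = \ProcessMaker\Services\OAuth2\Server::getUserId();` / `if (!empty($tokenUser)) {` / `$userUid = $tokenUser;`. `$fullName = $user['USR_FULLNAME'];` also assumes `loadDetails()` returns that key for every UID; if it can return an empty array for an unknown user, guard it with `isset`. The entries are pipe-delimited and `$actionToLog`/`$valueToLog` reach `G::log` unsanitised, so a `|` or line break in either value can split or forge an audit record; strip `"\r"`, `"\n"` and `"|"` from both before the `G::log` call.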
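Review bot: `array_search($id, $this->Id)` is evaluated twice and still compares loosely, so an `$id` of `0` or a non-numeric string can match unrelated entries under PHP's `==` rules; search once, pass `true` as the third argument and use lowercase `false`: `$index = array_search($id, $this->Id, true);` / `if ($index !== false) {` / `$this->Enabled[$index] = 0;`. If `$this->Id` mixes int and string ids the strict flag would change which entries match, so check the callers before switching.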
diff --git a/gulliver/system/class.monologProvider.php b/gulliver/system/class.monologProvider.php
index f0b519211..9840834cb 100644
--- a/gulliver/system/class.monologProvider.php
+++ b/gulliver/system/class.monologProvider.php
@@ -106,11 +106,13 @@ class MonologProvider
 break;
 case 400://ERROR
 $this->registerLogger->addError($message, $context);
+ break;
 case 500://CRITICAL
 $this->registerLogger->addCritical($message, $context);
 break;
 case 550://ALERT
 $this->registerLogger->addAlert($message, $context);
+ break;
 case 600://EMERGENCY
 $this->registerLogger->addEmergency($message, $context);
 break;
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index c4749221e..93440d716 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -70,6 +70,7 @@ class RBAC
 public $singleSignOn = false;
 private static $instance = null;
+ public $authorizedActions = array();
 public function __construct ()
 {
@@ -110,11 +111,11 @@ class RBAC
 'downloadFileHash' => array('PM_FACTORY')
 ),
 'processProxy.php' => array(
- 'categoriesList' => array('PM_SETUP_PROCESS_CATEGORIES'),
- 'getCategoriesList' => array('PM_FACTORY'),
+ 'categoriesList' => array(),
+ 'getCategoriesList' => array(),
 'saveProcess' => array('PM_FACTORY'),
- 'changeStatus' => array('PM_FACTORY'),
- 'changeDebugMode' => array('PM_FACTORY'),
+ 'changeStatus' => array(),
+ 'changeDebugMode' => array(),
 'getUsers' => array(),
 'getGroups' => array(),
 'assignActorsTask' => array(),
@@ -125,7 +126,7 @@ class RBAC
 'saveProperties' => array(),
 'getCaledarList' => array(),
 'getPMVariables' => array(),
- 'generateBpmn' => array('PM_FACTORY')
+ 'generateBpmn' => array()
 ),
 'home.php' => array(
 'login' => array('PM_LOGIN'),
@@ -144,9 +145,6 @@ class RBAC
 'getProcessArray' => array('PM_ALLCASES'),
 'getProcesses' => array('PM_ALLCASES'),
 'getUsers' => array('PM_ALLCASES')
- ),
- 'newSite.php' => array(
- 'newSite.php' => array('PM_SETUP_ADVANCE')
 )
 );
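Review bot: `public $authorizedActions = array();` adds mutable public state to the RBAC class without a comment, and nothing else in this diff reads or writes it, so its purpose and its writer are unknown to the next maintainer; add `// Actions already authorised in this request (filled by …); not for external assignment` with the real filler named, and unless code outside the class is meant to assign it, make it `private` (or `protected`) with an accessor so authorisation bookkeeping cannot be overwritten from outside.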
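Review bot: `changeStatus`, `changeDebugMode`, `categoriesList`, `getCategoriesList` and, in the following hunk, `generateBpmn` drop from requiring `PM_FACTORY`/`PM_SETUP_PROCESS_CATEGORIES` to an empty list, which by analogy with the neighbouring `'getUsers' => array()` entries presumably means no permission is checked, so any authenticated user could activate or deactivate a process or toggle its debug mode through processProxy.php. The commit message gives no rationale; if these actions are now authorised further down the call chain, reference that check in a comment beside the entries, otherwise keep at least `changeStatus` and `changeDebugMode` on `array('PM_FACTORY')`. The last hunk of this file likewise removes the `'newSite.php' => array('PM_SETUP_ADVANCE')` mapping; if unmapped files default to allowed, that silently drops a setup-level requirement and deserves the same justification.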
@@ -359,6 +357,8 @@ class RBAC
 "PER_NAME" => "Edit User profile Default Cases Menu Options"
 ), array("PER_UID" => "00000000000000000000000000000064", "PER_CODE" => "PM_REASSIGNCASE_SUPERVISOR",
 "PER_NAME" => "Reassign case supervisor"
+ ), array("PER_UID" => "00000000000000000000000000000065", "PER_CODE" => "PM_SETUP_CUSTOM_CASES_LIST",
+ "PER_NAME" => "Setup Custom Cases List"
 )
 );
 return $permissionsAdmin;