From 3a06caf5554093214523aad5c1e616ad2186ac36 Mon Sep 17 00:00:00 2001
From: "marcelo.cuiza"
Date: Mon, 11 May 2015 16:36:07 -0400
Subject: [PATCH 1/3] validaciones veracode del reporte del 11-05-15
---
 gulliver/system/class.g.php | 14 +++++++++++---
 .../pear/HTTP/WebDAV/Server/Filesystem.php | 18 ++++++++++++++++--
 workflow/engine/classes/class.webdav.php | 9 +++++++--
 workflow/engine/controllers/installer.php | 12 ++++++++++--
 4 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index a96b5977a..69feae7d6 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -463,10 +463,17 @@ class G
 * @return void
 */
 public static function LoadSystem ($strClass)
- { require_once (PATH_GULLIVER . 'class.inputfilter.php');
- $filter = new InputFilter();
+ {
 $path = PATH_GULLIVER . 'class.' . $strClass . '.php';
- $path = $filter->validateInput($path, 'path');
+ if(file_exists(PATH_GULLIVER . 'class.inputfilter.php')) {
+ require_once (PATH_GULLIVER . 'class.inputfilter.php');
+ $filter = new InputFilter();
+ $path = $filter->validateInput($path, 'path');
+ } else {
+ if(!file_exists($path)) {
+ $path = '';
+ }
+ }
 require_once ($path);
 }
@@ -2656,6 +2663,7 @@ class G
 $path = $filter->validateInput($path, "path");
 move_uploaded_file( $file, $path . "/" . $nameToSave );
+ $nameToSave = $filter->validateInput($nameToSave, "path");
 @chmod( $path . "/" . $nameToSave, $permission );
 umask( $oldumask );
diff --git a/gulliver/thirdparty/pear/HTTP/WebDAV/Server/Filesystem.php b/gulliver/thirdparty/pear/HTTP/WebDAV/Server/Filesystem.php
index ae87e5462..41dbdf521 100755
--- a/gulliver/thirdparty/pear/HTTP/WebDAV/Server/Filesystem.php
+++ b/gulliver/thirdparty/pear/HTTP/WebDAV/Server/Filesystem.php
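Review bot: The new `else` branch in LoadSystem still assembles `$path` from `$strClass` with no check on the name when `class.inputfilter.php` is absent; `file_exists()` only confirms that something is at the resulting path, so `$strClass` should be constrained to a bare class name before the path is built, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $strClass)) { throw new Exception('Invalid class name: ' . $strClass); }` placed above the `$path = PATH_GULLIVER . 'class.' . $strClass . '.php';` line. Setting `$path = ''` on a miss only turns the failure into a `require_once('')` error a few lines later, so throwing there with a clear message would be easier to diagnose. What `validateInput(..., 'path')` does to the path is not visible in this hunk, so the name check should be treated as the primary guard rather than a fallback.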
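Review bot: In the hunk at -2656 the new `$nameToSave = $filter->validateInput($nameToSave, "path");` line runs after `move_uploaded_file()` has already written the file under the unvalidated name, so the check only protects the following `@chmod()` and can make chmod act on a different name than the file that was actually written. Move that line above `move_uploaded_file( $file, $path . "/" . $nameToSave );` so both calls use the same checked name. The enclosing function starts and ends outside the hunk.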
@@ -634,15 +634,29 @@
 $dir = dirname($path)."/";
 $base = basename($path);
+ if (!class_exists('G')) {
+ $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] );
+ $docuroot = explode( '/', $realdocuroot );
+ array_pop( $docuroot );
+ $pathhome = implode( '/', $docuroot ) . '/';
+ array_pop( $docuroot );
+ $pathTrunk = implode( '/', $docuroot ) . '/';
+ require_once($pathTrunk.'gulliver/system/class.g.php');
+ }
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+
 foreach($options["props"] as $key => $prop) {
 if ($prop["ns"] == "DAV:") {
 $options["props"][$key]['status'] = "403 Forbidden";
 } else {
 if (isset($prop["val"])) {
- $query = "REPLACE INTO properties SET path = '$options[path]', name = '$prop[name]', ns= '$prop[ns]', value = '$prop[val]'";
+ $query = "REPLACE INTO properties SET path = '%s', name = '%s', ns= '%s', value = '%s'";
+ $query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns'],$prop['val']));
 error_log($query);
 } else {
- $query = "DELETE FROM properties WHERE path = '$options[path]' AND name = '$prop[name]' AND ns = '$prop[ns]'";
+ $query = "DELETE FROM properties WHERE path = '%s' AND name = '%s' AND ns = '%s'";
+ $query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns']));
 }
 mysql_query($query);
 }
diff --git a/workflow/engine/classes/class.webdav.php b/workflow/engine/classes/class.webdav.php
index bc56cca59..3b56c1068 100755
--- a/workflow/engine/classes/class.webdav.php
+++ b/workflow/engine/classes/class.webdav.php
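Review bot: The `preventSqlInjection($query, Array(...))` calls replace direct interpolation with a `'%s'` template, but the result is still handed to `mysql_query()` as a single string, so the protection rests entirely on how `InputFilter::preventSqlInjection` escapes for the connection's charset — nothing in the hunk shows that contract, and the same applies to the matching hunk in `workflow/engine/classes/class.webdav.php`. If a mysqli or PDO handle is reachable from this class, a prepared statement with bound values would remove that dependency; otherwise add a comment above the first `$query =` line stating it, e.g. `// preventSqlInjection() must escape for the charset of the active mysql connection`. Separately, `error_log($query)` on the REPLACE path writes the client-supplied property values into the server log verbatim; logging only `$options['path']` and `$prop['name']` would be enough to trace the call. The `!class_exists('G')` bootstrap derives `$pathTrunk` from `$_SERVER['DOCUMENT_ROOT']` by popping two path segments, which presumably breaks under a non-standard document root — the deployment layout is not visible here. The enclosing method starts outside the hunk.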
@@ -902,16 +902,21 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
 $dir = dirname($path) . "/";
 $base = basename($path);
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 foreach ($options["props"] as $key => $prop) {
 if ($prop["ns"] == "DAV:") {
 $options["props"][$key]['status'] = "403 Forbidden";
 } else {
 if (isset($prop["val"])) {
- $query = "REPLACE INTO properties SET path = '$options[path]', name = '$prop[name]', ns= '$prop[ns]', value = '$prop[val]'";
+ $query = "REPLACE INTO properties SET path = '%s', name = '%s', ns= '%s', value = '%s'";
+ $query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns'],$prop['val']));
 error_log($query);
 } else {
- $query = "DELETE FROM properties WHERE path = '$options[path]' AND name = '$prop[name]' AND ns = '$prop[ns]'";
+ $query = "DELETE FROM properties WHERE path = '%s' AND name = '%s' AND ns = '%s'";
+ $query = $filter->preventSqlInjection($query, Array($options['path'],$prop['name'],$prop['ns']));
 }
 mysql_query($query);
 }
diff --git a/workflow/engine/controllers/installer.php b/workflow/engine/controllers/installer.php
index 706c405c5..fd7df39a4 100644
--- a/workflow/engine/controllers/installer.php
+++ b/workflow/engine/controllers/installer.php
@@ -315,6 +315,10 @@ class Installer extends Controller
 $info->success = false;
 }
 }
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $pathShared = $filter->validateInput($_REQUEST['pathShared'], 'path');
 if ($info->pathShared->result) {
 $aux = pathinfo( $_REQUEST['pathLogFile'] );
@@ -322,7 +326,7 @@ class Installer extends Controller
 if (is_dir( $aux['dirname'] )) {
 if (! file_exists( $_REQUEST['pathLogFile'] )) {
 @file_put_contents( $_REQUEST['pathLogFile'], '' );
- @chmod($_REQUEST['pathShared'], 0770);
+ @chmod($pathShared , 0770);
 }
 }
 }
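Review bot: In the installer hunk at -315 only `pathShared` is passed through `validateInput()`; the `$_REQUEST['pathLogFile']` value used on the next line in `pathinfo()` and, in the hunk at -322, in `file_exists()` and `@file_put_contents()` is still read straight from the request, so the new check covers the `@chmod()` call but not the file that is actually created. Apply the same treatment once, e.g. `$pathLogFile = $filter->validateInput($_REQUEST['pathLogFile'], 'path');` beside the `$pathShared` line, and use it in those three calls. `$_REQUEST['pathShared']` is also read without an `isset()` guard, which raises a notice when the field is absent from the request. The enclosing method starts and ends outside the hunk.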
@@ -388,7 +392,11 @@ class Installer extends Controller
 return $false;
 }
 }
-
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $logFile = $filter->validateInput($logFile, 'path');
+
 $fpt = fopen( $logFile, 'a' );
 fwrite( $fpt, sprintf( "%s %s\n", date( 'Y:m:d H:i:s' ), trim( $text ) ) );
 fclose( $fpt );
From c24abfbf154c0b4415675c1ead94867d38fb3c99 Mon Sep 17 00:00:00 2001
From: Victor Saisa Lopez
Date: Mon, 18 May 2015 14:13:06 -0400
Subject: [PATCH 2/3] PM-00000 "Fix to import process"
SOLVED
Issue: Fix to import process
Cause: No import correctly attribute "taskExtraProperties"
Solution: Fix to export and import the attribute "taskExtraProperties" of a project
---
 workflow/engine/classes/class.processes.php | 12 +++++
 workflow/engine/classes/class.tasks.php | 21 +++++++--
 .../engine/classes/model/Configuration.php | 46 ++++++++++++-------
 3 files changed, 58 insertions(+), 21 deletions(-)
diff --git a/workflow/engine/classes/class.processes.php b/workflow/engine/classes/class.processes.php
index 3f0d72746..0ef82788e 100755
--- a/workflow/engine/classes/class.processes.php
+++ b/workflow/engine/classes/class.processes.php
@@ -969,6 +969,18 @@ class Processes
 }
 }
+ if (isset($oData->taskExtraProperties)) {
+ foreach ($oData->taskExtraProperties as $key => $value) {
+ $record = $value;
+
+ if (isset($map[$record["OBJ_UID"]])) {
+ $newUid = $map[$record["OBJ_UID"]];
+
+ $oData->taskExtraProperties[$key]["OBJ_UID"] = $newUid;
+ }
+ }
+ }
+
 if (isset($oData->webEntry)) {
 foreach ($oData->webEntry as $key => $value) {
 $record = $value;
diff --git a/workflow/engine/classes/class.tasks.php b/workflow/engine/classes/class.tasks.php
index e464bfb7b..a276e2e5d 100755
--- a/workflow/engine/classes/class.tasks.php
+++ b/workflow/engine/classes/class.tasks.php
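Review bot: `fopen( $logFile, 'a' )` on the line after the new validation is still unchecked, so if `validateInput()` alters or empties the path the handle is `false` and `fwrite()`/`fclose()` fail silently; add `if ($fpt === false) { return false; }` directly after the `fopen` call. The `return $false;` in the hunk's leading context looks like a typo for `return false;` (`$false` is not assigned in the visible lines), which the same edit could correct. The `G::LoadSystem('inputfilter'); $filter = new InputFilter();` pair now appears in both installer hunks; a small private helper that validates a path would keep the check in one place. The enclosing method starts outside the hunk.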
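Review bot: In the class.processes.php hunk, `$map[$record["OBJ_UID"]]` reads `OBJ_UID` before `isset()` has any chance to protect it, so a `taskExtraProperties` record without that key raises an undefined-index notice; guard both in one expression, `if (isset($record["OBJ_UID"], $map[$record["OBJ_UID"]])) {`. The `$record = $value;` copy mirrors the `webEntry` block below but adds nothing here — `$value` can be indexed directly. The enclosing method starts and ends outside the hunk.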
@@ -391,12 +391,23 @@ class Tasks
 $oCriteria = new Criteria('workflow');
 $oCriteria->add(ObjectPermissionPeer::OP_TASK_SOURCE, $sTaskUID);
 ObjectPermissionPeer::doDelete($oCriteria);
+
+ //Delete Cases Schedulers
+ $criteria = new Criteria("workflow");
+
+ $criteria->add(CaseSchedulerPeer::TAS_UID, $sTaskUID, Criteria::EQUAL);
+
+ $result = CaseSchedulerPeer::doDelete($criteria);
+
+ //Delete Configuration
+ $criteria = new Criteria("workflow");
+
+ $criteria->add(ConfigurationPeer::OBJ_UID, $sTaskUID, Criteria::EQUAL);
+
+ $result = ConfigurationPeer::doDelete($criteria);
+
 //Delete task
 $oTask->remove($sTaskUID);
- //Delete cases schedulers added by krlos
- $oCriteria = new Criteria('workflow');
- $oCriteria->add(CaseSchedulerPeer::TAS_UID, $sTaskUID);
- CaseSchedulerPeer::doDelete($oCriteria);
 } catch (Exception $oError) {
 throw ($oError);
 }
@@ -855,4 +866,4 @@ class Tasks
 }
 }
 }
-
\ No newline at end of file
+
diff --git a/workflow/engine/classes/model/Configuration.php b/workflow/engine/classes/model/Configuration.php
index 50fd285a1..51c8fb86c 100755
--- a/workflow/engine/classes/model/Configuration.php
+++ b/workflow/engine/classes/model/Configuration.php
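Review bot: The new `ConfigurationPeer::doDelete($criteria)` removes every CONFIGURATION row whose `OBJ_UID` equals the task UID with no `CFG_UID` restriction; if other configuration kinds key on the same `OBJ_UID`, they are deleted along with the task properties, so adding a `CFG_UID` criterion for the task-properties entry (its value is not visible here) would scope the cleanup. `$result` is assigned by both `doDelete` calls and never read — drop the assignment or check the count. The scheduler cleanup previously ran after `$oTask->remove($sTaskUID)`; the reordering is reasonable but deserves a one-line comment such as `//Dependent rows are removed before the task itself` in place of the bare `//Delete Cases Schedulers`. The enclosing try block starts outside the hunk.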
@@ -1,28 +1,42 @@ begin();
- $this->setCfgUid($aData['CFG_UID']);
- $this->setObjUid($aData['OBJ_UID']);
- $this->setCfgValue(isset($aData['CFG_VALUE'])?$aData['CFG_VALUE']:'');
- $this->setProUid($aData['PRO_UID']);
- $this->setUsrUid($aData['USR_UID']);
- $this->setAppUid($aData['APP_UID']);
- if ($this->validate()) {
- $result=$this->save();
- $con->commit();
+ $configuration = new Configuration();
+
+ $configuration->setCfgUid($arrayData["CFG_UID"]);
+ $configuration->setObjUid($arrayData["OBJ_UID"]);
+ $configuration->setCfgValue((isset($arrayData["CFG_VALUE"]))? $arrayData["CFG_VALUE"] : "");
+ $configuration->setProUid($arrayData["PRO_UID"]);
+ $configuration->setUsrUid($arrayData["USR_UID"]);
+ $configuration->setAppUid($arrayData["APP_UID"]);
+
+ if ($configuration->validate()) {
+ $cnn->begin();
+
+ $result = $configuration->save();
+
+ $cnn->commit();
+
+ //Return
 return $result;
 } else {
- $con->rollback();
- throw(new Exception("Failed Validation in class ".get_class($this)."."));
+ $msg = "";
+
+ foreach ($configuration->getValidationFailures() as $validationFailure) {
+ $msg = $msg . (($msg != "")? "\n" : "") . $validationFailure->getMessage();
+ }
+
+ throw new Exception(G::LoadTranslation("ID_RECORD_CANNOT_BE_CREATED") . (($msg != "")? "\n" . $msg : ""));
 }
 } catch (Exception $e) {
- $con->rollback();
+ $cnn->rollback();
+
- throw($e);
+ throw $e;
 }
 }
From 3f246694045c44ad5e53c6c737d04bc800153d0e Mon Sep 17 00:00:00 2001
From: Victor Saisa Lopez
Date: Tue, 19 May 2015 12:34:08 -0400
Subject: [PATCH 3/3] PM-2753 "Al editar la fecha final de un CaseScheduler y..."
SOLVED
Issue: Al editar la fecha final de un CaseScheduler y dejarla vacia, estos cambios no son guardados
Cause: validacion invalida para el campo "SCH_END_DATE"
Solution: Se elimina validacion
---
 .../engine/src/ProcessMaker/BusinessModel/CaseScheduler.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
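Review bot: `$cnn->begin()` now runs only inside the `if ($configuration->validate())` branch, yet the `catch` still calls `$cnn->rollback()` for every exception, including the validation-failure one thrown from the `else` branch where no transaction was started; either move `$cnn->begin();` above the `validate()` call or guard the rollback so it only runs after a successful `begin()`. The hunk's leading context appears truncated in this view (`@@ -1,28 +1,42 @@ begin();`), so where `$cnn` is obtained is not visible and the comparison with the old `$con` handling is partial. The `//Return` comment before `return $result;` restates the code and can be dropped.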
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/CaseScheduler.php b/workflow/engine/src/ProcessMaker/BusinessModel/CaseScheduler.php
index 4377d8198..d55c30b65 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/CaseScheduler.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/CaseScheduler.php
@@ -1005,9 +1005,7 @@ class CaseScheduler
 case "UPD":
 $arrayDataAux = $caseScheduler->load($caseSchedulerUid);
- if ($arrayData["SCH_END_DATE"] != "") {
- $arrayCaseSchedulerData["SCH_END_DATE"] = $arrayData["SCH_END_DATE"];
- }
+ $arrayCaseSchedulerData["SCH_END_DATE"] = $arrayData["SCH_END_DATE"];
 //If the start date has changed then recalculate the next run time
 $recalculateDate = ($arrayData["SCH_START_DATE"] == $arrayData["PREV_SCH_START_DATE"])? false : true;
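Review bot: Replacing the `!= ""` check with an unconditional assignment means `$arrayData["SCH_END_DATE"]` is read even when the caller did not send the field, which raises an undefined-index notice and overwrites the stored end date with `null` on a partial update; use `if (array_key_exists("SCH_END_DATE", $arrayData)) { $arrayCaseSchedulerData["SCH_END_DATE"] = $arrayData["SCH_END_DATE"]; }` so an empty string clears the date while an absent key leaves it untouched. Whether an upstream validation guarantees the key is always present is not visible in the hunk. The enclosing switch starts and ends outside the hunk.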