diff --git a/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/ui.css b/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/ui.css index e54326fa3..6f63fd352 100644 --- a/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/ui.css +++ b/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/ui.css @@ -15,6 +15,7 @@ /* Layout */ .o2k7Skin table.mceLayout {border:0; border-left:1px solid #ABC6DD; border-right:1px solid #ABC6DD} +.o2k7Skin table.mceLayout tr.mceLast {height:1px !important} .o2k7Skin table.mceLayout tr.mceFirst td {border-top:1px solid #ABC6DD} .o2k7Skin table.mceLayout tr.mceLast td {border-bottom:1px solid #ABC6DD} .o2k7Skin table.mceToolbar, .o2k7Skin tr.mceFirst .mceToolbar tr td, .o2k7Skin tr.mceLast .mceToolbar tr td {border:0; margin:0; padding:0} diff --git a/gulliver/system/class.database_mssql.php b/gulliver/system/class.database_mssql.php index e631f6bf2..da3b157fa 100755 --- a/gulliver/system/class.database_mssql.php +++ b/gulliver/system/class.database_mssql.php @@ -747,11 +747,14 @@ class database extends database_base public function getServerVersion ($driver, $dbIP, $dbPort, $dbUser, $dbPasswd, $dbSourcename) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $DB_NAME = $filter->validateInput(DB_NAME); if (strlen( trim( $dbIP ) ) <= 0) { $dbIP = DB_HOST; } if ($link = @mssql_connect( $dbIP, $dbUser, $dbPasswd )) { - @mssql_select_db( DB_NAME, $link ); + @mssql_select_db( $DB_NAME, $link ); $oResult = @mssql_query( "select substring(@@version, 21, 6) + ' (' + CAST(SERVERPROPERTY ('productlevel') as varchar(10)) + ') ' + CAST(SERVERPROPERTY('productversion') AS VARCHAR(15)) + ' ' + CAST(SERVERPROPERTY ('edition') AS VARCHAR(25)) as version; ", $link ); $aResult = @mssql_fetch_array( $oResult ); @mssql_free_result( $oResult ); 
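Review bot: The three added lines in getServerVersion sanitize `DB_NAME`, a server-side configuration constant, while the values that actually come from the caller (`$dbIP`, `$dbUser`, `$dbPasswd`) go to `mssql_connect` untouched. With the default `$types = 'string'`, validateInput falls into its FILTER_SANITIZE_STRING arm, so a legitimate database name containing a quote, `<` or `&` would be silently rewritten and the wrong database selected under `@`-suppressed errors. If the goal is to harden `mssql_select_db`, validate the name as an identifier and fail loudly, e.g. `if (!preg_match('/^[A-Za-z0-9_\-]+$/', DB_NAME)) { throw new Exception('Invalid DB_NAME'); }`, rather than transforming it. The same pattern repeats in reportTableExist and tableExists of class.database_mssql.php and in reportTableExist of class.database_mysql.php.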
@@ -813,9 +816,12 @@ class database extends database_base */ public function reportTableExist () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $DB_NAME = $filter->validateInput(DB_NAME); $bExists = true; $oConnection = mssql_connect( DB_HOST, DB_USER, DB_PASS ); - mssql_select_db( DB_NAME ); + mssql_select_db( $DB_NAME ); $oDataset = mssql_query( 'SELECT COUNT(*) FROM REPORT_TABLE' ) || ($bExists = false); return $bExists; @@ -835,10 +841,13 @@ class database extends database_base */ public function tableExists ($table, $db) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $DB_NAME = $filter->validateInput(DB_NAME); $sql = "SELECT * FROM sysobjects WHERE name='" . $table . "' AND type='u'"; $bExists = true; $oConnection = mssql_connect( DB_HOST, DB_USER, DB_PASS ); - mssql_select_db( DB_NAME ); + mssql_select_db( $DB_NAME ); $oDataset = mssql_query( $sql ) || ($bExists = false); return $bExists; } diff --git a/gulliver/system/class.database_mysql.php b/gulliver/system/class.database_mysql.php index 44bf43ec6..658330431 100755 --- a/gulliver/system/class.database_mysql.php +++ b/gulliver/system/class.database_mysql.php @@ -853,9 +853,12 @@ class database extends database_base */ public function reportTableExist () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $DB_NAME = $filter->validateInput(DB_NAME); $bExists = true; $oConnection = mysql_connect( DB_HOST, DB_USER, DB_PASS ); - mysql_select_db( DB_NAME ); + mysql_select_db( $DB_NAME ); $oDataset = mysql_query( 'SELECT COUNT(*) FROM REPORT_TABLE' ) || ($bExists = false); return $bExists; diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php index f4f849bbe..5dbac67aa 100755 --- a/gulliver/system/class.dbMaintenance.php +++ b/gulliver/system/class.dbMaintenance.php 
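Review bot: In tableExists the value that reaches the SQL text is `$table`, concatenated unescaped into `"SELECT * FROM sysobjects WHERE name='" . $table . "' AND type='u'"`, yet the added lines sanitize only the constant `DB_NAME`. An identifier check on the parameter before building the query is the missing guard, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) { return false; }`. Note also that `mssql_select_db( $DB_NAME )` is called without the `$oConnection` link and the connect result is never checked, so a failed connection still reports `$bExists = true` until the query line; that predates this commit but is worth fixing while here.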
@@ -502,7 +502,7 @@ class DataBaseMaintenance $data .= ");\n"; } - $data = $filter->xssFilterHard($data); + $data = $filter->preventSqlInjection($data); printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" ); return $data; } diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index 3c0e050f3..38acc65a0 100755 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php @@ -2635,9 +2635,15 @@ class G if (! is_dir( $path )) { G::verifyPath( $path, true ); } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $file = $filter->validateInput($file, "path"); + move_uploaded_file( $file, $path . "/" . $nameToSave ); @chmod( $path . "/" . $nameToSave, $permission ); umask( $oldumask ); + } catch (Exception $oException) { throw $oException; } diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php index 87c790a7c..e4c34b9a2 100644 --- a/gulliver/system/class.inputfilter.php +++ b/gulliver/system/class.inputfilter.php @@ -413,7 +413,7 @@ class InputFilter * @author Marcelo Cuiza * @access protected * @param Array or String $input - * @param String $type + * @param String $type (url) * @return Array or String $input */ function xssFilterHard($input, $type = "") @@ -514,7 +514,7 @@ class InputFilter * @param Array $values * @return String $query */ - function preventSqlInjection($query, $values = Array(), &$con = NULL) + function preventSqlInjection($query, $values = Array(), $con = NULL) { if(is_array($values) && sizeof($values)) { foreach($values as $k1 => $val1) { 
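Review bot: Calling `$filter->preventSqlInjection($data)` on the assembled dump string with no `$values` looks like a no-op at best, since the visible body of preventSqlInjection only iterates `$values`; if it does rewrite `$data` it would corrupt the dump rather than protect anything. Escaping belongs where each column value is appended to the `INSERT` text (above this hunk, not visible here), for example via the driver's string escaping per value. A short comment on the intent, `// values were escaped when each row was appended; no further rewriting of $data`, plus removal of this line would make the contract clear. The enclosing method starts outside the hunk.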
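Review bot: The `'path'` validation in the class.g.php hunk is applied to `$file`, the source argument of `move_uploaded_file`, while the destination `$path . "/" . $nameToSave` is built unchecked; if `$file` is the temp path PHP assigned to the upload it is trusted, and `$nameToSave` is the component that would carry a traversal if it is caller-controlled. Consider `$nameToSave = basename($nameToSave);` before the move, and check the return value of `move_uploaded_file` instead of continuing to `@chmod` on a file that may not exist. The `catch (Exception $oException) { throw $oException; }` rethrow adds nothing and could be dropped. The enclosing function starts outside the hunk.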
@@ -535,12 +535,12 @@ class InputFilter } /** - * Internal method: protect against SQL injenction + * Internal method: validate user input * @author Marcelo Cuiza * @access protected - * @param String $value - * @param String or Array $types - * @param String $valType + * @param String $value (required) + * @param Array or String $types ( string | int | float | boolean | path | nosql ) + * @param String $valType ( validate | sanitize ) * @return String $value */ function validateInput($value, $types = 'string', $valType = 'sanitize') @@ -596,7 +596,7 @@ class InputFilter } break; default: - $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH); + $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); } return $value; diff --git a/workflow/engine/classes/class.derivation.php b/workflow/engine/classes/class.derivation.php index 155aec556..7e81cab80 100755 --- a/workflow/engine/classes/class.derivation.php +++ b/workflow/engine/classes/class.derivation.php @@ -593,6 +593,7 @@ class Derivation //Count how many tasks should be derivated. //$countNextTask = count($nextDelegations); + $removeList = true; foreach ($nextDelegations as $nextDel) { //BpmnEvent - END-MESSAGE-EVENT - Check and get unique id if (preg_match("/^(.{32})\/(\-1)$/", $nextDel["TAS_UID"], $arrayMatch)) { 
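Review bot: The `default:` arm of validateInput is both the `'string'` case and the fallback for any unrecognised `$types` value, so a typo such as `'integer'` is silently sanitized as a string rather than rejected; an explicit `case 'string':` plus a `default:` that throws or logs would surface that. FILTER_SANITIZE_STRING strips tags and HTML-encodes quotes, which is output encoding rather than validation, and it is deprecated as of PHP 8.1, so the new docblock wording "validate user input" overstates what this arm does. Dropping FILTER_FLAG_STRIP_HIGH now lets multibyte UTF-8 through, which is reasonable, but the docblock should say that `sanitize` transforms the value while `validate` is expected to reject it. The method body continues outside the hunk.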
@@ -745,16 +746,46 @@ class Derivation } //switch } } + //SETS THE APP_PROC_CODE //if (isset($nextDel['TAS_DEF_PROC_CODE'])) //$appFields['APP_PROC_CODE'] = $nextDel['TAS_DEF_PROC_CODE']; /*----------------------------------********---------------------------------*/ - if (!empty($iNewDelIndex) && empty($aSP)) { - $oAppDel = AppDelegationPeer::retrieveByPK( $appFields['APP_UID'], $iNewDelIndex ); - $aFields = $oAppDel->toArray( BasePeer::TYPE_FIELDNAME ); - $aFields['APP_STATUS'] = $currentDelegation['APP_STATUS']; - $inbox = new ListInbox(); - $inbox->newRow($aFields, $appFields['CURRENT_USER_UID'], false, array(), ($nextDel['TAS_ASSIGN_TYPE'] == 'SELF_SERVICE' ? true : false)); + if ($nextDel['TAS_UID'] != '-1') { + $taskCur = TaskPeer::retrieveByPK($nextDel['TAS_UID']); + $aTask = $taskCur->toArray( BasePeer::TYPE_FIELDNAME ); + $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); + if (!in_array($aTask['TAS_TYPE'], $arrayTaskTypeToExclude)) { + if (!empty($iNewDelIndex) && empty($aSP)) { + $oAppDel = AppDelegationPeer::retrieveByPK( $appFields['APP_UID'], $iNewDelIndex ); + $aFields = $oAppDel->toArray( BasePeer::TYPE_FIELDNAME ); + $aFields['APP_STATUS'] = $currentDelegation['APP_STATUS']; + $aFields['REMOVED_LIST'] = $removeList; + $inbox = new ListInbox(); + $inbox->newRow($aFields, $appFields['CURRENT_USER_UID'], false, array(), ($nextDel['TAS_ASSIGN_TYPE'] == 'SELF_SERVICE' ? 
true : false)); + $removeList = false; + } else { + if (empty($aSP)) { + $oRow = ApplicationPeer::retrieveByPK($appFields['APP_UID']); + $aFields = $oRow->toArray( BasePeer::TYPE_FIELDNAME ); + $users = new Users(); + if ($aFields['APP_STATUS'] == 'DRAFT') { + $users->refreshTotal($appFields['CURRENT_USER_UID'], 'remove', 'draft'); + } else { + $users->refreshTotal($appFields['CURRENT_USER_UID'], 'remove', 'inbox'); + } + } + } + } else { + $oRow = ApplicationPeer::retrieveByPK($appFields['APP_UID']); + $aFields = $oRow->toArray( BasePeer::TYPE_FIELDNAME ); + $users = new Users(); + if ($aFields['APP_STATUS'] == 'DRAFT') { + $users->refreshTotal($appFields['CURRENT_USER_UID'], 'remove', 'draft'); + } else { + $users->refreshTotal($appFields['CURRENT_USER_UID'], 'remove', 'inbox'); + } + } } /*----------------------------------********---------------------------------*/ unset( $aSP ); diff --git a/workflow/engine/classes/class.dynaformEditor.php b/workflow/engine/classes/class.dynaformEditor.php index f59ae7c9d..b87f488d9 100755 --- a/workflow/engine/classes/class.dynaformEditor.php +++ b/workflow/engine/classes/class.dynaformEditor.php @@ -515,6 +515,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax */ public function restore_html($A) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $script = null; $fileTmp = G::decrypt($A, URL_KEY); $form = new Form($fileTmp, PATH_DYNAFORM, SYS_LANG, true); 
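Review bot: `TaskPeer::retrieveByPK($nextDel['TAS_UID'])` can return null when no task row matches, and the next line calls `$taskCur->toArray(...)` unguarded, which is a fatal error on a stale or foreign `TAS_UID`; guard with `if ($taskCur === null) { ... }` and treat it like an excluded task type. The `refreshTotal` block for DRAFT/inbox appears verbatim twice (inner `else` and outer `else`), so extracting it into a private helper taking `$appFields['APP_UID']` and `$appFields['CURRENT_USER_UID']` would remove the duplication and make the branch structure readable. `in_array($aTask['TAS_TYPE'], $arrayTaskTypeToExclude)` should pass `true` as the third argument. The enclosing method starts and ends outside the hunk.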
@@ -527,10 +529,11 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax $form->enableTemplate = false; $html = $form->printTemplate($form->template, $script); $html = str_replace('{$form_className}', 'formDefault', $html); - if (file_exists(PATH_DYNAFORM . $fileTmp . '.html')) { - unlink(PATH_DYNAFORM . $fileTmp . '.html'); + $pathTmp = $filter->xssFilterHard(PATH_DYNAFORM . $fileTmp . '.html', 'path'); + if (file_exists($pathTmp)) { + unlink($pathTmp); } - $fp = fopen(PATH_DYNAFORM . $fileTmp . '.html', 'w'); + $fp = fopen($pathTmp, 'w'); fwrite($fp, $html); fclose($fp); @@ -546,6 +549,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax public function set_htmlcode($A, $htmlcode) { try { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $iOcurrences = preg_match_all('/\{\$.*?\}/im', $htmlcode, $matches); if ($iOcurrences) { if (isset($matches[0])) { @@ -561,6 +566,7 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax $file = G::decrypt($A, URL_KEY); $form = new Form($file, PATH_DYNAFORM, SYS_LANG, true); $filename = substr($form->fileName, 0, - 3) . ($form->type === 'xmlform' ? '' : '.' . $form->type) . 'html'; + $filename = $filter->xssFilterHard($filename, 'path'); $fp = fopen($filename, 'w'); fwrite($fp, $htmlcode); fclose($fp); @@ -598,10 +604,13 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax */ public function set_xmlcode($A, $xmlcode) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $xmlcode = urldecode($xmlcode); $file = G::decrypt($A, URL_KEY); $xmlcode = str_replace(' ', ' ', trim($xmlcode)); - $fp = fopen(PATH_DYNAFORM . $file . '.xml', 'w'); + $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', "path"); + $fp = fopen($pathFile, 'w'); fwrite($fp, $xmlcode); fclose($fp); return ""; 
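Review bot: In restore_html the `'path'` filter is applied to `$pathTmp` only after `new Form($fileTmp, PATH_DYNAFORM, ...)` in the previous hunk has already consumed the unfiltered `$fileTmp`, and filtering the concatenation `PATH_DYNAFORM . $fileTmp . '.html'` cannot tell the trusted prefix from the decrypted token. Validating `$fileTmp` itself right after `G::decrypt` against the expected filename shape, e.g. `if (!preg_match('/^[A-Za-z0-9_\-\/]+$/', $fileTmp)) { throw new Exception('Invalid dynaform id'); }`, would protect every later use. The `fopen` results here and in set_htmlcode and set_xmlcode are not checked before `fwrite`. The same concatenate-then-filter pattern appears in set_javascript, set_properties and set_enabletemplate of this file and in the class.system.php hunks.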
@@ -647,6 +656,9 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax */ public function set_javascript($A, $fieldName, $sCode, $meta = '') { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $fieldName = $filter->xssFilterHard($fieldName, 'path'); if ($fieldName == '___pm_boot_strap___') { return 0; } @@ -661,8 +673,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax */ G::LoadSystem('dynaformhandler'); - - $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml"); + $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path'); + $dynaform = new dynaFormHandler($pathFile); $dynaform->replace($fieldName, $fieldName, Array('type' => 'javascript', 'meta' => $meta, '#cdata' => $sCode )); @@ -716,6 +728,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax public function set_properties($A, $DYN_UID, $getFields) { try { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $post = array(); parse_str($getFields, $post); $Fields = $post['form']; @@ -729,8 +743,9 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax $tmp['Properties'] = $Fields; self::_setTmpData($tmp); } - $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml"); - $dbc2 = new DBConnection(PATH_DYNAFORM . $file . '.xml', '', '', '', 'myxml'); + $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path'); + $dynaform = new dynaFormHandler($pathFile); + $dbc2 = new DBConnection($pathFile, '', '', '', 'myxml'); $ses2 = new DBSession($dbc2); //if (!isset($Fields['ENABLETEMPLATE'])) $Fields['ENABLETEMPLATE'] ="0"; 
@@ -791,13 +806,15 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax */ public function set_enabletemplate($A, $value) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $file = G::decrypt($A, URL_KEY); $value = $value == "1" ? "1" : "0"; // $dbc2 = new DBConnection( PATH_DYNAFORM . $file . '.xml', '', '', '', 'myxml' ); // $ses2 = new DBSession( $dbc2 ); // $ses2->execute( "UPDATE . SET ENABLETEMPLATE = '$value'" ); - - $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml"); + $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path'); + $dynaform = new dynaFormHandler($pathFile); $dynaform->modifyHeaderAttribute('enabletemplate', $value); return $value; diff --git a/workflow/engine/classes/class.net.php b/workflow/engine/classes/class.net.php index 78e3e2e0a..4091f5ffe 100755 --- a/workflow/engine/classes/class.net.php +++ b/workflow/engine/classes/class.net.php @@ -208,6 +208,13 @@ class NET */ public function tryConnectServer($pDbDriver, array $arrayServerData = array()) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $this->ip = $filter->validateInput($this->ip); + $this->db_port = $filter->validateInput($this->db_port,'int'); + $this->db_user = $filter->validateInput($this->db_user); + $this->db_passwd = $filter->validateInput($this->db_passwd); + $this->db_sourcename = $filter->validateInput($this->db_sourcename); if ($this->errno != 0) { return 0; } @@ -324,6 +331,13 @@ class NET */ public function tryOpenDataBase($pDbDriver, array $arrayServerData = array()) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $this->ip = $filter->validateInput($this->ip); + $this->db_port = $filter->validateInput($this->db_port,'int'); + $this->db_user = $filter->validateInput($this->db_user); + $this->db_passwd = $filter->validateInput($this->db_passwd); + $this->db_sourcename = $filter->validateInput($this->db_sourcename); if ($this->errno != 0) { return 0; } 
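Review bot: In tryConnectServer and tryOpenDataBase, `validateInput($this->db_passwd)` with the default `'string'` type lands in the FILTER_SANITIZE_STRING arm (see the class.inputfilter.php hunk), which strips tags and HTML-encodes quotes, so a database password containing `'`, `"`, `<` or `&` is silently rewritten and the rewritten value is stored back on the object for later calls. Credentials should not pass through an HTML sanitizer; if the concern is injection into a connection string, the driver API at the point of use is where escaping belongs. Dropping the `db_passwd` and `db_user` lines, or documenting with `// NOTE: transforms the value; do not apply to secrets` is the minimal fix. The same applies to `$db_password`, `$adminPassword` and `$pass` in the controllers/installer.php hunks.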
diff --git a/workflow/engine/classes/class.pmDynaform.php b/workflow/engine/classes/class.pmDynaform.php index 084576f90..6bb42a18b 100644 --- a/workflow/engine/classes/class.pmDynaform.php +++ b/workflow/engine/classes/class.pmDynaform.php @@ -35,6 +35,9 @@ class pmDynaform public function getDynaform() { + if (!isset($this->fields["CURRENT_DYNAFORM"])) { + return; + } if ($this->record != null) { return $this->record; } @@ -56,6 +59,9 @@ class pmDynaform public function getCredentials() { + if (!isset($_SESSION['USER_LOGGED'])) { + return; + } if ($this->credentials != null) { return $this->credentials; } @@ -430,3 +436,4 @@ class pmDynaform } } + diff --git a/workflow/engine/classes/class.system.php b/workflow/engine/classes/class.system.php index 4e11f5f96..a1c1f4175 100755 --- a/workflow/engine/classes/class.system.php +++ b/workflow/engine/classes/class.system.php @@ -281,11 +281,14 @@ class System */ public function verifyFileForUpgrade () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $upgradeFilename = isset( $_FILES['form']['name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['name']['UPGRADE_FILENAME'] : ''; $tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : ''; $this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) ); $sTemFilename = $tempFilename; - $this->sFilename = PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename; + $pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path'); + $this->sFilename = $pathFile; $this->sPath = dirname( $this->sFilename ) . PATH_SEP; G::mk_dir( PATH_DATA . 'upgrade' ); if (! move_uploaded_file( $sTemFilename, $this->sFilename )) { 
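Review bot: The new early `return;` in getDynaform and getCredentials yields null, which callers cannot distinguish from a record that failed to load, and neither method's docblock mentions it. Add `@return array|null` (or the actual type) with a sentence such as "returns null when no CURRENT_DYNAFORM is set" / "returns null when no user session is present" so the null branch is part of the contract. Both methods continue outside their hunks.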
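Review bot: In verifyFileForUpgrade `$upgradeFilename` is taken from `$_FILES['form']['name']`, which is the client-declared name, and the `'path'` filter is applied only to the full concatenated path, so `$this->sRevision` is still derived from the raw value. Normalising once at the source, `$upgradeFilename = basename($upgradeFilename);` immediately after the `isset` line, fixes both the path and the revision string regardless of what xssFilterHard does. The `move_uploaded_file` failure branch is already there, which is good.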
@@ -615,8 +618,12 @@ class System } } + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + //clean up xmlform folders $sDir = PATH_C . 'xmlform'; + $sDir = $filter->xssFilterHard($sDir, 'path'); if (file_exists( $sDir ) && is_dir( $sDir )) { $oDirectory = dir( $sDir ); while ($sObjectName = $oDirectory->read()) { @@ -729,8 +736,11 @@ class System */ public static function getPluginSchema ($pluginName) { - if (file_exists( PATH_PLUGINS . $pluginName . "/config/schema.xml" )) { - return System::getSchema( PATH_PLUGINS . $pluginName . "/config/schema.xml" ); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $pathFile = $filter->xssFilterHard(PATH_PLUGINS . $pluginName . "/config/schema.xml", 'path'); + if (file_exists( $pathFile )) { + return System::getSchema( $pathFile ); } else { return false; } diff --git a/workflow/engine/classes/class.wsTools.php b/workflow/engine/classes/class.wsTools.php index 4a075a6f5..828c01560 100755 --- a/workflow/engine/classes/class.wsTools.php +++ b/workflow/engine/classes/class.wsTools.php @@ -1387,6 +1387,9 @@ class workspaceTools static public function dirPerms($filename, $owner, $group, $perms) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $filename = $filter->xssFilterHard($filename, 'path'); $chown = @chown($filename, $owner); $chgrp = @chgrp($filename, $group); $chmod = @chmod($filename, $perms); diff --git a/workflow/engine/classes/model/AddonsManager.php b/workflow/engine/classes/model/AddonsManager.php index 7eb78f9a9..ada2ffb3e 100644 --- a/workflow/engine/classes/model/AddonsManager.php +++ b/workflow/engine/classes/model/AddonsManager.php @@ -215,7 +215,7 @@ class AddonsManager extends BaseAddonsManager $var = explode("&", $aux[1]); /////// - $boundary = "---------------------" . substr(md5(rand(0, 32000)), 0, 10); + $boundary = "---------------------" . substr(G::encryptOld(rand(0, 32000)), 0, 10); $data = null; for ($i = 0; $i <= count($var) - 1; $i++) { 
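Review bot: In getPluginSchema the untrusted component is `$pluginName`, and filtering the concatenated `PATH_PLUGINS . $pluginName . "/config/schema.xml"` relies on xssFilterHard's `'path'` mode rejecting separators and `..`, which is not visible here; a direct identifier check is simpler and explicit, e.g. `if (!preg_match('/^[A-Za-z0-9_\-]+$/', $pluginName)) { return false; }` before the path is built. In the preceding hunk, filtering `PATH_C . 'xmlform'` (constants only) is a no-op and can be dropped to avoid implying that the value is untrusted. In dirPerms the filtered `$filename` feeds `@chown`/`@chgrp`/`@chmod`, so a silently altered path just makes those calls fail under suppression; the rest of that method is outside the hunk.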
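Review bot: The multipart boundary is still seeded from `rand(0, 32000)`, so only 32001 distinct boundaries exist and the change to `G::encryptOld` does not widen that; a boundary that happens to occur in the encoded body corrupts the request. A boundary only needs to be unpredictable and long enough not to collide, e.g. `$boundary = "---------------------" . bin2hex(random_bytes(8));` on PHP 7+, or `substr(md5(uniqid('', true)), 0, 16)` on older runtimes. The enclosing method starts and ends outside the hunk.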
diff --git a/workflow/engine/classes/model/ListCanceled.php b/workflow/engine/classes/model/ListCanceled.php index f00fb46d7..e653de866 100644 --- a/workflow/engine/classes/model/ListCanceled.php +++ b/workflow/engine/classes/model/ListCanceled.php @@ -272,12 +272,6 @@ class ListCanceled extends BaseListCanceled { $criteria->addSelectColumn(ListCanceledPeer::DEL_INIT_DATE); $criteria->addSelectColumn(ListCanceledPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListCanceledPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListCanceledPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListCanceledPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListCompleted.php b/workflow/engine/classes/model/ListCompleted.php index ddbbf299b..3dd20d539 100644 --- a/workflow/engine/classes/model/ListCompleted.php +++ b/workflow/engine/classes/model/ListCompleted.php @@ -264,12 +264,6 @@ class ListCompleted extends BaseListCompleted $criteria->addSelectColumn(ListCompletedPeer::DEL_CURRENT_USR_FIRSTNAME); $criteria->addSelectColumn(ListCompletedPeer::DEL_CURRENT_USR_LASTNAME); $criteria->addSelectColumn(ListCompletedPeer::DEL_CURRENT_USR_USERNAME); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListCompletedPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListCompletedPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); 
diff --git a/workflow/engine/classes/model/ListInbox.php b/workflow/engine/classes/model/ListInbox.php index 9e7416336..bd4190073 100644 --- a/workflow/engine/classes/model/ListInbox.php +++ b/workflow/engine/classes/model/ListInbox.php @@ -192,6 +192,11 @@ class ListInbox extends BaseListInbox public function newRow ($data, $delPreviusUsrUid, $isInitSubprocess = false, $dataPreviusApplication = array(), $isSelfService = false) { + $removeList = true; + if (isset($data['REMOVED_LIST'])) { + $removeList = $data['REMOVED_LIST']; + unset($data['REMOVED_LIST']); + } $data['DEL_PREVIOUS_USR_UID'] = $delPreviusUsrUid; if (isset($data['DEL_TASK_DUE_DATE'])) { $data['DEL_DUE_DATE'] = $data['DEL_TASK_DUE_DATE']; 
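Review bot: `REMOVED_LIST` is a control flag smuggled through the `$data` row array and removed again before the row is stored, and the docblock for newRow does not mention it, so a reader of the signature cannot tell that callers (the class.derivation.php hunk sets it) influence the counter updates this way. Either document it, `@param array $data row fields; optional key REMOVED_LIST (bool, default true) controls whether the previous user's inbox/draft counter is decremented; it is stripped before persisting`, or add a trailing `$removeList = true` parameter so the contract is visible in the signature while keeping existing calls working. The method body continues outside the hunk.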
@@ -281,18 +286,20 @@ class ListInbox extends BaseListInbox } else { $oRow = ApplicationPeer::retrieveByPK($data['APP_UID']); $aFields = $oRow->toArray( BasePeer::TYPE_FIELDNAME ); - if ($data['DEL_INDEX'] == 2 || $aFields['APP_STATUS'] == 'DRAFT') { - $criteria = new Criteria(); - $criteria->addSelectColumn(SubApplicationPeer::APP_UID); - $criteria->add( SubApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL ); - $dataset = SubApplicationPeer::doSelectRS($criteria); - if ($dataset->next()) { - $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox'); + if ($removeList) { + if ($data['DEL_INDEX'] == 2 || $aFields['APP_STATUS'] == 'DRAFT') { + $criteria = new Criteria(); + $criteria->addSelectColumn(SubApplicationPeer::APP_UID); + $criteria->add( SubApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL ); + $dataset = SubApplicationPeer::doSelectRS($criteria); + if ($dataset->next()) { + $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox'); + } else { + $users->refreshTotal($delPreviusUsrUid, 'remove', 'draft'); + } } else { - $users->refreshTotal($delPreviusUsrUid, 'remove', 'draft'); + $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox'); } - } else { - $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox'); } if (!$isSelfService) { $users->refreshTotal($data['USR_UID'], 'add', 'inbox'); 
@@ -411,12 +418,6 @@ class ListInbox extends BaseListInbox $criteria->addSelectColumn(ListInboxPeer::DEL_INIT_DATE); $criteria->addSelectColumn(ListInboxPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListInboxPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListInboxPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListMyInbox.php b/workflow/engine/classes/model/ListMyInbox.php index 3541d848d..b2cc4860b 100644 --- a/workflow/engine/classes/model/ListMyInbox.php +++ b/workflow/engine/classes/model/ListMyInbox.php @@ -123,7 +123,10 @@ class ListMyInbox extends BaseListMyInbox if ($data['DEL_INDEX'] == 1 && $data['APP_STATUS'] == 'TO_DO') { $data['APP_CREATE_DATE'] = $data['APP_UPDATE_DATE']; - $this->remove($data['APP_UID'], $data['USR_UID']); + $oCriteria = new Criteria('workflow'); + $oCriteria->add(ListMyInboxPeer::APP_UID, $data['APP_UID']); + $oCriteria->add(ListMyInboxPeer::USR_UID, $data['USR_UID']); + ListMyInboxPeer::doDelete($oCriteria); $this->create($data); } else { unset($data['USR_UID']); 
@@ -236,12 +239,6 @@ class ListMyInbox extends BaseListMyInbox $criteria->addSelectColumn(ListMyInboxPeer::DEL_INIT_DATE); $criteria->addSelectColumn(ListMyInboxPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListMyInboxPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListMyInboxPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListMyInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListParticipatedHistory.php b/workflow/engine/classes/model/ListParticipatedHistory.php index 8384e1c76..6f8a9276f 100644 --- a/workflow/engine/classes/model/ListParticipatedHistory.php +++ b/workflow/engine/classes/model/ListParticipatedHistory.php @@ -194,12 +194,6 @@ class ListParticipatedHistory extends BaseListParticipatedHistory $criteria->addSelectColumn(ListParticipatedHistoryPeer::DEL_INIT_DATE); $criteria->addSelectColumn(ListParticipatedHistoryPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListParticipatedHistoryPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListParticipatedHistoryPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListParticipatedHistoryPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListParticipatedLast.php b/workflow/engine/classes/model/ListParticipatedLast.php index 72bea4e91..48335a04d 100644 --- a/workflow/engine/classes/model/ListParticipatedLast.php 
+++ b/workflow/engine/classes/model/ListParticipatedLast.php @@ -265,12 +265,6 @@ class ListParticipatedLast extends BaseListParticipatedLast $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_PRIORITY); $criteria->addSelectColumn(ListParticipatedLastPeer::DEL_THREAD_STATUS); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListParticipatedLastPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListParticipatedLastPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListPaused.php b/workflow/engine/classes/model/ListPaused.php index b029ba692..eb8b87896 100644 --- a/workflow/engine/classes/model/ListPaused.php +++ b/workflow/engine/classes/model/ListPaused.php @@ -308,12 +308,6 @@ class ListPaused extends BaseListPaused { $criteria->addSelectColumn(ListPausedPeer::DEL_INIT_DATE); $criteria->addSelectColumn(ListPausedPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListPausedPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListPausedPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $criteria->add( ListPausedPeer::USR_UID, $usr_uid, Criteria::EQUAL ); self::loadFilters($criteria, $filters); diff --git a/workflow/engine/classes/model/ListUnassigned.php b/workflow/engine/classes/model/ListUnassigned.php index f091480fc..32411825b 100644 --- a/workflow/engine/classes/model/ListUnassigned.php 
+++ b/workflow/engine/classes/model/ListUnassigned.php @@ -263,12 +263,6 @@ class ListUnassigned extends BaseListUnassigned $criteria->addSelectColumn(ListUnassignedPeer::DEL_DELEGATE_DATE); $criteria->addSelectColumn(ListUnassignedPeer::DEL_DUE_DATE); $criteria->addSelectColumn(ListUnassignedPeer::DEL_PRIORITY); - - $arrayTaskTypeToExclude = array("WEBENTRYEVENT", "END-MESSAGE-EVENT", "START-MESSAGE-EVENT", "INTERMEDIATE-THROW-MESSAGE-EVENT", "INTERMEDIATE-CATCH-MESSAGE-EVENT"); - - $criteria->addJoin(ListUnassignedPeer::TAS_UID, TaskPeer::TAS_UID, Criteria::LEFT_JOIN); - $criteria->add(TaskPeer::TAS_TYPE, $arrayTaskTypeToExclude, Criteria::NOT_IN); - $aConditions = array(); $aConditions[] = array(ListUnassignedPeer::UNA_UID, ListUnassignedGroupPeer::UNA_UID); $aConditions[] = array(ListUnassignedGroupPeer::USR_UID, "'" . $usr_uid . "'"); diff --git a/workflow/engine/controllers/adminProxy.php b/workflow/engine/controllers/adminProxy.php index 33a7965a9..ef89aa853 100644 --- a/workflow/engine/controllers/adminProxy.php +++ b/workflow/engine/controllers/adminProxy.php @@ -1,4 +1,4 @@ -xssFilterHard($_FILES['img']['type']); + $files_img_type = $_FILES['img']['type']; if (in_array($files_img_type, $allowedType)) { // max upload file is 500 KB diff --git a/workflow/engine/controllers/installer.php b/workflow/engine/controllers/installer.php index d1c19d0a1..76b32e2ce 100755 --- a/workflow/engine/controllers/installer.php +++ b/workflow/engine/controllers/installer.php @@ -658,6 +658,8 @@ class Installer extends Controller public function createMySQLWorkspace () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); ini_set( 'max_execution_time', '0' ); $info = new StdClass(); $info->result = false; 
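Review bot: In the adminProxy.php hunk `$files_img_type = $_FILES['img']['type']` is the MIME type declared by the browser, so `in_array($files_img_type, $allowedType)` does not establish anything about the uploaded bytes; the removed `xssFilterHard` call did not either, so the allow-list was never a content check. Determine the type from the file itself, e.g. `$info = @getimagesize($_FILES['img']['tmp_name']); $files_img_type = $info ? $info['mime'] : '';`, and pass `true` as the third argument of `in_array`. The hunk header `@@ -1,4 +1,4 @@` and the truncated `-xssFilterHard(` line suggest this rendering lost the start of the removed line; the enclosing function is outside the hunk.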
@@ -666,8 +668,11 @@ class Installer extends Controller $db_hostname = trim( $_REQUEST['db_hostname'] ); $db_port = trim( $_REQUEST['db_port'] ); + $db_port = $filter->validateInput($db_port); $db_username = trim( $_REQUEST['db_username'] ); + $db_username = $filter->validateInput($db_username); $db_password = trim( $_REQUEST['db_password'] ); + $db_password = $filter->validateInput($db_password); $wf = trim( $_REQUEST['wfDatabase'] ); $rb = trim( $_REQUEST['wfDatabase'] ); $rp = trim( $_REQUEST['wfDatabase'] ); @@ -678,9 +683,12 @@ class Installer extends Controller $pathShared = trim( $_REQUEST['pathShared'] ); $pathXmlforms = trim( $_REQUEST['pathXmlforms'] ); $adminPassword = trim( $_REQUEST['adminPassword'] ); + $adminPassword = $filter->validateInput($adminPassword); $adminUsername = trim( $_REQUEST['adminUsername'] ); + $adminUsername = $filter->validateInput($adminUsername); $deleteDB = ($_REQUEST['deleteDB'] == 'true'); $userLogged = (isset($_REQUEST['userLogged']) ? ($_REQUEST['userLogged'] == 'true') : false); + $userLogged = $filter->validateInput($userLogged); if (substr( $pathShared, - 1 ) != '/') { $pathShared .= '/'; @@ -986,6 +994,8 @@ class Installer extends Controller public function createMSSQLWorkspace () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); ini_set( 'max_execution_time', '0' ); $info = new stdClass(); @@ -993,9 +1003,13 @@ class Installer extends Controller $info->message = ''; $db_hostname = trim( $_REQUEST['db_hostname'] ); + $db_hostname = $filter->validateInput($db_hostname); $db_port = trim( $_REQUEST['db_port'] ); + $db_port = $filter->validateInput($db_port); $db_username = trim( $_REQUEST['db_username'] ); + $db_username = $filter->validateInput($db_username); $db_password = trim( $_REQUEST['db_password'] ); + $db_password = $filter->validateInput($db_password); $wf = trim( $_REQUEST['wfDatabase'] ); $rb = trim( $_REQUEST['wfDatabase'] ); $rp = trim( $_REQUEST['wfDatabase'] ); 
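Review bot: `$userLogged = $filter->validateInput($userLogged);` turns the boolean computed on the line above into a string (`"1"` or `""`) via the string sanitizer, so any later strict comparison such as `$userLogged === true` would fail; the value is already a bool and the line should be removed. `$db_port` is sanitized with the default `'string'` type here while class.net.php uses `'int'` for the same field; `$db_port = $filter->validateInput($db_port, 'int');` keeps the two consistent. As noted on the class.net.php hunk, `$db_password` and `$adminPassword` are credentials and should not go through FILTER_SANITIZE_STRING.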
@@ -1268,9 +1282,13 @@ class Installer extends Controller return $info; } $db_hostname = $_REQUEST['db_hostname']; - $db_port = $_REQUEST['db_port']; + $db_hostname = $filter->validateInput($db_hostname); + $db_port = $_REQUEST['db_port']; + $db_port = $filter->validateInput($db_port); $db_username = $_REQUEST['db_username']; + $db_username = $filter->validateInput($db_username); $db_password = $_REQUEST['db_password']; + $db_password = $filter->validateInput($db_password); $fp = @fsockopen( $db_hostname, $db_port, $errno, $errstr, 30 ); if (! $fp) { $info->message .= G::LoadTranslation('ID_CONNECTION_ERROR', SYS_LANG, Array("$errstr ($errno)")); @@ -1303,6 +1321,8 @@ class Installer extends Controller private function testMSSQLconnection () { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $info = new stdClass(); $info->result = false; $info->message = ''; @@ -1313,9 +1333,13 @@ class Installer extends Controller } $db_hostname = $_REQUEST['db_hostname']; - $db_port = $_REQUEST['db_port']; + $db_hostname = $filter->validateInput($db_hostname); + $db_port = $_REQUEST['db_port']; + $db_port = $filter->validateInput($db_port); $db_username = $_REQUEST['db_username']; + $db_username = $filter->validateInput($db_username); $db_password = $_REQUEST['db_password']; + $db_password = $filter->validateInput($db_password); $fp = @fsockopen( $db_hostname, $db_port, $errno, $errstr, 30 ); if (! $fp) { @@ -1483,6 +1507,8 @@ class Installer extends Controller public function buildParternExtras($username, $password, $workspace, $lang, $skinName) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); ini_set('max_execution_time', '0'); ini_set('memory_limit', '256M'); 
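Review bot: the four `$filter->validateInput(...)` calls in the -1268 hunk rely on a `$filter` that the hunk does not create, and the method they belong to begins above the hunk; the `$filter = new InputFilter();` added at -1303 is in the following method (`testMSSQLconnection`), so unless the method header outside this hunk already creates `$filter`, these calls fail with a member call on a non-object. Add the same two lines at the top of that method: `G::LoadSystem('inputfilter');` / `$filter = new InputFilter();`. Since `$db_port` is passed straight to `fsockopen()` as the port, a numeric check such as `ctype_digit($db_port)` would be a more meaningful validation there than the generic filter.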
@@ -1503,8 +1529,11 @@ class Installer extends Controller chmod($cookiefile, 0777); $user = urlencode($username); + $user = $filter->validateInput($user); $pass = urlencode($password); + $pass = $filter->validateInput($pass); $lang = urlencode($lang); + $lang = $filter->validateInput($lang); $ch = curl_init(); @@ -1622,9 +1651,13 @@ class Installer extends Controller $namePlugin = $dataPlugin['filename']; if ($value != 'enterprise') { $db_hostname = trim( $_REQUEST['db_hostname'] ); + $db_hostname = $filter->validateInput($db_hostname); $db_port = trim( $_REQUEST['db_port'] ); + $db_port = $filter->validateInput($db_port); $db_username = trim( $_REQUEST['db_username'] ); + $db_username = $filter->validateInput($db_username); $db_password = trim( $_REQUEST['db_password'] ); + $db_password = $filter->validateInput($db_password); $wf = trim( $_REQUEST['wfDatabase'] ); $db_host = ($db_port != '' && $db_port != 3306) ? $db_hostname . ':' . $db_port : $db_hostname; diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php index 147d3d131..12d67de42 100755 --- a/workflow/engine/controllers/pmTablesProxy.php +++ b/workflow/engine/controllers/pmTablesProxy.php @@ -666,9 +666,12 @@ class pmTablesProxy extends HttpProxyController public function importCSV ($httpData) { G::LoadClass('pmFunctions'); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $countRow = 250; if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) { $filename = $_FILES['form']['name']['CSV_FILE']; + $filename = $filter->xssFilterHard($filename, 'path'); if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) { require_once 'classes/model/AdditionalTables.php'; $oAdditionalTables = new AdditionalTables(); 
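Review bot: `$user = $filter->validateInput($user);` and the `$pass`/`$lang` lines that follow filter values `urlencode()` has already percent-encoded, so the filter inspects encoded text instead of the supplied string; if it touches `%` or `+` it corrupts the encoding, and if it does not, the line does nothing. Filter the raw argument and encode last: `$user = urlencode($filter->validateInput($username));`, and likewise for `$pass` and `$lang`. buildParternExtras continues outside the hunk.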
@@ -762,8 +765,11 @@ class pmTablesProxy extends HttpProxyController */ public function importCSVDeprecated ($httpData) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) { $filename = $_FILES['form']['name']['CSV_FILE']; + $filename = $filter->xssFilterHard($filename, 'path'); if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) { require_once 'classes/model/AdditionalTables.php'; $oAdditionalTables = new AdditionalTables(); diff --git a/workflow/engine/menus/cases.php b/workflow/engine/menus/cases.php index 2a22e0e1b..4445714e4 100755 --- a/workflow/engine/menus/cases.php +++ b/workflow/engine/menus/cases.php @@ -30,7 +30,10 @@ $G_TMP_MENU->AddIdRawOption('CASES_START_CASE', 'casesStartPage?action=startCase G::LoadTranslation('ID_NEW_CASE'), ''); /*----------------------------------********---------------------------------*/ -$G_TMP_MENU->AddIdRawOption('CASE_CONSOLIDATED_1', 'casesConsolidatedListExtJs?action=consolidated', 'Batch Routing', ''); +$licensedFeatures = & PMLicensedFeatures::getSingleton(); +if ($licensedFeatures->verifyfeature('7TTeDBQeWRoZTZKYjh4eFpYUlRDUUEyVERPU3FxellWank=')) { + $G_TMP_MENU->AddIdRawOption('CONSOLIDATED_CASES', 'casesConsolidatedListExtJs?action=consolidated', 'Batch Routing', ''); +} /*----------------------------------********---------------------------------*/ $G_TMP_MENU->AddIdRawOption('CASES_INBOX', 'casesListExtJs?action=todo', G::LoadTranslation('ID_INBOX'), diff --git a/workflow/engine/methods/cases/casesStreamingFile.php b/workflow/engine/methods/cases/casesStreamingFile.php index fdc5c1ffb..66dc2bc17 100644 --- a/workflow/engine/methods/cases/casesStreamingFile.php +++ b/workflow/engine/methods/cases/casesStreamingFile.php 
@@ -54,6 +54,9 @@ exit; function rangeDownload($location,$mimeType) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $location = $filter->xssFilterHard($location, "path"); if (!file_exists($location)) { header ("HTTP/1.0 404 Not Found"); diff --git a/workflow/engine/methods/cases/cases_Step.php b/workflow/engine/methods/cases/cases_Step.php index 3b0e14ba9..df4224e1e 100755 --- a/workflow/engine/methods/cases/cases_Step.php +++ b/workflow/engine/methods/cases/cases_Step.php @@ -518,16 +518,22 @@ try { $util = new Java( "com.processmaker.util.pmutils" ); $util->setInputPath( $javaInput ); $util->setOutputPath( $javaOutput ); + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); //$content = file_get_contents ( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml' ); //$iSize = file_put_contents ( $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml', $content ); - copy( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml', $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml' ); + $locationFrom = PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.jrxml'; + $locationFrom = $filter->validateInput($locationFrom, "path"); + copy( $locationFrom, $javaInput . $aOD['OUT_DOC_UID'] . '.jrxml' ); $outputFile = $javaOutput . $sFilename . '.pdf'; print $util->jrxml2pdf( $aOD['OUT_DOC_UID'] . '.jrxml', basename( $outputFile ) ); //$content = file_get_contents ( $outputFile ); //$iSize = file_put_contents ( $pathOutput . $sFilename . '.pdf' , $content ); + $outputFile = $filter->validateInput($outputFile, "path"); copy( $outputFile, $pathOutput . $sFilename . '.pdf' ); //die; break; 
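Review bot: `$location = $filter->xssFilterHard($location, "path");` applies an output-encoding filter to a filesystem path right before `file_exists()`; XSS filtering does not confine the path, so a `$location` with `..` segments or an absolute path outside the intended directory is still accepted unless the caller restricts it. Resolve the path and check its prefix instead, e.g. `$real = realpath($location); if ($real === false || strpos($real, $allowedBaseDir) !== 0) { header("HTTP/1.0 404 Not Found"); exit; }` where `$allowedBaseDir` is a placeholder for the directory this download is meant to serve from. The same pattern appears in users_ViewPhoto.php (`DumpHeaders`, filtered `$filename` passed to `readfile()`) and in both cases_Step.php hunks, where `validateInput(..., "path")` runs on paths already assembled from `PATH_DYNAFORM` and `$aOD` values. rangeDownload continues outside the hunk.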
@@ -547,13 +553,20 @@ try { $util = new Java( "com.processmaker.util.pmutils" ); $util->setInputPath( $javaInput ); $util->setOutputPath( $javaOutput ); - - copy( PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.pdf', $javaInput . $aOD['OUT_DOC_UID'] . '.pdf' ); + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + + $locationFrom = PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.pdf'; + $locationFrom = $filter->validateInput($locationFrom, "path"); + copy( $locationFrom, $javaInput . $aOD['OUT_DOC_UID'] . '.pdf' ); $outputFile = $javaOutput . $sFilename . '.pdf'; print $util->writeVarsToAcroFields( $aOD['OUT_DOC_UID'] . '.pdf', $xmlData ); - - copy( $javaOutput . $aOD['OUT_DOC_UID'] . '.pdf', $pathOutput . $sFilename . '.pdf' ); + + $locationFrom = $javaOutput . $aOD['OUT_DOC_UID'] . '.pdf'; + $locationFrom = $filter->validateInput($locationFrom, "path"); + copy( $locationFrom, $pathOutput . $sFilename . '.pdf' ); break; default: diff --git a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php index af692fa04..0014b64f9 100755 --- a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php +++ b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php @@ -33,6 +33,8 @@ G::LoadClass( 'dynaFormField' ); G::LoadClass( 'process' ); G::LoadClass( 'dynaform' ); //G::LoadClass('configuration'); +G::LoadSystem('inputfilter'); +$filter = new InputFilter(); $G_MAIN_MENU = 'processmaker'; 
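Review bot: in both cases_Step.php hunks the filter is applied to complete paths (`PATH_DYNAFORM . $aOD['PRO_UID'] . PATH_SEP . $aOD['OUT_DOC_UID'] . '.pdf'`) after they are built, while the destination `$pathOutput . $sFilename . '.pdf'` on the same `copy()` line is left as is; if `validateInput()` ever rewrites a character in the source path, `copy()` simply fails to find the file that the Java step just wrote. Filtering the components where they are loaded (`$aOD['PRO_UID']`, `$aOD['OUT_DOC_UID']`, `$sFilename`, all assigned outside the hunk) keeps source and destination consistent and lets the path construction stay a plain concatenation of a constant and validated ids. The enclosing `try` block and switch arm begin outside the hunk.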
@@ -73,9 +75,10 @@ if (! file_exists( PATH_DYNAFORM . $file . '.xml' )) { /* End Comment */ /* Start Comment: Create and temporal copy. */ - $copy = implode( '', file( PATH_DYNAFORM . $file . '.xml' ) ); +$pathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', 'path'); +$copy = implode( '', file( $pathFile ) ); $file .= '_tmp0'; -$fcopy = fopen( PATH_DYNAFORM . $file . '.xml', "w" ); +$fcopy = fopen( $pathFile , "w" ); fwrite( $fcopy, $copy ); fclose( $fcopy ); /* End Comment */ diff --git a/workflow/engine/methods/dynaforms/dynaforms_Save_as.php b/workflow/engine/methods/dynaforms/dynaforms_Save_as.php index 50954023e..89625d5b2 100755 --- a/workflow/engine/methods/dynaforms/dynaforms_Save_as.php +++ b/workflow/engine/methods/dynaforms/dynaforms_Save_as.php @@ -36,6 +36,8 @@ if (! class_exists( "FieldCondition" )) { try { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $frm = $_POST['form']; $PRO_UID = $frm['PRO_UID']; $DYN_UID = $frm['DYN_UID']; @@ -62,6 +64,7 @@ try { $hd = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.xml', "r" ); $hd1 = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $dynUid . '.xml', "w" ); $templateFilename = PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.html'; + $templateFilename = $filter->xssFilterHard($templateFilename, 'path'); // also make a copy of the template file in case that the html edition is enabled if (file_exists( $templateFilename )) { diff --git a/workflow/engine/methods/setup/languages_Import.php b/workflow/engine/methods/setup/languages_Import.php index b79c233ae..1ea43988a 100755 --- a/workflow/engine/methods/setup/languages_Import.php +++ b/workflow/engine/methods/setup/languages_Import.php 
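Review bot: `$fcopy = fopen( $pathFile , "w" );` reopens the path computed before `$file .= '_tmp0';`, so the new code truncates and rewrites the original `.xml` with its own contents instead of creating the `_tmp0` copy the removed line wrote — the temporary copy never exists and whatever later reads it will fail. Recompute the path after the suffix is added: `$file .= '_tmp0';` / `$pathTmp = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', 'path');` / `$fcopy = fopen( $pathTmp, "w" );`. If `$file` originates from the request (its assignment is outside the hunk), note that the `'path'` filter does not keep it under `PATH_DYNAFORM`; a `realpath()` prefix check would.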
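Review bot: in dynaforms_Save_as.php, `$templateFilename = $filter->xssFilterHard($templateFilename, 'path');` filters one derived path while the two `fopen()` calls immediately above build their paths from the same `$PRO_UID`, `$DYN_UID` and `$dynUid` unfiltered, and `$PRO_UID`/`$DYN_UID` come from `$_POST['form']` in the -36 hunk. Filtering at the source is simpler and consistent: `$PRO_UID = $filter->validateInput($frm['PRO_UID']);` and `$DYN_UID = $filter->validateInput($frm['DYN_UID']);` where they are assigned, then the per-path line can go. As elsewhere in this commit, an XSS filter does not prevent traversal; confirming the resolved path stays under `PATH_DYNAFORM` does. The enclosing `try` block continues outside the hunk.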
@@ -56,10 +56,12 @@ try { $sMaxExecutionTime = ini_get( 'max_execution_time' ); ini_set( 'max_execution_time', '0' ); G::LoadClass( 'configuration' ); + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME']; $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME']; - + $languageFilename = $filter->xssFilterHard($languageFilename, 'path'); if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) { $zp = gzopen( $languageFile, "r" ); $languageFile = tempnam( __FILE__, '' ); diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php index 8339d0528..b6578b3e3 100755 --- a/workflow/engine/methods/setup/skin_Ajax.php +++ b/workflow/engine/methods/setup/skin_Ajax.php @@ -320,6 +320,8 @@ function importSkin () function exportSkin ($skinToExport = "") { try { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); if (! isset( $_REQUEST['SKIN_FOLDER_ID'] )) { throw (new Exception( G::LoadTranslation( 'ID_SKIN_NAME_REQUIRED' ) )); } @@ -329,6 +331,7 @@ function exportSkin ($skinToExport = "") $skinFolderBase = PATH_CUSTOM_SKINS . $skinName; $skinFolder = $skinFolderBase . PATH_SEP; $skinTar = PATH_CUSTOM_SKINS . $skinName . '.tar'; + $skinTar = $filter->xssFilterHard($skinTar, 'path'); if (! is_dir( $skinFolder )) { throw (new Exception( G::LoadTranslation( 'ID_SKIN_DOESNT_EXIST' ) )); } diff --git a/workflow/engine/methods/users/users_ViewPhoto.php b/workflow/engine/methods/users/users_ViewPhoto.php index b4fc4cc66..2f2ffd03b 100755 --- a/workflow/engine/methods/users/users_ViewPhoto.php +++ b/workflow/engine/methods/users/users_ViewPhoto.php @@ -91,6 +91,9 @@ function DumpHeaders ($filename) } //$filename = PATH_UPLOAD . "$filename"; + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $filename = $filter->xssFilterHard($filename, 'path'); readfile( $filename ); } 
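Review bot: in skin_Ajax.php, `$skinTar = $filter->xssFilterHard($skinTar, 'path');` filters only the tar path, while `$skinFolderBase` and `$skinFolder` two lines above are derived from the same `$skinName` and are what `is_dir()` and, presumably, the export code below operate on; filtering one derivative leaves the others unchanged. Validate `$skinName` once where it is assigned (above the hunk) and derive all three paths from the validated value — for a directory name an allow-list is the clearest rule, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $skinName)) { throw (new Exception( G::LoadTranslation( 'ID_SKIN_DOESNT_EXIST' ) )); }`. exportSkin continues outside the hunk.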
diff --git a/workflow/engine/skinEngine/neoclassic/css/pmos-xtheme-gray.css b/workflow/engine/skinEngine/neoclassic/css/pmos-xtheme-gray.css index 6dcbbd266..2f58ea405 100644 --- a/workflow/engine/skinEngine/neoclassic/css/pmos-xtheme-gray.css +++ b/workflow/engine/skinEngine/neoclassic/css/pmos-xtheme-gray.css @@ -438,12 +438,12 @@ button.x-btn-text:focus, background-image: url(/skins/neoclassic/images/icons_silk/sprites.png) !important; background-position: 0 -8497px !important; } -.ICON_CONSOLIDATED_CASES { +.ICON_CONSOLIDATED_CASES{ /*ss_consolidated_cases*/ - - background-image: url(/skins/neoclassic/images/icons_silk/sprites.png) !important; - background-position: 0 -18500px !important; + background-image:url(/images/icons_silk/sprites.png) !important; + background-position:0 -18500px !important } + .ICON_CASES_DELETE { background-image: url(/skins/neoclassic/images/delete-16x16.gif) !important; } diff --git a/workflow/engine/skinEngine/skinEngine.php b/workflow/engine/skinEngine/skinEngine.php index 41e655874..e910c0137 100755 --- a/workflow/engine/skinEngine/skinEngine.php +++ b/workflow/engine/skinEngine/skinEngine.php @@ -392,7 +392,7 @@ class SkinEngine if (file_exists($fileFooter)) { $footer .= file_get_contents($fileFooter); } else { - $footer .= "
Copyright © 2003-" . date('Y') . " Colosa, Inc. All rights reserved.
$freeOfChargeText " . "

"; + $footer .= "
Copyright © 2000-" . date('Y') . " ProcessMaker Inc. All rights reserved.
$freeOfChargeText " . "

"; } } } @@ -505,7 +505,7 @@ class SkinEngine if (file_exists($fileFooter)) { $footer .= file_get_contents($fileFooter); } else { - $footer .= "
Copyright © 2003-" . date('Y') . " Colosa, Inc. All rights reserved.
$freeOfChargeText " . "

"; + $footer .= "
Copyright © 2000-" . date('Y') . " ProcessMaker Inc. All rights reserved.
$freeOfChargeText " . "

"; } } } @@ -713,7 +713,7 @@ class SkinEngine if (file_exists($fileFooter)) { $footer .= file_get_contents($fileFooter); } else { - $footer .= "
Copyright © 2003-" . date('Y') . " Colosa, Inc. All rights reserved.
$freeOfChargeText " . "

"; + $footer .= "
Copyright © 2000-" . date('Y') . " ProcessMaker Inc. All rights reserved.
$freeOfChargeText " . "

"; } } } diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Light.php b/workflow/engine/src/ProcessMaker/Services/Api/Light.php index ea3b3382a..da841a043 100644 --- a/workflow/engine/src/ProcessMaker/Services/Api/Light.php +++ b/workflow/engine/src/ProcessMaker/Services/Api/Light.php @@ -26,14 +26,34 @@ class Light extends Api public function countersCases () { try { - $oMobile = new \ProcessMaker\BusinessModel\Light(); - $counterCase = $oMobile->getCounterCase($this->getUserId()); + $userId = $this->getUserId(); + $lists = new \ProcessMaker\BusinessModel\Lists(); + $response = $lists->getCounters($userId); + $result = $this->parserCountersCases($response); } catch (\Exception $e) { throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); } - return $counterCase; + return $result; } + public function parserCountersCases ($data) + { + $structure = array( + "CASES_INBOX" => "toDo", + "CASES_DRAFT" => "draft", + "CASES_CANCELLED" => "cancelled", + "CASES_SENT" => "participated", + "CASES_PAUSED" => "paused", + "CASES_COMPLETED" => "completed", + "CASES_SELFSERVICE" => "unassigned", + ); + $response = array(); + foreach ($data as $counterList) { + $name = $structure[$counterList['item']]; + $response[$name] = $counterList['count']; + } + return $response; + } /** * Get list process start * @return array diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Project/Activity.php b/workflow/engine/src/ProcessMaker/Services/Api/Project/Activity.php index 9c305f568..bef609a7f 100644 --- a/workflow/engine/src/ProcessMaker/Services/Api/Project/Activity.php +++ b/workflow/engine/src/ProcessMaker/Services/Api/Project/Activity.php @@ -60,7 +60,7 @@ class Activity extends Api } } -/*----------------------------------********---------------------------------*/ + /** * @param string $pro_uid {@min 32} {@max 32} * @param string $tas_uid {@min 32} {@max 32} 
@@ -76,6 +76,7 @@ class Activity extends Api { try { $configurations = array(); + /*----------------------------------********---------------------------------*/ /*** starts retrieval of action by emails configuration ***/ if (\PMLicensedFeatures ::getSingleton() @@ -90,12 +91,13 @@ class Activity extends Api $configurations[] = $actionsByEmailService->loadConfiguration($params); } /*** end retrieval of action by emails configuration ***/ + /*----------------------------------********---------------------------------*/ return $configurations; } catch (\Exception $e) { throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()); } } -/*----------------------------------********---------------------------------*/ + /** * @param string $prj_uid {@min 32} {@max 32} diff --git a/workflow/engine/templates/cases/casesDocuments.js b/workflow/engine/templates/cases/casesDocuments.js index 481fffbbd..dd83f42d0 100755 --- a/workflow/engine/templates/cases/casesDocuments.js +++ b/workflow/engine/templates/cases/casesDocuments.js @@ -454,7 +454,7 @@ function openActionDialog(caller, action, dataAux) var urlDownload = ext_itemgrid.getSelectionModel().getSelected().get("downloadLink"); if (selectedRows.length == 1) { - Ext.Ajax.request({ + Ext.Ajax.request({ url : 'ajaxListener' , params : {action : 'verifySession'}, success: function ( result, request ) { @@ -517,11 +517,11 @@ function openActionDialog(caller, action, dataAux) } /* - * if(document.location = - * ext_itemgrid.getSelectionModel().getSelected().get('downloadLink')){ - * messageText="Downloading file "+fileName; statusBarMessage( - * messageText, false, true ); }else{ alert("sadasd"); } - */ + * if(document.location = + * ext_itemgrid.getSelectionModel().getSelected().get('downloadLink')){ + * messageText="Downloading file "+fileName; statusBarMessage( + * messageText, false, true ); }else{ alert("sadasd"); } + */ break; //case 'rename':node.select(); case 'rename': 
@@ -766,8 +766,8 @@ function selectFile( dir, file ) { } /** - * Debug Function, that works like print_r for Objects in Javascript - */ + * Debug Function, that works like print_r for Objects in Javascript + */ function var_dump(obj) { var vartext = ""; for (var prop in obj) { @@ -878,7 +878,7 @@ datastore.on("beforeload", options.params.option = "gridDocuments"; options.params.sendWhat = datastore.sendWhat; if (options.params.dir == "ASC" || options.params.dir == "DESC") { - options.params.action = "sort"; + options.params.action = "sort"; options.params.node = ds.directory; } else { if (ds.sortInfo) { @@ -1111,15 +1111,15 @@ var gridtb = new Ext.Toolbar( disabled : false, handler : function() { /* - * Ext.ux.OnDemandLoad - * .load("/scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.css"); - * Ext.ux.OnDemandLoad - * .load("/scripts/extjs3-ext/ux.swfupload/SwfUpload.js"); - * Ext.ux.OnDemandLoad .load( - * "/scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.js", - * function(options) { openActionDialog(this, "upload", ""); - * }); - */ + * Ext.ux.OnDemandLoad + * .load("/scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.css"); + * Ext.ux.OnDemandLoad + * .load("/scripts/extjs3-ext/ux.swfupload/SwfUpload.js"); + * Ext.ux.OnDemandLoad .load( + * "/scripts/extjs3-ext/ux.swfupload/SwfUploadPanel.js", + * function(options) { openActionDialog(this, "upload", ""); + * }); + */ openActionDialog(this, "uploadDocument", ""); } }, @@ -1467,7 +1467,7 @@ gridCtxMenu = new Ext.menu.Menu({ items : [ { id : 'gc_rename', iconCls: 'button_menu_ext ss_sprite ss_textfield_rename',// icon : - hidden : true, // '/images/documents/_fonts.png', + hidden : true, // '/images/documents/_fonts.png', text : TRANSLATIONS.ID_RENAME, handler : function() { ext_itemgrid.onCellDblClick(ext_itemgrid, gsm.clickedRow, 0); 
@@ -1597,6 +1597,12 @@ function copymove(action) { // alert('Move ' + dropEvent.data.node.id.replace( /_RRR_/g, '/' )+' to // '+ dropEvent.target.id.replace( /_RRR_/g, '/' )); requestParams = getRequestParams(); + if (!((navigator.userAgent.indexOf("MSIE") != -1) || (navigator.userAgent.indexOf("Trident") != -1))) { + Ext.getCmp("dirTreePanel").getRootNode().reload(); + document.getElementById('ext-gen20').style.visibility='hidden'; + document.getElementsByClassName('x-shadow')[0].style.visibility='hidden'; + parent.frames[0].location.href="casesStartPage?action=documents"; + } requestParams.copyMove = 'all'; //requestParams.dir = datastore.directory.substring(0, // datastore.directory.lastIndexOf('/')); @@ -1749,18 +1755,7 @@ var loader = new Ext.tree.TreeLoader({ } }); -var documentsTab = { - id : 'documents', - // title : 'Documents', - iconCls : 'ICON_FOLDERS', - layout : 'border', - region: 'center', - defaults : { - split : true - }, - items : [ - { - xtype : "treepanel", +var treepanelmain = new Ext.tree.TreePanel({ id : "dirTreePanel", region : "west", title : TRANSLATIONS.ID_DIRECTORY, @@ -1836,11 +1831,22 @@ var documentsTab = { return true; } }, + 'beforenodedrop' : { + fn : function(e) { + if (!((navigator.userAgent.indexOf("MSIE") != -1) || (navigator.userAgent.indexOf("Trident") != -1))) { + dropEvent = e; + copymoveCtx(e); + datastore.reload(); + } + } + }, 'nodedrop' : { - fn : function(e) { - dropEvent = e; - copymoveCtx(e); - datastore.reload(); + fn : function(e) { + if ((navigator.userAgent.indexOf("MSIE") != -1) || (navigator.userAgent.indexOf("Trident") != -1)) { + dropEvent = e; + copymoveCtx(e); + datastore.reload(); + } } }, 'beforemove' : { @@ -1851,7 +1857,18 @@ var documentsTab = { }, root: rootNodeCreate() +}); + +var documentsTab = { + id : 'documents', + // title : 'Documents', + iconCls : 'ICON_FOLDERS', + layout : 'border', + region: 'center', + defaults : { + split : true }, + items : [ { layout : "border", region : "center", 
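Review bot: the new block in `copymove()` dereferences `document.getElementById('ext-gen20')` and `document.getElementsByClassName('x-shadow')[0]` without null checks; `ext-gen20` is an Ext auto-generated id that shifts with component creation order, and `[0]` is `undefined` when no shadow element exists, so either line can throw a TypeError and abort the copy/move before `requestParams.copyMove = 'all'` runs. Guard both, e.g. `var shadow = document.getElementsByClassName('x-shadow')[0]; if (shadow) { shadow.style.visibility = 'hidden'; }`, and reach the panel through its Ext component (`Ext.getCmp(...)`) rather than a generated DOM id. The same user-agent test (`MSIE`/`Trident`) is repeated here and in the `beforenodedrop`/`nodedrop` handlers of the -1836 hunk; a single `var isIE = ...` computed once would keep the three branches in sync. copymove continues outside the hunk.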
@@ -1975,9 +1992,9 @@ var documentsTab = { .get('is_file')) { // console.log(datastore.directory); chDir(/* - * datastore.directory + - * "/"+ - */selections[0] + * datastore.directory + + * "/"+ + */selections[0] .get('id')); } else if (selections[0] .get('is_editable')) { @@ -2019,13 +2036,13 @@ var documentsTab = { // alert(Ext.getCmp("locationbarcmp")); // Ext.getCmp("documents"). /* - * if(typeof(sw_afterlayout)!="undefined"){ - * //console.log("starting locatiobar"); - * Ext.getCmp("locationbarcmp").tree = - * Ext.getCmp("dirTreePanel"); - * Ext.getCmp("locationbarcmp").initComponent(); - * //console.log("location abr started"); return; } - */ + * if(typeof(sw_afterlayout)!="undefined"){ + * //console.log("starting locatiobar"); + * Ext.getCmp("locationbarcmp").tree = + * Ext.getCmp("dirTreePanel"); + * Ext.getCmp("locationbarcmp").initComponent(); + * //console.log("location abr started"); return; } + */ // console.log(typeof(sw_afterlayout)); sw_afterlayout=true; @@ -2040,12 +2057,12 @@ var documentsTab = { // console.log("dirtree created"); /* - * dirTree.loader.on('load', function(loader, o, - * response ) { if( response && response.responseText ) { - * var json = Ext.decode( response.responseText ); if( - * json && json.error ) { Ext.Msg.alert('Error', - * json.error +'onLoad'); } } }); - */ + * dirTree.loader.on('load', function(loader, o, + * response ) { if( response && response.responseText ) { + * var json = Ext.decode( response.responseText ); if( + * json && json.error ) { Ext.Msg.alert('Error', + * json.error +'onLoad'); } } }); + */ var tsm = dirTree.getSelectionModel(); // console.log("tried to gtet selection model"); @@ -2091,7 +2108,7 @@ Ext.onReady(function() { var viewport = new Ext.Viewport({ layout : 'border', - items : [ + items : [treepanelmain, documentsTab ] }); diff --git a/workflow/engine/templates/oauth2/register.php b/workflow/engine/templates/oauth2/register.php index c1cbd824b..998c7d6ce 100644 
--- a/workflow/engine/templates/oauth2/register.php +++ b/workflow/engine/templates/oauth2/register.php @@ -48,7 +48,7 @@ - +
Your application's publicly accessible home page, where users can go to download, make use of, or find out more information about your application. This fully-qualified URL is used in the source attribution for request created by your application and will be shown in user-facing authorization screens. (If you don't have a URL yet, just put a placeholder here but remember to change it later.) @@ -58,7 +58,7 @@ - +
here should we return after successfully authenticating? For @Anywhere applications, only the domain specified in the callback will be used. OAuth 1.0a applications should explicitly specify their oauth_callback URL on the request token step, regardless of the value given here. To restrict your application from using callbacks, leave this field blank. diff --git a/workflow/public_html/images/PowerdbyProcessMaker.png b/workflow/public_html/images/PowerdbyProcessMaker.png index d4f356d2b..02372534c 100755 Binary files a/workflow/public_html/images/PowerdbyProcessMaker.png and b/workflow/public_html/images/PowerdbyProcessMaker.png differ diff --git a/workflow/public_html/images/favicon.ico b/workflow/public_html/images/favicon.ico index bc0b311cd..fe367787c 100755 Binary files a/workflow/public_html/images/favicon.ico and b/workflow/public_html/images/favicon.ico differ diff --git a/workflow/public_html/images/faviconpm.png b/workflow/public_html/images/faviconpm.png index 7e77a48e4..dde6d671b 100755 Binary files a/workflow/public_html/images/faviconpm.png and b/workflow/public_html/images/faviconpm.png differ diff --git a/workflow/public_html/images/get_started.png b/workflow/public_html/images/get_started.png index 75fc396d3..0640226d7 100755 Binary files a/workflow/public_html/images/get_started.png and b/workflow/public_html/images/get_started.png differ diff --git a/workflow/public_html/images/icon-pmlogo-15x15.png b/workflow/public_html/images/icon-pmlogo-15x15.png index 10ebba29e..8df65f8c4 100755 Binary files a/workflow/public_html/images/icon-pmlogo-15x15.png and b/workflow/public_html/images/icon-pmlogo-15x15.png differ diff --git a/workflow/public_html/images/icon-pmlogo.png b/workflow/public_html/images/icon-pmlogo.png index 3576c24cd..6f084ab08 100755 Binary files a/workflow/public_html/images/icon-pmlogo.png and b/workflow/public_html/images/icon-pmlogo.png differ 
diff --git a/workflow/public_html/images/pm.gif b/workflow/public_html/images/pm.gif index ae7864adf..d2735ed21 100755 Binary files a/workflow/public_html/images/pm.gif and b/workflow/public_html/images/pm.gif differ diff --git a/workflow/public_html/images/processmaker.logo.jpg b/workflow/public_html/images/processmaker.logo.jpg index e8b1265be..e3a200330 100755 Binary files a/workflow/public_html/images/processmaker.logo.jpg and b/workflow/public_html/images/processmaker.logo.jpg differ diff --git a/workflow/public_html/skins/neoclassic/images/icon-pmlogo-15x15.png b/workflow/public_html/skins/neoclassic/images/icon-pmlogo-15x15.png index 2f9ce0653..8df65f8c4 100644 Binary files a/workflow/public_html/skins/neoclassic/images/icon-pmlogo-15x15.png and b/workflow/public_html/skins/neoclassic/images/icon-pmlogo-15x15.png differ