Merged in release/3.2 (pull request #5414)

Release/3.2 Approved-by: Paula Quispe
2017-02-13 19:33:00 +00:00
parent 45a67da61e dcd576f365
commit 8a3044ce53
17 changed files with 274 additions and 101 deletions
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -5230,7 +5230,7 @@ class Cases
                $dataLastEmail['configuration'] = $aConfiguration;
                $dataLastEmail['subject'] = $sSubject;
                $dataLastEmail['pathEmail'] = $pathEmail;
-                $dataLastEmail['swtplDeafault'] = $swtplDefault;
+                $dataLastEmail['swtplDefault'] = $swtplDefault;
                $dataLastEmail['body'] = $sBody;
                $dataLastEmail['from'] = $from;
                break;
@@ -5298,7 +5298,7 @@ class Cases
                $dataLastEmail['configuration'] = $aConfiguration;
                $dataLastEmail['subject'] = $sSubject;
                $dataLastEmail['pathEmail'] = $pathEmail;
-                $dataLastEmail['swtplDeafault'] = $swtplDefault;
+                $dataLastEmail['swtplDefault'] = $swtplDefault;
                $dataLastEmail['body'] = $sBody;
                $dataLastEmail['from'] = $from;
                break;
--- a/workflow/engine/classes/class.derivation.php
+++ b/workflow/engine/classes/class.derivation.php
@@ -1211,6 +1211,19 @@ class Derivation
                                $this->case->closeAppThread( $currentDelegation['APP_UID'], $iAppThreadIndex );
                                break;
                            default:
+                                if ($nextDel['ROU_PREVIOUS_TYPE'] == 'SEC-JOIN') {
+                                    $criteria = new Criteria('workflow');
+                                    $criteria->clearSelectColumns();
+                                    $criteria->addSelectColumn(AppThreadPeer::APP_THREAD_PARENT);
+                                    $criteria->add(AppThreadPeer::APP_UID, $appFields['APP_UID']);
+                                    $criteria->add(AppThreadPeer::APP_THREAD_STATUS, 'OPEN');
+                                    $criteria->add(AppThreadPeer::APP_THREAD_INDEX, $iAppThreadIndex);
+                                    $rsCriteria = AppThreadPeer::doSelectRS($criteria);
+                                    $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+                                    if ($rsCriteria->next()) {
+                                        $this->case->closeAppThread($currentDelegation['APP_UID'], $iAppThreadIndex);
+                                    }
+                                }
                                if ($currentDelegation['TAS_ASSIGN_TYPE'] == 'STATIC_MI' || $currentDelegation['TAS_ASSIGN_TYPE'] == 'CANCEL_MI') {
                                    $this->case->closeAppThread( $currentDelegation['APP_UID'], $iAppThreadIndex );
                                }
--- a/workflow/engine/classes/class.system.php
+++ b/workflow/engine/classes/class.system.php
@@ -78,7 +78,8 @@ class System
        'leave_case_warning' => 0,
        'server_hostname_requests_frontend' => '',
        'load_headers_ie' => 0,
-        'redirect_to_mobile' => 0
+        'redirect_to_mobile' => 0,
+        'disable_php_upload_execution' => 0
    );

    /**
--- a/workflow/engine/content/translations/english/processmaker.en.po
+++ b/workflow/engine/content/translations/english/processmaker.en.po
@@ -27419,6 +27419,18 @@ msgstr "External Registration"
 msgid "Filter By"
 msgstr "Filter By"

+# TRANSLATION
+# LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+#: LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+msgid "The upload of PHP files was disabled please contact the system administrator."
+msgstr "The upload of PHP files was disabled please contact the system administrator."
+
+# TRANSLATION
+# LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+#: LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+msgid "The PHP files execution was disabled please contact the system administrator."
+msgstr "The PHP files execution was disabled please contact the system administrator."
+
 # TRANSLATION
 # LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
 #: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
--- a/workflow/engine/methods/appFolder/appFolderAjax.php
+++ b/workflow/engine/methods/appFolder/appFolderAjax.php
@@ -1534,6 +1534,18 @@ function uploadExternalDocument()

        //Read. Instance Document classes
        if (!empty($quequeUpload)) {
+            foreach ($quequeUpload as $key => $fileObj) {
+                $extension = pathinfo($fileObj['fileName'], PATHINFO_EXTENSION);
+                if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extension === 'php') {
+                    $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+                    \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileObj['fileName']);
+                    $response['error'] = $message;
+                    $response['message'] = $message;
+                    $response['success'] = false;
+                    print_r(G::json_encode($response));
+                    exit();
+                }
+            }
            $docUid=$_POST['docUid'];
            $appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:"";
            $docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:"";
--- a/workflow/engine/methods/cases/proxyNewCasesList.php
+++ b/workflow/engine/methods/cases/proxyNewCasesList.php
@@ -10,9 +10,6 @@ if (!isset($_SESSION['USER_LOGGED'])) {

 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
-$_GET = $filter->xssFilterHard($_GET);
-$_REQUEST = $filter->xssFilterHard($_REQUEST);
-$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);

 try {
    $userUid = $_SESSION['USER_LOGGED'];
@@ -195,8 +192,6 @@ try {
    $response['filters']        = $filtersData;
    $response['totalCount']     = $list->countTotal($userUid, $filtersData);

-    $response = $filter->xssFilterHard($response);
-
    $response['data'] = \ProcessMaker\Util\DateTime::convertUtcToTimeZone($result);

    echo G::json_encode($response);
--- a/workflow/engine/methods/setup/pluginsChange.php
+++ b/workflow/engine/methods/setup/pluginsChange.php
@@ -92,16 +92,12 @@ if ($handle = opendir( PATH_PLUGINS )) {
    /**
     * Calls PMExtensionClass Builder to include Plugins changes.
     */
-    $config = Bootstrap::getSystemConfiguration();
-
-    if (!empty($config['experimental_features'])) {
-        $phpBuilder = new ProcessMakerPhpBuilderHelper();
-        $phpBuilder->enabledExtensions = $oPluginRegistry->getEnabledPlugins();
-        if (!empty($phpBuilder->enabledExtensions)) {
-            $phpBuilder->extension = true;
-        }
-        $phpBuilder->buildAll();
+    $phpBuilder = new ProcessMakerPhpBuilderHelper();
+    $phpBuilder->enabledExtensions = $oPluginRegistry->getEnabledPlugins();
+    if (!empty($phpBuilder->enabledExtensions)) {
+        $phpBuilder->extension = true;
    }
+    $phpBuilder->buildAll();
 }

  //$oPluginRegistry->showArrays();
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
@@ -971,6 +971,16 @@ class InputDocument
                        $aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName);
                    }

+                    $sExtension = pathinfo($aFields["APP_DOC_FILENAME"]);
+                    if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $sExtension["extension"] === 'php') {
+                        $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+                        \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $sFileName);
+                        \G::SendMessageText($message, "ERROR");
+                        $backUrlObj = explode("sys" . SYS_SYS, $_SERVER['HTTP_REFERER']);
+                        \G::header("location: " . "/sys" . SYS_SYS . $backUrlObj[1]);
+                        die();
+                    }
+
                    $oAppDocument = new \AppDocument();
                    $oAppDocument->create($aFields);

--- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
@@ -187,6 +187,11 @@ class FilesManager
                    if ($extention == '.exe') {
                        throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION'));
                    }
+                    if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extention === '.php') {
+                        $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+                        \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $aData['prf_filename']);
+                        throw new \Exception($message);
+                    }
                    break;
                default:
                    $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename'];
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
@@ -902,6 +902,16 @@ class Light
        $response = array();
        if (is_array($request_data)) {
            foreach ($request_data as $k => $file) {
+                $ext = pathinfo($file['name'], PATHINFO_EXTENSION);
+                if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') {
+                    $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+                    \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $file['name']);
+                    $response[$k]['error'] = array(
+                        "code" => "400",
+                        "message" => $message
+                    );
+                    continue;
+                }
                $oCase = new \Cases();
                $delIndex = $oCase->getCurrentDelegation($app_uid, $userUid);
                $docUid = !empty($file['docUid']) ? $file['docUid'] : -1;
--- a/workflow/public_html/sysGeneric.php
+++ b/workflow/public_html/sysGeneric.php
@@ -337,6 +337,7 @@ define ('WS_IN_LOGIN', isset($config['WS_IN_LOGIN']) ? $config['WS_IN_LOGIN'] :
 define('LOAD_HEADERS_IE', $config['load_headers_ie']);
 define('LEAVE_CASE_WARNING', $config['leave_case_warning']);
 define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']);
+define('DISABLE_PHP_UPLOAD_EXECUTION', $config['disable_php_upload_execution']);

 // IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it.
 $_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME'];
@@ -801,6 +802,17 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
            die();
        }

+        Bootstrap::initVendors();
+        Bootstrap::LoadSystem( 'monologProvider' );
+        if (\Bootstrap::getDisablePhpUploadExecution() === 1) {
+            $message = \G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
+            \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $phpFile);
+            echo $message;
+            die();
+        } else {
+            \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $phpFile);
+        }
+
        $avoidChangedWorkspaceValidation = true;
        $bWE = true;
        //$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP .  SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1];