From 9cff70c5b3b1c63ca50c9460c4fc5966fd3f2ce4 Mon Sep 17 00:00:00 2001
From: Marco Antonio Nina Mena
Date: Fri, 24 Nov 2017 13:39:33 -0400
Subject: [PATCH] HOR-4122 When "Manager_Approval" is set like a variable name, this breaks the url encode/decode function used by ABE - Change sign plus in function encrypt and decrypt
---
gulliver/system/class.g.php | 67 ++++++++++++-------
.../classes/ActionsByEmailCoreClass.php | 26 +++----
.../methods/services/ActionsByEmail.php | 10 +--
3 files changed, 59 insertions(+), 44 deletions(-)
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index c9776460b..fd530e099 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -390,62 +390,77 @@ class G /** * * Encrypt and decrypt functions *** */ + /** * Encrypt string * - * @author Fernando Ontiveros Lira * @access public + * * @param string $string * @param string $key + * @param bool $urlSafe if it is used in url + * * @return string */ - public static function encrypt ($string, $key) + public static function encrypt ($string, $key, $urlSafe = false) { - //print $string; - // if ( defined ( 'ENABLE_ENCRYPT' ) && ENABLE_ENCRYPT == 'yes' ) { - if (strpos( $string, '|', 0 ) !== false) { + if (strpos($string, '|', 0) !== false) { return $string; } $result = ''; - for ($i = 0; $i < strlen( $string ); $i ++) { - $char = substr( $string, $i, 1 ); - $keychar = substr( $key, ($i % strlen( $key )) - 1, 1 ); - $char = chr( ord( $char ) + ord( $keychar ) ); + for ($i = 0; $i < strlen($string); $i++) { + $char = substr($string, $i, 1); + $keychar = substr($key, ($i % strlen($key)) - 1, 1); + $char = chr(ord($char) + ord($keychar)); $result .= $char; } - $result = base64_encode( $result ); - $result = str_replace( '/', '°', $result ); - $result = str_replace( '=', '', $result ); - return $result; + $result = base64_encode($result); + $search = ['/', '=']; + $replace = ['°', '']; + + if ($urlSafe) { + $search[] = '+'; + $replace[] = '_'; + } + + return str_replace($search, $replace, $result); } /** * Decrypt string * - * @author Fernando Ontiveros Lira * @access public + * * @param string $string * @param string $key + * @param bool $urlSafe if it is used in url + * * @return string */ - public static function decrypt($string, $key) + public static function decrypt($string, $key, $urlSafe = false) { - // if ( defined ( 'ENABLE_ENCRYPT' ) && ENABLE_ENCRYPT == 'yes' ) { - //if (strpos($string, '|', 0) !== false) return $string; $result = ''; - $string = str_replace( '°', '/', $string ); - $string_jhl = explode( "?", $string ); - $string = base64_decode( $string ); - $string = base64_decode( $string_jhl[0] ); + $search = ['°']; + $replace = ['/']; 
- for ($i = 0; $i < strlen( $string ); $i ++) { - $char = substr( $string, $i, 1 ); - $keychar = substr( $key, ($i % strlen( $key )) - 1, 1 ); - $char = chr( ord( $char ) - ord( $keychar ) ); + if ($urlSafe) { + $search[] = '_'; + $replace[] = '+'; + } + + $string = str_replace($search, $replace, $string); + $string_jhl = explode("?", $string); + $string = base64_decode($string); + $string = base64_decode($string_jhl[0]); + + for ($i = 0; $i < strlen($string); $i++) { + $char = substr($string, $i, 1); + $keychar = substr($key, ($i % strlen($key)) - 1, 1); + $char = chr(ord($char) - ord($keychar)); $result .= $char; } - if (! empty( $string_jhl[1] )) { + if (!empty($string_jhl[1])) { $result .= '?' . $string_jhl[1]; } return $result; diff --git a/workflow/engine/classes/ActionsByEmailCoreClass.php b/workflow/engine/classes/ActionsByEmailCoreClass.php index 8fec488f0..520e0dd87 100644 --- a/workflow/engine/classes/ActionsByEmailCoreClass.php +++ b/workflow/engine/classes/ActionsByEmailCoreClass.php @@ -180,17 +180,17 @@ class ActionsByEmailCoreClass extends PMPlugin $__ABE__ .= ''; foreach ($customGrid as $key => $value) { $__ABE__ .= '' . (($index % 5 == 0) ? '' : ' '); $index++; } $__ABE__ .= '
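Review bot: The new `$urlSafe` flag only changes the transport alphabet; `encrypt`/`decrypt` remain a repeating-key byte shift (`chr(ord($char) + ord($keychar))`, key index `$i % strlen($key)`) with no integrity tag, and every generated link carries the known plaintext `processABE` encrypted under the same `URL_KEY`, so the key bytes that token covers can be read off a single e-mail link and `APP_UID`/`DEL_INDEX`/`FIELD`/`VALUE` re-encrypted by anyone who receives or intercepts a message. If these links are meant to be tamper-proof, add an authenticator over the query string (for example `hash_hmac('sha256', $query, URL_KEY)`, checked with `hash_equals()` before any decrypt), or replace the home-grown cipher with an authenticated one; otherwise the docblock should say plainly that this is obfuscation, not encryption. In the rewritten `decrypt` body the first `$string = base64_decode($string);` is dead, since the next line overwrites `$string` from `$string_jhl[0]`, and `°` (U+00B0) as the stand-in for `/` puts a non-ASCII byte into URLs where base64url would use `-`; if `°` must stay for links already sent, that deserves a comment. Note also that `encrypt` returns its input unchanged when it contains `|`, while `decrypt` has lost the matching early return and will base64-decode such a value as if it were ciphertext.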
' . $value['abe_custom_label']; + $__ABE__ .= 'href="' . urldecode(urlencode($link)) . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID='; + $__ABE__ .= G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY); + $__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($value['abe_custom_value'], URL_KEY, true); + $__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank" >' . $value['abe_custom_label']; $__ABE__ .= '
'; break; case 'LINK': - $__ABE__ .= 'Please complete this form'; + $__ABE__ .= 'Please complete this form'; break; // coment case 'FIELD': @@ -242,10 +242,10 @@ class ActionsByEmailCoreClass extends PMPlugin $__ABE__ .= 'background-image: -o-linear-gradient(top, #EFEFEF, #BCBCBC); border: 1px solid #AAAAAA; '; $__ABE__ .= 'border-radius: 4px; -moz-border-radius: 4px; -webkit-border-radius: 4px; box-shadow: 0 1px 2px rgba(0, 0, 0, 0.2); '; $__ABE__ .= 'font-family: Arial,serif; font-size: 9pt; font-weight: 400; line-height: 14px; margin: 2px 0; padding: 2px 7px; '; - $__ABE__ .= 'text-decoration: none; text-transform: capitalize;" href="' .urldecode(urlencode($link)). '?ACTION='.G::encrypt('processABE', URL_KEY).'&APP_UID='; - $__ABE__ .= G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY); - $__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY) . '&VALUE=' . G::encrypt($optValue, URL_KEY); - $__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank" >' . $optName; + $__ABE__ .= 'text-decoration: none; text-transform: capitalize;" href="' .urldecode(urlencode($link)). '?ACTION='.G::encrypt('processABE', URL_KEY, true).'&APP_UID='; + $__ABE__ .= G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY, true); + $__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($optValue, URL_KEY, true); + $__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank" >' . $optName; $__ABE__ .= '' . (($index % 5 == 0) ? '' : ' '); $index++; } 
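Review bot: `DEL_INDEX` in the custom-grid link is still built with `G::encrypt($data->DEL_INDEX, URL_KEY)` without the `$urlSafe` flag, while `services/ActionsByEmail.php` decodes it with `$urlSafe = true`; whenever that base64 output contains `+`, the receiver's `urldecode()` turns it into a space and the index is garbled, which is exactly the failure this commit fixes for the other parameters. It should read `G::encrypt($data->DEL_INDEX, URL_KEY, true)`, as the radio/dropdown hunk below already does. Separately, `urldecode(urlencode($link))` is an identity round-trip and can simply be `$link`. The anchor markup around these calls appears stripped in this view, so the surrounding HTML could not be checked.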
@@ -253,12 +253,12 @@ class ActionsByEmailCoreClass extends PMPlugin $__ABE__.=''; break; case 'yesno': - $__ABE__ .= '' . G::LoadTranslation('ID_YES_VALUE') . ''; - $__ABE__ .= '' . G::LoadTranslation('ID_NO_VALUE') . ''; + $__ABE__ .= '' . G::LoadTranslation('ID_YES_VALUE') . ''; + $__ABE__ .= '' . G::LoadTranslation('ID_NO_VALUE') . ''; break; case 'checkbox': - $__ABE__ .= 'Check'; - $__ABE__ .= 'Uncheck'; + $__ABE__ .= 'Check'; + $__ABE__ .= 'Uncheck'; break; } $__ABE__ .= ''; diff --git a/workflow/engine/methods/services/ActionsByEmail.php b/workflow/engine/methods/services/ActionsByEmail.php index 0b74dd7f2..340d4e0e7 100644 --- a/workflow/engine/methods/services/ActionsByEmail.php +++ b/workflow/engine/methods/services/ActionsByEmail.php @@ -29,11 +29,11 @@ if (isset($_GET['BROWSER_TIME_ZONE_OFFSET'])) { throw new Exception('The parameter DEL_INDEX is empty.'); } - $_REQUEST['APP_UID'] = G::decrypt(urldecode(utf8_encode($_REQUEST['APP_UID'])), URL_KEY); - $_REQUEST['DEL_INDEX'] = G::decrypt(urldecode(utf8_encode($_REQUEST['DEL_INDEX'])), URL_KEY); - $_REQUEST['FIELD'] = G::decrypt(urldecode(utf8_encode($_REQUEST['FIELD'])), URL_KEY); - $_REQUEST['VALUE'] = G::decrypt(urldecode(utf8_encode($_REQUEST['VALUE'])), URL_KEY); - $_REQUEST['ABER'] = G::decrypt(urldecode(utf8_encode($_REQUEST['ABER'])), URL_KEY); + $_REQUEST['APP_UID'] = G::decrypt(urldecode(utf8_encode($_REQUEST['APP_UID'])), URL_KEY, true); + $_REQUEST['DEL_INDEX'] = G::decrypt(urldecode(utf8_encode($_REQUEST['DEL_INDEX'])), URL_KEY, true); + $_REQUEST['FIELD'] = G::decrypt(rawurldecode(utf8_encode($_REQUEST['FIELD'])), URL_KEY, true); + $_REQUEST['VALUE'] = G::decrypt(urldecode(utf8_encode($_REQUEST['VALUE'])), URL_KEY, true); + $_REQUEST['ABER'] = G::decrypt(urldecode(utf8_encode($_REQUEST['ABER'])), URL_KEY, true); $case = new Cases(); $actionsByEmail = new \ProcessMaker\BusinessModel\ActionsByEmail();
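Review bot: `FIELD` is decoded with `rawurldecode()` while the other four parameters use `urldecode()`; PHP has already percent-decoded `$_REQUEST` once, so this second pass is either redundant or, for `urldecode`, turns a literal `+` into a space — harmless now that the url-safe alphabet never emits `+`, but the mix invites the same class of bug the commit is fixing, so use one form (`rawurldecode`, which never touches `+`) for all five or drop the extra decode. `G::decrypt` never fails — `base64_decode` is non-strict and the byte shift wraps — so a tampered or truncated token silently yields garbage that is then presumably handed to `Cases`; at minimum reject a decrypted `DEL_INDEX` that fails `ctype_digit()` before any lookup, and if `ActionsByEmail` loads the request by `ABER`, compare the decrypted `APP_UID`/`DEL_INDEX` against that record rather than trusting them directly (that lookup is not visible here). The enclosing `if (isset($_GET['BROWSER_TIME_ZONE_OFFSET']))` block starts and ends outside the hunk.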