HOR-4122 When "Manager_Approval" is set like a variable name, this breaks the url encode/decode function used by ABE

- Replace the plus sign in the encrypt and decrypt functions
This commit is contained in:
Marco Antonio Nina Mena
2017-11-24 13:39:33 -04:00
parent 0c22077c4d
commit 9cff70c5b3
3 changed files with 59 additions and 44 deletions


@@ -390,62 +390,77 @@ class G
/** /**
* * Encrypt and decrypt functions *** * * Encrypt and decrypt functions ***
*/ */
/** /**
* Encrypt string * Encrypt string
* *
* @author Fernando Ontiveros Lira <fernando@colosa.com>
* @access public * @access public
*
* @param string $string * @param string $string
* @param string $key * @param string $key
* @param bool $urlSafe if it is used in url
*
* @return string * @return string
*/ */
public static function encrypt ($string, $key) public static function encrypt ($string, $key, $urlSafe = false)
{ {
//print $string; if (strpos($string, '|', 0) !== false) {
// if ( defined ( 'ENABLE_ENCRYPT' ) && ENABLE_ENCRYPT == 'yes' ) {
if (strpos( $string, '|', 0 ) !== false) {
return $string; return $string;
} }
$result = ''; $result = '';
for ($i = 0; $i < strlen( $string ); $i ++) { for ($i = 0; $i < strlen($string); $i++) {
$char = substr( $string, $i, 1 ); $char = substr($string, $i, 1);
$keychar = substr( $key, ($i % strlen( $key )) - 1, 1 ); $keychar = substr($key, ($i % strlen($key)) - 1, 1);
$char = chr( ord( $char ) + ord( $keychar ) ); $char = chr(ord($char) + ord($keychar));
$result .= $char; $result .= $char;
} }
$result = base64_encode( $result ); $result = base64_encode($result);
$result = str_replace( '/', '°', $result ); $search = ['/', '='];
$result = str_replace( '=', '', $result ); $replace = ['°', ''];
return $result;
if ($urlSafe) {
$search[] = '+';
$replace[] = '_';
}
return str_replace($search, $replace, $result);
} }
/** /**
* Decrypt string * Decrypt string
* *
* @author Fernando Ontiveros Lira <fernando@colosa.com>
* @access public * @access public
*
* @param string $string * @param string $string
* @param string $key * @param string $key
* @param bool $urlSafe if it is used in url
*
* @return string * @return string
*/ */
public static function decrypt($string, $key) public static function decrypt($string, $key, $urlSafe = false)
{ {
// if ( defined ( 'ENABLE_ENCRYPT' ) && ENABLE_ENCRYPT == 'yes' ) {
//if (strpos($string, '|', 0) !== false) return $string;
$result = ''; $result = '';
$string = str_replace( '°', '/', $string ); $search = ['°'];
$string_jhl = explode( "?", $string ); $replace = ['/'];
$string = base64_decode( $string );
$string = base64_decode( $string_jhl[0] );
for ($i = 0; $i < strlen( $string ); $i ++) { if ($urlSafe) {
$char = substr( $string, $i, 1 ); $search[] = '_';
$keychar = substr( $key, ($i % strlen( $key )) - 1, 1 ); $replace[] = '+';
$char = chr( ord( $char ) - ord( $keychar ) ); }
$string = str_replace($search, $replace, $string);
$string_jhl = explode("?", $string);
$string = base64_decode($string);
$string = base64_decode($string_jhl[0]);
for ($i = 0; $i < strlen($string); $i++) {
$char = substr($string, $i, 1);
$keychar = substr($key, ($i % strlen($key)) - 1, 1);
$char = chr(ord($char) - ord($keychar));
$result .= $char; $result .= $char;
} }
if (! empty( $string_jhl[1] )) { if (!empty($string_jhl[1])) {
$result .= '?' . $string_jhl[1]; $result .= '?' . $string_jhl[1];
} }
return $result; return $result;
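Review bot: The docblocks on the new side still present encrypt()/decrypt() as encryption, while the body only adds each byte to a key byte (`chr(ord($char) + ord($keychar))`) and base64-encodes the result, so the output carries no confidentiality or integrity protection and callers must not treat a decrypted value as authenticated; a comment such as `* NOTE: reversible obfuscation only, not encryption; validate decrypted values before use.` on both functions would make that visible at the call sites added in this commit. Separately, in decrypt() the line `$string = base64_decode($string);` is dead, because the next line overwrites `$string` from `$string_jhl[0]`; dropping it would make the `?`-suffix handling easier to read. The `$urlSafe` description `if it is used in url` would be clearer as `true when the token is placed in a URL query string (maps '+' to '_' and back)`. decrypt() closes outside the hunk.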


@@ -180,17 +180,17 @@ class ActionsByEmailCoreClass extends PMPlugin
$__ABE__ .= '<td><table align="left" cellpadding="2"><tr>'; $__ABE__ .= '<td><table align="left" cellpadding="2"><tr>';
foreach ($customGrid as $key => $value) { foreach ($customGrid as $key => $value) {
$__ABE__ .= '<td align="center"><a style="' . $value['abe_custom_format'] . '" '; $__ABE__ .= '<td align="center"><a style="' . $value['abe_custom_format'] . '" ';
$__ABE__ .= 'href="' . urldecode(urlencode($link)) . '?ACTION=' . G::encrypt('processABE', URL_KEY) . '&APP_UID='; $__ABE__ .= 'href="' . urldecode(urlencode($link)) . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID=';
$__ABE__ .= G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY); $__ABE__ .= G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY);
$__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY) . '&VALUE=' . G::encrypt($value['abe_custom_value'], URL_KEY); $__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($value['abe_custom_value'], URL_KEY, true);
$__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank" >' . $value['abe_custom_label']; $__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank" >' . $value['abe_custom_label'];
$__ABE__ .= '</a></td>' . (($index % 5 == 0) ? '</tr><tr>' : ' '); $__ABE__ .= '</a></td>' . (($index % 5 == 0) ? '</tr><tr>' : ' ');
$index++; $index++;
} }
$__ABE__ .= '</tr></table></div>'; $__ABE__ .= '</tr></table></div>';
break; break;
case 'LINK': case 'LINK':
$__ABE__ .= '<a href="' . $link . 'DataForm?APP_UID=' . G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY) . '&DYN_UID=' . G::encrypt($configuration['DYN_UID'], URL_KEY) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank">Please complete this form</a>'; $__ABE__ .= '<a href="' . $link . 'DataForm?APP_UID=' . G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY, true) . '&DYN_UID=' . G::encrypt($configuration['DYN_UID'], URL_KEY, true) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank">Please complete this form</a>';
break; break;
// coment // coment
case 'FIELD': case 'FIELD':
@@ -242,10 +242,10 @@ class ActionsByEmailCoreClass extends PMPlugin
$__ABE__ .= 'background-image: -o-linear-gradient(top, #EFEFEF, #BCBCBC); border: 1px solid #AAAAAA; '; $__ABE__ .= 'background-image: -o-linear-gradient(top, #EFEFEF, #BCBCBC); border: 1px solid #AAAAAA; ';
$__ABE__ .= 'border-radius: 4px; -moz-border-radius: 4px; -webkit-border-radius: 4px; box-shadow: 0 1px 2px rgba(0, 0, 0, 0.2); '; $__ABE__ .= 'border-radius: 4px; -moz-border-radius: 4px; -webkit-border-radius: 4px; box-shadow: 0 1px 2px rgba(0, 0, 0, 0.2); ';
$__ABE__ .= 'font-family: Arial,serif; font-size: 9pt; font-weight: 400; line-height: 14px; margin: 2px 0; padding: 2px 7px; '; $__ABE__ .= 'font-family: Arial,serif; font-size: 9pt; font-weight: 400; line-height: 14px; margin: 2px 0; padding: 2px 7px; ';
$__ABE__ .= 'text-decoration: none; text-transform: capitalize;" href="' .urldecode(urlencode($link)). '?ACTION='.G::encrypt('processABE', URL_KEY).'&APP_UID='; $__ABE__ .= 'text-decoration: none; text-transform: capitalize;" href="' .urldecode(urlencode($link)). '?ACTION='.G::encrypt('processABE', URL_KEY, true).'&APP_UID=';
$__ABE__ .= G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY); $__ABE__ .= G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY, true);
$__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY) . '&VALUE=' . G::encrypt($optValue, URL_KEY); $__ABE__ .= '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($optValue, URL_KEY, true);
$__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank" >' . $optName; $__ABE__ .= '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank" >' . $optName;
$__ABE__ .= '</a></td>' . (($index % 5 == 0) ? '</tr><tr>' : ' '); $__ABE__ .= '</a></td>' . (($index % 5 == 0) ? '</tr><tr>' : ' ');
$index++; $index++;
} }
@@ -253,12 +253,12 @@ class ActionsByEmailCoreClass extends PMPlugin
$__ABE__.='</tr></table></td>'; $__ABE__.='</tr></table></td>';
break; break;
case 'yesno': case 'yesno':
$__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY) . '&APP_UID=' . urlencode(G::encrypt($data->APP_UID, URL_KEY)) . '&DEL_INDEX=' . urlencode(G::encrypt($data->DEL_INDEX, URL_KEY)). '&FIELD=' . urlencode(G::encrypt($actionField, URL_KEY)) . '&VALUE=' . urlencode(G::encrypt(1, URL_KEY)) . '&ABER=' . urlencode(G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY)) . '" target="_blank">' . G::LoadTranslation('ID_YES_VALUE') . '</a></td>'; $__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID=' . urlencode(G::encrypt($data->APP_UID, URL_KEY, true)) . '&DEL_INDEX=' . urlencode(G::encrypt($data->DEL_INDEX, URL_KEY, true)). '&FIELD=' . urlencode(G::encrypt($actionField, URL_KEY, true)) . '&VALUE=' . urlencode(G::encrypt(1, URL_KEY, true)) . '&ABER=' . urlencode(G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true, true)) . '" target="_blank">' . G::LoadTranslation('ID_YES_VALUE') . '</a></td>';
$__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY) . '&APP_UID=' . urlencode(G::encrypt($data->APP_UID, URL_KEY)) . '&DEL_INDEX=' . urlencode(G::encrypt($data->DEL_INDEX, URL_KEY)) . '&FIELD=' . urlencode(G::encrypt($actionField, URL_KEY)) . '&VALUE=' . urlencode(G::encrypt(0, URL_KEY)) . '&ABER=' . urlencode(G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY)) . '" target="_blank">' . G::LoadTranslation('ID_NO_VALUE') . '</a></td>'; $__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID=' . urlencode(G::encrypt($data->APP_UID, URL_KEY, true)) . '&DEL_INDEX=' . urlencode(G::encrypt($data->DEL_INDEX, URL_KEY, true)) . '&FIELD=' . urlencode(G::encrypt($actionField, URL_KEY, true)) . '&VALUE=' . urlencode(G::encrypt(0, URL_KEY, true)) . '&ABER=' . urlencode(G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true, true)) . '" target="_blank">' . G::LoadTranslation('ID_NO_VALUE') . '</a></td>';
break; break;
case 'checkbox': case 'checkbox':
$__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY) . '&APP_UID=' . G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY) . '&FIELD=' . G::encrypt($actionField, URL_KEY) . '&VALUE=' . G::encrypt($field->value, URL_KEY) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank">Check</a></td>'; $__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID=' . G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY, true) . '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($field->value, URL_KEY, true) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank">Check</a></td>';
$__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY) . '&APP_UID=' . G::encrypt($data->APP_UID, URL_KEY) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY) . '&FIELD=' . G::encrypt($actionField, URL_KEY) . '&VALUE=' . G::encrypt($field->value, URL_KEY) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY) . '" target="_blank">Uncheck</a></td>'; $__ABE__ .= '<td align="center"><a href="' . $link . '?ACTION=' . G::encrypt('processABE', URL_KEY, true) . '&APP_UID=' . G::encrypt($data->APP_UID, URL_KEY, true) . '&DEL_INDEX=' . G::encrypt($data->DEL_INDEX, URL_KEY, true) . '&FIELD=' . G::encrypt($actionField, URL_KEY, true) . '&VALUE=' . G::encrypt($field->value, URL_KEY, true) . '&ABER=' . G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true) . '" target="_blank">Uncheck</a></td>';
break; break;
} }
$__ABE__ .= '</tr></table>'; $__ABE__ .= '</tr></table>';
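Review bot: In the `yesno` hunk, the two lines with `G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true, true)` pass a fourth argument that encrypt() does not declare; PHP silently ignores it for user-defined functions, so it is harmless today, but it reads as a typo and should be `G::encrypt($abeRequest['ABE_REQ_UID'], URL_KEY, true)`. In the first hunk, the customGrid branch still builds the `DEL_INDEX` token as `G::encrypt($data->DEL_INDEX, URL_KEY)` without `true`, while every other `DEL_INDEX` call in this section passes `true` and the receiving script decrypts it with `$urlSafe` set after `urldecode()`; if that base64 output happens to contain a `+`, urldecode turns it into a space before decrypt sees it, which is the very failure this commit fixes elsewhere. Change it to `G::encrypt($data->DEL_INDEX, URL_KEY, true)`. The enclosing method starts and ends outside these hunks.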


@@ -29,11 +29,11 @@ if (isset($_GET['BROWSER_TIME_ZONE_OFFSET'])) {
throw new Exception('The parameter DEL_INDEX is empty.'); throw new Exception('The parameter DEL_INDEX is empty.');
} }
$_REQUEST['APP_UID'] = G::decrypt(urldecode(utf8_encode($_REQUEST['APP_UID'])), URL_KEY); $_REQUEST['APP_UID'] = G::decrypt(urldecode(utf8_encode($_REQUEST['APP_UID'])), URL_KEY, true);
$_REQUEST['DEL_INDEX'] = G::decrypt(urldecode(utf8_encode($_REQUEST['DEL_INDEX'])), URL_KEY); $_REQUEST['DEL_INDEX'] = G::decrypt(urldecode(utf8_encode($_REQUEST['DEL_INDEX'])), URL_KEY, true);
$_REQUEST['FIELD'] = G::decrypt(urldecode(utf8_encode($_REQUEST['FIELD'])), URL_KEY); $_REQUEST['FIELD'] = G::decrypt(rawurldecode(utf8_encode($_REQUEST['FIELD'])), URL_KEY, true);
$_REQUEST['VALUE'] = G::decrypt(urldecode(utf8_encode($_REQUEST['VALUE'])), URL_KEY); $_REQUEST['VALUE'] = G::decrypt(urldecode(utf8_encode($_REQUEST['VALUE'])), URL_KEY, true);
$_REQUEST['ABER'] = G::decrypt(urldecode(utf8_encode($_REQUEST['ABER'])), URL_KEY); $_REQUEST['ABER'] = G::decrypt(urldecode(utf8_encode($_REQUEST['ABER'])), URL_KEY, true);
$case = new Cases(); $case = new Cases();
$actionsByEmail = new \ProcessMaker\BusinessModel\ActionsByEmail(); $actionsByEmail = new \ProcessMaker\BusinessModel\ActionsByEmail();
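Review bot: The `FIELD` line switches to `rawurldecode()` while the four neighbouring lines keep `urldecode()`; with url-safe tokens neither output should contain `+`, so the two decoders agree in practice, but the asymmetry looks unintended and should either be unified or explained with a comment, e.g. `// rawurldecode: <reason FIELD is decoded differently from the other tokens>`. Since G::decrypt() only reverses a byte-wise key addition and base64, the decrypted `APP_UID`, `DEL_INDEX`, `FIELD`, `VALUE` and `ABER` values remain caller-controlled input; a format check before they reach Cases, such as `if (!ctype_digit((string) $_REQUEST['DEL_INDEX'])) { throw new Exception('The parameter DEL_INDEX is invalid.'); }`, would mirror the empty-check already at the top of the hunk. The enclosing script continues outside the hunk.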