From 135211ed716af227527e02453d8af4acf61f8514 Mon Sep 17 00:00:00 2001 From: "Paula V. Quispe" Date: Tue, 21 Apr 2015 09:35:39 -0400 Subject: [PATCH 01/35] I solved some issues Cross-Site Scripting [April 18] --- gulliver/system/class.g.php | 3 +++ .../thirdparty/pear/PEAR/Frontend/CLI.php | 19 +++++++++++++++++++ .../pear/SOAP/Interop/interop_client_run.php | 13 +++++++++++-- .../methods/cases/cases_StepToRevise.php | 2 +- .../cases/cases_StepToReviseInputs.php | 2 +- .../cases/cases_StepToReviseOutputs.php | 2 +- .../cases/cases_ToReviseOutputDocView.php | 2 +- .../dynaforms/dynaforms_FlatEditor.php | 12 ++++++------ 8 files changed, 43 insertions(+), 12 deletions(-) diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index 846fbd558..b6298dab2 100755 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php @@ -3133,6 +3133,9 @@ class G */ public function evalJScript ($c) { + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $c = $filter->xssFilterHard($c); print ("") ; } diff --git a/gulliver/thirdparty/pear/PEAR/Frontend/CLI.php b/gulliver/thirdparty/pear/PEAR/Frontend/CLI.php index 55ee979eb..67c15b9ea 100755 --- a/gulliver/thirdparty/pear/PEAR/Frontend/CLI.php +++ b/gulliver/thirdparty/pear/PEAR/Frontend/CLI.php @@ -72,6 +72,15 @@ class PEAR_Frontend_CLI extends PEAR function _displayLine($text) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); + $text = $filter->xssFilterHard($text); print "$this->lp$text\n"; } 
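Review bot: Running `xssFilterHard` over `$c` before the `print` in evalJScript applies what its name suggests is an HTML-oriented filter to a value that, going by the function name, ends up inside an inline script; the printed markup itself is stripped from this rendering, so that is inferred. Escaping has to match the output context: if `$c` is data, emit it with `json_encode($c)` and read it from the JavaScript side; if `$c` is meant to be executable code, no filter makes attacker-influenced code safe and the callers passing it need review instead. `G::LoadSystem('inputfilter')` and `new InputFilter()` now run on every call; holding the filter in a static or class property avoids that. Whether InputFilter::xssFilterHard is HTML-oriented should be confirmed against class.inputfilter.php.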
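Review bot: _displayLine writes to standard output (`print "$this->lp$text\n";`), so an HTML XSS filter on `$text` protects no browser sink and may silently rewrite legitimate CLI output; the same applies to `$prompt` and `$default` in userDialog in the next hunk and to `$currTest` in print_endpoint_names. The bootstrap path is derived from `$_SERVER['DOCUMENT_ROOT']`, which the CLI SAPI does not populate, so under a real command-line run `$pathTrunk` collapses to `/` and the `require_once` fails fatally — presumably these files are only reached through the web SAPI, but that should be confirmed. `$pathhome` is computed and never used, and the whole path block is repeated verbatim in three places; one file-level `require_once`, or leaving vendored PEAR code untouched since an upgrade will overwrite it, would be simpler. If the concern is terminal output, stripping control characters is the relevant measure, not an HTML filter.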
@@ -124,15 +133,25 @@ class PEAR_Frontend_CLI extends PEAR function userDialog($command, $prompts, $types = array(), $defaults = array()) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); $result = array(); if (is_array($prompts)) { $fp = fopen("php://stdin", "r"); foreach ($prompts as $key => $prompt) { $type = $types[$key]; $default = @$defaults[$key]; + $default = $filter->xssFilterHard($default); if ($type == 'password') { system('stty -echo'); } + $prompt = $filter->xssFilterHard($prompt); print "$this->lp$prompt "; if ($default) { print "[$default] "; diff --git a/gulliver/thirdparty/pear/SOAP/Interop/interop_client_run.php b/gulliver/thirdparty/pear/SOAP/Interop/interop_client_run.php index c77eb78f1..70f98dddb 100755 --- a/gulliver/thirdparty/pear/SOAP/Interop/interop_client_run.php +++ b/gulliver/thirdparty/pear/SOAP/Interop/interop_client_run.php 
@@ -82,10 +82,19 @@ function print_test_names() function print_endpoint_names() { global $iop; + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); + $currTest = $filter->xssFilterHard($iop->currentTest); if (!$iop->getEndpoints($iop->currentTest)) { - die("Unable to retrieve endpoints for $iop->currentTest\n"); + die("Unable to retrieve endpoints for $currTest\n"); } - print "Interop Servers for $iop->currentTest:\n"; + print "Interop Servers for $currTestt:\n"; foreach ($iop->endpoints as $server) { print " $server->name\n"; } diff --git a/workflow/engine/methods/cases/cases_StepToRevise.php b/workflow/engine/methods/cases/cases_StepToRevise.php index d693fae4c..dbf7e5f88 100755 --- a/workflow/engine/methods/cases/cases_StepToRevise.php +++ b/workflow/engine/methods/cases/cases_StepToRevise.php @@ -138,7 +138,7 @@ if (! isset( $_GET['ex'] )) { // DEPRECATED this JS section is marked for removal function setSelect() { - var ex=; + var ex=xssFilterHard($_GET['ex'])?>; try { for(i=1; i<50; i++) { if (i == ex) { diff --git a/workflow/engine/methods/cases/cases_StepToReviseInputs.php b/workflow/engine/methods/cases/cases_StepToReviseInputs.php index b4999f81e..07d45ca39 100755 --- a/workflow/engine/methods/cases/cases_StepToReviseInputs.php +++ b/workflow/engine/methods/cases/cases_StepToReviseInputs.php @@ -140,7 +140,7 @@ G::RenderPage( 'publish', 'blank' ); //Deprecated Section since the interface are now movig to ExtJS function setSelect() { - var ex=; + var ex=xssFilterHard($_GET['ex'])?>; try { for (i=1; i<50; i++) { if (i == ex) { 
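Review bot: The new `print "Interop Servers for $currTestt:\n";` references `$currTestt` (double t), which is never assigned, so the line prints an empty name and raises an undefined-variable notice; it should read `print "Interop Servers for $currTest:\n";`. The `die()` on the line before uses the correct `$currTest`. The DOCUMENT_ROOT-derived `require_once` block has the same CLI-SAPI concern raised on PEAR/Frontend/CLI.php.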
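Review bot: `ex` is emitted into a JavaScript context and then compared with the integer loop counter (`if (i == ex)`), so the precise fix is a type cast rather than a text filter: `var ex=<?php echo (int) $_GET['ex']; ?>;` (the PHP open tag and `echo` appear stripped from this rendering). An integer cast leaves nothing that can alter the script, whereas an HTML-oriented filter is not designed for a `<script>` context — hedged, since InputFilter is not visible here. The same pattern is repeated in cases_StepToReviseInputs.php, cases_StepToReviseOutputs.php and cases_ToReviseOutputDocView.php; all four setSelect bodies are marked deprecated and extend past their hunks.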
diff --git a/workflow/engine/methods/cases/cases_StepToReviseOutputs.php b/workflow/engine/methods/cases/cases_StepToReviseOutputs.php index 976b75dc5..1a78eaf4f 100755 --- a/workflow/engine/methods/cases/cases_StepToReviseOutputs.php +++ b/workflow/engine/methods/cases/cases_StepToReviseOutputs.php @@ -84,7 +84,7 @@ if (! isset( $_GET['ex'] )) { //Deprecated Section since the interface are now movig to ExtJS function setSelect() { - var ex=; + var ex=xssFilterHard($_GET['ex'])?>; try{ for (i=1; i<50; i++) { if (i == ex) { diff --git a/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php b/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php index 351d778d9..b978b21e0 100755 --- a/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php +++ b/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php @@ -104,7 +104,7 @@ if (! isset( $_GET['ex'] )) { /*------------------------------ To Revise Routines ---------------------------*/ function setSelect() { - var ex=; + var ex=xssFilterHard($_GET['ex'])?>; try{ for(i=1; i<50; i++) { diff --git a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php index 0014b64f9..b615b5005 100755 --- a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php +++ b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php @@ -170,12 +170,12 @@ G::RenderPage( "publish", "raw" ); + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - -
- For better compatibility with Internet Explorer, a new tab with the KPIs has been opened. Please select this tab on the tab list above to see all the KPI's functionality. -
+ + +
+
+
+
+ This is just a basic view of your indexes. For better compatibility with Internet Explorer, a new tab with the KPIs has been opened. Please select this new tab on the tab list above to see all our KPIs functionality. +
+ + + +
+
+
+ +
+
+ +
+
+ +
+
+ + + +
+
+
+
+
+
+
- From 8754c5243862eab37ef8533e9eee681ec6d477c5 Mon Sep 17 00:00:00 2001 From: Marco Antonio Nina Mena Date: Fri, 24 Apr 2015 13:25:56 -0400 Subject: [PATCH 23/35] schema xml --- workflow/engine/config/schema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow/engine/config/schema.xml b/workflow/engine/config/schema.xml index b999c0bf5..4245350f7 100755 --- a/workflow/engine/config/schema.xml +++ b/workflow/engine/config/schema.xml @@ -1,4 +1,4 @@ - + From 44d7a1e0eae2fb558c2f64c6b1b6ae8e4677b095 Mon Sep 17 00:00:00 2001 From: Victor Saisa Lopez Date: Fri, 24 Apr 2015 14:09:22 -0400 Subject: [PATCH 24/35] PM-2409 "No muestra ningun mensaje de error al ejecutar..." SOLVED Issue: No muestra ningun mensaje de error al ejecutar messageeventcron.php con un workspace inexistente Cause: No se valida el workspace Solution: Se agrega validacion para verificar si el workspace existe, esto para: - cron.php - messageeventcron.php --- workflow/engine/bin/cron.php | 8 ++++++-- workflow/engine/bin/messageeventcron.php | 4 ++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/workflow/engine/bin/cron.php b/workflow/engine/bin/cron.php index 4e0932e73..9ab67a4ad 100755 --- a/workflow/engine/bin/cron.php +++ b/workflow/engine/bin/cron.php @@ -5,7 +5,7 @@ */ if ( !defined('PATH_SEP') ) { - define('PATH_SEP', ( substr(PHP_OS, 0, 3) == 'WIN' ) ? '\\' : '/'); + define("PATH_SEP", (substr(PHP_OS, 0, 3) == "WIN")? "\\" : "/"); } $docuroot = explode(PATH_SEP, str_replace('engine' . PATH_SEP . 'methods' . PATH_SEP . 'services', '', dirname(__FILE__))); @@ -129,7 +129,7 @@ if ($force || !$bCronIsRunning) { $oDirectory = dir(PATH_DB); $cws = 0; - while($sObject = $oDirectory->read()) { + while (($sObject = $oDirectory->read()) !== false) { if (($sObject != ".") && ($sObject != "..")) { if (is_dir(PATH_DB . $sObject)) { if (file_exists(PATH_DB . $sObject . PATH_SEP . "db.php")) { 
@@ -141,6 +141,10 @@ if ($force || !$bCronIsRunning) { } } } else { + if (!is_dir(PATH_DB . $ws) || !file_exists(PATH_DB . $ws . PATH_SEP . "db.php")) { + throw new Exception("Error: The workspace \"$ws\" does not exist"); + } + $cws = 1; system("php -f \"" . dirname(__FILE__) . PATH_SEP . "cron_single.php\" $ws \"$sDate\" \"$dateSystem\" $argsx", $retval); diff --git a/workflow/engine/bin/messageeventcron.php b/workflow/engine/bin/messageeventcron.php index e8d1d9a50..4d884768d 100644 --- a/workflow/engine/bin/messageeventcron.php +++ b/workflow/engine/bin/messageeventcron.php @@ -114,6 +114,10 @@ try { } } } else { + if (!is_dir(PATH_DB . $workspace) || !file_exists(PATH_DB . $workspace . PATH_SEP . "db.php")) { + throw new Exception("Error: The workspace \"$workspace\" does not exist"); + } + $countw++; passthru("php -f \"$messageEventCronSinglePath\" $workspace \"" . base64_encode(PATH_HOME) . "\" \"" . base64_encode(PATH_TRUNK) . "\" \"" . base64_encode(PATH_OUTTRUNK) . "\""); From 1a8c76daba6df611e8c58e6410a75398196cb768 Mon Sep 17 00:00:00 2001 From: Brayan Pereyra Date: Fri, 24 Apr 2015 14:17:17 -0400 Subject: [PATCH 25/35] PM-2344 Adicion de validacion al momento de borrar un caso --- .../engine/methods/cases/casesListExtJs.php | 6 ++++++ .../src/ProcessMaker/BusinessModel/Cases.php | 20 ++++++++++++++++++- .../src/ProcessMaker/Services/Api/Cases.php | 3 ++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/workflow/engine/methods/cases/casesListExtJs.php b/workflow/engine/methods/cases/casesListExtJs.php index 7d86cf9b0..48e7560e3 100755 --- a/workflow/engine/methods/cases/casesListExtJs.php +++ b/workflow/engine/methods/cases/casesListExtJs.php 
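Review bot: The added existence check confirms that `$ws` names a workspace directory, but the next line still interpolates `$ws` unquoted into the `system()` command string, and `$workspace` is used the same way in the `passthru()` call in messageeventcron.php. Since `$ws` appears to come from the command-line arguments (its assignment is outside the hunk), restrict it to a workspace-name pattern before use, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $ws)) { throw new Exception("Error: Invalid workspace name \"$ws\""); }`, or pass it through `escapeshellarg()` when the command is built. In messageeventcron.php the hunk sits inside a `try {` block; in cron.php it is not visible whether the new Exception is caught, so the run may end with an uncaught-exception trace instead of the intended message. Both enclosing blocks start outside the hunk.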
@@ -42,6 +42,12 @@ switch ($action) { $urlProxy = 'proxyCasesList'; $action = 'unassigned'; break; + case 'to_revise': + $urlProxy = 'proxyCasesList'; + break; + case 'to_reassign': + $urlProxy = 'proxyCasesList'; + break; } /*----------------------------------********---------------------------------*/ diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php index 60f790ddf..56a1ac627 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php @@ -861,15 +861,33 @@ class Cases * * @access public * @param string $app_uid, Uid for case + * @param string $usr_uid, Uid user * @return array * * @author Brayan Pereyra (Cochalo) * @copyright Colosa - Bolivia */ - public function deleteCase($app_uid) + public function deleteCase($app_uid, $usr_uid) { Validator::isString($app_uid, '$app_uid'); Validator::appUid($app_uid, '$app_uid'); + + $criteria = new \Criteria(); + $criteria->addSelectColumn( \ApplicationPeer::APP_STATUS ); + $criteria->addSelectColumn( \ApplicationPeer::APP_INIT_USER ); + $criteria->add( \ApplicationPeer::APP_UID, $app_uid, \Criteria::EQUAL ); + $dataset = \ApplicationPeer::doSelectRS($criteria); + $dataset->setFetchmode(\ResultSet::FETCHMODE_ASSOC); + $dataset->next(); + $aRow = $dataset->getRow(); + if ($aRow['APP_STATUS'] != 'DRAFT') { + throw (new \Exception(\G::LoadTranslation("ID_DELETE_CASE_NO_STATUS"))); + } + + if ($aRow['APP_INIT_USER'] != $usr_uid) { + throw (new \Exception(\G::LoadTranslation("ID_DELETE_CASE_NO_OWNER"))); + } + $case = new \Cases(); $case->removeCase( $app_uid ); } diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php index 00c92a0f6..6a65fc7b4 100644 --- a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php +++ b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php 
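Review bot: The two new cases carry identical bodies; stacking them, `case 'to_revise': case 'to_reassign': $urlProxy = 'proxyCasesList'; break;`, keeps the mapping readable as more list types are added. Unlike the `unassigned` case above, neither new case assigns `$action`; if that is intentional, a short comment saying `$action` is passed through unchanged would help. The switch starts before the hunk.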
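Review bot: `$dataset->next()` is called without checking its return value, so when no Application row matches `$app_uid` `getRow()` yields nothing and the code falls into the `ID_DELETE_CASE_NO_STATUS` branch with an array-offset notice instead of a clear not-found error; guard it with `if (!$dataset->next()) { throw new \Exception(...); }` (Validator::appUid may already cover existence — confirm). `$usr_uid` is a new required parameter but is not validated the way `$app_uid` is; add `Validator::isString($usr_uid, '$usr_uid');` and use `!==` for both comparisons. Adding a required parameter to a public method breaks any caller other than the API hunk below, and a docblock `@throws \Exception` describing the DRAFT and owner conditions would tell callers what to expect.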
@@ -809,8 +809,9 @@ class Cases extends Api public function doDeleteCase($cas_uid) { try { + $usr_uid = $this->getUserId(); $cases = new \ProcessMaker\BusinessModel\Cases(); - $cases->deleteCase($cas_uid); + $cases->deleteCase($cas_uid, $usr_uid); } catch (\Exception $e) { throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); } From d9b1c9b019a301a52c9634cfd6ff89cfae2a93b4 Mon Sep 17 00:00:00 2001 From: "marcelo.cuiza" Date: Fri, 24 Apr 2015 14:34:06 -0400 Subject: [PATCH 26/35] PM-2316 Admin>Settings>Users: En Grupos y Departamentos al querer crear con espacios en blanco no despliega mensaje de campos requerido se aumento validacion y mensaje --- workflow/engine/templates/departments/departmentList.js | 5 +++++ workflow/engine/templates/groups/groupsList.js | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/workflow/engine/templates/departments/departmentList.js b/workflow/engine/templates/departments/departmentList.js index 1d39938e4..a1e21b5ea 100755 --- a/workflow/engine/templates/departments/departmentList.js +++ b/workflow/engine/templates/departments/departmentList.js @@ -317,6 +317,11 @@ CloseWindow = function(){ Ext.getCmp('w').hide(); }; SaveNewDepartment = function(){ + if( newForm.getForm().findField('dep_name').getValue().trim() == "") { + Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_REQUIRED", _("ID_DEPARTMENT_NAME"))); + newForm.getForm().findField('dep_name').setValue(""); + return false; + } waitLoading.show(); var dep_node = Ext.getCmp('treePanel').getSelectionModel().getSelectedNode(); if (dep_node) dep_node.unselect(); diff --git a/workflow/engine/templates/groups/groupsList.js b/workflow/engine/templates/groups/groupsList.js index 2844375d7..1b38439bc 100755 --- a/workflow/engine/templates/groups/groupsList.js +++ b/workflow/engine/templates/groups/groupsList.js 
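Review bot: The required-field check is a client-side convenience only; the server-side create handler must reject blank names as well, since a direct request bypasses this code — not visible here whether it does. `getValue().trim() == ""` uses loose equality and relies on `String.prototype.trim`, which older IE versions lack natively (Ext may provide it — confirm for the supported browsers); `=== ""` is the safer comparison. The same block appears in groupsList.js in the next hunk, where the `else` around `setDisabled(true)` is redundant after the early `return false`. Both enclosing functions extend past their hunks.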
@@ -182,7 +182,13 @@ Ext.onReady(function(){ text: _("ID_SAVE"), handler: function (btn, ev) { - Ext.getCmp("btnCreateSave").setDisabled(true); + if( newForm.getForm().findField('name').getValue().trim() == "") { + Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_REQUIRED", _("ID_GROUP_NAME"))); + newForm.getForm().findField('name').setValue(""); + return false; + } else { + Ext.getCmp("btnCreateSave").setDisabled(true); + } SaveNewGroupAction(); } From ebb2c4534d308a1d311a758174f8d5cf3a77d950 Mon Sep 17 00:00:00 2001 From: rodrigo quelca Date: Fri, 24 Apr 2015 15:47:37 -0400 Subject: [PATCH 27/35] =?UTF-8?q?PM-2384=20Al=20importar=20un=20proceso=20?= =?UTF-8?q?que=20contiene=20elementos=20no=20soportados=20en=20IE=20se=20a?= =?UTF-8?q?bre=20en=20el=20mismo=20dise=C3=B1ador?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- workflow/engine/templates/processes/main.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/workflow/engine/templates/processes/main.js b/workflow/engine/templates/processes/main.js index ef7e95f59..81afbfe15 100755 --- a/workflow/engine/templates/processes/main.js +++ b/workflow/engine/templates/processes/main.js @@ -1402,7 +1402,11 @@ importProcessBpmnSubmit = function () { return; } Ext.getCmp('importProcessWindow').close(); - window.location.href = "../designer?prj_uid=" + resp_.prj_uid; + if (typeof(importProcessGlobal.processFileType) != "undefined" && importProcessGlobal.processFileType == "bpmn") { + openWindowIfIE("../designer?prj_uid=" + resp_.prj_uid); + } else { + window.location.href = "processes_Map?PRO_UID=" + resp_.prj_uid; + } }, failure: function (o, resp) { Ext.getCmp('importProcessWindow').close(); From 3e0fba2d2d445bb46e87624712384705e9905148 Mon Sep 17 00:00:00 2001 
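Review bot: `resp_.prj_uid` is concatenated into both navigation URLs without encoding; `encodeURIComponent(resp_.prj_uid)` keeps a value that is not a plain identifier from altering the query string. `typeof(importProcessGlobal.processFileType) != "undefined"` can be reduced to `importProcessGlobal.processFileType === "bpmn"`, since comparing an undefined value against the string is already false. `openWindowIfIE` and `importProcessGlobal` are defined outside the hunk.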
From: Brayan Pereyra Date: Fri, 24 Apr 2015 16:18:07 -0400 Subject: [PATCH 28/35] PM-2263 Se corregio el almacenado de un start event sin task --- .../src/ProcessMaker/Project/Adapter/BpmnWorkflow.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/workflow/engine/src/ProcessMaker/Project/Adapter/BpmnWorkflow.php b/workflow/engine/src/ProcessMaker/Project/Adapter/BpmnWorkflow.php index 0235e922c..cefb56f9f 100755 --- a/workflow/engine/src/ProcessMaker/Project/Adapter/BpmnWorkflow.php +++ b/workflow/engine/src/ProcessMaker/Project/Adapter/BpmnWorkflow.php @@ -497,7 +497,10 @@ class BpmnWorkflow extends Project\Bpmn //Setting as start Task //or //Remove as start Task - $this->wp->setStartTask($arrayFlowData["FLO_ELEMENT_DEST"], $flagStartTask); + $bwp = new self; + if ($bwp->getActivity($arrayFlowData["FLO_ELEMENT_DEST"])) { + $this->wp->setStartTask($arrayFlowData["FLO_ELEMENT_DEST"], $flagStartTask); + } break; } } @@ -1384,6 +1387,10 @@ class BpmnWorkflow extends Project\Bpmn $activity = $bwp->getActivity($activityData["ACT_UID"]); + if ($activity["BOU_CONTAINER"] != $activityData["BOU_CONTAINER"]) { + $activity = null; + } + if ($forceInsert || is_null($activity)) { if ($generateUid) { //Generate and update UID From 093f1079a57b836253bbdfb3ea90605c39cc0207 Mon Sep 17 00:00:00 2001 From: "Paula V. Quispe" Date: Fri, 24 Apr 2015 19:59:53 -0400 Subject: [PATCH 29/35] I solved some observations --- gulliver/system/class.bootstrap.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php index 5b8de974d..367304ecb 100644 --- a/gulliver/system/class.bootstrap.php +++ b/gulliver/system/class.bootstrap.php @@ -1273,7 +1273,7 @@ class Bootstrap $checkSum = ''; foreach ($files as $file) { if (is_file($file)) { - $checkSum .= G::encryptFileOld($file); + $checkSum .= Bootstrap::encryptFileOld($file); } } return Bootstrap::encryptOld($checkSum . $key); 
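Review bot: In the second hunk `$activity["BOU_CONTAINER"]` is read before `$activity` is known to be an array; when `getActivity()` returns null (the case the following `is_null($activity)` branch handles) this indexes null, and `$activityData["BOU_CONTAINER"]` may be unset for callers that pass no container. Guard it: `if (!is_null($activity) && isset($activityData["BOU_CONTAINER"]) && $activity["BOU_CONTAINER"] != $activityData["BOU_CONTAINER"]) {`. In the first hunk `new self` is instantiated only to call `getActivity()`; if `$this->getActivity()` would not work because the current instance lacks some state, a one-line comment saying so would save the next reader the question. Both enclosing methods extend past the hunks.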
From 34dd15070a14f1f9d607c9ad0388dfa88377883f Mon Sep 17 00:00:00 2001 From: "Paula V. Quispe" Date: Fri, 24 Apr 2015 20:13:02 -0400 Subject: [PATCH 30/35] PM-2378: I deleted the requerid field in licenseExpired --- workflow/engine/xmlform/login/licenseExpiredpm3.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow/engine/xmlform/login/licenseExpiredpm3.html b/workflow/engine/xmlform/login/licenseExpiredpm3.html index 2f57e2d0f..3f5531645 100644 --- a/workflow/engine/xmlform/login/licenseExpiredpm3.html +++ b/workflow/engine/xmlform/login/licenseExpiredpm3.html @@ -16,7 +16,7 @@ {$form.updateButton} -
* Required Field
+