fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Gustavo Cruz
2015-03-19 12:51:23 -04:00
parent d1ea4faf95 cc60afe9b0
commit e26da50743
49 changed files with 446 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
gulliver/bin/tasks/pakeGulliver.php
View File

@@ -920,6 +920,8 @@ function run_create_poedit_file($task, $args) {
G::LoadSystem('xmlform'); G::LoadSystem('xmlform');
G::LoadSystem('xmlformExtension'); G::LoadSystem('xmlformExtension');
G::LoadSystem('form'); G::LoadSystem('form');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$langIdOut = $langId; //the output language, later we'll include the country too. $langIdOut = $langId; //the output language, later we'll include the country too.
$exceptionFields = array ( $exceptionFields = array (
@@ -993,18 +995,25 @@ function run_create_poedit_file($task, $args) {
} }
else { else {
$xmlfile = $filter->xssFilterHard($xmlfile);
$exceptionFields = $filter->xssFilterHard($exceptionFields);
if( is_object($node) && ! in_array($node->type, $exceptionFields) ) { if( is_object($node) && ! in_array($node->type, $exceptionFields) ) {
if( isset($node->value) && strpos($node->value, 'G::LoadTranslation') !== false ) { if( isset($node->value) && strpos($node->value, 'G::LoadTranslation') !== false ) {
$exceptIndex ++; $exceptIndex ++;
//print ($node->value); //print ($node->value);
} else { } else {
$node->name = $filter->xssFilterHard($node->name);
$node->type = $filter->xssFilterHard($node->type);
printf("Error: xmlform %s has no english definition for %s [%s]\n", pakeColor::colorize($xmlfile, 'ERROR'), pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($node->type, 'INFO')); printf("Error: xmlform %s has no english definition for %s [%s]\n", pakeColor::colorize($xmlfile, 'ERROR'), pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($node->type, 'INFO'));
$xmlError ++; $xmlError ++;
} }
} else { } else {
$exceptIndex ++; $exceptIndex ++;
if( $verboseFlag ) if( $verboseFlag ){
$node->name = $filter->xssFilterHard($node->name);
$node->type = $filter->xssFilterHard($node->type);
printf("%s %s in %s\n", $node->type, pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($xmlfile, 'INFO')); printf("%s %s in %s\n", $node->type, pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($xmlfile, 'INFO'));
}
} }
} }
} }

2
gulliver/js/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css vendored
View File

@@ -4,7 +4,7 @@
.clearlooks2, .clearlooks2 div, .clearlooks2 span, .clearlooks2 a {vertical-align:baseline; text-align:left; position:absolute; border:0; padding:0; margin:0; background:transparent; font-family:Arial,Verdana; font-size:11px; color:#000; text-decoration:none; font-weight:normal; width:auto; height:auto; overflow:hidden; display:block} .clearlooks2, .clearlooks2 div, .clearlooks2 span, .clearlooks2 a {vertical-align:baseline; text-align:left; position:absolute; border:0; padding:0; margin:0; background:transparent; font-family:Arial,Verdana; font-size:11px; color:#000; text-decoration:none; font-weight:normal; width:auto; height:auto; overflow:hidden; display:block}
/* General */ /* General */
.clearlooks2 {position:absolute; direction:ltr} .clearlooks2 {position:fixed !important; direction:ltr; top:20px !important;height:552px !important;}
.clearlooks2 .mceWrapper {position:static} .clearlooks2 .mceWrapper {position:static}
.mceEventBlocker {position:fixed; left:0; top:0; background:url(img/horizontal.gif) no-repeat 0 -75px; width:100%; height:100%} .mceEventBlocker {position:fixed; left:0; top:0; background:url(img/horizontal.gif) no-repeat 0 -75px; width:100%; height:100%}
.clearlooks2 .mcePlaceHolder {border:1px solid #000; background:#888; top:0; left:0; opacity:0.5; -ms-filter:'alpha(opacity=50)'; filter:alpha(opacity=50)} .clearlooks2 .mcePlaceHolder {border:1px solid #000; background:#888; top:0; left:0; opacity:0.5; -ms-filter:'alpha(opacity=50)'; filter:alpha(opacity=50)}

2
gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/js/source_editor.js vendored
View File

@@ -73,6 +73,6 @@ function resizeInputs() {
if (el) { if (el) {
el.style.width = (vp.w - 20) + 'px'; el.style.width = (vp.w - 20) + 'px';
el.style.height = (vp.h - 65) + 'px'; el.style.height = (vp.h - 122) + 'px';
} }
} }

8
gulliver/methods/controls/calendar.php
View File

@@ -25,6 +25,9 @@
td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;} td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;}
</style> </style>
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June", $ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June",
"July", "August", "September", "October", "November", "December"); "July", "August", "September", "October", "November", "December");
@@ -108,6 +111,11 @@
$end_date = mktime ( 0,0,0, $dt_currentMonth+1, + $i, $dt_currentYear ) ; $end_date = mktime ( 0,0,0, $dt_currentMonth+1, + $i, $dt_currentYear ) ;
} }
$numWeeks = ( $end_date - $start_date )/3600/24/7 ; $numWeeks = ( $end_date - $start_date )/3600/24/7 ;
$dtmin_value = $filter->xssFilterHard($dtmin_value);
$dtmax_value = $filter->xssFilterHard($dtmax_value);
$dt_currentYear = $filter->xssFilterHard($dt_currentYear);
$dt_currentMonth = $filter->xssFilterHard($dt_currentMonth);
//print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value "; //print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value ";
?> ?>

6
gulliver/system/class.dbconnection.php
View File

@@ -186,6 +186,10 @@ class DBConnection
{ {
global $_SESSION; global $_SESSION;
global $_SERVER; global $_SERVER;
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER = $filter->xssFilterHard($_SERVER);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (is_null( $errorLevel )) if (is_null( $errorLevel ))
if (isset( $this->errorLevel )) { if (isset( $this->errorLevel )) {
$errorLevel = $this->errorLevel; $errorLevel = $this->errorLevel;
@@ -207,7 +211,7 @@ class DBConnection
print "</textarea></td></tr></table>"; print "</textarea></td></tr></table>";
} }
//G::setErrorHandler ( ); //G::setErrorHandler ( );
G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' ); //G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
if ($errorLevel == DB_ERROR_SHOW_AND_STOP || $errorLevel == DB_ERROR_SHOWALL_AND_STOP) { if ($errorLevel == DB_ERROR_SHOW_AND_STOP || $errorLevel == DB_ERROR_SHOWALL_AND_STOP) {
die(); //stop die(); //stop
} }

13
gulliver/system/class.g.php
View File

@@ -1073,6 +1073,12 @@ class G
*/ */
public static function streamFile ($file, $download = false, $downloadFileName = '') public static function streamFile ($file, $download = false, $downloadFileName = '')
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$file = $filter->xssFilterHard($file);
if(isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = $filter->xssFilterHard($_SERVER['REQUEST_URI'],"url");
}
require_once (PATH_THIRDPARTY . 'jsmin/jsmin.php'); require_once (PATH_THIRDPARTY . 'jsmin/jsmin.php');
$folderarray = explode( '/', $file ); $folderarray = explode( '/', $file );
$typearray = explode( '.', basename( $file ) ); $typearray = explode( '.', basename( $file ) );
@@ -1081,8 +1087,11 @@ class G
//trick to generate the translation.language.js file , merging two files //trick to generate the translation.language.js file , merging two files
if (strtolower( $typefile ) == 'js' && $typearray[0] == 'translation') { if (strtolower( $typefile ) == 'js' && $typearray[0] == 'translation') {
$download = $filter->xssFilterHard($download);
$downloadFileName = $filter->xssFilterHard($downloadFileName);
G::sendHeaders( $filename, 'text/javascript', $download, $downloadFileName ); G::sendHeaders( $filename, 'text/javascript', $download, $downloadFileName );
$output = G::streamJSTranslationFile( $filename, $typearray[1] ); $output = G::streamJSTranslationFile( $filename, $typearray[1] );
$output = $filter->xssFilterHard($output);
print $output; print $output;
return; return;
} }
@@ -1091,6 +1100,7 @@ class G
if (strtolower( $typefile ) == 'css' && $folderarray[count( $folderarray ) - 2] == 'css') { if (strtolower( $typefile ) == 'css' && $folderarray[count( $folderarray ) - 2] == 'css') {
G::sendHeaders( $filename, 'text/css', $download, $downloadFileName ); G::sendHeaders( $filename, 'text/css', $download, $downloadFileName );
$output = G::streamCSSBigFile( $typearray[0] ); $output = G::streamCSSBigFile( $typearray[0] );
$output = $filter->xssFilterHard($output);
print $output; print $output;
return; return;
} }
@@ -3140,6 +3150,9 @@ class G
*/ */
public function pr ($var) public function pr ($var)
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$var = $filter->xssFilterHard($var);
print ("<pre>") ; print ("<pre>") ;
print_r( $var ); print_r( $var );
print ("</pre>") ; print ("</pre>") ;

4
workflow/engine/classes/class.processMap.php
View File

@@ -2356,7 +2356,11 @@ class processMap
$G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER'))); $G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER')));
G::RenderPage('publish'); G::RenderPage('publish');
//return true; */ //return true; */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$schedulerPath = SYS_URI . "cases/cases_Scheduler_List"; $schedulerPath = SYS_URI . "cases/cases_Scheduler_List";
$schedulerPath = $filter->xssFilterHard($schedulerPath);
$sProcessUID = $filter->xssFilterHard($sProcessUID);
$html = "<iframe WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>"; $html = "<iframe WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>";
echo $html; echo $html;
} catch (Exception $oError) { } catch (Exception $oError) {

19
workflow/engine/classes/class.propelTable.php
View File

@@ -559,7 +559,13 @@ class propelTable
* @return string * @return string
*/ */
public function renderTable ($block = '', $fields = '') public function renderTable ($block = '', $fields = '')
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$fields = $filter->xssFilterHard($fields);
$this->orderBy = $filter->xssFilterHard($this->orderBy);
$this->currentPage = $filter->xssFilterHard($this->currentPage);
//Render Title //Render Title
$thereisnotitle = true; $thereisnotitle = true;
foreach ($this->fields as $r => $rval) { foreach ($this->fields as $r => $rval) {
@@ -603,6 +609,11 @@ class propelTable
$this->tpl->assign( 'pagedTable_Name', $this->name ); $this->tpl->assign( 'pagedTable_Name', $this->name );
$this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height ); $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
$this->tpl->assign( "title", $this->title ); $this->tpl->assign( "title", $this->title );
$this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
$this->filterForm = $filter->xssFilterHard($this->filterForm);
$this->menu = $filter->xssFilterHard($this->menu);
if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) { if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
$filterForm = new filterForm( $this->filterForm, $this->xmlForm->home ); $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
if ($this->menu === '') { if ($this->menu === '') {
@@ -839,6 +850,12 @@ class propelTable
} }
$this->tpl->assign( "pagesEnum", $pagesEnum ); $this->tpl->assign( "pagesEnum", $pagesEnum );
} }
$this->name = $filter->xssFilterHard($this->name);
$this->orderBy = $filter->xssFilterHard($this->orderBy);
$this->currentPage = $filter->xssFilterHard($this->currentPage);
$this->id = $filter->xssFilterHard($this->id);
?> ?>
<script language='JavaScript'> <script language='JavaScript'>

6
workflow/engine/classes/class.webdav.php
View File

@@ -967,11 +967,15 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
*/ */
public function checkLock($path) public function checkLock($path)
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$path = $filter->validateInput($path, 'nosql');
$result = false; $result = false;
$query = "SELECT owner, token, expires, exclusivelock $query = "SELECT owner, token, expires, exclusivelock
FROM locks FROM locks
WHERE path = '$path' "; WHERE path = '%s' ";
$query = $filter->preventSqlInjection($query, array($path));
$res = mysql_query($query); $res = mysql_query($query);
if ($res) { if ($res) {

4
workflow/engine/classes/model/AdditionalTables.php
View File

@@ -446,11 +446,11 @@ class AdditionalTables extends BaseAdditionalTables
eval('$count = ' . $sClassPeerName . '::doCount($oCriteria);'); eval('$count = ' . $sClassPeerName . '::doCount($oCriteria);');
} }
G::LoadSystem('inputfilter'); G::LoadSystem('inputfilter');
$filter = new InputFilter(); $filter = new InputFilter();
$sort = $filter->validateInput($_POST['sort']);
$sClassPeerName = $filter->validateInput($sClassPeerName); $sClassPeerName = $filter->validateInput($sClassPeerName);
if (isset($_POST['sort'])) { if (isset($_POST['sort'])) {
$_POST['sort'] = $filter->validateInput($_POST['sort']);
if ($_POST['dir'] == 'ASC') { if ($_POST['dir'] == 'ASC') {
if ($keyOrderUppercase) { if ($keyOrderUppercase) {
eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");'); eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");');

16
workflow/engine/controllers/adminProxy.php
View File

@@ -1009,6 +1009,12 @@ class adminProxy extends HttpProxyController
public function uploadImage() public function uploadImage()
{ {
//!dataSystem //!dataSystem
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER["REQUEST_URI"] = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
$_FILES = $filter->xssFilterHard($_FILES);
$ainfoSite = explode("/", $_SERVER["REQUEST_URI"]); $ainfoSite = explode("/", $_SERVER["REQUEST_URI"]);
$dir = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos"; $dir = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos";
global $_FILES; global $_FILES;
@@ -1035,8 +1041,10 @@ class adminProxy extends HttpProxyController
$uploaded = 0; $uploaded = 0;
$failed = 0; $failed = 0;
$files_img_type = $filter->xssFilterHard($_FILES['img']['type']);
if (in_array($_FILES['img']['type'], $allowedType)) { if (in_array($files_img_type, $allowedType)) {
// max upload file is 500 KB // max upload file is 500 KB
if ($_FILES['img']['size'] <= 500000) { if ($_FILES['img']['size'] <= 500000) {
$formf = $_FILES['img']; $formf = $_FILES['img'];
@@ -1055,7 +1063,7 @@ class adminProxy extends HttpProxyController
$arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName); $arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName);
$typeMime = $arrayInfo[2]; $typeMime = $arrayInfo[2];
} }
if ($typeMime == $allowedTypeArray['index' . base64_encode($_FILES['img']['type'])]) { if ($typeMime == $allowedTypeArray['index' . base64_encode($files_img_type)]) {
$error = false; $error = false;
try { try {
list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName); list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName);
@@ -1075,10 +1083,10 @@ class adminProxy extends HttpProxyController
} else { } else {
$failed = "2"; $failed = "2";
} }
} elseif ($_FILES['img']['type'] != '') { } elseif ($files_img_type != '') {
$failed = "1"; $failed = "1";
} }
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $_FILES['img']['type'] . '"}'; echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
exit(); exit();
} }

42
workflow/engine/controllers/installer.php
View File

@@ -433,6 +433,9 @@ class Installer extends Controller
*/ */
public function mysqlQuery ($sql) public function mysqlQuery ($sql)
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$sql = $filter->preventSqlInjection($sql, Array());
$this->installLog( $sql ); $this->installLog( $sql );
$query = @mysql_query( $sql, $this->link ); $query = @mysql_query( $sql, $this->link );
if (! $query) { if (! $query) {
@@ -450,6 +453,9 @@ class Installer extends Controller
*/ */
public function mssqlQuery ($sql) public function mssqlQuery ($sql)
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$sql = $filter->preventSqlInjection($sql, Array());
$this->installLog( $sql ); $this->installLog( $sql );
$query = @mssql_query( $sql, $this->link ); $query = @mssql_query( $sql, $this->link );
if (! $query) { if (! $query) {
@@ -587,9 +593,13 @@ class Installer extends Controller
*/ */
public function setGrantPrivilegesMySQL ($psUser, $psPassword, $psDatabase, $host) public function setGrantPrivilegesMySQL ($psUser, $psPassword, $psDatabase, $host)
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$host = ($host == 'localhost' || $host == '127.0.0.1' ? 'localhost' : '%'); $host = ($host == 'localhost' || $host == '127.0.0.1' ? 'localhost' : '%');
$sql = sprintf( "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION", $psDatabase, $psUser, $host, $psPassword ); $query = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION";
$sql = sprintf( $query, $psDatabase, $psUser, $host, $psPassword );
$sql = $filter->preventSqlInjection($query, array($psDatabase, $psUser, $host, $psPassword ));
$query = @mysql_query( $sql, $this->link ); $query = @mysql_query( $sql, $this->link );
if (! $query) { if (! $query) {
@@ -1201,25 +1211,39 @@ class Installer extends Controller
public function checkDatabases () public function checkDatabases ()
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$this->setResponseType( 'json' ); $this->setResponseType( 'json' );
$info = new stdclass(); $info = new stdclass();
if ($_REQUEST['db_engine'] == 'mysql') { if ($_REQUEST['db_engine'] == 'mysql') {
$link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mysql_query( "show databases like '" . $_REQUEST['wfDatabase'] . "'", $link ); $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "show databases like '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mysql_query( $query, $link );
$info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'mssql') { } else if ($_REQUEST['db_engine'] == 'mssql') {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link ); $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'sqlsrv') { } else if ($_REQUEST['db_engine'] == 'sqlsrv') {
$arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']); $arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']);
$link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments); $link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments);
$dataset = @sqlsrv_query( $link, "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'"); $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @sqlsrv_query( $link, $query );
$info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0);
} else { } else {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] ); $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link ); $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0); $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
} }
@@ -1234,6 +1258,8 @@ class Installer extends Controller
private function testMySQLconnection () private function testMySQLconnection ()
{ {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$info = new StdClass(); $info = new StdClass();
$info->result = false; $info->result = false;
$info->message = ''; $info->message = '';
@@ -1257,7 +1283,11 @@ class Installer extends Controller
$info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG'); $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG');
return $info; return $info;
} }
$res = @mysql_query( "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'$db_username'@'$db_hostname'\" OR GRANTEE = \"'$db_username'@'%'\") ", $link ); $db_username = $filter->validateInput($db_username, 'nosql');
$db_hostname = $filter->validateInput($db_hostname, 'nosql');
$query = "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'%s'@'%s'\" OR GRANTEE = \"'%s'@'%'\") ";
$query = $filter->preventSqlInjection($query, array($db_username, $db_hostname, $db_username));
$res = @mysql_query( $query, $link );
$row = @mysql_fetch_array( $res ); $row = @mysql_fetch_array( $res );
$hasSuper = is_array( $row ); $hasSuper = is_array( $row );
@mysql_free_result( $res ); @mysql_free_result( $res );

5
workflow/engine/methods/appFolder/appFolderAjax.php
View File

@@ -1,4 +1,9 @@
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset ($_SESSION ['USER_LOGGED'])) { if (! isset ($_SESSION ['USER_LOGGED'])) {
$res ['success'] = false; $res ['success'] = false;
$res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN'); $res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');

6
workflow/engine/methods/cases/ajaxListener.php
View File

@@ -33,6 +33,12 @@
//require_once 'classes/model/AppDelay.php'; //require_once 'classes/model/AppDelay.php';
//require_once 'classes/model/Process.php'; //require_once 'classes/model/Process.php';
//require_once 'classes/model/Task.php'; //require_once 'classes/model/Task.php';
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_POST = $filter->xssFilterHard($_POST);
if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) { if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
if (!isset($_SESSION['USER_LOGGED'])) { if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass(); $response = new stdclass();

8
workflow/engine/methods/cases/caseMessageHistory_Ajax.php
View File

@@ -21,6 +21,10 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd., * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$arrayToTranslation = array( $arrayToTranslation = array(
"TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"), "TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == 'messageHistoryGridList_JXP') { if ($actionAjax == 'messageHistoryGridList_JXP') {
if (!isset($_REQUEST['start'])) { if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
$_REQUEST['start'] = 0; $_REQUEST['start'] = 0;
} }
if (!isset($_REQUEST['limit'])) { if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
$_REQUEST['limit'] = 20; $_REQUEST['limit'] = 20;
} }

7
workflow/engine/methods/cases/casesHistoryDynaformPage_Ajax.php
View File

@@ -21,6 +21,13 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd., * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null; $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;

1
workflow/engine/methods/cases/casesListExtJs.php
View File

@@ -213,7 +213,6 @@ $menuPerms = $menuPerms . ($RBAC->userCanAccess( 'PM_REASSIGNCASE' ) == 1) ? 'R'
$oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions $oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions
G::LoadClass( 'configuration' ); G::LoadClass( 'configuration' );
$c = new Configurations(); $c = new Configurations();
//$oHeadPublisher->addExtJsScript('cases/caseUtils', true); //$oHeadPublisher->addExtJsScript('cases/caseUtils', true);
$oHeadPublisher->addExtJsScript( 'app/main', true ); $oHeadPublisher->addExtJsScript( 'app/main', true );
$oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js $oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js

6
workflow/engine/methods/cases/casesList_Ajax.php
View File

@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/AppDelay.php");*/ require_once ("classes/model/AppDelay.php");*/
G::LoadClass( 'case' ); G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null; $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
function filterUserListArray($users = array(), $filter = '') function filterUserListArray($users = array(), $filter = '')

4
workflow/engine/methods/cases/casesStreamingFile.php
View File

@@ -24,8 +24,8 @@ if ($actionAjax == "streaming") {
$file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid); $file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid);
$realPath = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext; $realPath = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '.' . $ext; $realPath1 = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '.' . $ext;
if (file_exists( $realPath )) { if (file_exists( $realPath )) {
$finfo = finfo_open(FILEINFO_MIME_TYPE); $finfo = finfo_open(FILEINFO_MIME_TYPE);

19
workflow/engine/methods/cases/cases_Ajax.php
View File

@@ -1,4 +1,11 @@
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (!isset($_SESSION['USER_LOGGED'])) { if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass(); $response = new stdclass();
$response->message = G::LoadTranslation('ID_LOGIN_AGAIN'); $response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
G::RenderPage( 'publish', 'raw' ); G::RenderPage( 'publish', 'raw' );
break; break;
case 'showUsers': case 'showUsers':
$_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
switch ($_POST['TAS_ASSIGN_TYPE']) { switch ($_POST['TAS_ASSIGN_TYPE']) {
// switch verify $_POST['TAS_ASSIGN_TYPE'] // switch verify $_POST['TAS_ASSIGN_TYPE']
case 'BALANCED': case 'BALANCED':
$_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
G::LoadClass( 'user' ); G::LoadClass( 'user' );
$oUser = new User( new DBConnection() ); $oUser = new User( new DBConnection() );
$oUser->load( $_POST['USR_UID'] ); $oUser->load( $_POST['USR_UID'] );
$oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
$oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">'; echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
break; break;
case 'MANUAL': case 'MANUAL':
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
echo $sAux; echo $sAux;
break; break;
case 'EVALUATE': case 'EVALUATE':
$_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
$_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
G::LoadClass( 'application' ); G::LoadClass( 'application' );
$oApplication = new Application( new DBConnection() ); $oApplication = new Application( new DBConnection() );
$oApplication->load( $_SESSION['APPLICATION'] ); $oApplication->load( $_SESSION['APPLICATION'] );
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$oUser->load( $sUser ); $oUser->load( $sUser );
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">'; echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
} else { } else {
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' ); $ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">'; echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
} }
break; break;
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] ); $cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
break; break;
case 'toRevisePanel': case 'toRevisePanel':
$_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
$_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
$_GET['APP_UID'] = $_POST['APP_UID']; $_GET['APP_UID'] = $_POST['APP_UID'];
$_GET['DEL_INDEX'] = $_POST['DEL_INDEX']; $_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
$G_PUBLISH = new Publisher(); $G_PUBLISH = new Publisher();

8
workflow/engine/methods/cases/cases_Step.php
View File

@@ -130,7 +130,13 @@ if (isset( $oProcessFieds['PRO_DEBUG'] ) && $oProcessFieds['PRO_DEBUG']) {
} }
//cleaning debug variables //cleaning debug variables
if (! isset( $_GET['breakpoint'] )) { $flagExecuteBeforeTriggers = !isset($_GET["breakpoint"]);
if (isset($_GET["TYPE"]) && $_GET["TYPE"] == "OUTPUT_DOCUMENT" && isset($_GET["ACTION"]) && $_GET["ACTION"] != "GENERATE") {
$flagExecuteBeforeTriggers = false;
}
if ($flagExecuteBeforeTriggers) {
if (isset( $_SESSION['TRIGGER_DEBUG']['info'] )) { if (isset( $_SESSION['TRIGGER_DEBUG']['info'] )) {
unset( $_SESSION['TRIGGER_DEBUG']['info'] ); unset( $_SESSION['TRIGGER_DEBUG']['info'] );
} }

6
workflow/engine/methods/cases/cases_StepToRevise.php
View File

@@ -23,6 +23,9 @@
*/ */
// die("first"); // die("first");
/* Permissions */ /* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) { switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2: case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die(); die();
break; break;
} }
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) { if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] ); G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die(); die();

6
workflow/engine/methods/cases/cases_StepToReviseInputs.php
View File

@@ -23,6 +23,9 @@
*/ */
//die("second"); //die("second");
/* Permissions */ /* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) { switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2: case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die(); die();
break; break;
} }
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) { if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] ); G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die(); die();

5
workflow/engine/methods/cases/cases_StepToReviseOutputs.php
View File

@@ -23,6 +23,9 @@
*/ */
/* Permissions */ /* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) { switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2: case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die(); die();
break; break;
} }
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */ /* Includes */
G::LoadClass( 'case' ); G::LoadClass( 'case' );

5
workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
View File

@@ -23,6 +23,9 @@
*/ */
/* Permissions */ /* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) { switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2: case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die(); die();
break; break;
} }
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */ /* Includes */
G::LoadClass( 'case' ); G::LoadClass( 'case' );

3
workflow/engine/methods/cases/cases_generatePMTable.php
View File

@@ -4,6 +4,9 @@
* and open the template in the editor. * and open the template in the editor.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
require_once ("classes/model/AdditionalTables.php"); require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/Fields.php"); require_once ("classes/model/Fields.php");
// passing the parameters // passing the parameters

32
workflow/engine/methods/controls/varsAjax.php
View File

@@ -22,11 +22,19 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
* *
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:''; $_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:'';
$_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:''; $_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:'';
$_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:''; $_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:'';
$_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:''; $_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:'';
$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"]);
$html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">'; $html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">';
$html .= '<div id="d_variables">'; $html .= '<div id="d_variables">';
$html .= '<table width="90%" align="center">'; $html .= '<table width="90%" align="center">';
@@ -40,24 +48,24 @@ $html .= '</tr>';
$html .= '<tr>'; $html .= '<tr>';
$html .= '<td width="50%">'; $html .= '<td width="50%">';
$html .= '<label for="type_label">'.G::LoadTranslation('ID_TINY_TYPE_VARIABLE').'</label>'; $html .= '<label for="type_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_TINY_TYPE_VARIABLE')).'</label>';
$html .= '</td>'; $html .= '</td>';
$html .= '<td width="25%">'; $html .= '<td width="25%">';
$html .= '<label for="prefix_label">'.G::LoadTranslation('ID_PREFIX').'</label>'; $html .= '<label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_PREFIX')).'</label>';
$html .= '</td>'; $html .= '</td>';
$html .= '<td width="25%">'; $html .= '<td width="25%">';
$html .= '<label for="variables_label">'.G::LoadTranslation( 'ID_SEARCH').'</label>'; $html .= '<label for="variables_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_SEARCH')).'</label>';
$html .= '</td>'; $html .= '</td>';
$html .= '</tr>'; $html .= '</tr>';
$html .= '<tr>'; $html .= '<tr>';
$html .= '<td width="25%">'; $html .= '<td width="25%">';
$html .= '<select name="type_variables" id="type_variables">'; $html .= '<select name="type_variables" id="type_variables">';
$html .= '<option value="all">'.G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' ).'</option>'; $html .= '<option value="all">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' )).'</option>';
$html .= '<option value="system">'.G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' ).'</option>'; $html .= '<option value="system">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' )).'</option>';
$html .= '<option value="process">'.G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' ).'</option>'; $html .= '<option value="process">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' )).'</option>';
$html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;'; $html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;';
$html .= '</td>'; $html .= '</td>';
@@ -79,7 +87,7 @@ $html .= '<input type="text" id="search" size="15">';
$html .= '</td>'; $html .= '</td>';
$html .= '</tr>'; $html .= '</tr>';
$html .= '<tr>'; $html .= '<tr>';
$html .= '<tr><td><label for="prefix_label">'.G::LoadTranslation( 'ID_VARIABLES' ).'</label></td></tr>'; $html .= '<tr><td><label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_VARIABLES' )).'</label></td></tr>';
$html .= '<tr>'; $html .= '<tr>';
$html .= '<td colspan="3">'; $html .= '<td colspan="3">';
@@ -114,19 +122,19 @@ $html .= '</div>';
$html .= '<br>'; $html .= '<br>';
$html .= '<table border="1" width="90%" align="center">'; $html .= '<table border="1" width="90%" align="center">';
$html .= '<tr width="40%">'; $html .= '<tr width="40%">';
$html .= '<td>'.G::LoadTranslation('ID_RESULT').'</td>'; $html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).'</td>';
$html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>'; $html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>';
$html .= '</tr>'; $html .= '</tr>';
$html .= '<tr width="60%">'; $html .= '<tr width="60%">';
$html .= '<td>'.G::LoadTranslation('ID_DESCRIPTION').'</td>'; $html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).'</td>';
$html .= '<td><span id="desc_variables">'.G::LoadTranslation('ID_SYSTEM').'</span></td>'; $html .= '<td><span id="desc_variables">'.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).'</span></td>';
$html .= '</tr>'; $html .= '</tr>';
$html .= '</table>'; $html .= '</table>';
$html .= '</div>'; $html .= '</div>';
$html .= '<br>'; $html .= '<br>';
$html .= '<table width="90%" align="center">'; $html .= '<table width="90%" align="center">';
$html .= '<tr><td>'; $html .= '<tr><td>';
$html .= '<label for="desc_prefix">*<span id="desc_prefix">' . G::LoadTranslation( 'ID_TO_STRING' ) . '</span></label>'; $html .= '<label for="desc_prefix">*<span id="desc_prefix">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TO_STRING' )).'</span></label>';
$html .= '</td></tr>'; $html .= '</td></tr>';
$html .= '</div>'; $html .= '</div>';
@@ -147,4 +155,4 @@ if (isset($_REQUEST['displayOption'])) {
echo $html; echo $html;
G::RenderPage( 'publish', $display ); G::RenderPage( 'publish', $display );

10
workflow/engine/methods/dynaforms/dynaforms_Editor.php
View File

@@ -21,6 +21,12 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd., * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) { if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
return $RBAC_Response; return $RBAC_Response;
} }
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
$G_ID_MENU_SELECTED = 'PROCESSES'; $G_ID_MENU_SELECTED = 'PROCESSES';
$G_ID_SUB_MENU_SELECTED = 'FIELDS'; $G_ID_SUB_MENU_SELECTED = 'FIELDS';
$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
$PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0'; $PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
$DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0'; $DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
$_SESSION['PROCESS'] = $_GET['PRO_UID']; $_SESSION['PROCESS'] = $_GET['PRO_UID'];
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
$process->load( $PRO_UID ); $process->load( $PRO_UID );
} else { } else {
//TODO //TODO
$PRO_UID = $filter->xssFilterHard($PRO_UID);
print ("$PRO_UID doesn't exist, continue? yes") ; print ("$PRO_UID doesn't exist, continue? yes") ;
} }

14
workflow/engine/methods/outputdocs/outputdocs_Ajax.php
View File

@@ -1,4 +1,7 @@
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :''; $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';
@@ -9,6 +12,7 @@ if ($action == '') {
switch ($action) { switch ($action) {
case 'setTemplateFile': case 'setTemplateFile':
$_FILES = $filter->xssFilterHard($_FILES);
//print_r($_FILES); //print_r($_FILES);
$_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name']; $_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
// file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name'])); // file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
@@ -21,6 +25,7 @@ switch ($action) {
break; break;
case 'getTemplateFile': case 'getTemplateFile':
$_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
$aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp" $aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
); );
$sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] ); $sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
$searchPos = strpos( $strRev, '.' ); $searchPos = strpos( $strRev, '.' );
$pos = (strlen( $sFileName ) - 1) - $searchPos; $pos = (strlen( $sFileName ) - 1) - $searchPos;
$sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) ); $sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
if (! in_array( $sExtension, $aExtensions )) if (! in_array( $sExtension, $aExtensions )) {
echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] ); $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
$content = $filter->xssFilterHard($content);
echo $content;
}
break; break;
case 'loadTemplateContent': case 'loadTemplateContent':
$_POST = $filter->xssFilterHard($_POST);
require_once 'classes/model/OutputDocument.php'; require_once 'classes/model/OutputDocument.php';
$ooutputDocument = new OutputDocument(); $ooutputDocument = new OutputDocument();
if (isset( $_POST['OUT_DOC_UID'] )) { if (isset( $_POST['OUT_DOC_UID'] )) {
@@ -43,6 +52,7 @@ switch ($action) {
break; break;
case 'lookForNameOutput': case 'lookForNameOutput':
$_POST = $filter->xssFilterHard($_POST);
require_once ('classes/model/Content.php'); require_once ('classes/model/Content.php');
require_once ("classes/model/OutputDocument.php"); require_once ("classes/model/OutputDocument.php");

15
workflow/engine/methods/processes/processes_Ajax.php
View File

@@ -38,6 +38,13 @@ try {
break; break;
} */ } */
//$oJSON = new Services_JSON(); //$oJSON = new Services_JSON();
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
//$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset($_REQUEST['data'])) { if (isset($_REQUEST['data'])) {
if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") { if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
@@ -741,6 +748,8 @@ try {
// G::RenderPage( 'publish', 'blank' ); // G::RenderPage( 'publish', 'blank' );
break; break;
case 'saveFile': case 'saveFile':
$_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
$_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
global $G_PUBLISH; global $G_PUBLISH;
$G_PUBLISH = new Publisher(); $G_PUBLISH = new Publisher();
global $RBAC; global $RBAC;
@@ -754,6 +763,7 @@ try {
$sDir = ""; $sDir = "";
if (isset($_REQUEST['MAIN_DIRECTORY'])) { if (isset($_REQUEST['MAIN_DIRECTORY'])) {
$_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
$sDir = $_REQUEST['MAIN_DIRECTORY']; $sDir = $_REQUEST['MAIN_DIRECTORY'];
} }
switch ($sDir) { switch ($sDir) {
@@ -775,6 +785,7 @@ try {
$content = base64_decode($content); $content = base64_decode($content);
fwrite($fp, $content); fwrite($fp, $content);
fclose($fp); fclose($fp);
$sDirectory = $filter->xssFilterHard($sDirectory);
echo 'saved: ' . $sDirectory; echo 'saved: ' . $sDirectory;
} }
break; break;
@@ -830,8 +841,10 @@ try {
* *
*/ */
case 'getVariablePrefix': case 'getVariablePrefix':
$_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
$_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING'; $_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
echo G::LoadTranslation($_REQUEST['prefix']); $prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
echo G::LoadTranslation($prefix);
break; break;
/** /**
* return an array with all Variables of Grid type * return an array with all Variables of Grid type

2
workflow/engine/methods/services/login_getStarted.php
View File

@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
$oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')'); $oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
*/ */
$userName = 'admin'; $userName = 'admin';
$userPass = 'The password introduced at the time of installing the application'; $userPass = 'The password introduced at the time of installing the application (admin: if you do not put or changed the password)';
if(isset($_SESSION['NW_PASSWORD'])){ if(isset($_SESSION['NW_PASSWORD'])){
if($_SESSION['NW_PASSWORD'] != ''){ if($_SESSION['NW_PASSWORD'] != ''){
$userPass = $_SESSION['NW_PASSWORD']; $userPass = $_SESSION['NW_PASSWORD'];

5
workflow/engine/methods/setup/appCacheViewAjax.php
View File

@@ -1,6 +1,9 @@
<?php <?php
require_once ('classes/model/AppCacheView.php'); require_once ('classes/model/AppCacheView.php');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null); $request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "") function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")

7
workflow/engine/methods/setup/emails_Ajax.php
View File

@@ -21,6 +21,13 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd., * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SERVER['SERVER_NAME'])) {
$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']);
}
global $RBAC; global $RBAC;
$RBAC->requirePermissions( 'PM_SETUP_ADVANCE' ); $RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );

25
workflow/engine/methods/setup/language_Ajax.php
View File

@@ -23,11 +23,16 @@
*/ */
try { try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
G::LoadInclude( 'ajax' ); G::LoadInclude( 'ajax' );
if (isset( $_POST['form'] )) { if (isset( $_POST['form'] )) {
$_POST = $_POST['form']; $_POST = $_POST['form'];
} }
$_POST['function'] = get_ajax_value( 'function' ); $_POST['function'] = get_ajax_value( 'function' );
$_POST['function'] = $filter->xssFilterHard($_POST['function']);
switch ($_POST['function']) { switch ($_POST['function']) {
case 'savePredetermined': case 'savePredetermined':
require_once "classes/model/Translation.php"; require_once "classes/model/Translation.php";
@@ -155,16 +160,16 @@ try {
if($locale != "en"){ //Default Lengage 'en' if($locale != "en"){ //Default Lengage 'en'
if($locale != SYS_LANG){ //Current lenguage if($locale != SYS_LANG){ //Current lenguage
//THERE IS NO ANY CASE STARTED FROM THES LANGUAGE //THERE IS NO ANY CASE STARTED FROM THES LANGUAGE
if ($aRow[0] == 0) { //so we can delete this language if ($aRow[0] == 0) { //so we can delete this language
try { try {
Content::removeLanguageContent( $locale ); Content::removeLanguageContent( $locale );
$trn->removeTranslationEnvironment( $locale ); $trn->removeTranslationEnvironment( $locale );
echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' ); echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' );
} catch (Exception $e) { } catch (Exception $e) {
echo $e->getMessage(); echo $e->getMessage();
} }
} else { } else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) ); echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) );
} }
} else { } else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE_CURRENTLY' ) ); echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE_CURRENTLY' ) );

10
workflow/engine/methods/setup/skin_Ajax.php
View File

@@ -1,4 +1,8 @@
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset( $_REQUEST['action'] )) { if (! isset( $_REQUEST['action'] )) {
$res['success'] = false; $res['success'] = false;
$res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION'); $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -162,7 +166,7 @@ function newSkin ($baseSkin = 'classic')
$configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml'; $configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml';
$xmlConfiguration = file_get_contents( $configFileOriginal ); $xmlConfiguration = file_get_contents( $configFileOriginal );
$workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS; $workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS;
$xmlConfigurationObj = G::xmlParser($xmlConfiguration); $xmlConfigurationObj = G::xmlParser($xmlConfiguration);
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
function deleteSkin () function deleteSkin ()
{ {
try { try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) { if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) )); throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
} }

8
workflow/engine/methods/setup/webServicesAjax.php
View File

@@ -23,6 +23,10 @@
*/ */
ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
//$_SESSION = $filter->xssFilterHard($_SESSION);
G::LoadClass( 'ArrayPeer' ); G::LoadClass( 'ArrayPeer' );
if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) { if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
$_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : ''; $_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
} }
$_POST = $filter->xssFilterHard($_POST);
switch ($_POST['action']) { switch ($_POST['action']) {
case 'showForm': case 'showForm':
global $G_PUBLISH; global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
die(); die();
break; break;
default: default:
$_POST = $filter->xssFilterHard($_POST);
print_r( $_POST ); print_r( $_POST );
} }
} }

4
workflow/engine/methods/tracker/tracker_Ajax.php
View File

@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
try { try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if (isset( $_POST['form']['action'] )) { if (isset( $_POST['form']['action'] )) {
$_POST['action'] = $_POST['form']['action']; $_POST['action'] = $_POST['form']['action'];
} }

9
workflow/engine/methods/users/usersAjax.php
View File

@@ -1,4 +1,13 @@
<?php <?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SESSION['USER_LOGGED'])) {
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
}
if(isset($_SESSION['USR_USERNAME'])) {
$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
}
global $RBAC; global $RBAC;
$result = new StdClass(); $result = new StdClass();

6
workflow/engine/methods/users/users_Ajax.php
View File

@@ -23,6 +23,12 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
try { try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
global $RBAC; global $RBAC;
switch ($RBAC->userCanAccess('PM_LOGIN')) { switch ($RBAC->userCanAccess('PM_LOGIN')) {
case - 2: case - 2:

36
workflow/engine/src/ProcessMaker/BusinessModel/Light.php
View File

@@ -403,8 +403,8 @@ class Light
//$app_uid = \G::getPathFromUID($oAppDocument->Fields['APP_UID']); //$app_uid = \G::getPathFromUID($oAppDocument->Fields['APP_UID']);
$file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid); $file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid);
$realPath = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext; $realPath = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '.' . $ext; $realPath1 = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '.' . $ext;
$width = isset($fileData['width']) ? $fileData['width']:null; $width = isset($fileData['width']) ? $fileData['width']:null;
$height = isset($fileData['height']) ? $fileData['height']:null; $height = isset($fileData['height']) ? $fileData['height']:null;
@@ -604,8 +604,9 @@ class Light
*/ */
public function getInformation($userUid, $type, $app_uid) public function getInformation($userUid, $type, $app_uid)
{ {
//$response = array(); $response = array();
switch ($type) { switch ($type) {
case 'unassigned':
case 'paused': case 'paused':
case 'participated': case 'participated':
$oCase = new \Cases(); $oCase = new \Cases();
@@ -723,6 +724,7 @@ class Light
*/ */
public function documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data) public function documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data)
{ {
$response = array("status" => "fail");
if (isset( $_FILES["form"]["name"] ) && count( $_FILES["form"]["name"] ) > 0) { if (isset( $_FILES["form"]["name"] ) && count( $_FILES["form"]["name"] ) > 0) {
$arrayField = array (); $arrayField = array ();
$arrayFileName = array (); $arrayFileName = array ();
@@ -773,6 +775,7 @@ class Light
$sPathName = PATH_DOCUMENT . $pathUID . PATH_SEP; $sPathName = PATH_DOCUMENT . $pathUID . PATH_SEP;
$sFileName = $sAppDocUid . "_" . $iDocVersion . "." . $sExtension; $sFileName = $sAppDocUid . "_" . $iDocVersion . "." . $sExtension;
G::uploadFile( $arrayFileTmpName[$i], $sPathName, $sFileName ); G::uploadFile( $arrayFileTmpName[$i], $sPathName, $sFileName );
$response = array("status" => "ok");
} }
} }
} }
@@ -780,4 +783,31 @@ class Light
return $response; return $response;
} }
/**
* claim case
*
* @param $userUid
* @param $Fields
* @param $type
* @throws \Exception
*/
public function claimCaseUser($userUid, $sAppUid)
{
$response = array("status" => "fail");
$oCase = new \Cases();
$iDelIndex = $oCase->getCurrentDelegation( $sAppUid, $userUid );
$oAppDelegation = new \AppDelegation();
$aDelegation = $oAppDelegation->load( $sAppUid, $iDelIndex );
//if there are no user in the delegation row, this case is still in selfservice
if ($aDelegation['USR_UID'] == "") {
$oCase->setCatchUser( $sAppUid,$iDelIndex, $userUid );
$response = array("status" => "ok");
} else {
//G::SendMessageText( G::LoadTranslation( 'ID_CASE_ALREADY_DERIVATED' ), 'error' );
}
return $response;
}
} }

82
workflow/engine/src/ProcessMaker/Services/Api/Light.php
View File

@@ -611,52 +611,18 @@ class Light extends Api
} }
/** /**
* @url POST /case/:app_uid/input-document * @url POST /case/:app_uid/upload/location
* *
* @param string $app_uid { @min 32}{@max 32} * @param string $app_uid { @min 32}{@max 32}
* @param string $tas_uid {@min 32}{@max 32} * @param float $latitude {@min -90}{@max 90}
* @param string $app_doc_comment
* @param string $inp_doc_uid {@min 32}{@max 32}
*/
public function doPostInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid)
{
try {
$userUid = $this->getUserId();
$inputDocument = new \ProcessMaker\BusinessModel\Cases\InputDocument();
$file = $inputDocument->addCasesInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $userUid);
$response = $this->parserInputDocument($file);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $response;
}
public function parserInputDocument ($data)
{
$structure = array(
'app_doc_uid' => 'fileId',
'app_doc_filename' => 'fileName',
'app_doc_version' => 'version'
);
$response = $this->replaceFields($data, $structure);
return $response;
}
/**
* @url POST /case/:app_uid/input-document/location
*
* @param string $app_uid { @min 32}{@max 32}
* @param string $tas_uid {@min 32}{@max 32}
* @param string $app_doc_comment
* @param string $inp_doc_uid {@min 32}{@max 32}
* @param float $latitude {@min -90}{@max 90}
* @param float $longitude {@min -180}{@max 180} * @param float $longitude {@min -180}{@max 180}
*/ */
public function postInputDocumentLocation($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $latitude, $longitude) public function postInputDocumentLocation($app_uid, $latitude, $longitude)
{ {
try { try {
$userUid = $this->getUserId(); $userUid = $this->getUserId();
$inputDocument = new \ProcessMaker\BusinessModel\Cases\InputDocument(); $oMobile = new \ProcessMaker\BusinessModel\Light();
$url = "http://maps.googleapis.com/maps/api/staticmap?center=".$latitude.','.$longitude."&format=jpg&size=600x600&zoom=15&markers=color:blue%7Clabel:S%7C".$latitude.','.$longitude; $url = "http://maps.googleapis.com/maps/api/staticmap?center=".$latitude.','.$longitude."&format=jpg&size=600x600&zoom=15&markers=color:blue%7Clabel:S%7C".$latitude.','.$longitude;
$imageLocation = imagecreatefromjpeg($url); $imageLocation = imagecreatefromjpeg($url);
$tmpfname = tempnam("php://temp","pmm"); $tmpfname = tempnam("php://temp","pmm");
@@ -668,17 +634,21 @@ class Light extends Api
$_FILES["form"]["error"] = 0; $_FILES["form"]["error"] = 0;
$sizes = getimagesize($tmpfname); $sizes = getimagesize($tmpfname);
$_FILES["form"]["size"] = ($sizes['0'] * $sizes['1']); $_FILES["form"]["size"] = ($sizes['0'] * $sizes['1']);
$file = $inputDocument->addCasesInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $userUid);
$request_data = array(array('name' => $_FILES["form"]["name"]));
$file = $oMobile->postUidUploadFiles($userUid, $app_uid, $request_data);
$strPathName = PATH_DOCUMENT . G::getPathFromUID($app_uid) . PATH_SEP; $strPathName = PATH_DOCUMENT . G::getPathFromUID($app_uid) . PATH_SEP;
$strFileName = $file->app_doc_uid . "_" . $file->app_doc_version . ".jpg"; $strFileName = $file[0]['appDocUid'] . "_" . $file[0]['docVersion'] . ".jpg";
copy($tmpfname, $strPathName . "/" . $strFileName); if (! is_dir( $strPathName )) {
$response = $this->parserInputDocument($file); G::verifyPath( $strPathName, true );
}
copy($tmpfname, $strPathName . $strFileName);
unlink($tmpfname); unlink($tmpfname);
} catch (\Exception $e) { } catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
} }
return $response; return $file;
} }
/** /**
@@ -794,10 +764,28 @@ class Light extends Api
try { try {
$userUid = $this->getUserId(); $userUid = $this->getUserId();
$oMobile = new \ProcessMaker\BusinessModel\Light(); $oMobile = new \ProcessMaker\BusinessModel\Light();
$filesUids = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data); $response = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data);
} catch (\Exception $e) { } catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
} }
return $filesUids; return $response;
}
/**
* @url POST /case/:app_uid/claim
*
* @param $app_uid
* @return mixed
*/
public function claimCaseUser($app_uid)
{
try {
$userUid = $this->getUserId();
$oMobile = new \ProcessMaker\BusinessModel\Light();
$response = $oMobile->claimCaseUser($userUid, $app_uid);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $response;
} }
} }

4
workflow/engine/templates/appFolder/appFolderTree.php
View File

@@ -56,7 +56,9 @@ $html = '
} }
return 'Unknown'; return 'Unknown';
} }
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER['HTTP_USER_AGENT'] = $filter->xssFilterHard($_SERVER['HTTP_USER_AGENT']);
if((looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 8')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 7')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 6')){ if((looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 8')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 7')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 6')){
$html.=" $html.="
<div class='content' style='width:360px;height: expression( this.scrollHeight > 319 ? \'320px\' : \'auto\' ); /* sets max-height for IE */ max-height: 320px; /* sets max-height value for all standards-compliant browsers */ overflow:hidden;'> <div class='content' style='width:360px;height: expression( this.scrollHeight > 319 ? \'320px\' : \'auto\' ); /* sets max-height for IE */ max-height: 320px; /* sets max-height value for all standards-compliant browsers */ overflow:hidden;'>

28
workflow/engine/templates/cases/casesDocuments.js
View File

@@ -1739,6 +1739,16 @@ function copymoveCtx(e) {
copymove('moveExecute'); copymove('moveExecute');
} }
var loader = new Ext.tree.TreeLoader({
preloadChildren : true,
dataUrl : '../appFolder/appFolderAjax.php',
baseParams : {
action : 'expandNode',
sendWhat : 'dirs',
renderTree : 1
}
});
var documentsTab = { var documentsTab = {
id : 'documents', id : 'documents',
// title : 'Documents', // title : 'Documents',
@@ -1772,15 +1782,7 @@ var documentsTab = {
} }
], ],
// rootVisible: false, // rootVisible: false,
loader : new Ext.tree.TreeLoader({ loader : loader,
preloadChildren : true,
dataUrl : '../appFolder/appFolderAjax.php',
baseParams : {
action : 'expandNode',
sendWhat : 'dirs',
renderTree : 1
}
}),
containerScroll : true, containerScroll : true,
enableDD : true, enableDD : true,
ddGroup : 'TreeDD', ddGroup : 'TreeDD',
@@ -1834,10 +1836,10 @@ var documentsTab = {
return true; return true;
} }
}, },
'beforenodedrop' : { 'nodedrop' : {
fn : function(e) { fn : function(e) {
dropEvent = e; dropEvent = e;
copymoveCtx(e); copymoveCtx(e);
datastore.reload(); datastore.reload();
} }
}, },

5
workflow/engine/templates/cases/cases_Load.php
View File

@@ -1,3 +1,8 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST['qs'] = $filter->xssFilterHard($_POST['qs']);
?>
<html> <html>
<style type="text/css"> <style type="text/css">
.Footer .content { .Footer .content {

6
workflow/engine/templates/designer/index.html
View File

@@ -82,12 +82,14 @@
<nav> <nav>
<ul> <ul>
<li><a href="#" ><span class="mafe-button-close" ></span></a></li> <li><a href="#" ><span class="mafe-button-close" ></span></a></li>
<li><a href="#" class="mafe-button-save"></a></li> <li class="mafe-save-process"><a href="#" class="mafe-button-save"></a></li>
<li><a href="#" class="mafe-button-export-process"></a></li> <li><a href="#" class="mafe-button-export-process"></a></li>
<li><a class="mafe-button-export-bpmn-process"></a></li> <li><a class="mafe-button-export-bpmn-process"></a></li>
<li><a href="#" class="mafe-button-undo"></a> <a href="#" class="mafe-button-redo"></a></li>
<li></li> <li></li>
<li class="mafe-undo"><a href="#"><span class="mafe-button-undo"></span></a></li>
<li class="mafe-redo"><a href="#"><span class="mafe-button-redo"></span></a></li>
<li><a href="#" title="" class="mafe-button-fullscreen"></a></li> <li><a href="#" title="" class="mafe-button-fullscreen"></a></li>
<li></li>
</ul> </ul>
</nav> </nav>

7
workflow/engine/templates/oauth2/authorize.php
View File

@@ -1,6 +1,9 @@
<?php <?php
require_once PATH_CORE . 'src/ProcessMaker/Services/OAuth2/PmPdo.php'; require_once PATH_CORE . 'src/ProcessMaker/Services/OAuth2/PmPdo.php';
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"],"url");
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, ''); list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
$port = empty($port) ? '' : ";port=$port"; $port = empty($port) ? '' : ";port=$port";
@@ -34,7 +37,7 @@ $response = array(
'supportedScope' => $this->scope, 'supportedScope' => $this->scope,
'requestedScope' => $requestedScope 'requestedScope' => $requestedScope
); );
$response = $filter->xssFilterHard($response,"url");
?> ?>
<table width="100%" cellspacing="0" cellpadding="0" border="0"> <table width="100%" cellspacing="0" cellpadding="0" border="0">

27
workflow/engine/templates/oauth2/clientSetup.js
View File

@@ -254,7 +254,7 @@ clientSetup.application = {
data: [["20"], ["30"], ["40"], ["50"], ["100"]], data: [["20"], ["30"], ["40"], ["50"], ["100"]],
autoLoad: true autoLoad: true
}); });
//Components //Components
var winData = new Ext.Window({ var winData = new Ext.Window({
layout: "fit", layout: "fit",
@@ -289,7 +289,11 @@ clientSetup.application = {
id: "txtName", id: "txtName",
name: "txtName", name: "txtName",
fieldLabel: "Name" fieldLabel: "Name",
validator: function(value){
var val = (value=='')? false: true;
return val;
}
}, },
{ {
xtype: "label", xtype: "label",
@@ -320,8 +324,15 @@ clientSetup.application = {
id: "txtWebSite", id: "txtWebSite",
name: "txtWebSite", name: "txtWebSite",
fieldLabel: "Web Site", fieldLabel: "Web Site",
vtype: "url" validator: function (value){
var regexpUrl = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var regexStringIp = new RegExp(regexpUrl);
var regexpIpAdress = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/g;
var regexNumberIp = new RegExp(regexpIpAdress);
var result = (value.match(regexStringIp) || value.match(regexNumberIp))? true : false;
return result;
}
}, },
{ {
xtype: "label", xtype: "label",
@@ -345,7 +356,7 @@ clientSetup.application = {
fieldLabel: "&nbsp;", fieldLabel: "&nbsp;",
labelSeparator: "", labelSeparator: "",
html: "<span style=\"font-size: 11px;\">" + "here should we return after successfully authenticating? For @Anywhere applications, only the domain specified in the callback will be used. OAuth 1.0a applications should explicitly specify their oauth_callback URL on the request token step, regardless of the value given here. To restrict your application from using callbacks, leave this field blank." + "</span>" html: "<span style=\"font-size: 11px;\">" + "URL where redirected after successfully authenticating (calling the {workspace}/oauth2/authorize endpoint). This URL typically contains code to get the access token from the {workspace}/oauth2/token endpoint. To prevent your application from using callbacks, leave this field blank." + "</span>"
} }
] ]
}) })
@@ -499,7 +510,7 @@ clientSetup.application = {
var btnDetail = new Ext.Action({ var btnDetail = new Ext.Action({
id: "btnDetail", id: "btnDetail",
text: _("ID_DETAIL"), text: _("ID_DETAILS"),
iconCls: "button_menu_ext ss_sprite ss_zoom", iconCls: "button_menu_ext ss_sprite ss_zoom",
handler: function () handler: function ()
@@ -695,7 +706,7 @@ clientSetup.application = {
items: [grdpnlMain] items: [grdpnlMain]
}); });
} }
} }
Ext.onReady(clientSetup.application.init, clientSetup.application); Ext.onReady(clientSetup.application.init, clientSetup.application);

18
workflow/engine/templates/setup/main.js
View File

@@ -4,6 +4,8 @@
*/ */
var _NODE_SELECTED; var _NODE_SELECTED;
var flagRenderTabLog = false;
var main = function(){ var main = function(){
var cookiep = new Ext.state.CookieProvider(); var cookiep = new Ext.state.CookieProvider();
@@ -130,7 +132,19 @@ var main = function(){
activeTab:this.items.indexOf(this.getActiveTab()) activeTab:this.items.indexOf(this.getActiveTab())
}; };
}, },
items: items items: items,
listeners: {
tabchange: function (tabpanel, tab)
{
if (tab.id == "logs" && flagRenderTabLog) {
tab.getLoader().load(tab.root);
}
if (tab.id == "logs") {
flagRenderTabLog = true;
}
}
}
}), }),
{ {
region: 'center', region: 'center',
@@ -166,5 +180,3 @@ new Ext.KeyMap(document, {
}); });
Ext.onReady(main); Ext.onReady(main);

2
workflow/engine/xmlform/dynaforms/dynaforms_WebEntry.xml
View File

@@ -171,7 +171,7 @@ var webEntry_generate = function(PRO_UID, TASKS, DYNAFORM) {
if(getField('WE_TYPE').value=='SINGLE') if(getField('WE_TYPE').value=='SINGLE')
{ oPanel1 = new leimnud.module.panel(); { oPanel1 = new leimnud.module.panel();
oPanel1.options = { oPanel1.options = {
size :{w:600,h:400}, size :{w:500,h:390},
position:{x:0,y:0,center:true}, position:{x:0,y:0,center:true},
title :"Web Entry", title :"Web Entry",
statusBar:true, statusBar:true,