fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Gustavo Cruz
2015-03-19 12:51:23 -04:00
parent d1ea4faf95 cc60afe9b0
commit e26da50743
49 changed files with 446 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
gulliver/bin/tasks/pakeGulliver.php
View File

@@ -920,6 +920,8 @@ function run_create_poedit_file($task, $args) {
G::LoadSystem('xmlform');
G::LoadSystem('xmlformExtension');
G::LoadSystem('form');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$langIdOut = $langId; //the output language, later we'll include the country too.
$exceptionFields = array (
@@ -993,21 +995,28 @@ function run_create_poedit_file($task, $args) {
}
else {
$xmlfile = $filter->xssFilterHard($xmlfile);
$exceptionFields = $filter->xssFilterHard($exceptionFields);
if( is_object($node) && ! in_array($node->type, $exceptionFields) ) {
if( isset($node->value) && strpos($node->value, 'G::LoadTranslation') !== false ) {
$exceptIndex ++;
//print ($node->value);
} else {
$node->name = $filter->xssFilterHard($node->name);
$node->type = $filter->xssFilterHard($node->type);
printf("Error: xmlform %s has no english definition for %s [%s]\n", pakeColor::colorize($xmlfile, 'ERROR'), pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($node->type, 'INFO'));
$xmlError ++;
}
} else {
$exceptIndex ++;
if( $verboseFlag )
if( $verboseFlag ){
$node->name = $filter->xssFilterHard($node->name);
$node->type = $filter->xssFilterHard($node->type);
printf("%s %s in %s\n", $node->type, pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($xmlfile, 'INFO'));
}
}
}
}
unset($form->fields);
unset($form->tree);
unset($form);

2
gulliver/js/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css vendored
View File

@@ -4,7 +4,7 @@
.clearlooks2, .clearlooks2 div, .clearlooks2 span, .clearlooks2 a {vertical-align:baseline; text-align:left; position:absolute; border:0; padding:0; margin:0; background:transparent; font-family:Arial,Verdana; font-size:11px; color:#000; text-decoration:none; font-weight:normal; width:auto; height:auto; overflow:hidden; display:block}
/* General */
.clearlooks2 {position:absolute; direction:ltr}
.clearlooks2 {position:fixed !important; direction:ltr; top:20px !important;height:552px !important;}
.clearlooks2 .mceWrapper {position:static}
.mceEventBlocker {position:fixed; left:0; top:0; background:url(img/horizontal.gif) no-repeat 0 -75px; width:100%; height:100%}
.clearlooks2 .mcePlaceHolder {border:1px solid #000; background:#888; top:0; left:0; opacity:0.5; -ms-filter:'alpha(opacity=50)'; filter:alpha(opacity=50)}

2
gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/js/source_editor.js vendored
View File

@@ -73,6 +73,6 @@ function resizeInputs() {
if (el) {
el.style.width = (vp.w - 20) + 'px';
el.style.height = (vp.h - 65) + 'px';
el.style.height = (vp.h - 122) + 'px';
}
}

8
gulliver/methods/controls/calendar.php
View File

@@ -25,6 +25,9 @@
td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;}
</style>
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June",
"July", "August", "September", "October", "November", "December");
@@ -109,6 +112,11 @@
}
$numWeeks = ( $end_date - $start_date )/3600/24/7 ;
$dtmin_value = $filter->xssFilterHard($dtmin_value);
$dtmax_value = $filter->xssFilterHard($dtmax_value);
$dt_currentYear = $filter->xssFilterHard($dt_currentYear);
$dt_currentMonth = $filter->xssFilterHard($dt_currentMonth);
//print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value ";
?>
<input type='hidden' name='dtmin_value' id='dtmin_value' value='<?php echo $dtmin_value ?>' >

6
gulliver/system/class.dbconnection.php
View File

@@ -186,6 +186,10 @@ class DBConnection
{
global $_SESSION;
global $_SERVER;
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER = $filter->xssFilterHard($_SERVER);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (is_null( $errorLevel ))
if (isset( $this->errorLevel )) {
$errorLevel = $this->errorLevel;
@@ -207,7 +211,7 @@ class DBConnection
print "</textarea></td></tr></table>";
}
//G::setErrorHandler ( );
G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
//G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
if ($errorLevel == DB_ERROR_SHOW_AND_STOP || $errorLevel == DB_ERROR_SHOWALL_AND_STOP) {
die(); //stop
}

13
gulliver/system/class.g.php
View File

@@ -1073,6 +1073,12 @@ class G
*/
public static function streamFile ($file, $download = false, $downloadFileName = '')
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$file = $filter->xssFilterHard($file);
if(isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = $filter->xssFilterHard($_SERVER['REQUEST_URI'],"url");
}
require_once (PATH_THIRDPARTY . 'jsmin/jsmin.php');
$folderarray = explode( '/', $file );
$typearray = explode( '.', basename( $file ) );
@@ -1081,8 +1087,11 @@ class G
//trick to generate the translation.language.js file , merging two files
if (strtolower( $typefile ) == 'js' && $typearray[0] == 'translation') {
$download = $filter->xssFilterHard($download);
$downloadFileName = $filter->xssFilterHard($downloadFileName);
G::sendHeaders( $filename, 'text/javascript', $download, $downloadFileName );
$output = G::streamJSTranslationFile( $filename, $typearray[1] );
$output = $filter->xssFilterHard($output);
print $output;
return;
}
@@ -1091,6 +1100,7 @@ class G
if (strtolower( $typefile ) == 'css' && $folderarray[count( $folderarray ) - 2] == 'css') {
G::sendHeaders( $filename, 'text/css', $download, $downloadFileName );
$output = G::streamCSSBigFile( $typearray[0] );
$output = $filter->xssFilterHard($output);
print $output;
return;
}
@@ -3140,6 +3150,9 @@ class G
*/
public function pr ($var)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$var = $filter->xssFilterHard($var);
print ("<pre>") ;
print_r( $var );
print ("</pre>") ;

4
workflow/engine/classes/class.processMap.php
View File

@@ -2356,7 +2356,11 @@ class processMap
$G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER')));
G::RenderPage('publish');
//return true; */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$schedulerPath = SYS_URI . "cases/cases_Scheduler_List";
$schedulerPath = $filter->xssFilterHard($schedulerPath);
$sProcessUID = $filter->xssFilterHard($sProcessUID);
$html = "<iframe WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>";
echo $html;
} catch (Exception $oError) {

17
workflow/engine/classes/class.propelTable.php
View File

@@ -560,6 +560,12 @@ class propelTable
*/
public function renderTable ($block = '', $fields = '')
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$fields = $filter->xssFilterHard($fields);
$this->orderBy = $filter->xssFilterHard($this->orderBy);
$this->currentPage = $filter->xssFilterHard($this->currentPage);
//Render Title
$thereisnotitle = true;
foreach ($this->fields as $r => $rval) {
@@ -603,6 +609,11 @@ class propelTable
$this->tpl->assign( 'pagedTable_Name', $this->name );
$this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
$this->tpl->assign( "title", $this->title );
$this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
$this->filterForm = $filter->xssFilterHard($this->filterForm);
$this->menu = $filter->xssFilterHard($this->menu);
if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
$filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
if ($this->menu === '') {
@@ -839,6 +850,12 @@ class propelTable
}
$this->tpl->assign( "pagesEnum", $pagesEnum );
}
$this->name = $filter->xssFilterHard($this->name);
$this->orderBy = $filter->xssFilterHard($this->orderBy);
$this->currentPage = $filter->xssFilterHard($this->currentPage);
$this->id = $filter->xssFilterHard($this->id);
?>
<script language='JavaScript'>

6
workflow/engine/classes/class.webdav.php
View File

@@ -967,11 +967,15 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
*/
public function checkLock($path)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$path = $filter->validateInput($path, 'nosql');
$result = false;
$query = "SELECT owner, token, expires, exclusivelock
FROM locks
WHERE path = '$path' ";
WHERE path = '%s' ";
$query = $filter->preventSqlInjection($query, array($path));
$res = mysql_query($query);
if ($res) {

2
workflow/engine/classes/model/AdditionalTables.php
View File

@@ -447,10 +447,10 @@ class AdditionalTables extends BaseAdditionalTables
}
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$sort = $filter->validateInput($_POST['sort']);
$sClassPeerName = $filter->validateInput($sClassPeerName);
if (isset($_POST['sort'])) {
$_POST['sort'] = $filter->validateInput($_POST['sort']);
if ($_POST['dir'] == 'ASC') {
if ($keyOrderUppercase) {
eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");');

16
workflow/engine/controllers/adminProxy.php
View File

@@ -1009,6 +1009,12 @@ class adminProxy extends HttpProxyController
public function uploadImage()
{
//!dataSystem
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER["REQUEST_URI"] = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
$_FILES = $filter->xssFilterHard($_FILES);
$ainfoSite = explode("/", $_SERVER["REQUEST_URI"]);
$dir = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos";
global $_FILES;
@@ -1036,7 +1042,9 @@ class adminProxy extends HttpProxyController
$uploaded = 0;
$failed = 0;
if (in_array($_FILES['img']['type'], $allowedType)) {
$files_img_type = $filter->xssFilterHard($_FILES['img']['type']);
if (in_array($files_img_type, $allowedType)) {
// max upload file is 500 KB
if ($_FILES['img']['size'] <= 500000) {
$formf = $_FILES['img'];
@@ -1055,7 +1063,7 @@ class adminProxy extends HttpProxyController
$arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName);
$typeMime = $arrayInfo[2];
}
if ($typeMime == $allowedTypeArray['index' . base64_encode($_FILES['img']['type'])]) {
if ($typeMime == $allowedTypeArray['index' . base64_encode($files_img_type)]) {
$error = false;
try {
list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName);
@@ -1075,10 +1083,10 @@ class adminProxy extends HttpProxyController
} else {
$failed = "2";
}
} elseif ($_FILES['img']['type'] != '') {
} elseif ($files_img_type != '') {
$failed = "1";
}
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $_FILES['img']['type'] . '"}';
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
exit();
}

42
workflow/engine/controllers/installer.php
View File

@@ -433,6 +433,9 @@ class Installer extends Controller
*/
public function mysqlQuery ($sql)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$sql = $filter->preventSqlInjection($sql, Array());
$this->installLog( $sql );
$query = @mysql_query( $sql, $this->link );
if (! $query) {
@@ -450,6 +453,9 @@ class Installer extends Controller
*/
public function mssqlQuery ($sql)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$sql = $filter->preventSqlInjection($sql, Array());
$this->installLog( $sql );
$query = @mssql_query( $sql, $this->link );
if (! $query) {
@@ -587,9 +593,13 @@ class Installer extends Controller
*/
public function setGrantPrivilegesMySQL ($psUser, $psPassword, $psDatabase, $host)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$host = ($host == 'localhost' || $host == '127.0.0.1' ? 'localhost' : '%');
$sql = sprintf( "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION", $psDatabase, $psUser, $host, $psPassword );
$query = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION";
$sql = sprintf( $query, $psDatabase, $psUser, $host, $psPassword );
$sql = $filter->preventSqlInjection($query, array($psDatabase, $psUser, $host, $psPassword ));
$query = @mysql_query( $sql, $this->link );
if (! $query) {
@@ -1201,25 +1211,39 @@ class Installer extends Controller
public function checkDatabases ()
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$this->setResponseType( 'json' );
$info = new stdclass();
if ($_REQUEST['db_engine'] == 'mysql') {
$link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mysql_query( "show databases like '" . $_REQUEST['wfDatabase'] . "'", $link );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "show databases like '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mysql_query( $query, $link );
$info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'mssql') {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
} else if ($_REQUEST['db_engine'] == 'sqlsrv') {
$arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']);
$link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments);
$dataset = @sqlsrv_query( $link, "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'");
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @sqlsrv_query( $link, $query );
$info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0);
} else {
$link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
$dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
$_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
$query = "select * from sys.databases where name = '%s' ";
$query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
$dataset = @mssql_query( $query , $link );
$info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
}
@@ -1234,6 +1258,8 @@ class Installer extends Controller
private function testMySQLconnection ()
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$info = new StdClass();
$info->result = false;
$info->message = '';
@@ -1257,7 +1283,11 @@ class Installer extends Controller
$info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG');
return $info;
}
$res = @mysql_query( "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'$db_username'@'$db_hostname'\" OR GRANTEE = \"'$db_username'@'%'\") ", $link );
$db_username = $filter->validateInput($db_username, 'nosql');
$db_hostname = $filter->validateInput($db_hostname, 'nosql');
$query = "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'%s'@'%s'\" OR GRANTEE = \"'%s'@'%'\") ";
$query = $filter->preventSqlInjection($query, array($db_username, $db_hostname, $db_username));
$res = @mysql_query( $query, $link );
$row = @mysql_fetch_array( $res );
$hasSuper = is_array( $row );
@mysql_free_result( $res );

5
workflow/engine/methods/appFolder/appFolderAjax.php
View File

@@ -1,4 +1,9 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset ($_SESSION ['USER_LOGGED'])) {
$res ['success'] = false;
$res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');

6
workflow/engine/methods/cases/ajaxListener.php
View File

@@ -33,6 +33,12 @@
//require_once 'classes/model/AppDelay.php';
//require_once 'classes/model/Process.php';
//require_once 'classes/model/Task.php';
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_POST = $filter->xssFilterHard($_POST);
if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass();

8
workflow/engine/methods/cases/caseMessageHistory_Ajax.php
View File

@@ -21,6 +21,10 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$arrayToTranslation = array(
"TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == 'messageHistoryGridList_JXP') {
if (!isset($_REQUEST['start'])) {
if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
$_REQUEST['start'] = 0;
}
if (!isset($_REQUEST['limit'])) {
if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
$_REQUEST['limit'] = 20;
}

7
workflow/engine/methods/cases/casesHistoryDynaformPage_Ajax.php
View File

@@ -22,6 +22,13 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == "historyDynaformPage") {

1
workflow/engine/methods/cases/casesListExtJs.php
View File

@@ -213,7 +213,6 @@ $menuPerms = $menuPerms . ($RBAC->userCanAccess( 'PM_REASSIGNCASE' ) == 1) ? 'R'
$oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions
G::LoadClass( 'configuration' );
$c = new Configurations();
//$oHeadPublisher->addExtJsScript('cases/caseUtils', true);
$oHeadPublisher->addExtJsScript( 'app/main', true );
$oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js

6
workflow/engine/methods/cases/casesList_Ajax.php
View File

@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/AppDelay.php");*/
G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
function filterUserListArray($users = array(), $filter = '')

4
workflow/engine/methods/cases/casesStreamingFile.php
View File

@@ -24,8 +24,8 @@ if ($actionAjax == "streaming") {
$file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid);
$realPath = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '.' . $ext;
$realPath = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '.' . $ext;
if (file_exists( $realPath )) {
$finfo = finfo_open(FILEINFO_MIME_TYPE);

19
workflow/engine/methods/cases/cases_Ajax.php
View File

@@ -1,4 +1,11 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass();
$response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
G::RenderPage( 'publish', 'raw' );
break;
case 'showUsers':
$_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
switch ($_POST['TAS_ASSIGN_TYPE']) {
// switch verify $_POST['TAS_ASSIGN_TYPE']
case 'BALANCED':
$_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
G::LoadClass( 'user' );
$oUser = new User( new DBConnection() );
$oUser->load( $_POST['USR_UID'] );
$oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
$oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
break;
case 'MANUAL':
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
echo $sAux;
break;
case 'EVALUATE':
$_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
$_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
G::LoadClass( 'application' );
$oApplication = new Application( new DBConnection() );
$oApplication->load( $_SESSION['APPLICATION'] );
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$oUser->load( $sUser );
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
} else {
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' );
$ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
}
break;
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
break;
case 'toRevisePanel':
$_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
$_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
$_GET['APP_UID'] = $_POST['APP_UID'];
$_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
$G_PUBLISH = new Publisher();

8
workflow/engine/methods/cases/cases_Step.php
View File

@@ -130,7 +130,13 @@ if (isset( $oProcessFieds['PRO_DEBUG'] ) && $oProcessFieds['PRO_DEBUG']) {
}
//cleaning debug variables
if (! isset( $_GET['breakpoint'] )) {
$flagExecuteBeforeTriggers = !isset($_GET["breakpoint"]);
if (isset($_GET["TYPE"]) && $_GET["TYPE"] == "OUTPUT_DOCUMENT" && isset($_GET["ACTION"]) && $_GET["ACTION"] != "GENERATE") {
$flagExecuteBeforeTriggers = false;
}
if ($flagExecuteBeforeTriggers) {
if (isset( $_SESSION['TRIGGER_DEBUG']['info'] )) {
unset( $_SESSION['TRIGGER_DEBUG']['info'] );
}

6
workflow/engine/methods/cases/cases_StepToRevise.php
View File

@@ -23,6 +23,9 @@
*/
// die("first");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();

6
workflow/engine/methods/cases/cases_StepToReviseInputs.php
View File

@@ -23,6 +23,9 @@
*/
//die("second");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();

5
workflow/engine/methods/cases/cases_StepToReviseOutputs.php
View File

@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );

5
workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
View File

@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );

3
workflow/engine/methods/cases/cases_generatePMTable.php
View File

@@ -4,6 +4,9 @@
* and open the template in the editor.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/Fields.php");
// passing the parameters

30
workflow/engine/methods/controls/varsAjax.php
View File

@@ -22,11 +22,19 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:'';
$_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:'';
$_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:'';
$_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:'';
$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"]);
$html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">';
$html .= '<div id="d_variables">';
$html .= '<table width="90%" align="center">';
@@ -40,24 +48,24 @@ $html .= '</tr>';
$html .= '<tr>';
$html .= '<td width="50%">';
$html .= '<label for="type_label">'.G::LoadTranslation('ID_TINY_TYPE_VARIABLE').'</label>';
$html .= '<label for="type_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_TINY_TYPE_VARIABLE')).'</label>';
$html .= '</td>';
$html .= '<td width="25%">';
$html .= '<label for="prefix_label">'.G::LoadTranslation('ID_PREFIX').'</label>';
$html .= '<label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_PREFIX')).'</label>';
$html .= '</td>';
$html .= '<td width="25%">';
$html .= '<label for="variables_label">'.G::LoadTranslation( 'ID_SEARCH').'</label>';
$html .= '<label for="variables_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_SEARCH')).'</label>';
$html .= '</td>';
$html .= '</tr>';
$html .= '<tr>';
$html .= '<td width="25%">';
$html .= '<select name="type_variables" id="type_variables">';
$html .= '<option value="all">'.G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' ).'</option>';
$html .= '<option value="system">'.G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' ).'</option>';
$html .= '<option value="process">'.G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' ).'</option>';
$html .= '<option value="all">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' )).'</option>';
$html .= '<option value="system">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' )).'</option>';
$html .= '<option value="process">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' )).'</option>';
$html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;';
$html .= '</td>';
@@ -79,7 +87,7 @@ $html .= '<input type="text" id="search" size="15">';
$html .= '</td>';
$html .= '</tr>';
$html .= '<tr>';
$html .= '<tr><td><label for="prefix_label">'.G::LoadTranslation( 'ID_VARIABLES' ).'</label></td></tr>';
$html .= '<tr><td><label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_VARIABLES' )).'</label></td></tr>';
$html .= '<tr>';
$html .= '<td colspan="3">';
@@ -114,19 +122,19 @@ $html .= '</div>';
$html .= '<br>';
$html .= '<table border="1" width="90%" align="center">';
$html .= '<tr width="40%">';
$html .= '<td>'.G::LoadTranslation('ID_RESULT').'</td>';
$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).'</td>';
$html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>';
$html .= '</tr>';
$html .= '<tr width="60%">';
$html .= '<td>'.G::LoadTranslation('ID_DESCRIPTION').'</td>';
$html .= '<td><span id="desc_variables">'.G::LoadTranslation('ID_SYSTEM').'</span></td>';
$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).'</td>';
$html .= '<td><span id="desc_variables">'.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).'</span></td>';
$html .= '</tr>';
$html .= '</table>';
$html .= '</div>';
$html .= '<br>';
$html .= '<table width="90%" align="center">';
$html .= '<tr><td>';
$html .= '<label for="desc_prefix">*<span id="desc_prefix">' . G::LoadTranslation( 'ID_TO_STRING' ) . '</span></label>';
$html .= '<label for="desc_prefix">*<span id="desc_prefix">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TO_STRING' )).'</span></label>';
$html .= '</td></tr>';
$html .= '</div>';

10
workflow/engine/methods/dynaforms/dynaforms_Editor.php
View File

@@ -21,6 +21,12 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
return $RBAC_Response;
}
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
$G_ID_MENU_SELECTED = 'PROCESSES';
$G_ID_SUB_MENU_SELECTED = 'FIELDS';
$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
$PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
$DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
$_SESSION['PROCESS'] = $_GET['PRO_UID'];
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
$process->load( $PRO_UID );
} else {
//TODO
$PRO_UID = $filter->xssFilterHard($PRO_UID);
print ("$PRO_UID doesn't exist, continue? yes") ;
}

14
workflow/engine/methods/outputdocs/outputdocs_Ajax.php
View File

@@ -1,4 +1,7 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';
@@ -9,6 +12,7 @@ if ($action == '') {
switch ($action) {
case 'setTemplateFile':
$_FILES = $filter->xssFilterHard($_FILES);
//print_r($_FILES);
$_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
// file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
@@ -21,6 +25,7 @@ switch ($action) {
break;
case 'getTemplateFile':
$_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
$aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
);
$sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
$searchPos = strpos( $strRev, '.' );
$pos = (strlen( $sFileName ) - 1) - $searchPos;
$sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
if (! in_array( $sExtension, $aExtensions ))
echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
if (! in_array( $sExtension, $aExtensions )) {
$content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
$content = $filter->xssFilterHard($content);
echo $content;
}
break;
case 'loadTemplateContent':
$_POST = $filter->xssFilterHard($_POST);
require_once 'classes/model/OutputDocument.php';
$ooutputDocument = new OutputDocument();
if (isset( $_POST['OUT_DOC_UID'] )) {
@@ -43,6 +52,7 @@ switch ($action) {
break;
case 'lookForNameOutput':
$_POST = $filter->xssFilterHard($_POST);
require_once ('classes/model/Content.php');
require_once ("classes/model/OutputDocument.php");

15
workflow/engine/methods/processes/processes_Ajax.php
View File

@@ -39,6 +39,13 @@ try {
} */
//$oJSON = new Services_JSON();
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
//$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset($_REQUEST['data'])) {
if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
$oData = Bootstrap::json_decode($_REQUEST['data']);
@@ -741,6 +748,8 @@ try {
// G::RenderPage( 'publish', 'blank' );
break;
case 'saveFile':
$_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
$_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
global $G_PUBLISH;
$G_PUBLISH = new Publisher();
global $RBAC;
@@ -754,6 +763,7 @@ try {
$sDir = "";
if (isset($_REQUEST['MAIN_DIRECTORY'])) {
$_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
$sDir = $_REQUEST['MAIN_DIRECTORY'];
}
switch ($sDir) {
@@ -775,6 +785,7 @@ try {
$content = base64_decode($content);
fwrite($fp, $content);
fclose($fp);
$sDirectory = $filter->xssFilterHard($sDirectory);
echo 'saved: ' . $sDirectory;
}
break;
@@ -830,8 +841,10 @@ try {
*
*/
case 'getVariablePrefix':
$_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
$_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
echo G::LoadTranslation($_REQUEST['prefix']);
$prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
echo G::LoadTranslation($prefix);
break;
/**
* return an array with all Variables of Grid type

2
workflow/engine/methods/services/login_getStarted.php
View File

@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
$oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
*/
$userName = 'admin';
$userPass = 'The password introduced at the time of installing the application';
$userPass = 'The password introduced at the time of installing the application (admin: if you do not put or changed the password)';
if(isset($_SESSION['NW_PASSWORD'])){
if($_SESSION['NW_PASSWORD'] != ''){
$userPass = $_SESSION['NW_PASSWORD'];

5
workflow/engine/methods/setup/appCacheViewAjax.php
View File

@@ -1,6 +1,9 @@
<?php
require_once ('classes/model/AppCacheView.php');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")

7
workflow/engine/methods/setup/emails_Ajax.php
View File

@@ -22,6 +22,13 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SERVER['SERVER_NAME'])) {
$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']);
}
global $RBAC;
$RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );

5
workflow/engine/methods/setup/language_Ajax.php
View File

@@ -23,11 +23,16 @@
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
G::LoadInclude( 'ajax' );
if (isset( $_POST['form'] )) {
$_POST = $_POST['form'];
}
$_POST['function'] = get_ajax_value( 'function' );
$_POST['function'] = $filter->xssFilterHard($_POST['function']);
switch ($_POST['function']) {
case 'savePredetermined':
require_once "classes/model/Translation.php";

8
workflow/engine/methods/setup/skin_Ajax.php
View File

@@ -1,4 +1,8 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset( $_REQUEST['action'] )) {
$res['success'] = false;
$res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
function deleteSkin ()
{
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
}

8
workflow/engine/methods/setup/webServicesAjax.php
View File

@@ -23,6 +23,10 @@
*/
ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
//$_SESSION = $filter->xssFilterHard($_SESSION);
G::LoadClass( 'ArrayPeer' );
if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
$_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
}
$_POST = $filter->xssFilterHard($_POST);
switch ($_POST['action']) {
case 'showForm':
global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
die();
break;
default:
$_POST = $filter->xssFilterHard($_POST);
print_r( $_POST );
}
}

4
workflow/engine/methods/tracker/tracker_Ajax.php
View File

@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if (isset( $_POST['form']['action'] )) {
$_POST['action'] = $_POST['form']['action'];
}

9
workflow/engine/methods/users/usersAjax.php
View File

@@ -1,4 +1,13 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SESSION['USER_LOGGED'])) {
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
}
if(isset($_SESSION['USR_USERNAME'])) {
$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
}
global $RBAC;
$result = new StdClass();

6
workflow/engine/methods/users/users_Ajax.php
View File

@@ -23,6 +23,12 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
global $RBAC;
switch ($RBAC->userCanAccess('PM_LOGIN')) {
case - 2:

36
workflow/engine/src/ProcessMaker/BusinessModel/Light.php
View File

@@ -403,8 +403,8 @@ class Light
//$app_uid = \G::getPathFromUID($oAppDocument->Fields['APP_UID']);
$file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid);
$realPath = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '.' . $ext;
$realPath = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '.' . $ext;
$width = isset($fileData['width']) ? $fileData['width']:null;
$height = isset($fileData['height']) ? $fileData['height']:null;
@@ -604,8 +604,9 @@ class Light
*/
public function getInformation($userUid, $type, $app_uid)
{
//$response = array();
$response = array();
switch ($type) {
case 'unassigned':
case 'paused':
case 'participated':
$oCase = new \Cases();
@@ -723,6 +724,7 @@ class Light
*/
public function documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data)
{
$response = array("status" => "fail");
if (isset( $_FILES["form"]["name"] ) && count( $_FILES["form"]["name"] ) > 0) {
$arrayField = array ();
$arrayFileName = array ();
@@ -773,6 +775,7 @@ class Light
$sPathName = PATH_DOCUMENT . $pathUID . PATH_SEP;
$sFileName = $sAppDocUid . "_" . $iDocVersion . "." . $sExtension;
G::uploadFile( $arrayFileTmpName[$i], $sPathName, $sFileName );
$response = array("status" => "ok");
}
}
}
@@ -780,4 +783,31 @@ class Light
return $response;
}
/**
* claim case
*
* @param $userUid
* @param $Fields
* @param $type
* @throws \Exception
*/
public function claimCaseUser($userUid, $sAppUid)
{
$response = array("status" => "fail");
$oCase = new \Cases();
$iDelIndex = $oCase->getCurrentDelegation( $sAppUid, $userUid );
$oAppDelegation = new \AppDelegation();
$aDelegation = $oAppDelegation->load( $sAppUid, $iDelIndex );
//if there are no user in the delegation row, this case is still in selfservice
if ($aDelegation['USR_UID'] == "") {
$oCase->setCatchUser( $sAppUid,$iDelIndex, $userUid );
$response = array("status" => "ok");
} else {
//G::SendMessageText( G::LoadTranslation( 'ID_CASE_ALREADY_DERIVATED' ), 'error' );
}
return $response;
}
}

78
workflow/engine/src/ProcessMaker/Services/Api/Light.php
View File

@@ -611,52 +611,18 @@ class Light extends Api
}
/**
* @url POST /case/:app_uid/input-document
* @url POST /case/:app_uid/upload/location
*
* @param string $app_uid { @min 32}{@max 32}
* @param string $tas_uid {@min 32}{@max 32}
* @param string $app_doc_comment
* @param string $inp_doc_uid {@min 32}{@max 32}
*/
public function doPostInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid)
{
try {
$userUid = $this->getUserId();
$inputDocument = new \ProcessMaker\BusinessModel\Cases\InputDocument();
$file = $inputDocument->addCasesInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $userUid);
$response = $this->parserInputDocument($file);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $response;
}
public function parserInputDocument ($data)
{
$structure = array(
'app_doc_uid' => 'fileId',
'app_doc_filename' => 'fileName',
'app_doc_version' => 'version'
);
$response = $this->replaceFields($data, $structure);
return $response;
}
/**
* @url POST /case/:app_uid/input-document/location
*
* @param string $app_uid { @min 32}{@max 32}
* @param string $tas_uid {@min 32}{@max 32}
* @param string $app_doc_comment
* @param string $inp_doc_uid {@min 32}{@max 32}
* @param float $latitude {@min -90}{@max 90}
* @param float $longitude {@min -180}{@max 180}
*/
public function postInputDocumentLocation($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $latitude, $longitude)
public function postInputDocumentLocation($app_uid, $latitude, $longitude)
{
try {
$userUid = $this->getUserId();
$inputDocument = new \ProcessMaker\BusinessModel\Cases\InputDocument();
$oMobile = new \ProcessMaker\BusinessModel\Light();
$url = "http://maps.googleapis.com/maps/api/staticmap?center=".$latitude.','.$longitude."&format=jpg&size=600x600&zoom=15&markers=color:blue%7Clabel:S%7C".$latitude.','.$longitude;
$imageLocation = imagecreatefromjpeg($url);
$tmpfname = tempnam("php://temp","pmm");
@@ -668,17 +634,21 @@ class Light extends Api
$_FILES["form"]["error"] = 0;
$sizes = getimagesize($tmpfname);
$_FILES["form"]["size"] = ($sizes['0'] * $sizes['1']);
$file = $inputDocument->addCasesInputDocument($app_uid, $tas_uid, $app_doc_comment, $inp_doc_uid, $userUid);
$request_data = array(array('name' => $_FILES["form"]["name"]));
$file = $oMobile->postUidUploadFiles($userUid, $app_uid, $request_data);
$strPathName = PATH_DOCUMENT . G::getPathFromUID($app_uid) . PATH_SEP;
$strFileName = $file->app_doc_uid . "_" . $file->app_doc_version . ".jpg";
copy($tmpfname, $strPathName . "/" . $strFileName);
$response = $this->parserInputDocument($file);
$strFileName = $file[0]['appDocUid'] . "_" . $file[0]['docVersion'] . ".jpg";
if (! is_dir( $strPathName )) {
G::verifyPath( $strPathName, true );
}
copy($tmpfname, $strPathName . $strFileName);
unlink($tmpfname);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $response;
return $file;
}
/**
@@ -794,10 +764,28 @@ class Light extends Api
try {
$userUid = $this->getUserId();
$oMobile = new \ProcessMaker\BusinessModel\Light();
$filesUids = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data);
$response = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $filesUids;
return $response;
}
/**
* @url POST /case/:app_uid/claim
*
* @param $app_uid
* @return mixed
*/
public function claimCaseUser($app_uid)
{
try {
$userUid = $this->getUserId();
$oMobile = new \ProcessMaker\BusinessModel\Light();
$response = $oMobile->claimCaseUser($userUid, $app_uid);
} catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
}
return $response;
}
}

4
workflow/engine/templates/appFolder/appFolderTree.php
View File

@@ -56,7 +56,9 @@ $html = '
}
return 'Unknown';
}
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SERVER['HTTP_USER_AGENT'] = $filter->xssFilterHard($_SERVER['HTTP_USER_AGENT']);
if((looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 8')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 7')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 6')){
$html.="
<div class='content' style='width:360px;height: expression( this.scrollHeight > 319 ? \'320px\' : \'auto\' ); /* sets max-height for IE */ max-height: 320px; /* sets max-height value for all standards-compliant browsers */ overflow:hidden;'>

22
workflow/engine/templates/cases/casesDocuments.js
View File

@@ -1739,6 +1739,16 @@ function copymoveCtx(e) {
copymove('moveExecute');
}
var loader = new Ext.tree.TreeLoader({
preloadChildren : true,
dataUrl : '../appFolder/appFolderAjax.php',
baseParams : {
action : 'expandNode',
sendWhat : 'dirs',
renderTree : 1
}
});
var documentsTab = {
id : 'documents',
// title : 'Documents',
@@ -1772,15 +1782,7 @@ var documentsTab = {
}
],
// rootVisible: false,
loader : new Ext.tree.TreeLoader({
preloadChildren : true,
dataUrl : '../appFolder/appFolderAjax.php',
baseParams : {
action : 'expandNode',
sendWhat : 'dirs',
renderTree : 1
}
}),
loader : loader,
containerScroll : true,
enableDD : true,
ddGroup : 'TreeDD',
@@ -1834,7 +1836,7 @@ var documentsTab = {
return true;
}
},
'beforenodedrop' : {
'nodedrop' : {
fn : function(e) {
dropEvent = e;
copymoveCtx(e);

5
workflow/engine/templates/cases/cases_Load.php
View File

@@ -1,3 +1,8 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST['qs'] = $filter->xssFilterHard($_POST['qs']);
?>
<html>
<style type="text/css">
.Footer .content {

6
workflow/engine/templates/designer/index.html
View File

@@ -82,12 +82,14 @@
<nav>
<ul>
<li><a href="#" ><span class="mafe-button-close" ></span></a></li>
<li><a href="#" class="mafe-button-save"></a></li>
<li class="mafe-save-process"><a href="#" class="mafe-button-save"></a></li>
<li><a href="#" class="mafe-button-export-process"></a></li>
<li><a class="mafe-button-export-bpmn-process"></a></li>
<li><a href="#" class="mafe-button-undo"></a> <a href="#" class="mafe-button-redo"></a></li>
<li></li>
<li class="mafe-undo"><a href="#"><span class="mafe-button-undo"></span></a></li>
<li class="mafe-redo"><a href="#"><span class="mafe-button-redo"></span></a></li>
<li><a href="#" title="" class="mafe-button-fullscreen"></a></li>
<li></li>
</ul>
</nav>

7
workflow/engine/templates/oauth2/authorize.php
View File

@@ -1,6 +1,9 @@
<?php
require_once PATH_CORE . 'src/ProcessMaker/Services/OAuth2/PmPdo.php';
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"],"url");
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
$port = empty($port) ? '' : ";port=$port";
@@ -34,7 +37,7 @@ $response = array(
'supportedScope' => $this->scope,
'requestedScope' => $requestedScope
);
$response = $filter->xssFilterHard($response,"url");
?>
<table width="100%" cellspacing="0" cellpadding="0" border="0">

21
workflow/engine/templates/oauth2/clientSetup.js
View File

@@ -289,7 +289,11 @@ clientSetup.application = {
id: "txtName",
name: "txtName",
fieldLabel: "Name"
fieldLabel: "Name",
validator: function(value){
var val = (value=='')? false: true;
return val;
}
},
{
xtype: "label",
@@ -321,7 +325,14 @@ clientSetup.application = {
name: "txtWebSite",
fieldLabel: "Web Site",
vtype: "url"
validator: function (value){
var regexpUrl = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var regexStringIp = new RegExp(regexpUrl);
var regexpIpAdress = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/g;
var regexNumberIp = new RegExp(regexpIpAdress);
var result = (value.match(regexStringIp) || value.match(regexNumberIp))? true : false;
return result;
}
},
{
xtype: "label",
@@ -345,7 +356,7 @@ clientSetup.application = {
fieldLabel: "&nbsp;",
labelSeparator: "",
html: "<span style=\"font-size: 11px;\">" + "here should we return after successfully authenticating? For @Anywhere applications, only the domain specified in the callback will be used. OAuth 1.0a applications should explicitly specify their oauth_callback URL on the request token step, regardless of the value given here. To restrict your application from using callbacks, leave this field blank." + "</span>"
html: "<span style=\"font-size: 11px;\">" + "URL where redirected after successfully authenticating (calling the {workspace}/oauth2/authorize endpoint). This URL typically contains code to get the access token from the {workspace}/oauth2/token endpoint. To prevent your application from using callbacks, leave this field blank." + "</span>"
}
]
})
@@ -499,7 +510,7 @@ clientSetup.application = {
var btnDetail = new Ext.Action({
id: "btnDetail",
text: _("ID_DETAIL"),
text: _("ID_DETAILS"),
iconCls: "button_menu_ext ss_sprite ss_zoom",
handler: function ()
@@ -695,7 +706,7 @@ clientSetup.application = {
items: [grdpnlMain]
});
}
}
Ext.onReady(clientSetup.application.init, clientSetup.application);

18
workflow/engine/templates/setup/main.js
View File

@@ -4,6 +4,8 @@
*/
var _NODE_SELECTED;
var flagRenderTabLog = false;
var main = function(){
var cookiep = new Ext.state.CookieProvider();
@@ -130,7 +132,19 @@ var main = function(){
activeTab:this.items.indexOf(this.getActiveTab())
};
},
items: items
items: items,
listeners: {
tabchange: function (tabpanel, tab)
{
if (tab.id == "logs" && flagRenderTabLog) {
tab.getLoader().load(tab.root);
}
if (tab.id == "logs") {
flagRenderTabLog = true;
}
}
}
}),
{
region: 'center',
@@ -166,5 +180,3 @@ new Ext.KeyMap(document, {
});
Ext.onReady(main);

2
workflow/engine/xmlform/dynaforms/dynaforms_WebEntry.xml
View File

@@ -171,7 +171,7 @@ var webEntry_generate = function(PRO_UID, TASKS, DYNAFORM) {
if(getField('WE_TYPE').value=='SINGLE')
{ oPanel1 = new leimnud.module.panel();
oPanel1.options = {
size :{w:600,h:400},
size :{w:500,h:390},
position:{x:0,y:0,center:true},
title :"Web Entry",
statusBar:true,