diff --git a/maarch_entreprise/trunk/class/contacts_controler.php b/maarch_entreprise/trunk/class/contacts_controler.php
index 3679a5eec5d782f45188d6133d29377d36c3916e..4881dafdb60e48bc4580716fb1875dec58bcbc6a 100644
--- a/maarch_entreprise/trunk/class/contacts_controler.php
+++ b/maarch_entreprise/trunk/class/contacts_controler.php
@@ -15,62 +15,6 @@ try {
 */
 class contacts_controler extends ObjectControler implements ObjectControlerIF {
- public function listContacts($whereClause) {
- $listResult = array();
- try {
- $db = new Database();
- $cpt = 0;
- if (
- isset($whereClause->whereClause)
- && !empty($whereClause->whereClause)
- ) {
- $sqlQuery = "SELECT * FROM contacts WHERE "
- . $whereClause->whereClause . " ORDER BY contact_id ASC";
- } else {
- $sqlQuery = "SELECT * FROM contacts ORDER BY contact_id ASC";
- }
-
- $stmt = $db->query($sqlQuery);
-
- if ($stmt->rowCount() > 0) {
- while ($line = $stmt->fetchObject()) {
- $listResult[$cpt]['contact_id'] = $line->contact_id;
- $listResult[$cpt]['lastname'] = $line->lastname;
- $listResult[$cpt]['firstname'] = $line->firstname;
- $listResult[$cpt]['society'] = $line->society;
- $listResult[$cpt]['function'] = $line->function;
- $listResult[$cpt]['address_num'] = $line->address_num;
- $listResult[$cpt]['address_street'] = $line->address_street;
- $listResult[$cpt]['address_complement'] = $line->address_complement;
- $listResult[$cpt]['address_town'] = $line->address_town;
- $listResult[$cpt]['address_postal_code'] = $line->address_postal_code;
- $listResult[$cpt]['address_country'] = $line->address_country;
- $listResult[$cpt]['email'] = $line->email;
- $listResult[$cpt]['phone'] = $line->phone;
- $listResult[$cpt]['other_data'] = $line->other_data;
- $listResult[$cpt]['is_corporate_person'] = $line->is_corporate_person;
- $listResult[$cpt]['user_id'] = $line->user_id;
- $listResult[$cpt]['title'] = $line->title;
- $listResult[$cpt]['enabled'] = $line->enabled;
- $cpt++;
- }
- } else {
- $error = 'Aucun Contacts dans la base';
- }
- } catch (Exception $e) {
- $fault = new SOAP_Fault($e->getMessage(), '1');
- return $fault->message();
- }
- $func = new functions();
- $resultArray = array();
- $resultArray = $func->object2array($listResult);
- $return = array(
- 'status' => $sqlQuery,
- 'value' => $resultArray,
- 'error' => $error,
- );
- return $return;
- }
 /**
 * Save given object in database.
diff --git a/maarch_entreprise/trunk/class/ws.php b/maarch_entreprise/trunk/class/ws.php
index 78838f4a627e14c6d2c19399794e29753507ea85..3b8ced4f595cb7522d7c9d7949941f05c0d86ef8 100644
--- a/maarch_entreprise/trunk/class/ws.php
+++ b/maarch_entreprise/trunk/class/ws.php
@@ -16,44 +16,6 @@ $SOAP_dispatch_map['addContact'] = Array(
 'out' => Array('out' => 'string'),
 'method' => "apps#contacts::save"
 );
-/*
- * Récupère la liste des contacts
- */
-
-$SOAP_typedef['searchParams'] = array(
- 'whereClause' => 'string'
-);
-
-$SOAP_typedef['complexContactOut'] = array( 'status'=>'string',
- 'value'=>'{urn:MaarchSoapServer}listOfContacts',
- 'error'=>'string'
- );
-
-$SOAP_typedef['listOfContacts'] = array( 'contact_id'=>'long',
- 'lastname'=>'string',
- 'firstname'=>'string',
- 'society'=>'string',
- 'function'=>'string',
- 'address_num'=>'string',
- 'address_street'=>'string',
- 'address_complement'=>'string',
- 'address_town'=>'string',
- 'address_postal_code'=>'string',
- 'address_country'=>'string',
- 'email'=>'string',
- 'phone'=>'string',
- 'other_data'=>'string',
- 'is_corporate_person'=>'string',
- 'user_id'=>'string',
- 'title'=>'string',
- 'enabled'=>'string'
- );
-
-$SOAP_dispatch_map['listContacts'] = Array(
- 'in' => Array('searchParams'=>'{urn:MaarchSoapServer}searchParams'),
- 'out' => Array('out'=> '{urn:MaarchSoapServer}complexContactOut'),
- 'method' => "apps#contacts::listContacts"
- );
 $SOAP_typedef['returnId'] = array( 'returnCode'=>'int',
 'contactId'=>'string',
diff --git a/maarch_entreprise/trunk/get_content_js.php b/maarch_entreprise/trunk/get_content_js.php
index 38088eb7f75c9716f963f70c90b2affe581c07ed..06095022f5b4cceab06e3658d7302823e8e54b17 100644
--- a/maarch_entreprise/trunk/get_content_js.php
+++ b/maarch_entreprise/trunk/get_content_js.php
@@ -32,20 +32,19 @@ header('content-type: text/javascript');
-if(empty($_REQUEST['scripts']))
-{
+if (empty($_REQUEST['scripts'])) {
 echo '';
 exit();
 }
 $arr_scripts = explode('$$', $_REQUEST['scripts']);
-//print_r($arr_scripts);
-for($i=0; $i<count($arr_scripts ); $i++)
-{
- if($arr_scripts[$i] <> '')
- {
+for ($i=0; $i<count($arr_scripts ); $i++) {
+ if ($arr_scripts[$i] <> '') {
+ $arr_scripts[$i] = str_replace("\\", "", $arr_scripts[$i]);
+ $arr_scripts[$i] = str_replace("/", "", $arr_scripts[$i]);
+ $arr_scripts[$i] = str_replace("..", "", $arr_scripts[$i]);
 echo file_get_contents($arr_scripts[$i]);
 }
 }
 exit();
-?>
+
diff --git a/maarch_entreprise/trunk/index.php b/maarch_entreprise/trunk/index.php
index 7c4d9336457e27aa8c5a867390eda52125f829d8..c010ce20d34525240c6ea2288f585f55c05d482d 100644
--- a/maarch_entreprise/trunk/index.php
+++ b/maarch_entreprise/trunk/index.php
@@ -104,6 +104,20 @@ if (!$valid) {
 $error .= $validOutpout['validationErrors'][$cptV]->parameter . PHP_EOL;
 $error .= $validOutpout['validationErrors'][$cptV]->value . PHP_EOL;
 }
+ foreach ($_REQUEST as $name => $value) {
+ if (is_string($value) && strpos($value, "<") !== false) {
+ $value = preg_replace('/(<\/?script[^>]*>|<\?php|<\?[\s|\n|\r])/i', "", $value);
+ $_REQUEST[$name] = $value;
+ $_GET[$name] = $value;
+ $_POST[$name] = $value;
+ }
+ $value = str_replace("\\", "", $value);
+ $value = str_replace("/", "", $value);
+ $value = str_replace("..", "", $value);
+ $_REQUEST[$name] = $value;
+ $_GET[$name] = $value;
+ $_POST[$name] = $value;
+ }
 //process error for ajax request
 if (
 array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER)
diff --git a/maarch_entreprise/trunk/static.php b/maarch_entreprise/trunk/static.php
index bf28b0e977987e7de5227de9508cf2bd6b6a6207..f4ab0722f0ee759e68641214e4a9863c7f313e4f 100644
--- a/maarch_entreprise/trunk/static.php
+++ b/maarch_entreprise/trunk/static.php
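Review bot: Stripping `\`, `/` and `..` from each entry before `file_get_contents` is a deny-by-substitution filter: what survives is still whatever name the client sent, so any readable file in the script's working directory (PHP sources included) can be echoed back as JavaScript. An allowlist is the robust form — keep the entry only when `preg_match('/^[A-Za-z0-9_.-]+\.js$/', $arr_scripts[$i])` holds (or `basename($x) === $x` plus an extension check against a fixed script directory) and skip or 404 otherwise, instead of rewriting the value. The same three `str_replace` calls are repeated in static.php and index.php in this commit; one shared helper that validates rather than strips would cover all three sites. The `false` that `file_get_contents` returns on failure is also echoed unchecked here.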
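Review bot: The new loop copies every `$_REQUEST` entry into both `$_GET` and `$_POST` and rewrites its value with `/`, `\` and `..` removed, on every parameter of every request, so a value that legitimately contains a slash (a URL, a path, a date written as `01/02/2013` — constructed example) is silently corrupted, and any code that inspects `$_POST` to tell a form submission from a GET will now see GET-supplied values. The `preg_replace` blocklist removes only `<script>` and `<?php` openers and is not a substitute for escaping at output time (`htmlspecialchars` where the values are rendered). The hunk header places this block inside `if (!$valid) {`, i.e. after validation has already failed; if that is the real nesting, the stripping never runs for accepted requests — the brace structure is not visible in the hunk, so please confirm. Restricting the `str_replace` set to the specific file-name parameters (`filename`, `scripts`) and leaving the superglobals otherwise untouched would be the narrower change.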
@@ -3,6 +3,9 @@ include_once('../../core/init.php');
 if(isset($_GET['filename']) && !empty($_GET['filename'])) {
+ $_GET['filename'] = str_replace("\\", "", $_GET['filename']);
+ $_GET['filename'] = str_replace("/", "", $_GET['filename']);
+ $_GET['filename'] = str_replace("..", "", $_GET['filename']);
 $filename = trim($_GET['filename']);
 $items = explode('.', $filename);
 $ext = array_pop($items);
diff --git a/maarch_entreprise/trunk/xml/IVS/data_types.xml b/maarch_entreprise/trunk/xml/IVS/data_types.xml
index dcfafa42607de9ebd524928d7cb17b451e7275f2..c33e6aff48032ca929aa58fa24e54f81cab0d9d8 100755
--- a/maarch_entreprise/trunk/xml/IVS/data_types.xml
+++ b/maarch_entreprise/trunk/xml/IVS/data_types.xml
@@ -122,4 +122,7 @@
 <dataType name="identifierPoint" base="graph">
 <pattern value="/^[\w.]+$/" />
 </dataType>
+ <dataType name="filename_secure" base="string">
+ <pattern value="/^[A-z0-9.]+$/" />
+ </dataType>
 </dataTypes>
diff --git a/maarch_entreprise/trunk/xml/IVS/requests_definitions.xml b/maarch_entreprise/trunk/xml/IVS/requests_definitions.xml
index 229f5d2b043949c9b43a3f28e6ef0beb3e4b007d..5831c12c2d00e524c36155c681a816761ebefc9a 100755
--- a/maarch_entreprise/trunk/xml/IVS/requests_definitions.xml
+++ b/maarch_entreprise/trunk/xml/IVS/requests_definitions.xml
@@ -701,12 +701,6 @@
 <parameter name="Input"/>
 </requestDefinition>
- <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
- <parameter name="page" value="static"/>
- <parameter name="display" value="true"/>
- <parameter name="filename"/>
- </requestDefinition>
-
 <requestDefinition method="POST" path="/apps/maarch_entreprise/index.php" validationRule="select_address" >
 <parameter name="page" value="select_attachedAddress"/>
 <parameter name="display" value="true"/>
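Review bot: The `filename_secure` pattern `/^[A-z0-9.]+$/` uses the range `A-z`, which in ASCII covers `A`–`Z`, then `[`, `\`, `]`, `^`, `_`, `` ` ``, then `a`–`z`; a backslash therefore passes a type whose whole purpose is to keep path characters out of a file name. The intended class is `<pattern value="/^[A-Za-z0-9._-]+$/" />` (drop `_-` if underscore and hyphen are not wanted). Consecutive dots are still allowed by that class, so whichever consumer builds a path from the value must also confine it to a fixed directory rather than rely on the type alone.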
@@ -722,6 +716,46 @@
 <parameter name="display" value="true"/>
 </requestDefinition>
+ <requestDefinition method="POST" path="/apps/maarch_entreprise/index.php" validationRule="get_content_js" >
+ <parameter name="page" value="get_content_js"/>
+ <parameter name="display" value="true"/>
+ </requestDefinition>
+
+ <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="get_content_js" >
+ <parameter name="page" value="get_content_js"/>
+ </requestDefinition>
+
+ <requestDefinition method="POST" path="/apps/maarch_entreprise/index.php" validationRule="get_content_js" >
+ <parameter name="page" value="get_content_js"/>
+ </requestDefinition>
+
+ <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="get_content_js" >
+ <parameter name="page" value="get_content_js"/>
+ </requestDefinition>
+
+ <requestDefinition method="POST" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
+ <parameter name="filename" value="static"/>
+ <parameter name="display" value="true"/>
+ </requestDefinition>
+
+ <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
+ <parameter name="filename" value="static"/>
+ </requestDefinition>
+
+ <requestDefinition method="POST" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
+ <parameter name="filename" value="static"/>
+ </requestDefinition>
+
+ <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
+ <parameter name="filename" value="static"/>
+ </requestDefinition>
+
+ <requestDefinition method="GET" path="/apps/maarch_entreprise/index.php" validationRule="static_filename" >
+ <parameter name="page" value="static"/>
+ <parameter name="display" value="true"/>
+ <parameter name="filename"/>
+ </requestDefinition>
+
 <!-- CORE PART -->
 <xi:include href="../../../../core/xml/IVS/requests_definitions.xml"/>
 <!-- MODULES PART -->
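Review bot: Eight of the nine added definitions are duplicates — the `get_content_js` block is two identical POST entries and two identical GET entries (the first differing only by the optional `display` line), and the same holds for the four `static_filename` entries that carry `<parameter name="filename" value="static"/>`. That `name="filename" value="static"` line reads like a copy-paste of `name="page" value="static"` from the last definition: as written it pins the user's `filename` parameter to the constant `static` instead of matching the page, so those four entries would match a request no caller makes. One GET and one POST definition per page, each with `<parameter name="page" value="..."/>`, expresses the same routing; the final GET `static` definition is the one deleted in the previous hunk and could simply stay where it was.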
diff --git a/maarch_entreprise/trunk/xml/IVS/validation_rules.xml b/maarch_entreprise/trunk/xml/IVS/validation_rules.xml
index a826dfc5f2f88de88f00f4f404b95e12d096aa51..42d02f07d24eb6e578430f9bc89070e38883600f 100755
--- a/maarch_entreprise/trunk/xml/IVS/validation_rules.xml
+++ b/maarch_entreprise/trunk/xml/IVS/validation_rules.xml
@@ -10,6 +10,7 @@
 <parameter name="order_field" type="string" />
 <parameter name="module" type="identifier" />
 <parameter name="level" type="identifier" />
+ <parameter name="dir" type="identifier" />
 </validationRule>
 <validationRule name="admin_users_update" extends="standardForm" mode="error">
@@ -719,10 +720,6 @@
 <parameter name="Input" type="string" />
 </validationRule>
- <validationRule name="static_filename" extends="standardForm" mode="error">
- <parameter name="filename" type="filename" />
- </validationRule>
-
 <validationRule name="select_address" extends="standardForm" mode="error">
 <parameter name="contact_id" type="identifier" />
 <parameter name="select" type="integer" />
@@ -752,4 +749,13 @@
 <validationRule name="baseExample" >
 <parameter name="param1" type="string" />
 </validationRule>
+
+ <validationRule name="get_content_js" extends="standardForm" mode="error">
+ <parameter name="scripts" type="filename_secure" />
+ </validationRule>
+
+ <validationRule name="static_filename" extends="standardForm" mode="error">
+ <parameter name="filename" type="boolean" />
+ </validationRule>
+
 </validationRules>
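Review bot: The re-added `static_filename` rule in the last hunk types `filename` as `boolean`, while static.php (patched in this same commit) reads `$_GET['filename']` as a file name and takes its extension with `explode('.', ...)`; a boolean type cannot accept `name.ext`, and the rule it replaces used `type="filename"`. If the new restricted type was the goal, `<parameter name="filename" type="filename_secure" />` is the consistent line. The `get_content_js` rule just above it types `scripts` as `filename_secure`, yet get_content_js.php splits that value on `$$`, which the pattern does not admit, so only a single bare script name can pass validation — confirm whether that is the intended contract before the rule ships.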