Merge remote-tracking branch 'origin/support/2.5' into release/2.6

# Conflicts: # application/utils.inc.php # js/dashboard.js # pages/ajax.render.php
2026-05-17 06:18:44 +02:00 · 2018-11-26 18:27:36 +01:00
parent c0cd450c5f d831549c7b
commit 5309aa225a
5 changed files with 74 additions and 55 deletions
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -303,6 +303,9 @@ class LoginWebPage extends NiceWebPage
 		$sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
 		$sToken = utils::ReadParam('token', '', false, 'raw_data');

+		$sAuthUserForDisplay = utils::HtmlEntities($sAuthUser);
+		$sTokenForDisplay = utils::HtmlEntities($sToken);
+
 		UserRights::Login($sAuthUser); // Set the user's language
 		$oUser = UserRights::GetUserObject();

@@ -311,7 +314,7 @@ class LoginWebPage extends NiceWebPage
 		$this->add("<h1>".Dict::S('UI:ResetPwd-Title')."</h1>\n");
 		if ($oUser == null)
 		{
-			$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."</p>\n");
+			$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUserForDisplay)."</p>\n");
 		}
 		else
 		{
@@ -323,7 +326,8 @@ class LoginWebPage extends NiceWebPage
 			}
 			else
 			{
-				$this->add("<p>".Dict::Format('UI:ResetPwd-Error-EnterPassword', $oUser->GetFriendlyName())."</p>\n");
+				$sUserNameForDisplay = utils::HtmlEntities($oUser->GetFriendlyName());
+				$this->add("<p>".Dict::Format('UI:ResetPwd-Error-EnterPassword', $sUserNameForDisplay)."</p>\n");
 	
 				$sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch');
 				$this->add_script(
@@ -346,8 +350,8 @@ EOF
 				$this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"><span class=\"btn_border\"><input type=\"submit\" onClick=\"return DoCheckPwd();\" value=\"".Dict::S('UI:Button:ChangePassword')."\" /></span></td></tr>\n");
 				$this->add("</table>\n");
 				$this->add("<input type=\"hidden\" name=\"loginop\" value=\"do_reset_pwd\" />\n");
-				$this->add("<input type=\"hidden\" name=\"auth_user\" value=\"".htmlentities($sAuthUser, ENT_QUOTES, 'UTF-8')."\" />\n");
-				$this->add("<input type=\"hidden\" name=\"token\" value=\"".htmlentities($sToken, ENT_QUOTES, 'UTF-8')."\" />\n");
+				$this->add("<input type=\"hidden\" name=\"auth_user\" value=\"".$sAuthUserForDisplay."\" />\n");
+				$this->add("<input type=\"hidden\" name=\"token\" value=\"".$sTokenForDisplay."\" />\n");
 				$this->add("</form>\n");
 				$this->add("</div\n");
 			}
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -1111,10 +1111,11 @@ class utils
 				$sCloseBtn = addslashes(Dict::S('UI:Button:Cancel'));
 				$sDashboardFileJS = addslashes($sDashboardFile);
 				$sDashboardFileURL = urlencode($sDashboardFile);
+				$sUploadDashboardTransactId = utils::GetNewTransactionId();
 				$aResult = array(
 					new SeparatorPopupMenuItem(),
 					new URLPopupMenuItem('UI:ExportDashboard', Dict::S('UI:ExportDashBoard'), utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php?operation=export_dashboard&id='.$sDashboardId.'&file='.$sDashboardFileURL),
-					new JSPopupMenuItem('UI:ImportDashboard', Dict::S('UI:ImportDashBoard'), "UploadDashboard({dashboard_id: '$sDashboardId', file: '$sDashboardFileJS', title: '$sDlgTitle', text: '$sDlgText', close_btn: '$sCloseBtn' })"),
+					new JSPopupMenuItem('UI:ImportDashboard', Dict::S('UI:ImportDashBoard'), "UploadDashboard({dashboard_id: '$sDashboardId', file: '$sDashboardFileJS', title: '$sDlgTitle', text: '$sDlgText', close_btn: '$sCloseBtn', transaction: '$sUploadDashboardTransactId' })"),
 				);
 				if ($oDashboard->GetReloadURL())
 				{
@@ -1426,7 +1427,7 @@ class utils
 		asort($aPossibleEncodings);
 		return $aPossibleEncodings;
 	}
-	
+
 	/**
 	 * Helper to encapsulation iTop's htmlentities
 	 * @param string $sValue
@@ -1436,7 +1437,7 @@ class utils
 	{
 		return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
 	}
-	
+
 	/**
 	 * Convert a string containing some (valid) HTML markup to plain text
 	 * @param string $sHtml
--- a/datamodels/2.x/itop-backup/check-backup.php
+++ b/datamodels/2.x/itop-backup/check-backup.php
@@ -212,56 +212,59 @@ catch(Exception $e)
 }

 $sZipArchiveFile = MakeArchiveFileName().'.tar.gz';
-echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFile\n";
+$sZipArchiveFileForDisplay = utils::HtmlEntities($sZipArchiveFile);
+echo date('Y-m-d H:i:s')." - Checking file: $sZipArchiveFileForDisplay\n";

-if (file_exists($sZipArchiveFile))
+
+if (!file_exists($sZipArchiveFile))
 {
-	if ($aStat = stat($sZipArchiveFile))
-	{
-		$iSize = (int) $aStat['size'];
-		$iMIN = utils::ReadParam('check_size_min', 0);
-		if ($iSize > $iMIN)
-		{
-			echo "Found the archive\n";
-			$sOldArchiveFile = MakeArchiveFileName(time() - 86400).'.tar.gz'; // yesterday's archive
-			if (file_exists($sOldArchiveFile))
-			{
-				if ($aOldStat = stat($sOldArchiveFile))
-				{
-					echo "Comparing its size with older file: $sOldArchiveFile\n";
-					$iOldSize = (int) $aOldStat['size'];
-					$fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;
-					$sVariation = round($fVariationPercent, 2)." percent(s)";
+	RaiseAlarm("Missing backup file '$sZipArchiveFileForDisplay'");

-					$iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');
-					if ($fVariationPercent < -$iREDUCTIONMAX)
-					{
-						RaiseAlarm("Backup file '$sZipArchiveFile' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
-					}
-					elseif ($fVariationPercent < 0)
-					{
-						echo "Size variation: $sVariation (the maximum allowed reduction is $iREDUCTIONMAX) \n";
-					}
-					else
-					{
-						echo "The archive grew by: $sVariation\n";
-					}
-				}
-			}
+	return;
+}
+
+$aStat = stat($sZipArchiveFile);
+if (!$aStat)
+{
+	RaiseAlarm("Failed to stat backup file '$sZipArchiveFileForDisplay'");
+
+	return;
+}
+
+$iSize = (int)$aStat['size'];
+$iMIN = utils::ReadParam('check_size_min', 0);
+if ($iSize <= $iMIN)
+{
+	RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' too small (Found: $iSize, while expecting $iMIN bytes)");
+
+	return;
+}
+
+
+echo "Found the archive\n";
+$sOldArchiveFile = MakeArchiveFileName(time() - 86400).'.tar.gz'; // yesterday's archive
+$sOldArchiveFileForDisplay = utils::HtmlEntities($sOldArchiveFile);
+if (file_exists($sOldArchiveFile))
+{
+	if ($aOldStat = stat($sOldArchiveFile))
+	{
+		echo "Comparing its size with older file: $sOldArchiveFileForDisplay\n";
+		$iOldSize = (int)$aOldStat['size'];
+		$fVariationPercent = 100 * ($iSize - $iOldSize) / $iOldSize;
+		$sVariation = round($fVariationPercent, 2)." percent(s)";
+
+		$iREDUCTIONMAX = utils::ReadParam('check_size_reduction_max');
+		if ($fVariationPercent < -$iREDUCTIONMAX)
+		{
+			RaiseAlarm("Backup file '$sZipArchiveFileForDisplay' changed by $sVariation, expecting a reduction limited to $iREDUCTIONMAX percents of the original size");
+		}
+		elseif ($fVariationPercent < 0)
+		{
+			echo "Size variation: $sVariation (the maximum allowed reduction is $iREDUCTIONMAX) \n";
 		}
 		else
 		{
-			RaiseAlarm("Backup file '$sZipArchiveFile' too small (Found: $iSize, while expecting $iMIN bytes)");
+			echo "The archive grew by: $sVariation\n";
 		}
 	}
-	else
-	{
-		RaiseAlarm("Failed to stat backup file '$sZipArchiveFile'");
-	}
 }
-else
-{
-	RaiseAlarm("Missing backup file '$sZipArchiveFile'");
-}
-
-?>
--- a/js/dashboard.js
+++ b/js/dashboard.js
@@ -373,6 +373,7 @@ $(function()
 			dashboard_id: '',
 			file_id: '',
 			file: '',
+			transaction: '',
 			text: 'Select a dashboard file to import',
 			title: 'Dahsboard Import',
 			close_btn: 'Close',
@@ -390,7 +391,7 @@ $(function()
 				//me.onClose();
 			};
 			$('#'+this.options.file_id).fileupload({
-				url: me.options.submit_to+'&id='+me.options.dashboard_id+'&file='+me.options.file,
+				url: me.options.submit_to+'&id='+me.options.dashboard_id+'&file='+me.options.file+'&transaction_id='+me.options.transaction,
 		        dataType: 'json',
 				pasteZone: null, // Don't accept files via Chrome's copy/paste
 		        done: function (e, data) {
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -942,6 +942,11 @@ try
 			break;

 		case 'import_dashboard':
+			$sTransactionId = utils::ReadParam('transaction_id', '', false, 'raw_data');
+			if (!utils::IsTransactionValid($sTransactionId, true))
+			{
+				throw new SecurityException('ajax.render.php import_dashboard : invalid transaction_id');
+			}
 			$sDashboardId = utils::ReadParam('id', '', false, 'raw_data');
 			$sDashboardFile = utils::ReadParam('file', '', false, 'raw_data');
 			$oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId);
@@ -2297,7 +2302,12 @@ EOF
 			try
 			{
 				$token = utils::ReadParam('token', null);
-				$aResult = array('code' => 'error', 'percentage' => 100, 'message' => "Export not found for token: '$token'"); // Fallback error, just in case
+				$sTokenForDisplay = utils::HtmlEntities($token);
+				$aResult = array( // Fallback error, just in case
+					'code' => 'error',
+					'percentage' => 100,
+					'message' => "Export not found for token: '$sTokenForDisplay'",
+				);
 				$data = '';
 				if ($token === null)
 				{
@@ -2372,11 +2382,11 @@ EOF
 				$oPage->add(json_encode($aResult));
 			} catch (BulkExportException $e)
 			{
-				$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->GetLocalizedMessage());
+				$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->GetLocalizedMessage()));
 				$oPage->add(json_encode($aResult));
 			} catch (Exception $e)
 			{
-				$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->getMessage());
+				$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->getMessage()));
 				$oPage->add(json_encode($aResult));
 			}
 			break;