diff --git a/application/dashlet.class.inc.php b/application/dashlet.class.inc.php index bf61a2785..2ba7e3b78 100644 --- a/application/dashlet.class.inc.php +++ b/application/dashlet.class.inc.php @@ -262,7 +262,7 @@ abstract class Dashlet } } catch (OqlException $e) { $oDashletContainer->AddCSSClass("dashlet-content"); - $oDashletContainer->AddHtml('

'.$e->GetUserFriendlyDescription().'

'); + $oDashletContainer->AddHtml('

'.utils::HtmlEntities($e->GetUserFriendlyDescription()).'

'); } catch (Exception $e) { $oDashletContainer->AddCSSClass("dashlet-content"); $oDashletContainer->AddHtml('

'.$e->getMessage().'

'); diff --git a/application/utils.inc.php b/application/utils.inc.php index ee882b0d0..1cc893884 100644 --- a/application/utils.inc.php +++ b/application/utils.inc.php @@ -454,6 +454,11 @@ class utils $retValue = preg_replace('/[^a-zA-Z0-9_]/', '', $value); break; + // For URL + case 'url': + $retValue = filter_var($value, FILTER_SANITIZE_URL); + break; + default: case static::ENUM_SANITIZATION_FILTER_RAW_DATA: $retValue = $value; diff --git a/core/action.class.inc.php b/core/action.class.inc.php index e5ee3ad0b..2ff7ee69c 100644 --- a/core/action.class.inc.php +++ b/core/action.class.inc.php @@ -277,7 +277,7 @@ class ActionEmail extends ActionNotification protected function FindRecipients($sRecipAttCode, $aArgs) { $sOQL = $this->Get($sRecipAttCode); - if (strlen($sOQL) == '') return ''; + if (strlen($sOQL) === 0) return ''; try { diff --git a/core/dbobject.class.php b/core/dbobject.class.php index bd21dd356..526122e61 100644 --- a/core/dbobject.class.php +++ b/core/dbobject.class.php @@ -2026,9 +2026,9 @@ abstract class DBObject implements iDisplay /** * check attributes together * - * @overwritable-hook You can extend this method in order to provide your own logic. - * - * @return bool + * @overwritable-hook You can extend this method in order to provide your own logic. + * + * @return true|string true if successful, the error description otherwise */ public function CheckConsistency() { diff --git a/core/displayablegraph.class.inc.php b/core/displayablegraph.class.inc.php index fdf72bd64..330e585e8 100644 --- a/core/displayablegraph.class.inc.php +++ b/core/displayablegraph.class.inc.php @@ -1195,8 +1195,10 @@ class DisplayableGraph extends SimpleGraph * @param float $xMax Right coordinate of the bounding box to display the graph * @param float $yMin Top coordinate of the bounding box to display the graph * @param float $yMax Bottom coordinate of the bounding box to display the graph + * + * @since 2.7.7 3.0.2 3.1.0 N°4985 $sComments param is no longer optional */ - function RenderAsPDF(PDFPage $oPage, $sComments = '', $sContextKey, $xMin = -1, $xMax = -1, $yMin = -1, $yMax = -1) + function RenderAsPDF(PDFPage $oPage, $sComments, $sContextKey, $xMin = -1, $xMax = -1, $yMin = -1, $yMax = -1) { $aContextDefs = static::GetContextDefinitions($sContextKey, false); // No need to develop the parameters $oPdf = $oPage->get_tcpdf(); diff --git a/datamodels/2.x/itop-portal-base/portal/src/Brick/BrickCollection.php b/datamodels/2.x/itop-portal-base/portal/src/Brick/BrickCollection.php index a9d15e642..54e869e76 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/Brick/BrickCollection.php +++ b/datamodels/2.x/itop-portal-base/portal/src/Brick/BrickCollection.php @@ -162,12 +162,20 @@ class BrickCollection // - Home $this->aHomeOrdering = $this->aAllowedBricks; usort($this->aHomeOrdering, function (PortalBrick $a, PortalBrick $b) { - return $a->GetRankHome() > $b->GetRankHome(); + if ($a->GetRankHome() === $b->GetRankHome()) { + return 0; + } + + return $a->GetRankHome() > $b->GetRankHome() ? 1 : -1; }); // - Navigation menu $this->aNavigationMenuOrdering = $this->aAllowedBricks; usort($this->aNavigationMenuOrdering, function (PortalBrick $a, PortalBrick $b) { - return $a->GetRankNavigationMenu() > $b->GetRankNavigationMenu(); + if ($a->GetRankNavigationMenu() === $b->GetRankNavigationMenu()) { + return 0; + } + + return $a->GetRankNavigationMenu() > $b->GetRankNavigationMenu() ? 1 : -1; }); } diff --git a/datamodels/2.x/itop-portal-base/portal/src/Brick/ManageBrick.php b/datamodels/2.x/itop-portal-base/portal/src/Brick/ManageBrick.php index 917a515b9..79d3c45a4 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/Brick/ManageBrick.php +++ b/datamodels/2.x/itop-portal-base/portal/src/Brick/ManageBrick.php @@ -485,7 +485,11 @@ class ManageBrick extends PortalBrick if (!$this->IsGroupingByDistinctValues($sName)) { usort($this->aGrouping[$sName]['groups'], function ($a, $b) { - return $a['rank'] > $b['rank']; + if ($a['rank'] === $b['rank']) { + return 0; + } + + return $a['rank'] > $b['rank'] ? 1 : -1; }); } diff --git a/datamodels/2.x/itop-portal-base/portal/src/DependencyInjection/SilexCompatBootstrap/PortalXmlConfiguration/Lists.php b/datamodels/2.x/itop-portal-base/portal/src/DependencyInjection/SilexCompatBootstrap/PortalXmlConfiguration/Lists.php index 0bddf5f31..306e23d94 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/DependencyInjection/SilexCompatBootstrap/PortalXmlConfiguration/Lists.php +++ b/datamodels/2.x/itop-portal-base/portal/src/DependencyInjection/SilexCompatBootstrap/PortalXmlConfiguration/Lists.php @@ -91,7 +91,10 @@ class Lists extends AbstractConfiguration } // - Sorting list items by rank usort($aListItems, function ($a, $b) { - return $a['rank'] > $b['rank']; + if ($a['rank'] == $b['rank']) { + return 0; + } + return $a['rank'] > $b['rank'] ? 1 : -1; }); $aClassLists[$sListId] = $aListItems; } diff --git a/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php b/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php index 1c5fc46e7..66df5a2a9 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php +++ b/datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php @@ -703,7 +703,7 @@ class ObjectFormManager extends FormManager /** @var Field $oField */ $oField = null; - if (is_callable(get_class($oAttDef).'::MakeFormField')) + if (is_callable([$oAttDef, 'MakeFormField'])) { $oField = $oAttDef->MakeFormField($this->oObject); } diff --git a/pages/ajax.render.php b/pages/ajax.render.php index cc043316c..ed6c53786 100644 --- a/pages/ajax.render.php +++ b/pages/ajax.render.php @@ -932,7 +932,7 @@ try $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $sDashboardFile = utils::ReadParam('file', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId); $aResult = array('error' => ''); if (!is_null($oDashboard)) @@ -950,7 +950,7 @@ try $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'raw_data'); $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $sDashboardFile = utils::ReadParam('file', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = RuntimeDashboard::GetDashboard($sDashboardFile, $sDashboardId); $aResult = array('error' => ''); if (!is_null($oDashboard)) @@ -967,7 +967,7 @@ try $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'context_param'); $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); appUserPreferences::SetPref('display_original_dashboard_'.$sDashboardId, false); $sJSExtraParams = json_encode($aExtraParams); $aParams = array(); @@ -1009,7 +1009,7 @@ JS case 'revert_dashboard': $sDashboardId = utils::ReadParam('dashboard_id', '', false, 'raw_data'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); appUserPreferences::UnsetPref('display_original_dashboard_'.$sDashboardId); $oDashboard = new RuntimeDashboard($sDashboardId); $oDashboard->Revert(); @@ -1039,7 +1039,7 @@ EOF $aParams['cells'] = utils::ReadParam('cells', array(), false, 'raw_data'); $aParams['auto_reload'] = utils::ReadParam('auto_reload', false); $aParams['auto_reload_sec'] = utils::ReadParam('auto_reload_sec', 300); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = new RuntimeDashboard($sDashboardId); $oDashboard->FromParams($aParams); $oDashboard->SetReloadURL($sReloadURL); @@ -1051,7 +1051,7 @@ EOF $aExtraParams = utils::ReadParam('extra_params', array(), false, 'raw_data'); $aExtraParams['dashboard_div_id'] = utils::Sanitize($sId, '', 'element_identifier'); $sDashboardFile = utils::ReadParam('file', '', false, 'string'); - $sReloadURL = utils::ReadParam('reload_url', '', false, 'raw_data'); + $sReloadURL = utils::ReadParam('reload_url', '', false, 'url'); $oDashboard = RuntimeDashboard::GetDashboardToEdit($sDashboardFile, $sId); if (!is_null($oDashboard)) { if (!empty($sReloadURL)) { diff --git a/pages/csvimport.php b/pages/csvimport.php index 886c16352..2fbd2afdd 100644 --- a/pages/csvimport.php +++ b/pages/csvimport.php @@ -237,6 +237,11 @@ try { throw new CoreException(Dict::S('UI:ActionNotAllowed')); } + // CSRF transaction id verification + if(!$bSimulate && !utils::IsTransactionValid(utils::ReadPostedParam('transaction_id', '', 'raw_data'))){ + throw new CoreException(Dict::S('UI:Error:InvalidToken')); + } + $aResult = array(); $sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data'); $sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '', false, 'raw_data'); @@ -523,6 +528,7 @@ try { $oForm = FormUIBlockFactory::MakeStandard('wizForm'); $oContainer->AddSubBlock($oForm); + $oForm->AddSubBlock(InputUIBlockFactory::MakeForHidden("transaction_id", utils::GetNewTransactionId())); $oForm->AddSubBlock(InputUIBlockFactory::MakeForHidden("step", ($iCurrentStep + 1))); $oForm->AddSubBlock(InputUIBlockFactory::MakeForHidden("separator", htmlentities($sSeparator, ENT_QUOTES, 'UTF-8'))); $oForm->AddSubBlock(InputUIBlockFactory::MakeForHidden("text_qualifier", htmlentities($sTextQualifier, ENT_QUOTES, 'UTF-8'))); @@ -682,7 +688,7 @@ EOF // Add graphs dependencies WebResourcesHelper::EnableC3JSToWebPage($oPage); - $oPage->add_script( + $oPage->add_script( <<< EOF function CSVGoBack() { @@ -1179,7 +1185,7 @@ EOF } $aGuesses = GuessParameters($sUTF8Data); // Try to predict the parameters, based on the input data - + $iSkippedLines = utils::ReadParam('nb_skipped_lines', ''); $bBoxSkipLines = utils::ReadParam('box_skiplines', 0); $sTextQualifier = utils::ReadParam('text_qualifier', '', false, 'raw_data'); diff --git a/test/phpunit.xml.dist b/test/phpunit.xml.dist index fa2d9d132..14bf874d7 100644 --- a/test/phpunit.xml.dist +++ b/test/phpunit.xml.dist @@ -44,12 +44,8 @@ application - - - - sources + + setup status diff --git a/test/phpunit_nightly.xml.dist b/test/phpunit_nightly.xml.dist new file mode 100644 index 000000000..684f4b6ba --- /dev/null +++ b/test/phpunit_nightly.xml.dist @@ -0,0 +1,42 @@ + + + + + + + + + + + + + OQL + + + + + + + ../core/apc-emulation.php + ../core/ormlinkset.class.inc.php + ../datamodels/2.x/itop-tickets/main.itop-tickets.php + + + +