mirror of
https://github.com/Combodo/iTop.git
synced 2026-02-13 07:24:13 +01:00
N°7374 - Security hardening
This commit is contained in:
jf-cbd
@@ -32,11 +32,37 @@ abstract class CellChangeSpec
|
||||
return $this->m_proposedValue;
|
||||
}
|
||||
|
||||
public function GetDisplayableValue()
|
||||
/**
|
||||
* @throws \Exception
|
||||
* @since 3.2.0
|
||||
*/
|
||||
public function GetCLIValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (is_object($this->m_proposedValue)) {
|
||||
if ($this->m_proposedValue instanceof ReportValue) {
|
||||
return $this->m_proposedValue->GetAsCSV($bLocalizedValues, ',', '"');
|
||||
}
|
||||
throw new Exception('Unexpected class : '. get_class($this->m_proposedValue));
|
||||
}
|
||||
return $this->m_proposedValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws \Exception
|
||||
* @since 3.2.0
|
||||
*/
|
||||
public function GetHTMLValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (is_object($this->m_proposedValue)) {
|
||||
if ($this->m_proposedValue instanceof ReportValue) {
|
||||
return $this->m_proposedValue->GetAsHTML($bLocalizedValues);
|
||||
}
|
||||
throw new Exception('Unexpected class : '. get_class($this->m_proposedValue));
|
||||
}
|
||||
return utils::EscapeHtml($this->m_proposedValue);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @since 3.1.0 N°5305
|
||||
*/
|
||||
@@ -51,12 +77,12 @@ abstract class CellChangeSpec
|
||||
}
|
||||
|
||||
/**
|
||||
* @since 3.1.0 N°5305
|
||||
* @since 3.2.0
|
||||
*/
|
||||
public function GetDisplayableValueAndDescription(): string
|
||||
public function GetCLIValueAndDescription(): string
|
||||
{
|
||||
return sprintf("%s%s",
|
||||
$this->GetDisplayableValue(),
|
||||
$this->GetCLIValue(),
|
||||
$this->GetDescription()
|
||||
);
|
||||
}
|
||||
@@ -105,13 +131,25 @@ class CellStatus_Issue extends CellStatus_Modify
|
||||
parent::__construct($proposedValue, $previousValue);
|
||||
}
|
||||
|
||||
public function GetDisplayableValue()
|
||||
public function GetCLIValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (is_null($this->m_proposedValue)) {
|
||||
return Dict::Format('UI:CSVReport-Value-SetIssue');
|
||||
}
|
||||
return Dict::Format('UI:CSVReport-Value-ChangeIssue',$this->m_proposedValue);
|
||||
}
|
||||
|
||||
public function GetHTMLValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (is_null($this->m_proposedValue))
|
||||
{
|
||||
return Dict::Format('UI:CSVReport-Value-SetIssue');
|
||||
}
|
||||
return Dict::Format('UI:CSVReport-Value-ChangeIssue', \utils::EscapeHtml($this->m_proposedValue));
|
||||
if ($this->m_proposedValue instanceof ReportValue)
|
||||
{
|
||||
return Dict::Format('UI:CSVReport-Value-ChangeIssue', $this->m_proposedValue->GetAsHTML($bLocalizedValues));
|
||||
}
|
||||
return Dict::Format('UI:CSVReport-Value-ChangeIssue',utils::EscapeHtml($this->m_proposedValue));
|
||||
}
|
||||
|
||||
public function GetDescription()
|
||||
@@ -119,12 +157,12 @@ class CellStatus_Issue extends CellStatus_Modify
|
||||
return $this->m_sReason;
|
||||
}
|
||||
/*
|
||||
* @since 3.1.0 N°5305
|
||||
* @since 3.2.0
|
||||
*/
|
||||
public function GetDisplayableValueAndDescription(): string
|
||||
public function GetCLIValueAndDescription(): string
|
||||
{
|
||||
return sprintf("%s. %s",
|
||||
$this->GetDisplayableValue(),
|
||||
$this->GetCLIValue(),
|
||||
$this->GetDescription()
|
||||
);
|
||||
}
|
||||
@@ -169,7 +207,7 @@ class CellStatus_SearchIssue extends CellStatus_Issue
|
||||
$this->sAllowedValuesSearch = $sAllowedValuesSearch;
|
||||
}
|
||||
|
||||
public function GetDisplayableValue()
|
||||
public function GetCLIValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (null === $this->m_sReason) {
|
||||
return Dict::Format('UI:CSVReport-Value-NoMatch', '');
|
||||
@@ -178,6 +216,15 @@ class CellStatus_SearchIssue extends CellStatus_Issue
|
||||
return $this->m_sReason;
|
||||
}
|
||||
|
||||
public function GetHTMLValue(bool $bLocalizedValues = false): string
|
||||
{
|
||||
if (null === $this->m_sReason) {
|
||||
return Dict::Format('UI:CSVReport-Value-NoMatch', '');
|
||||
}
|
||||
|
||||
return utils::EscapeHtml($this->m_sReason);
|
||||
}
|
||||
|
||||
public function GetDescription()
|
||||
{
|
||||
if (\utils::IsNullOrEmptyString($this->m_sAllowedValues) ||
|
||||
@@ -224,6 +271,33 @@ class CellStatus_NullIssue extends CellStatus_Issue
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Class to differ formatting depending on the caller
|
||||
*/
|
||||
class ReportValue
|
||||
{
|
||||
/**
|
||||
* @param DBObject $oObject
|
||||
* @param string $sAttCode
|
||||
* @param bool $bOriginal
|
||||
*/
|
||||
public function __construct(protected DBObject $oObject, protected string $sAttCode, protected bool $bOriginal){}
|
||||
|
||||
public function GetAsHTML(bool $bLocalizedValues)
|
||||
{
|
||||
if ($this->bOriginal) {
|
||||
return $this->oObject->GetOriginalAsHTML($this->sAttCode, $bLocalizedValues);
|
||||
}
|
||||
return $this->oObject->GetAsHTML($this->sAttCode, $bLocalizedValues);
|
||||
}
|
||||
public function GetAsCSV (bool $bLocalizedValues, string $sCsvSep, string $sCsvDelimiter) {
|
||||
if ($this->bOriginal) {
|
||||
return $this->oObject->GetOriginalAsCSV($this->sAttCode, $sCsvSep, $sCsvDelimiter, $bLocalizedValues);
|
||||
}
|
||||
return $this->oObject->GetAsCSV($this->sAttCode, $sCsvSep, $sCsvDelimiter, $bLocalizedValues);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class CellStatus_Ambiguous extends CellStatus_Issue
|
||||
{
|
||||
@@ -410,22 +484,6 @@ class BulkChange
|
||||
$this->m_aExtKeysMappingCache = array();
|
||||
}
|
||||
|
||||
protected $m_bReportHtml = false;
|
||||
protected $m_sReportCsvSep = ',';
|
||||
protected $m_sReportCsvDelimiter = '"';
|
||||
|
||||
public function SetReportHtml()
|
||||
{
|
||||
$this->m_bReportHtml = true;
|
||||
}
|
||||
|
||||
public function SetReportCsv($sSeparator = ',', $sDelimiter = '"')
|
||||
{
|
||||
$this->m_bReportHtml = false;
|
||||
$this->m_sReportCsvSep = $sSeparator;
|
||||
$this->m_sReportCsvDelimiter = $sDelimiter;
|
||||
}
|
||||
|
||||
protected function ResolveExternalKey($aRowData, $sAttCode, &$aResults)
|
||||
{
|
||||
$oExtKey = MetaModel::GetAttributeDef($this->m_sClass, $sAttCode);
|
||||
@@ -443,7 +501,7 @@ class BulkChange
|
||||
$value = $oForeignAtt->MakeValueFromString($aRowData[$iCol], $this->m_bLocalizedValues);
|
||||
}
|
||||
$oReconFilter->AddCondition($sReconKeyAttCode, $value, '=');
|
||||
$aResults[$iCol] = new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
$aResults[$iCol] = new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
|
||||
$oExtObjects = new CMDBObjectSet($oReconFilter);
|
||||
@@ -467,7 +525,7 @@ class BulkChange
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \DBObject $oTargetObj
|
||||
* @param DBObject $oTargetObj
|
||||
* @param array $aRowData
|
||||
* @param array $aErrors
|
||||
*
|
||||
@@ -530,7 +588,7 @@ class BulkChange
|
||||
}
|
||||
$aCacheKeys[] = $value;
|
||||
$oReconFilter->AddCondition($sReconKeyAttCode, $value, '=');
|
||||
$aResults[$iCol] = new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
$aResults[$iCol] = new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
$sCacheKey = implode('_|_', $aCacheKeys); // Unique key for this query...
|
||||
$iForeignKey = null;
|
||||
@@ -599,7 +657,7 @@ class BulkChange
|
||||
foreach ($aReconKeys as $sReconKeyAttCode => $iCol)
|
||||
{
|
||||
// Report the change on reconciliation values as well
|
||||
$aResults[$iCol] = new CellStatus_Modify(utils::HtmlEntities($aRowData[$iCol]));
|
||||
$aResults[$iCol] = new CellStatus_Modify($aRowData[$iCol]);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -677,50 +735,32 @@ class BulkChange
|
||||
// Reporting on fields
|
||||
//
|
||||
$aChangedFields = $oTargetObj->ListChanges();
|
||||
foreach ($this->m_aAttList as $sAttCode => $iCol)
|
||||
{
|
||||
if ($sAttCode == 'id')
|
||||
{
|
||||
$aResults[$iCol]= new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
foreach ($this->m_aAttList as $sAttCode => $iCol) {
|
||||
if ($sAttCode == 'id') {
|
||||
$aResults[$iCol]= new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($this->m_bReportHtml)
|
||||
{
|
||||
$sCurValue = $oTargetObj->GetAsHTML($sAttCode, $this->m_bLocalizedValues);
|
||||
$sOrigValue = $oTargetObj->GetOriginalAsHTML($sAttCode, $this->m_bLocalizedValues);
|
||||
else {
|
||||
$sCurValue = new ReportValue($oTargetObj, $sAttCode, false);
|
||||
$sOrigValue = new ReportValue($oTargetObj, $sAttCode, true);
|
||||
if (isset($aErrors[$sAttCode])) {
|
||||
$aResults[$iCol]= new CellStatus_Issue($aRowData[$iCol], $sOrigValue, $aErrors[$sAttCode]);
|
||||
}
|
||||
else
|
||||
{
|
||||
$sCurValue = $oTargetObj->GetAsCSV($sAttCode, $this->m_sReportCsvSep, $this->m_sReportCsvDelimiter, $this->m_bLocalizedValues);
|
||||
$sOrigValue = $oTargetObj->GetOriginalAsCSV($sAttCode, $this->m_sReportCsvSep, $this->m_sReportCsvDelimiter, $this->m_bLocalizedValues);
|
||||
}
|
||||
if (isset($aErrors[$sAttCode]))
|
||||
{
|
||||
$aResults[$iCol]= new CellStatus_Issue(utils::HtmlEntities($aRowData[$iCol]), $sOrigValue, $aErrors[$sAttCode]);
|
||||
}
|
||||
elseif (array_key_exists($sAttCode, $aChangedFields))
|
||||
{
|
||||
if ($oTargetObj->IsNew())
|
||||
{
|
||||
elseif (array_key_exists($sAttCode, $aChangedFields)){
|
||||
if ($oTargetObj->IsNew()) {
|
||||
$aResults[$iCol]= new CellStatus_Void($sCurValue);
|
||||
}
|
||||
else
|
||||
{
|
||||
else {
|
||||
$aResults[$iCol]= new CellStatus_Modify($sCurValue, $sOrigValue);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
else {
|
||||
// By default... nothing happens
|
||||
$oAttDef = MetaModel::GetAttributeDef($this->m_sClass, $sAttCode);
|
||||
if ($oAttDef instanceof AttributeDateTime)
|
||||
{
|
||||
if ($oAttDef instanceof AttributeDateTime) {
|
||||
$aResults[$iCol]= new CellStatus_Void($oAttDef->GetFormat()->Format($aRowData[$iCol]));
|
||||
}
|
||||
else
|
||||
{
|
||||
$aResults[$iCol]= new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
else {
|
||||
$aResults[$iCol]= new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -785,7 +825,7 @@ class BulkChange
|
||||
// Possibles values are displayed to UI user. we have to limit the amount of displayed values
|
||||
$oExtObjectSetWithCurrentUserPermissions->SetLimit(4);
|
||||
for($i = 0; $i < 3; $i++){
|
||||
/** @var \DBObject $oVisibleObject */
|
||||
/** @var DBObject $oVisibleObject */
|
||||
$oVisibleObject = $oExtObjectSetWithCurrentUserPermissions->Fetch();
|
||||
if (is_null($oVisibleObject)){
|
||||
break;
|
||||
@@ -1152,7 +1192,7 @@ class BulkChange
|
||||
if (!preg_match($sRegExp, $sValue))
|
||||
{
|
||||
$aResult[$iRow]["__STATUS__"]= new RowStatus_Issue(Dict::S('UI:CSVReport-Row-Issue-DateFormat'));
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Issue(utils::HtmlEntities($sValue), null, $sErrorMsg);
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Issue($sValue, null, $sErrorMsg);
|
||||
|
||||
}
|
||||
else
|
||||
@@ -1165,6 +1205,7 @@ class BulkChange
|
||||
}
|
||||
else
|
||||
{
|
||||
// almost impossible ti reproduce since even incorrect dates with correct formats are formated and $oDate will not be false
|
||||
// Leave the cell unchanged
|
||||
$aResult[$iRow]["__STATUS__"]= new RowStatus_Issue(Dict::S('UI:CSVReport-Row-Issue-DateFormat'));
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Issue($sValue, null, $sErrorMsg);
|
||||
@@ -1304,7 +1345,7 @@ class BulkChange
|
||||
{
|
||||
if (!array_key_exists($iCol, $aResult[$iRow]))
|
||||
{
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
}
|
||||
foreach($this->m_aExtKeys as $sAttCode => $aForeignAtts)
|
||||
@@ -1318,7 +1359,7 @@ class BulkChange
|
||||
if (!array_key_exists($iCol, $aResult[$iRow]))
|
||||
{
|
||||
// The foreign attribute is one of our reconciliation key
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Void(utils::HtmlEntities($aRowData[$iCol]));
|
||||
$aResult[$iRow][$iCol] = new CellStatus_Void($aRowData[$iCol]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user