


Denis Flaven
02a678efe0 N°1912: 🐛 text written in white in the PDF export of the impact analysis. 2018-12-26 15:33:27 +01:00
Denis Flaven
888f14ee36 Setup hardening. 2018-12-13 17:31:21 +01:00
Pierre Goiffon
553d60ab16 (Retrofit from trunk) N°1328 Fix CSV import : check if user has rights on imported class (r5597)
SVN:2.3[5602]
2018-04-04 07:37:10 +00:00
Guillaume Lajarige
cf973961bf (Retrofit from trunk) N°1038 Fatal error on transition with AttributeBlob or AttributeCaseLog
SVN:2.3[4909]
2017-09-13 16:10:05 +00:00
Guillaume Lajarige
789dd53743 (Retrofit from trunk) N°829 Portal: AttributeUrl was not clickable in the new portal
SVN:2.3[4687]
2017-04-19 15:37:32 +00:00
Guillaume Lajarige
a3dda04961 (Retrofit from trunk) Portal: Refactor a security check to remove unnecessary security messages in error.log
SVN:2.3[4685]
2017-04-18 13:58:51 +00:00
11 changed files with 300 additions and 190 deletions


@@ -4859,6 +4859,25 @@ class AttributeURL extends AttributeString
{
return $this->GetOptional('validation_pattern', '^'.utils::GetConfig()->Get('url_validation_pattern').'$');
}
static public function GetFormFieldClass()
{
return '\\Combodo\\iTop\\Form\\Field\\UrlField';
}
public function MakeFormField(DBObject $oObject, $oFormField = null)
{
if ($oFormField === null)
{
$sFormFieldClass = static::GetFormFieldClass();
$oFormField = new $sFormFieldClass($this->GetCode());
}
parent::MakeFormField($oObject, $oFormField);
$oFormField->SetTarget($this->Get('target'));
return $oFormField;
}
}
/**
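Review bot: GetFormFieldClass and MakeFormField are added without docblocks, whereas the neighbouring methods of this class are documented (the hunk ends on the `/**` opening the next definition). A docblock on MakeFormField such as `/** Builds the portal form field for this attribute. @param DBObject $oObject @param object|null $oFormField existing field to populate; when null a UrlField is instantiated from GetFormFieldClass() @return object the field, with its target set from this attribute's 'target' property */` would make the propagation of 'target' explicit. The AttributeURL class begins before the hunk.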


@@ -1270,6 +1270,7 @@ class DisplayableGraph extends SimpleGraph
$oPdf->SetAutoPageBreak(true, $fBreakMargin);
$oPdf->SetAlpha(1);
$oPdf->SetTextColor(0, 0, 0);
}
/**


@@ -191,8 +191,15 @@ class ormCaseLog {
public function __toString()
{
return $this->m_sLog;
if($this->IsEmpty()) return '';
return $this->m_sLog;
}
public function IsEmpty()
{
return ($this->m_sLog === null);
}
public function ClearModifiedFlag()
{
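Review bot: The new IsEmpty() has no docblock and its contract is narrower than the name suggests: it reports empty only when `m_sLog` is strictly null, so an empty-string log is not "empty" and `__toString` returns it unchanged. A docblock stating that, e.g. `/** @return bool true when no log content has been set (m_sLog is null); an empty string is not considered empty */`, would stop callers from assuming the two cases are equivalent. The one-line `if($this->IsEmpty()) return '';` also departs from the braced `if (...)` / `{` / `}` style used by the surrounding methods of this class. The class continues past the hunk.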


@@ -51,6 +51,8 @@ class ormDocument
public function __toString()
{
if($this->IsEmpty()) return '';
return MyHelpers::beautifulstr($this->m_data, 100, true);
}


@@ -368,7 +368,7 @@ class ManageBrickController extends BrickController
if ($sItemAttr === $sMainActionAttrCode)
{
// Checking if we can edit the object
if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_MODIFY, $sCurrentClass, $oCurrentRow->GetKey()) && ($oBrick->GetOpeningMode() === ManageBrick::ENUM_ACTION_EDIT))
if (($oBrick->GetOpeningMode() === ManageBrick::ENUM_ACTION_EDIT) && SecurityHelper::IsActionAllowed($oApp, UR_ACTION_MODIFY, $sCurrentClass, $oCurrentRow->GetKey()))
{
$sActionType = ManageBrick::ENUM_ACTION_EDIT;
}
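Review bot: The reordered condition has no comment explaining why the opening-mode test now comes first, and the existing `// Checking if we can edit the object` comment no longer tells the whole story; per the commit message the intent is that SecurityHelper::IsActionAllowed, which logs a security message when it denies, is only called when edit mode is actually requested. A comment such as `// Test the opening mode first: IsActionAllowed logs a denial in error.log, so only ask it when an edit is really requested` would protect the operand order against a future tidy-up that swaps it back. The enclosing loop and method start outside the hunk.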


@@ -192,6 +192,13 @@ try
*/
function ProcessCSVData(WebPage $oPage, $bSimulate = true)
{
$sClassName = utils::ReadParam('class_name', '', false, 'class');
// Class access right check for the import
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO)
{
throw new CoreException(Dict::S('UI:ActionNotAllowed'));
}
$aResult = array();
$sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
$sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '', false, 'raw_data');
@@ -203,7 +210,6 @@ try
{
$iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
}
$sClassName = utils::ReadParam('class_name', '', false, 'class');
$aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data');
$aSearchFields = utils::ReadParam('search_field', array(), false, 'field_name');
$iCurrentStep = $bSimulate ? 4 : 5;
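Review bot: The new access check at the top of ProcessCSVData rejects only when the result is loosely equal (`==`) to UR_ALLOWED_NO, so any other non-granting return value of UserRights::IsActionAllowed would be treated as permission; denying unless the result is exactly the granting value is the safer default, e.g. `if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) !== UR_ALLOWED_YES)` if that constant is what the method returns for an unconditional grant. Reading the class name and checking it before the CSV payload is read is the right order, and because the check precedes the `$bSimulate` branch it also covers the simulation pass. The second hunk only removes the now-duplicate `class_name` read. ProcessCSVData's body continues outside the hunk.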


@@ -1,182 +1,184 @@
<?php
// Copyright (C) 2010-2012 Combodo SARL
//
// This file is part of iTop.
//
// iTop is free software; you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// iTop is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with iTop. If not, see <http://www.gnu.org/licenses/>
/**
* Does load data from XML files (currently used in the setup only)
*
* @copyright Copyright (C) 2010-2012 Combodo SARL
* @license http://opensource.org/licenses/AGPL-3.0
*/
/**
* This page is called to perform "asynchronously" the setup actions
* parameters
* 'operation': one of 'compile_data_model', 'update_db_schema', 'after_db_creation', 'file'
*
* if 'operation' == 'update_db_schema':
* 'mode': install | upgrade
*
* if 'operation' == 'after_db_creation':
* 'mode': install | upgrade
*
* if 'operation' == 'file':
* 'file': string Name of the file to load
* 'session_status': string 'start', 'continue' or 'end'
* 'percent': integer 0..100 the percentage of completion once the file has been loaded
*/
define('SAFE_MINIMUM_MEMORY', 64*1024*1024);
require_once('../approot.inc.php');
require_once(APPROOT.'/application/utils.inc.php');
require_once(APPROOT.'/setup/setuppage.class.inc.php');
require_once(APPROOT.'/setup/moduleinstaller.class.inc.php');
ini_set('max_execution_time', max(3600, ini_get('max_execution_time'))); // Under Windows SQL/backup operations are part of the timeout and require extra time
date_default_timezone_set('Europe/Paris'); // Just to avoid a warning if the timezone is not set in php.ini
$sMemoryLimit = trim(ini_get('memory_limit'));
if (empty($sMemoryLimit))
{
// On some PHP installations, memory_limit does not exist as a PHP setting!
// (encountered on a 5.2.0 under Windows)
// In that case, ini_set will not work, let's keep track of this and proceed with the data load
SetupPage::log_info("No memory limit has been defined in this instance of PHP");
}
else
{
// Check that the limit will allow us to load the data
//
$iMemoryLimit = utils::ConvertToBytes($sMemoryLimit);
if ($iMemoryLimit < SAFE_MINIMUM_MEMORY)
{
if (ini_set('memory_limit', SAFE_MINIMUM_MEMORY) === FALSE)
{
SetupPage::log_error("memory_limit is too small: $iMemoryLimit and can not be increased by the script itself.");
}
else
{
SetupPage::log_info("memory_limit increased from $iMemoryLimit to ".SAFE_MINIMUM_MEMORY.".");
}
}
}
function FatalErrorCatcher($sOutput)
{
if ( preg_match('|<phpfatalerror>.*</phpfatalerror>|s', $sOutput, $aMatches) )
{
header("HTTP/1.0 500 Internal server error.");
$errors = '';
foreach ($aMatches as $sMatch)
{
$errors .= strip_tags($sMatch)."\n";
}
$sOutput = "$errors\n";
// Logging to a file does not work if the whole memory is exhausted...
//SetupPage::log_error("Fatal error - in $__FILE__ , $errors");
}
return $sOutput;
}
//Define some bogus, invalid HTML tags that no sane
//person would ever put in an actual document and tell
//PHP to delimit fatal error warnings with them.
ini_set('error_prepend_string', '<phpfatalerror>');
ini_set('error_append_string', '</phpfatalerror>');
// Starts the capture of the ouput, and sets a filter to capture the fatal errors.
ob_start('FatalErrorCatcher'); // Start capturing the output, and pass it through the fatal error catcher
require_once(APPROOT.'/core/config.class.inc.php');
require_once(APPROOT.'/core/log.class.inc.php');
require_once(APPROOT.'/core/kpi.class.inc.php');
require_once(APPROOT.'/core/cmdbsource.class.inc.php');
require_once('./xmldataloader.class.inc.php');
require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
// Never cache this page
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
/**
* Main program
*/
$sOperation = Utils::ReadParam('operation', '');
try
{
switch($sOperation)
{
case 'async_action':
ini_set('max_execution_time', max(240, ini_get('max_execution_time')));
// While running the setup it is desirable to see any error that may happen
ini_set('display_errors', true);
ini_set('display_startup_errors', true);
require_once(APPROOT.'/setup/wizardcontroller.class.inc.php');
require_once(APPROOT.'/setup/wizardsteps.class.inc.php');
$sClass = utils::ReadParam('step_class', '');
$sState = utils::ReadParam('step_state', '');
$sActionCode = utils::ReadParam('code', '');
$aParams = utils::ReadParam('params', array(), false, 'raw_data');
$oPage = new ajax_page('');
$oDummyController = new WizardController('');
if (is_subclass_of($sClass, 'WizardStep'))
{
$oStep = new $sClass($oDummyController, $sState);
$sConfigFile = utils::GetConfigFilePath();
if (file_exists($sConfigFile) && !is_writable($sConfigFile) && $oStep->RequiresWritableConfig())
{
$oPage->error("<b>Error:</b> the configuration file '".$sConfigFile."' already exists and cannot be overwritten.");
$oPage->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".realpath($sConfigFile)."</b>' can be modified by the web server.");
$oPage->output();
}
else
{
$oStep->AsyncAction($oPage, $sActionCode, $aParams);
}
}
$oPage->output();
break;
default:
throw(new Exception("Error unsupported operation '$sOperation'"));
}
}
catch(Exception $e)
{
header("HTTP/1.0 500 Internal server error.");
echo "<p>An error happened while processing the installation:</p>\n";
echo '<p>'.$e."</p>\n";
SetupPage::log_error("An error happened while processing the installation: ".$e);
}
if (function_exists('memory_get_peak_usage'))
{
if ($sOperation == 'file')
{
SetupPage::log_info("loading file '$sFileName', peak memory usage. ".memory_get_peak_usage());
}
else
{
SetupPage::log_info("operation '$sOperation', peak memory usage. ".memory_get_peak_usage());
}
}
?>
<?php
// Copyright (C) 2010-2012 Combodo SARL
//
// This file is part of iTop.
//
// iTop is free software; you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// iTop is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with iTop. If not, see <http://www.gnu.org/licenses/>
/**
* Does load data from XML files (currently used in the setup only)
*
* @copyright Copyright (C) 2010-2012 Combodo SARL
* @license http://opensource.org/licenses/AGPL-3.0
*/
/**
* This page is called to perform "asynchronously" the setup actions
* parameters
* 'operation': one of 'compile_data_model', 'update_db_schema', 'after_db_creation', 'file'
*
* if 'operation' == 'update_db_schema':
* 'mode': install | upgrade
*
* if 'operation' == 'after_db_creation':
* 'mode': install | upgrade
*
* if 'operation' == 'file':
* 'file': string Name of the file to load
* 'session_status': string 'start', 'continue' or 'end'
* 'percent': integer 0..100 the percentage of completion once the file has been loaded
*/
define('SAFE_MINIMUM_MEMORY', 64*1024*1024);
require_once('../approot.inc.php');
require_once(APPROOT.'/application/utils.inc.php');
require_once(APPROOT.'/setup/setuppage.class.inc.php');
require_once(APPROOT.'/setup/moduleinstaller.class.inc.php');
ini_set('max_execution_time', max(3600, ini_get('max_execution_time'))); // Under Windows SQL/backup operations are part of the timeout and require extra time
date_default_timezone_set('Europe/Paris'); // Just to avoid a warning if the timezone is not set in php.ini
$sMemoryLimit = trim(ini_get('memory_limit'));
if (empty($sMemoryLimit))
{
// On some PHP installations, memory_limit does not exist as a PHP setting!
// (encountered on a 5.2.0 under Windows)
// In that case, ini_set will not work, let's keep track of this and proceed with the data load
SetupPage::log_info("No memory limit has been defined in this instance of PHP");
}
else
{
// Check that the limit will allow us to load the data
//
$iMemoryLimit = utils::ConvertToBytes($sMemoryLimit);
if ($iMemoryLimit < SAFE_MINIMUM_MEMORY)
{
if (ini_set('memory_limit', SAFE_MINIMUM_MEMORY) === FALSE)
{
SetupPage::log_error("memory_limit is too small: $iMemoryLimit and can not be increased by the script itself.");
}
else
{
SetupPage::log_info("memory_limit increased from $iMemoryLimit to ".SAFE_MINIMUM_MEMORY.".");
}
}
}
function FatalErrorCatcher($sOutput)
{
if ( preg_match('|<phpfatalerror>.*</phpfatalerror>|s', $sOutput, $aMatches) )
{
header("HTTP/1.0 500 Internal server error.");
$errors = '';
foreach ($aMatches as $sMatch)
{
$errors .= strip_tags($sMatch)."\n";
}
$sOutput = "$errors\n";
// Logging to a file does not work if the whole memory is exhausted...
//SetupPage::log_error("Fatal error - in $__FILE__ , $errors");
}
return $sOutput;
}
//Define some bogus, invalid HTML tags that no sane
//person would ever put in an actual document and tell
//PHP to delimit fatal error warnings with them.
ini_set('error_prepend_string', '<phpfatalerror>');
ini_set('error_append_string', '</phpfatalerror>');
// Starts the capture of the ouput, and sets a filter to capture the fatal errors.
ob_start('FatalErrorCatcher'); // Start capturing the output, and pass it through the fatal error catcher
require_once(APPROOT.'/core/config.class.inc.php');
require_once(APPROOT.'/core/log.class.inc.php');
require_once(APPROOT.'/core/kpi.class.inc.php');
require_once(APPROOT.'/core/cmdbsource.class.inc.php');
require_once('./xmldataloader.class.inc.php');
require_once(APPROOT.'/application/ajaxwebpage.class.inc.php');
// Never cache this page
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
/**
* Main program
*/
$sOperation = Utils::ReadParam('operation', '');
try
{
if (!is_writable(utils::GetConfigFilePath())) throw new Exception('Setup operations are not allowed outside of the setup');
switch($sOperation)
{
case 'async_action':
ini_set('max_execution_time', max(240, ini_get('max_execution_time')));
// While running the setup it is desirable to see any error that may happen
ini_set('display_errors', true);
ini_set('display_startup_errors', true);
require_once(APPROOT.'/setup/wizardcontroller.class.inc.php');
require_once(APPROOT.'/setup/wizardsteps.class.inc.php');
$sClass = utils::ReadParam('step_class', '');
$sState = utils::ReadParam('step_state', '');
$sActionCode = utils::ReadParam('code', '');
$aParams = utils::ReadParam('params', array(), false, 'raw_data');
$oPage = new ajax_page('');
$oDummyController = new WizardController('');
if (is_subclass_of($sClass, 'WizardStep'))
{
$oStep = new $sClass($oDummyController, $sState);
$sConfigFile = utils::GetConfigFilePath();
if (file_exists($sConfigFile) && !is_writable($sConfigFile) && $oStep->RequiresWritableConfig())
{
$oPage->error("<b>Error:</b> the configuration file '".$sConfigFile."' already exists and cannot be overwritten.");
$oPage->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".realpath($sConfigFile)."</b>' can be modified by the web server.");
$oPage->output();
}
else
{
$oStep->AsyncAction($oPage, $sActionCode, $aParams);
}
}
$oPage->output();
break;
default:
throw(new Exception("Error unsupported operation '$sOperation'"));
}
}
catch(Exception $e)
{
header("HTTP/1.0 500 Internal server error.");
echo "<p>An error happened while processing the installation:</p>\n";
echo '<p>'.$e."</p>\n";
SetupPage::log_error("An error happened while processing the installation: ".$e);
}
if (function_exists('memory_get_peak_usage'))
{
if ($sOperation == 'file')
{
SetupPage::log_info("loading file '$sFileName', peak memory usage. ".memory_get_peak_usage());
}
else
{
SetupPage::log_info("operation '$sOperation', peak memory usage. ".memory_get_peak_usage());
}
}
?>
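Review bot: The new gate at the top of the try block calls `is_writable()` on the configuration path without first checking that the file exists, and `is_writable()` returns false for a missing path; if this endpoint is also reached before the configuration file has been created (the branch further down explicitly handles `file_exists($sConfigFile) && !is_writable($sConfigFile)`, which suggests it may be absent), a fresh install would be refused with the same "not allowed" error. `$sConfigFile = utils::GetConfigFilePath(); if (file_exists($sConfigFile) && !is_writable($sConfigFile)) throw new Exception('Setup operations are not allowed outside of the setup');` keeps the hardening for an installed instance whose config has been made read-only without blocking the missing-file case. Note also that the catch block echoes the whole exception (`'<p>'.$e."</p>\n"`), whose string form includes the stack trace and file paths, to the client; now that this check can be hit by an unauthenticated request after install, echoing `$e->getMessage()` there and keeping the full text in SetupPage::log_error would reduce what is disclosed.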


@@ -30,6 +30,7 @@ require_once APPROOT . 'sources/form/field/textfield.class.inc.php';
require_once APPROOT . 'sources/form/field/hiddenfield.class.inc.php';
require_once APPROOT . 'sources/form/field/labelfield.class.inc.php';
require_once APPROOT . 'sources/form/field/stringfield.class.inc.php';
require_once APPROOT . 'sources/form/field/urlfield.class.inc.php';
require_once APPROOT . 'sources/form/field/passwordfield.class.inc.php';
require_once APPROOT . 'sources/form/field/datetimefield.class.inc.php';
require_once APPROOT . 'sources/form/field/durationfield.class.inc.php';


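--- /dev/null
+++ b/sources/form/field/urlfield.class.inc.php
@@ -0,0 +1,67 @@
+<?php
+// Copyright (C) 2010-2016 Combodo SARL
+//
+// This file is part of iTop.
+//
+// iTop is free software; you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// iTop is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with iTop. If not, see <http://www.gnu.org/licenses/>
+namespace Combodo\iTop\Form\Field;
+use \Str;
+use \Combodo\iTop\Form\Field\StringField;
+/**
+* Description of UrlField
+*
+* @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
+*/
+class UrlField extends StringField
+{
+const DEFAULT_TARGET = '_blank';
+protected $sTarget;
+/**
+* Default constructor
+*
+* @param string $sId
+* @param Closure $onFinalizeCallback (Used in the $oForm->AddField($sId, ..., function() use ($oManager, $oForm, '...') { ... } ); )
+*/
+public function __construct($sId, Closure $onFinalizeCallback = null)
+{
+parent::__construct($sId, $onFinalizeCallback);
+$this->sTarget = static::DEFAULT_TARGET;
+}
+public function SetTarget($sTarget)
+{
+$this->sTarget = $sTarget;
+return $this;
+}
+public function GetDisplayValue()
+{
+$sLabel = Str::pure2html($this->currentValue);
+if (strlen($sLabel) > 128)
+{
+// Truncate the length to 128 characters, by removing the middle
+$sLabel = substr($sLabel, 0, 100).'.....'.substr($sLabel, -20);
+}
+return "<a target=\"$this->sTarget\" href=\"$this->currentValue\">$sLabel</a>";
+}
+}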
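Review bot: GetDisplayValue escapes the label with `Str::pure2html` but interpolates `$this->currentValue` and `$this->sTarget` raw into the `href` and `target` attributes, and the Bootstrap field renderer changed in this same compare sets `$bEncodeHtmlEntities = false` for UrlField, so this method's output is emitted as-is; whether the value was validated against AttributeURL's `validation_pattern` before reaching the renderer is not visible here, so both attributes should be escaped in the method itself. Truncation is also applied after HTML-encoding, so `substr` can cut through an entity such as `&amp;` and counts entity bytes rather than characters; truncate the raw value first and encode afterwards, as below. Separately, the constructor's `Closure` type hint has no `use Closure;` import, so inside the `Combodo\iTop\Form\Field` namespace it resolves to `Combodo\iTop\Form\Field\Closure` and a non-null callback would fail the type check unless a class by that name exists — presumably mirrored from StringField, but worth confirming.
```php
public function GetDisplayValue()
{
    $sUrl = (string) $this->currentValue;
    $sLabel = $sUrl;
    if (strlen($sLabel) > 128)
    {
        // Truncate the raw value to 128 bytes by removing the middle, then encode it
        $sLabel = substr($sLabel, 0, 100).'.....'.substr($sLabel, -20);
    }
    // Escape every interpolated value: the renderer emits this string without further encoding
    return '<a target="'.Str::pure2html($this->sTarget).'" href="'.Str::pure2html($sUrl).'">'.Str::pure2html($sLabel).'</a>';
}
```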


@@ -43,7 +43,8 @@ class BsFormRenderer extends FormRenderer
$this->AddSupportedField('HiddenField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('LabelField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('PasswordField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('StringField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('StringField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('UrlField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('TextAreaField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('CaseLogField', 'BsSimpleFieldRenderer');
$this->AddSupportedField('SelectField', 'BsSimpleFieldRenderer');


@@ -84,6 +84,7 @@ EOF
break;
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\UrlField':
$oOutput->AddHtml('<div class="form-group ' . $sFieldMandatoryClass . '">');
if ($this->oField->GetLabel() !== '')
{
@@ -210,7 +211,8 @@ EOF
$oOutput->AddHtml('</div>');
break;
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\UrlField':
case 'Combodo\\iTop\\Form\\Field\\TextAreaField':
$oOutput->AddHtml('<div class="form-group">');
// Showing label / value only if read-only but not hidden
@@ -221,7 +223,7 @@ EOF
$oOutput->AddHtml('<label for="' . $this->oField->GetGlobalId() . '" class="control-label">')->AddHtml($this->oField->GetLabel(), true)->AddHtml('</label>');
}
if($sFieldClass === 'Combodo\\iTop\\Form\\Field\\TextAreaField')
if($sFieldClass === 'Combodo\\iTop\\Form\\Field\\UrlField' || $sFieldClass === 'Combodo\\iTop\\Form\\Field\\TextAreaField')
{
$bEncodeHtmlEntities = false;
$sDisplayValue = $this->oField->GetDisplayValue();
@@ -324,7 +326,8 @@ EOF
switch ($sFieldClass)
{
case 'Combodo\\iTop\\Form\\Field\\PasswordField':
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\UrlField':
case 'Combodo\\iTop\\Form\\Field\\TextAreaField':
case 'Combodo\\iTop\\Form\\Field\\CaseLogField':
case 'Combodo\\iTop\\Form\\Field\\SelectField':
@@ -396,7 +399,8 @@ EOF
switch ($sFieldClass)
{
case 'Combodo\\iTop\\Form\\Field\\PasswordField':
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\StringField':
case 'Combodo\\iTop\\Form\\Field\\UrlField':
case 'Combodo\\iTop\\Form\\Field\\SelectField':
case 'Combodo\\iTop\\Form\\Field\\MultipleSelectField':
case 'Combodo\\iTop\\Form\\Field\\HiddenField':