SuiteCRM 7.14.6 Release

ojs87 · Oct 31, 2024 · e572230 · e572230
1 parent 9c0ab61
commit e572230
Show file tree

Hide file tree

Showing 12 changed files with 130 additions and 60 deletions.
diff --git a/ModuleInstall/ModuleScanner.php b/ModuleInstall/ModuleScanner.php
@@ -611,6 +611,7 @@ public function scanFile($file)
         $checkFunction = false;
         $possibleIssue = '';
         $lastToken = false;
+        $return = false;
         foreach ($tokens as $index=>$token) {
             if (is_string($token[0])) {
                 switch ($token[0]) {
@@ -622,7 +623,16 @@ public function scanFile($file)
                             $issues[] = $possibleIssue;
                         }
                         break;
+                    case ']':
+                        if ($checkFunction){
+                            $issues[] = $possibleIssue;
+                        }
+                }
+
+                if ($return && $checkFunction){
+                    $issues[] = $possibleIssue;
                 }
+
                 $checkFunction = false;
                 $possibleIssue = '';
             } else {
@@ -641,7 +651,8 @@ public function scanFile($file)
                         $issues[]= translate('ML_INVALID_FUNCTION', 'Administration') . ' exit / die';
                         break;
                     case T_STRING:
-                        $token[1] = strtolower($token[1]);
+                    case T_CONSTANT_ENCAPSED_STRING:
+                        $token[1] = trim(strtolower($token[1]),'\'"');
                         if ($lastToken !== false && $lastToken[0] == T_NEW) {
                             if (!in_array($token[1], $this->classBlackList)) {
                                 break;
@@ -688,6 +699,10 @@ public function scanFile($file)
                             if (in_array($token[1], $this->blackListExempt)) {
                                 break;
                             }
+
+                            if ($lastToken[1] === 'return'){
+                                $return = true;
+                            }
                         }
                         // no break
                     case T_VARIABLE:

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.14.5
+# SuiteCRM 7.14.6
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

diff --git a/composer.lock b/composer.lock
diff --git a/files.md5 b/files.md5
diff --git a/include/SearchForm/SearchForm2.php b/include/SearchForm/SearchForm2.php
@@ -951,7 +951,7 @@ public function generateSearchWhere($add_custom_fields = false, $module = '')
 
                         $this->searchFields[$real_field]['value'] = $this->searchFields[$field]['value'];
                         $this->searchFields[$real_field]['operator'] = $this->searchFields[$field]['operator'];
-                        $params['value'] = $this->searchFields[$field]['value'];
+                        $params['value'] = $db->quote($this->searchFields[$field]['value']);
                         $params['operator'] = $this->searchFields[$field]['operator'];
                         unset($this->searchFields[$field]['value']);
                         $field = $real_field;
@@ -1049,7 +1049,7 @@ public function generateSearchWhere($add_custom_fields = false, $module = '')
                         }
                     }
                 } else {
-                    $field_value = $parms['value'];
+                    $field_value = $db->quote($parms['value']);
                 }
 
                 //set db_fields array.

diff --git a/include/generic/DeleteRelationship.php b/include/generic/DeleteRelationship.php
@@ -61,16 +61,16 @@
 
 require_once('include/formbase.php');
 
- global $beanFiles,$beanList;
+ global $beanFiles,$beanList, $db;
  $bean_name = $beanList[$_REQUEST['module']];
  require_once($beanFiles[$bean_name]);
  $focus = new $bean_name();
  if (empty($_REQUEST['linked_id']) || empty($_REQUEST['linked_field'])  || empty($_REQUEST['record'])) {
      die("need linked_field, linked_id and record fields");
  }
- $linked_field = $_REQUEST['linked_field'];
- $record = $_REQUEST['record'];
- $linked_id = $_REQUEST['linked_id'];
+ $linked_field = $db->quote($_REQUEST['linked_field']);
+ $record = $db->quote($_REQUEST['record']);
+ $linked_id = $db->quote($_REQUEST['linked_id']);
  if ($linked_field === 'aclroles') {
      if (!ACLController::checkAccess($bean_name, 'edit', true)) {
          ACLController::displayNoAccess();

diff --git a/include/utils/file_utils.php b/include/utils/file_utils.php
@@ -140,7 +140,7 @@ function write_override_label_to_file($the_name, $the_array, $the_file, $mode =
     }
 
     foreach ($the_array as $labelName => $labelValue) {
-        $the_string .= '$' . "{$the_name}['{$labelName}'] = '{$labelValue}';\n";
+        $the_string .= '$' . "{$the_name}['" . addslashes($labelName) . "'] = '" . addslashes($labelValue) ."';\n";
     }
 
     return sugar_file_put_contents($the_file, $the_string, LOCK_EX) !== false;

diff --git a/lib/Utility/SuiteValidator.php b/lib/Utility/SuiteValidator.php
@@ -58,6 +58,21 @@ public function isValidId(?string $id): bool
         return is_numeric($id) || (is_string($id) && preg_match($pattern, $id));
     }
 
+    /**
+     * @param string|null $key
+     * @return bool
+     */
+    public function isValidKey(?string $key): bool
+    {
+        if (empty($key)) {
+            return false;
+        }
+
+        $pattern = $this->getKeyValidationPattern();
+
+        return is_numeric($key) || preg_match($pattern, $key);
+    }
+
     /**
      * @param string $fieldname
      * @return bool
@@ -90,4 +105,20 @@ public function getIdValidationPattern(): string
 
         return $pattern;
     }
+
+    /**
+     * @return string
+     */
+    protected function getKeyValidationPattern(): string
+    {
+        global $sugar_config;
+
+        if (!empty($sugar_config['key_validation_pattern'])) {
+            $pattern = $sugar_config['key_validation_pattern'];
+        } else {
+            $pattern = '/^[A-Z0-9\-\_\.]*$/i';
+        }
+
+        return $pattern;
+    }
 }
diff --git a/modules/AM_ProjectTemplates/controller.php b/modules/AM_ProjectTemplates/controller.php
@@ -39,12 +39,15 @@ public function action_create_project()
         global $current_user, $db, $mod_strings;
 
         $project_name = $_POST['p_name'];
-        $template_id = $_POST['template_id'];
+        $template_id = $db->quote($_POST['template_id']);
         $project_start = $_POST['start_date'];
         $copy_all = isset($_POST['copy_all_tasks']) ? 1 : 0;
-        $copy_tasks = isset($_POST['tasks']) ? $_POST['tasks'] : array() ;
 
+        $copy_tasks = array();
 
+        if (isset($_POST['tasks']) && is_array($_POST['tasks'])) {
+            $copy_tasks = $_POST['tasks'];
+        }
 
         //Get project start date
         if ($project_start!='') {
@@ -262,7 +265,7 @@ public function action_generate_chart()
         include_once('modules/AM_ProjectTemplates/project_table.php');
 
         $project_template = BeanFactory::newBean('AM_ProjectTemplates');
-        $pid = $_POST["pid"];
+        $pid = $db->quote($_POST["pid"]);
         $project_template->retrieve($pid);
 
         //Get project tasks

diff --git a/modules/Users/User.php b/modules/Users/User.php
@@ -976,9 +976,14 @@ public function saveFormPreferences()
                 $this->setPreference('default_email_charset', $_REQUEST['default_email_charset'], 0, 'global');
             }
 
-            if (isset($_POST['calendar_publish_key'])) {
+            $isValidator = new \SuiteCRM\Utility\SuiteValidator();
+
+            if (isset($_POST['calendar_publish_key']) && $isValidator->isValidKey($_POST['calendar_publish_key'])) {
                 $this->setPreference('calendar_publish_key', $_POST['calendar_publish_key'], 0, 'global');
+            } elseif (isset($_POST['calendar_publish_key'])) {
+                $_POST['calendar_publish_key'] = '';
             }
+
             if (isset($_POST['subtheme'])) {
                 $this->setPreference('subtheme', $_POST['subtheme'], 0, 'global');
             }

diff --git a/modules/Users/tpls/EditViewFooter.tpl b/modules/Users/tpls/EditViewFooter.tpl
@@ -584,12 +584,23 @@
 
   $(document).ready(function () {
     var checkKey = function (key) {
-      if (key != '') {
+      var validation = /^[A-Z0-9\-_.]*$/i;
+      if (key != '' && validation.test(key)) {
+
+        var encodedKey = key.replace(/[&<>'"]/g, function(tag) {
+          return ({
+              '&': '&amp;',
+              '<': '&lt;',
+              '>': '&gt;',
+              "'": '&#39;',
+              '"': '&quot;'
+            }[tag]);
+        })
         $(".calendar_publish_ok").css('display', 'inline');
         $(".calendar_publish_none").css('display', 'none');
-        $('#cal_pub_key_span').html(key);
-        $('#ical_pub_key_span').html(key);
-        $('#search_pub_key_span').html(key);
+        $('#cal_pub_key_span').html(encodedKey);
+        $('#ical_pub_key_span').html(encodedKey);
+        $('#search_pub_key_span').html(encodedKey);
       } else {
         $(".calendar_publish_ok").css('display', 'none');
         $(".calendar_publish_none").css('display', 'inline');

diff --git a/suitecrm_version.php b/suitecrm_version.php
@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.14.5';
-$suitecrm_timestamp = '2024-08-14 12:00:00';
+$suitecrm_version = '7.14.6';
+$suitecrm_timestamp = '2024-11-05 12:00:00';