diff --git a/README.md b/README.md index da262c5a7ee..b7c7f892d44 100755 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ -# SuiteCRM 7.10.32 +# SuiteCRM 7.10.33 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=7.10.x)](https://travis-ci.org/salesagility/SuiteCRM) [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x) diff --git a/composer.lock b/composer.lock index 9e51aae781a..a2d5b990602 100644 --- a/composer.lock +++ b/composer.lock @@ -1,7 +1,7 @@ { "_readme": [ "This file locks the dependencies of your project to a known state", - "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], "content-hash": "de48c1351e816dda827717bab04cf5b1", @@ -1724,16 +1724,16 @@ }, { "name": "phpmailer/phpmailer", - "version": "v6.5.0", + "version": "v6.5.1", "source": { "type": "git", "url": "https://github.com/PHPMailer/PHPMailer.git", - "reference": "a5b5c43e50b7fba655f793ad27303cd74c57363c" + "reference": "dd803df5ad7492e1b40637f7ebd258fee5ca7355" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/a5b5c43e50b7fba655f793ad27303cd74c57363c", - "reference": "a5b5c43e50b7fba655f793ad27303cd74c57363c", + "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/dd803df5ad7492e1b40637f7ebd258fee5ca7355", + "reference": "dd803df5ad7492e1b40637f7ebd258fee5ca7355", "shasum": "" }, "require": { 
@@ -1745,10 +1745,12 @@ "require-dev": { "dealerdirect/phpcodesniffer-composer-installer": "^0.7.0", "doctrine/annotations": "^1.2", + "php-parallel-lint/php-console-highlighter": "^0.5.0", + "php-parallel-lint/php-parallel-lint": "^1.3", "phpcompatibility/php-compatibility": "^9.3.5", "roave/security-advisories": "dev-latest", - "squizlabs/php_codesniffer": "^3.5.6", - "yoast/phpunit-polyfills": "^0.2.0" + "squizlabs/php_codesniffer": "^3.6.0", + "yoast/phpunit-polyfills": "^1.0.0" }, "suggest": { "ext-mbstring": "Needed to send email in multibyte encoding charset or decode encoded addresses", @@ -1786,7 +1788,13 @@ } ], "description": "PHPMailer is a full-featured email creation and transfer class for PHP", - "time": "2021-06-16T14:33:43+00:00" + "funding": [ + { + "url": "https://github.com/Synchro", + "type": "github" + } + ], + "time": "2021-08-18T09:14:16+00:00" }, { "name": "phpoption/phpoption", @@ -2674,6 +2682,20 @@ "configuration", "options" ], + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], "time": "2020-10-24T10:57:07+00:00" }, { @@ -2974,6 +2996,20 @@ ], "description": "Symfony Validator Component", "homepage": "https://symfony.com", + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], "time": "2020-10-28T05:23:51+00:00" }, { @@ -3192,6 +3228,16 @@ "env", "environment" ], + "funding": [ + { + "url": "https://github.com/GrahamCampbell", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/vlucas/phpdotenv", + "type": "tidelift" + } + ], "time": "2021-01-20T14:39:46+00:00" }, { 
@@ -6221,5 +6267,6 @@ "platform-dev": [], "platform-overrides": { "php": "5.5.9" - } + }, + "plugin-api-version": "1.1.0" } diff --git a/files.md5 b/files.md5 index 5d8cb7f1609..858a27628c5 100755 --- a/files.md5 +++ b/files.md5 @@ -1,7 +1,6 @@ '0f515637362239411c512ab1bcb8055c', './Api/Core/Config/ApiConfig.php' => '69a1e7b3d7755a2a63499a16ddae81cf', './Api/Core/Config/slim.php' => 'b134e68765e6a1403577e2a5a06322b8', './Api/Core/Loader/ContainerLoader.php' => '6d5e0db5708f5e34bec7ba8fb8196bdc', @@ -18,7 +17,7 @@ $md5_string = array ( './Api/V8/Config/services/factories.php' => 'abedc3b0445f9076cf55fb81f922999b', './Api/V8/Config/services/globals.php' => 'd1bdcccf5150b16b84fc8192f63affdd', './Api/V8/Config/services/helpers.php' => 'd15737677999e4f7307443aa83da8afa', - './Api/V8/Config/services/middlewares.php' => '18dde9147c371f54d571ba15e2ed329c', + './Api/V8/Config/services/middlewares.php' => 'a7e3340374c5bfb6b26b4d99e61a8935', './Api/V8/Config/services/params.php' => '9fd77ca190fbcea45ad11f156d5db9b7', './Api/V8/Config/services/services.php' => '1c6d1cc19c087015430b4b965705e2fb', './Api/V8/Config/services/validators.php' => '884d713ad8ed932500039acaf285fa45', @@ -117,7 +116,7 @@ $md5_string = array ( './ModuleInstall/PackageManager/tpls/PackageManagerLicense.tpl' => 'df5e267d1df5ce08fb9406e42d5b4816', './ModuleInstall/PackageManager/tpls/PackageManagerScripts.tpl' => '98e396c0aa57329731fda19c790fffb2', './ModuleInstall/extensions.php' => '87596ad3f28a39c996a5551cad3b5cab', - './README.md' => '3be4fedc1f6a36679866f664b41c1925', + './README.md' => '3fc46c38fce81b7aa4e54e94e8151a8c', './RoboFile.php' => '045b82c1df69553824d0e4ffcce6e03c', './SugarSecurity.php' => '47e316b2d408e8c5192c8ea4a4f921b3', './TreeData.php' => '32873e20cb5fd33f9d1cdaf18c3cac5c', 
@@ -505,11 +504,9 @@ $md5_string = array ( './Zend/Validate/Interface.php' => 'e313ef824309253dcfab90ff1d38ac86', './Zend/Validate/Ip.php' => 'e313ef824309253dcfab90ff1d38ac86', './Zend/Version.php' => 'e313ef824309253dcfab90ff1d38ac86', - './build/push_output.sh' => 'cde8cd38e3b0c4e988ec4be7d81faa89', - './build/travis-ci-apache' => 'e1e212c4eaf679b6ec620cd0b12f4571', './campaign_tracker.php' => '321e43ca8b664e6ca57ae5589e8c0667', './composer.json' => '23a2894e04aac300bb832241fc2b352e', - './composer.lock' => '864ca531acd5ec38b31326e64b1fa614', + './composer.lock' => 'c81b9ca0686fe63b57414ad6e7d44f9c', './cron.php' => '0b8b6bd839a2232a8da074b31feaa708', './crossdomain.xml' => '24b7711640c652b21aa89c9d83d6ec13', './data/BeanFactory.php' => '84b7c36b6a59ea8c5c4069659cc72950', @@ -523,7 +520,7 @@ $md5_string = array ( './data/Relationships/One2OneRelationship.php' => 'c46d3067d5651fbc928763600d5e1a51', './data/Relationships/RelationshipFactory.php' => 'f657e59f0ec38f6b6fb276261a095a2d', './data/Relationships/SugarRelationship.php' => '888cafd8937b15f3fc2ab3a4b5c1a79e', - './data/SugarBean.php' => 'd1a3c9f6f1cd03f62e0016a4e4277cba', + './data/SugarBean.php' => '39cea40c6250e6cef2705e1d7cc40802', './deprecated.php' => 'f5f507fd6314f38d29c97e2cc2c62239', './dictionary.php' => 'b7c1370fb75a2940c04db74627c4462c', './download.php' => 'f2d366039d134ac463ff1e75634ce509', @@ -2741,7 +2738,7 @@ $md5_string = array ( './install/installSystemCheck.php' => '7ac2652d957e53ab6ddfa94df42f6da3', './install/installType.php' => '0e2dec11b26e35ee79eb1da0084be8b7', './install/install_defaults.php' => 'd25503407f0db14fa875b295d0f34ae5', - './install/install_utils.php' => '8fb3fc994c368eecd4c875bf0dee4479', + './install/install_utils.php' => '640b6ec4a434023fbb8422e3d4fcbd83', './install/lang.config.php' => 'cb3e68fdb0600481497dcd60f0746aca', './install/language/en_us.lang.php' => '443a21c6c24b089d6dc085a3ebb588d8', './install/license.js' => '9b5c798584a7ae54703dcfa2d1bb991f', 
@@ -4908,7 +4905,7 @@ $md5_string = array ( './modules/Emails/include/ComposeView/ComposeView.tpl' => '1ec29fbb9803c24e5ed8a12155668e58', './modules/Emails/include/ComposeView/ComposeViewBlank.tpl' => '22365ce6727ffb560e5ad3fc187f13f2', './modules/Emails/include/ComposeView/ComposeViewToolbar.tpl' => '656b26827857375278124e4610b9ff06', - './modules/Emails/include/ComposeView/EmailsComposeView.js' => '4a493e1cefdac676a0988051d45ca3dd', + './modules/Emails/include/ComposeView/EmailsComposeView.js' => '5c836fdc4d36bb39c6b027f13f9724db', './modules/Emails/include/DetailView/EmailsDetailView.php' => 'f95937f398f37afe3927ecc035b8b743', './modules/Emails/include/DetailView/EmailsDraftDetailView.php' => 'baafca815e89a4c0ec3df8b6192552ea', './modules/Emails/include/DetailView/EmailsNonImportedDetailView.php' => 'ef9ecbcf65fa6f03e32f94b6a9805b2f', @@ -5205,7 +5202,7 @@ $md5_string = array ( './modules/Import/Importer.php' => 'c4bf3967c463f929acff62fa541cc664', './modules/Import/Menu.php' => '776e6242c638410abd3290c9387e134e', './modules/Import/UsersLastImport.php' => 'a1c22f45aa62094045f32acbcba0ba8d', - './modules/Import/controller.php' => '84c58a01c2fcff75550e1f90d3dffe9d', + './modules/Import/controller.php' => '461f26cd01bc94f0fa0f17608183120b', './modules/Import/language/en_us.lang.php' => '41328cd1de165898134141618e777774', './modules/Import/maps/ImportMap.php' => 'f8a79c733d4ec686203476e5930c0670', './modules/Import/maps/ImportMapAct.php' => '15401c409712de8a08e3dfc7f95df8a0', 
@@ -5240,7 +5237,7 @@ $md5_string = array ( './modules/Import/views/view.last.php' => 'dd767d6243f3ee8818f07fb422b3d499', './modules/Import/views/view.step1.php' => '7f515a1fc6c2c182c24d6af3c65d73b3', './modules/Import/views/view.step2.php' => '30d49b03050d05f5605dc935ea87fd9a', - './modules/Import/views/view.step3.php' => '20ff05beb7cfb2da46aa18806044fe06', + './modules/Import/views/view.step3.php' => 'fcb36271f73fdc163bf0fd7452aff1d2', './modules/Import/views/view.step4.php' => '8694e2f07e6ddc9128af648d42aa802d', './modules/Import/views/view.undo.php' => '0f11a824c733c819214ef88f666358b5', './modules/InboundEmail/AOPInboundEmail.php' => '2c74ce41273c1982b221a8862dfcc997', @@ -5962,7 +5959,7 @@ $md5_string = array ( './modules/SecurityGroups/javascript/popup_relate.js' => '7579a87bd17a42988d7cfdb1983061d3', './modules/SecurityGroups/language/en_us.lang.php' => '4b8424175457d63eaefd8d924f86920e', './modules/SecurityGroups/metadata/SearchFields.php' => '96c05b90550f5063a76b0ccf0a27f6bf', - './modules/SecurityGroups/metadata/detailviewdefs.php' => 'c2a93e716003fb32e5e2784ea7983664', + './modules/SecurityGroups/metadata/detailviewdefs.php' => '05a1c1a20a12755f8b1e4b18f0769985', './modules/SecurityGroups/metadata/editviewdefs.php' => '6739d8de7b420f85ff4396f5f7603161', './modules/SecurityGroups/metadata/listviewdefs.php' => 'f2405e3ec285440740c0b030b85a1c66', './modules/SecurityGroups/metadata/metafiles.php' => 'be0931e2262e0459e06038d775203322', 
@@ -6299,7 +6296,7 @@ $md5_string = array ( './modules/Users/SetTimezone.tpl' => 'f0fb5ed64fae81a5657ebc8f167967c9', './modules/Users/UpdateTourStatus.php' => 'cc111e28e6df1d96b98678661dd42490', './modules/Users/User.js' => '430d6a4d4b14300ea4c6c3592601fa6c', - './modules/Users/User.php' => 'ea91062f8049d49f17783bb9238b4f84', + './modules/Users/User.php' => '7c30e814008c465f2b45e5d81121b39d', './modules/Users/UserEditView.js' => 'a5d33c708bf0e30356dfe2945df13704', './modules/Users/UserEmailOptions.tpl' => '96b848efbf7f6d4fee7b6bf13a1a1aee', './modules/Users/UserEmailSettings.tpl' => '5d9ff3379f63dcf7c5efbbcc3e88d8ed', @@ -6584,7 +6581,7 @@ $md5_string = array ( './soap.php' => 'e28988c2e0b8e2c484587b537a710525', './sugar_version.json' => 'bdfbcefae2f9af559bef6a36367df7bb', './sugar_version.php' => 'db7b6c8d51f87879fce1e6172eedfbed', - './suitecrm_version.php' => '84337b366cbeffb317c95831b9f2c184', + './suitecrm_version.php' => '06faf6ccf7d4608f9098c06add7374b5', './themes/SuiteP/css/Dawn/color-palette.scss' => 'f85621a6c8b0cd015a8c4703e83e519b', './themes/SuiteP/css/Dawn/icons.scss' => 'd59f8c5855e7a8df09542a663835a196', './themes/SuiteP/css/Dawn/style.css' => '96e228603dfc1458e19c4d07013f2ef3', @@ -7988,7 +7985,7 @@ $md5_string = array ( './themes/SuiteP/include/DetailView/header.tpl' => 'ba7fbc5faa2a0e336373aae9b1e52a8e', './themes/SuiteP/include/DetailView/tab_panel_content.tpl' => '38b33c06fc8e5c4d55b5276b457d0330', './themes/SuiteP/include/DetailView/test.tpl' => 'fcf838f4139733066cc727fc7f3818ae', - './themes/SuiteP/include/EditView/EditView.tpl' => '875af492db7774ac8c18b11c3946f634', + './themes/SuiteP/include/EditView/EditView.tpl' => '5e279ffcc56b22f3c2d6032247fa288e', './themes/SuiteP/include/EditView/QuickCreate.tpl' => '3acca81ef6a983731de021c1943f4c0b', './themes/SuiteP/include/EditView/SugarVCR.tpl' => 'eed25c746ed4a7ffeeaaae25a36f49c4', './themes/SuiteP/include/EditView/actions_buttons.tpl' => '3ccfac667a36f3f67706deb6de2f9a77', 
diff --git a/install/install_utils.php b/install/install_utils.php index 18dbecb048e..9cc947207d0 100755 --- a/install/install_utils.php +++ b/install/install_utils.php @@ -1288,17 +1288,15 @@ function create_table_if_not_exist(&$focus) } - function create_default_users() { - $db = DBManagerFactory::getInstance(); global $setup_site_admin_password; global $setup_site_admin_user_name; global $create_default_user; global $sugar_config; require_once('install/UserDemoData.php'); - + //Create default admin user $user = BeanFactory::newBean('Users'); $user->id = 1; @@ -1310,11 +1308,9 @@ function create_default_users() $user->is_admin = true; $user->employee_status = 'Active'; $user->user_hash = User::getPasswordHash($setup_site_admin_password); - $user->save(); - //Bug#53793: Keep default current user in the global variable in order to store 'created_by' info as default user - // while installation is proceed. - $GLOBALS['current_user'] = $user; + $GLOBALS['current_user'] = $user; + $GLOBALS['current_user']->save(); if ($create_default_user) { $default_user = BeanFactory::newBean('Users'); diff --git a/modules/Import/controller.php b/modules/Import/controller.php index eb454ff9052..c705a3bfcca 100755 --- a/modules/Import/controller.php +++ b/modules/Import/controller.php @@ -1,15 +1,11 @@ bean; } } - + public function action_index() { $this->action_Step1(); 
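Review bot: In the second `create_default_users()` hunk the new ordering — assign `$GLOBALS['current_user'] = $user` first, then call `save()` on it — is load-bearing but carries no explanation, and the Bug#53793 comment that explained the previous ordering was deleted along with the old lines. Read together with the `User.php` hunk in this same diff, which zeroes `is_admin` whenever `is_admin($current_user)` is false, the reorder appears to be what keeps the installer's first user an administrator; a future tidy-up that "simplifies" it back to `$user->save()` would silently ship an install with no admin. Suggest a why-comment above the two lines, e.g. `// Make this bean the current user BEFORE save(): User::save() resets is_admin unless the current user is an admin, and created_by must default to this user (Bug#53793).` The rest of the function, including the `$create_default_user` branch, continues past the hunk.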
@@ -128,24 +128,33 @@ public function action_mapping() } } } - + echo json_encode($results); sugar_cleanup(true); } + public function action_RefreshMapping() { global $mod_strings; - require_once('modules/Import/sources/ImportFile.php'); - require_once('modules/Import/views/view.confirm.php'); + require_once __DIR__ . '/../../modules/Import/sources/ImportFile.php'; + require_once __DIR__ . '/../../modules/Import/views/view.confirm.php'; $v = new ImportViewConfirm(); $fileName = $_REQUEST['importFile']; + + if (isset($fileName) && strpos($fileName, '..') !== false) { + LoggerManager::getLogger()->security('Directory navigation attack denied'); + return; + } + $delim = $_REQUEST['delim']; - if ($delim == '\t') { + + if ($delim === '\t') { $delim = "\t"; } + $enclosure = $_REQUEST['qualif']; $enclosure = html_entity_decode($enclosure, ENT_QUOTES); - $hasHeader = isset($_REQUEST['header']) && !empty($_REQUEST['header']) ? true : false; + $hasHeader = !empty($_REQUEST['header']); $importFile = new ImportFile($fileName, $delim, $enclosure, false); $importFile->setHeaderRow($hasHeader); @@ -175,10 +184,10 @@ public function action_RefreshTable() $if->setHeaderRow($has_header); $lv = new ImportListView($if, array('offset'=> $offset), $tableID); $lv->display(false); - + sugar_cleanup(true); } - + public function action_Step1() { $fromAdminView = isset($_REQUEST['from_admin_wizard']) ? $_REQUEST['from_admin_wizard'] : false; @@ -189,7 +198,7 @@ public function action_Step1() $this->view = 'step2'; } } - + public function action_Step2() { $this->view = 'step2'; @@ -214,17 +223,17 @@ public function action_Step4() { $this->view = 'step4'; } - + public function action_Last() { $this->view = 'last'; } - + public function action_Undo() { $this->view = 'undo'; } - + public function action_Error() { $this->view = 'error'; 
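Review bot: The traversal guard added to `action_RefreshMapping` rejects only the literal `..`, while the parallel guard added to `ImportViewStep3::display()` in this same diff also refuses `phar://`; the two entry points feed the same `ImportFile` class and should reject the same inputs, so add `|| strpos($fileName, 'phar://') !== false` to this condition or factor one helper that both call. The `isset($fileName)` test is redundant because the preceding line assigns it unconditionally from `$_REQUEST['importFile']`; `$fileName = $_REQUEST['importFile'] ?? '';` followed by `if ($fileName === '' || strpos($fileName, '..') !== false || strpos($fileName, 'phar://') !== false)` also gives the missing-parameter case a defined outcome instead of a notice. Whether `ImportFile` itself confines the path to the upload directory is not visible here, so this substring denylist should be treated as defence in depth rather than the only control. The bare `return` after logging leaves the AJAX caller with an empty body; if the client expects JSON, an explicit error payload would be friendlier.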
@@ -244,7 +253,7 @@ public function action_Extimport() { $this->view = 'extimport'; } - + public function action_GetControl() { echo getControl($_REQUEST['import_module'], $_REQUEST['field_name']); diff --git a/modules/Import/views/view.step3.php b/modules/Import/views/view.step3.php index d70f44d6683..44ec4ab264f 100755 --- a/modules/Import/views/view.step3.php +++ b/modules/Import/views/view.step3.php @@ -1,14 +1,11 @@ getRequestDelimiter(); - + $this->ss->assign("CUSTOM_DELIMITER", $delimiter); $this->ss->assign("CUSTOM_ENCLOSURE", (!empty($_REQUEST['custom_enclosure']) ? $_REQUEST['custom_enclosure'] : "")); @@ -122,6 +123,11 @@ public function display() $uploadFileName = $_REQUEST['file_name']; + if (isset($uploadFileName) && strpos($uploadFileName, '..') !== false) { + LoggerManager::getLogger()->security('Directory navigation attack denied'); + return; + } + if (strpos($uploadFileName, 'phar://') !== false) { return; } diff --git a/modules/Users/User.php b/modules/Users/User.php index f4d9be5a61b..342634d773b 100755 --- a/modules/Users/User.php +++ b/modules/Users/User.php @@ -656,6 +656,10 @@ public function save($check_notify = false) $this->portal_only = 0; } + // If the current user is not an admin, do not allow them to set the admin flag to true. + if (!is_admin($current_user)) { + $this->is_admin = 0; + } // set some default preferences when creating a new user $setNewUserPreferences = empty($this->id) || !empty($this->new_with_id); diff --git a/suitecrm_version.php b/suitecrm_version.php index 9cfc14433ab..3da34a566af 100755 --- a/suitecrm_version.php +++ b/suitecrm_version.php @@ -3,5 +3,5 @@ die('Not A Valid Entry Point'); } -$suitecrm_version = '7.10.32'; -$suitecrm_timestamp = '2021-05-28 17:00:00'; +$suitecrm_version = '7.10.33'; +$suitecrm_timestamp = '2021-09-24 17:00:00';
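Review bot: In the `view.step3.php` hunk the new `..` guard and the pre-existing `phar://` guard immediately below it are two separate denylist checks on the same `$uploadFileName`, and only the first one logs — the `phar://` branch still returns silently, so a wrapper-based probe leaves no trace in the security log. Merge them into one condition: `if (strpos($uploadFileName, '..') !== false || strpos($uploadFileName, 'phar://') !== false) { LoggerManager::getLogger()->security('Directory navigation attack denied'); return; }`. `isset($uploadFileName)` is redundant since the line above assigns it unconditionally from `$_REQUEST['file_name']`. `display()` begins before this hunk, so whether anything earlier already validates `file_name` cannot be seen from here.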
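Review bot: In the `User.php` hunk, `if (!is_admin($current_user)) { $this->is_admin = 0; }` closes the self-promotion path but also demotes an existing administrator whenever their bean is saved without an admin current user — cron or CLI runs where `$current_user` is empty, or a non-admin-triggered workflow touching an admin record — and the installer reorder elsewhere in this diff (`$GLOBALS['current_user'] = $user` moved before `save()`) looks like a symptom of exactly that. Safer is to refuse a change to the flag rather than zero it: keep the stored value for a record that was loaded from the database and force it off only for a user that was never loaded. The sketch below keys off `$this->fetched_row`, which `SugarBean::retrieve()` populates from the stored row, so a bean that was retrieved and then mutated from the request keeps its stored flag while a fresh bean gets 0. This assumes `global $current_user;` is declared earlier in `save()` (outside the hunk) and that `is_admin()` returns false for an empty user; both should be confirmed before relying on this.
```php
// Only an admin may grant or revoke the admin flag. For anyone else keep the
// value loaded from the database (fetched_row is filled by retrieve()), so a
// cron/CLI or non-admin save of an admin record does not demote it, and force
// the flag off for a record that was never loaded, i.e. a brand-new user.
if (!is_admin($current_user)) {
    $storedIsAdmin = isset($this->fetched_row['is_admin']) ? $this->fetched_row['is_admin'] : 0;
    $this->is_admin = !empty($storedIsAdmin) ? 1 : 0;
}
// … unchanged: default preferences for a new user …
```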