SuiteCRM 7.10.36 Release
clemente-raposo committed Jan 27, 2022
1 parent 58b253d commit 6d352cb
Showing 8 changed files with 154 additions and 40 deletions.
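--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.10.35
+# SuiteCRM 7.10.36
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=7.10.x)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x)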
58 changes: 31 additions & 27 deletions files.md5

Large diffs are not rendered by default.

14 changes: 14 additions & 0 deletions include/InlineEditing/InlineEditing.php
Expand Up @@ -387,13 +387,27 @@ function saveField($field, $id, $module, $value)

function getDisplayValue($bean, $field, $method = "save")
{
global $log;

if (file_exists("custom/modules/Accounts/metadata/listviewdefs.php")) {
$metadata = require("custom/modules/Accounts/metadata/listviewdefs.php");
} else {
$metadata = require("modules/Accounts/metadata/listviewdefs.php");
}

if (!$bean->ACLAccess('view')) {
$log->security("getDisplayValue - trying to access unauthorized view/module");
throw new BadMethodCallException('Unauthorized');
}

$fieldlist[$field] = $bean->getFieldDefinition($field);
$isSensitive = !empty($fieldlist[$field]['sensitive']);
$notApiVisible = !empty($fieldlist[$field]['api-visible']);

if ($isSensitive || $notApiVisible){
$log->security("getDisplayValue - trying to access sensitive field");
throw new BadMethodCallException('Unauthorized');
}

if (is_array($listViewDefs)) {
$fieldlist[$field] = array_merge($fieldlist[$field], $listViewDefs);
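Review bot: The field gate `$notApiVisible = !empty($fieldlist[$field]['api-visible']);` denies the field whenever `api-visible` holds a truthy value, so if that vardef flag marks fields that may be exposed the polarity is inverted: flagged fields are blocked and fields with no flag at all pass; confirm what `api-visible` means in the vardefs and, if it is an allow-flag, change the line to `$notApiVisible = isset($fieldlist[$field]['api-visible']) && !$fieldlist[$field]['api-visible'];`. The preceding `$bean->ACLAccess('view')` is a module-level check only; a per-field read restriction is not consulted here, so a user allowed to view the module can still read any field that is neither `sensitive` nor caught by the flag above, which is worth confirming against the field-level ACL helper the project uses elsewhere. The listviewdefs `require` above the checks executes before authorization; it is harmless but could be moved below the throws so unauthorized calls do no work. getDisplayValue continues past the end of this hunk.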
77 changes: 77 additions & 0 deletions include/utils.php
Expand Up @@ -211,6 +211,13 @@ function make_sugar_config(&$sugar_config)
'html',
'htm',
) : $upload_badext,
'valid_image_ext' => [
'gif',
'png',
'jpg',
'jpeg',
'svg'
],
'upload_dir' => $upload_dir, // this must be set!!
'upload_maxsize' => empty($upload_maxsize) ? 30000000 : $upload_maxsize,
'allowed_preview' => [
Expand Down Expand Up @@ -437,6 +444,13 @@ function get_sugar_config_defaults()
'htm',
'phtml',
),
'valid_image_ext' => [
'gif',
'png',
'jpg',
'jpeg',
'svg'
],
'upload_maxsize' => 30000000,
'import_max_execution_time' => 3600,
// 'use_php_code_json' => returnPhpJsonStatus(),
Expand Down Expand Up @@ -5840,3 +5854,66 @@ function getAppString($key)

return $app_strings[$key];
}

/**
* Check if has valid image extension
* @param string $fieldName
* @param string $value
* @return bool
*/
function has_valid_image_extension($fieldName, $name)
{
global $sugar_config;

$validExtensions = [
'gif',
'png',
'jpg',
'jpeg',
'svg'
];

if (isset($sugar_config['valid_image_ext']) && is_array($sugar_config['valid_image_ext'])){
$validExtensions = $sugar_config['valid_image_ext'];
}

return has_valid_extension($fieldName, $name, $validExtensions);
}

/**
* Check if has valid extension
* @param string $fieldName
* @param string $name
* @param array $validExtensions
* @return bool
*/
function has_valid_extension($fieldName, $name, $validExtensions)
{

if ($name === '.' || empty($name)) {
LoggerManager::getLogger()->security("Invalid ext $fieldName : '$name'.");

return false;
}

$validExtensions = array_map('strtolower', $validExtensions);

$parts = explode('.', $name);

if (empty($parts)) {
LoggerManager::getLogger()->security("Invalid ext $fieldName : '$name'.");

return false;
}

$ext = array_pop($parts);
$trimmedValue = preg_replace('/.*\.([^\.]+)$/', '\1', $ext);

if (!in_array(strtolower($trimmedValue), $validExtensions, true)) {
LoggerManager::getLogger()->security("Invalid $fieldName: '$name'.");

return false;
}

return true;
}
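Review bot: The default image whitelist in `has_valid_image_extension` (and both `valid_image_ext` config defaults added above) includes `svg`, an XML format that can carry `<script>` and event handlers; since this helper exists to gate files copied into a publicly served directory, an attacker who can attach an SVG to a Note gets stored XSS on the site origin if that directory serves it inline — consider dropping `svg` from the defaults, or documenting in the config comment that it must only be enabled where the public path is served with `Content-Disposition: attachment` or a restrictive CSP. The docblock on `has_valid_image_extension` names `@param string $value` while the parameter is `$name`; change it to `@param string $name`. In `has_valid_extension`, `preg_replace('/.*\.([^\.]+)$/', '\1', $ext)` runs on a value that `explode('.')` already stripped of dots, so it is a no-op and can be removed, and `empty($name)` rejects the legitimate name `"0"` — use `$name === ''` if that is unintended. The check inspects only the last extension and never the content, so `shell.php.jpg` passes; that is acceptable only if the destination directory is configured never to execute by an earlier extension, which the helper cannot guarantee and should say in its docblock.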
11 changes: 10 additions & 1 deletion modules/EmailTemplates/EmailTemplate.php
Expand Up @@ -917,7 +917,7 @@ private function repairMozaikClears()

private function repairEntryPointImages()
{
global $sugar_config;
global $sugar_config, $log;

// repair the images url at entry points, change to a public direct link for remote email clients..

Expand All @@ -926,8 +926,17 @@ private function repairEntryPointImages()
$regex = '#<img[^>]*[\s]+src=[\s]*["\'](' . preg_quote($siteUrl) . '\/index\.php\?entryPoint=download&type=Notes&id=([a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12})&filename=.+?)["\']#si';
if (preg_match($regex, $html, $match)) {
$splits = explode('.', $match[1]);
$fileExtension = end($splits);
$toFile = $match[2] . '.' . $fileExtension;
if (is_string($toFile) && !has_valid_image_extension('repair-entrypoint-images-fileext', $toFile)){
$log->error("repairEntryPointImages | file with invalid extension '$toFile'");
return;
}

$this->makePublicImage($match[2], $fileExtension);
$newSrc = $sugar_config['site_url'] . '/public/' . $match[2] . '.' . $fileExtension;
$this->body_html = to_html(str_replace($match[1], $newSrc, $html));
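Review bot: The `is_string($toFile) &&` guard on the new check is always true because `$toFile` is built by string concatenation on the line above, so it only obscures the intent; simplify to `if (!has_valid_image_extension('repair-entrypoint-images-fileext', $toFile)) {`. `$fileExtension` is taken from the tail of the matched `src` URL (whatever follows the last `.` after `&filename=`), i.e. from the template HTML rather than from the stored Note record, so the check validates what the template claims; if `makePublicImage` copies the Note's real upload under that extension, a crafted filename in the template could still relabel an arbitrary attachment as `.jpg` — verify how makePublicImage resolves its source before relying on this guard. The other hunks in this commit log rejected input through `$log->security(...)`/`LoggerManager`; using `$log->security` here too keeps the audit trail consistent. The enclosing repairEntryPointImages continues past the end of this hunk.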
10 changes: 10 additions & 0 deletions modules/Import/controller.php
Expand Up @@ -146,6 +146,16 @@ public function action_RefreshMapping()
return;
}

if (isset($fileName) && !hasValidFileName('import_refresh_mapping_file_name', str_replace('upload://', '', $fileName))) {
LoggerManager::getLogger()->fatal('Invalid importFile file name');
return;
}

if (strpos($fileName, 'phar://') !== false) {
LoggerManager::getLogger()->fatal('Invalid importFile file path');
return;
}

$delim = $_REQUEST['delim'];

if ($delim === '\t') {
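Review bot: The added wrapper check `strpos($fileName, 'phar://') !== false` is case-sensitive, but PHP resolves stream-wrapper schemes case-insensitively, so `PHAR://` or `Phar://` passes the guard and reaches the same code; it also ignores other wrappers such as `php://`, `data:` and `compress.zlib://`. Reject any scheme other than the expected `upload://` prefix instead, e.g. `$stripped = str_replace('upload://', '', $fileName);` followed by `if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $stripped)) { LoggerManager::getLogger()->fatal('Invalid importFile file path'); return; }`, and if the intent is to confine the file to the upload directory, a realpath comparison against `$sugar_config['upload_dir']` after stripping the prefix is the stronger control. Both new guards return silently, so the caller never learns why the mapping refresh was dropped; consider emitting an error response alongside the log line. The enclosing action_RefreshMapping starts before this hunk and `$fileName` is assigned outside it.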
18 changes: 9 additions & 9 deletions modules/Project/controller.php
Expand Up @@ -40,15 +40,15 @@ public function action_generate_chart()

$project = BeanFactory::newBean('Project');
$project->retrieve($_POST["pid"]);

//Get project tasks
$Task = BeanFactory::getBean('ProjectTask');
$tasks = $Task->get_full_list("order_number", "project_task.project_id = '".$project->id."'");

//Get the start and end date of the project in database format
$query = "SELECT min(date_start) FROM project_task WHERE project_id = '{$project->id}'";
$start_date = $db->getOne($query);

$query = "SELECT max(date_finish) FROM project_task WHERE project_id = '{$project->id}'";
$end_date = $db->getOne($query);

Expand Down Expand Up @@ -345,12 +345,12 @@ public function action_update_chart()
//Get specified dates and users
$start = $_POST['start'];
//$end = $_POST['end'];
$projects = explode(',', $_POST['projects']);
$users = explode(',', $_POST['users']);
$contacts = explode(',', $_POST['contacts']);
$month = $_POST['month'];
$projects = explode(',', $db->quote($_POST['projects']));
$users = explode(',', $db->quote($_POST['users']));
$contacts = explode(',', $db->quote($_POST['contacts']));
$month = is_numeric($_POST['month']) ? $_POST['month'] : '1' ;
$flag = $_POST['flag'];
$chart_type = $_POST['chart_type'];
$chart_type = $db->quote($_POST['chart_type']);
//$type = $_POST['type'];

$start = new DateTime($start);
Expand Down Expand Up @@ -497,7 +497,7 @@ public function action_Tooltips()
}

$Task = BeanFactory::getBean('ProjectTask');

$tasks = $Task->get_full_list("date_start", "project_task.assigned_user_id = '".$resource_id."' AND ( ( project_task.date_start BETWEEN '".$start_date."' AND '".$end_date."' ) OR ( project_task.date_finish BETWEEN '".$start_date."' AND '".$end_date."' ) OR ( '".$start_date."' BETWEEN project_task.date_start AND project_task.date_finish ) OR ( '".$end_date."' BETWEEN project_task.date_start AND project_task.date_finish ) ) AND (project_id is not null AND project_id <> '') " . $project_where);

echo '<table class="qtip_table">';
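Review bot: `$db->quote()` escapes for interpolation inside a quoted SQL string literal, so the new `explode(',', $db->quote($_POST['projects']))` lines are only sufficient if every exploded id later lands between quotes; if the ids are used unquoted (a bare `IN (...)` list) or as identifiers, escaping does not help, and validating each element as an id is the safer control: `$projects = array_filter(explode(',', $_POST['projects']), static function ($id) { return preg_match('/^[a-zA-Z0-9\-]+$/', $id) === 1; });`. `$flag = $_POST['flag']` on the following line is left raw while its neighbours were escaped; if it reaches a query it needs the same treatment (its use is outside this hunk). `is_numeric($_POST['month'])` also accepts `"1e2"`, `" 7"` and floats, so `ctype_digit((string) $_POST['month'])` is the narrower test for a month index. action_update_chart continues past the end of this hunk.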
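--- a/suitecrm_version.php
+++ b/suitecrm_version.php
@@ -3,5 +3,5 @@
 die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.10.35';
-$suitecrm_timestamp = '2021-12-14 17:00:00';
+$suitecrm_version = '7.10.36';
+$suitecrm_timestamp = '2022-01-27 12:00:00';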