SuiteCRM 7.12.1 Release

README.md

@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.0
+# SuiteCRM 7.12.1
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

include/SugarFolders/SugarFolders.php

@@ -247,10 +247,7 @@ public function checkEmailExistForFolder($id)
         $res = $this->db->query($query);
         $a = $this->db->fetchByAssoc($res);
 
-        if ($a['c'] > 0) {
-            return true;
-        }
-        return false;
+        return $a['c'] > 0;
     }
 
     /**
@@ -708,10 +705,6 @@ public function addBean(SugarBean $bean)
             " AND deleted = 0";
 
         $result = $this->db->fetchByAssoc($this->db->query($q));
-        if ($result === false){
-            $GLOBALS['log']->debug("Error in query to check for existing email folders");
-            return false;
-        }
 
         if($result) {
             $GLOBALS['log']->debug("*** FOLDERS: addBean() is trying to create an already existing relationship");
@@ -1302,8 +1295,10 @@ public function save($addSubscriptions = true)
             }
 
             // if parent_id is set, update parent's has_child flag
-            $query3 = "UPDATE folders SET has_child = 1 WHERE id = " . $this->db->quoted($this->parent_folder);
-            $r3 = $this->db->query($query3);
+            if (!empty($this->parent_folder)) {
+                $query3 = "UPDATE folders SET has_child = 1 WHERE id = " . $this->db->quoted($this->parent_folder);
+                $r3 = $this->db->query($query3);
+            }
         } else {
             $query = "UPDATE folders SET " .
                 "name = " . $this->db->quoted($this->name) . ", " .

include/Sugarpdf/Sugarpdf.php

@@ -273,13 +273,13 @@ public function Header()
     * @access public
     * @see include/tcpdf/TCPDF#SetFont()
     */
-    public function SetFont($family, $style='', $size=0, $fontfile='')
+    public function SetFont($family, $style = '', $size = null, $fontfile = '', $subset = 'default', $out = true)
     {
         if (empty($fontfile) && defined('K_PATH_CUSTOM_FONTS')) {
             // This will force addFont to search the custom directory for font before the OOB directory
-            $fontfile = K_PATH_CUSTOM_FONTS."phantomFile.phantom";
+            $fontfile = K_PATH_CUSTOM_FONTS . "phantomFile.phantom";
         }
-        parent::SetFont($family, $style, $size, $fontfile);
+        parent::SetFont($family, $style, $size, $fontfile, $subset, $out);
     }
 
     public function Info()
@@ -304,9 +304,9 @@ public function Info()
      * The cell method is used by all the methods which print text (Write, MultiCell).
      * @see include/tcpdf/TCPDF#Cell()
      */
-    public function Cell($w, $h=0, $txt='', $border=0, $ln=0, $align='', $fill=0, $link='', $stretch=0, $ignore_min_height=false)
+    public function Cell($w, $h = 0, $txt = '', $border = 0, $ln = 0, $align = '', $fill = false, $link = '', $stretch = 0, $ignore_min_height = false, $calign = 'T', $valign = 'M')
     {
-        parent::Cell($w, $h, prepare_string($txt), $border, $ln, $align, $fill, $link, $stretch, $ignore_min_height);
+        parent::Cell($w, $h, prepare_string($txt), $border, $ln, $align, $fill, $link, $stretch, $ignore_min_height, $calign, $valign);
     }
 
     /**
@@ -640,7 +640,7 @@ private function initOptionsForWriteCellTable($options, $item)
     * @since 4.5.011
     * @OVERRIDE
     */
-    public function getNumLines($txt, $w=0)
+    public function getNumLines($txt, $w = 0, $reseth = false, $autopadding = true, $cellpadding = '', $border = 0)
     {
         $lines = 0;
         if (empty($w) or ($w <= 0)) {

include/language/en_us.lang.php

@@ -3722,3 +3722,9 @@
 // PDF Engines
 $app_strings['LBL_LEGACY_MPDF_ENGINE'] = 'Legacy MPDF Engine';
 $app_strings['LBL_TCPDF_ENGINE'] = 'TCPDF Engine';
+
+
+$app_strings['ERR_INVALID_FILE_NAME'] = 'Invalid file name:';
+$app_strings['LBL_LOGGER_VALID_FILENAME_CHARACTERS'] = 'This can only be alphanumeric characters, plus \'.\' , \'-\' and \'_\'';
+$app_strings['LBL_LOGGER_INVALID_FILENAME'] = 'Invalid import file name';
+

include/utils.php

@@ -425,6 +425,9 @@ function get_sugar_config_defaults(): array
         'log_memory_usage' => false,
         'oauth2_encryption_key' => base64_encode(random_bytes(32)),
         'portal_view' => 'single_user',
+        'pdf' => [
+            'defaultEngine' => 'TCPDFEngine'
+        ],
         'resource_management' => [
             'special_query_limit' => 50000,
             'special_query_modules' => ['AOR_Reports', 'Export', 'Import', 'Administration', 'Sync'],

include/utils/file_utils.php

@@ -479,3 +479,25 @@ function cleanDirName($name)
 {
     return str_replace(array("\\", "/", "."), "", $name);
 }
+
+/**
+ * Check if has valid file name
+ * @param string $fieldName
+ * @param string $value
+ * @return bool
+ */
+function hasValidFileName($fieldName, $value) {
+
+    if (empty($value)){
+        LoggerManager::getLogger()->error("Invalid filename for $fieldName : '$value'.");
+        return false;
+    }
+
+    $isValid = preg_match('/^[\w\-.]+(\.\w+)?$/', $value);
+    if ($isValid === false || $isValid < 1) {
+        LoggerManager::getLogger()->error("Invalid filename for $fieldName : '$value'.");
+        return false;
+    }
+
+    return true;
+}

lib/PDF/PDFWrapper.php

@@ -40,7 +40,7 @@
 namespace SuiteCRM\PDF;
 
 use SuiteCRM\PDF\Exceptions\PDFEngineNotFoundException;
-use SuiteCRM\PDF\MPDF\LegacyMPDFEngine;
+use SuiteCRM\PDF\LegacyMPDF\LegacyMPDFEngine;
 use SuiteCRM\PDF\TCPDF\TCPDFEngine;
 
 if (!defined('sugarEntry') || !sugarEntry) {
@@ -116,6 +116,12 @@ public static function getEngines(): array
         $pdfs = [];
         $default = array_keys(self::$engines);
 
+        $MPDF = __DIR__ . '/../../modules/AOS_PDF_Templates/PDF_Lib/mpdf.php';
+        if (($key = array_search('LegacyMPDFEngine', $default, true)) !== false
+            && (!file_exists($MPDF) || version_compare(PHP_VERSION, '8.0.0') >= 0)) {
+            unset($default[$key]);
+        }
+
         if (file_exists('custom/application/Ext/PDF/pdfs.ext.php')) {
             include('custom/application/Ext/PDF/pdfs.ext.php');
         }

lib/Search/ElasticSearch/ElasticSearchIndexer.php

@@ -99,7 +99,7 @@ public static function isEnabled(): ?bool
         global $sugar_config;
 
         try {
-            return $sugar_config['search']['ElasticSearch']['enabled'];
+            return !empty($sugar_config['search']['ElasticSearch']['enabled']);
         } catch (Exception $exception) {
             LoggerManager::getLogger()->fatal("Failed to retrieve ElasticSearch options");
 

modules/Configurator/Configurator.php

@@ -92,20 +92,17 @@ public function loadConfig()
     public function populateFromPost()
     {
         $sugarConfig = SugarConfig::getInstance();
+
+        $this->checkLoggerFileName();
+
         foreach ($_POST as $key => $value) {
-            if ($key == "logger_file_ext") {
+            if ($key === "logger_file_ext" || $key === 'logger_file_name') {
                 if ($value === '') {
                     $GLOBALS['log']->security("Log file extension can't be blank.");
                     continue;
                 }
-
-                $trim_value = preg_replace('/.*\.([^\.]+)$/', '\1', $value);
-                $badext = array_map('strtolower', $this->config['upload_badext']);
-                if (in_array(strtolower($trim_value), $badext)) {
-                    $GLOBALS['log']->security("Invalid log file extension: trying to use invalid file extension '$value'.");
-                    continue;
-                }
             }
+
             if (isset($this->config[$key]) || in_array($key, $this->allow_undefined)) {
                 if (strcmp((string)$value, 'true') == 0) {
                     $value = true;
@@ -123,6 +120,119 @@ public function populateFromPost()
         }
     }
 
+    public function checkLoggerFileName()
+    {
+
+        $logFileName =  '';
+        if (!empty($_POST['logger_file_name'])) {
+            $logFileName = $_POST['logger_file_name'];
+        }
+
+        $logFileExt = '';
+        if (!empty($_POST['logger_file_ext'])) {
+            $logFileExt = $_POST['logger_file_ext'];
+        }
+
+        $logFileExt = $this->prependDot($logFileExt);
+
+
+        $fullName = $logFileName . $logFileExt;
+        $_POST['logger_file_name'] = $logFileName;
+        $_POST['logger_file_ext'] = $logFileExt;
+        $valid = true;
+
+        if (!hasValidFileName('logger_file_name', $logFileName) ||
+            !$this->hasValidExtension('logger_file_name', $logFileName)
+        ) {
+            LoggerManager::getLogger()->security("Setting logger_file_name to ''.");
+            $_POST['logger_file_name'] = '';
+            $valid = false;
+        }
+
+        if (!$this->hasValidExtension('logger_file_ext', $logFileExt)) {
+            $_POST['logger_file_ext'] = '';
+            LoggerManager::getLogger()->security("Setting logger_file_ext to ''.");
+            $valid = false;
+        }
+
+        if (!$valid) {
+            return;
+        }
+
+        if (!hasValidFileName('logger_full_name', $fullName) ||
+            !$this->hasValidExtension('logger_full_name', $fullName)
+        ) {
+            LoggerManager::getLogger()->security("Setting logger_file_name and  logger_file_ext to ''.");
+            $_POST['logger_file_name'] = '';
+            $_POST['logger_file_ext'] = '';
+        }
+    }
+
+    /**
+     * Trim value
+     * @param string $value
+     * @return string
+     */
+    public function trimValue($value)
+    {
+        return preg_replace('/.*\.([^\.]+)$/', '\1', $value);
+    }
+
+    /**
+     * Prepend dot
+     * @param string $value
+     * @return string
+     */
+    public function prependDot($value)
+    {
+
+        if (empty($value)) {
+            return $value;
+        }
+
+        if ($value[0] === '.') {
+            return $value;
+        }
+
+        return '.' . $value;
+    }
+
+    /**
+     * Check if has valid extension
+     * @param string $fieldName
+     * @param string $value
+     * @return bool
+     */
+    public function hasValidExtension($fieldName, $value)
+    {
+
+        if ($value === '.' || empty($value)) {
+            LoggerManager::getLogger()->security("Invalid ext  $fieldName : '$value'.");
+
+            return false;
+        }
+
+        $badExt = array_map('strtolower', $this->config['upload_badext']);
+
+        $parts = explode('.', $value);
+
+        if (empty($parts)) {
+            LoggerManager::getLogger()->security("Invalid ext  $fieldName : '$value'.");
+
+            return false;
+        }
+
+        $ext = array_pop($parts);
+
+        if (in_array(strtolower($this->trimValue($ext)), $badExt, true)) {
+            LoggerManager::getLogger()->security("Invalid $fieldName: '$value'.");
+
+            return false;
+        }
+
+        return true;
+    }
+
     public function handleOverride($fromParseLoggerSettings = false)
     {
         global $sugar_config, $sugar_version;
@@ -290,6 +400,7 @@ public function checkTempImage($path)
             $this->error = $error;
             return false;
         }
+
         return $path;
     }
 

modules/Configurator/tpls/EditView.tpl

@@ -365,7 +365,10 @@
 </tr>
 	<tr>
 		<td  scope="row" valign='middle'>{$MOD.LBL_LOGGER_FILENAME}</td>
-		<td   valign='middle' ><input type='text' name = 'logger_file_name'  value="{$config.logger.file.name}"></td>
+		<td   valign='middle' >
+			<input type='text' name = 'logger_file_name'  value="{$config.logger.file.name}">
+			<div><span class="small">{$APP.LBL_LOGGER_VALID_FILENAME_CHARACTERS}</span></div>
+		</td>
 		<td  scope="row">{$MOD.LBL_LOGGER_FILE_EXTENSION}</td>
 		<td ><input name ="logger_file_ext" type="text" size="5" value="{$config.logger.file.ext}"></td>
 		<td scope="row">{$MOD.LBL_LOGGER_FILENAME_SUFFIX}</td>

modules/Import/tpls/step2.tpl

@@ -82,7 +82,7 @@
             <td scope="row" colspan="4">&nbsp;</td>
         </tr>
         <tr>
-            <td align="left" scope="row" colspan="3"><label for="userfile">{$MOD.LBL_SELECT_FILE}</label> <input type="hidden" /><input size="20" id="userfile" name="userfile" type="file"/> &nbsp;{sugar_help text=$MOD.LBL_FILE_UPLOAD_WIDGET_HELP}</td>
+            <td align="left" scope="row" colspan="3"><div><label for="userfile">{$MOD.LBL_SELECT_FILE}</label></div> <div><input type="hidden" /><input size="20" id="userfile" name="userfile" type="file"/>{sugar_help text=$MOD.LBL_FILE_UPLOAD_WIDGET_HELP}</div> <div><span class="small">{$APP.LBL_LOGGER_VALID_FILENAME_CHARACTERS}</span></div></td>
         </tr>
         <tr>
             <td scope="row" colspan="4"><div class="hr">&nbsp;</div></td>
@@ -181,5 +181,5 @@
 </table>
 <script>
 {$JAVASCRIPT}
-</script>  
+</script>
 </form>

modules/Import/views/view.confirm.php

@@ -67,7 +67,19 @@ public function display()
     {
         global $mod_strings, $app_strings, $current_user;
         global $sugar_config, $locale;
-
+
+        if (isset($_FILES['userfile']['name']) && !hasValidFileName('import_upload_file_name', $_FILES['userfile']['name'])) {
+            LoggerManager::getLogger()->fatal('Invalid import file name');
+            echo $app_strings['LBL_LOGGER_INVALID_FILENAME'];
+            return;
+        }
+
+        if (isset($_REQUEST['tmp_file']) && !hasValidFileName('import_upload_file_name', $_REQUEST['tmp_file'])) {
+            LoggerManager::getLogger()->fatal('Invalid import file name');
+            echo $app_strings['LBL_LOGGER_INVALID_FILENAME'];
+            return;
+        }
+
         $this->ss->assign("IMPORT_MODULE", $_REQUEST['import_module']);
         $this->ss->assign("TYPE", (!empty($_REQUEST['type']) ? $_REQUEST['type'] : "import"));
         $this->ss->assign("SOURCE_ID", $_REQUEST['source_id']);

modules/Import/views/view.step3.php

@@ -128,6 +128,15 @@ public function display()
             return;
         }
 
+
+        if (isset($uploadFileName) && !hasValidFileName('import_upload_file_name', str_replace('upload://', '', $uploadFileName))) {
+            echo $app_strings['LBL_LOGGER_INVALID_FILENAME'];
+            echo $uploadFileName;
+            LoggerManager::getLogger()->fatal('Invalid import file name');
+            return;
+        }
+
+
         if (strpos($uploadFileName, 'phar://') !== false) {
             return;
         }
@@ -527,7 +536,7 @@ protected function _getCSS()
                     background: transparent url('index.php?entryPoint=getImage&themeName=Sugar&themeName=Sugar&imageName=sugar-yui-sprites.png') no-repeat 0 -90px;
                     padding-left: 10px;
                     cursor: pointer;
-		    display: inline; 
+		    display: inline;
                 }
 
                 span.expand{

suitecrm_version.php

@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.0';
-$suitecrm_timestamp = '2021-10-28 17:00:00';
+$suitecrm_version = '7.12.1';
+$suitecrm_timestamp = '2021-11-19 17:00:00';