SuiteCRM 7.12.3 Release

salesagility · Jan 27, 2022 · 613d449 · 613d449
1 parent 8798068
commit 613d449
Show file tree

Hide file tree

Showing 8 changed files with 165 additions and 48 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.2
+# SuiteCRM 7.12.3
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

diff --git a/files.md5 b/files.md5
diff --git a/include/InlineEditing/InlineEditing.php b/include/InlineEditing/InlineEditing.php
@@ -387,13 +387,27 @@ function saveField($field, $id, $module, $value)
 
 function getDisplayValue($bean, $field, $method = "save")
 {
+    global $log;
+
     if (file_exists("custom/modules/Accounts/metadata/listviewdefs.php")) {
         $metadata = require("custom/modules/Accounts/metadata/listviewdefs.php");
     } else {
         $metadata = require("modules/Accounts/metadata/listviewdefs.php");
     }
 
+    if (!$bean->ACLAccess('view')) {
+        $log->security("getDisplayValue - trying to access unauthorized view/module");
+        throw new BadMethodCallException('Unauthorized');
+    }
+
     $fieldlist[$field] = $bean->getFieldDefinition($field);
+    $isSensitive = !empty($fieldlist[$field]['sensitive']);
+    $notApiVisible = !empty($fieldlist[$field]['api-visible']);
+
+    if ($isSensitive || $notApiVisible){
+        $log->security("getDisplayValue - trying to access sensitive field");
+        throw new BadMethodCallException('Unauthorized');
+    }
 
     if (is_array($listViewDefs)) {
         $fieldlist[$field] = array_merge($fieldlist[$field], $listViewDefs);

diff --git a/include/utils.php b/include/utils.php
@@ -216,6 +216,13 @@ function make_sugar_config(&$sugar_config)
             'html',
             'htm',
         ) : $upload_badext,
+        'valid_image_ext' => [
+            'gif',
+            'png',
+            'jpg',
+            'jpeg',
+            'svg'
+        ],
         'upload_dir' => $upload_dir, // this must be set!!
         'upload_maxsize' => empty($upload_maxsize) ? 30000000 : $upload_maxsize,
         'allowed_preview' => [
@@ -470,6 +477,13 @@ function get_sugar_config_defaults(): array
             'htm',
             'phtml',
         ],
+        'valid_image_ext' => [
+            'gif',
+            'png',
+            'jpg',
+            'jpeg',
+            'svg'
+        ],
         'upload_maxsize' => 30000000,
         'import_max_execution_time' => 3600,
 //	'use_php_code_json' => returnPhpJsonStatus(),
@@ -538,7 +552,7 @@ function get_sugar_config_defaults(): array
     if (!is_object($locale)) {
         $locale = new Localization();
     }
-    
+
     $sugar_config_defaults = sugarArrayMerge($locale->getLocaleConfigDefaults(), $sugar_config_defaults);
 
     return $sugar_config_defaults;
@@ -5871,3 +5885,66 @@ function getAppString($key)
 
     return $app_strings[$key];
 }
+
+/**
+ * Check if has valid image extension
+ * @param string $fieldName
+ * @param string $value
+ * @return bool
+ */
+function has_valid_image_extension($fieldName, $name)
+{
+    global $sugar_config;
+
+    $validExtensions = [
+        'gif',
+        'png',
+        'jpg',
+        'jpeg',
+        'svg'
+    ];
+
+    if (isset($sugar_config['valid_image_ext']) && is_array($sugar_config['valid_image_ext'])){
+        $validExtensions = $sugar_config['valid_image_ext'];
+    }
+
+    return has_valid_extension($fieldName, $name, $validExtensions);
+}
+
+/**
+ * Check if has valid extension
+ * @param string $fieldName
+ * @param string $name
+ * @param array $validExtensions
+ * @return bool
+ */
+function has_valid_extension($fieldName, $name, $validExtensions)
+{
+
+    if ($name === '.' || empty($name)) {
+        LoggerManager::getLogger()->security("Invalid ext  $fieldName : '$name'.");
+
+        return false;
+    }
+
+    $validExtensions = array_map('strtolower', $validExtensions);
+
+    $parts = explode('.', $name);
+
+    if (empty($parts)) {
+        LoggerManager::getLogger()->security("Invalid ext  $fieldName : '$name'.");
+
+        return false;
+    }
+
+    $ext = array_pop($parts);
+    $trimmedValue = preg_replace('/.*\.([^\.]+)$/', '\1', $ext);
+
+    if (!in_array(strtolower($trimmedValue), $validExtensions, true)) {
+        LoggerManager::getLogger()->security("Invalid $fieldName: '$name'.");
+
+        return false;
+    }
+
+    return true;
+}
diff --git a/modules/EmailTemplates/EmailTemplate.php b/modules/EmailTemplates/EmailTemplate.php
@@ -905,7 +905,7 @@ private function repairMozaikClears()
 
     private function repairEntryPointImages()
     {
-        global $sugar_config;
+        global $sugar_config, $log;
 
         // repair the images url at entry points, change to a public direct link for remote email clients..
 
@@ -914,8 +914,17 @@ private function repairEntryPointImages()
         $regex = '#<img[^>]*[\s]+src=[\s]*["\'](' . preg_quote($siteUrl) . '\/index\.php\?entryPoint=download&type=Notes&id=([a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12})&filename=.+?)["\']#si';
 
         if (preg_match($regex, $html, $match)) {
+
             $splits = explode('.', $match[1]);
+
             $fileExtension = end($splits);
+
+            $toFile = $match[2] . '.' . $fileExtension;
+            if (is_string($toFile) && !has_valid_image_extension('repair-entrypoint-images-fileext', $toFile)){
+                $log->error("repairEntryPointImages | file with invalid extension '$toFile'");
+                return;
+            }
+
             $this->makePublicImage($match[2], $fileExtension);
             $newSrc = $sugar_config['site_url'] . '/public/' . $match[2] . '.' . $fileExtension;
             $this->body_html = to_html(str_replace($match[1], $newSrc, $html));

diff --git a/modules/Import/controller.php b/modules/Import/controller.php
@@ -146,6 +146,16 @@ public function action_RefreshMapping()
             return;
         }
 
+        if (isset($fileName) && !hasValidFileName('import_refresh_mapping_file_name', str_replace('upload://', '', $fileName))) {
+            LoggerManager::getLogger()->fatal('Invalid importFile file name');
+            return;
+        }
+
+        if (strpos($fileName, 'phar://') !== false) {
+            LoggerManager::getLogger()->fatal('Invalid importFile file path');
+            return;
+        }
+
         $delim = $_REQUEST['delim'];
 
         if ($delim === '\t') {

diff --git a/modules/Project/controller.php b/modules/Project/controller.php
@@ -40,15 +40,15 @@ public function action_generate_chart()
 
         $project = BeanFactory::newBean('Project');
         $project->retrieve($_POST["pid"]);
-        
+
         //Get project tasks
         $Task = BeanFactory::getBean('ProjectTask');
         $tasks = $Task->get_full_list("order_number", "project_task.project_id = '".$project->id."'");
-        
+
         //Get the start and end date of the project in database format
         $query = "SELECT min(date_start) FROM project_task WHERE project_id = '{$project->id}'";
         $start_date = $db->getOne($query);
-        
+
         $query = "SELECT max(date_finish) FROM project_task WHERE project_id = '{$project->id}'";
         $end_date = $db->getOne($query);
 
@@ -347,12 +347,12 @@ public function action_update_chart()
         //Get  specified dates and users
         $start = $_POST['start'];
         //$end = $_POST['end'];
-        $projects = explode(',', $_POST['projects']);
-        $users = explode(',', $_POST['users']);
-        $contacts = explode(',', $_POST['contacts']);
-        $month = $_POST['month'];
+        $projects = explode(',', $db->quote($_POST['projects']));
+        $users = explode(',', $db->quote($_POST['users']));
+        $contacts = explode(',', $db->quote($_POST['contacts']));
+        $month = is_numeric($_POST['month']) ? $_POST['month'] : '1' ;
         $flag = $_POST['flag'];
-        $chart_type = $_POST['chart_type'];
+        $chart_type = $db->quote($_POST['chart_type']);
         //$type = $_POST['type'];
 
         $start = new DateTime($start);
@@ -499,7 +499,7 @@ public function action_Tooltips()
         }
 
         $Task = BeanFactory::getBean('ProjectTask');
-        
+
         $tasks = $Task->get_full_list("date_start", "project_task.assigned_user_id = '".$resource_id."' AND ( ( project_task.date_start BETWEEN '".$start_date."'  AND '".$end_date."' ) OR ( project_task.date_finish BETWEEN '".$start_date."' AND '".$end_date."' ) OR ( '".$start_date."' BETWEEN project_task.date_start  AND project_task.date_finish ) OR ( '".$end_date."' BETWEEN project_task.date_start AND project_task.date_finish ) ) AND (project_id is not null AND project_id <> '') " . $project_where);
 
         echo '<table class="qtip_table">';

diff --git a/suitecrm_version.php b/suitecrm_version.php
@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.2';
-$suitecrm_timestamp = '2021-12-14 17:00:00';
+$suitecrm_version = '7.12.3';
+$suitecrm_timestamp = '2022-01-27 12:00:00';