From f0d12208eb26eeffa65fb20120609dd215c6b1be Mon Sep 17 00:00:00 2001
From: "hemanth.sv" <hemanth.sv@vtigersolutions.com>
Date: Tue, 6 Aug 2024 20:09:53 +0530
Subject: [PATCH 1/3] V-Task_158003791::Hemanth::When we export the calendar in
 the .ics format,exporting with empty file

---
 modules/Calendar/actions/ExportData.php |  4 +-
 modules/Vtiger/actions/ExportData.php   | 73 ++++++++++++++++++++++++-
 2 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/modules/Calendar/actions/ExportData.php b/modules/Calendar/actions/ExportData.php
index b0c45916b..09959be59 100644
--- a/modules/Calendar/actions/ExportData.php
+++ b/modules/Calendar/actions/ExportData.php
@@ -33,7 +33,7 @@ class Calendar_ExportData_Action extends Vtiger_ExportData_Action {
 	 * @return <String>
 	 */
 	public function getExportContentType(Vtiger_Request $request) {
-		if ($request->get('type') == 'csv') {
+		if ($request->get('type') == 'csv' || $request->get('type') == 'ics') {
 			return parent::getExportContentType($request);
 		}
 		return 'text/calendar';
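Review bot: The changed condition fetches `$request->get('type')` twice and compares with loose `==`; `$type = $request->get('type'); if (in_array($type, ['csv', 'ics'], true))` reads cleaner and compares strictly. The same shape appears in the ExportData hunk of this file below. Both hunks are reverted again by PATCH 2/3 of this series, so this is only worth doing if the ICS routing is kept.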
@@ -45,7 +45,7 @@ class Calendar_ExportData_Action extends Vtiger_ExportData_Action {
 	 */
 	public function ExportData(Vtiger_Request $request) {
 		$this->moduleCall = true;
-		if ($request->get('type') == 'csv') {
+		if ($request->get('type') == 'csv' || $request->get('type') == 'ics') {
 			parent::ExportData($request);
 			return;
 		}
diff --git a/modules/Vtiger/actions/ExportData.php b/modules/Vtiger/actions/ExportData.php
index 7adda4bdb..484cf7b56 100644
--- a/modules/Vtiger/actions/ExportData.php
+++ b/modules/Vtiger/actions/ExportData.php
@@ -58,8 +58,13 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 		for ($j = 0; $j < $db->num_rows($result); $j++) {
 			$entries[] = $this->sanitizeValues($db->fetchByAssoc($result, $j));
 		}
-
-		$this->output($request, $translatedHeaders, $entries);
+		if($request->get('type') == 'csv')
+		{
+			$this->output($request, $translatedHeaders, $entries);
+		}
+		else{
+			$this->outputICS($request, $translatedHeaders, $entries);
+		}
 	}
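Review bot: The new `if($request->get('type') == 'csv')` / `else` routes every non-csv export of every module through outputICS, including a request that carries no `type` at all, which getExportContentType in this same file (next hunk) still reports as `text/csv`. The ICS path should be the opt-in branch so the existing CSV writer stays the default: `if ($request->get('type') === 'ics') { $this->outputICS($request, $translatedHeaders, $entries); } else { $this->output($request, $translatedHeaders, $entries); }`. ExportData's body begins outside the hunk. PATCH 2/3 of this series removes this branch again.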
 
 	public function getHeaders() {
@@ -230,6 +235,10 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 		if(empty($type)) {
 			return 'text/csv';
 		}
+		else if($type == 'ics')
+		{
+			return 'text/calender';
+		}
 	}
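Review bot: The MIME type on the added `return 'text/calender';` line is misspelled; the registered type, and the one Calendar/actions/ExportData.php in this same patch returns, is `text/calendar`. With the new branch the method still falls off the end and returns null for any other non-empty `$type`, so an explicit final `return 'text/csv';` (or whatever default the callers expect) would make the contract visible. getExportContentType starts outside the hunk; PATCH 2/3 of this series drops this branch.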
 
 	/**
@@ -238,6 +247,66 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 	 * @param <Array> $headers - output file header
 	 * @param <Array> $entries - outfput file data
 	 */
+	function outputICS($request, $headers, $entries) {
+		$moduleName = $request->get('source_module');
+		$fileName = str_replace(' ','_',decode_html(vtranslate($moduleName, $moduleName)));
+		$fileName = str_replace(',', '_', $fileName);
+		$exportType = 'text/calendar';
+	
+		header("Content-Disposition:attachment;filename=$fileName.ics");
+		header("Content-Type:$exportType;charset=UTF-8");
+		header("Expires: Mon, 31 Dec 2000 00:00:00 GMT" );
+		header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
+		header("Cache-Control: post-check=0, pre-check=0", false );
+	
+		ob_clean();
+		$icsData = $this->generateICSData($headers, $entries);
+		echo $icsData;
+	}
+	
+	function generateICSData($headers, $entries) {
+
+		$icsData = "BEGIN:VCALENDAR\r\n";
+		$icsData.= "VERSION:2.0\r\n";
+		$icsData.= "PRODID:-//Vtiger CRM//Vtiger Calendar//EN\r\n";
+		$icsData.= "CALSCALE:GREGORIAN\r\n";
+	
+		foreach ($entries as $entry) {
+		
+			$startDate = strtotime($entry['date_start']);
+	
+			$endDate = strtotime($entry['due_date']);
+			
+	
+			if ($endDate <= $startDate) {
+				echo $endDate;
+				$endDate = $startDate+3600; 
+			}
+	
+			$summary = $entry['subject'];
+			$description = $entry['description'];
+			$location = isset($entry['location'])? $entry['location'] : '';
+			$status = $entry['status']; 
+			$icsData.= "BEGIN:VEVENT\r\n";
+			$icsData.= "DTSTAMP:".date('Ymd\THis\Z', strtotime('now'))."\r\n";
+			$icsData.= "DTSTART:".$this->formatDate($startDate)."\r\n";
+			$icsData.= "DTEND:".$this->formatDate($endDate)."\r\n";
+			$icsData.= "SUMMARY:".$summary."\r\n";
+			$icsData.= "DESCRIPTION:".$description."\r\n";
+			if ($location) {
+				$icsData.= "LOCATION:".$location."\r\n";
+			}
+			$icsData.= "STATUS:".$status."\r\n";
+			$icsData.= "END:VEVENT\r\n";
+		}
+		$icsData.= "END:VCALENDAR\r\n";
+		return $icsData;
+	}
+	
+	function formatDate($timestamp) {
+		return date('Ymd\THis\Z', $timestamp);
+	}
+
 	function output($request, $headers, $entries) {
 		$moduleName = $request->get('source_module');
 		$fileName = str_replace(' ','_',decode_html(vtranslate($moduleName, $moduleName)));
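Review bot: The `echo $endDate;` inside generateICSData's date fix-up writes a raw timestamp into the response body ahead of the VEVENT, so any event with a missing or earlier due_date corrupts the exported .ics. Beyond that debug leftover, `date('Ymd\THis\Z', ...)` (in formatDate and the DTSTAMP line) formats in the server's default timezone while the literal `Z` asserts UTC, so times shift by the server offset in the importing client; `gmdate` is the right call. Each VEVENT also lacks the UID property RFC 5545 requires, and SUMMARY/DESCRIPTION/LOCATION/STATUS are concatenated unescaped, so a description containing a line break, `;` or `,` starts a new property and breaks parsing — values need RFC 5545 §3.3.11 TEXT escaping (and ideally §3.1 line folding, not shown below). The unquoted `filename=$fileName.ics` in outputICS should be `filename="$fileName.ics"`, and `$headers` is unused in both new methods. PATCH 2/3 of this series deletes these methods again.
```php
	function generateICSData($headers, $entries) {
		// … unchanged: VCALENDAR header lines …
		foreach ($entries as $entry) {
			$startDate = strtotime($entry['date_start']);
			$endDate = strtotime($entry['due_date']);
			if ($endDate <= $startDate) {
				// no debug echo here: anything echoed lands in the .ics body
				$endDate = $startDate + 3600;
			}
			$location = isset($entry['location']) ? $entry['location'] : '';
			$icsData .= "BEGIN:VEVENT\r\n";
			// UID is mandatory for a VEVENT (RFC 5545 §3.6.1); the record id column's key is not visible in this hunk
			$icsData .= "UID:" . $this->escapeICSText($entry['<record-id-column>']) . "@vtiger\r\n";
			$icsData .= "DTSTAMP:" . $this->formatDate(time()) . "\r\n";
			$icsData .= "DTSTART:" . $this->formatDate($startDate) . "\r\n";
			$icsData .= "DTEND:" . $this->formatDate($endDate) . "\r\n";
			$icsData .= "SUMMARY:" . $this->escapeICSText($entry['subject']) . "\r\n";
			$icsData .= "DESCRIPTION:" . $this->escapeICSText($entry['description']) . "\r\n";
			if ($location !== '') {
				$icsData .= "LOCATION:" . $this->escapeICSText($location) . "\r\n";
			}
			$icsData .= "STATUS:" . $this->escapeICSText($entry['status']) . "\r\n";
			$icsData .= "END:VEVENT\r\n";
		}
		// … unchanged: END:VCALENDAR and return …
	}

	// The trailing Z declares UTC, so the timestamp must be rendered with gmdate, not date.
	function formatDate($timestamp) {
		return gmdate('Ymd\THis\Z', $timestamp);
	}

	// RFC 5545 §3.3.11 TEXT escaping: backslash, semicolon, comma and line breaks.
	function escapeICSText($text) {
		$text = str_replace(["\\", ";", ","], ["\\\\", "\\;", "\\,"], (string) $text);
		return str_replace(["\r\n", "\r", "\n"], "\\n", $text);
	}
```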
-- 
GitLab


From 7412ef9fbd6d991b997ddfe762eefe4f44663d56 Mon Sep 17 00:00:00 2001
From: "hemanth.sv" <hemanth.sv@vtigersolutions.com>
Date: Fri, 9 Aug 2024 18:48:06 +0530
Subject: [PATCH 2/3] V-Task_158003791::Hemanth::When we export the calendar in
 the .ics format,exporting with empty file

---
 modules/Calendar/actions/ExportData.php       |  4 +-
 .../Calendar/iCal/iCalendar_components.php    |  2 +-
 modules/Vtiger/actions/ExportData.php         | 73 +------------------
 3 files changed, 5 insertions(+), 74 deletions(-)

diff --git a/modules/Calendar/actions/ExportData.php b/modules/Calendar/actions/ExportData.php
index 09959be59..b0c45916b 100644
--- a/modules/Calendar/actions/ExportData.php
+++ b/modules/Calendar/actions/ExportData.php
@@ -33,7 +33,7 @@ class Calendar_ExportData_Action extends Vtiger_ExportData_Action {
 	 * @return <String>
 	 */
 	public function getExportContentType(Vtiger_Request $request) {
-		if ($request->get('type') == 'csv' || $request->get('type') == 'ics') {
+		if ($request->get('type') == 'csv') {
 			return parent::getExportContentType($request);
 		}
 		return 'text/calendar';
@@ -45,7 +45,7 @@ class Calendar_ExportData_Action extends Vtiger_ExportData_Action {
 	 */
 	public function ExportData(Vtiger_Request $request) {
 		$this->moduleCall = true;
-		if ($request->get('type') == 'csv' || $request->get('type') == 'ics') {
+		if ($request->get('type') == 'csv') {
 			parent::ExportData($request);
 			return;
 		}
diff --git a/modules/Calendar/iCal/iCalendar_components.php b/modules/Calendar/iCal/iCalendar_components.php
index 5df8a9486..004f272bc 100644
--- a/modules/Calendar/iCal/iCalendar_components.php
+++ b/modules/Calendar/iCal/iCalendar_components.php
@@ -169,7 +169,7 @@ class iCalendar_component {
 
     function serialize() {
         // Check for validity of the object
-        if(!$this->is_valid()) {
+        if($this->is_valid()) {
             return false;
         }
 
diff --git a/modules/Vtiger/actions/ExportData.php b/modules/Vtiger/actions/ExportData.php
index 484cf7b56..81b017488 100644
--- a/modules/Vtiger/actions/ExportData.php
+++ b/modules/Vtiger/actions/ExportData.php
@@ -58,13 +58,8 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 		for ($j = 0; $j < $db->num_rows($result); $j++) {
 			$entries[] = $this->sanitizeValues($db->fetchByAssoc($result, $j));
 		}
-		if($request->get('type') == 'csv')
-		{
-			$this->output($request, $translatedHeaders, $entries);
-		}
-		else{
-			$this->outputICS($request, $translatedHeaders, $entries);
-		}
+		
+		$this->output($request, $translatedHeaders, $entries);
 	}
 
 	public function getHeaders() {
@@ -235,10 +230,6 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 		if(empty($type)) {
 			return 'text/csv';
 		}
-		else if($type == 'ics')
-		{
-			return 'text/calender';
-		}
 	}
 
 	/**
@@ -247,66 +238,6 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 	 * @param <Array> $headers - output file header
 	 * @param <Array> $entries - outfput file data
 	 */
-	function outputICS($request, $headers, $entries) {
-		$moduleName = $request->get('source_module');
-		$fileName = str_replace(' ','_',decode_html(vtranslate($moduleName, $moduleName)));
-		$fileName = str_replace(',', '_', $fileName);
-		$exportType = 'text/calendar';
-	
-		header("Content-Disposition:attachment;filename=$fileName.ics");
-		header("Content-Type:$exportType;charset=UTF-8");
-		header("Expires: Mon, 31 Dec 2000 00:00:00 GMT" );
-		header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
-		header("Cache-Control: post-check=0, pre-check=0", false );
-	
-		ob_clean();
-		$icsData = $this->generateICSData($headers, $entries);
-		echo $icsData;
-	}
-	
-	function generateICSData($headers, $entries) {
-
-		$icsData = "BEGIN:VCALENDAR\r\n";
-		$icsData.= "VERSION:2.0\r\n";
-		$icsData.= "PRODID:-//Vtiger CRM//Vtiger Calendar//EN\r\n";
-		$icsData.= "CALSCALE:GREGORIAN\r\n";
-	
-		foreach ($entries as $entry) {
-		
-			$startDate = strtotime($entry['date_start']);
-	
-			$endDate = strtotime($entry['due_date']);
-			
-	
-			if ($endDate <= $startDate) {
-				echo $endDate;
-				$endDate = $startDate+3600; 
-			}
-	
-			$summary = $entry['subject'];
-			$description = $entry['description'];
-			$location = isset($entry['location'])? $entry['location'] : '';
-			$status = $entry['status']; 
-			$icsData.= "BEGIN:VEVENT\r\n";
-			$icsData.= "DTSTAMP:".date('Ymd\THis\Z', strtotime('now'))."\r\n";
-			$icsData.= "DTSTART:".$this->formatDate($startDate)."\r\n";
-			$icsData.= "DTEND:".$this->formatDate($endDate)."\r\n";
-			$icsData.= "SUMMARY:".$summary."\r\n";
-			$icsData.= "DESCRIPTION:".$description."\r\n";
-			if ($location) {
-				$icsData.= "LOCATION:".$location."\r\n";
-			}
-			$icsData.= "STATUS:".$status."\r\n";
-			$icsData.= "END:VEVENT\r\n";
-		}
-		$icsData.= "END:VCALENDAR\r\n";
-		return $icsData;
-	}
-	
-	function formatDate($timestamp) {
-		return date('Ymd\THis\Z', $timestamp);
-	}
-
 	function output($request, $headers, $entries) {
 		$moduleName = $request->get('source_module');
 		$fileName = str_replace(' ','_',decode_html(vtranslate($moduleName, $moduleName)));
-- 
GitLab


From 69fb95cada6e3e349ad637b93481ae79c413a05d Mon Sep 17 00:00:00 2001
From: "hemanth.sv" <hemanth.sv@vtigersolutions.com>
Date: Tue, 20 Aug 2024 16:07:30 +0530
Subject: [PATCH 3/3] -V sql injection security issue with API when condition
 has different value

---
 include/Webservices/VTQL_Parser.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/include/Webservices/VTQL_Parser.php b/include/Webservices/VTQL_Parser.php
index 0342f8f9b..80097d847 100644
--- a/include/Webservices/VTQL_Parser.php
+++ b/include/Webservices/VTQL_Parser.php
@@ -340,12 +340,18 @@ function getReferenceValue($whereValue){
 	$whereValue = trim($whereValue,'\'"');
 	$whereValue = vtws_getIdComponents($whereValue);
 	$whereValue = $whereValue[1];
+    if (strpos($whereValue, ' ') !== false || !is_int((int)$whereValue[1])) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $whereValue;	
 }
 function getOwner($whereValue){
 	$whereValue = trim($whereValue,'\'"');
 	$whereValue = vtws_getIdComponents($whereValue);
 	$whereValue = $whereValue[1];
+    if (strpos($whereValue, ' ') !== false || !is_int((int)$whereValue[1])) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $whereValue;
 }
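Review bot: In both added checks `!is_int((int)$whereValue[1])` can never be true — a cast to int always yields an int — so the only condition that rejects anything is the search for a single space character, and `$whereValue[1]` reads just the second character and raises an undefined-offset warning for a value shorter than two characters. Since this value is later embedded in SQL, require the whole id to be a digit string: `if (!ctype_digit((string) $whereValue)) { throw new WebServiceException(WebServiceErrorCode::$INVALIDID, "Id specified is incorrect"); }` in both getReferenceValue and getOwner. The same ineffective test is repeated in the two later hunks of this file (`@@ -1227` and `@@ -1234`), which have additional placement problems noted there. The added `if` lines are indented with spaces while the surrounding code uses tabs.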
 function isSuccess(){
@@ -1227,6 +1233,10 @@ $val = trim($val,'\'"');
 $value = vtws_getIdComponents($val);
 $new[] = $value[1];
 }
+if (strpos($value[1], ' ') !== false || !is_int((int)$value[1])) {
+	$this->syntax_error = true;
+	throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+}
 $this->out['where_condition']['column_values'][php7_sizeof($this->out['where_condition']['column_values'])-1] = $new;
 }else{
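Review bot: The added check sits after the closing `}` and therefore inspects only the last `$value` the preceding block produced, while every `$value[1]` already appended to `$new[]` goes unchecked; if that `}` closes a loop over several ids (its opening is outside the hunk), the check belongs inside the loop, before `$new[] = $value[1];`. As in getReferenceValue above, `!is_int((int)$value[1])` is always false, so effectively only a space is rejected; `if (!ctype_digit((string) $value[1]))` validates the whole id. Setting `$this->syntax_error = true` immediately before an unconditional throw only has an effect if the exception is caught and that flag read afterwards, which this hunk does not show.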
 $prev = trim($prev,'\'"');
@@ -1234,6 +1244,10 @@ $value = vtws_getIdComponents($prev);
 if(strcasecmp($this->out['where_condition']['column_operators'][php7_sizeof($this->out['where_condition']['column_operators'])-1],'like')===0){
 $value[1] = "'".$value[1]."'";
 }
+if (strpos($value[1], ' ') !== false || !is_int((int)$value[1])) {
+	$this->syntax_error = true;
+    throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+}
 $this->out['where_condition']['column_values'][php7_sizeof($this->out['where_condition']['column_values'])-1] = $value[1];
 }
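Review bot: The added check runs after the `like` branch has wrapped `$value[1]` in single quotes, so for a LIKE comparison the value already starts with `'` when it is inspected; the current test passes anything without a space regardless, and a proper digit check placed here would always fail for LIKE. Validate the raw value first, above the `strcasecmp(...)` line: `if (!ctype_digit((string) $value[1])) { $this->syntax_error = true; throw new WebServiceException(WebServiceErrorCode::$INVALIDID, "Id specified is incorrect"); }`, then apply the quoting. The `!is_int((int)...)` half of the condition is always false, as in the two earlier hunks.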
 }
-- 
GitLab