summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--composer.json2
-rw-r--r--glpi-security1.patch432
-rw-r--r--glpi-security2.patch292
-rw-r--r--glpi.spec19
4 files changed, 7 insertions, 738 deletions
diff --git a/composer.json b/composer.json
index d1c3ee8..66f6b52 100644
--- a/composer.json
+++ b/composer.json
@@ -43,7 +43,7 @@
"patchwork/jsqueeze": "^2.0",
"atoum/atoum": "^3.3",
"atoum/telemetry-extension": "^1.0",
- "sensiolabs/security-checker": "^4.1",
+ "sensiolabs/security-checker": "^5.0",
"fzaninotto/Faker": "^1.7",
"jakub-onderka/php-parallel-lint": "^1.0"
},
diff --git a/glpi-security1.patch b/glpi-security1.patch
deleted file mode 100644
index f33fc96..0000000
--- a/glpi-security1.patch
+++ /dev/null
@@ -1,432 +0,0 @@
-From c5314dd86d6560865670940b59ac0fbb97225bb4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
-Date: Tue, 26 Feb 2019 13:46:06 +0100
-Subject: [PATCH 01/10] Fix chevrons display in select2 rendering
-
----
- inc/html.class.php | 10 ++++++++++
- js/common.js | 16 ++++++++++++----
- 2 files changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/inc/html.class.php b/inc/html.class.php
-index 760ffe164b..e5907c8d5b 100644
---- a/inc/html.class.php
-+++ b/inc/html.class.php
-@@ -4329,6 +4329,11 @@ static function jsAdaptDropdown($id, $params = []) {
- if (typeof data.text === 'string'
- && data.text.toUpperCase().indexOf(params.term.toUpperCase()) >= 0
- ) {
-+ if (data.text.indexOf('>') !== -1 || data.text.indexOf('<') !== -1) {
-+ // escape text, if it contains chevrons (can already be escaped prior to this point :/)
-+ data.text = jQuery.fn.select2.defaults.defaults.escapeMarkup(data.text);
-+ }
-+
- return data;
- }
- return null;
-@@ -4341,6 +4346,11 @@ static function jsAdaptDropdown($id, $params = []) {
- if (child.text.toUpperCase().indexOf(params.term.toUpperCase()) != -1
- || data.text.toUpperCase().indexOf(params.term.toUpperCase()) != -1
- ) {
-+
-+ if (child.text.indexOf('>') !== -1 || child.text.indexOf('<') !== -1) {
-+ // escape text, if it contains chevrons (can already be escaped prior to this point :/)
-+ child.text = jQuery.fn.select2.defaults.defaults.escapeMarkup(child.text);
-+ }
- filteredChildren.push(child);
- }
- });
-diff --git a/js/common.js b/js/common.js
-index c08623434c..15cf04b200 100644
---- a/js/common.js
-+++ b/js/common.js
-@@ -948,17 +948,25 @@ function markMatch (text, term) {
- * Function that renders select2 results.
- */
- var templateResult = function(result) {
-- if (!result.id) {
-- return result.text;
-+ if (!result.text) {
-+ return null;
- }
-
- var _elt = $('<span></span>');
- _elt.attr('title', result.title);
-
-- var markup=[result.text];
-+ var text = result.text;
-+ if (text.indexOf('>') !== -1 || text.indexOf('<') !== -1) {
-+ // escape text, if it contains chevrons (can already be escaped prior to this point :/)
-+ text = jQuery.fn.select2.defaults.defaults.escapeMarkup(result.text);
-+ };
-+
-+ if (!result.id) {
-+ return text;
-+ }
-
- var _term = query.term || '';
-- var markup = markMatch(result.text, _term);
-+ var markup = markMatch(text, _term);
-
- if (result.level) {
- var a='';
-
-From 2c5d9f80f64a1f5ef4c62af8be5d24b812b75ecc Mon Sep 17 00:00:00 2001
-From: Johan Cwiklinski <jcwiklinski@teclib.com>
-Date: Tue, 5 Mar 2019 12:49:05 +0100
-Subject: [PATCH 02/10] Disallow all on attributes
-
----
- inc/html.class.php | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/inc/html.class.php b/inc/html.class.php
-index e5907c8d5b..f9aa6532dd 100644
---- a/inc/html.class.php
-+++ b/inc/html.class.php
-@@ -3550,6 +3550,9 @@ static function initEditorSystem($name, $rand = '', $display = true, $readonly =
- // init editor
- tinyMCE.init({
- language: '$language',
-+ invalid_elements: 'form,iframe,script,@[onclick|ondblclick|'
-+ + 'onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|'
-+ + 'onkeydown|onkeyup]',
- browser_spellcheck: true,
- mode: 'exact',
- elements: '$name',
-
-From a330e5b49f46680cf9fb877fdac7a6e44eff9115 Mon Sep 17 00:00:00 2001
-From: Johan Cwiklinski <jcwiklinski@teclib.com>
-Date: Mon, 4 Mar 2019 16:15:04 +0100
-Subject: [PATCH 03/10] Strict check
-
----
- inc/auth.class.php | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/inc/auth.class.php b/inc/auth.class.php
-index 323b3b94a2..707d7ab314 100644
---- a/inc/auth.class.php
-+++ b/inc/auth.class.php
-@@ -276,14 +276,14 @@ static function checkPassword($pass, $hash) {
- $ok = password_verify($pass, $hash);
-
- } else if (strlen($hash)==32) {
-- $ok = md5($pass) == $hash;
-+ $ok = md5($pass) === $hash;
-
- } else if (strlen($hash)==40) {
-- $ok = sha1($pass) == $hash;
-+ $ok = sha1($pass) === $hash;
-
- } else {
- $salt = substr($hash, 0, 8);
-- $ok = ($salt.sha1($salt.$pass) == $hash);
-+ $ok = ($salt.sha1($salt.$pass) === $hash);
- }
-
- return $ok;
-
-From f8959e587db32361c3013898c9f223a4151ada33 Mon Sep 17 00:00:00 2001
-From: Johan Cwiklinski <jcwiklinski@teclib.com>
-Date: Tue, 12 Mar 2019 14:44:53 +0100
-Subject: [PATCH 04/10] Use exif if present to check if file is image, or
- fallback with W on fileinfo
-
----
- inc/config.class.php | 3 +++
- inc/document.class.php | 13 +++++++++++--
- tests/functionnal/Document.php | 20 +++++++-------------
- tests/notanimage.jpg | 3 +++
- 4 files changed, 24 insertions(+), 15 deletions(-)
- create mode 100644 tests/notanimage.jpg
-
-diff --git a/inc/config.class.php b/inc/config.class.php
-index b648d53181..8797b5bd4c 100644
---- a/inc/config.class.php
-+++ b/inc/config.class.php
-@@ -2456,6 +2456,9 @@ static function checkExtensions($list = null) {
- 'CAS' => [
- 'required' => false,
- 'class' => 'phpCAS'
-+ ],
-+ 'exif' => [
-+ 'required' => false
- ]
- ];
- } else {
-diff --git a/inc/document.class.php b/inc/document.class.php
-index 8072dac9f2..faca1a93ee 100644
---- a/inc/document.class.php
-+++ b/inc/document.class.php
-@@ -1497,8 +1497,17 @@ static function getImageTag($string) {
- * @return boolean
- */
- public static function isImage($file) {
-- $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
-- return (in_array($ext, ['jpg', 'jpeg', 'png', 'bmp', 'gif']));
-+ if (extension_loaded('exif')) {
-+ $etype = exif_imagetype($file);
-+ return in_array($etype, [IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG, IMAGETYPE_BMP]);
-+ } else {
-+ Toolbox::logWarning('For security reasons, you should consider using exif PHP extension to properly check images.');
-+ $fileinfo = finfo_open(FILEINFO_MIME_TYPE);
-+ return in_array(
-+ finfo_file($fileinfo, $file),
-+ ['image/jpeg', 'image/png','image/gif', 'image/bmp']
-+ );
-+ }
- }
-
- /**
-diff --git a/tests/functionnal/Document.php b/tests/functionnal/Document.php
-index a00ca4b57f..1757ebc8e6 100644
---- a/tests/functionnal/Document.php
-+++ b/tests/functionnal/Document.php
-@@ -215,25 +215,19 @@ public function testGetImageTag() {
-
- protected function isImageProvider() {
- return [
-- ['PNG', true],
-- ['png', true],
-- ['JPG', true],
-- ['jpg', true],
-- ['jpeg', true],
-- ['JPEG', true],
-- ['bmp', true],
-- ['BMP', true],
-- ['gif', true],
-- ['GIF', true],
-- ['SVG', false]
-+ [__FILE__, false],
-+ [__DIR__ . "/../../pics/add_dropdown.png", true],
-+ [__DIR__ . "/../../pics/corners.gif", true],
-+ [__DIR__ . "/../../pics/PICS-AUTHORS.txt", false],
-+ [__DIR__ . "/../notanimage.jpg", false]
- ];
- }
-
- /**
- * @dataProvider isImageProvider
- */
-- public function testIsImage($ext, $expected) {
-- $this->variable(\Document::isImage('myfile.' . $ext))->isIdenticalTo($expected);
-+ public function testIsImage($file, $expected) {
-+ $this->boolean(\Document::isImage($file))->isIdenticalTo($expected);
- }
-
- /**
-diff --git a/tests/notanimage.jpg b/tests/notanimage.jpg
-new file mode 100644
-index 0000000000..d2dbc0fe33
---- /dev/null
-+++ b/tests/notanimage.jpg
-@@ -0,0 +1,3 @@
-+<?php
-+
-+echo 'This is not an image.';
-
-From 5d11af11e08cc16d52083fe4a13f64f5f1a332d2 Mon Sep 17 00:00:00 2001
-From: Johan Cwiklinski <jcwiklinski@teclib.com>
-Date: Tue, 12 Mar 2019 10:59:54 +0100
-Subject: [PATCH 05/10] Password token date was not removed
-
----
- inc/user.class.php | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/inc/user.class.php b/inc/user.class.php
-index e6ebb3a88d..fdc9d8b0ac 100644
---- a/inc/user.class.php
-+++ b/inc/user.class.php
-@@ -4355,7 +4355,7 @@ public function updateForgottenPassword(array $input) {
- }
- $input2 = [
- 'password_forget_token' => '',
-- 'password_forget_token_date' => null,
-+ 'password_forget_token_date' => 'NULL',
- 'id' => $this->fields['id']
- ];
- $this->update($input2);
-
-From 1ae67932a3de9349fbe5f0cd4d10d9a81a811f9d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
-Date: Thu, 14 Mar 2019 17:22:48 +0100
-Subject: [PATCH 06/10] Fix ITIL image path
-
----
- inc/ticket.class.php | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/inc/ticket.class.php b/inc/ticket.class.php
-index b414f85583..c9608c84e9 100644
---- a/inc/ticket.class.php
-+++ b/inc/ticket.class.php
-@@ -7249,7 +7249,7 @@ function showTimeline($rand) {
-
- echo "<a href='".$CFG_GLPI['root_doc']."/front/document.send.php?docid=".$item_i['id']
- ."&tickets_id=".$this->getID()."' target='_blank'>$filename";
-- if (Document::isImage($filename)) {
-+ if (Document::isImage(GLPI_DOC_DIR . '/' . $item_i['filepath'])) {
- echo "<div class='timeline_img_preview'>";
- echo "<img src='".$CFG_GLPI['root_doc']."/front/document.send.php?docid=".$item_i['id']
- ."&tickets_id=".$this->getID()."&context=timeline'/>";
-
-From cc1e2b02288635a4692bef5d2a7598862eafa4d1 Mon Sep 17 00:00:00 2001
-From: Johan Cwiklinski <jcwiklinski@teclib.com>
-Date: Mon, 18 Mar 2019 19:27:04 +0100
-Subject: [PATCH 08/10] Update security-checker
-
----
- composer.json | 2 +-
- composer.lock | 21 +++++++++++----------
- 2 files changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/composer.json b/composer.json
-index d1c3ee858b..66f6b52643 100644
---- a/composer.json
-+++ b/composer.json
-@@ -43,7 +43,7 @@
- "patchwork/jsqueeze": "^2.0",
- "atoum/atoum": "^3.3",
- "atoum/telemetry-extension": "^1.0",
-- "sensiolabs/security-checker": "^4.1",
-+ "sensiolabs/security-checker": "^5.0",
- "fzaninotto/Faker": "^1.7",
- "jakub-onderka/php-parallel-lint": "^1.0"
- },
-diff --git a/composer.lock b/composer.lock
-index 467f8ce42d..4ce22d532d 100644
---- a/composer.lock
-+++ b/composer.lock
-@@ -1,10 +1,10 @@
- {
- "_readme": [
- "This file locks the dependencies of your project to a known state",
-- "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
-+ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
- "This file is @generated automatically"
- ],
-- "content-hash": "4db9a468fea5706b030e4b631a08b28a",
-+ "content-hash": "57b9b4901479f79936d11b74f56ff761",
- "packages": [
- {
- "name": "container-interop/container-interop",
-@@ -2769,20 +2769,21 @@
- },
- {
- "name": "sensiolabs/security-checker",
-- "version": "v4.1.8",
-+ "version": "v5.0.3",
- "source": {
- "type": "git",
- "url": "https://github.com/sensiolabs/security-checker.git",
-- "reference": "dc270d5fec418cc6ac983671dba5d80ffaffb142"
-+ "reference": "46be3f58adac13084497961e10eed9a7fb4d44d1"
- },
- "dist": {
- "type": "zip",
-- "url": "https://api.github.com/repos/sensiolabs/security-checker/zipball/dc270d5fec418cc6ac983671dba5d80ffaffb142",
-- "reference": "dc270d5fec418cc6ac983671dba5d80ffaffb142",
-+ "url": "https://api.github.com/repos/sensiolabs/security-checker/zipball/46be3f58adac13084497961e10eed9a7fb4d44d1",
-+ "reference": "46be3f58adac13084497961e10eed9a7fb4d44d1",
- "shasum": ""
- },
- "require": {
- "composer/ca-bundle": "^1.0",
-+ "php": ">=5.5.9",
- "symfony/console": "~2.7|~3.0|~4.0"
- },
- "bin": [
-@@ -2791,12 +2792,12 @@
- "type": "library",
- "extra": {
- "branch-alias": {
-- "dev-master": "4.1-dev"
-+ "dev-master": "5.0-dev"
- }
- },
- "autoload": {
-- "psr-0": {
-- "SensioLabs\\Security": ""
-+ "psr-4": {
-+ "SensioLabs\\Security\\": "SensioLabs/Security"
- }
- },
- "notification-url": "https://packagist.org/downloads/",
-@@ -2810,7 +2811,7 @@
- }
- ],
- "description": "A security checker for your composer.lock",
-- "time": "2018-02-28T22:10:01+00:00"
-+ "time": "2018-12-19T17:14:59+00:00"
- },
- {
- "name": "squizlabs/php_codesniffer",
-
-From 150a94fc71230ca04fc00e2f2b6c40936cb3c060 Mon Sep 17 00:00:00 2001
-From: Frederico Gendorf <fred@fldevws045>
-Date: Fri, 15 Mar 2019 11:50:29 -0300
-Subject: [PATCH 09/10] Fix user image display and upload; fixes #5604
-
----
- front/document.send.php | 2 +-
- inc/user.class.php | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/front/document.send.php b/front/document.send.php
-index d80ab14aad..87a7db6298 100644
---- a/front/document.send.php
-+++ b/front/document.send.php
-@@ -69,7 +69,7 @@
- }
-
- if ($splitter[0] == "_pictures") {
-- if (Document::isImage($_GET['file'])) {
-+ if (Document::isImage(GLPI_DOC_DIR."/".$_GET['file'])) {
- $send = true;
- }
- }
-diff --git a/inc/user.class.php b/inc/user.class.php
-index fdc9d8b0ac..67bfc71496 100644
---- a/inc/user.class.php
-+++ b/inc/user.class.php
-@@ -735,7 +735,7 @@ function prepareInputForUpdate($input) {
- $picture_path = GLPI_PICTURE_DIR . "/$sub/${filename}.$extension";
- self::dropPictureFiles($filename.".".$extension);
-
-- if (Document::isImage($input["_picture"])
-+ if (Document::isImage($fullpath)
- && Document::renameForce($fullpath, $picture_path)) {
- Session::addMessageAfterRedirect(__('The file is valid. Upload is successful.'));
- // For display
-
-From 9ef29babf8ae57986b2f3c1480a07c4608599a64 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?C=C3=A9dric=20Anne?= <cedric.anne@gmail.com>
-Date: Fri, 22 Mar 2019 11:05:24 +0100
-Subject: [PATCH 10/10] Fix escaping of optgroups in dropdowns; fixes #5646
-
----
- js/common.js | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/js/common.js b/js/common.js
-index 15cf04b200..e083b3970e 100644
---- a/js/common.js
-+++ b/js/common.js
-@@ -958,11 +958,13 @@ var templateResult = function(result) {
- var text = result.text;
- if (text.indexOf('>') !== -1 || text.indexOf('<') !== -1) {
- // escape text, if it contains chevrons (can already be escaped prior to this point :/)
-- text = jQuery.fn.select2.defaults.defaults.escapeMarkup(result.text);
-+ text = jQuery.fn.select2.defaults.defaults.escapeMarkup(text);
- };
-
- if (!result.id) {
-- return text;
-+ // If result has no id, then it is used as an optgroup and is not used for matches
-+ _elt.html(text);
-+ return _elt;
- }
-
- var _term = query.term || '';
diff --git a/glpi-security2.patch b/glpi-security2.patch
deleted file mode 100644
index 254c47a..0000000
--- a/glpi-security2.patch
+++ /dev/null
@@ -1,292 +0,0 @@
-From 9cd45a1ec1932189fc5295e0f9978b36ab5eecaa Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@remirepo.net>
-Date: Wed, 27 Mar 2019 14:55:25 +0100
-Subject: [PATCH] Fix/cookie auth (#5562) * prevent timed attack * add new
- field for storing cookie token and reverse the verification (we store the
- hash on our side and not client side)
-
-Backported from 9.4 26900a5e53a5ad347d20a947eb5f7e2b447fef9f
-
-Check cookie validity on glpi side
-
-Backported from 9.4 a3ab29c77c6fc7a45a7b0ef71c4442aee62acda6
-
-Hack for DB Schema
-
-As 9.3.3 use dbschema 9.3.2, we can switch to 9.3.3
-Migration detection use dbversion, so will be raised
-Script execution use version, which allow to keep it unchanged
-More 9.4 is aware of 9.3.3 (not of 9.4)
----
- inc/auth.class.php | 19 ++++-------
- inc/define.php | 2 +-
- inc/update.class.php | 7 +++-
- inc/user.class.php | 64 ++++++++++++++++++++++++++++++------
- install/mysql/glpi-empty.sql | 10 +++---
- install/update_932_933.php | 63 +++++++++++++++++++++++++++++++++++
- 6 files changed, 136 insertions(+), 29 deletions(-)
- create mode 100644 install/update_932_933.php
-
-diff --git a/inc/auth.class.php b/inc/auth.class.php
-index 707d7ab31..67d361653 100644
---- a/inc/auth.class.php
-+++ b/inc/auth.class.php
-@@ -500,11 +500,11 @@ class Auth extends CommonGLPI {
- if (count($data) === 2) {
- list ($cookie_id, $cookie_token) = $data;
-
-- $token = User::getToken($cookie_id, 'personal_token');
-+ $user = new User();
-+ $user->getFromDB($cookie_id);
-+ $hash = $user->getAuthToken('cookie_token');
-
-- if ($token !== false && Auth::checkPassword($token, $cookie_token)) {
-- $user = new User();
-- $user->getFromDB($cookie_id); //true if $token is not false
-+ if (Auth::checkPassword($cookie_token, $hash)) {
- $this->user->fields['name'] = $user->fields['name'];
- return true;
- } else {
-@@ -848,12 +848,7 @@ class Auth extends CommonGLPI {
- }
-
- if ($this->auth_succeded && $CFG_GLPI['login_remember_time'] > 0 && $remember_me) {
-- $token = false;
-- if (!empty($this->user->fields['personal_token'])) {
-- $token = $this->user->fields['personal_token'];
-- } else {
-- $token = User::getToken($this->user->fields['id'], 'personal_token');
-- }
-+ $token = $this->user->getAuthToken('cookie_token', true);
-
- if ($token) {
- //Cookie name (Allow multiple GLPI)
-@@ -861,11 +856,9 @@ class Auth extends CommonGLPI {
- //Cookie session path
- $cookie_path = ini_get('session.cookie_path');
-
-- $hash = Auth::getPasswordHash($token);
--
- $data = json_encode([
- $this->user->fields['id'],
-- $hash,
-+ $token,
- ]);
-
- //Send cookie to browser
-diff --git a/inc/define.php b/inc/define.php
-index 78125529e..22830bc05 100644
---- a/inc/define.php
-+++ b/inc/define.php
-@@ -41,7 +41,7 @@ if (substr(GLPI_VERSION, -4) === '-dev') {
- );
- } else {
- //for stable version
-- define("GLPI_SCHEMA_VERSION", '9.3.2');
-+ define("GLPI_SCHEMA_VERSION", '9.3.3');
- }
- define('GLPI_MIN_PHP', '5.6.0'); // Must also be changed in top of index.php
- define('GLPI_YEAR', '2018');
-diff --git a/inc/update.class.php b/inc/update.class.php
-index fec2271c0..e3da3c9f0 100644
---- a/inc/update.class.php
-+++ b/inc/update.class.php
-@@ -431,7 +431,12 @@ class Update extends CommonGLPI {
- case "9.3.1":
- include_once "{$updir}update_931_932.php";
- update931to932();
-- break;
-+
-+ case "9.3.2":
-+ case "9.3.3":
-+ // post 9.3.3
-+ include_once "{$updir}update_932_933.php";
-+ update932to933();
-
- case GLPI_VERSION:
- case GLPI_SCHEMA_VERSION:
-diff --git a/inc/user.class.php b/inc/user.class.php
-index 67bfc7149..d4139edfa 100644
---- a/inc/user.class.php
-+++ b/inc/user.class.php
-@@ -4595,26 +4595,70 @@ class User extends CommonDBTM {
- }
-
-
-- /**
-+ /**
-+ * Get token of a user. If it does not exists then generate it.
-+ *
-+ * @since 9.4
-+ *
-+ * @param string $field the field storing the token
-+ * @param boolean $force_new force generation of a new token
-+ *
-+ * @return string|false token or false in case of error
-+ */
-+ public function getAuthToken($field = 'personal_token', $force_new = false) {
-+ global $CFG_GLPI;
-+
-+ if ($this->isNewItem()) {
-+ return false;
-+ }
-+
-+ // check date validity for cookie token
-+ $outdated = false;
-+ if ($field === 'cookie_token') {
-+ $date_create = new DateTime($this->fields[$field."_date"]);
-+ $date_expir = $date_create->add(new DateInterval('PT'.$CFG_GLPI["login_remember_time"].'S'));
-+
-+ if ($date_expir < new DateTime()) {
-+ $outdated = true;
-+ }
-+ }
-+
-+ // token exists, is not oudated, and we may use it
-+ if (!empty($this->fields[$field]) && !$force_new && !$outdated) {
-+ return $this->fields[$field];
-+ }
-+
-+ // else get a new token
-+ $token = self::getUniqueToken($field);
-+
-+ // for cookie token, we need to store it hashed
-+ $hash = $token;
-+ if ($field === 'cookie_token') {
-+ $hash = Auth::getPasswordHash($token);
-+ }
-+
-+ // save this token in db
-+ $this->update(['id' => $this->getID(),
-+ $field => $hash,
-+ $field . "_date" => $_SESSION['glpi_currenttime']]);
-+
-+ return $token;
-+ }
-+
-+/**
- * Get token of a user. If not exists generate it.
- *
- * @param integer $ID User ID
- * @param string $field Field storing the token
-+ * @param boolean $force_new force generation of a new token
- *
- * @return string|boolean User token, false if user does not exist
- */
-- static function getToken($ID, $field = 'personal_token') {
-+ static function getToken($ID, $field = 'personal_token', $force_new = false) {
-
- $user = new self();
- if ($user->getFromDB($ID)) {
-- if (!empty($user->fields[$field])) {
-- return $user->fields[$field];
-- }
-- $token = self::getUniqueToken($field);
-- $user->update(['id' => $user->getID(),
-- $field => $token,
-- $field . "_date" => $_SESSION['glpi_currenttime']]);
-- return $user->fields[$field];
-+ return $user->getAuthToken($field, $force_new);
- }
-
- return false;
-diff --git a/install/mysql/glpi-empty.sql b/install/mysql/glpi-empty.sql
-index abfe14600..14d6976c9 100644
---- a/install/mysql/glpi-empty.sql
-+++ b/install/mysql/glpi-empty.sql
-@@ -8850,6 +8850,8 @@ CREATE TABLE `glpi_users` (
- `personal_token_date` datetime DEFAULT NULL,
- `api_token` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
- `api_token_date` datetime DEFAULT NULL,
-+ `cookie_token` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
-+ `cookie_token_date` datetime DEFAULT NULL,
- `display_count_on_home` int(11) DEFAULT NULL,
- `notification_to_myself` tinyint(1) DEFAULT NULL,
- `duedateok_color` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
-@@ -8900,10 +8902,10 @@ CREATE TABLE `glpi_users` (
- KEY `sync_field` (`sync_field`)
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
-
--INSERT INTO `glpi_users` VALUES ('2','glpi','$2y$10$rXXzbc2ShaiCldwkw4AZL.n.9QSH7c0c9XJAyyjrbL9BwmWditAYm','','','','',NULL,'0',NULL,'0','20','1',NULL,'0','1','2014-06-18 08:02:24','2014-06-18 08:02:24',NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
--INSERT INTO `glpi_users` VALUES ('3','post-only','$2y$10$dTMar1F3ef5X/H1IjX9gYOjQWBR1K4bERGf4/oTPxFtJE/c3vXILm','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
--INSERT INTO `glpi_users` VALUES ('4','tech','$2y$10$.xEgErizkp6Az0z.DHyoeOoenuh0RcsX4JapBk2JMD6VI17KtB1lO','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
--INSERT INTO `glpi_users` VALUES ('5','normal','$2y$10$Z6doq4zVHkSPZFbPeXTCluN1Q/r0ryZ3ZsSJncJqkN3.8cRiN0NV.','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
-+INSERT INTO `glpi_users` VALUES ('2','glpi','$2y$10$rXXzbc2ShaiCldwkw4AZL.n.9QSH7c0c9XJAyyjrbL9BwmWditAYm','','','','',NULL,'0',NULL,'0','20','1',NULL,'0','1','2014-06-18 08:02:24','2014-06-18 08:02:24',NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
-+INSERT INTO `glpi_users` VALUES ('3','post-only','$2y$10$dTMar1F3ef5X/H1IjX9gYOjQWBR1K4bERGf4/oTPxFtJE/c3vXILm','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
-+INSERT INTO `glpi_users` VALUES ('4','tech','$2y$10$.xEgErizkp6Az0z.DHyoeOoenuh0RcsX4JapBk2JMD6VI17KtB1lO','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
-+INSERT INTO `glpi_users` VALUES ('5','normal','$2y$10$Z6doq4zVHkSPZFbPeXTCluN1Q/r0ryZ3ZsSJncJqkN3.8cRiN0NV.','','','','',NULL,'0','en_GB','0','20','1',NULL,'0','1',NULL,NULL,NULL,'0','0','0','0','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,'',NULL);
-
- ### Dump table glpi_usertitles
-
-diff --git a/install/update_932_933.php b/install/update_932_933.php
-new file mode 100644
-index 000000000..240c5cb00
---- /dev/null
-+++ b/install/update_932_933.php
-@@ -0,0 +1,63 @@
-+<?php
-+/**
-+ * ---------------------------------------------------------------------
-+ * GLPI - Gestionnaire Libre de Parc Informatique
-+ * Copyright (C) 2015-2017 Teclib' and contributors.
-+ *
-+ * http://glpi-project.org
-+ *
-+ * based on GLPI - Gestionnaire Libre de Parc Informatique
-+ * Copyright (C) 2003-2014 by the INDEPNET Development Team.
-+ *
-+ * ---------------------------------------------------------------------
-+ *
-+ * LICENSE
-+ *
-+ * This file is part of GLPI.
-+ *
-+ * GLPI is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GLPI is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with GLPI. If not, see <http://www.gnu.org/licenses/>.
-+ * ---------------------------------------------------------------------
-+ */
-+
-+/** @file
-+* @brief
-+*/
-+
-+/**
-+ * Update from 9.3.2 to 9.3.3 (DB schema version, introduced post 9.3.3)
-+ *
-+ * @return bool for success (will die for most error)
-+**/
-+function update932to933() {
-+ global $DB, $migration, $CFG_GLPI;
-+
-+ $current_config = Config::getConfigurationValues('core');
-+ $updateresult = true;
-+ $ADDTODISPLAYPREF = [];
-+
-+ //TRANS: %s is the number of new version
-+ $migration->displayTitle(sprintf(__('Update to %s'), '9.3.3'));
-+ $migration->setVersion('9.3.3');
-+
-+ // Create a dedicated token for rememberme process
-+ if (!$DB->fieldExists('glpi_users', 'cookie_token')) {
-+ $migration->addField('glpi_users', 'cookie_token', 'string', ['after' => 'api_token_date']);
-+ $migration->addField('glpi_users', 'cookie_token_date', 'datetime', ['after' => 'cookie_token']);
-+ }
-+
-+ // ************ Keep it at the end **************
-+ $migration->executeMigration();
-+
-+ return $updateresult;
-+}
---
-2.20.1
-
diff --git a/glpi.spec b/glpi.spec
index e3e3dfc..22aee17 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -7,7 +7,7 @@
# Please, preserve the changelog entries
#
-%global gh_commit 0cbfde346c5afd6b749a2dd893fd4c0fa3c49c74
+%global gh_commit 78c2f67b14007156ca9561d4ce0cc7d21089af27
%global gh_short %(c=%{gh_commit}; echo ${c:0:7})
#global gh_date 20160923
%global gh_owner glpi-project
@@ -52,11 +52,10 @@
%endif
Name: %{gh_project}
-%global upstream_version 9.3.3
+%global upstream_version 9.3.4
#global upstream_prever RC2
-# use 9.3.0~RC2 < 9.3 (for plugin compatibility check)
Version: %{upstream_version}%{?upstream_prever:~%{upstream_prever}}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Free IT asset management software
Summary(fr): Gestion Libre de Parc Informatique
@@ -76,12 +75,6 @@ Source6: %{name}-minify.php
# Override PHP configuration for php-fpm
Source7: %{name}-user.ini
-# Security patches backported from 9.4
-# https://github.com/glpi-project/glpi/pull/5606 merged
-Patch1: glpi-security1.patch
-# Backports
-Patch2: glpi-security2.patch
-
BuildArch: noarch
BuildRequires: gettext
BuildRequires: php-cli
@@ -315,9 +308,6 @@ techniciens grâce à une maintenance plus cohérente.
%prep
%setup -q -n %{name}-%{gh_commit}
-%patch1 -p1 -b .secfix
-%patch2 -p1 -b .secfix
-find . -name \*.secfix -delete -print
grep %{upstream_version} inc/define.php
@@ -606,6 +596,9 @@ fi
%changelog
+* Thu Apr 11 2019 Remi Collet <remi@remirepo.net> - 9.3.4-1
+- update to 9.3.4
+
* Wed Mar 27 2019 Remi Collet <remi@remirepo.net> - 9.3.3-2
- add security fix backported from 9.4.1:
[security] Bad chevrons rendering on dropdowns