glpi-0.84-CVE-2014-9258.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

Index: branches/0.84-bugfixes/inc/dropdown.class.php
===================================================================
--- branches/0.84-bugfixes/inc/dropdown.class.php	(révision 23260)
+++ branches/0.84-bugfixes/inc/dropdown.class.php	(révision 23261)
@@ -177,6 +177,11 @@
          }
       }
 
+      // Manage condition
+      if (!empty($params['condition'])) {
+        $params['condition'] = static::addNewCondition($params['condition']);
+      }
+      
       $param = array('searchText'           => '__VALUE__',
                       'value'               => $params['value'],
                       'itemtype'            => $itemtype,
@@ -259,6 +264,11 @@
       }
    }
 
+    static function addNewCondition($condition) {
+        $sha1=sha1($condition);
+        $_SESSION['glpicondition'][$sha1] = $condition;
+        return $sha1;
+    }   
 
    /**
     * Get the value of a dropdown
@@ -1095,7 +1105,7 @@
                           'entity_restrict' => $entity_restrict);
 
          if ($onlyglobal) {
-            $params['condition'] = "`is_global` = '1'";
+            $params['condition'] = static::addNewCondition("`is_global` = '1'");
          }
          Ajax::updateItemOnSelectEvent("itemtype$rand", "show_$myname$rand",
                                        $CFG_GLPI["root_doc"]."/ajax/dropdownAllItems.php", $params);
Index: branches/0.84-bugfixes/ajax/dropdownValue.php
===================================================================
--- branches/0.84-bugfixes/ajax/dropdownValue.php	(révision 23260)
+++ branches/0.84-bugfixes/ajax/dropdownValue.php	(révision 23261)
@@ -72,13 +72,17 @@
    $_POST['permit_select_parent'] = false;
 }
 
-// No define rand
-if (!isset($_POST['rand'])) {
+    // No define rand
+    if (!isset($_POST['rand'])) {
    $_POST['rand'] = mt_rand();
 }
 
 if (isset($_POST['condition']) && !empty($_POST['condition'])) {
-   $_POST['condition'] = rawurldecode(stripslashes($_POST['condition']));
+    if (isset($_SESSION['glpicondition'][$_POST['condition']])) {
+        $_POST['condition'] = $_SESSION['glpicondition'][$_POST['condition']];
+    } else {
+        $_POST['condition'] = '';
+    }
 }
 
 if (!isset($_POST['emptylabel']) || ($_POST['emptylabel'] == '')) {