From: Moritz Bunkus Date: Fri, 21 Sep 2007 10:43:31 +0000 (+0000) Subject: Quoten von allen in regulären Ausdrücken verwendeten Variablen, die direkt oder indir... X-Git-Tag: release-2.6.0beta1~488 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=5cf977e52788c523150fa19225b90914e6ddc909;p=kivitendo-erp.git Quoten von allen in regulären Ausdrücken verwendeten Variablen, die direkt oder indirekt von Benutzereingaben stammen können. Fix für Bug 302. --- diff --git a/SL/Form.pm b/SL/Form.pm index 196d828cd..2d6ba266a 100644 --- a/SL/Form.pm +++ b/SL/Form.pm @@ -2231,7 +2231,7 @@ sub create_links { while ($ref = $sth->fetchrow_hashref(NAME_lc)) { foreach my $key (split(/:/, $ref->{link})) { - if ($key =~ /$module/) { + if ($key =~ /\Q$module\E/) { # cross reference for keys $xkeyref{ $ref->{accno} } = $key; @@ -2300,7 +2300,7 @@ sub create_links { while ($ref = $sth->fetchrow_hashref(NAME_lc)) { foreach my $key (split(/:/, $ref->{link})) { - if ($key =~ /$module/) { + if ($key =~ /\Q$module\E/) { # cross reference for keys $xkeyref{ $ref->{accno} } = $key; @@ -2532,8 +2532,8 @@ sub update_status { } $sth->finish(); - my $printed = ($self->{printed} =~ /$self->{formname}/) ? "1" : "0"; - my $emailed = ($self->{emailed} =~ /$self->{formname}/) ? "1" : "0"; + my $printed = ($self->{printed} =~ /\Q$self->{formname}\E/) ? "1" : "0"; + my $emailed = ($self->{emailed} =~ /\Q$self->{formname}\E/) ? "1" : "0"; my %queued = split / /, $self->{queued}; my @values; 
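Review bot: In the update_status hunk (`@@ -2532`) the `\Q…\E` quoting stops metacharacters in `$self->{formname}` from being interpreted, but the test is still an unanchored substring match against the space-separated `$self->{printed}` / `$self->{emailed}` lists, and an empty `$self->{formname}` turns the pattern into the empty pattern, which Perl replaces with the last successfully matched regex, so the result is unrelated to the form name. If those lists hold whole form names, a membership test is exact and independent of the value's content: `my $printed = (grep { $_ eq $self->{formname} } split / /, $self->{printed}) ? "1" : "0";` and the same for `$emailed`. The two create_links hunks above (`/\Q$module\E/`) appear to be intentional partial matches and are not affected by this remark. update_status continues outside the hunk.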
@@ -2588,15 +2588,15 @@ sub save_status { my %queued = split / /, $self->{queued}; foreach my $formname (keys %queued) { - $printed = ($self->{printed} =~ /$self->{formname}/) ? "1" : "0"; - $emailed = ($self->{emailed} =~ /$self->{formname}/) ? "1" : "0"; + $printed = ($self->{printed} =~ /\Q$self->{formname}\E/) ? "1" : "0"; + $emailed = ($self->{emailed} =~ /\Q$self->{formname}\E/) ? "1" : "0"; $query = qq|INSERT INTO status (trans_id, printed, emailed, spoolfile, formname) VALUES (?, ?, ?, ?, ?)|; do_query($self, $dbh, $query, $self->{id}, $printed, $emailed, $queued{$formname}, $formname); - $formnames =~ s/$self->{formname}//; - $emailforms =~ s/$self->{formname}//; + $formnames =~ s/\Q$self->{formname}\E//; + $emailforms =~ s/\Q$self->{formname}\E//; } } @@ -2610,8 +2610,8 @@ sub save_status { map { $status{$_}{emailed} = 1 } split / +/, $emailforms; foreach my $formname (keys %status) { - $printed = ($formnames =~ /$self->{formname}/) ? "1" : "0"; - $emailed = ($emailforms =~ /$self->{formname}/) ? "1" : "0"; + $printed = ($formnames =~ /\Q$self->{formname}\E/) ? "1" : "0"; + $emailed = ($emailforms =~ /\Q$self->{formname}\E/) ? "1" : "0"; $query = qq|INSERT INTO status (trans_id, printed, emailed, formname) VALUES (?, ?, ?, ?)|; diff --git a/SL/IC.pm b/SL/IC.pm index 38a30e008..bc82b0c55 100644 --- a/SL/IC.pm +++ b/SL/IC.pm @@ -577,7 +577,7 @@ sub save { $form->{taxaccount} = ""; while ($ptr = $stw->fetchrow_hashref(NAME_lc)) { $form->{taxaccount} .= "$ptr->{accno} "; - if (!($form->{taxaccount2} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccount2} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{description}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; 
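Review bot: In both save_status hunks (`@@ -2588` and `@@ -2610`) the quoted pattern tests `$self->{formname}`, while the enclosing `foreach my $formname (keys %queued)` / `foreach my $formname (keys %status)` loops insert one status row per `$formname`; the loop variable is never used in the tests, so every row receives the printed/emailed flags of the single current form rather than its own. If per-form flags are intended, the tests should read `$printed = ($self->{printed} =~ /\Q$formname\E/) ? "1" : "0";` (likewise `$emailed`, and the two `s/\Q$self->{formname}\E//` lines should strip `$formname`). In the second loop `%status` is already populated per form (`$status{$_}{emailed} = 1`), so `$status{$formname}{printed}` / `{emailed}` could replace the regex tests entirely. The unanchored substring semantics noted for update_status apply here as well. save_status starts and ends outside the hunks.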
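Review bot: In the IC.pm save hunk (`@@ -577`) `/\Q$ptr->{accno}\E/` remains an unanchored substring test against the space-separated `$form->{taxaccount2}`, so if one account number is a prefix of another (e.g. `1200` and `12000`, constructed example) the shorter one is reported as already present and its `_rate` / `_description` / `_taxnumber` entries are skipped; an empty accno produces the empty pattern, which reuses the last successful match. The same construct recurs in IR.pm `retrieve_invoice` / `retrieve_item`, IS.pm `post_invoice` (`expense_inventory`), `retrieve_invoice` / `retrieve_item` and OE.pm `retrieve` below. A membership test on the split list avoids both problems: `if (!grep { $_ eq $ptr->{accno} } split / /, $form->{taxaccount2}) {`. save continues outside the hunk.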
@@ -1562,7 +1562,7 @@ sub create_links { my $sth = prepare_execute_query($form, $dbh, $query, @values); while (my $ref = $sth->fetchrow_hashref(NAME_lc)) { foreach my $key (split(/:/, $ref->{link})) { - if ($key =~ /$module/) { + if ($key =~ /\Q$module\E/) { if ( ($ref->{id} eq $ref->{inventory_accno_id}) || ($ref->{id} eq $ref->{income_accno_id}) || ($ref->{id} eq $ref->{expense_accno_id})) { diff --git a/SL/IR.pm b/SL/IR.pm index 656140491..f220a1674 100644 --- a/SL/IR.pm +++ b/SL/IR.pm @@ -532,7 +532,7 @@ sub post_invoice { # add shipto $form->{name} = $form->{vendor}; - $form->{name} =~ s/--$form->{vendor_id}//; + $form->{name} =~ s/--\Q$form->{vendor_id}\E//; $form->add_shipto($dbh, $form->{id}, "AP"); # delete zero entries @@ -786,7 +786,7 @@ sub retrieve_invoice { $ref->{taxaccounts} .= "$ptr->{accno} "; - if (!($form->{taxaccounts} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccounts} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{taxdescription}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; @@ -1033,7 +1033,7 @@ sub retrieve_item { $ref->{taxaccounts} .= "$ptr->{accno} "; - if (!($form->{taxaccounts} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccounts} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{taxdescription}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; diff --git a/SL/IS.pm b/SL/IS.pm index 866f3f58e..76825169c 100644 --- a/SL/IS.pm +++ b/SL/IS.pm @@ -780,7 +780,7 @@ sub post_invoice { foreach my $trans_id (keys %{ $form->{amount} }) { foreach my $accno (keys %{ $form->{amount}{$trans_id} }) { - next unless ($form->{expense_inventory} =~ /$accno/); + next unless ($form->{expense_inventory} =~ /\Q$accno\E/); $form->{amount}{$trans_id}{$accno} = $form->round_amount($form->{amount}{$trans_id}{$accno}, 2); 
@@ -979,7 +979,7 @@ sub post_invoice { # add shipto $form->{name} = $form->{customer}; - $form->{name} =~ s/--$form->{customer_id}//; + $form->{name} =~ s/--\Q$form->{customer_id}\E//; if (!$form->{shipto_id}) { $form->add_shipto($dbh, $form->{id}, "AR"); @@ -1458,7 +1458,7 @@ sub retrieve_invoice { } $ref->{taxaccounts} .= "$ptr->{accno} "; - if (!($form->{taxaccounts} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccounts} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{taxdescription}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; @@ -1801,7 +1801,7 @@ sub retrieve_item { } $ref->{taxaccounts} .= "$ptr->{accno} "; - if (!($form->{taxaccounts} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccounts} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{taxdescription}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; diff --git a/SL/Mailer.pm b/SL/Mailer.pm index 7b011d4b0..5123babb9 100644 --- a/SL/Mailer.pm +++ b/SL/Mailer.pm @@ -152,7 +152,7 @@ $self->{message} } else { $filename = $attachment; # strip path - $filename =~ s/(.*\/|$self->{fileid})//g; + $filename =~ s/(.*\/|\Q$self->{fileid}\E)//g; } my $application = diff --git a/SL/OE.pm b/SL/OE.pm index b0fa27294..f66261550 100644 --- a/SL/OE.pm +++ b/SL/OE.pm @@ -444,7 +444,7 @@ sub save { # add shipto $form->{name} = $form->{ $form->{vc} }; - $form->{name} =~ s/--$form->{"$form->{vc}_id"}//; + $form->{name} =~ s/--\Q$form->{"$form->{vc}_id"}\E//; if (!$form->{shipto_id}) { $form->add_shipto($dbh, $form->{id}, "OE"); 
@@ -824,7 +824,7 @@ sub retrieve { $ptr->{accno} = $i; } $ref->{taxaccounts} .= "$ptr->{accno} "; - if (!($form->{taxaccounts} =~ /$ptr->{accno}/)) { + if (!($form->{taxaccounts} =~ /\Q$ptr->{accno}\E/)) { $form->{"$ptr->{accno}_rate"} = $ptr->{rate}; $form->{"$ptr->{accno}_description"} = $ptr->{taxdescription}; $form->{"$ptr->{accno}_taxnumber"} = $ptr->{taxnumber}; diff --git a/SL/ReportGenerator.pm b/SL/ReportGenerator.pm index 746945108..b02ab35ef 100644 --- a/SL/ReportGenerator.pm +++ b/SL/ReportGenerator.pm @@ -231,7 +231,7 @@ sub get_visible_columns { my $self = shift; my $format = shift; - return grep { my $c = $self->{columns}->{$_}; $c && $c->{visible} && (($c->{visible} == 1) || ($c->{visible} =~ /${format}/i)) } @{ $self->{column_order} }; + return grep { my $c = $self->{columns}->{$_}; $c && $c->{visible} && (($c->{visible} == 1) || ($c->{visible} =~ /\Q${format}\E/i)) } @{ $self->{column_order} }; } sub html_format { diff --git a/SL/Template.pm b/SL/Template.pm index f6afe692a..297c025fb 100644 --- a/SL/Template.pm +++ b/SL/Template.pm @@ -503,7 +503,7 @@ sub convert_to_postscript { return 0; } - $form->{tmpfile} =~ s/$userspath\///g; + $form->{tmpfile} =~ s/\Q$userspath\E\///g; for (my $run = 1; $run <= 2; $run++) { system("latex --interaction=nonstopmode $form->{tmpfile} " . @@ -542,7 +542,7 @@ sub convert_to_pdf { return 0; } - $form->{tmpfile} =~ s/$userspath\///g; + $form->{tmpfile} =~ s/\Q$userspath\E\///g; for (my $run = 1; $run <= 2; $run++) { system("pdflatex --interaction=nonstopmode $form->{tmpfile} " . @@ -650,7 +650,7 @@ sub convert_to_postscript { return 0; } - $form->{"tmpfile"} =~ s/$userspath\///g; + $form->{"tmpfile"} =~ s/\Q$userspath\E\///g; my $psfile = $form->{"tmpfile"}; $psfile =~ s/.html/.ps/; if ($psfile eq $form->{"tmpfile"}) { 
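Review bot: In the convert_to_postscript hunk (`@@ -503`) the quoting protects the regex, but the stripped `$form->{tmpfile}` is then interpolated into a single-string `system("latex --interaction=nonstopmode $form->{tmpfile} " . …)`, which is parsed by the shell; the `pdflatex` call in `@@ -542` has the same shape. Passing the arguments as a list, `system('latex', '--interaction=nonstopmode', $form->{tmpfile}, …)`, keeps shell metacharacters in the file name inert no matter where the value came from. The rest of the command string is concatenated outside the hunk, so check what it appends (redirections cannot be expressed in list form) before switching. Separately, `$psfile =~ s/.html/.ps/;` in `@@ -650` has an unescaped `.` and no anchor; `s/\.html\z/.ps/` is the intended rewrite. All of these subs start and end outside the hunks.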
@@ -683,7 +683,7 @@ sub convert_to_pdf { return 0; } - $form->{"tmpfile"} =~ s/$userspath\///g; + $form->{"tmpfile"} =~ s/\Q$userspath\E\///g; my $pdffile = $form->{"tmpfile"}; $pdffile =~ s/.html/.pdf/; if ($pdffile eq $form->{"tmpfile"}) { diff --git a/SL/User.pm b/SL/User.pm index 830544b8c..8e60b8d0b 100644 --- a/SL/User.pm +++ b/SL/User.pm @@ -830,7 +830,7 @@ sub dbupdate { foreach my $upgradescript (@upgradescripts) { my $a = $upgradescript; - $a =~ s/^$form->{dbdriver}-upgrade-|\.(sql|pl)$//g; + $a =~ s/^\Q$form->{dbdriver}\E-upgrade-|\.(sql|pl)$//g; my $file_type = $1; my ($mindb, $maxdb) = split /-/, $a; @@ -1036,7 +1036,7 @@ sub save_member { truncate(CONF, 0); while ($line = shift @config) { - if ($line =~ /^\[$self->{login}\]/) { + if ($line =~ /^\[\Q$self->{login}\E\]/) { $newmember = 0; last; } diff --git a/bin/mozilla/admin.pl b/bin/mozilla/admin.pl index 3fba37cc8..a24272b8b 100644 --- a/bin/mozilla/admin.pl +++ b/bin/mozilla/admin.pl @@ -438,7 +438,7 @@ sub save { open(TEMP, "$templates/$file") or $form->error("$templates/$file : $ERRNO"); - $file =~ s/$form->{mastertemplates}-//; + $file =~ s/\Q$form->{mastertemplates}\E-//; open(NEW, ">$form->{templates}/$file") or $form->error("$form->{templates}/$file : $ERRNO"); diff --git a/bin/mozilla/am.pl b/bin/mozilla/am.pl index 76cc217a6..d11f16113 100644 --- a/bin/mozilla/am.pl +++ b/bin/mozilla/am.pl 
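Review bot: In the dbupdate hunk (`@@ -830`) the stripped script name is kept in `my $a`, which lexically shadows the package variable that `sort` blocks rely on and should be renamed (e.g. `my $name`). `my $file_type = $1;` after a `/g` substitution with two alternatives only holds the extension when the `\.(sql|pl)$` branch was the last match; for a script without that extension `$1` is undefined or stale. Capturing the extension in its own statement before stripping it, `my ($file_type) = $upgradescript =~ /\.(sql|pl)$/;`, makes the value explicit. dbupdate continues outside the hunk.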
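Review bot: The admin.pl save hunk (`@@ -438`) quotes `$form->{mastertemplates}` in the regex, yet the surrounding `open(TEMP, "$templates/$file")` and `open(NEW, ">$form->{templates}/$file")` remain two-argument opens on bareword handles, where the path string itself selects the mode (a value containing `|` or a leading `<` / `>` changes what `open` does). The three-argument form with lexical handles fixes the mode independently of the value: `open(my $in, '<', "$templates/$file") or $form->error("$templates/$file : $ERRNO");` and `open(my $out, '>', "$form->{templates}/$file") or …`. Where `$file` originates is not visible in the hunk; if it can come from request data, a check that it contains no directory separators belongs next to these opens. save continues outside the hunk.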
@@ -1688,11 +1688,11 @@ sub buchungsgruppe_header { if ($form->{id}) { $form->{selectIC} =~ s/selected//g; - $form->{selectIC} =~ s/ value=$form->{inventory_accno_id}/ value=$form->{inventory_accno_id} selected/; + $form->{selectIC} =~ s/ value=\Q$form->{inventory_accno_id}\E/ value=$form->{inventory_accno_id} selected/; $form->{selectIC_income} =~ s/selected//g; - $form->{selectIC_income} =~ s/ value=$form->{income_accno_id_0}/ value=$form->{income_accno_id_0} selected/; + $form->{selectIC_income} =~ s/ value=\Q$form->{income_accno_id_0}\E/ value=$form->{income_accno_id_0} selected/; $form->{selectIC_expense} =~ s/selected//g; - $form->{selectIC_expense} =~ s/ value=$form->{expense_accno_id_0}/ value=$form->{expense_accno_id_0} selected/; + $form->{selectIC_expense} =~ s/ value=\Q$form->{expense_accno_id_0}\E/ value=$form->{expense_accno_id_0} selected/; } if (!$eur) { @@ -1719,9 +1719,9 @@ sub buchungsgruppe_header { |; if ($form->{id}) { $form->{selectIC_income} =~ s/selected//g; - $form->{selectIC_income} =~ s/ value=$form->{income_accno_id_1}/ value=$form->{income_accno_id_1} selected/; + $form->{selectIC_income} =~ s/ value=\Q$form->{income_accno_id_1}\E/ value=$form->{income_accno_id_1} selected/; $form->{selectIC_expense} =~ s/selected//g; - $form->{selectIC_expense} =~ s/ value=$form->{expense_accno_id_1}/ value=$form->{expense_accno_id_1} selected/; + $form->{selectIC_expense} =~ s/ value=\Q$form->{expense_accno_id_1}\E/ value=$form->{expense_accno_id_1} selected/; } $linkaccounts .= qq| | . $locale->text('Revenues EU with UStId') . qq| 
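Review bot: In the buchungsgruppe_header hunk (`@@ -1688`) the quoted `s/ value=\Q$form->{inventory_accno_id}\E/ value=… selected/` is still a prefix match: with an unquoted `value=` attribute, id `12` also matches the option whose id is `123` and marks the wrong entry selected (constructed example; it depends on how `$form->{selectIC}` is rendered, which is outside the hunk). A lookahead for the end of the attribute, `s/ value=\Q$form->{inventory_accno_id}\E(?=[\s>])/ value=$form->{inventory_accno_id} selected/`, restricts the match to the exact id. The same applies to the `selectIC_income` / `selectIC_expense` lines in this hunk and in `@@ -1719`, `@@ -1734` and `@@ -1750` below. buchungsgruppe_header continues outside the hunks.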
@@ -1734,9 +1734,9 @@ sub buchungsgruppe_header { if ($form->{id}) { $form->{selectIC_income} =~ s/selected//g; - $form->{selectIC_income} =~ s/ value=$form->{income_accno_id_2}/ value=$form->{income_accno_id_2} selected/; + $form->{selectIC_income} =~ s/ value=\Q$form->{income_accno_id_2}\E/ value=$form->{income_accno_id_2} selected/; $form->{selectIC_expense} =~ s/selected//g; - $form->{selectIC_expense} =~ s/ value=$form->{expense_accno_id_2}/ value=$form->{expense_accno_id_2} selected/; + $form->{selectIC_expense} =~ s/ value=\Q$form->{expense_accno_id_2}\E/ value=$form->{expense_accno_id_2} selected/; } $linkaccounts .= qq| @@ -1750,9 +1750,9 @@ sub buchungsgruppe_header { if ($form->{id}) { $form->{selectIC_income} =~ s/selected//g; - $form->{selectIC_income} =~ s/ value=$form->{income_accno_id_3}/ value=$form->{income_accno_id_3} selected/; + $form->{selectIC_income} =~ s/ value=\Q$form->{income_accno_id_3}\E/ value=$form->{income_accno_id_3} selected/; $form->{selectIC_expense} =~ s/selected//g; - $form->{selectIC_expense} =~ s/ value=$form->{expense_accno_id_3}/ value=$form->{expense_accno_id_3} selected/; + $form->{selectIC_expense} =~ s/ value=\Q$form->{expense_accno_id_3}\E/ value=$form->{expense_accno_id_3} selected/; } $linkaccounts .= qq| diff --git a/bin/mozilla/common.pl b/bin/mozilla/common.pl index d006c5436..473acfffc 100644 --- a/bin/mozilla/common.pl +++ b/bin/mozilla/common.pl 
@@ -578,8 +578,11 @@ sub mark_as_paid_common { $form->redirect($locale->text("Marked as paid")); } else { - my $referer = $ENV{HTTP_REFERER}; - $referer =~ s/^(.*)action\=.*\&(.*)$/$1action\=mark_as_paid\&mark_as_paid\=1\&login\=$form->{login}\&password\=$form->{password}\&id\=$form->{id}\&$2/; + my $referer = $ENV{HTTP_REFERER}; + my $login = $form->escape($form->{login}); + my $password = $form->escape($form->{password}); + my $id = $form->escape($form->{id}); + $referer =~ s/^(.*)action\=.*\&(.*)$/$1action\=mark_as_paid\&mark_as_paid\=1\&login\=$login\&password\=$password\&id\=$id\&$2/; $form->header(); print qq||; print qq|

|.$locale->text('Mark as paid?').qq|

|; diff --git a/bin/mozilla/ic.pl b/bin/mozilla/ic.pl index 28d41f3b3..b5e4db70d 100644 --- a/bin/mozilla/ic.pl +++ b/bin/mozilla/ic.pl @@ -1910,7 +1910,7 @@ sub link_part { # if this is a tax field if ($key =~ /IC_tax/) { - if ($key =~ /$item/) { + if ($key =~ /\Q$item\E/) { $form->{taxaccounts} .= "$ref->{accno} "; $form->{"IC_tax_$ref->{accno}_description"} = "$ref->{accno}--$ref->{description}"; diff --git a/bin/mozilla/io.pl b/bin/mozilla/io.pl index cb8376486..d85e618f7 100644 --- a/bin/mozilla/io.pl +++ b/bin/mozilla/io.pl @@ -1869,7 +1869,7 @@ sub print_form { %queued = map { s|.*/|| } split / /, $form->{queued}; if ($filename = $queued{ $form->{formname} }) { - $form->{queued} =~ s/$form->{formname} $filename//; + $form->{queued} =~ s/\Q$form->{formname} $filename\E//; unlink "$spool/$filename"; $filename =~ s/\..*$//g; } else { diff --git a/bin/mozilla/menu.pl b/bin/mozilla/menu.pl index fe2c731da..121f8b4a4 100644 --- a/bin/mozilla/menu.pl +++ b/bin/mozilla/menu.pl @@ -70,7 +70,7 @@ sub display { sub acc_menu { $lxdebug->enter_sub(); $mainlevel = $form->{level}; - $mainlevel =~ s/$mainlevel--//g; + $mainlevel =~ s/\Q$mainlevel\E--//g; my $menu = new Menu "$menufile"; $form->{title} = $locale->text('Accounting Menu'); @@ -106,7 +106,7 @@ sub section_menu { $item = shift @menuorder; $label = $item; $ml = $item; - $label =~ s/$level--//g; + $label =~ s/\Q$level\E--//g; $ml =~ s/--.*//; if ($ml eq $mainlevel) { $zeige = 1; } else { $zeige = 0; } @@ -138,7 +138,7 @@ sub section_menu { if ($menu->{$item}{submenu}) { $menu->{$item}{$item} = !$form->{$item}; - if ($form->{level} && $item =~ /^$form->{level}/) { + if ($form->{level} && $item =~ /^\Q$form->{level}\E/) { # expand menu if ($zeige) { diff --git a/bin/mozilla/menunew.pl b/bin/mozilla/menunew.pl index be6522181..e91d8a320 100644 --- a/bin/mozilla/menunew.pl +++ b/bin/mozilla/menunew.pl 
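Review bot: In the mark_as_paid_common hunk (`@@ -578`) the `$form->escape` calls fix the URL encoding, but the rewritten referer still carries `password=$password` (and the login) in a GET query string, so the credential lands in web-server, proxy and browser-history logs and in the Referer header of the next page. If the session already identifies the user, the login/password pair can be dropped from the URL; otherwise the confirmation should be a POST form carrying only the id as a hidden field. `$ENV{HTTP_REFERER}` is client-supplied; the `print qq|…|` statements that follow are stripped from this view, so if they embed `$referer` in the page it must be HTML-escaped there. Note also that when the referer contains no `action=` the `s///` does not fire and `$referer` is used unchanged. mark_as_paid_common continues outside the hunk.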
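Review bot: In the print_form hunk (`@@ -1869`) the quoted `s/\Q$form->{formname} $filename\E//` depends on `$filename = $queued{ $form->{formname} }`, but as shown `%queued = map { s|.*/|| } split / /, $form->{queued};` collects the return value of the substitution (a count or the empty string) rather than the stripped element, so the hash cannot map form names to file names and this branch would never be taken. If the line is really as shown, `map { s|.*/||; $_ } split / /, $form->{queued}` (or `s|.*/||r` on Perl 5.14+) yields the intended pairs. `$form->{queued}` is form input and `$filename` feeds `unlink "$spool/$filename"`, so the `s|.*/||` that removes directory components is the protection that matters and must be kept in any rewrite. print_form continues outside the hunk.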
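Review bot: In the acc_menu hunk (`@@ -70`) `$mainlevel =~ s/\Q$mainlevel\E--//g;` looks for the variable's own full value followed by `--` inside that same value, which can never match (the pattern is longer than the string), so the statement is a no-op; the identical line appears in menunew.pl (`@@ -124`) and menuv3.pl (`@@ -75`). section_menu later compares `$ml eq $mainlevel` after `$ml =~ s/--.*//;`, which suggests the intent is to reduce `$form->{level}` to its top-level component, i.e. `$mainlevel =~ s/--.*//;` — verify against how `level` is populated. `my $menu = new Menu "$menufile";` uses indirect-object syntax and reads more safely as `Menu->new($menufile)`. acc_menu continues outside the hunk.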
@@ -124,7 +124,7 @@ window.onload=clockon sub acc_menu { $mainlevel = $form->{level}; - $mainlevel =~ s/$mainlevel--//g; + $mainlevel =~ s/\Q$mainlevel\E--//g; my $menu = new Menu "$menufile"; $| = 1; @@ -370,7 +370,7 @@ sub section_menu { $item = shift @menuorder; $label = $item; $ml = $item; - $label =~ s/$level--//g; + $label =~ s/\Q$level\E--//g; $ml =~ s/--.*//; $label = $locale->text($label); $label =~ s/ / /g; diff --git a/bin/mozilla/menuv3.pl b/bin/mozilla/menuv3.pl index 86cf6bb59..c2fef5df4 100644 --- a/bin/mozilla/menuv3.pl +++ b/bin/mozilla/menuv3.pl @@ -75,7 +75,7 @@ sub acc_menu { $locale = Locale->new($language, "menu"); $mainlevel = $form->{level}; - $mainlevel =~ s/$mainlevel--//g; + $mainlevel =~ s/\Q$mainlevel\E--//g; my $menu = new Menu "$menufile"; $| = 1;