SuiteCRM 7.12.6 Release

README.md

@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.5
+# SuiteCRM 7.12.6
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

export.php

@@ -49,15 +49,28 @@
 global $sugar_config;
 global $current_user;
 global $app_list_strings;
+global $beanList;
+global $log;
 
 $the_module = clean_string($_REQUEST['module']);
 
+if (empty($current_user) || empty($current_user->id)) {
+    die($GLOBALS['app_strings']['ERR_EXPORT_DISABLED']);
+}
+
 if ($sugar_config['disable_export'] 	|| (!empty($sugar_config['admin_export_only']) && !(is_admin($current_user) || (ACLController::moduleSupportsACL($the_module)  && ACLAction::getUserAccessLevel($current_user->id, $the_module, 'access') == ACL_ALLOW_ENABLED &&
     (ACLAction::getUserAccessLevel($current_user->id, $the_module, 'admin') == ACL_ALLOW_ADMIN ||
      ACLAction::getUserAccessLevel($current_user->id, $the_module, 'admin') == ACL_ALLOW_ADMIN_DEV))))) {
     die($GLOBALS['app_strings']['ERR_EXPORT_DISABLED']);
 }
 
+if (empty($beanList[$_REQUEST['module']])) {
+    $log->security("export: trying to access an invalid module '" . $_REQUEST['module'] . "'");
+    throw new RuntimeException('Unexpected error. See logs.');
+}
+
+$bean = $beanList[$_REQUEST['module']];
+
 //check to see if this is a request for a sample or for a regular export
 if (!empty($_REQUEST['sample'])) {
     //call special method that will create dummy data for bean as well as insert standard help message.

include/MVC/Controller/entry_point_registry.php

@@ -75,7 +75,7 @@
     'SAML'=>  array('file' => 'modules/Users/authentication/SAMLAuthenticate/index.php', 'auth' => false),
     'SAML2Metadata'=>  array('file' => 'modules/Users/authentication/SAML2Authenticate/SAML2Metadata.php', 'auth' => false),
     'jslang'=> array('file' => 'include/language/getJSLanguage.php', 'auth' => true),
-    'deleteAttachment' => array('file' => 'include/SugarFields/Fields/Image/deleteAttachment.php', 'auth' => false),
+    'deleteAttachment' => array('file' => 'include/SugarFields/Fields/Image/deleteAttachment.php', 'auth' => true),
     'responseEntryPoint' => array('file' => 'modules/FP_events/responseEntryPoint.php', 'auth' => false),
     'formLetter' => array('file' => 'modules/AOS_PDF_Templates/formLetterPdf.php' , 'auth' => true),
     'generatePdf' => array('file' => 'modules/AOS_PDF_Templates/generatePdf.php' , 'auth' => true),

include/MVC/SugarApplication.php

@@ -147,6 +147,8 @@ public function loadUser()
         }
 
         $GLOBALS['current_user'] = BeanFactory::newBean('Users');
+
+        $isLogicActionCall = $this->controller->module === 'Users' && in_array($this->controller->action, $allowed_actions);
         if (isset($_SESSION['authenticated_user_id'])) {
             // set in modules/Users/Authenticate.php
             if (!$authController->sessionAuthenticate()) {
@@ -156,7 +158,7 @@ public function loadUser()
                 SugarApplication::redirect('index.php?action=Login&module=Users');
                 die();
             }//fi
-        } elseif (!($this->controller->module == 'Users' && in_array($this->controller->action, $allowed_actions))) {
+        } elseif (!$isLogicActionCall || !empty($_REQUEST['entryPoint'])) {
             session_destroy();
             SugarApplication::redirect('index.php?action=Login&module=Users');
             die();

include/SugarFields/Fields/Image/deleteAttachment.php

@@ -41,10 +41,13 @@
  * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
  */
 
-    $field = $_REQUEST['field'];
-    $removeFile = "upload://{$_REQUEST[$field . '_record_id'] }_" . $field;
-    $bean = BeanFactory::getBean($_REQUEST['module'], $_REQUEST[$field . "_record_id"]);
+$field = $_REQUEST['field'];
+$removeFile = "upload://{$_REQUEST[$field . '_record_id'] }_" . $field;
+$bean = BeanFactory::getBean($_REQUEST['module'], $_REQUEST[$field . "_record_id"]);
 
+if (!$bean->ACLAccess('save')){
+    throw new RuntimeException('Not authorized');
+}
 
 if (file_exists($removeFile)) {
     if (!unlink($removeFile)) {

include/export_utils.php

@@ -110,21 +110,45 @@ function export($type, $records = null, $members = false, $sample=false)
     global $timedate;
     global $mod_strings;
     global $current_language;
+    global $log;
     $sampleRecordNum = 5;
 
     //Array of fields that should not be exported, and are only used for logic
     $remove_from_members = array("ea_deleted", "ear_deleted", "primary_address");
     $focus = 0;
 
-    $bean = $beanList[$type];
+    $db = DBManagerFactory::getInstance();
+    if (empty($db)){
+        $log->fatal('export: not able to get db instance');
+        throw new RuntimeException('Unexpected error. See logs.');
+    }
+
+    if (empty($beanList[$db->quote($type)])) {
+        $log->security("export: trying to access an invalid module '" . $db->quote($type) . "'");
+        throw new RuntimeException('Unexpected error. See logs.');
+    }
+
+    $bean = $beanList[$db->quote($type)];
+
     require_once($beanFiles[$bean]);
     $focus = new $bean;
     $searchFields = array();
-    $db = DBManagerFactory::getInstance();
 
-    if ($records) {
-        $records = explode(',', $records);
-        $records = "'" . implode("','", $records) . "'";
+    $records = $db->quote($records);
+    $recordsArray = [];
+
+    if (!empty($records)) {
+        $recordsArray = explode(',', $records);
+    }
+
+    if (!empty($recordsArray)) {
+        $quotedRecords = [];
+
+        foreach ($recordsArray as $record) {
+            $quotedRecords[] = $db->quote($record);
+        }
+
+        $records = "'" . implode("','", $quotedRecords) . "'";
         $where = "{$focus->table_name}.id in ($records)";
     } elseif (isset($_REQUEST['all'])) {
         $where = '';

include/utils.php

@@ -215,6 +215,8 @@ function make_sugar_config(&$sugar_config)
             'vbs',
             'html',
             'htm',
+            'phtml',
+            'phar',
         ) : $upload_badext,
         'valid_image_ext' => [
             'gif',
@@ -476,6 +478,7 @@ function get_sugar_config_defaults(): array
             'html',
             'htm',
             'phtml',
+            'phar',
         ],
         'valid_image_ext' => [
             'gif',
@@ -554,6 +557,7 @@ function get_sugar_config_defaults(): array
             'min_cron_interval' => 30, // minimal interval between cron jobs
         ],
         'strict_id_validation' => false,
+        'id_validation_pattern' => '/^[a-zA-Z0-9_-]*$/i',
         'session_gc' => [
             'enable' => true,
             'gc_probability' => 1,
@@ -5978,3 +5982,18 @@ function isTrue($value): bool {
 function isFalse($value): bool {
     return $value === false || $value === 'false' || $value === 0;
 }
+
+/**
+ * Get validation pattern
+ * @return string
+ */
+function get_id_validation_pattern(): string {
+    global $sugar_config;
+
+    $pattern = '/^[a-zA-Z0-9_-]*$/i';
+    if (!empty($sugar_config['id_validation_pattern'])){
+        $pattern = $sugar_config['id_validation_pattern'];
+    }
+
+    return $pattern;
+}

install/download_modules.php

@@ -57,7 +57,24 @@
     $sugar_config['upload_maxsize'] = 8192000;
 }
 if (empty($sugar_config['upload_badext'])) {
-    $sugar_config['upload_badext'] = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm');
+    $sugar_config['upload_badext'] = [
+        'php',
+        'php3',
+        'php4',
+        'php5',
+        'pl',
+        'cgi',
+        'py',
+        'asp',
+        'cfm',
+        'js',
+        'vbs',
+        'html',
+        'htm',
+        'phtml',
+        'phar',
+    ];
+
 }
 ////    END PREFILL $sugar_config VARS
 ///////////////////////////////////////////////////////////////////////////////

lib/Utility/SuiteValidator.php

@@ -46,25 +46,18 @@ class SuiteValidator
      * @param string $id
      * @return bool
      */
-    public function isValidId($id)
+    public function isValidId(string $id): bool
     {
-        global $sugar_config;
-
-        if ($sugar_config['strict_id_validation']) {
-            $valid = is_numeric($id) || (is_string($id) && preg_match('/^\{?[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}?$/i',
-                        $id));
-        } else {
-            $valid = is_numeric($id) || (is_string($id) && preg_match('/^[a-zA-Z0-9_-]*$/i', $id));
-        }
+        $pattern = $this->getIdValidationPattern();
 
-        return $valid;
+        return is_numeric($id) || (is_string($id) && preg_match($pattern, $id));
     }
 
     /**
      * @param string $fieldname
      * @return bool
      */
-    public function isPercentageField($fieldname)
+    public function isPercentageField(string $fieldname): bool
     {
         if ($fieldname === 'aos_products_quotes_vat' ||
             strpos(strtolower($fieldname), 'pct') !== false ||
@@ -75,4 +68,21 @@ public function isPercentageField($fieldname)
 
         return false;
     }
+
+    /**
+     * Get id validation pattern
+     * @return string
+     */
+    public function getIdValidationPattern(): string
+    {
+        global $sugar_config;
+
+        if (isset($sugar_config['strict_id_validation']) && $sugar_config['strict_id_validation']) {
+            $pattern = '/^\{?[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}?$/i';
+        } else {
+            $pattern = get_id_validation_pattern();
+        }
+
+        return $pattern;
+    }
 }

metadata/users_passwordLinkMetaData.php

@@ -51,6 +51,13 @@
             'type' => 'id',
             'required' => true,
         ],
+        'keyhash' => [
+            'name' => 'keyhash',
+            'vname' => 'LBL_KEY',
+            'type' => 'varchar',
+            'len'=>'255',
+            'required' => true,
+        ],
         'user_id' => [
             'name' => 'user_id',
             'vname' => 'LBL_USER_ID',

modules/Configurator/Configurator.php

@@ -135,6 +135,11 @@ public function checkLoggerFileName()
 
         $logFileExt = $this->prependDot($logFileExt);
 
+        if (!$this->hasValidExtension('logger_file_ext', $logFileExt)) {
+            $_POST['logger_file_ext'] = 'log';
+            $logFileExt = $this->prependDot('log');
+            LoggerManager::getLogger()->security("Setting logger_file_ext to '.log'.");
+        }
 
         $fullName = $logFileName . $logFileExt;
         $_POST['logger_file_name'] = $logFileName;
@@ -149,12 +154,6 @@ public function checkLoggerFileName()
             $valid = false;
         }
 
-        if (!$this->hasValidExtension('logger_file_ext', $logFileExt)) {
-            $_POST['logger_file_ext'] = '';
-            LoggerManager::getLogger()->security("Setting logger_file_ext to ''.");
-            $valid = false;
-        }
-
         if (!$valid) {
             return;
         }
@@ -203,7 +202,7 @@ public function prependDot($value)
      * @param string $value
      * @return bool
      */
-    public function hasValidExtension($fieldName, $value)
+    public function hasValidExtension(string $fieldName, string $value): bool
     {
 
         if ($value === '.' || empty($value)) {
@@ -212,7 +211,11 @@ public function hasValidExtension($fieldName, $value)
             return false;
         }
 
-        $badExt = array_map('strtolower', $this->config['upload_badext']);
+        $defaults = get_sugar_config_defaults() ?? [];
+        $badExtDefaults = $defaults['upload_badext'] ?? [];
+        $badExtensions = array_merge($badExtDefaults, $this->config['upload_badext'] ?? []) ?? [];
+
+        $badExt = array_map('strtolower', $badExtensions);
 
         $parts = explode('.', $value);
 

modules/EmailTemplates/EmailTemplateFormBase.php

@@ -160,10 +160,9 @@ public function handleSave($prefix, $redirect=true, $useRequired=false, $useSite
         } else {
             $focus->text_only = 0;
         }
-        if (!$focus->ACLAccess('Save')) {
-            ACLController::displayNoAccess(true);
-            sugar_cleanup(true);
-        }
+
+        $this->checkAccess($focus);
+
         if (!isset($_REQUEST['published'])) {
             $focus->published = 'off';
         }
@@ -410,4 +409,32 @@ public function handleAttachments($focus, $redirect, $return_id)
             return $focus;
         }
     }
+
+    /**
+     * @param SugarBean $focus
+     * @return void
+     */
+    protected function checkAccess(SugarBean $focus): void
+    {
+        global $current_user;
+
+        if (!$focus->ACLAccess('Save')) {
+            ACLController::displayNoAccess(true);
+            sugar_cleanup(true);
+        }
+
+        $type = !empty($focus->type) ? $focus->type : '';
+        if (!empty($focus->id)) {
+            $template = BeanFactory::getBean('EmailTemplates', $focus->id);
+
+            if (!empty($template) && !empty($template->type)) {
+                $type = $template->type;
+            }
+        }
+
+        if ($type === 'system' && !is_admin($current_user)) {
+            ACLController::displayNoAccess(true);
+            sugar_cleanup(true);
+        }
+    }
 }