Merge Hotfix security fixes 210416 into 21.04.x (#11493)

* fix(conf) fix sql in escalation conf (#11251) (#11315) * fix(conf) fix sql in escalation conf * fix cs * apply suggestion * fix data display in escalations config pages * fix escalation period save * fix resources inheritance duplication * Apply suggestion * chore(install): Update version to 21.04.16 + Update Jenkinsfile * Update Jenkinsfile Co-authored-by: alaunois <alaunois@centreon.com>
centreon · Aug 3, 2022 · 76fdfba · 76fdfba
1 parent 51ca164
commit 76fdfba
Show file tree

Hide file tree

Showing 7 changed files with 601 additions and 479 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -9,7 +9,7 @@ def maintenanceBranch = "${serie}.x"
 def qaBranch = "dev-${serie}.x"
 env.REF_BRANCH = "${maintenanceBranch}"
 env.PROJECT='centreon-web'
-if (env.BRANCH_NAME.startsWith('release-')) {
+if (env.BRANCH_NAME.startsWith("hotfix-") || env.BRANCH_NAME.startsWith("release-")) {
   env.BUILD = 'RELEASE'
   env.DELIVERY_STAGE = 'Delivery to testing'
   env.DOCKER_STAGE = 'Docker packaging'

diff --git a/www/include/common/common-Func.php b/www/include/common/common-Func.php
@@ -113,9 +113,20 @@ function table_not_exists($table_name)
     }
 }
 
-function myDecode($arg)
+function myDecode($data)
 {
-    return html_entity_decode($arg, ENT_QUOTES, "UTF-8");
+    if (is_string($data)) {
+        $data = html_entity_decode($data, ENT_QUOTES, "UTF-8");
+    }
+    return $data;
+}
+
+function myEncode($data)
+{
+    if (is_string($data)) {
+        $data = htmlentities($data);
+    }
+    return $data;
 }
 
 /*

diff --git a/www/include/configuration/configObject/escalation/DB-Func.php b/www/include/configuration/configObject/escalation/DB-Func.php
diff --git a/www/include/configuration/configObject/escalation/formEscalation.php b/www/include/configuration/configObject/escalation/formEscalation.php
@@ -1,6 +1,7 @@
 <?php
+
 /*
- * Copyright 2005-2015 Centreon
+ * Copyright 2005-2022 Centreon
  * Centreon is developped by : Julien Mathis and Romain Le Merlus under
  * GPL Licence 2.0.
  *
@@ -48,7 +49,7 @@
     $DBRESULT = $pearDB->query("SELECT * FROM escalation WHERE esc_id = '" . $esc_id . "' LIMIT 1");
 
     # Set base value
-    $esc = array_map("myDecode", $DBRESULT->fetchRow());
+    $esc = array_map("myEncode", $DBRESULT->fetchRow());
 
     # Set Host Options
     $esc["escalation_options1"] = explode(',', $esc["escalation_options1"]);
@@ -221,7 +222,6 @@
 $form->addRule('last_notification', _("Required Field"), 'required');
 $form->addRule('notification_interval', _("Required Field"), 'required');
 $form->addRule('esc_cgs', _("Required Field"), 'required');
-// $form->addRule('dep_hostChilds', _("Required Field"), 'required'); - Fields is not added so rule is not needed
 $form->registerRule('exist', 'callback', 'testExistence');
 $form->addRule('esc_name', _("Name is already in use"), 'exist');
 $form->setRequiredNote("<font style='color: red;'>*</font>&nbsp;" . _("Required fields"));

diff --git a/www/include/configuration/configObject/escalation/listEscalation.php b/www/include/configuration/configObject/escalation/listEscalation.php
@@ -1,6 +1,7 @@
 <?php
+
 /*
- * Copyright 2005-2019 Centreon
+ * Copyright 2005-2022 Centreon
  * Centreon is developed by : Julien Mathis and Romain Le Merlus under
  * GPL Licence 2.0.
  *
@@ -149,6 +150,7 @@
 // Fill a tab with a multidimensional Array we put in $tpl
 $elemArr = array();
 for ($i = 0; $esc = $dbResult->fetch(); $i++) {
+    $esc = array_map("myEncode", $esc);
     $moptions = "";
     $selectedElements = $form->addElement('checkbox', "select[" . $esc['esc_id'] . "]");
     $moptions .=
@@ -160,8 +162,8 @@
     $elemArr[$i] = array(
         "MenuClass" => "list_" . $style,
         "RowMenu_select" => $selectedElements->toHtml(),
-        "RowMenu_name" => CentreonUtils::escapeSecure(myDecode($esc["esc_name"])),
-        "RowMenu_alias" => CentreonUtils::escapeSecure(myDecode($esc["esc_alias"])),
+        "RowMenu_name" => CentreonUtils::escapeSecure($esc["esc_name"]),
+        "RowMenu_alias" => CentreonUtils::escapeSecure($esc["esc_alias"]),
         "RowMenu_link" => "main.php?p=" . $p . "&o=c&esc_id=" . $esc['esc_id'],
         "RowMenu_options" => $moptions
     );

diff --git a/www/install/insertBaseConf.sql b/www/install/insertBaseConf.sql
@@ -2,7 +2,7 @@
 -- Insert version
 --
 
-INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.15');
+INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.16');
 
 --
 -- Contenu de la table `contact`

diff --git a/www/install/php/Update-21.04.16.php b/www/install/php/Update-21.04.16.php
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * Copyright 2005 - 2022 Centreon (https://www.centreon.com/)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * For more information : contact@centreon.com
+ *
+ */