Merge branch 'develop' into patch-10

htdocs/core/class/translate.class.php

@@ -682,7 +682,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 =
 				}
 			}
 
-			$str = str_replace('%)', '__percent_parenthesis__', $str);
+			$str = preg_replace('/([^%])%([^0sd])/', '__percent_parenthesis__', $str);
 
 			if (strpos($key, 'Format') !== 0) {
 				try {

htdocs/core/lib/admin.lib.php

@@ -1270,7 +1270,7 @@ function activateModule($value, $withdeps = 1, $noconfverification = 0)
 							if ($activateerr) {
 								$ret['errors'][] = $activateerr;
 							}
-							$ret['errors'][] = $langs->trans('activateModuleDependNotSatisfied', $objMod->name, $modulestring);
+							$ret['errors'][] = $langs->trans('activateModuleDependNotSatisfied', $objMod->name, $modulestring, $objMod->name).'<br>'.$langs->trans('activateModuleDependNotSatisfied2', $modulestring, $objMod->name);
 						}
 					}
 				}

htdocs/core/lib/project.lib.php

@@ -2806,6 +2806,7 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
 					}
 
 					print '<td class="right">';
+					$alttext = '';
 					if ($objp->opp_percent && $objp->opp_amount) {
 						$opp_weighted_amount = $objp->opp_percent * $objp->opp_amount / 100;
 						$alttext = $langs->trans("OpportunityWeightedAmount").' '.price($opp_weighted_amount, 0, '', 1, -1, 0, $conf->currency);

htdocs/core/lib/website2.lib.php

@@ -322,14 +322,14 @@ function dolSavePageContent($filetpl, Website $object, WebsitePage $objectpage,
 		$tplcontent .= "// Now fix the content for SEO or multilanguage\n";
 		// Old method for custom SEO
 		if (strpos($objectpage->content, '$__PAGE__KEYWORDS__') !== false) {
-			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"keywords\" content=\".*?\" \/>/ms", "<meta name=\"keywords\" content=\"" . dolPrintHTMLForAttribute($__PAGE__KEYWORDS__, 1) . "\"  />", $tmp);'."\n";
+			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"keywords\" content=\".*?\" \/>/ms", "<meta name=\"keywords\" content=\"" . dolPrintHTMLForAttribute($__PAGE__KEYWORDS__ ?? "", 1) . "\"  />", $tmp);'."\n";
 		}
 		if (strpos($objectpage->content, '$__PAGE__TITLE__') !== false) {
-			$tplcontent .= '$tmp = preg_replace("/^<title>.*?<\/title>/ms", "<title>" . dolPrintHTMLForAttribute($__PAGE__TITLE__, 1) . "</title>", $tmp);'."\n";
-			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"title\" content=\".*?\" \/>/ms", "<meta name=\"title\" content=\"" . dolPrintHTMLForAttribute($__PAGE__TITLE__, 1) . "\"  />", $tmp);'."\n";
+			$tplcontent .= '$tmp = preg_replace("/^<title>.*?<\/title>/ms", "<title>" . dolPrintHTMLForAttribute($__PAGE__TITLE__ ?? "", 1) . "</title>", $tmp);'."\n";
+			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"title\" content=\".*?\" \/>/ms", "<meta name=\"title\" content=\"" . dolPrintHTMLForAttribute($__PAGE__TITLE__ ?? "", 1) . "\"  />", $tmp);'."\n";
 		}
 		if (strpos($objectpage->content, '$__PAGE__DESC__') !== false) {
-			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"description\" content=\".*?\" \/>/ms", "<meta name=\"description\" content=\"" . dolPrintHTMLForAttribute($__PAGE__DESC__, 1) . "\"  />", $tmp);'."\n";
+			$tplcontent .= '$tmp = preg_replace("/^<meta name=\"description\" content=\".*?\" \/>/ms", "<meta name=\"description\" content=\"" . dolPrintHTMLForAttribute($__PAGE__DESC__ ?? "", 1) . "\"  />", $tmp);'."\n";
 		}
 		// New method for custom SEO
 		if (strpos($objectpage->content, 'define("__SEO_PAGE_LANG__"') !== false) {

htdocs/langs/en_US/admin.lang

@@ -2116,7 +2116,8 @@ AddSubstitutions=Add keys substitutions
 DetectionNotPossible=Detection not possible
 UrlToGetKeyToUseAPIs=Url to get token to use API (once token has been received it is saved in database user table and must be provided on each API call)
 ListOfAvailableAPIs=List of available APIs
-activateModuleDependNotSatisfied=Module "%s" depends on module "%s", that is missing, so module "%1$s" may not work correctly. Please install module "%2$s" or disable module "%1$s" if you want to be safe from any surprise
+activateModuleDependNotSatisfied=Module "%s" depends on module "%s", that is missing, so module "%s" may not work correctly.
+activateModuleDependNotSatisfied2=Please install module "%s" or disable module "%s" if you want to be safe from any surprise.
 CommandIsNotInsideAllowedCommands=The command you are trying to run is not in the list of allowed commands defined in parameter <strong>$dolibarr_main_restrict_os_commands</strong> in the <strong>conf.php</strong> file.
 LandingPage=Landing page
 SamePriceAlsoForSharedCompanies=If you use a multicompany module, with the choice "Single price", the price will also be the same for all companies if products are shared between environments

htdocs/projet/class/project.class.php

@@ -2250,6 +2250,9 @@ public function loadTimeSpentMonth($datestart, $taskid = 0, $userid = 0)
 					$this->monthWorkLoadPerTask[$week_number][$obj->fk_element] = $obj->element_duration;
 				} else {
 					$this->monthWorkLoad[$week_number] += $obj->element_duration;
+					if (!isset($this->monthWorkLoadPerTask[$week_number][$obj->fk_element])) {
+						$this->monthWorkLoadPerTask[$week_number][$obj->fk_element] = 0;
+					}
 					$this->monthWorkLoadPerTask[$week_number][$obj->fk_element] += $obj->element_duration;
 				}
 				$weekalreadyfound[$week_number] = 1;

htdocs/projet/tasks/task.php

@@ -81,7 +81,10 @@
 }
 
 if ($id > 0 || $ref) {
-	$object->fetch($id, $ref);
+	$ret = $object->fetch($id, $ref);
+	if ($ret > 0) {
+		$projectstatic->fetch($object->fk_project);
+	}
 }
 
 // Security check
@@ -262,7 +265,7 @@
 	require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 	$langs->load("other");
-	$upload_dir = $conf->project->dir_output;
+	$upload_dir = $conf->project->dir_output."/".dol_sanitizeFileName($projectstatic->ref)."/".dol_sanitizeFileName($object->ref);
 	$file = $upload_dir.'/'.dol_sanitizeFileName(GETPOST('file'));
 
 	$ret = dol_delete_file($file);
@@ -292,7 +295,6 @@
 $formother = new FormOther($db);
 $formfile = new FormFile($db);
 $formproject = new FormProjets($db);
-$result = $projectstatic->fetch($object->fk_project);
 
 $title = $object->ref;
 if (!empty($withproject)) {
@@ -805,7 +807,7 @@
 		/*
 		 * Generated documents
 		 */
-		$filename = dol_sanitizeFileName($projectstatic->ref)."/".dol_sanitizeFileName($object->ref);
+		$filename = '';
 		$filedir = $conf->project->dir_output."/".dol_sanitizeFileName($projectstatic->ref)."/".dol_sanitizeFileName($object->ref);
 		$urlsource = $_SERVER["PHP_SELF"]."?id=".$object->id;
 		$genallowed = ($user->hasRight('projet', 'lire'));

htdocs/ticket/card.php

@@ -77,6 +77,7 @@
 $backtopage = GETPOST('backtopage', 'alpha');
 $backtopageforcancel = GETPOST('backtopageforcancel', 'alpha');
 
+$limit = GETPOSTINT('limit') ? GETPOSTINT('limit') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma') ? GETPOST('sortfield', 'aZ09comma') : "a.datep";
 $sortorder = GETPOST('sortorder', 'aZ09comma') ? GETPOST('sortorder', 'aZ09comma') : "desc";
 $search_rowid = GETPOST('search_rowid');

htdocs/website/samples/wrapper.php

@@ -64,9 +64,21 @@
 			if ($moduleparttocheck == $modulepart) {
 				// We remove first level of directory
 				$original_file = (($tmp[1] ? $tmp[1].'/' : '').$ecmfile->filename); // this is relative to module dir
-				//var_dump($original_file); exit;
+				//var_dump($original_file); exit(0);
 			} else {
+				// Security options
+
+				// X-Content-Type-Options
+				header("X-Content-Type-Options: nosniff");
+
+				// X-Frame-Options
+				if (!getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
+					header("X-Frame-Options: SAMEORIGIN");
+				}
+
+				http_response_code(401);
 				print 'Bad link. File is from another module part.';
+				exit(1);
 			}
 		} else {
 			$modulepart = $moduleparttocheck;
@@ -77,8 +89,19 @@
 			$original_file = getImageFileNameForSize($original_file, $extname);
 		}
 	} else {
+		// Security options
+
+		// X-Content-Type-Options
+		header("X-Content-Type-Options: nosniff");
+
+		// X-Frame-Options
+		if (!getDolGlobalString('WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES')) {
+			header("X-Frame-Options: SAMEORIGIN");
+		}
+
+		http_response_code(404);
 		print "ErrorFileNotFoundWithSharedLink";
-		exit;
+		exit(2);
 	}
 }
 
@@ -196,15 +219,19 @@
 				$error = 'Failed to rename '.$outputfiletmp.' into '.$outputfile;
 				dol_syslog("build_exportfile ".$error, LOG_ERR);
 				dol_delete_file($outputfiletmp, 0, 1);
+
+				http_response_code(500);
 				print $error;
-				exit(-1);
+				exit(3);
 			}
 		} else {
 			dol_syslog("build_exportfile build_xxxfile function fails to for format=".$format." outputfiletmp=".$outputfile, LOG_ERR);
 			dol_delete_file($outputfiletmp, 0, 1);
 			$langs->load("errors");
+
+			http_response_code(500);
 			print $langs->trans("ErrorFailToCreateFile", $outputfile);
-			exit(-1);
+			exit(4);
 		}
 	}
 
@@ -244,7 +271,7 @@
 	}
 
 	// header("Location: ".DOL_URL_ROOT.'/document.php?modulepart=agenda&file='.urlencode($filename));
-	exit;
+	exit(5);
 } elseif ($modulepart == "mycompany" && preg_match('/^\/?logos\//', $original_file)) {
 	// Get logos
 	readfile(dol_osencode($conf->mycompany->dir_output."/".$original_file));
@@ -263,8 +290,9 @@
 	// Security:
 	// Limit access if permissions are wrong
 	if (!$accessallowed) {
+		http_response_code(403);
 		print 'Access forbidden';
-		exit;
+		exit(6);
 	}
 
 	// For backward compatibility of old thumbs that were created with filename in lower case and with .png extension
@@ -282,8 +310,9 @@
 
 	// This test if file exists should be useless. We keep it to find bug more easily
 	if (!file_exists($fullpath_original_file_osencoded)) {
+		http_response_code(404);
 		print "ErrorFileDoesNotExists: ".dol_escape_htmltag($original_file);
-		exit;
+		exit(7);
 	}
 
 	// Permissions are ok and file found, so we return it