From 6c5c1c36fa682244c355f6c06808ec715f0a2baa Mon Sep 17 00:00:00 2001 From: einhverfr Date: Thu, 26 Apr 2007 20:28:38 +0000 Subject: Merging bugfixes from current branches/1.2 git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@1105 4979c152-3d1c-0410-bac9-87ea11338e46 --- LedgerSMB/AA.pm | 10 +-- LedgerSMB/AM.pm | 52 ++++---------- LedgerSMB/Form.pm | 186 +++++++++++++++++++++++++++++-------------------- LedgerSMB/IC.pm | 22 +++--- LedgerSMB/IR.pm | 14 ++-- LedgerSMB/IS.pm | 41 ++++++----- LedgerSMB/Locale.pm | 14 ++-- LedgerSMB/Menu.pm | 9 ++- LedgerSMB/OE.pm | 77 ++++++++------------ LedgerSMB/Sysconfig.pm | 13 ++-- LedgerSMB/Tax.pm | 16 ++++- LedgerSMB/User.pm | 74 ++++++++++---------- 12 files changed, 273 insertions(+), 255 deletions(-) (limited to 'LedgerSMB') diff --git a/LedgerSMB/AA.pm b/LedgerSMB/AA.pm index e6d7b573..dde35958 100644 --- a/LedgerSMB/AA.pm +++ b/LedgerSMB/AA.pm @@ -394,7 +394,7 @@ sub post_transaction { INSERT INTO acc_trans (trans_id, chart_id, amount, transdate) VALUES (?, (SELECT id FROM chart - WHERE accno = '?'), + WHERE accno = ?), ?, ?)|; @queryargs = ( $form->{id}, $accno, $invamount * -1 * $ml, $form->{transdate} ); @@ -455,7 +455,7 @@ sub post_transaction { ?, ?)|; @queryargs = ( - $form->{id}, + $form->{id}, $accno, $paid{amount}{$i} * $ml, $form->{"datepaid_$i"} ); @@ -480,7 +480,7 @@ sub post_transaction { cleared) VALUES (?, (SELECT id FROM chart WHERE accno = ?), - ? * -1 * $ml, ?, ?, ?, ?)|; + ?, ?, ?, ?, ?)|; @queryargs = ( $form->{id}, $accno, @@ -545,7 +545,8 @@ sub post_transaction { FROM chart WHERE accno = ?), - ?, ?, '1', ?, ?)|; + ?, ?, + '1', ?, ?)|; @queryargs = ( $form->{id}, $accno, @@ -870,7 +871,6 @@ sub transactions { $query .= "WHERE $where ORDER BY $sortorder"; - my $sth = $dbh->prepare($query); $sth->execute(@paidargs) || $form->dberror($query); diff --git a/LedgerSMB/AM.pm b/LedgerSMB/AM.pm index 1219c50c..696b370b 100644 --- a/LedgerSMB/AM.pm +++ b/LedgerSMB/AM.pm 
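Review bot: Dropping `? * -1 * $ml` in favour of a bare `?` in the @@ -480 hunk means the sign flip now has to happen on the Perl side, and the `@queryargs` list is cut off at the end of the hunk, so confirm the amount element there is multiplied by `-1 * $ml` rather than passed as-is. Taking the interpolated `$ml` out of the statement text is the right direction, since every other value in the INSERT is bound. post_transaction continues outside this hunk.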
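Review bot: With `my $sth = $dbh->prepare($query);` removed in the @@ -870 hunk, `$sth->execute(@paidargs)` presumably runs a handle prepared before `$query .= "WHERE $where ORDER BY $sortorder"` appended the filter; that earlier prepare is outside the hunk, but if it is the one in scope the WHERE clause and ordering never reach the database. Either keep a prepare after the append or move the append ahead of the earlier prepare. `$where` and `$sortorder` are interpolated into the statement text, so they must be assembled only from fixed column names with the user-supplied values bound, which this hunk cannot show.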
@@ -247,7 +247,7 @@ sub delete_account { # set inventory_accno_id, income_accno_id, expense_accno_id to defaults $query = qq| UPDATE parts - SET inventory_accno_id = (SELECT value + SET inventory_accno_id = (SELECT value::int FROM defaults WHERE setting_key = 'inventory_accno_id') @@ -259,7 +259,7 @@ sub delete_account { for (qw(income_accno_id expense_accno_id)) { $query = qq| UPDATE parts - SET $_ = (SELECT value + SET $_ = (SELECT value::int FROM defaults WHERE setting_key = '$_') WHERE $_ = ?|; @@ -1247,12 +1247,12 @@ sub check_template_name { my ( $self, $myconfig, $form ) = @_; my @allowedsuff = qw(css tex txt html xml); - if ( $form->{file} =~ /^(.:)*?\/|\.\.\/|^\// ) { + if ( $form->{file} =~ /^(.:)*?\/|:|\.\.\/|^\// ) { $form->error("Directory transversal not allowed."); } - if ( $form->{file} =~ /^${LedgerSMB::Sysconfig::userspath}\// ) { + if ( $form->{file} =~ /^${LedgerSMB::Sysconfig::backuppath}\// ) { $form->error( -"Not allowed to access ${LedgerSMB::Sysconfig::userspath}/ with this method" +"Not allowed to access ${LedgerSMB::Sysconfig::backuppath}/ with this method" ); } my $whitelisted = 0; @@ -1353,10 +1353,6 @@ sub save_preferences { company menuwidth countrycode address timeout stylesheet printer password); - foreach my $item ( keys %$form ) { - $myconfig->{$item} = $form->{$item}; - } - $myconfig->{password} = $form->{new_password} if ( $form->{old_password} ne $form->{new_password} ); @@ -1614,8 +1610,7 @@ sub backup { my $boundary = time; my $tmpfile = -"${LedgerSMB::Sysconfig::userspath}/$boundary.$myconfig->{dbname}-$form->{dbversion}-$t[5]$t[4]$t[3].sql"; - $tmpfile .= ".gz" if ${LedgerSMB::Sysconfig::gzip}; +"${LedgerSMB::Sysconfig::backuppath}/$boundary.$globalDBname-$form->{dbversion}-$t[5]$t[4]$t[3].sql"; $form->{OUT} = "$tmpfile"; open( OUT, '>', "$form->{OUT}" ) or $form->error("$form->{OUT} : $!"); 
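Review bot: In check_template_name, `${LedgerSMB::Sysconfig::backuppath}` is interpolated into the regex unescaped, so a configured path containing `.`, `+` or `(` is matched as a pattern rather than a literal and the guard can be loosened; write it as `if ( $form->{file} =~ /^\Q${LedgerSMB::Sysconfig::backuppath}\E\// ) {`. The traversal check above it now rejects `../` and any `:`, but still not a backslash-separated `..\` or a trailing `..`; rejecting any `..` path component outright is simpler to reason about. The error message also misspells "traversal". The suffix whitelist that follows is outside this hunk.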
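Review bot: In the @@ -1614 hunk of backup, `$globalDBname` replaces `$myconfig->{dbname}` in the temp file name but is neither declared nor assigned anywhere in the hunk; if it is a package global set elsewhere, a one-line comment naming where it is set would help the next reader, and if it is not, the file name silently gets an empty component. The dump written into this file is now pg_dump custom format (`-Fc`, per the next hunk) while the name still ends in `.sql`, which suggests psql can restore it when pg_restore is needed; a suffix that reflects the format would avoid that. The rest of backup lies outside this hunk.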
@@ -1624,24 +1619,12 @@ sub backup { my $today = scalar localtime; - $myconfig->{dbhost} = 'localhost' unless $myconfig->{dbhost}; - - $ENV{PGPASSWD} = $myconfig->{dbpasswd}; - - # drop tables and sequences - # compress backup if gzip defined - my $suffix = ""; + my $suffix = "c"; if ( $form->{media} eq 'email' ) { - if ( ${LedgerSMB::Sysconfig::gzip} ) { - print OUT -`pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} $myconfig->{dbname} | ${LedgerSMB::Sysconfig::gzip}`; - } - else { - print OUT -`pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} $myconfig->{dbname}`; - } + print OUT +qx(PGPASSWORD="$myconfig->{dbpasswd}" pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} -Fc -p $myconfig->{dbport} $myconfig->{dbname}); close OUT; use LedgerSMB::Mailer; $mail = new Mailer; @@ -1649,12 +1632,12 @@ sub backup { $mail->{to} = qq|"$myconfig->{name}" <$myconfig->{email}>|; $mail->{from} = qq|"$myconfig->{name}" <$myconfig->{email}>|; $mail->{subject} = -"LedgerSMB Backup / $myconfig->{dbname}-$form->{dbversion}-$t[5]$t[4]$t[3].sql$suffix"; +"LedgerSMB Backup / $globalDBname-$form->{dbversion}-$t[5]$t[4]$t[3].sql$suffix"; @{ $mail->{attachments} } = ($tmpfile); $mail->{version} = $form->{version}; $mail->{fileid} = "$boundary."; $mail->{format} = "plain"; - $mail->{format} = "octet-stream" if ${LedgerSMB::Sysconfig::gzip}; + $mail->{format} = "octet-stream"; $myconfig->{signature} =~ s/\\n/\n/g; $mail->{message} = "-- \n$myconfig->{signature}"; 
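Review bot: The new `qx(PGPASSWORD="$myconfig->{dbpasswd}" pg_dump -U … -h $myconfig->{dbhost} -Fc -p $myconfig->{dbport} $myconfig->{dbname})` line interpolates five config values into a shell command string, so a password or database name containing `"`, `$` or a backquote changes the command rather than being passed as data, and the `PGPASSWORD=…` prefix is visible in the process list of the `sh -c` wrapper. The hunk also drops the `$myconfig->{dbhost} = 'localhost' unless …` default, so an empty dbhost leaves `-h` to swallow `-Fc` as the host name, and an empty dbport does the same with `-p`. Setting `local $ENV{PGPASSWORD}` and running pg_dump through list-form `open '-|'` avoids the shell entirely and lets the optional flags be added only when set; the same pattern is needed in the @@ -1669 hunk of this file. The rest of backup's body lies outside this hunk.
```perl
    # Pass the password through the environment, scoped to this sub, and run
    # pg_dump without a shell so config values are arguments, never syntax.
    local $ENV{PGPASSWORD} = $myconfig->{dbpasswd};
    my @dump_cmd = ( 'pg_dump', '-U', $myconfig->{dbuser}, '-Fc' );
    push @dump_cmd, '-h', $myconfig->{dbhost} if $myconfig->{dbhost};
    push @dump_cmd, '-p', $myconfig->{dbport} if $myconfig->{dbport};
    push @dump_cmd, $myconfig->{dbname};
    open( my $dump, '-|', @dump_cmd )
        or $form->error("pg_dump : $!");
    binmode $dump;    # custom-format dumps are binary
    print OUT <$dump>;
    close($dump) or $form->error("pg_dump failed : $?");
    # … unchanged: close OUT, mailer setup …
```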
@@ -1669,15 +1652,8 @@ sub backup { print OUT qq|Content-Type: application/file;\n| . qq|Content-Disposition: attachment; filename="$myconfig->{dbname}-$form->{dbversion}-$t[5]$t[4]$t[3].sql$suffix"\n\n|; - if ( ${LedgerSMB::Sysconfig::gzip} ) { - print OUT -`pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} $myconfig->{dbname} | ${LedgerSMB::Sysconfig::gzip}`; - } - else { - print OUT -`pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} $myconfig->{dbname}`; - } - + print OUT +qx(PGPASSWORD="$myconfig->{dbpasswd}" pg_dump -U $myconfig->{dbuser} -h $myconfig->{dbhost} -Fc -p $myconfig->{dbport} $myconfig->{dbname}); } unlink "$tmpfile"; @@ -1716,7 +1692,7 @@ sub closebooks { for (qw(revtrans closedto audittrail)) { if ( $form->{$_} ) { - $val = 1; + $val = $form->{$_}; } else { $val = 0; diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm index 76f4877f..a7955240 100644 --- a/LedgerSMB/Form.pm +++ b/LedgerSMB/Form.pm @@ -35,6 +35,11 @@ use Math::BigFloat lib => 'GMP'; use LedgerSMB::Sysconfig; +use List::Util qw(first); +use LedgerSMB::Mailer; +use Time::Local; +use Cwd; +use File::Copy; package Form; 
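Review bot: In the @@ -1716 hunk of closebooks, `$val = $form->{$_};` now stores the raw form value for revtrans, closedto and audittrail instead of the constant 1, so the stored value is no longer server-controlled. Where `$val` is written to the database is outside this hunk; confirm it is bound as a placeholder rather than interpolated, and that closedto is validated as a date before it is stored.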
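Review bot: The five new `use` lines in Form.pm sit before `package Form;`, so their imports (`first`, `timelocal`, `cwd`, `copy`) land in whichever package is current at that point rather than in Form. `List::Util::first` and `File::Copy::copy` are called fully qualified in later hunks, but the @@ -1339 hunk removes `use Time::Local;` from inside add_date, and if add_date calls `timelocal` unqualified it will now fail at runtime with an undefined-subroutine error; move the `use` lines below `package Form;` or qualify the calls. `new Mailer`, which the file-level `use LedgerSMB::Mailer;` presumably exists to load, is indirect-object syntax; `Mailer->new` is the unambiguous form.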
@@ -68,35 +73,32 @@ sub new { $self->{nextsub} =~ s/( |-|,|\#|\/|\.$)/_/g; } + $self->{login} =~ s/[^a-zA-Z0-9._+@'-]//g; + $self->{menubar} = 1 if $self->{path} =~ /lynx/i; #menubar will be deprecated, replaced with below $self->{lynx} = 1 if $self->{path} =~ /lynx/i; - $self->{version} = "1.3.0 Alpha 0 Pre"; + $self->{version} = "1.2.5"; $self->{dbversion} = "1.2.0"; bless $self, $type; - if ( $self->{path} eq "bin/lynx" ) { - $self->{menubar} = 1; - - #menubar will be deprecated, replaced with below - $self->{lynx} = 1; - $self->{path} = "bin/lynx"; - } - else { - $self->{path} = "bin/mozilla"; + if ( $self->{path} ne 'bin/lynx' ) { $self->{path} = 'bin/mozilla'; } + if ( ( $self->{script} ) + and not List::Util::first { $_ eq $self->{script} } + @{LedgerSMB::Sysconfig::scripts} ) + { + $self->error( 'Access Denied', __line__, __file__ ); } - if ( ( $self->{script} =~ m#(\.\.|\\|/)# ) ) { - $self->error("Access Denied"); + if ( ( $self->{action} =~ /(:|')/ ) || ( $self->{nextsub} =~ /(:|')/ ) ) { + $self->error( "Access Denied", __line__, __file__ ); } - if ( ( $self->{action} =~ /:/ ) || ( $self->{nextsub} =~ /:/ ) ) { - $self->error("Access Denied"); - } + for ( keys %$self ) { $self->{$_} =~ s/\000//g } $self; } @@ -116,6 +118,16 @@ sub debug { } +sub encode_all { + + # TODO; +} + +sub decode_all { + + # TODO +} + sub escape { my ( $self, $str, $beenthere ) = @_; @@ -155,24 +167,6 @@ sub quote { } -sub format_date { - - # takes an iso date in, and converts it to the date for printing - my ( $self, $date ) = @_; - my $datestring; - if ( $date =~ /^\d{4}\D/ ) { # is an ISO date - $datestring = $self->{db_dateformat}; - my ( $yyyy, $mm, $dd ) = split( /\W/, $date ); - $datestring =~ s/y+/$yyyy/; - $datestring =~ s/mm/$mm/; - $datestring =~ s/dd/$dd/; - } - else { # return date - $datestring = $date; - } - $datestring; -} - sub unquote { my ( $self, $str ) = @_; 
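Review bot: `$self->error( 'Access Denied', __line__, __file__ )` uses lowercase `__line__` and `__file__`, which are not Perl's special tokens; the location constants are `__LINE__` and `__FILE__`, so as written these are plain barewords (a compile error under `use strict`, the literal strings otherwise) and the error never carries the location; the action/nextsub check a few lines below has the same problem. The new `$self->{login} =~ s/[^a-zA-Z0-9._+@'-]//g;` silently rewrites a login instead of rejecting it, so distinct inputs collapse onto the same name, and it keeps `'`, the one character to watch if the login is ever interpolated into SQL; rejecting any login that fails the character class, as the script whitelist check below does, is the safer shape.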
@@ -234,9 +228,7 @@ sub error { if ( $ENV{error_function} ) { &{ $ENV{error_function} }($msg); } - else { - die "Error: $msg\n"; - } + die "Error: $msg\n"; } } @@ -343,7 +335,6 @@ qq|{callback} || !$msg ) { @@ -524,8 +515,8 @@ sub parse_amount { my ( $self, $myconfig, $amount ) = @_; - if ( $amount eq '' or $amount == undef ) { - return 0; + if ( ( $amount eq '' ) or ( ! defined $amount ) ) { + $amount = 0; } if ( UNIVERSAL::isa( $amount, 'Math::BigFloat' ) ) @@ -557,7 +548,14 @@ sub parse_amount { $amount = $1 * -1; } $amount =~ s/\s?CR//; + + $amount =~ /(\d*)\.(\d*)/; + + my $decimalplaces = length $1 + length $2; + $amount = new Math::BigFloat($amount); + $amount->accuracy($decimalplaces); + return ( $amount * 1 ); } @@ -661,21 +659,28 @@ sub parse_template { my $fileid = time; my $tmpfile = $self->{IN}; $tmpfile =~ s/\./_$self->{fileid}./ if $self->{fileid}; - $self->{tmpfile} = - "${LedgerSMB::Sysconfig::userspath}/${fileid}_${tmpfile}"; - - my %temphash; + $self->{tmpfile} = "${LedgerSMB::Sysconfig::tempdir}/${fileid}_${tmpfile}"; + my $temphash; if ( $self->{format} =~ /(postscript|pdf)/ || $self->{media} eq 'email' ) { - $temphash{out} = $self->{OUT}; - $self->{OUT} = "$self->{tmpfile}"; + $temphash{out} = $self->{OUT}; + $self->{OUT} = "$self->{tmpfile}"; + File::Copy::copy( + "$self->{templates}/logo.png", + "${LedgerSMB::Sysconfig::tempdir}/" + ); + File::Copy::copy( + "$self->{templates}/logo.eps", + "${LedgerSMB::Sysconfig::tempdir}/" + ); $temphash{printmode} = $self->{printmode}; - $self->{printmode} = '>'; + $self->{printmode} = '>'; } if ( $self->{OUT} ) { open( OUT, $self->{printmode}, "$self->{OUT}" ) or $self->error("$self->{OUT} : $!"); + chmod( 0600, "$self->{OUT}" ); } else { 
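Review bot: In the @@ -557 hunk of parse_amount, `my $decimalplaces = length $1 + length $2;` does not do what it looks like: `length` is a named unary operator and binds more loosely than `+`, so this parses as `length( $1 + length($2) )` and gives 2 rather than 4 for `12.34`. The preceding `$amount =~ /(\d*)\.(\d*)/;` is also unguarded, so for an amount with no decimal point `$1` and `$2` keep whatever the last successful match in scope left behind. Use parentheses and a match that always succeeds: `my ( $int, $frac ) = $amount =~ /(\d+)(?:\.(\d*))?/;` followed by `my $decimalplaces = length($int) + length( defined $frac ? $frac : '' );`. Math::BigFloat's `accuracy` is a count of significant digits, which is what the total digit count supplies, so the name `$decimalplaces` is misleading. parse_amount's earlier lines are outside this hunk.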
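Review bot: In the @@ -661 hunk of parse_template, `my $temphash;` declares a scalar, but the following lines use the hash `%temphash` (`$temphash{out}`, `$temphash{printmode}`), so the declaration does nothing and `%temphash` is an undeclared global (a compile error under `use strict`); it should read `my %temphash;`. The two `File::Copy::copy` calls ignore their return value, so a missing logo only surfaces when the template run fails later. `chmod( 0600, "$self->{OUT}" )` after `open` leaves a window in which the file exists with the default umask permissions (the @@ -1040 hunk does the same); a `umask 077` at the top of the sub, or `sysopen` with an explicit mode, closes it. The rest of parse_template is outside this hunk.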
@@ -826,13 +831,19 @@ sub parse_template { chop; s/.*?<\?lsmb if (.+?) \?>/$1/; - if (/\s/) { - @a = split; - $ok = eval "$self->{$a[0]} $a[1] $a[2]"; - } - else { - $ok = $self->{$_}; - } + # commenting this out for security reasons. If needed, + # please uncomment. Functionality below will be in 1.3 + # Chris Travers + #if (/\s/) { + # @args = split; + # if ($args[1] !~ /^(==|eq|>|gt|>|lt|>=|ge|le|<=|ne|!=)$/){ + # $self->error("Unknown/forbidden operator"); + # } + # $ok = eval "$self->{$args[0]} $args[1] $args[2]"; + #} else { + $ok = $self->{$_}; + + #} if ($ok) { while ( $_ = shift ) { @@ -898,19 +909,15 @@ sub parse_template { # Convert the tex file to postscript if ( $self->{format} =~ /(postscript|pdf)/ ) { - use Cwd; - $self->{cwd} = cwd(); - $self->{tmpdir} = "$self->{cwd}/${LedgerSMB::Sysconfig::userspath}"; - $self->{tmpdir} = "${LedgerSMB::Sysconfig::userspath}" - if ${LedgerSMB::Sysconfig::userspath} =~ /^\//; + $self->{tmpdir} = "${LedgerSMB::Sysconfig::tempdir}"; - unless ( chdir("${LedgerSMB::Sysconfig::userspath}") ) { + unless ( chdir( $self->{tmpdir} ) ) { $err = $!; $self->cleanup; - $self->error("chdir : $err"); + $self->error("chdir : $self->{tmpdir} : $err"); } - $self->{tmpfile} =~ s/${LedgerSMB::Sysconfig::userspath}\///g; + $self->{tmpfile} =~ s/$self->{tmpdir}\///g; $self->{errfile} = $self->{tmpfile}; $self->{errfile} =~ s/tex$/err/; @@ -958,8 +965,6 @@ sub parse_template { if ( $self->{media} eq 'email' ) { - use LedgerSMB::Mailer; - my $mail = new Mailer; for (qw(cc bcc subject message version format charset)) { @@ -1017,8 +1022,8 @@ sub parse_template { } else { - $self->{OUT} = $temphash{out}; - $self->{printmode} = $temphash{printmode}; + $self->{OUT} = $temphash{out}; + $self->{printmode} = $temphash{printmode} if $temphash{printmode}; unless ( open( IN, '<', $self->{tmpfile} ) ) { $err = $!; @@ -1040,6 +1045,7 @@ sub parse_template { $self->cleanup; $self->error("$self->{OUT} : $err"); } + chmod( 0600, "$self->{OUT}" ); } else { 
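Review bot: Taking the string `eval` out of the live path is right, but the commented-out replacement still builds the eval string from `$self->{$args[0]}` and `$args[2]`, so whitelisting only the operator would not make it safe to re-enable — the operands are still interpolated as Perl code. If the conditional syntax is wanted back, dispatch on the operator through a table of comparison subs, e.g. `my %cmp = ( '==' => sub { $_[0] == $_[1] }, 'eq' => sub { $_[0] eq $_[1] } );` and `$ok = $cmp{ $args[1] } ? $cmp{ $args[1] }->( $self->{ $args[0] }, $args[2] ) : $self->error('Unknown/forbidden operator');`, so no template text is ever evaluated. That is worth saying in the comment so the next reader does not simply uncomment the block.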
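Review bot: In the @@ -898 hunk, `$self->{tmpfile} =~ s/$self->{tmpdir}\///g;` interpolates the directory as a regex, so any `.` or `+` in the configured tempdir matches as a metacharacter; quote it with `$self->{tmpfile} =~ s{\Q$self->{tmpdir}\E/}{}g;`. The removed lines handled a relative userspath by prefixing `cwd()`, whereas the new code assumes tempdir is absolute, which the `chdir` followed by the stripped file name now depends on; a short comment stating that assumption next to the `$self->{tmpdir}` assignment would help. The extended `chdir : $self->{tmpdir} : $err` message is a useful addition.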
@@ -1339,8 +1345,6 @@ sub add_date { my ( $self, $myconfig, $date, $repeat, $unit ) = @_; - use Time::Local; - my $diff = 0; my $spc = $myconfig->{dateformat}; $spc =~ s/\w//g; @@ -1435,6 +1439,16 @@ qq|