Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

CHANGELOG

@@ -294,6 +294,7 @@
 - minor improvements in restapi
 - update layout of tab for attachments
 - remove session when calling logout of restapi
+- fix some potential security issues
 
 --------------------------------------------------------------------------------
                      Changes in version 5.1.32

inc/inc.ClassControllerCommon.php

@@ -73,7 +73,13 @@ class SeedDMS_Controller_Common {
 		if(!$this->callHook('preRun', get_class($this), $action ? $action : 'run')) {
 			if($action) {
 				if(method_exists($this, $action)) {
-					return $this->{$action}();
+					$refl = new ReflectionMethod($this, $action);
+					if($refl->isPublic())
+						return $this->{$action}();
+					else {
+						echo "Action '".$action."' not public";
+						return false;
+					}
 				} else {
 					echo "Missing action '".$action."'";
 					return false;

inc/inc.ClassViewCommon.php

@@ -69,7 +69,13 @@ class SeedDMS_View_Common {
 		if(!$this->callHook('preRun', get_class($this), $action ? $action : 'show')) {
 			if($action) {
 				if(method_exists($this, $action)) {
-					$this->{$action}();
+					$refl = new ReflectionMethod($this, $action);
+					if($refl->isPublic())
+						$this->{$action}();
+					else {
+						echo "Action '".$action."' not public";
+						return false;
+					}
 				} else {
 					echo "Missing action '".htmlspecialchars($action)."'";
 				}

inc/inc.Utils.php

@@ -975,7 +975,7 @@ function seed_pass_hash($password) { /* {{{ */
  * @return string hashed password
  */
 function seed_pass_verify($password, $hash) { /* {{{ */
-	return $hash == md5($password);
+	return $hash === md5($password);
 } /* }}} */
 
 function resolveTask($task) { /* {{{ */

op/op.Login.php

@@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
 
 add_log_line();
 
+$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
 $controller->setParam('login', $login);
 $controller->setParam('pwd', $pwd);
 $controller->setParam('source', 'web');
@@ -98,6 +99,12 @@ if(!$controller()) {
 }
 
 $user = $controller->getUser();
+if(!$user) {
+	$session = null;
+	add_log_line("login failed", PEAR_LOG_ERR);
+	_printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
+	exit;
+}
 
 if (isset($referuri) && strlen($referuri)>0) {
 	header("Location: " . getBaseUrl() . $referuri);

package.json

@@ -26,7 +26,7 @@
     "grunt-contrib-clean": "^2.0.0",
     "grunt-contrib-copy": "^1.0.0",
     "jqtree": "^1.5.1",
-    "jquery": "^1.12.4",
+    "jquery": "^3.7.1",
     "jquery-typeahead": "^2.11.1",
     "jquery-validation": "^1.19.2",
     "moment": "^2.29.1",
@@ -35,7 +35,7 @@
     "perfect-scrollbar": "^1.5.0",
     "popper.js": "^1.16.1",
     "select2": "^4.0.13",
-    "spectrum-colorpicker2": "^2.0.8",
+    "spectrum-colorpicker2": "^2.0.10",
     "vis-timeline": "^7.4.7"
   }
 }

webdav/webdav.php

@@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 
 		$controller = Controller::factory('Login', array('dms'=>$this->dms));
 		$controller->setParam('authenticator', $this->authenticator);
+		$controller->setParam('action', 'run');
 		$controller->setParam('login', $user);
 		$controller->setParam('pwd', $pass);
 		$controller->setParam('lang', $this->settings->_language);
@@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 			$this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);
 
 		$this->user = $controller->getUser();
+		if(!$this->user) {
+			if($this->logger) {
+				$this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
+				$this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
+			}
+			return false;
+		}
 
 		return true;
 	} /* }}} */