From 0e6f14dbaf6563713b7c7090e8f89bd21cfe6aa5 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 21 Mar 2025 13:19:26 +0100 Subject: [PATCH 01/12] add odt2txt for converting libreoffice documents to txt --- doc/README.Converters | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/README.Converters b/doc/README.Converters index 8f83c1307..32a73f72f 100644 --- a/doc/README.Converters +++ b/doc/README.Converters @@ -49,6 +49,9 @@ application/vnd.openxmlformats-officedocument.wordprocessingml.document application/msword catdoc %s +application/vnd.oasis.opendocument.text + odt2txt %s + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx2csv -d tab %s From a4899a52ade9b19e235015e003da76c3b77bc9e7 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 21 Mar 2025 13:20:04 +0100 Subject: [PATCH 02/12] $settings must be passed into route function --- index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.php b/index.php index 7d53674b1..9c0106cbe 100644 --- a/index.php +++ b/index.php @@ -81,7 +81,7 @@ if(true) { } /* Catch all route */ - $app->get('/{path:.*}', function($request, $response) { + $app->get('/{path:.*}', function($request, $response) use ($settings) { return $response ->withHeader('Location', $settings->_httpRoot.'out/out.ViewFolder.php') ->withStatus(302); From 54c3ec54fcca8151693114ff654e4ed246c2f4dc Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 21 Mar 2025 13:20:52 +0100 Subject: [PATCH 03/12] seperate seeddms info from extension list, output storage driver --- views/bootstrap/class.Info.php | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/views/bootstrap/class.Info.php b/views/bootstrap/class.Info.php index 119f85f10..88c118c5f 100644 --- a/views/bootstrap/class.Info.php +++ b/views/bootstrap/class.Info.php 
@@ -13,11 +13,6 @@ * @version Release: @package_version@ */ -/** - * Include parent class - */ -//require_once("class.Bootstrap.php"); - /** * Class which outputs the html page for Info view * @@ -60,17 +55,30 @@ class SeedDMS_View_Info extends SeedDMS_Theme_Style { $this->rowStart(); $this->columnStart(6); $this->contentHeading(getMLText("seeddms_info")); - $seedextensions = $extmgr->getExtensionConfiguration(); echo "\n"; echo "\n\n"; - echo ""; - echo "\n"; + echo "\n"; echo "\n\n\n"; $dbversion = $dms->getDBVersion(); - echo "\n"; + echo "\n"; if($user->isAdmin()) { - echo "\n"; + $storage = $dms->getStorage(); + echo "\n"; + echo "\n"; + } + echo "\n
".getMLText("name"); - echo "".getMLText("name")."
".getMLText('seeddms_version')."".$version->version()."
".getMLText('seeddms_version')."".$version->version()."
".getMLText('database_schema_version')."".$dbversion['major'].".".$dbversion['minor'].".".$dbversion['subminor']."
".getMLText('database_schema_version')."".$dbversion['major'].".".$dbversion['minor'].".".$dbversion['subminor']."
".getMLText('storage')."".($storage ? $storage->info() : "legacy")."
\n"; + + if($user->isAdmin()) { + $this->contentHeading(getMLText("extension_info")); + echo "\n"; + echo "\n\n"; + echo ""; + echo ""; + echo "\n"; + echo "\n"; + echo "\n\n\n"; + $seedextensions = $extmgr->getExtensionConfiguration(); foreach($seedextensions as $extname=>$extconf) { echo ""; echo "\n"; } + echo "\n
".getMLText("name"); + echo "".getMLText("version")."
"; if(!$settings->extensionIsDisabled($extname)) @@ -85,8 +93,8 @@ class SeedDMS_View_Info extends SeedDMS_Theme_Style { echo "".$extname."
".$extconf['title']."
".$extconf['version']."
\n"; } - echo "\n\n"; $this->columnEnd(); $this->columnStart(6); if($user->isAdmin()) { From 37fd1ac969bbda46ca2aab530ced9fd1b8a39d7a Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 21 Mar 2025 13:23:07 +0100 Subject: [PATCH 04/12] replace functions directly accessing file system if documents or attachments are involved --- views/bootstrap/class.ViewDocument.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/views/bootstrap/class.ViewDocument.php b/views/bootstrap/class.ViewDocument.php index 698923c57..e40237207 100644 --- a/views/bootstrap/class.ViewDocument.php +++ b/views/bootstrap/class.ViewDocument.php @@ -308,7 +308,7 @@ $(document).ready( function() { foreach($files as $file) { - $file_exists=file_exists($dms->contentDir . $file->getPath()); + $file_exists = $file->exists();//file_exists($dms->contentDir . $file->getPath()); $responsibleUser = $file->getUser(); @@ -344,7 +344,7 @@ $(document).ready( function() { print "
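Review bot: The new storage row echoes `$storage->info()` straight into the table without `htmlspecialchars()`, and the extension table added in the same hunk does the same with `$extname`, `$extconf['title']` and `$extconf['version']`; since later commits in this series fix XSS from unescaped names, this admin-only view should escape as well, e.g. `htmlspecialchars($storage ? $storage->info() : "legacy")`. What `info()` returns is not visible here — if it is a configured path or DSN it is at least configuration data rendered as markup. The HTML tags of this hunk were stripped in this rendering, so the exact echo lines cannot be quoted; the enclosing method starts before the hunk and ends after it.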
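Review bot: The replaced call is left behind as a trailing comment on the new line, `$file_exists = $file->exists();//file_exists($dms->contentDir . $file->getPath());`, and the `-703` hunk of the same patch does the same for `$latestContent`; drop the commented-out code, the history is in git. With the file-system access now behind `exists()`/`size()`, a storage driver answering from a remote backend makes two round-trips per attachment where one `stat` was used before — worth a look if `exists()` is not cached, though that is not visible here. The enclosing method starts before the hunk and ends after it.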
  • ".htmlspecialchars($file->getOriginalFileName())."
  • \n"; if ($file_exists) { $realmimetype = $file->getRealMimeType(); - print "
  • ".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."
  • "; + print "
  • ".SeedDMS_Core_File::format_filesize($file->size()) ." bytes, ".htmlspecialchars($file->getMimeType())."
  • "; } else print "
  • ".htmlspecialchars($file->getMimeType())." - ".getMLText("document_deleted")."
  • "; print "
  • ".getMLText("uploaded_by")." getEmail())."\">".htmlspecialchars($responsibleUser->getFullName())."
  • "; @@ -703,7 +703,7 @@ $(document).ready( function() { $previewwidthdetail = $this->params['previewWidthDetail']; // verify if file exists - $file_exists=file_exists($dms->contentDir . $latestContent->getPath()); + $file_exists = $latestContent->exists(); //file_exists($dms->contentDir . $latestContent->getPath()); $status = $latestContent->getStatus(); @@ -1717,4 +1717,3 @@ $(document).ready( function() { $this->htmlEndPage(); } /* }}} */ } -?> From f3fa653eee5f17191a20bb92dedccb2960d0f364 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 21 Mar 2025 13:25:13 +0100 Subject: [PATCH 05/12] replace file_exists() with exists() function of object --- views/bootstrap/class.Bootstrap.php | 2 +- views/bootstrap4/class.Bootstrap4.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php index 91ab0bc20..8ac2e2922 100644 --- a/views/bootstrap/class.Bootstrap.php +++ b/views/bootstrap/class.Bootstrap.php @@ -3278,7 +3278,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev) $extracontent = array_merge($extracontent, $ec); $content .= ""; - if (file_exists($dms->contentDir . $latestContent->getPath())) { + if ($latestContent->exists()) { $previewhtml = $this->callHook('documentListPreview', $previewer, $document, $latestContent); if(is_string($previewhtml)) $content .= $previewhtml; diff --git a/views/bootstrap4/class.Bootstrap4.php b/views/bootstrap4/class.Bootstrap4.php index 5ffa75298..fc8f61bf4 100644 --- a/views/bootstrap4/class.Bootstrap4.php +++ b/views/bootstrap4/class.Bootstrap4.php 
@@ -3327,7 +3327,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 $extracontent = array_merge($extracontent, $ec);
 $content .= "";
- if (file_exists($dms->contentDir . $latestContent->getPath())) {
+ if ($latestContent->exists()) {
 $previewhtml = $this->callHook('documentListPreview', $previewer, $document, $latestContent);
 if(is_string($previewhtml)) $content .= $previewhtml;
From 5ce55216ad24f6f7ae58ab04515a983eea5d8c02 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 24 Mar 2025 15:55:57 +0100
Subject: [PATCH 06/12] add changes for 5.1.40
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG b/CHANGELOG
index 4ac10f57c..87cd0e523 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@
 Changes in version 5.1.40
 --------------------------------------------------------------------------------
 - fix saving user data when language selection is turned of (Closes: #568)
+- add much better support for new storage drivers
 --------------------------------------------------------------------------------
 Changes in version 5.1.39
From edb91d329975cbd66842b010a0e3d72499432ffe Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 25 Mar 2025 18:09:41 +0100
Subject: [PATCH 07/12] fix possible xss attack
---
 views/bootstrap/class.Clipboard.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/views/bootstrap/class.Clipboard.php b/views/bootstrap/class.Clipboard.php
index cce60ab47..7899bb055 100644
--- a/views/bootstrap/class.Clipboard.php
+++ b/views/bootstrap/class.Clipboard.php
@@ -52,12 +52,12 @@ class SeedDMS_View_Clipboard extends SeedDMS_Theme_Style {
 $subitems = [];
 foreach($clipboard['folders'] as $folderid) {
 if($folder = $this->params['dms']->getFolder($folderid)) {
- $subitems[] = array('label'=>' '.$folder->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewFolder.php?folderid=".$folder->getID(), 'class'=>"table-row-folder droptarget", 'attributes'=>array(array('data-droptarget', "folder_".$folder->getID()), array('rel', "folder_".$folder->getID()), array('data-name', htmlspecialchars($folder->getName(), ENT_QUOTES))));
+ $subitems[] = array('label'=>' '.htmlspecialchars($folder->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewFolder.php?folderid=".$folder->getID(), 'class'=>"table-row-folder droptarget", 'attributes'=>array(array('data-droptarget', "folder_".$folder->getID()), array('rel', "folder_".$folder->getID()), array('data-name', htmlspecialchars($folder->getName(), ENT_QUOTES))));
 }
 }
 foreach($clipboard['docs'] as $docid) {
 if($document = $this->params['dms']->getDocument($docid))
- $subitems[] = array('label'=>' '.$document->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID(), 'class'=>"table-row-document droptarget", 'attributes'=>array(array('data-droptarget', "document_".$document->getID()), array('rel', "document_".$document->getID()), array('formtoken', createFormKey('')), array('data-name', htmlspecialchars($document->getName(), ENT_QUOTES))));
+ $subitems[] = array('label'=>' '.htmlspecialchars($document->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID(), 'class'=>"table-row-document droptarget", 'attributes'=>array(array('data-droptarget', "document_".$document->getID()), array('rel', "document_".$document->getID()), array('formtoken', createFormKey('')), array('data-name', htmlspecialchars($document->getName(), ENT_QUOTES))));
 }
if((count($clipboard['docs']) + count($clipboard['folders'])) > 0) { $subitems[] = array('divider'=>true); From 7529c68c80b7b49aea6f7e5eb6bf44ef6969ce17 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 26 Mar 2025 07:54:33 +0100 Subject: [PATCH 08/12] include all conf.php files and var_export() them instead of concating them --- inc/inc.ClassExtensionMgr.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/inc/inc.ClassExtensionMgr.php b/inc/inc.ClassExtensionMgr.php index 3b1033364..519014339 100644 --- a/inc/inc.ClassExtensionMgr.php +++ b/inc/inc.ClassExtensionMgr.php @@ -206,13 +206,19 @@ class SeedDMS_Extension_Mgr { $fp = @fopen(self::getExtensionsConfFile(), "w"); if($fp) { if($extensions) { + $EXT_CONF = []; foreach($extensions as $_ext) { if(file_exists($this->extdir . "/" . $_ext . "/conf.php")) { - $content = file_get_contents($this->extdir . "/" . $_ext . "/conf.php"); - fwrite($fp, $content); + include $this->extdir . "/" . $_ext . "/conf.php"; +// $content = file_get_contents($this->extdir . "/" . $_ext . "/conf.php"); +// fwrite($fp, $content); } } } +// fclose($fp); +// $fp = @fopen(self::getExtensionsConfFile(), "w"); + fwrite($fp, ' Date: Wed, 26 Mar 2025 07:55:50 +0100 Subject: [PATCH 09/12] add changes for 5.1.40 --- CHANGELOG | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 87cd0e523..ac498445b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,8 @@ -------------------------------------------------------------------------------- - fix saving user data when language selection is turned of (Closes: #568) - add much better support for new storage drivers +- fix possible xss attack +- saver way to collect plugin configuration -------------------------------------------------------------------------------- Changes in version 5.1.39 From 5a4042383634da834f167c066f0ae2c6b312fa30 Mon Sep 17 00:00:00 2001 
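Review bot: The new `htmlspecialchars($folder->getName())` uses the default flags while the `data-name` attribute on the same line escapes with `ENT_QUOTES`; on PHP before 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped, so use `htmlspecialchars($folder->getName(), ENT_QUOTES)` (and the same for `$document`) to make both consistent. The leading `' '` in the label suggests markup precedes the name in the real source (stripped in this rendering), which means the menu builder emits `label` as raw HTML — every other place that builds a `label` from a user-controlled name needs the same treatment, which argues for escaping inside the builder or marking labels as pre-escaped instead of fixing callers one by one. The enclosing method starts outside the hunk.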
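Review bot: The new `include $this->extdir . "/" . $_ext . "/conf.php"` runs each extension's conf.php inside this method's scope, so a conf.php can read or overwrite `$extensions`, `$_ext`, `$fp` and the accumulated `$EXT_CONF` — a stray `$extensions = ...` in one extension silently changes which later extensions are included, a coupling the previous file_get_contents() concatenation did not have. Evaluate each file in a static closure that returns its own `$EXT_CONF` and merge the results (this assumes conf.php keys `$EXT_CONF` by extension name; use `+` rather than `array_merge` if integer keys are possible). Note that include still executes arbitrary PHP from the extension directory, as the concatenated file did, so write access to `$this->extdir` remains equivalent to code execution. The tail of this hunk, including the fwrite() of the var_export() output, is not legible in this rendering, and the enclosing method starts outside it.
```php
$EXT_CONF = [];
foreach($extensions as $_ext) {
	$conffile = $this->extdir . "/" . $_ext . "/conf.php";
	if(file_exists($conffile)) {
		// Evaluate conf.php in an isolated scope: it sees only $file and its own $EXT_CONF.
		$EXT_CONF = array_merge($EXT_CONF, (static function(string $file): array {
			$EXT_CONF = [];
			include $file;
			return is_array($EXT_CONF) ? $EXT_CONF : [];
		})($conffile));
	}
}
// … unchanged: fwrite() of the var_export()ed $EXT_CONF and fclose() …
```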
From: Uwe Steinmann Date: Wed, 26 Mar 2025 08:39:30 +0100 Subject: [PATCH 10/12] set id of some select fields for extension config --- views/bootstrap/class.Settings.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/views/bootstrap/class.Settings.php b/views/bootstrap/class.Settings.php index 7eec265b0..1a8d15b6c 100644 --- a/views/bootstrap/class.Settings.php +++ b/views/bootstrap/class.Settings.php @@ -688,7 +688,7 @@ if(($kkk = $this->callHook('getFullSearchEngine')) && is_array($kkk)) switch($conf['type']) { case 'checkbox': ?> - " value="">" value="1" _extensions[$extname][$confkey]) && $settings->_extensions[$extname][$confkey]) echo 'checked'; ?> /> + " value="">" value="1" _extensions[$extname][$confkey]) && $settings->_extensions[$extname][$confkey]) echo 'checked'; ?> /> callHook('getFullSearchEngine')) && is_array($kkk)) $order = empty($conf['order']) ? '' : $conf['order']; if(!empty($conf['options'])) { $selections = empty($settings->_extensions[$extname][$confkey]) ? array() : explode(",", $settings->_extensions[$extname][$confkey]); - echo ""; if(is_array($conf['options'])) { $options = $conf['options']; } elseif(is_string($conf['options']) && $conf['options'] == 'hook') { From d1dfc924b56c6d556c74bcd5e2b08828b30d508c Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 26 Mar 2025 08:39:58 +0100 Subject: [PATCH 11/12] fix possible xss attack when document name contains malicious code --- views/bootstrap/class.Tasks.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/views/bootstrap/class.Tasks.php b/views/bootstrap/class.Tasks.php index cfcb6c1be..dfb29f9fc 100644 --- a/views/bootstrap/class.Tasks.php +++ b/views/bootstrap/class.Tasks.php 
@@ -203,7 +203,7 @@ class SeedDMS_View_Tasks extends SeedDMS_Theme_Style {
 $subitems = [];
 foreach($tasks['review'] as $t) {
 $doc = $dms->getDocument($t['id']);
- $subitems[] = array('label'=>$doc->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=revapp", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
+ $subitems[] = array('label'=>htmlspecialchars($doc->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=revapp", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
 }
 $menuitems['tasks']['children']['review'] = array('label'=>getMLText('documents_to_review'), 'children'=>$subitems);
@@ -212,7 +212,7 @@ class SeedDMS_View_Tasks extends SeedDMS_Theme_Style {
 $subitems = [];
 foreach($tasks['approval'] as $t) {
 $doc = $dms->getDocument($t['id']);
- $subitems[] = array('label'=>$doc->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=revapp", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
+ $subitems[] = array('label'=>htmlspecialchars($doc->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=revapp", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
 }
 $menuitems['tasks']['children']['approval'] = array('label'=>getMLText('documents_to_approve'), 'children'=>$subitems);
 }
@@ -220,7 +220,7 @@ class SeedDMS_View_Tasks extends SeedDMS_Theme_Style {
 $subitems = [];
 foreach($tasks['workflow'] as $t) {
 $doc = $dms->getDocument($t['id']);
- $subitems[] = array('label'=>$doc->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=workflow", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
+ $subitems[] = array('label'=>htmlspecialchars($doc->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=workflow", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
 }
 $menuitems['tasks']['children']['workflow'] = array('label'=>getMLText('documents_to_trigger_workflow'), 'children'=>$subitems);
 }
@@ -228,7 +228,7 @@ class SeedDMS_View_Tasks extends SeedDMS_Theme_Style {
 $subitems = [];
 foreach($tasks['rejected'] as $t) {
 $doc = $dms->getDocument($t['id']);
- $subitems[] = array('label'=>$doc->getName(), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=docinfo", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
+ $subitems[] = array('label'=>htmlspecialchars($doc->getName()), 'link'=>$this->params['settings']->_httpRoot."out/out.ViewDocument.php?documentid=".$doc->getID()."¤ttab=docinfo", 'class'=>"table-row-document", 'rel'=>"document_".$doc->getID());
 }
 $menuitems['tasks']['children']['rejected'] = array('label'=>getMLText('documents_rejected'), 'children'=>$subitems);
 }
From 0ad6416d651defb1286e8f27a2b1e397c337a1a8 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 26 Mar 2025 09:30:33 +0100
Subject: [PATCH 12/12] fix typo
---
 CHANGELOG | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index ac498445b..fce17f2ea 100644
--- a/CHANGELOG
+++ b/CHANGELOG
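Review bot: `$doc->getName()` is called on the new line without checking that `$dms->getDocument($t['id'])` returned an object; the Clipboard view changed in this same series guards the identical call with `if($document = ...getDocument($docid))`, so a task that still references a deleted document will fail here. Add `if(!$doc) continue;` after the `getDocument()` line in each of the four loops. Pass `ENT_QUOTES` as well (`htmlspecialchars($doc->getName(), ENT_QUOTES)`), since on PHP before 8.1 the default flags leave single quotes unescaped, and the same label/link array is now built four times with only the tab name differing, which a small helper would tidy. The enclosing method starts before the first hunk and ends after the last.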
@@ -3,7 +3,7 @@
 --------------------------------------------------------------------------------
 - fix saving user data when language selection is turned of (Closes: #568)
 - add much better support for new storage drivers
-- fix possible xss attack
+- fix possible xss attacks
 - saver way to collect plugin configuration
 --------------------------------------------------------------------------------