From a7532db483aa9c63cdc19018004c33b05dd39a67 Mon Sep 17 00:00:00 2001
From: Chl
Date: Wed, 13 Mar 2024 01:05:50 +0100
Subject: [PATCH] Execute the hook only for customer invoices

With the introduction of supplier invoice templates in Dolibarr 16, with the same hook but different table, this module tried to load the customer invoice having the same id than the supplier invoice template being treated. This could result in severe information disclosure.

Fixes gh-10
---
 ChangeLog.md | 10 ++++++++++
 class/actions_sendrecurringinvoicebymail.class.php | 8 ++++++++
 core/modules/modsendrecurringinvoicebymail.class.php | 2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index be22db7..8834495 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,15 @@
 # CHANGELOG SENDRECURRINGINVOICEBYMAIL FOR [DOLIBARR ERP CRM](https://www.dolibarr.org)
+## 0.3.4
+
+Fix: the hook was also triggered by supplier invoices.
+Thanks to jpardenoy for the report and the fix.
+
+
+## 0.3.3
+
+Fix: adds CSRF protection.
+
 ## 0.3.2
diff --git a/class/actions_sendrecurringinvoicebymail.class.php b/class/actions_sendrecurringinvoicebymail.class.php
index 0209d6b..fcae1d4 100644
--- a/class/actions_sendrecurringinvoicebymail.class.php
+++ b/class/actions_sendrecurringinvoicebymail.class.php
@@ -84,6 +84,14 @@ class Actionssendrecurringinvoicebymail
 $error = 0; // Error counter
 $facturerec = $parameters['facturerec'];
+ // Since Dolibarr 16, this hook is also used for the FactureFournisseurRec class.
+ if (! $facturerec instanceof FactureRec) {
+ return 0;
+ }
+
+ // Load our own object, linked to this facture
+ // (if it doesn't exist in database, fetch(,,true) will fill the object
+ // from the global mail template)
 $mailObject = new SRIBMCustomMailInfo($this->db);
 if ($mailObject->fetch(null, $facturerec->id, true) != 1) {
 dol_syslog("Error loading SRIBMCustomMailInfo for facture rec " . (isset($facturerec->id) ? $facturerec->id : "(facturerec->id not set ??)"));
diff --git a/core/modules/modsendrecurringinvoicebymail.class.php b/core/modules/modsendrecurringinvoicebymail.class.php
index f2a029d..b3517b4 100644
--- a/core/modules/modsendrecurringinvoicebymail.class.php
+++ b/core/modules/modsendrecurringinvoicebymail.class.php
@@ -69,7 +69,7 @@ class modsendrecurringinvoicebymail extends DolibarrModules
 $this->editor_url = 'https://code.bugness.org/Dolibarr/sendrecurringinvoicebymail';
 // Possible values for version are: 'development', 'experimental', 'dolibarr', 'dolibarr_deprecated' or a version string like 'x.y.z'
- $this->version = '0.3.3';
+ $this->version = '0.3.4';
 //Url to the file with your last numberversion of this module
 //$this->url_last_version = 'http://www.example.com/versionmodule.txt';
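Review bot: The new `instanceof` guard at the top of the hunk carries its security rationale only implicitly; the comment names FactureFournisseurRec but not why a non-FactureRec object must stop the hook, so a later cleanup could drop it as redundant. I would extend the comment to: `// Since Dolibarr 16 this hook also fires for FactureFournisseurRec, whose ids live in a different table; fetching our mail info by id for anything but a FactureRec would load another customer's invoice template data.` The expression `! $facturerec instanceof FactureRec` is correct because instanceof binds tighter than `!`, but `!($facturerec instanceof FactureRec)` reads unambiguously and spares a reader from second-guessing the precedence. The enclosing method's signature and the rest of its body lie outside the hunk.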