Dolibarr/sendrecurringinvoicebymail
1
0
Fork 0
Code Issues Pull requests Releases 6 Activity Actions

Execute the hook only for customer invoices

Browse source 
With the introduction of supplier invoice templates in Dolibarr 16, with the
same hook but different table, this module tried to load the customer invoice
having the same id than the supplier invoice template being treated. This could
result in severe information disclosure.

Fixes gh-10
This commit is contained in:
Chl 2024-03-13 01:05:50 +01:00
parent d3bac76b2e
commit a7532db483
3 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
ChangeLog.md
View file

@ -1,5 +1,15 @@
# CHANGELOG SENDRECURRINGINVOICEBYMAIL FOR [DOLIBARR ERP CRM](https://www.dolibarr.org)
## 0.3.4
Fix: the hook was also triggered by supplier invoices.
Thanks to jpardenoy for the report and the fix.
## 0.3.3
Fix: adds CSRF protection.
## 0.3.2

8
class/actions_sendrecurringinvoicebymail.class.php
View file

@ -84,6 +84,14 @@ class Actionssendrecurringinvoicebymail
$error = 0; // Error counter
$facturerec = $parameters['facturerec'];
// Since Dolibarr 16, this hook is also used for the FactureFournisseurRec class.
if (! $facturerec instanceof FactureRec) {
return 0;
}
// Load our own object, linked to this facture
// (if it doesn't exist in database, fetch(,,true) will fill the object
// from the global mail template)
$mailObject = new SRIBMCustomMailInfo($this->db);
if ($mailObject->fetch(null, $facturerec->id, true) != 1) {
dol_syslog("Error loading SRIBMCustomMailInfo for facture rec " . (isset($facturerec->id) ? $facturerec->id : "(facturerec->id not set ??)"));

2
core/modules/modsendrecurringinvoicebymail.class.php
View file

@ -69,7 +69,7 @@ class modsendrecurringinvoicebymail extends DolibarrModules
$this->editor_url = 'https://code.bugness.org/Dolibarr/sendrecurringinvoicebymail';
// Possible values for version are: 'development', 'experimental', 'dolibarr', 'dolibarr_deprecated' or a version string like 'x.y.z'
$this->version = '0.3.3';
$this->version = '0.3.4';
//Url to the file with your last numberversion of this module
//$this->url_last_version = 'http://www.example.com/versionmodule.txt';