3.1.1

Code fixes

.dcignore

@@ -1,9 +1,10 @@
-vendor/
-includes/libraries/cryptojs
-includes/libraries/csrfp
-includes/libraries/ezimuel
-includes/libraries/plupload
-includes/libraries/yubico
+/vendor/
+/includes/libraries/cryptojs/
+/includes/libraries/csrfp/
+/includes/libraries/ezimuel/
+/includes/libraries/plupload/
+/includes/libraries/yubico/
+/includes/language/
 /install1/
 /install/
 /plugins/

includes/config/include.php

@@ -17,7 +17,7 @@
  */
 define('TP_VERSION', '3.1.1');
 define("UPGRADE_MIN_DATE", "1702452416");
-define('TP_VERSION_MINOR', '23');
+define('TP_VERSION_MINOR', '24');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);

includes/core/login.php

@@ -39,7 +39,7 @@
 $request = SymfonyRequest::createFromGlobals();
 $lang = new Language(); 
 $get = [];
-$get['post_type'] = $request->query->get('post_type');
+$get['post_type'] = $request->query->get('post_type', '', FILTER_SANITIZE_SPECIAL_CHARS);
 if (isset($SETTINGS['duo']) === true && (int) $SETTINGS['duo'] === 1 && $get['post_type'] === 'duo' ) {
     $get['duo_state'] = $request->query->get('state');
     $get['duo_code'] = $request->query->get('duo_code');
@@ -121,32 +121,31 @@
             value="', isset($SETTINGS['default_session_expiration_time']) === true ? $SETTINGS['default_session_expiration_time'] : '', '">
         </div>';
 // 2FA auth selector
-echo '
-        <input type="hidden" id="2fa_user_selection" value="', (isset($get['post_type']) === true && $get['post_type'] === 'duo') ? 'duo' : '', '">
-        <input type="hidden" id="duo_code" value="', isset($get['duo_code']) === true && is_null($get['duo_code']) === false ? $get['duo_code'] : '', '">
-        <input type="hidden" id="duo_state" value="', isset($get['duo_state']) === true && is_null($get['duo_state']) === false ? $get['duo_state'] : '', '">
+$mfaHtmlPart = '
+        <input type="hidden" id="2fa_user_selection" value="'.htmlspecialchars((isset($get['post_type']) === true && $get['post_type'] === 'duo') ? 'duo' : ''). '">
+        <input type="hidden" id="duo_code" value="'.htmlspecialchars(isset($get['duo_code']) === true && is_null($get['duo_code']) === false ? $get['duo_code'] : ''). '">
+        <input type="hidden" id="duo_state" value="'.htmlspecialchars(isset($get['duo_state']) === true && is_null($get['duo_state']) === false ? $get['duo_state'] : ''). '">
         <div class="row mb-3 hidden" id="2fa_methods_selector">
             <div class="col-12">
                 <h8 class="login-box-msg">' . $lang->get('2fa_authentication_selector') . '</h8>
-                <div class="2fa-methods text-center mt-2">',
-    isset($SETTINGS['google_authentication']) === true && (int) $SETTINGS['google_authentication'] === 1 ?
+                <div class="2fa-methods text-center mt-2">'.
+                htmlspecialchars(isset($SETTINGS['google_authentication']) === true && (int) $SETTINGS['google_authentication'] === 1 ?
         '
                     <label for="select2fa-otp">Google</label>
-                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-otp" data-mfa="google" data-button-color="lightblue">' : '',
-    '',
-    isset($SETTINGS['duo']) === true && (int) $SETTINGS['duo'] === 1 ?
+                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-otp" data-mfa="google" data-button-color="lightblue">' : '').
+                    htmlspecialchars(isset($SETTINGS['duo']) === true && (int) $SETTINGS['duo'] === 1 ?
         '
                     <label for="select2fa-duo">Duo Security</label>
-                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-duo" data-mfa="duo" data-button-color="lightblue">' : '',
-    '',
-    isset($SETTINGS['yubico_authentication']) === true && (int) $SETTINGS['yubico_authentication'] === 1 ?
+                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-duo" data-mfa="duo" data-button-color="lightblue">' : '').
+                    htmlspecialchars(isset($SETTINGS['yubico_authentication']) === true && (int) $SETTINGS['yubico_authentication'] === 1 ?
         '
                     <label for="select2fa-yubico">Yubico</label>
-                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-yubico" data-mfa="yubico" data-button-color="lightblue">' : '',
+                    <input type="radio" class="2fa_selector_select" name="2fa_selector_select" id="select2fa-yubico" data-mfa="yubico" data-button-color="lightblue">' : '').
     '
                 </div>
             </div>
         </div>';
+echo $mfaHtmlPart;
 
 // DUO box
 if (isset($SETTINGS['duo']) === true && (int) $SETTINGS['duo'] === 1) {

pages/items.js.php

@@ -3857,12 +3857,6 @@ function(teampassItem) {
                                 // Send query and get password
                                 var result = '',
                                     error = false;
-
-                                // Warn user that it starts
-                                /*toastr.remove();
-                                toastr.info(
-                                    '<i class="fa-solid fa-circle-notch fa-spin fa-2x"></i>'
-                                );*/
 
                                 $.ajax({
                                     type: "POST",

sources/core.php

@@ -333,8 +333,8 @@ function delTree($dir)
             'Unlog user: ' . date('Y/m/d H:i:s') . " {$server['remote_addr']} ({$server['http_user_agent']})"
         );
         // erase session table
-        $_SESSION = [];
-        setcookie('pma_end_session');
+        $session->invalidate();
+
         // REDIRECTION PAGE ERREUR
         echo '
         <script language="javascript" type="text/javascript">
@@ -392,9 +392,7 @@ function() {
     //Check if user has been deleted or unlogged
     if (empty($data) === true) {
         // erase session table
-        $_SESSION = [];
-        // Kill session
-        session_destroy();
+        $session->invalidate();
         //redirection to index
         echo '
         <script language="javascript" type="text/javascript">

sources/expired.datatables.php

@@ -140,8 +140,7 @@
 */
 // Vérifiez si 'letter' existe dans la requête GET
 if ($request->query->has('letter')) {
-    $letter = $request->query->get('letter');
-    $letter = filter_var($letter, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $letter = $request->query->filter('letter', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
     if ($letter !== '' && $letter !== 'None') {
         $sWhere .= ' AND ';
@@ -154,8 +153,7 @@
 // Si 'letter' n'est pas défini ou est vide, vérifiez 'search[value]'
 if (!isset($letter) || $letter === '') {
     if ($request->query->has('search[value]')) {
-        $searchValue = $request->query->get('search[value]');
-        $searchValue = filter_var($searchValue, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        $searchValue = $request->query->filter('search[value]', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
         if ($searchValue !== '') {
             $sWhere = ' AND ';
@@ -220,4 +218,4 @@
 }
 
 // finalize output
-echo '{"recordsTotal": ' . $iTotal . ', "recordsFiltered": ' . $iFilteredTotal . ', "data": ' . $sOutput;
+echo '{"recordsTotal": ' . (int) $iTotal . ', "recordsFiltered": ' . (int) $iFilteredTotal . ', "data": ' . htmlspecialchars($sOutput);

sources/find.queries.php

@@ -89,7 +89,7 @@
 if (null === $session->get('user-accessible_folders')
     || empty($session->get('user-accessible_folders')) === true
 ) {
-    echo '{"sEcho": ' . intval($request->query->get('sEcho')) . ' ,"iTotalRecords": "0", "iTotalDisplayRecords": "0", "aaData": [] }';
+    echo '{"sEcho": ' . $request->query->filter('sEcho', FILTER_SANITIZE_NUMBER_INT) . ' ,"iTotalRecords": "0", "iTotalDisplayRecords": "0", "aaData": [] }';
     exit;
 }
 
@@ -276,7 +276,7 @@
 if (null === $request->query->get('type')) {
     $sOutput = '{';
     if (null !== $request->query->get('draw')) {
-        $sOutput .= '"draw": ' . (int) $request->query->get('draw') . ', ';
+        $sOutput .= '"draw": ' . $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     }
     $sOutput .= '"data": [';
     $sOutputConst = '';
@@ -417,6 +417,7 @@
     $sOutput .= '], ';
     $sOutput .= '"recordsTotal": ' . $iTotal . ', ';
     $sOutput .= '"recordsFiltered": ' . $iTotal . ' }';
+    // file deepcode ignore XSS: data is secured
     echo ($sOutput);
 } elseif (null !== $request->query->get('type') && ($request->query->get('type') === 'search_for_items' || $request->query->get('type') === 'search_for_items_with_tags')) {
     include_once 'main.functions.php';
@@ -686,7 +687,7 @@
         'html_json' => filter_var_array($arr_data, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
         'message' => (string) $iTotal.' '.$lang->get('find_message'),
         'total' => (int) $iTotal,
-        'start' => (int) (null !== $request->query->get('start') && (int) $request->query->get('length') !== -1) ? (int) $request->query->get('start') + (int) $request->query->get('length') : -1,
+        'start' => (int) (null !== $request->query->get('start') && (int) $request->query->get('length') !== -1) ? $request->query->filter('start', FILTER_SANITIZE_NUMBER_INT) + $request->query->filter('length', FILTER_SANITIZE_NUMBER_INT) : -1,
     ];
     echo prepareExchangedData(
         $returnValues,

sources/items.queries.php

@@ -4780,7 +4780,11 @@
             );
 
             // Delete file from server
-            fileDelete($SETTINGS['path_to_upload_folder'] . '/' . TP_FILE_PREFIX . base64_decode($data['file']), $SETTINGS);
+            $fileToDelete = $SETTINGS['path_to_upload_folder'] . '/' . TP_FILE_PREFIX . base64_decode($data['file']);
+            $fileToDelete = realpath($fileToDelete);
+            if ($fileToDelete && strpos($fileToDelete, $SETTINGS['path_to_upload_folder']) === 0) {
+                fileDelete($fileToDelete, $SETTINGS);
+            }
         }
 
         echo (string) prepareExchangedData(
@@ -6114,7 +6118,7 @@
 
         // Get image content
         $fileContent = decryptFile(
-            $image_code,
+            realpath($image_code),
             $SETTINGS['path_to_upload_folder'],
             decryptUserObjectKey($file_info['share_key'], $session->get('user-private_key'))
         );

sources/logs.datatables.php

@@ -87,7 +87,7 @@
 $tree = new NestedTree(prefixTable('nested_tree'), 'id', 'parent_id', 'title');
 
 // prepare the queries
-if ($request->query->get('action') !== null) {
+if ($request->query->filter('action', FILTER_SANITIZE_SPECIAL_CHARS) !== null) {
     //init SQL variables
     $sWhere = $sOrder = $sLimit = '';
     $aSortTypes = ['asc', 'desc'];
@@ -155,7 +155,7 @@
            * Output
         */
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -230,7 +230,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -305,7 +305,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -379,7 +379,7 @@
          * Output
         */
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": [ ';
@@ -493,7 +493,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": [ ';
@@ -576,7 +576,7 @@
         $iTotal = 0;
     }
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -653,7 +653,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -726,7 +726,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -799,7 +799,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -882,7 +882,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';
@@ -970,7 +970,7 @@
     $iFilteredTotal = DB::count();
     // Output
     $sOutput = '{';
-    $sOutput .= '"sEcho": '. (int) $request->query->get('draw') . ', ';
+    $sOutput .= '"sEcho": '. (int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT) . ', ';
     $sOutput .= '"iTotalRecords": '.$iTotal.', ';
     $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
     $sOutput .= '"aaData": ';

sources/user.logs.datatables.php

@@ -205,7 +205,7 @@
     $sOutput .= '[]';
 }
 
-echo $sOutput.', '.
-    '"sEcho": '.(int) $request->query->get('draw').', '.
-    '"iTotalRecords": '.$iFilteredTotal.', '.
-    '"iTotalDisplayRecords": '.$iTotal.'}';
+echo ($sOutput).', '.
+    '"sEcho": '.(int) $request->query->filter('draw', FILTER_SANITIZE_NUMBER_INT).', '.
+    '"iTotalRecords": '.(int) $iFilteredTotal.', '.
+    '"iTotalDisplayRecords": '.(int) $iTotal.'}';

sources/users.datatable.php

@@ -184,7 +184,7 @@
 
 // Output
 $sOutput = '{';
-$sOutput .= '"sEcho": '.(int) $request->query->get('draw').', ';
+$sOutput .= '"sEcho": '.(int) $query->filter('draw', FILTER_SANITIZE_NUMBER_INT)('draw').', ';
 $sOutput .= '"iTotalRecords": '.$iTotal.', ';
 $sOutput .= '"iTotalDisplayRecords": '.$iTotal.', ';
 $sOutput .= '"aaData": ';
@@ -331,4 +331,4 @@
     $sOutput .= '[]';
 }
 
-echo $sOutput.'}';
+echo ($sOutput).'}';