7.10.26

README.md

@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.10.25
+# SuiteCRM 7.10.26
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=7.10.x)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/7.10.x)

include/MySugar/retrieve_dash_page.php

@@ -205,6 +205,7 @@
 $sugar_smarty = new Sugar_Smarty();
 
 $activePage = isset($_REQUEST['page_id']) && $_REQUEST['page_id'] ? $_REQUEST['page_id'] : 0;
+$activePage = (int)$activePage;
 
 $divPages[] = $activePage;
 

index.php

@@ -5,7 +5,7 @@
  * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
  *
  * SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
- * Copyright (C) 2011 - 2018 SalesAgility Ltd.
+ * Copyright (C) 2011 - 2020 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the

modules/AOS_Contracts/controller.php

@@ -23,7 +23,7 @@
  *
  * @author SalesAgility Ltd <[email protected]>
  */
- 
+
 require_once('include/MVC/Controller/SugarController.php');
 
 class AOS_ContractsController extends SugarController
@@ -36,28 +36,28 @@ public function action_editview()
         $GLOBALS['view'] = $this->view;
 
         if (isset($_REQUEST['aos_quotes_id'])) {
-            $query = "SELECT * FROM aos_quotes WHERE id = '{$_REQUEST['aos_quotes_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM aos_quotes WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['aos_quotes_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->name = $row['name'];
             $this->bean->total_contract_value = $row['total_amount'];
-            
+
             if (isset($row['billing_account_id'])) {
                 $_REQUEST['account_id'] = $row['billing_account_id'];
             }
 
             if (isset($row['billing_contact_id'])) {
                 $_REQUEST['contact_id'] = $row['billing_contact_id'];
             }
-                
+
             if (isset($row['opportunity_id'])) {
                 $_REQUEST['opportunity_id'] = $row['opportunity_id'];
             }
         }
-            
+
         if (isset($_REQUEST['account_id'])) {
-            $query = "SELECT id,name FROM accounts WHERE id = '{$_REQUEST['account_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT id,name FROM accounts WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['account_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->contract_account = $row['name'];
             $this->bean->contract_account_id = $row['id'];
@@ -69,10 +69,10 @@ public function action_editview()
             $this->bean->contact = $contact->name;
             $this->bean->contact_id = $contact->id;
         }
-        
+
         if (isset($_REQUEST['opportunity_id'])) {
-            $query = "SELECT id,name FROM opportunities WHERE id = '{$_REQUEST['opportunity_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT id,name FROM opportunities WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['opportunity_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->opportunity = $row['name'];
             $this->bean->opportunity_id = $row['id'];

modules/AOS_Invoices/controller.php

@@ -23,7 +23,7 @@
  *
  * @author SalesAgility Ltd <[email protected]>
  */
- 
+
 require_once('include/MVC/Controller/SugarController.php');
 
 class AOS_InvoicesController extends SugarController
@@ -34,26 +34,26 @@ public function action_editview()
 
         $this->view = 'edit';
         $GLOBALS['view'] = $this->view;
-        
+
         if (isset($_REQUEST['aos_quotes_id'])) {
-            $query = "SELECT * FROM aos_quotes WHERE id = '{$_REQUEST['aos_quotes_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM aos_quotes WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['aos_quotes_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->name = $row['name'];
-            
+
             if (isset($row['billing_account_id'])) {
                 $_REQUEST['account_id'] = $row['billing_account_id'];
             }
-                
+
             if (isset($row['billing_contact_id'])) {
                 $_REQUEST['contact_id'] = $row['billing_contact_id'];
             }
         }
 
 
         if (isset($_REQUEST['account_id'])) {
-            $query = "SELECT * FROM accounts WHERE id = '{$_REQUEST['account_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM accounts WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['account_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->billing_account_id = $row['id'];
             $this->bean->billing_account = $row['name'];
@@ -68,10 +68,10 @@ public function action_editview()
             $this->bean->shipping_address_postalcode = $row['shipping_address_postalcode'];
             $this->bean->shipping_address_country = $row['shipping_address_country'];
         }
-        
+
         if (isset($_REQUEST['contact_id'])) {
-            $query = "SELECT id,first_name,last_name FROM contacts WHERE id = '{$_REQUEST['contact_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT id,first_name,last_name FROM contacts WHERE id = '?'";
+            $result = $this->bean->db->pquery($query, [$_REQUEST['contact_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->billing_contact_id = $row['id'];
             $this->bean->billing_contact = $row['first_name'].' '.$row['last_name'];

modules/AOS_Quotes/controller.php

@@ -21,7 +21,7 @@
  *
  * @author SalesAgility <[email protected]>
  */
- 
+
 require_once('include/MVC/Controller/SugarController.php');
 
 class AOS_QuotesController extends SugarController
@@ -32,41 +32,40 @@ public function action_editview()
 
         $this->view = 'edit';
         $GLOBALS['view'] = $this->view;
-        
+
         if (isset($_REQUEST['aos_invoices_id'])) {
-            $query = "SELECT * FROM aos_invoices WHERE id = '{$_REQUEST['aos_invoices_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM aos_invoices WHERE id = '?'";
+            $result = $this->bean->db->pQuery($query, [$_REQUEST['aos_invoices_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->name = $row['name'];
-            
+
             if (isset($row['billing_account_id'])) {
                 $_REQUEST['account_id'] = $row['billing_account_id'];
             }
-                
+
             if (isset($row['billing_contact_id'])) {
                 $_REQUEST['contact_id'] = $row['billing_contact_id'];
             }
         }
-        
+
         if (isset($_REQUEST['aos_contracts_id'])) {
-            $query = "SELECT * FROM aos_contracts WHERE id = '{$_REQUEST['aos_contracts_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM aos_contracts WHERE id = '?'";
+            $result = $this->bean->db->pQuery($query, [$_REQUEST['aos_contracts_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->name = $row['name'];
-            
+
             if (isset($row['contract_account_id'])) {
                 $_REQUEST['account_id'] = $row['contract_account_id'];
             }
-                
+
             if (isset($row['opportunity_id'])) {
                 $_REQUEST['opportunity_id'] = $row['opportunity_id'];
             }
         }
 
-
         if (isset($_REQUEST['account_id'])) {
-            $query = "SELECT * FROM accounts WHERE id = '{$_REQUEST['account_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT * FROM accounts WHERE id = '?'";
+            $result = $this->bean->db->pQuery($query, [$_REQUEST['account_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->billing_account_id = $row['id'];
             $this->bean->billing_account = $row['name'];
@@ -81,18 +80,18 @@ public function action_editview()
             $this->bean->shipping_address_postalcode = $row['shipping_address_postalcode'];
             $this->bean->shipping_address_country = $row['shipping_address_country'];
         }
-        
+
         if (isset($_REQUEST['contact_id'])) {
-            $query = "SELECT id,first_name,last_name FROM contacts WHERE id = '{$_REQUEST['contact_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT id, first_name, last_name FROM contacts WHERE id = '?'";
+            $result = $this->bean->db->pQuery($query, [$_REQUEST['contact_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->billing_contact_id = $row['id'];
             $this->bean->billing_contact = $row['first_name'].' '.$row['last_name'];
         }
-        
+
         if (isset($_REQUEST['opportunity_id'])) {
-            $query = "SELECT id,name FROM opportunities WHERE id = '{$_REQUEST['opportunity_id']}'";
-            $result = $this->bean->db->query($query, true);
+            $query = "SELECT id, name FROM opportunities WHERE id = '?'";
+            $result = $this->bean->db->pQuery($query, [$_REQUEST['opportunity_id']]);
             $row = $this->bean->db->fetchByAssoc($result);
             $this->bean->opportunity_id = $row['id'];
             $this->bean->opportunity = $row['name'];

modules/Home/quicksearchQuery.php

@@ -54,7 +54,14 @@
 }
 
 $json = getJSONobj();
-$data = $json->decode(html_entity_decode($_REQUEST['data']));
+$data = $json::decode(html_entity_decode($_REQUEST['data']));
+
+if (isset($data['field_list'])) {
+    foreach ($data['field_list'] as $k => $v) {
+        $data['field_list'][$k] = securexss($v);
+    }
+}
+
 if (isset($_REQUEST['query']) && !empty($_REQUEST['query'])) {
     foreach ($data['conditions'] as $k=>$v) {
         if (empty($data['conditions'][$k]['value']) && ($data['conditions'][$k]['op'] != $conditionEqual)) {

modules/InboundEmail/AOPInboundEmail.php

@@ -82,8 +82,7 @@ public function handleCreateCase(Email $email, $userId)
             }
             $c->assigned_user_id = $userId;
             $c->name = $email->name;
-            $c->status = 'New';
-            $c->priority = 'P1';
+            $c->status = 'Open_New';
 
             if (!empty($email->reply_to_email)) {
                 $contactAddr = $email->reply_to_email;

modules/InboundEmail/InboundEmail.php

@@ -3618,8 +3618,7 @@ public function handleCreateCase($email, $userId)
             $c->description = $email->description;
             $c->assigned_user_id = $userId;
             $c->name = $email->name;
-            $c->status = 'New';
-            $c->priority = 'P1';
+            $c->status = 'Open_New';
 
             if (!empty($email->reply_to_email)) {
                 $contactAddr = $email->reply_to_email;

modules/UpgradeWizard/systemCheck.php

@@ -83,7 +83,7 @@
  * @param RecursiveCallbackFilterIterator $iterator
  * @return bool
  */
-$fileCheck = function ($file, $key, $iterator) use ($baseDirectory, $skipDirs, $includeDirs, $isWindows) {
+$fileCheck = function ($file, $key, $iterator) use ($baseDirectory, $skipDirs, $includeDirs) {
     $subDir = explode(DIRECTORY_SEPARATOR, str_replace($baseDirectory . DIRECTORY_SEPARATOR, '', $key));
     if ($iterator->hasChildren() &&
         !in_array($file->getFilename(), $skipDirs, true) &&
@@ -92,10 +92,6 @@
         return true;
     }
 
-    if ($isWindows) {
-        return $file->isFile() && is_writable_windows($file->getPathname());
-    }
-
     return $file->isFile() && !$file->isWritable();
 };
 
@@ -110,50 +106,49 @@
     )
 );
 
-
-if (!empty($files)) {
-    $i = 0;
-    $filesOut = "
-	<a href='javascript:void(0); toggleNwFiles(\"filesNw\");'>{$mod_strings['LBL_UW_SHOW_NW_FILES']}</a>
-	<div id='filesNw' style='display:none;'>
-	<table cellpadding='3' cellspacing='0' border='0'>
-	<tr>
-		<th align='left'>{$mod_strings['LBL_UW_FILE']}</th>
-		<th align='left'>{$mod_strings['LBL_UW_FILE_PERMS']}</th>
-		<th align='left'>{$mod_strings['LBL_UW_FILE_OWNER']}</th>
-		<th align='left'>{$mod_strings['LBL_UW_FILE_GROUP']}</th>
-	</tr>";
-
-    foreach ($files as $file) {
-        logThis('File [' . $file->getPathname() . '] not writable - saving for display');
-
-        $filesNotWritable[$i] = $file->getPathname();
-        $perms = substr(sprintf('%o', $file->getPerms()), -4);
-        $owner = $file->getOwner();
-        $group = $file->getGroup();
-        if (!$isWindows && function_exists('posix_getpwuid')) {
-            $ownerData = posix_getpwuid($owner);
-            $owner = !empty($ownerData) ? $ownerData['name'] : $owner;
-        }
-        if (!$isWindows && function_exists('posix_getgrgid')) {
-            $groupData = posix_getgrgid($group);
-            $group = !empty($groupData) ? $groupData['name'] : $group;
-        }
-        $filesOut .= "<tr>" .
-            "<td><span class='error'>{$file}</span></td>" .
-            "<td>{$perms}</td>" .
-            "<td>{$owner}</td>" .
-            "<td>{$group}</td>" .
-            "</tr>";
-
+$i = 0;
+$filesOut = "
+<a href='javascript:void(0); toggleNwFiles(\"filesNw\");'>{$mod_strings['LBL_UW_SHOW_NW_FILES']}</a>
+<div id='filesNw' style='display:none;'>
+<table cellpadding='3' cellspacing='0' border='0'>
+<tr>
+    <th align='left'>{$mod_strings['LBL_UW_FILE']}</th>
+    <th align='left'>{$mod_strings['LBL_UW_FILE_PERMS']}</th>
+    <th align='left'>{$mod_strings['LBL_UW_FILE_OWNER']}</th>
+    <th align='left'>{$mod_strings['LBL_UW_FILE_GROUP']}</th>
+</tr>";
+
+foreach ($files as $file) {
+    logThis('File [' . $file->getPathname() . '] not writable - saving for display');
+
+    $filesNotWritable[$i] = $file->getPathname();
+    $perms = substr(sprintf('%o', $file->getPerms()), -4);
+    $owner = $file->getOwner();
+    $group = $file->getGroup();
+    if (!$isWindows && function_exists('posix_getpwuid')) {
+        $ownerData = posix_getpwuid($owner);
+        $owner = !empty($ownerData) ? $ownerData['name'] : $owner;
     }
-    $i++;
+    if (!$isWindows && function_exists('posix_getgrgid')) {
+        $groupData = posix_getgrgid($group);
+        $group = !empty($groupData) ? $groupData['name'] : $group;
+    }
+    $filesOut .= "<tr>" .
+        "<td><span class='error'>{$file->getFilename()}</span></td>" .
+        "<td>{$perms}</td>" .
+        "<td>{$owner}</td>" .
+        "<td>{$group}</td>" .
+        "</tr>";
 
-    $filesOut .= '</table></div>';
-    $errors['files']['filesNotWritable'] = true;
+    $i++;
 }
+
+$filesOut .= '</table></div>';
+$errors['files']['filesNotWritable'] = true;
+
 if (count($filesNotWritable) < 1) {
     $filesOut = "<b>{$mod_strings['LBL_UW_FILE_NO_ERRORS']}</b>";
+    $errors['files']['filesNotWritable'] = false;
 }
 
 logThis('Finished file permission check.');