Merge branch '10.0/bugfixes'

.phpstan-baseline.php

@@ -2881,30 +2881,6 @@
 	'count' => 2,
 	'path' => __DIR__ . '/src/Html.php',
 ];
-$ignoreErrors[] = [
-	// identifier: offsetAccess.notFound
-	'message' => '#^Offset \'max\' does not exist on array\\{value\\: mixed, maybeempty\\: mixed, canedit\\: mixed, mindate\\: mixed, maxdate\\: mixed, mintime\\: mixed, maxtime\\: mixed, timestep\\: mixed, \\.\\.\\.\\}\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/src/Html.php',
-];
-$ignoreErrors[] = [
-	// identifier: empty.offset
-	'message' => '#^Offset \'max\' on array\\{value\\: mixed, maybeempty\\: mixed, canedit\\: mixed, mindate\\: mixed, maxdate\\: mixed, mintime\\: mixed, maxtime\\: mixed, timestep\\: mixed, \\.\\.\\.\\} in empty\\(\\) does not exist\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/src/Html.php',
-];
-$ignoreErrors[] = [
-	// identifier: offsetAccess.notFound
-	'message' => '#^Offset \'min\' does not exist on array\\{value\\: mixed, maybeempty\\: mixed, canedit\\: mixed, mindate\\: mixed, maxdate\\: mixed, mintime\\: mixed, maxtime\\: mixed, timestep\\: mixed, \\.\\.\\.\\}\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/src/Html.php',
-];
-$ignoreErrors[] = [
-	// identifier: empty.offset
-	'message' => '#^Offset \'min\' on array\\{value\\: mixed, maybeempty\\: mixed, canedit\\: mixed, mindate\\: mixed, maxdate\\: mixed, mintime\\: mixed, maxtime\\: mixed, timestep\\: mixed, \\.\\.\\.\\} in empty\\(\\) does not exist\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/src/Html.php',
-];
 $ignoreErrors[] = [
 	// identifier: phpDoc.parseError
 	'message' => '#^PHPDoc tag @phpstan\\-return has invalid value \\(\\$display \\? void \\: string\\)\\: Unexpected token "\\$display", expected type at offset 656$#',

CHANGELOG.md

@@ -547,7 +547,28 @@ The present file will list all changes made to the project; according to the
 - Handling of the `delegate` right in `User::getSqlSearchResult()`.
 
 
-## [10.0.17] unreleased
+## [10.0.18] unreleased
+
+### Added
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### API changes
+
+#### Added
+
+#### Changes
+
+#### Deprecated
+
+#### Removed
+
+
+## [10.0.17] 2024-11-06
 
 ### Added
 
@@ -562,6 +583,8 @@ The present file will list all changes made to the project; according to the
 
 #### Added
 
+- `NotificationTarget::canNotificationContentBeDisclosed()` method that can be overriden to indicates whether a notification contents should be undisclosed.
+
 #### Changes
 
 #### Deprecated

ajax/common.tabs.php

@@ -109,5 +109,5 @@
 }
 
 \Glpi\Debug\Profiler::getInstance()->start('CommonGLPI::displayStandardTab');
-CommonGLPI::displayStandardTab($item, $_GET['_glpi_tab'], $_GET["withtemplate"], $options);
+CommonGLPI::displayStandardTab($item, $_GET['_glpi_tab'], (int)$_GET["withtemplate"], $options);
 \Glpi\Debug\Profiler::getInstance()->stop('CommonGLPI::displayStandardTab');

ajax/genericdate.php

@@ -41,11 +41,12 @@
 Html::header_nocache();
 
 if (isset($_POST['value']) && (strcmp($_POST['value'], '0') == 0)) {
-    if ($_POST['withtime']) {
+    $withtime = filter_var($_POST['withtime'], FILTER_VALIDATE_BOOLEAN);
+    if ($withtime) {
         Html::showDateTimeField($_POST['name'], ['value' => $_POST['specificvalue']]);
     } else {
         Html::showDateField($_POST['name'], ['value' => $_POST['specificvalue']]);
     }
 } else {
-    echo "<input type='hidden' name='" . $_POST['name'] . "' value='" . $_POST['value'] . "'>";
+    echo "<input type='hidden' name='" . htmlescape($_POST['name']) . "' value='" . htmlescape($_POST['value']) . "'>";
 }

ajax/kanban.php

@@ -98,7 +98,7 @@
     }
     if (in_array($action, ['delete_item'])) {
         $maybe_deleted = $item->maybeDeleted();
-        if (($maybe_deleted && !$item::canDelete()) && (!$maybe_deleted && $item::canPurge())) {
+        if (($maybe_deleted && !$item::canDelete()) || (!$maybe_deleted && $item::canPurge())) {
            // Missing rights
             throw new AccessDeniedHttpException();
         }
@@ -280,7 +280,7 @@
     $item->getFromDB($_POST['items_id']);
    // Check if the item can be trashed and if the request isn't forcing deletion (purge)
     $maybe_deleted = $item->maybeDeleted() && !($_REQUEST['force'] ?? false);
-    if (($maybe_deleted && $item->canDeleteItem()) || (!$maybe_deleted && $item->canPurgeItem())) {
+    if (($maybe_deleted && $item->can($_POST['items_id'], DELETE)) || (!$maybe_deleted && $item->can($_POST['items_id'], PURGE))) {
         $item->delete(['id' => $_POST['items_id']], !$maybe_deleted);
         // Check if the item was deleted or purged
         header("Content-Type: application/json; charset=UTF-8", true);
@@ -295,7 +295,7 @@
     $item->getFromDB($_POST['items_id']);
     // Check if the item can be restored
     $maybe_deleted = $item->maybeDeleted();
-    if (($maybe_deleted && $item->canDeleteItem())) {
+    if (($maybe_deleted && $item->can($_POST['items_id'], DELETE))) {
         $item->restore(['id' => $_POST['items_id']]);
     } else {
         throw new AccessDeniedHttpException();

ajax/savedsearch.php

@@ -89,7 +89,7 @@
 }
 
 if ($action == 'reorder') {
-    $savedsearch->saveOrder(array_map('intval', $_POST['ids']));
+    $savedsearch->saveOrder($_POST['ids']);
     header("Content-Type: application/json; charset=UTF-8");
     echo json_encode(['res' => true]);
 }

ajax/telemetry.php

@@ -40,12 +40,15 @@
 
 if (!($_SESSION['telemetry_from_install'] ?? false)) {
     Session::checkRight("config", READ);
+    $hide_sensitive_data = false;
+} else {
+    $hide_sensitive_data = true;
 }
 
 echo Html::css("lib/monaco.css");
 
 $twig_params = [
-    'info' => json_encode(Telemetry::getTelemetryInfos(), JSON_PRETTY_PRINT),
+    'info' => json_encode(Telemetry::getTelemetryInfos($hide_sensitive_data), JSON_PRETTY_PRINT),
     'description' => __("We only collect the following data: plugins usage, performance and responsiveness statistics about user interface features, memory, and hardware configuration.")
 ];
 // language=Twig

front/stat.global.php

@@ -45,7 +45,7 @@
 
 //sanitize dates
 foreach (['date1', 'date2'] as $key) {
-    if (array_key_exists($key, $_GET) && preg_match('/\d{4}-\d{2}-\d{2}/', (string)$_GET[$key]) !== 1) {
+    if (array_key_exists($key, $_GET) && preg_match('/^\d{4}-\d{2}-\d{2}$/', (string)$_GET[$key]) !== 1) {
         unset($_GET[$key]);
     }
 }

front/stat.graph.php

@@ -56,7 +56,7 @@
 
 //sanitize dates
 foreach (['date1', 'date2'] as $key) {
-    if (array_key_exists($key, $_GET) && preg_match('/\d{4}-\d{2}-\d{2}/', (string)$_GET[$key]) !== 1) {
+    if (array_key_exists($key, $_GET) && preg_match('/^\d{4}-\d{2}-\d{2}$/', (string)$_GET[$key]) !== 1) {
         unset($_GET[$key]);
     }
 }

front/stat.location.php

@@ -56,7 +56,7 @@
 
 //sanitize dates
 foreach (['date1', 'date2'] as $key) {
-    if (array_key_exists($key, $_GET) && preg_match('/\d{4}-\d{2}-\d{2}/', (string)$_GET[$key]) !== 1) {
+    if (array_key_exists($key, $_GET) && preg_match('/^\d{4}-\d{2}-\d{2}$/', (string)$_GET[$key]) !== 1) {
         unset($_GET[$key]);
     }
 }

front/stat.tracking.php

@@ -54,7 +54,7 @@
 
 //sanitize dates
 foreach (['date1', 'date2'] as $key) {
-    if (array_key_exists($key, $_GET) && preg_match('/\d{4}-\d{2}-\d{2}/', (string)$_GET[$key]) !== 1) {
+    if (array_key_exists($key, $_GET) && preg_match('/^\d{4}-\d{2}-\d{2}$/', (string)$_GET[$key]) !== 1) {
         unset($_GET[$key]);
     }
 }

inc/relation.constant.php

@@ -1711,6 +1711,7 @@
 $specifically_managed_types = [
     Agent::class, // FIXME Agent should be a CommonDBChild with $mustBeAttached=true
     Consumable::class, // Consumables are handled manually to redefine `date_out` to `null`
+    DatabaseInstance::class, // FIXME DatabaseInstance should be a CommonDBChild with $mustBeAttached=true
     Item_Cluster::class, // FIXME $mustBeAttached_1 and $mustBeAttached_2 should probably be set to true
     Item_Enclosure::class, // FIXME $mustBeAttached_1 and $mustBeAttached_2 should probably be set to true
     Item_Rack::class, // FIXME $mustBeAttached_1 and $mustBeAttached_2 should probably be set to true

install/install.php

@@ -396,6 +396,7 @@ function step8()
     $url_base = $referer_url !== null
         ? str_replace("/install/install.php", "", $referer_url)
         : 'http://localhost';
+
     $DB->update(
         'glpi_configs',
         ['value' => $url_base],
@@ -477,7 +478,7 @@ function update1($dbname)
 Session::start();
 error_reporting(0); // we want to check system before affraid the user.
 
-if (isset($_POST["language"])) {
+if (isset($_POST["language"]) && isset($CFG_GLPI["languages"][$_POST["language"]])) {
     $_SESSION["glpilanguage"] = $_POST["language"];
 }
 

install/migrations/update_10.0.16_to_10.0.17/tree_dropdowns.php

@@ -0,0 +1,72 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2024 Teclib' and contributors.
+ * @copyright 2003-2014 by the INDEPNET Development Team.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+use Glpi\DBAL\QueryExpression;
+
+/**
+ * @var \DBmysql $DB
+ * @var \Migration $migration
+ */
+
+// Drop the ancestors/sons cache that may have been corrupted by bugs that have now been resolved.
+$tree_dropdown_tables = [
+    'glpi_businesscriticities',
+    'glpi_documentcategories',
+    'glpi_entities',
+    'glpi_groups',
+    'glpi_ipnetworks',
+    'glpi_itilcategories',
+    'glpi_knowbaseitemcategories',
+    'glpi_locations',
+    'glpi_softwarecategories',
+    'glpi_softwarelicenses',
+    'glpi_softwarelicensetypes',
+    'glpi_states',
+    'glpi_taskcategories',
+];
+foreach ($tree_dropdown_tables as $table) {
+    $migration->addPostQuery(
+        $DB->buildUpdate(
+            $table,
+            [
+                'ancestors_cache' => null,
+                'sons_cache' => null,
+            ],
+            [
+                new QueryExpression(true),
+            ]
+        )
+    );
+}