Merge pull request #4392 from nilsteampassnet/vulnerability-install-sql-injection

nilsteampassnet · web-flow · commit 04f4e4bec09e · 2024-10-04T18:19:40.000+02:00
Vulnerability during install
diff --git a/includes/config/include.php b/includes/config/include.php
@@ -28,7 +28,7 @@
 
 define('TP_VERSION', '3.1.2');
 define("UPGRADE_MIN_DATE", "1727110744");
-define('TP_VERSION_MINOR', '131');
+define('TP_VERSION_MINOR', '134');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);
diff --git a/includes/tables_integrity.json b/includes/tables_integrity.json
@@ -13,15 +13,15 @@
     },
     {
         "table_name": "background_tasks",
-        "structure_hash": "c3b96e3d6b07ca079266f59370af356e84848c6863aaa3662f06ffaf42b65b55"
+        "structure_hash": "824ea4c3db1b930b8655191a54d6c09415fca3e0c104117da14ecaa924f05c06"
     },
     {
         "table_name": "background_tasks_logs",
-        "structure_hash": "95925613dcdd22f045680f9c337725bdfe34c1f12ffbbc77aff7afbd06cd21a6"
+        "structure_hash": "8825f1d0e45b66d4245eb0a7d9d8e0937c504110294ff7e2774511ccc67c5c9b"
     },
     {
         "table_name": "cache",
-        "structure_hash": "d11037afa64b847d341c467132588bc1fb49d6a7f59764103485720c753c1266"
+        "structure_hash": "a5988fbb32009d30106453eb5434d90b1f10135fb988fb3736bbf5fa254a39db"
     },
     {
         "table_name": "cache_tree",
@@ -57,15 +57,15 @@
     },
     {
         "table_name": "items",
-        "structure_hash": "0e88a81eda19ffe8f6bf035f2853e645f888bdc350150875179a97917e02a627"
+        "structure_hash": "af8b6e0e7bf0fe17a709bba14dca6c7833ddf2f6e0a1e91acd0a5cf5ffb4e22d"
     },
     {
         "table_name": "items_change",
         "structure_hash": "1560c119b0aa9a2e983fbf56ad584da6fd8e35517fdbd9c1144e6144a35512dd"
     },
     {
         "table_name": "items_edition",
-        "structure_hash": "427adb445bc9dfca2d50c769d0667c4f21bff7c601cf97bb5f1b0c0c52e452cc"
+        "structure_hash": "cf58c1c9b678dc0ece44492639d3c3bd23e095e69f8f65e7df67d147f90eb3b4"
     },
     {
         "table_name": "items_otp",
@@ -97,11 +97,11 @@
     },
     {
         "table_name": "log_items",
-        "structure_hash": "bd6960c43399a81559a8ff6feb0c924421f7aa6c456241c00ccb3ba0cb75def6"
+        "structure_hash": "470b020e4d7578366bf8299b3fd14c9a4681057a77dc018587ba08a24a6be7bb"
     },
     {
         "table_name": "log_system",
-        "structure_hash": "f20b028189d86bbc95e4d55ff4b1676895e62c62e0f39296449a6c8ae8541357"
+        "structure_hash": "8e396ef59c43500907160db66b009e41e29c6ed9d9a6aa8e324abd31be0d5777"
     },
     {
         "table_name": "misc",
@@ -169,7 +169,7 @@
     },
     {
         "table_name": "sharekeys_items",
-        "structure_hash": "f033299e24b9eb873d03c38084a55d866971d70f06d701b42e2d744b355a2818"
+        "structure_hash": "eedece29bce054b48d0f5525a6349072a6f9aec1a234c9980c36d6077fadaa75"
     },
     {
         "table_name": "sharekeys_logs",
diff --git a/install/install.js b/install/install.js
@@ -189,19 +189,6 @@ function checkPage()
                         .prop("disabled", true)
                         .addClass("hidden");
                 }
-                
-                /*
-                * Removing automatic action
-                // Go to next step
-                if (step <= 6) {
-                    setTimeout(
-                        function(){
-                            $('#but_next').trigger('click');
-                        },
-                        1000
-                    );
-                }
-                */
             }
         });
     } else if (error === "" && multiple === "") {
@@ -228,7 +215,7 @@ function checkPage()
             complete : function(data){
                 data = $.parseJSON(data.responseText);
                 
-                if (data[0].error !== "" ) {
+                if (data[0].error !== "") {
                     alertify
                         .error('<i class="fas fa-ban mr-2"></i>Next ERROR occurred: <i>' + data[0].error + '</i><br />Please correct and relaunch.', 0)
                         .dismissOthers();
@@ -246,19 +233,6 @@ function checkPage()
                         .prop("disabled", false)
                         .removeClass("hidden");
                 }
-                
-                /*
-                * Removing automatic action
-                // Go to next step
-                if (step <= 6) {
-                    setTimeout(
-                        function(){
-                            $('#but_next').trigger('click');
-                        },
-                        1000
-                    );
-                }
-                */
             }
         });
     } else {
@@ -282,7 +256,7 @@ function doGetJson(task)
         async: false,
         data : {
             type:       "step_"+step,
-            data:  aesEncrypt(dataToUse), //
+            data:       aesEncrypt(dataToUse), //
             activity:   aesEncrypt(tsk[0]),
             task:       aesEncrypt(tsk[1]),
             db:         aesEncrypt(JSON.stringify(dbInfo)),
@@ -292,7 +266,7 @@ function doGetJson(task)
         }
     })
     .complete(function(data) {
-        console.log("\n\n--- RECEPTION---\n"+data+"\n-------\n")
+        console.log("\n\n--- RECEPTION---\n"+JSON.stringify(data, null, 2)+"\n-------\n")
         if (data.responseText === "") {
             alertify
                 .error('<i class="fas fa-ban mr-2">[ERROR] Answer from server is empty.', 10)
@@ -320,8 +294,11 @@ function doGetJson(task)
                 }
             } else {
                 $("#res"+step+"_check"+data[0].index).html('<span class="badge badge-danger"><i class="fas fa-ban text-warning mr-2"></i>' + data[0].error + "</i></span>");
-                                            
-                global_error_on_query = true;
+                
+                // Considere only a warning on GMP extension
+                if (data[0].index !== "16") {
+                    global_error_on_query = true;
+                }
             }
         }
         index++;
diff --git a/install/install.php b/install/install.php
@@ -434,7 +434,7 @@
 	echo '
     <div id="footer">
         <div style="width:500px; font-size:16px;">
-            ' . TP_TOOL_NAME . ' ' . TP_VERSION . ' <i class="far fa-copyright"></i> copyright 2009-2019
+            ' . TP_TOOL_NAME . ' ' . TP_VERSION . ' <i class="far fa-copyright"></i> copyright 2009-'.date('Y').'
         </div>
         <div style="float:right;margin-top:-15px;">
         </div>
diff --git a/install/install.queries.php b/install/install.queries.php
diff --git a/vendor/composer/composer/res/composer-lock-schema.json b/vendor/composer/composer/res/composer-lock-schema.json

Original file line number	Diff line number	Diff line change
`@@ -13,15 +13,15 @@`
`13`	`13`	`},`
`14`	`14`	`{`
`15`	`15`	`"table_name": "background_tasks",`
`16`		`- "structure_hash": "c3b96e3d6b07ca079266f59370af356e84848c6863aaa3662f06ffaf42b65b55"`
	`16`	`+ "structure_hash": "824ea4c3db1b930b8655191a54d6c09415fca3e0c104117da14ecaa924f05c06"`
`17`	`17`	`},`
`18`	`18`	`{`
`19`	`19`	`"table_name": "background_tasks_logs",`
`20`		`- "structure_hash": "95925613dcdd22f045680f9c337725bdfe34c1f12ffbbc77aff7afbd06cd21a6"`
	`20`	`+ "structure_hash": "8825f1d0e45b66d4245eb0a7d9d8e0937c504110294ff7e2774511ccc67c5c9b"`
`21`	`21`	`},`
`22`	`22`	`{`
`23`	`23`	`"table_name": "cache",`
`24`		`- "structure_hash": "d11037afa64b847d341c467132588bc1fb49d6a7f59764103485720c753c1266"`
	`24`	`+ "structure_hash": "a5988fbb32009d30106453eb5434d90b1f10135fb988fb3736bbf5fa254a39db"`
`25`	`25`	`},`
`26`	`26`	`{`
`27`	`27`	`"table_name": "cache_tree",`
`@@ -57,15 +57,15 @@`
`57`	`57`	`},`
`58`	`58`	`{`
`59`	`59`	`"table_name": "items",`
`60`		`- "structure_hash": "0e88a81eda19ffe8f6bf035f2853e645f888bdc350150875179a97917e02a627"`
	`60`	`+ "structure_hash": "af8b6e0e7bf0fe17a709bba14dca6c7833ddf2f6e0a1e91acd0a5cf5ffb4e22d"`
`61`	`61`	`},`
`62`	`62`	`{`
`63`	`63`	`"table_name": "items_change",`
`64`	`64`	`"structure_hash": "1560c119b0aa9a2e983fbf56ad584da6fd8e35517fdbd9c1144e6144a35512dd"`
`65`	`65`	`},`
`66`	`66`	`{`
`67`	`67`	`"table_name": "items_edition",`
`68`		`- "structure_hash": "427adb445bc9dfca2d50c769d0667c4f21bff7c601cf97bb5f1b0c0c52e452cc"`
	`68`	`+ "structure_hash": "cf58c1c9b678dc0ece44492639d3c3bd23e095e69f8f65e7df67d147f90eb3b4"`
`69`	`69`	`},`
`70`	`70`	`{`
`71`	`71`	`"table_name": "items_otp",`
`@@ -97,11 +97,11 @@`
`97`	`97`	`},`
`98`	`98`	`{`
`99`	`99`	`"table_name": "log_items",`
`100`		`- "structure_hash": "bd6960c43399a81559a8ff6feb0c924421f7aa6c456241c00ccb3ba0cb75def6"`
	`100`	`+ "structure_hash": "470b020e4d7578366bf8299b3fd14c9a4681057a77dc018587ba08a24a6be7bb"`
`101`	`101`	`},`
`102`	`102`	`{`
`103`	`103`	`"table_name": "log_system",`
`104`		`- "structure_hash": "f20b028189d86bbc95e4d55ff4b1676895e62c62e0f39296449a6c8ae8541357"`
	`104`	`+ "structure_hash": "8e396ef59c43500907160db66b009e41e29c6ed9d9a6aa8e324abd31be0d5777"`
`105`	`105`	`},`
`106`	`106`	`{`
`107`	`107`	`"table_name": "misc",`
`@@ -169,7 +169,7 @@`
`169`	`169`	`},`
`170`	`170`	`{`
`171`	`171`	`"table_name": "sharekeys_items",`
`172`		`- "structure_hash": "f033299e24b9eb873d03c38084a55d866971d70f06d701b42e2d744b355a2818"`
	`172`	`+ "structure_hash": "eedece29bce054b48d0f5525a6349072a6f9aec1a234c9980c36d6077fadaa75"`
`173`	`173`	`},`
`174`	`174`	`{`
`175`	`175`	`"table_name": "sharekeys_logs",`