SuiteCRM 7.12.13 Release

jack7anderson7 · jack7anderson7 · commit df71828b9ae8 · 2023-10-02T10:54:53.000+01:00
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.12
+# SuiteCRM 7.12.13
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)
diff --git a/data/SugarBean.php b/data/SugarBean.php
@@ -2515,12 +2515,12 @@ public function cleanBean()
                 }
 
                 if (isset($def['type']) && ($def['type'] == 'html' || $def['type'] == 'longhtml')) {
-                    $this->$key = htmlentities(SugarCleaner::cleanHtml($this->$key, true));
+                    $this->$key = purify_html($this->$key);
                 } elseif (
                     (strpos($type, 'char') !== false || strpos($type, 'text') !== false || $type == 'enum') &&
                     !empty($this->$key)
                 ) {
-                    $this->$key = htmlentities(SugarCleaner::cleanHtml($this->$key, true));
+                    $this->$key = purify_html($this->$key);
                 }
             }
         }
diff --git a/files.md5 b/files.md5
@@ -1,5 +1,5 @@
 <?php
-// created: 2023-06-30 17:00:00
+// created: 2023-10-02 17:00:00
 $md5_string = array (
   './Api/Core/Config/ApiConfig.php' => '69a1e7b3d7755a2a63499a16ddae81cf',
   './Api/Core/Config/slim.php' => 'b134e68765e6a1403577e2a5a06322b8',
@@ -116,7 +116,7 @@ $md5_string = array (
   './ModuleInstall/PackageManager/tpls/PackageManagerLicense.tpl' => 'df5e267d1df5ce08fb9406e42d5b4816',
   './ModuleInstall/PackageManager/tpls/PackageManagerScripts.tpl' => '98e396c0aa57329731fda19c790fffb2',
   './ModuleInstall/extensions.php' => '094f4650261f6efbab1b90b119829388',
-  './README.md' => 'aa47c7789a83b1956c6d9bf77043a535',
+  './README.md' => '7f18bd75a95720a9e6ac03ba4e1de94f',
   './RoboFile.php' => '045b82c1df69553824d0e4ffcce6e03c',
   './SugarSecurity.php' => '47e316b2d408e8c5192c8ea4a4f921b3',
   './TreeData.php' => '32873e20cb5fd33f9d1cdaf18c3cac5c',
@@ -522,7 +522,7 @@ $md5_string = array (
   './data/Relationships/One2OneRelationship.php' => 'c46d3067d5651fbc928763600d5e1a51',
   './data/Relationships/RelationshipFactory.php' => '98a46e44186f2d2db23be9b894a4f1e2',
   './data/Relationships/SugarRelationship.php' => 'a71b96492ee7457826fc91a2356c4ebd',
-  './data/SugarBean.php' => 'ccf600118e4ad9437e82efb376443ea4',
+  './data/SugarBean.php' => '29f70a2ff02ffea10630200a90e7b0a0',
   './deprecated.php' => 'f5f507fd6314f38d29c97e2cc2c62239',
   './dictionary.php' => 'b7c1370fb75a2940c04db74627c4462c',
   './download.php' => 'ffc5806938cc1f888c7ddedb79f7bedf',
@@ -2391,7 +2391,7 @@ $md5_string = array (
   './include/utils/recaptcha_utils.php' => '73f5eddf707788c1dff4b7d07dc82656',
   './include/utils/security_utils.php' => 'e953d0b673df3df313ecf1ac975e8f57',
   './include/utils/sugar_file_utils.php' => '1c1915cad8c88feb0edbf5bbaee106c4',
-  './include/utils.php' => 'e5143d953655f5c11f58f8f947b1930a',
+  './include/utils.php' => '80454524089c3b5c7c48a4bd4572c0aa',
   './include/vCard.php' => '44052bbedcdaba3fdf67cfc10a112e75',
   './include/ytree/ExtNode.php' => '000d4ccbdb6e0a7628c636128781b5e3',
   './include/ytree/JQueryTree.php' => '3712d2224b93818b990b876f8405b745',
@@ -4809,7 +4809,7 @@ $md5_string = array (
   './modules/Groups/EditView.html' => '09c8789599fb3b305469bd23f2991713',
   './modules/Groups/EditView.php' => '677c06f6ab72c5d5a02c75fb665b84bf',
   './modules/Groups/Forms.php' => 'a0e51e5d5a49b1f89af75ff58abd8df0',
-  './modules/Groups/Group.php' => 'e826001afe86f1d2143f64547ffe04a6',
+  './modules/Groups/Group.php' => 'e7ee4cc74313f7a910c4331a25b69fa2',
   './modules/Groups/ListView.html' => '43fe23308f2ea9134b80f3ac57953a95',
   './modules/Groups/ListView.php' => '61a47a739e5884c882c2d95fe0c406e6',
   './modules/Groups/Menu.php' => 'f845d9f69cd33c22ca43991c9be80612',
@@ -5338,7 +5338,7 @@ $md5_string = array (
   './modules/Opportunities/OpportunitiesListViewSmarty.php' => 'c7ff09cb175fc446643a8b7aeb81997a',
   './modules/Opportunities/OpportunitiesQuickCreate.php' => '1ecc35174add3abb072044636fbac07c',
   './modules/Opportunities/Opportunity.php' => 'f8acf2b7f0ac5d4c1e2e0c9ad3f05bec',
-  './modules/Opportunities/OpportunityFormBase.php' => 'de70213c7746dc2028fa1b8bc87418dc',
+  './modules/Opportunities/OpportunityFormBase.php' => '60d6c618959551453d5b5f876100ffe7',
   './modules/Opportunities/Save.php' => '8f327e0b5b44141a863fdc396abe4930',
   './modules/Opportunities/SaveOverload.php' => 'b2f5b800a2c6c7022197d450e925b2c9',
   './modules/Opportunities/SubPanelView.html' => '3df668036b5e50515dc62d4bcaf316c9',
@@ -6282,7 +6282,7 @@ $md5_string = array (
   './soap.php' => 'e28988c2e0b8e2c484587b537a710525',
   './sugar_version.json' => 'bdfbcefae2f9af559bef6a36367df7bb',
   './sugar_version.php' => 'db7b6c8d51f87879fce1e6172eedfbed',
-  './suitecrm_version.php' => '812928dd34f9a7fa2ef2990cd6379901',
+  './suitecrm_version.php' => '845918436e2f220106def3626ab9def8',
   './themes/SuiteP/css/Dawn/color-palette.scss' => 'e64677d79e1d68c069bdc2dc661c4f99',
   './themes/SuiteP/css/Dawn/icons.scss' => 'd59f8c5855e7a8df09542a663835a196',
   './themes/SuiteP/css/Dawn/select.ico' => '22393ad23f16c3f1462455bae8f20279',
diff --git a/include/utils.php b/include/utils.php
@@ -2665,7 +2665,9 @@ function purify_html(?string $value): string {
         $cleanedValue = '';
     }
 
-    return $cleanedValue;
+    $doubleCleanedValue = htmlentities((string) SugarCleaner::cleanHtml($doubleDecoded, true));
+
+    return $doubleCleanedValue;
 }
 
 function preprocess_param($value)
diff --git a/modules/Groups/Group.php b/modules/Groups/Group.php
@@ -66,11 +66,21 @@ public function __construct()
      */
     public function mark_deleted($id)
     {
+        global $current_user;
+        if (!is_admin($current_user)) {
+            throw new RuntimeException('Not authorized');
+        }
+
         SugarBean::mark_deleted($id);
     }
 
     public function create_export_query($order_by, $where, $relate_link_join = '')
     {
+        global $current_user;
+        if (!is_admin($current_user)) {
+            throw new RuntimeException('Not authorized');
+        }
+
         $query = "SELECT users.*";
         $query .= " FROM users ";
         $where_auto = " users.deleted = 0";
diff --git a/modules/Opportunities/OpportunityFormBase.php b/modules/Opportunities/OpportunityFormBase.php
@@ -465,8 +465,8 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)
 
         $focus->save($check_notify);
 
-        if (!empty($_POST['duplicate_parent_id'])) {
-            clone_relationship($focus->db, array('opportunities_contacts'), 'opportunity_id', $_POST['duplicate_parent_id'], $focus->id);
+        if (!empty($_POST['duplicate_parent_id']) && (new \SuiteCRM\Utility\SuiteValidator())->isValidId($_POST['duplicate_parent_id'] ?? '')) {
+            clone_relationship($focus->db, array('opportunities_contacts'), 'opportunity_id', $focus->db->quote($_POST['duplicate_parent_id']), $focus->id);
         }
         $return_id = $focus->id;
 
diff --git a/suitecrm_version.php b/suitecrm_version.php
@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.12';
-$suitecrm_timestamp = '2023-07-11 12:00:00';
+$suitecrm_version = '7.12.13';
+$suitecrm_timestamp = '2023-10-03 12:00:00';

Original file line number	Diff line number	Diff line change
`@@ -2515,12 +2515,12 @@ public function cleanBean()`
`2515`	`2515`	`}`
`2516`	`2516`
`2517`	`2517`	`if (isset($def['type']) && ($def['type'] == 'html' \|\| $def['type'] == 'longhtml')) {`
`2518`		`- $this->$key = htmlentities(SugarCleaner::cleanHtml($this->$key, true));`
	`2518`	`+ $this->$key = purify_html($this->$key);`
`2519`	`2519`	`} elseif (`
`2520`	`2520`	`(strpos($type, 'char') !== false \|\| strpos($type, 'text') !== false \|\| $type == 'enum') &&`
`2521`	`2521`	`!empty($this->$key)`
`2522`	`2522`	`) {`
`2523`		`- $this->$key = htmlentities(SugarCleaner::cleanHtml($this->$key, true));`
	`2523`	`+ $this->$key = purify_html($this->$key);`
`2524`	`2524`	`}`
`2525`	`2525`	`}`
`2526`	`2526`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2665,7 +2665,9 @@ function purify_html(?string $value): string {`
`2665`	`2665`	`$cleanedValue = '';`
`2666`	`2666`	`}`
`2667`	`2667`
`2668`		`- return $cleanedValue;`
	`2668`	`+ $doubleCleanedValue = htmlentities((string) SugarCleaner::cleanHtml($doubleDecoded, true));`
	`2669`	`+`
	`2670`	`+ return $doubleCleanedValue;`
`2669`	`2671`	`}`
`2670`	`2672`
`2671`	`2673`	`function preprocess_param($value)`
Original file line number	Diff line number	Diff line change
`@@ -465,8 +465,8 @@ public function handleSave($prefix, $redirect=true, $useRequired=false)`
`465`	`465`
`466`	`466`	`$focus->save($check_notify);`
`467`	`467`
`468`		`- if (!empty($_POST['duplicate_parent_id'])) {`
`469`		`- clone_relationship($focus->db, array('opportunities_contacts'), 'opportunity_id', $_POST['duplicate_parent_id'], $focus->id);`
	`468`	`+ if (!empty($_POST['duplicate_parent_id']) && (new \SuiteCRM\Utility\SuiteValidator())->isValidId($_POST['duplicate_parent_id'] ?? '')) {`
	`469`	`+ clone_relationship($focus->db, array('opportunities_contacts'), 'opportunity_id', $focus->db->quote($_POST['duplicate_parent_id']), $focus->id);`
`470`	`470`	`}`
`471`	`471`	`$return_id = $focus->id;`
`472`	`472`
Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,5 @@`
`3`	`3`	`die('Not A Valid Entry Point');`
`4`	`4`	`}`
`5`	`5`
`6`		`-$suitecrm_version = '7.12.12';`
`7`		`-$suitecrm_timestamp = '2023-07-11 12:00:00';`
	`6`	`+$suitecrm_version = '7.12.13';`
	`7`	`+$suitecrm_timestamp = '2023-10-03 12:00:00';`