Merge branch 'bugfix' into stable-v0.5

Author: jbtronics

data/media/.htaccess

@@ -1,2 +1,7 @@
 Allow from all
 Options -Indexes
+
+<Files *.php>
+    Order Deny,Allow
+    Deny from all
+</Files>

edit_part_info.php

@@ -65,7 +65,7 @@
 
 // section: part attributes
 $part_id                    = isset($_REQUEST['pid'])                       ? (integer)$_REQUEST['pid']                      : -1;
-$new_name                   = isset($_POST['name'])                      ? (string)$_POST['name']                      : '';
+$new_name                   = isset($_REQUEST['name'])                      ? (string)$_REQUEST['name']                      : '';
 $new_description            = isset($_POST['description'])               ? (string)$_POST['description']               : '';
 $new_manufacturer_id        = isset($_POST['manufacturer_id'])           ? (integer)$_POST['manufacturer_id']          : 0;
 $new_instock                = isset($_POST['instock'])                   ? (integer)$_POST['instock']                  : 0;
@@ -91,7 +91,7 @@
 $new_is_master_picture      = isset($_POST['is_master_picture']);
 $attachement_id             = isset($_POST['attachement_id'])            ? (integer)$_POST['attachement_id']           : 0;
 $new_attachement_type_id    = isset($_POST['attachement_type_id'])       ? (integer)$_POST['attachement_type_id']      : 0;
-$new_name                   = isset($_POST['name'])                      ? (string)$_POST['name']                      : '';
+$new_name                   = isset($_REQUEST['name'])                      ? (string)$_REQUEST['name']                      : '';
 $new_filename               = isset($_POST['attachement_filename'])      ? toUnixPath(trim((string)$_POST['attachement_filename'])) : '';
 $download_file              = isset($_POST['download_file']);
 
@@ -287,6 +287,8 @@
                     global $config;
                     if ($config['edit_parts']['created_go_to_info'] xor $rightclicked) {
                         $html->redirect("show_part_info.php?pid=" . $part->getID(), true);
+                    } else {
+                        $html->redirect("edit_part_info.php?pid=" . $part->getID(), true);
                     }
                 } else {
                     $partname_hint = $category->getPartnameHint(true, false);
@@ -325,9 +327,9 @@
                     $messages[] = array('html' => generateInputHidden("comment", $new_comment), 'no_linebreak' => 'true');
                     $messages[] = array('html' => generateInputHidden("visible", $new_visible), 'no_linebreak' => 'true');
 
-
                     $partname_invalid = true;
                 }
+
             } catch (Exception $e) {
                 $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
             }

inc/config_defaults.php

@@ -271,7 +271,7 @@
 $config['table']['noprice_parts']['columns']            = 'hover_picture;name;description;instock_mininstock;footprint;storelocation;suppliers;supplier_partnrs;button_edit';
 $config['table']['unknown_instock_parts']['columns']    = 'hover_picture;name;description;mininstock;footprint;storelocation;suppliers;supplier_partnrs;button_edit';
 $config['table']['order_parts']['columns']              = 'hover_picture;name_description;instock_mininstock;footprint;storelocation;suppliers_radiobuttons;supplier_partnrs;single_prices;total_prices;order_quantity_edit;order_options';
-$config['table']['searched_device_parts']['columns']    = 'hover_picture;quantity_edit;mountnames_edit;name;description;category;footprint;storelocation;manufacturer';
+$config['table']['searched_device_parts']['columns']    = 'hover_picture;quantity_edit;mountnames_edit;name;description;instock_mininstock;category;footprint;storelocation';
 $config['table']['device_parts']['columns']             = 'hover_picture;name_description;quantity_edit;mountnames_edit;footprint;instock;storelocation;suppliers;supplier_partnrs;single_prices;total_prices';
 $config['table']['imported_parts']['columns']           = 'hover_picture;name;description;instock_mininstock;footprint;storelocation;suppliers;supplier_partnrs;single_prices;datasheets;attachements';
 $config['table']['location_parts']['columns']           = 'hover_picture;name;description;category;instock;mininstock;footprint;storelocation;datasheets;attachements;button_decrement;button_increment;button_edit';

inc/lib.php

@@ -270,6 +270,13 @@ function uploadFile($file_array, $destination_directory, $destination_filename =
         throw new Exception(_('Ungültiges Array übergeben!'));
     }
 
+    //Dont allow to upload a PHP file.
+    if(strpos($file_array['name'], ".php") != false
+        || strpos($destination_filename, ".php") != false)
+    {
+        throw new \Exception(_("Es ist nicht erlaubt PHP Dateien hochzuladen!"));
+    }
+
     if ($destination_filename == null) {
         $destination_filename = $file_array['name'];
     }
@@ -561,6 +568,11 @@ function downloadFile($url, $path, $filename = "", $download_override = false)
         $filename = basename($parts['path']);
     }
 
+    //Dont allow to upload a PHP file.
+    if(strpos($filename, ".php") != false) {
+        throw new \Exception(_("Es ist nicht erlaubt PHP Dateien herunterzuladen!"));
+    }
+
     set_time_limit(30);
 
     createPath($path);
@@ -1353,13 +1365,18 @@ function formatTimestamp($timestamp)
     }
 }
 
-function generatePagination($page_link, $selected_page, $limit, $max_entries)
+function generatePagination($page_link, $selected_page, $limit, $max_entries, $get_params = null)
 {
     $links = array();
 
+    $get_string = "";
+    if(!empty($get_params)) {
+        $get_string = '&' . http_build_query($get_params);
+    }
+
     //Back to first page
     $links[] = array("label" => '<i class="fa fa-angle-double-left" aria-hidden="true"></i>',
-        "href" => $page_link . "&page=1&limit=$limit",
+        "href" => $page_link . "&page=1&limit=$limit" . $get_string,
         "disabled" => $selected_page == 1,
         "hint" => _("Springe zur ersten Seite"));
 
@@ -1376,24 +1393,31 @@ function generatePagination($page_link, $selected_page, $limit, $max_entries)
 
     for ($n=$min_number; $n <= $max_number; $n++) {
         $links[] = array("label" => $n,
-            "href" => $page_link . "&page=" . ($n). "&limit=$limit",
+            "href" => $page_link . "&page=" . ($n). "&limit=$limit" . $get_string,
             "active" => $n == $selected_page);
     }
 
     //Jump to last page.
     $links[] = array("label" => '<i class="fa fa-angle-double-right" aria-hidden="true"></i>',
-        "href" => $page_link . "&page=$max_page&limit=$limit",
+        "href" => $page_link . "&page=$max_page&limit=$limit" . $get_string,
         "disabled" => $selected_page == $max_page,
         "hint" => _("Springe zur letzten Seite"));
 
     //Show all results
     $links[] = array("label" => '<i class="fa fa-bars" aria-hidden="true"></i>',
-        "href" => $page_link . "&page=0",
+        "href" => $page_link . "&page=0" . $get_string,
         "active" => $selected_page == 0,
-        "hint" => _("Zeige alle Bauteile"));
+        "hint" => _("Alle anzeigen"));
+
+    $upper_results = ($selected_page * $limit + 1) <= $max_entries && $selected_page > 0 ? $selected_page * $limit : $max_entries;
+    if($upper_results == 0) {
+        $lower_results = 0;
+    } else {
+        $lower_results = $selected_page > 0 ? ($selected_page - 1) * $limit + 1 : 1;
+    }
 
-    return array("lower_result" => $selected_page > 0 ? ($selected_page -1) * $limit + 1 : 1,
-        "upper_result" => ($selected_page * $limit +1) <= $max_entries && $selected_page > 0 ? $selected_page * $limit +1 : $max_entries,
+    return array("lower_result" =>  $lower_results,
+        "upper_result" => $upper_results,
         "max_entries" => $max_entries,
         "entries" => $links);
 }

lib/Attachement.php

@@ -223,6 +223,11 @@ public function getElement()
         return $this->element;
     }
 
+    public function isFileExisting()
+    {
+        return file_exists($this->getFilename()) || isURL($this->getFilename());
+    }
+
     /**
      * Get the filename (absolute path from filesystem root, as a UNIX path [only slashes])
      *

lib/LogSystem/InstockChangedEntry.php

@@ -198,6 +198,9 @@ public static function add(&$database, &$current_user, &$log, &$part, $old_insto
         }
 
         if (!is_int($old_instock) || !is_int($new_instock)) {
+            if (is_float($old_instock) || is_float($new_instock)) {
+               throw new \RuntimeException(sprintf(_('Es können maximal %d Bauteile vorhanden sein!'), PHP_INT_MAX));
+            }
             throw new \RuntimeException(_('$old_instock und $new_instock müssen vom Typ int sein'));
         }
 

lib/Part.php

@@ -1541,10 +1541,9 @@ public function buildTemplateTableRowArray($table_type, $row_index, $additional_
             switch ($caption) {
                 case 'hover_picture':
                     $picture_filename = str_replace(BASE, BASE_RELATIVE, $this->getMasterPictureFilename(true));
-                    if(!file_exists($this->getMasterPictureFilename(true))) { //When filename is invalid then dont show picture.
+                    if($this->getMasterPictureAttachement() != null && !$this->getMasterPictureAttachement()->isFileExisting()) { //When filename is invalid then dont show picture.
                         $picture_filename = "";
                     }
-
                     $row_field['picture_name']  = strlen($picture_filename) ? basename($picture_filename) : '';
                     $row_field['small_picture'] = strlen($picture_filename) ? $picture_filename : '';
                     $row_field['hover_picture'] = strlen($picture_filename) ? $picture_filename : '';