From 379d096f88e95ed3cabccc990469de9521c653a0 Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 29 Aug 2015 21:29:01 -0400
Subject: [PATCH 1/8] #331 Update admin_settings_save

---
 admin/admin_settings_save.php | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/admin/admin_settings_save.php b/admin/admin_settings_save.php
index cd9e186c..54f38115 100644
--- a/admin/admin_settings_save.php
+++ b/admin/admin_settings_save.php
@@ -35,6 +35,12 @@
 define('IN_SCRIPT',1);
 define('HESK_PATH','../');
 
+// Make sure OPcache is reset when modifying settings
+if ( function_exists('opcache_reset') )
+{
+	opcache_reset();
+}
+
 /* Get all the required files and functions */
 require(HESK_PATH . 'hesk_settings.inc.php');
 require(HESK_PATH . 'modsForHesk_settings.inc.php');
@@ -108,7 +114,7 @@ else
 /* --> Helpdesk settings */
 $set['hesk_title'] = hesk_input( hesk_POST('s_hesk_title'), $hesklang['err_htitle']);
 $set['hesk_title'] = str_replace('\\"','"',$set['hesk_title']);
-$set['hesk_url'] = hesk_input( hesk_POST('s_hesk_url'), $hesklang['err_hurl']);
+$set['hesk_url'] = rtrim( hesk_input( hesk_POST('s_hesk_url'), $hesklang['err_hurl']), '/');
 
 // ---> check admin folder
 $set['admin_dir'] = isset($_POST['s_admin_dir']) && ! is_array($_POST['s_admin_dir']) ? preg_replace('/[^a-zA-Z0-9_-]/', '', $_POST['s_admin_dir']) : 'admin';
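Review bot: The opcache_reset() call is placed before any file is required, so it runs for every request that reaches admin_settings_save.php, including unauthenticated ones, because no session or permission check can have executed yet at that point; a flush of the whole opcode cache on demand is a cheap denial-of-service lever. It also runs before the settings file is rewritten (further down, outside the hunk), so a concurrent request can recompile the old hesk_settings.inc.php into the cache before the new contents land. Move the reset to just after the settings file is written, behind the existing auth checks, and invalidate only the rewritten file rather than the whole cache: `if (function_exists('opcache_invalidate')) { opcache_invalidate(HESK_PATH . 'hesk_settings.inc.php', true); }`. Note that with opcache.restrict_api set the call returns false and warns, so its result should not be relied on either way.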
@@ -487,6 +493,19 @@ for ($i=1;$i<=20;$i++)
 		{
 			$set['custom_fields'][$this_field]['type'] = 'text';
 		}
+
+		// Try to detect if field type changed to anything except "select"
+		if ($set['custom_fields'][$this_field]['type'] != 'select')
+		{
+			// If type is "radio" or "checkbox" remove "please select", keep other options
+			$set['custom_fields'][$this_field]['value'] = str_replace('{HESK_SELECT}', '', $set['custom_fields'][$this_field]['value']);
+
+			// Field type changed to "text" or "textarea", clear default value if it contains "#HESK#" separator
+			if ( in_array($set['custom_fields'][$this_field]['type'], array('text','textarea')) && ! in_array($hesk_settings['custom_fields'][$this_field]['type'], array('text','textarea')) && strpos($set['custom_fields'][$this_field]['value'], '#HESK#') !== false )
+			{
+				$set['custom_fields'][$this_field]['value'] = '';
+			}
+		}
 	}
 	else
 	{

From 3619a4c5075f9680df09dd6ac8fc68a76f8211ce Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 29 Aug 2015 21:29:12 -0400
Subject: [PATCH 2/8] #331 Update password

---
 admin/password.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/admin/password.php b/admin/password.php
index 4811a896..754a5736 100644
--- a/admin/password.php
+++ b/admin/password.php
@@ -238,6 +238,9 @@ elseif ( isset($_GET['h']) )
 	// Expire all verification hashes for this user
 	hesk_dbQuery("DELETE FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."reset_password` WHERE `user`=".intval($row['user']));
 
+	// Load additional required functions
+	require(HESK_PATH . 'inc/admin_functions.inc.php');
+
 	// Get user details
 	$res = hesk_dbQuery('SELECT * FROM `'.$hesk_settings['db_pfix']."users` WHERE `id`=".intval($row['user'])." LIMIT 1");
 	$row = hesk_dbFetchAssoc($res);
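Review bot: The str_replace() removes only the `{HESK_SELECT}` token and not the `#HESK#` separator beside it, so if the token is stored as its own option (which the separator check two lines further down suggests) a field switched from select to radio or checkbox keeps an empty leading option. If the token is always the first option, `preg_replace('/^\{HESK_SELECT\}(#HESK#)?/', '', ...)` removes both; otherwise strip the token and then re-join the non-empty parts. The inner condition also reads `$hesk_settings['custom_fields'][$this_field]['type']` as the previous type, which is only defined if every custom field key already exists in the loaded settings; if that is not guaranteed, guard it with isset(). Both in_array() calls should pass `true` as the third argument so a type such as `0` cannot match loosely. The enclosing for loop starts and ends outside the hunk.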
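Review bot: The new `require(HESK_PATH . 'inc/admin_functions.inc.php')` is placed inside a branch, so if that file is, or later becomes, included earlier in password.php or by one of the files it already loads, PHP aborts with a function redeclaration fatal error on this exact path; `require_once(HESK_PATH . 'inc/admin_functions.inc.php');` is the safe form. The enclosing elseif branch starts outside the hunk.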
@@ -245,6 +248,11 @@ elseif ( isset($_GET['h']) )
 	{
 		$_SESSION[$k]=$v;
 	}
+
+	// Set a tag that will be used to expire sessions after username or password change
+	$_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['user'], $_SESSION['pass']);
+
+	// We don't need the password hash anymore
 	unset($_SESSION['pass']);
 
 	// Clean brute force attempts

From a0958641ff0416f1e8456fc30fa7527f992817af Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 29 Aug 2015 21:29:22 -0400
Subject: [PATCH 3/8] #331 Update admin_functions

---
 inc/admin_functions.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inc/admin_functions.inc.php b/inc/admin_functions.inc.php
index 03224155..c518dd99 100644
--- a/inc/admin_functions.inc.php
+++ b/inc/admin_functions.inc.php
@@ -758,13 +758,13 @@ function hesk_checkPermission($feature,$showerror=1)
 {
 	global $hesklang;
 	/* Admins have full access to all features */
-	if ($_SESSION['isadmin'])
+	if (isset($_SESSION['isadmin']) && $_SESSION['isadmin'])
 	{
 		return true;
 	}
 
 	/* Check other staff for permissions */
-	if (strpos($_SESSION['heskprivileges'], $feature) === false)
+	if (isset($_SESSION['heskprivileges']) && strpos($_SESSION['heskprivileges'], $feature) === false)
 	{
 		if ($showerror)
 		{

From f3d84cf361ab757a3bf6e4e9d7cea36cf1cd9531 Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 29 Aug 2015 21:29:35 -0400
Subject: [PATCH 4/8] #331 Update common

---
 inc/common.inc.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/inc/common.inc.php b/inc/common.inc.php
index 8fe783c0..f033a92e 100644
--- a/inc/common.inc.php
+++ b/inc/common.inc.php
@@ -37,6 +37,12 @@ if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
 
 #error_reporting(E_ALL);
 
+// Set correct Content-Type header
+if ( ! defined('NO_HTTP_HEADER') )
+{
+	header('Content-Type: text/html; charset=utf-8');
+}
+
 // Set backslash options
 if (get_magic_quotes_gpc())
 {

From b774572766026d01562feb0c94035201f3f9bd55 Mon Sep 17 00:00:00 2001
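Review bot: The session tag is written into a session that the preceding foreach has just turned into an authenticated staff session, and nothing in the hunk regenerates the session ID first; unless that happens earlier in this elseif branch (which starts outside the hunk), the ID the visitor arrived with on the reset link is kept, which is a session-fixation window on a password-reset path. Add `session_regenerate_id(true);` before the foreach that copies `$row` into `$_SESSION`. Since `hesk_activeSessionCreateTag` (not in the hunk) is fed the stored password hash, also confirm that it derives a one-way tag from it rather than storing the hash itself in the session.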
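Review bot: The second change fails open: when `heskprivileges` is absent from the session the new condition is false, the deny branch is skipped, and if the function's tail (outside the hunk) ends by returning true as it does for admins, a non-admin session with no privilege string is granted every feature, whereas the old code denied it (with a notice). The first change has the right polarity; mirror it by treating absence as denial: `if ( ! isset($_SESSION['heskprivileges']) || strpos($_SESSION['heskprivileges'], $feature) === false)`. The function continues past the hunk.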
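Review bot: Pinning the charset is a good XSS hardening step, and since this is now the one place response headers are set on include it is also where `header('X-Content-Type-Options: nosniff');` belongs, placed outside the NO_HTTP_HEADER guard so scripts that serve non-HTML (downloads, JSON) still get it and browsers do not sniff uploaded content into HTML. The guard also does not cover the case where output was already sent before common.inc.php is included, in which case header() only emits a warning; gating on `! headers_sent()` makes that explicit.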
From: Mike Koch Date: Sat, 29 Aug 2015 21:30:20 -0400 Subject: [PATCH 5/8] #331 Update email_functions --- inc/email_functions.inc.php | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/inc/email_functions.inc.php b/inc/email_functions.inc.php index fc335c19..134c484d 100644 --- a/inc/email_functions.inc.php +++ b/inc/email_functions.inc.php @@ -104,7 +104,7 @@ function hesk_notifyCustomer($email_template = 'new_ticket') $changedLanguage = false; //Set the user's language according to the ticket. - if ($ticket['language'] !== NULL) + if (isset($ticket['language']) && $ticket['language'] !== NULL) { hesk_setLanguage($ticket['language']); $changedLanguage = true; @@ -135,10 +135,7 @@ function hesk_notifyCustomer($email_template = 'new_ticket') hesk_mail($ticket['email'], $subject, $message, $htmlMessage, $ccEmails, $bccEmails, $hasMessage); // Reset the language if it was changed - if ($changedLanguage) - { - hesk_resetLanguage(); - } + hesk_resetLanguage(); return true; From 39a49b9cf510e6f7db58c8375969c2a7edd86f97 Mon Sep 17 00:00:00 2001 From: Mike Koch Date: Sat, 29 Aug 2015 21:31:36 -0400 Subject: [PATCH 6/8] #331 Update recaptchalib --- inc/recaptcha/recaptchalib_v2.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/recaptcha/recaptchalib_v2.php b/inc/recaptcha/recaptchalib_v2.php index 9b035ada..4fdae35f 100755 --- a/inc/recaptcha/recaptchalib_v2.php +++ b/inc/recaptcha/recaptchalib_v2.php @@ -52,7 +52,7 @@ class ReCaptcha * * @param string $secret shared secret between site and ReCAPTCHA server. */ - function ReCaptcha($secret) + function __construct($secret) { if ($secret == null || $secret == "") { die("To use reCAPTCHA you must get an API key from
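Review bot: `isset($ticket['language']) && $ticket['language'] !== NULL` is redundant, because isset() already returns false for a null element, so `if (isset($ticket['language']))` expresses the same test. If the intent was to keep treating an explicit null differently from a missing key (the old code only ever saw the former), `array_key_exists('language', $ticket)` is the call that makes that distinction.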
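Review bot: With hesk_resetLanguage() now called unconditionally, `$changedLanguage` is assigned in the earlier hunk but never read, so both assignments are dead and should be removed along with it. Also confirm that hesk_resetLanguage() (outside the hunk) restores the language that was active before this function ran rather than the site default; if it does not, a notification sent from an admin session in a non-default language now flips that session to the default, which the old `if ($changedLanguage)` guard avoided.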