Skip to content

Commit

Permalink
Merge branch 'develop' of [email protected]:Dolibarr/dolibarr.git into d…
Browse files Browse the repository at this point in the history
…evelop
  • Loading branch information
eldy committed Nov 16, 2023
2 parents e910c3f + e47811a commit f5af021
Show file tree
Hide file tree
Showing 19 changed files with 112 additions and 59 deletions.
16 changes: 8 additions & 8 deletions .github/CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,12 @@ Bug reports and feature requests
<a name="not-a-support-forum"></a>*Note*: **GitHub Issues is not a support forum.** If you have questions about Dolibarr / need help using the software, please use [the forums](https://www.dolibarr.org/forum.php). Forums exist in different languages.

Issues are managed on [GitHub](https://github.com/Dolibarr/dolibarr/issues).
Default **language here is english**. So please prepare your contributions in english.
Default **language here is English**. So please prepare your contributions in English.

1. Please [use the search engine](https://help.github.com/articles/searching-issues) to check if nobody's already reported your problem.
2. [Create an issue](https://help.github.com/articles/creating-an-issue). Choose an appropriate title. Prepend appropriately with Bug or Feature Request.
3. Tell us the version you are using! (look at /htdocs/admin/system/dolibarr.php? and check if you are using the latest version)
4. Write a report with as much detail as possible (Use [screenshots](https://help.github.com/articles/issue-attachments) or even screencasts and provide logging and debugging informations whenever possible).
4. Write a report with as much detail as possible (Use [screenshots](https://help.github.com/articles/issue-attachments) or even screencasts and provide logging and debugging information whenever possible).
5. Delete unnecessary submissions.
6. **Check your Message at Preview before sending.**

Expand Down Expand Up @@ -45,12 +45,12 @@ The rule N - 2 is just a tip if you don't know which version to choose to get th
and number of potential beneficiaries of the correction.

### General rules
Please don't edit the ChangeLog file. File will be generated from all commit messages during release process by the project manager.
Please don't edit the ChangeLog file. This file is generated from all commit messages during release process by the project manager.

### <a name="commits"></a>Commits
Use clear commit messages with the following structure:

```
```plaintext
[KEYWORD] [ISSUENUM] DESC
LONGDESC
Expand All @@ -68,12 +68,12 @@ where
#### Keyword
In uppercase if you want to have the log comment appears into the generated ChangeLog file.

The keyword can be ommitted if your commit does not fit in any of the following categories:
The keyword can be omitted if your commit does not fit in any of the following categories:

- Fix/FIX: for a bug fix
- Close/CLOSE: for closing a referenced feature request
- New/NEW: for an unreferenced new feature (Opening a feature request and using close is prefered)
- Perf/PERF: for performance enhancement
- New/NEW: for an unreferenced new feature (Opening a feature request and using close is preferred)
- Perf/PERF: for a performance enhancement
- Qual/QUAL: for quality code enhancement or re-engineering

#### Issuenum
Expand Down Expand Up @@ -150,7 +150,7 @@ All other translations are managed online at [Transifex](https://www.transifex.c

Translations done on transifex are available in the next major release.

Note: Sometimes, the source text (english) is modified. In such a case, the translation is reset. Transifex assume that if the original source
Note: Sometimes, the source text (English) is modified. In such a case, the translation is reset. Transifex assume that if the original source
has changed, the translation is surely no more correct so must be done again. But old translation is not lost and you can use the tab "History"
to retrieve all old translation of a source text, and restore the translation in one click with no need to retranslate it if there is no need to.

Expand Down
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,4 +68,4 @@ body:
id: files
attributes:
label: Attached files
description: Screenshots, screencasts, dolibarr.log, debugging informations
description: Screenshots, screencasts, dolibarr.log, debugging information
2 changes: 1 addition & 1 deletion .github/workflows/github_ci_php71_pgsql.yml.disabled
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ jobs:
sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo service apache2 restart
curl -I localhost
- name: Chech Apache availability
- name: Check Apache availability
run: |
echo "Checking webserver availability by a wget -O - --debug http://127.0.0.1"
# Ensure we stop on error with set -e
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/github_ci_php81_mysql.yml.disabled
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ jobs:
sudo cat /etc/apache2/sites-enabled/000-default.conf
sudo service apache2 restart
curl -I localhost
- name: Chech Apache availability
- name: Check Apache availability
run: |
echo "Checking webserver availability by a wget -O - --debug http://127.0.0.1"
# Ensure we stop on error with set -e
Expand Down
24 changes: 12 additions & 12 deletions README-FR.md
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ Note: *Le processus de migration peut être lancé manuellement et plusieurs foi

## CE QUI EST NOUVEAU

See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog) file.
Voir le fichier [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog).

## CE QUE DOLIBARR PEUT FAIRE

Expand All @@ -88,11 +88,11 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
- Gestion de contrats de services
- Gestion de stock et inventaires
- Gestion des expéditions
- Gestion des demandes de congès
- Gestion des demandes de congés
- Gestion des notes de frais
- Gestion de recrutement
- GED (Gestion Electronique de Documents)
- EMailings de masse
- E-Mailings de masse
- Réalisation de sondages
- Gestion d'adhérents
- Point de vente/Caisse enregistreuse
Expand All @@ -107,17 +107,17 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
- Support des codes barres
- Calcul des marges
- Connectivité LDAP
- Intégratn de ClickToDial
- Intégration de ClickToDial
- Intégration RSS
- Intégation Skype
- Intégration de système de paiements (Paypal, Stripe, Paybox...)
- Intégration Skype
- Intégration de système de paiements (PayPal, Stripe, Paybox...)
-

### Divers

- Multi-langue.
- Multi-utilisateurs avec différents niveaux de permissions par module.
- Multi-devise.
- Multidevise.
- Peux être multi-société par ajout du module externe multi-société.
- Plusieurs thèmes visuels.
- Application simple à utiliser.
Expand All @@ -127,7 +127,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
- Génération PDF et ODT des éléments (factures, propositions commerciales, commandes, bons expéditions, etc...)
- Code simple et facilement personnalisable (pas de framework lourd; mécanisme de hook et triggers).
- Support natif de nombreuses fonctions spécifiques aux pays comme:
- La tax espagnole TE et ISPF
- La taxe espagnole TE et ISPF
- Gestion de la TVA NPR (non perçue récupérable - pour les utilisateurs français des DOM-TOM)
- La loi française Finance 2016 et logiciels de caisse
- La double taxe canadienne
Expand All @@ -139,7 +139,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)

### Extension

Dolibarr peut aussi être étendu à volonté avec l'ajout de module/applications externes développées par des développeus tiers, disponible sur [DoliStore](https://www.dolistore.com).
Dolibarr peut aussi être étendu à volonté avec l'ajout de modules/applications externes développées par des développeurs tiers, disponible sur [DoliStore](https://www.dolistore.com).

## CE QUE DOLIBARR NE PEUT PAS (ENCORE) FAIRE

Expand Down Expand Up @@ -168,15 +168,15 @@ Voir le fichier [COPYRIGHT](https://github.com/Dolibarr/dolibarr/blob/develop/CO

## ACTUALITES ET RESEAUX SOCIAUX

Suivez le projet Dolibarr project sur les réseaux francophones
Suivez le projet Dolibarr sur les réseaux francophones

- [Facebook](https://www.facebook.com/dolibarr.fr)
- [Twitter](https://www.twitter.com/dolibarr_france)
- [X](https://www.twitter.com/dolibarr_france)

ou sur les réseaux anglophones

- [Facebook](https://www.facebook.com/dolibarr)
- [Twitter](https://www.twitter.com/dolibarr)
- [X](https://www.twitter.com/dolibarr)
- [LinkedIn](https://www.linkedin.com/company/association-dolibarr)
- [YouTube](https://www.youtube.com/user/DolibarrERPCRM)
- [GitHub](https://github.com/Dolibarr/dolibarr)
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)

Product Management

- Products and/or Services catalog
- Products and/or Services catalogue
- Stock / Warehouse management + Inventory
- Barcodes
- Batches / Lots / Serials
Expand Down Expand Up @@ -239,7 +239,7 @@ See [COPYRIGHT](https://github.com/Dolibarr/dolibarr/blob/develop/COPYRIGHT) fil
Follow Dolibarr project on:

- [Facebook](https://www.facebook.com/dolibarr)
- [Twitter](https://www.twitter.com/dolibarr)
- [X](https://x.com/dolibarr)
- [LinkedIn](https://www.linkedin.com/company/association-dolibarr)
- [Reddit](https://www.reddit.com/r/Dolibarr_ERP_CRM/)
- [YouTube](https://www.youtube.com/user/DolibarrERPCRM)
Expand Down
32 changes: 16 additions & 16 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,25 +20,25 @@ We believe that the future of software is online SaaS. This means software are m

If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and Dolibarr infrastructure.
Any type of denial-of-service attack is strictly forbidden, as well as any interference with network equipment and Dolibarr infrastructure.

We recommand to install Dolibarr ERP CRM on your own server (as most Open Source software, download and use is free: [https://www.dolibarr.org/download](https://www.dolibarr.org/download)) to get access on every side of application.
We recommend to install Dolibarr ERP CRM on your own server (as most Open Source software, download and use is free: [https://www.dolibarr.org/download](https://www.dolibarr.org/download)) to get access on every side of application.

### User Agent

If you try to find bug on Dolibarr, we recommend to append to your user-agent header the following value: '-securitytest-for-dolibarr'.

### Account access

You can install the web application yourself on your own platform/server so you get full access to application and sources. Download the zip of the files to put into your own web server virtual host from [https://www.dolibarr.org/download](https://www.dolibarr.org/download)
You can install the web application yourself on your own platform/server so you get full access to application and sources. Download the zip of the files to put in your own web server virtual host from [https://www.dolibarr.org/download](https://www.dolibarr.org/download)

## Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Dolibarr, however only those that meet the following eligibility requirements will be "validated reports" (if not, we may close the report without any answer):

You must be the first reporter of the vulnerability (duplicate reports are closed).

You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second), that's why we recommand to install software on your own platform.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second), that's why we recommend to install software on your own platform.

You must not leak, manipulate, or destroy any user data of third parties to find your vulnerability.

Expand All @@ -48,36 +48,36 @@ Reports are processed around once a month.

ONLY vulnerabilities discovered, when the following setup on test platform is used, are "valid":

* The version to analyze must be the last version available into "develop" branch or into last stable "vX.Y" released version. Reports on vulnerabilities already fixed (so already reported) into the develop branch will not be validated.
* $dolibarr_main_prod must be set to 1 into conf.php
* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value)
* The version to analyze must be the last version available in the "develop" branch or in the last stable "vX.Y" released version. Reports on vulnerabilities already fixed (so already reported) in the develop branch will not be validated.
* $dolibarr_main_prod must be set to 1 in conf.php
* $dolibarr_nocsrfcheck must be kept to the value 0 in conf.php (this is the default value)
* $dolibarr_main_force_https must be set to something else than 0.
* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 3 into backoffice menu Home - Setup - Other (this protection should be set to 3 soon by default). CSRF attacks are accepted but
* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 3 in the backoffice menu Home - Setup - Other (this protection should be set to 3 soon by default). CSRF attacks are accepted but
double check that you have set MAIN_SECURITY_CSRF_WITH_TOKEN to value 3.
* ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
* ONLY security reports on modules provided by default and with the "stable" status are valid (troubles in "experimental", "development" or external modules are not valid vulnerabilities).
* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
* The web server setup must be done so that only the documents directory is in write mode. The root directory called htdocs must be read-only.
* The modules DebugBar and ModuleBuilder must NOT be enabled. (by default, these modules are not enabled. They are developer tools)
* Ability for a high level user to edit web site pages into the CMS by including HTML or Javascript is an expected feature. Vulnerabilities into the website module are validated only if HTML or Javascript injection can be done by a non allowed user.
* Fail2ban rules for rate limit on the login page,password forgotten page, api calls and all public pages (/public/*) must be installed as recommendend into the section "About - Admin tools - Section Access limits and mitigation".
* Ability for a high-level user to edit web site pages in the CMS by including HTML or JavaScript is an expected feature. Vulnerabilities in the website module are validated only if HTML or JavaScript injection can be done by a non-allowed user.
* Fail2ban rules for rate limit on the login page, forgotten password page, API calls and all public pages (/public/*) must be installed as recommended in the section "About - Admin tools - Section Access limits and mitigation".

Scope is the web application (back office) and the APIs.
Scope is the web application (backoffice) and the APIs.

## Examples of vulnerabilities that are Qualified for reporting.

* Remote code execution (RCE)
* Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
* Code injections (JS, SQL, PHP). HTML are covered only for fields that are not description, notes or comments fields (where rich content is allowed on purpose).
* Cross-Site Scripting (XSS), except from setup page of module "External web site" (allowing any content here, editable by admin user only, is accepted on purpose) and except into module "Web site" when permission to edit website content is allowed (injecting any data in this case is allowed too).
* Cross-Site Scripting (XSS), except from setup page of module "External web site" (allowing any content here, editable by admin user only, is accepted on purpose) and except in the module "Web site" when permission to edit website content is allowed (injecting any data in this case is allowed too).
* Cross-Site Requests Forgery (CSRF) with real security impact (when using GET URLs, CSRF are qualified only for creating, updating or deleting data from pages restricted to admin users)
* Open redirect
* Broken authentication & session management
* Insecure direct object references (IDOR)
* Cross-Origin Resource Sharing (CORS) with real security impact
* Horizontal and vertical privilege escalation
* "HTTP Host Header" XSS
* Software version disclosure (for non admin users only)
* Stack traces or path disclosure (for non admin users only)
* Software version disclosure (for non-admin users only)
* Stack traces or path disclosure (for non-admin users only)

## Examples of vulnerabilities that are Non-qualified for reporting.

Expand All @@ -95,5 +95,5 @@ Scope is the web application (back office) and the APIs.
* Reports on features flagged as "experimental" or "development"
* Software version or private IP disclosure when logged-in user is admin
* Stack traces or path disclosure when logged-in user is admin
* Any vulnerabilities due to a configuration different than the one defined into chapter "Scope for qualified vulnerabilities".
* Any vulnerabilities due to a configuration different than the one defined in chapter "Scope for qualified vulnerabilities".
* Brute force attacks on login page, password forgotten page or any public pages (/public/*) are not qualified if the fail2ban recommended fail2ban rules were not installed.
2 changes: 1 addition & 1 deletion build/docker/README.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# How to use it ?

The docker-compose.yml file is a sample of a config file to use to build and run Dolibarr in the current workspace with Docker.
This docker image is intended for developpement usage.
This docker image is intended for development usage.
For production usage you should consider other contributor reference like https://hub.docker.com/r/tuxgasy/dolibarr

Before build/run, define the variable HOST_USER_ID as following:
Expand Down
Loading

0 comments on commit f5af021

Please sign in to comment.