CVE-2022-2493: bug fixes b1 (#5280) · openemr/openemr@871ae51
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
@@ -16,6 +16,7 @@
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Crypto\CryptoGen;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Services\FacilityService;
use OpenEMR\Services\PatientService;
@@ -1063,9 +1064,17 @@ public function list_action($patient_id = “”)
$cur_pid = isset($_GET[‘patient_id’]) ? filter_input(INPUT_GET, ‘patient_id’) : '’;
$used_msg = xl(‘Current patient unavailable here. Use Patient Documents’);
if ($cur_pid == ‘00’) {
if (!AclMain::aclCheckCore('patients’, 'docs’, '’, ['write’, ‘addonly’])) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Documents”)]);
exit;
}
$cur_pid = '0’;
$is_new = 1;
}
if (!AclMain::aclCheckCore('patients’, ‘docs’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Documents”)]);
exit;
}
$this->assign('is_new’, $is_new);
$this->assign('place_hld’, $place_hld);
$this->assign('cur_pid’, $cur_pid);
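Review bot: `if ($cur_pid == '00')` is a loose comparison, and PHP compares two numeric strings numerically, so `patient_id=0`, `0.0`, `00` or ` 0` all enter the "new document" branch rather than only the literal sentinel; use `if ($cur_pid === '00') {` so the ACL write/addonly gate and the `$cur_pid = '0'` rewrite apply exactly to the intended value. `filter_input(INPUT_GET, 'patient_id')` with no filter argument returns the raw string, so nothing else in the hunk validates the id before it is assigned to the template. If `$is_new` is not initialised above the hunk, `$this->assign('is_new', $is_new)` reads an undefined variable on the non-sentinel path — cannot confirm from here. `list_action` starts before the hunk and continues past it.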
@@ -1,5 +1,8 @@
<?php
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
class C_PracticeSettings extends Controller
{
var $template_mod;
@@ -14,6 +17,11 @@ function __construct($template_mod = “general”)
$this->assign("TOP_ACTION", $GLOBALS[‘webroot’] . “/controller.php?” . “practice_settings” . “&”);
$this->assign("STYLE", $GLOBALS[‘style’]);
$this->direction = ($GLOBALS[‘_SESSION’][‘language_direction’] == ‘rtl’) ? ‘right’ : 'left’;
if (!AclMain::aclCheckCore('admin’, ‘practice’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Practice Settings”)]);
exit;
}
}
function default_action($display = “”)
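Review bot: The `admin/practice` guard lives inside `__construct`, so merely instantiating `C_PracticeSettings` renders the unauthorized page and exits; that gates every action of the controller, but output and process termination in a constructor is unusual enough to deserve a comment such as `// Fail closed for every practice_settings action: no object is constructed without admin/practice.`. Moving the check to the constructor's first statement, ahead of the `assign()` calls, also avoids doing template setup for a request that is about to be rejected. The constructor begins before the hunk.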
@@ -27,8 +27,15 @@
require_once(“$srcdir/options.inc.php”);
require_once(“$srcdir/payment.inc.php”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('acct’, 'bill’, '’, ‘write’) && !AclMain::aclCheckCore('acct’, 'eob’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Confirm Payment”)]);
exit;
}
$screen = 'edit_payment’;
// Deletion of payment distribution code
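Review bot: The deny path `echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', [...]); exit;` is repeated verbatim in this hunk and in every other file of the commit, differing only in the page title; a single helper (for example a static `AclMain::denyAndExit(string $pageTitle)` or a method on `TwigContainer`) would keep the template name and the `exit` in one place so a later change to the deny page cannot miss a file. The guard itself is fine for this file: write access on either `acct/bill` or `acct/eob` is required before the payment-edit logic that follows.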
@@ -23,10 +23,17 @@
use OpenEMR\Billing\ParseERA;
use OpenEMR\Billing\SLEOB;
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
use OpenEMR\OeUI\OemrUI;
if (!AclMain::aclCheckCore('acct’, 'bill’, '’, ‘write’) && !AclMain::aclCheckCore('acct’, 'eob’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“ERA Posting”)]);
exit;
}
$hidden_type_code = isset($_POST[‘hidden_type_code’]) ? $_POST[‘hidden_type_code’] : '’;
$check_date = isset($_POST[‘check_date’]) ? $_POST[‘check_date’] : '’;
$post_to_date = isset($_POST[‘post_to_date’]) ? $_POST[‘post_to_date’] : '’;
@@ -17,9 +17,16 @@
require_once(“…/globals.php”);
require_once(“$srcdir/patient.inc”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('acct’, ‘rep_a’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Indigent Patients Report”)]);
exit;
}
$alertmsg = '’;
function bucks($amount)
@@ -25,9 +25,16 @@
require_once(“$srcdir/payment.inc.php”);
use OpenEMR\Billing\ParseERA;
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
use OpenEMR\OeUI\OemrUI;
if (!AclMain::aclCheckCore('acct’, 'bill’, '’, ‘write’) && !AclMain::aclCheckCore('acct’, 'eob’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“New Payment”)]);
exit;
}
//===============================================================================
$screen = 'new_payment’;
//===============================================================================
@@ -23,9 +23,16 @@
require_once(“$srcdir/options.inc.php”);
require_once(“$srcdir/payment.inc.php”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
use OpenEMR\OeUI\OemrUI;
if (!AclMain::aclCheckCore('acct’, 'bill’, '’, ‘write’) && !AclMain::aclCheckCore('acct’, 'eob’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Search Payment”)]);
exit;
}
//===============================================================================
//Deletion of payment and its corresponding distributions.
//===============================================================================
@@ -36,10 +36,17 @@
use OpenEMR\Billing\InvoiceSummary;
use OpenEMR\Billing\ParseERA;
use OpenEMR\Billing\SLEOB;
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
use OpenEMR\OeUI\OemrUI;
if (!AclMain::aclCheckCore('acct’, 'eob’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“EOB Posting - Search”)]);
exit;
}
$DEBUG = 0; // set to 0 for production, 1 to test
$alertmsg = '’;
$where = '’;
@@ -36,8 +36,14 @@
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('acct’, ‘rep’) && !AclMain::aclCheckCore('acct’, ‘rep_a’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Cash Receipts by Provider”)]);
exit;
}
function is_clinic($code)
{
global $bcodes;
@@ -60,11 +66,6 @@ function bucks($amount)
}
}
if (! AclMain::aclCheckCore('acct’, ‘rep’)) {
die(xlt(“Unauthorized access.”));
}
$form_use_edate = $_POST[‘form_use_edate’] ?? null;
$form_proc_codefull = trim($_POST[‘form_proc_codefull’] ?? ‘’);
@@ -373,6 +374,11 @@ function sel_diagnosis() {
<?php
if ($_POST[‘form_refresh’]) {
$form_doctor = $_POST[‘form_doctor’];
if (!AclMain::aclCheckCore('acct’, ‘rep_a’)) {
// only allow user to see their encounter information
$form_doctor = $_SESSION[‘authUserID’];
}
$arows = array();
$ids_to_skip = array();
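Review bot: The own-encounter fallback `$form_doctor = $_SESSION['authUserID'];` is applied only inside the `if ($_POST['form_refresh'])` branch, so any other place in this report that reads `$_POST['form_doctor']` directly (a CSV export path or the initial form render, not visible here) is not restricted by it; resolving `$form_doctor` once near the top, right after the new `rep`/`rep_a` guard, and having the rest of the file use only that variable would close that gap. Note that the top guard now admits `acct/rep_a` alone where the replaced check required `acct/rep`, so the effective rule becomes "rep_a sees any provider, rep sees only self" — a comment above the fallback such as `// Without acct/rep_a the report is limited to the current user's own encounters` would make that intent explicit. The PHP block enclosing these lines continues past the hunk.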
@@ -18,8 +18,15 @@
require_once(‘…/globals.php’);
require_once(“$srcdir/patient.inc”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('patients’, ‘lab’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Lab Documents”)]);
exit;
}
$curdate = date_create(date(“Y-m-d”));
date_sub($curdate, date_interval_create_from_date_string(“7 days”));
$sub_date = date_format($curdate, ‘Y-m-d’);
@@ -17,6 +17,7 @@
require_once(“$srcdir/lab.inc”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
// Indicates if we are entering in batch mode.
@@ -26,15 +27,17 @@
$form_review = empty($_GET[‘review’]) ? 0 : 1;
// Check authorization.
$thisauth = AclMain::aclCheckCore('patients’, ‘med’);
$thisauth = AclMain::aclCheckCore('patients’, ‘lab’);
if (!$thisauth) {
die(xlt(‘Not authorized’));
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Procedure Results”)]);
exit;
}
// Check authorization for pending review.
$reviewauth = AclMain::aclCheckCore('patients’, ‘sign’);
if ($form_review and !$reviewauth and !$thisauth) {
die(xlt(‘Not authorized’));
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Procedure Results”)]);
exit;
}
// Set pid for pending review.
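Review bot: The pending-review guard `if ($form_review and !$reviewauth and !$thisauth)` can never fire, because execution only reaches it when `$thisauth` is true, so the unauthorized render added inside it is dead code and a reviewer without `patients/sign` is not blocked. If reviewing is meant to require `patients/sign` on top of `patients/lab`, drop the last conjunct: `if ($form_review && !$reviewauth) {`. If either permission should suffice for review, the first guard would instead need to let `$reviewauth` through, which this hunk does not do. Separately, the change from `patients/med` to `patients/lab` tightens who can open results at all, which is expected for the CVE but worth stating in the commit message.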
@@ -18,8 +18,14 @@
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('patients’, ‘lab’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Pending Orders”)]);
exit;
}
function thisLineItem($row)
{
$provname = $row[‘provider_lname’];
@@ -53,10 +59,6 @@ function thisLineItem($row)
} // End not csv export
}
if (!AclMain::aclCheckCore('acct’, ‘rep’)) {
die(xlt(“Unauthorized access.”));
}
$form_from_date = isset($_POST[‘form_from_date’]) ? DateToYYYYMMDD($_POST[‘form_from_date’]) : date(‘Y-m-d’);
$form_to_date = isset($_POST[‘form_to_date’]) ? DateToYYYYMMDD($_POST[‘form_to_date’]) : date(‘Y-m-d’);
$form_facility = $_POST[‘form_facility’] ?? null;
@@ -22,12 +22,12 @@
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
// Might want something different here.
//
if (! AclMain::aclCheckCore('acct’, ‘rep’)) {
die(xlt(“Unauthorized access.”));
if (!AclMain::aclCheckCore('patients’, ‘lab’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Procedure Statistics Report”)]);
exit;
}
$from_date = isset($_POST[‘form_from_date’]) ? DateToYYYYMMDD($_POST[‘form_from_date’]) : '0000-00-00’;
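Review bot: The stale comment `// Might want something different here.` now sits directly above the new `patients/lab` guard and contradicts it, since the commit has decided what the check should be; delete it or replace it with the reason, e.g. `// Procedure statistics expose lab/order data, so gate on patients/lab rather than acct/rep.`. The replaced `acct/rep` check is gone entirely, so a billing-report user without the lab permission loses this report — fine if intended, but worth a line in the commit description.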
@@ -15,6 +15,8 @@
require_once(“…/globals.php”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
// This script can be run either inside the OpenEMR frameset for order catalog
@@ -26,6 +28,15 @@
$order = isset($_GET[‘order’]) ? $_GET[‘order’] + 0 : 0;
$labid = isset($_GET[‘labid’]) ? $_GET[‘labid’] + 0 : 0;
if (!$popup && !AclMain::aclCheckCore('admin’, ‘super’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Configure Orders and Results”)]);
exit;
}
if ($popup && !AclMain::aclCheckCore('patients’, ‘lab’) && !AclMain::aclCheckCore('admin’, ‘super’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Configure Orders and Results”)]);
exit;
}
// If Save was clicked, set the result, close the window and exit.
//
if ($popup && $_POST[‘form_save’]) {
@@ -17,8 +17,15 @@
require_once(dirname(__FILE__) . “…/…/globals.php”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('patients’, 'med’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Import”)]);
exit;
}
?>
<html>
<head>
@@ -18,9 +18,16 @@
require_once(dirname(__FILE__) . “/…/…/library/patient.inc”);
require_once(dirname(__FILE__) . “/…/…/library/parse_patient_xml.php”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
if (!AclMain::aclCheckCore('patients’, 'med’, '’, ‘write’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“CCR Approve”)]);
exit;
}
if (isset($_GET[‘approve’]) && $_GET[‘approve’] == 1) {
if (!CsrfUtils::verifyCsrfToken($_GET[“csrf_token_form”])) {
CsrfUtils::csrfNotVerified();
@@ -13,6 +13,11 @@
*/
require_once(“…/…/globals.php”);
require_once(“…/…/…/library/registry.inc”);
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Twig\TwigContainer;
if (substr($_GET[“formname”], 0, 3) === ‘LBF’) {
// Use the List Based Forms engine for all LBFxxxxx forms.
include_once(“$incdir/forms/LBF/new.php”);
@@ -25,6 +30,14 @@
// ensure the path variable has no illegal characters
check_file_dir_name($_GET[“formname”]);
// ensure authorized to see the form
if (!AclMain::aclCheckForm($_GET[“formname”])) {
$formLabel = xl_form_title(getRegistryEntryByDirectory($_GET[“formname”], ‘name’)[‘name’] ?? ‘’);
$formLabel = (!empty($formLabel)) ? $formLabel : $_GET[“formname”];
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => $formLabel]);
exit;
}
include_once(“$incdir/forms/” . $_GET[“formname”] . “/new.php”);
}
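Review bot: The new `AclMain::aclCheckForm($_GET["formname"])` guard is placed after the `substr($_GET["formname"], 0, 3) === 'LBF'` branch, so an `LBF*` form reaches `include_once("$incdir/forms/LBF/new.php")` without passing through it; unless `forms/LBF/new.php` performs its own form-level ACL check (not visible here), the guard should be hoisted above that branch so both paths are covered. The fallback `$formLabel = $_GET["formname"]` feeds a raw query value into the page title, which is safe only if the Twig environment autoescapes by default — a comment such as `// raw formname is escaped by Twig autoescape` or an explicit escape call would make that assumption visible. The enclosing `if`/`else` starts in the first hunk and its branch boundary is cut between the two hunks.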
@@ -23,11 +23,29 @@
use OpenEMR\Billing\BillingUtilities;
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Twig\TwigContainer;
use OpenEMR\Core\Header;
use OpenEMR\OeUI\OemrUI;
use OpenEMR\PaymentProcessing\Sphere\SpherePayment;
use OpenEMR\Services\FacilityService;
if (!empty($_REQUEST[‘receipt’]) && empty($_POST[‘form_save’])) {
if (!AclMain::aclCheckCore('acct’, ‘bill’) && !AclMain::aclCheckCore('acct’, ‘rep_a’) && !AclMain::aclCheckCore('patients’, ‘rx’)) {
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => xl(“Receipt for Payment”)]);
exit;
}
} else {
if (!AclMain::aclCheckCore('acct’, 'bill’, '’, ‘write’)) {
if (!empty($_POST[‘form_save’])) {
$pageTitle = xl(“Receipt for Payment”);
} else {
$pageTitle = xl(“Record Payment”);
}
echo (new TwigContainer(null, $GLOBALS[‘kernel’]))->getTwig()->render('core/unauthorized.html.twig’, [‘pageTitle’ => $pageTitle]);
exit;
}
}
$pid = (!empty($_REQUEST[‘hidden_patient_code’]) && ($_REQUEST[‘hidden_patient_code’] > 0)) ? $_REQUEST[‘hidden_patient_code’] : $pid;
$facilityService = new FacilityService();