security fixes

intaro.intarocrm/classes/general/ICrmOrderActions.php

@@ -1091,13 +1091,11 @@ class ICrmOrderActions
     public static function orderAgent() {
         if(self::isForkable()) {
             $ch = curl_init();
-            curl_setopt($ch,CURLOPT_URL,
+            curl_setopt($ch, CURLOPT_URL, ($_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://') .
-                ($_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://') .
+                $_SERVER['SERVER_NAME'] . '/retailcrm/agent.php');
-                $_SERVER['SERVER_NAME'] . '/intaro/agent.php'
-            );
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
             //curl_setopt($ch,CURLOPT_HEADER, true); // headers
-            curl_exec($ch);
+            $result = curl_exec($ch);
             curl_close($ch);
         } else {
             self::notForkedOrderAgent();
@@ -1535,7 +1533,8 @@ class ICrmOrderActions
         $fork = COption::GetOptionString('main', 'agents_use_crontab', 'N');
         if($fork === 'N') {
             $file = $_SERVER['DOCUMENT_ROOT'] . '/retailcrm/agent.php';
-            return file_exists($file) && is_callable('curl_init');
+            return file_exists($file) && is_callable('curl_init') &&
+                   isset($_SERVER['SERVER_NAME']) && $_SERVER['SERVER_NAME'];
         }
 
         return false;

intaro.intarocrm/classes/general/agent.php

@@ -1,5 +1,6 @@
 <?php
 require_once($_SERVER['DOCUMENT_ROOT'] . '/bitrix/modules/main/include/prolog_before.php');
+if ($_SERVER['SERVER_ADDR'] != $_SERVER['REMOTE_ADDR']) die('You are not allowed to access this file.');
 if (!CModule::IncludeModule('intaro.intarocrm')) die('retailCRM not installed.');
 
 ICrmOrderActions::notForkedOrderAgent();

intaro.intarocrm/install/index.php

@@ -1230,7 +1230,7 @@ class intaro_intarocrm extends CModule {
             $dateAgent->add($intAgent);
 
             CAgent::AddAgent(
-                    "ICrmOrderActions::forkedOrderAgent();", $this->MODULE_ID, "N", 600, // interval - 10 mins
+                    "ICrmOrderActions::orderAgent();", $this->MODULE_ID, "N", 600, // interval - 10 mins
                     $dateAgent->format('d.m.Y H:i:s'), // date of first check
                     "Y", // agent is active
                     $dateAgent->format('d.m.Y H:i:s'), // date of first start
@@ -1270,7 +1270,7 @@ class intaro_intarocrm extends CModule {
         CAgent::RemoveAgent("ICrmOrderActions::uploadOrdersAgent();", $this->MODULE_ID);
         CAgent::RemoveAgent("ICrmOrderActions::orderHistoryAgent();", $this->MODULE_ID);
         CAgent::RemoveAgent("ICrmOrderActions::orderAgent();", $this->MODULE_ID);
-        CAgent::RemoveAgent("ICrmOrderActions::forkedOrderAgent();", $this->MODULE_ID);
+        CAgent::RemoveAgent("ICrmOrderActions::orderAgent();", $this->MODULE_ID);
 
         COption::RemoveOption($this->MODULE_ID, $this->CRM_API_HOST_OPTION);
         COption::RemoveOption($this->MODULE_ID, $this->CRM_API_KEY_OPTION);

intaro.intarocrm/install/version.php

@@ -1,5 +1,5 @@
 <?
 $arModuleVersion = array(
         "VERSION" => "1.0.15",
-        "VERSION_DATE" => "2014-11-24 23:55:00"
+        "VERSION_DATE" => "2014-11-27 16:00:00"
 );