Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX @ must be allowed into dol_eval

Browse Source
This commit is contained in:
Laurent Destailleur
2022-10-04 13:57:42 +02:00
parent 7bab68753a
commit 013d136bf7
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -8232,7 +8232,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
// Test dangerous char (used for RCE), we allow only PHP variable testing.
if ($onlysimplestring == '1') {
//print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/', '/').']/i', $s)) {
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/@', '/').']/i', $s)) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else {
@@ -8242,11 +8242,11 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
}
} elseif ($onlysimplestring == '2') {
//print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/;[]', '/').']/i', $s)) {
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/@;[]', '/').']/i', $s)) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring 2): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring 2): '.$s);
return '';
}
}