FIX Report by Ricardo Matias
Conflicts: test/phpunit/SecurityTest.php
@@ -686,7 +686,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
|
|||||||
$out = dol_string_nohtmltag($out, 0);
|
$out = dol_string_nohtmltag($out, 0);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 'alphawithlgt': // No " and no ../ but we keep < > tags. Can be used for email string like "Name <email>"
|
case 'alphawithlgt': // No " and no ../ but we keep balanced < > tags with no special chars inside. Can be used for email string like "Name <email>"
|
||||||
if (!is_array($out)) {
|
if (!is_array($out)) {
|
||||||
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
||||||
// '../' is dangerous because it allows dir transversals
|
// '../' is dangerous because it allows dir transversals
|
||||||
@@ -5762,7 +5762,7 @@ function picto_required()
|
|||||||
* @param string $stringtoclean String to clean
|
* @param string $stringtoclean String to clean
|
||||||
* @param integer $removelinefeed 1=Replace all new lines by 1 space, 0=Only ending new lines are removed others are replaced with \n, 2=Ending new lines are removed but others are kept with a same number of \n than nb of <br> when there is both "...<br>\n..."
|
* @param integer $removelinefeed 1=Replace all new lines by 1 space, 0=Only ending new lines are removed others are replaced with \n, 2=Ending new lines are removed but others are kept with a same number of \n than nb of <br> when there is both "...<br>\n..."
|
||||||
* @param string $pagecodeto Encoding of input/output string
|
* @param string $pagecodeto Encoding of input/output string
|
||||||
* @param integer $strip_tags 0=Use internal strip, 1=Use strip_tags() php function (bugged when text contains a < char that is not for a html tag)
|
* @param integer $strip_tags 0=Use internal strip, 1=Use strip_tags() php function (bugged when text contains a < char that is not for a html tag or when tags is not closed like '<img onload=aaa')
|
||||||
* @param integer $removedoublespaces Replace double space into one space
|
* @param integer $removedoublespaces Replace double space into one space
|
||||||
* @return string String cleaned
|
* @return string String cleaned
|
||||||
*
|
*
|
||||||
@@ -5783,10 +5783,10 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
|
|||||||
} else {
|
} else {
|
||||||
$pattern = "/<[^<>]+>/";
|
$pattern = "/<[^<>]+>/";
|
||||||
// Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
|
// Example of $temp: <a href="/myurl" title="<u>A title</u>">0000-021</a>
|
||||||
$temp = preg_replace($pattern, "", $temp); // pass 1
|
$temp = preg_replace($pattern, "", $temp); // pass 1 - $temp after pass 1: <a href="/myurl" title="A title">0000-021
|
||||||
// $temp after pass 1: <a href="/myurl" title="A title">0000-021
|
$temp = preg_replace($pattern, "", $temp); // pass 2 - $temp after pass 2: 0000-021
|
||||||
$temp = preg_replace($pattern, "", $temp); // pass 2
|
// removed '<' into non closing html tags like '<a'
|
||||||
// $temp after pass 2: 0000-021
|
$temp = preg_replace('/<([^\s<]+)/', '\1', $temp);
|
||||||
}
|
}
|
||||||
|
|
||||||
$temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto);
|
$temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto);
|
||||||
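Review bot: The new `preg_replace('/<([^\s<]+)/', '\1', $temp)` is a single pass and is not idempotent: its output can again contain a `<` directly followed by a non-space character (two adjacent `<` collapse to one), so the post-condition the comment describes does not hold after one call. Run the strip to a fixed point, e.g. `do { $prev = $temp; $temp = preg_replace('/<([^\s<]+)/', '\1', $temp); } while ($temp !== $prev);` — and the same applies to the two fixed passes of `$pattern` above it, which only remove two levels of nested tags. Separately, `dol_html_entity_decode()` runs after the strip, so entity-encoded angle brackets in the input are not seen by the tag patterns and come back as literal `<`/`>` in the returned string unless a decode happens earlier in the function (not visible in this hunk); the `@return` docblock should state that the result is a tag-stripped string, not one that is safe to echo into HTML without escaping. dol_string_nohtmltag's body starts and ends outside the hunk.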
|
|||||||
@@ -51,6 +51,8 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
|
* Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
|
||||||
|
* Warning: Such a protection can't be enough. It is not reliable as it will alwyas be possible to bypass this. Good protection can
|
||||||
|
* only be guaranted by escaping data during output.
|
||||||
*
|
*
|
||||||
* @param string $val Value brut found int $_GET, $_POST or PHP_SELF
|
* @param string $val Value brut found int $_GET, $_POST or PHP_SELF
|
||||||
* @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
|
* @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
|
||||||
@@ -120,6 +122,19 @@ function testSqlAndScriptInject($val, $type)
|
|||||||
$inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|offline|online|pagehide|pageshow)\s*=/i', $val);
|
$inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|offline|online|pagehide|pageshow)\s*=/i', $val);
|
||||||
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $val);
|
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $val);
|
||||||
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
|
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $val);
|
||||||
|
|
||||||
|
// We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: <img on<a>error=alert(1) to bypass test on onerror
|
||||||
|
$tmpval = preg_replace('/<[^<]+>/', '', $val);
|
||||||
|
// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
|
||||||
|
$inj += preg_match('/onmouse([a-z]*)\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
||||||
|
$inj += preg_match('/ondrag([a-z]*)\s*=/i', $tmpval); //
|
||||||
|
$inj += preg_match('/ontouch([a-z]*)\s*=/i', $tmpval); //
|
||||||
|
$inj += preg_match('/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i', $tmpval);
|
||||||
|
$inj += preg_match('/on(dblclick|drop|durationchange|ended|error|focus|focusin|focusout|hashchange|input|invalid)\s*=/i', $tmpval);
|
||||||
|
$inj += preg_match('/on(keydown|keypress|keyup|load|loadeddata|loadedmetadata|loadstart|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
|
||||||
|
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|resize|reset|scroll|search|seeking|select|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
|
||||||
|
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting)\s*=/i', $tmpval);
|
||||||
|
|
||||||
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
|
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
|
||||||
$inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
|
$inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
|
||||||
$inj += preg_match('/javascript\s*:/i', $val);
|
$inj += preg_match('/javascript\s*:/i', $val);
|
||||||
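Review bot: The `on…\s*=` patterns are now duplicated verbatim, once against `$val` (that run starts above this hunk) and once against `$tmpval`, so the next event added to one list will be silently missing from the other; build the list once and loop over both values. The tag strip that produces `$tmpval` is also a single `preg_replace` pass, so a tag nested inside another tag is only removed one level deep; repeat it until the string stops changing. The two trailing empty `//` comments on the `ondrag` and `ontouch` lines should be dropped or filled in. testSqlAndScriptInject's body starts and ends outside the hunk.
```php
// Strip tags until nothing changes, so a tag nested inside another tag cannot survive a single pass.
$tmpval = $val;
do {
	$prev = $tmpval;
	$tmpval = preg_replace('/<[^<]+>/', '', $tmpval);
} while ($tmpval !== $prev);

// One list of event-handler patterns, checked against both the raw and the tag-stripped value,
// so the two checks cannot drift apart when an event is added.
// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp
$eventhandlerpatterns = array(
	'/onmouse([a-z]*)\s*=/i',	// onmousexxx can be set on img or any html tag
	'/ondrag([a-z]*)\s*=/i',
	'/ontouch([a-z]*)\s*=/i',
	'/on(abort|afterprint|beforeprint|beforeunload|blur|canplay|canplaythrough|change|click|contextmenu|copy|cut)\s*=/i',
	// … unchanged: the remaining on(...) alternations from the hunk …
);
foreach ($eventhandlerpatterns as $pattern) {
	$inj += preg_match($pattern, $val);
	$inj += preg_match($pattern, $tmpval);
}
```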
|
|||||||
@@ -2430,53 +2430,54 @@ class User extends CommonObject
|
|||||||
$label .= '<div class="centpercent">';
|
$label .= '<div class="centpercent">';
|
||||||
$label .= img_picto('', $this->picto).' <u class="paddingrightonly">'.$langs->trans("User").'</u>';
|
$label .= img_picto('', $this->picto).' <u class="paddingrightonly">'.$langs->trans("User").'</u>';
|
||||||
$label .= ' '.$this->getLibStatut(4);
|
$label .= ' '.$this->getLibStatut(4);
|
||||||
$label .= '<br><b>'.$langs->trans('Name').':</b> '.$this->getFullName($langs, '');
|
$label .= '<br><b>'.$langs->trans('Name').':</b> '.dol_string_nohtmltag($this->getFullName($langs, ''));
|
||||||
if (!empty($this->login)) {
|
if (!empty($this->login)) {
|
||||||
$label .= '<br><b>'.$langs->trans('Login').':</b> '.$this->login;
|
$label .= '<br><b>'.$langs->trans('Login').':</b> '.dol_string_nohtmltag($this->login);
|
||||||
}
|
}
|
||||||
if (!empty($this->job)) {
|
if (!empty($this->job)) {
|
||||||
$label .= '<br><b>'.$langs->trans("Job").':</b> '.$this->job;
|
$label .= '<br><b>'.$langs->trans("Job").':</b> '.dol_string_nohtmltag($this->job);
|
||||||
}
|
}
|
||||||
$label .= '<br><b>'.$langs->trans("Email").':</b> '.$this->email;
|
$label .= '<br><b>'.$langs->trans("Email").':</b> '.dol_string_nohtmltag($this->email);
|
||||||
if (!empty($this->phone)) {
|
if (!empty($this->phone)) {
|
||||||
$label .= '<br><b>'.$langs->trans("Phone").':</b> '.$this->phone;
|
$label .= '<br><b>'.$langs->trans("Phone").':</b> '.dol_string_nohtmltag($this->phone);
|
||||||
}
|
}
|
||||||
if (!empty($this->admin)) {
|
if (!empty($this->admin)) {
|
||||||
$label .= '<br><b>'.$langs->trans("Administrator").'</b>: '.yn($this->admin);
|
$label .= '<br><b>'.$langs->trans("Administrator").'</b>: '.yn($this->admin);
|
||||||
}
|
}
|
||||||
|
$company = '';
|
||||||
if (!empty($this->socid)) { // Add thirdparty for external users
|
if (!empty($this->socid)) { // Add thirdparty for external users
|
||||||
$thirdpartystatic = new Societe($db);
|
$thirdpartystatic = new Societe($db);
|
||||||
$thirdpartystatic->fetch($this->socid);
|
$thirdpartystatic->fetch($this->socid);
|
||||||
if (empty($hidethirdpartylogo)) {
|
if (empty($hidethirdpartylogo)) {
|
||||||
$companylink = ' '.$thirdpartystatic->getNomUrl(2, (($option == 'nolink') ? 'nolink' : '')); // picto only of company
|
$companylink = ' '.$thirdpartystatic->getNomUrl(2, (($option == 'nolink') ? 'nolink' : '')); // picto only of company
|
||||||
}
|
}
|
||||||
$company = ' ('.$langs->trans("Company").': '.$thirdpartystatic->name.')';
|
$company = ' ('.$langs->trans("Company").': '.dol_string_nohtmltag($thirdpartystatic->name).')';
|
||||||
}
|
}
|
||||||
$type = ($this->socid ? $langs->trans("External").$company : $langs->trans("Internal"));
|
$type = ($this->socid ? $langs->trans("External").$company : $langs->trans("Internal"));
|
||||||
$label .= '<br><b>'.$langs->trans("Type").':</b> '.$type;
|
$label .= '<br><b>'.$langs->trans("Type").':</b> '.dol_string_nohtmltag($type);
|
||||||
$label .= '</div>';
|
$label .= '</div>';
|
||||||
if ($infologin > 0) {
|
if ($infologin > 0) {
|
||||||
$label .= '<br>';
|
$label .= '<br>';
|
||||||
$label .= '<br><u>'.$langs->trans("Session").'</u>';
|
$label .= '<br><u>'.$langs->trans("Session").'</u>';
|
||||||
$label .= '<br><b>'.$langs->trans("IPAddress").'</b>: '.$_SERVER["REMOTE_ADDR"];
|
$label .= '<br><b>'.$langs->trans("IPAddress").'</b>: '.dol_string_nohtmltag(getUserRemoteIP());
|
||||||
if (!empty($conf->global->MAIN_MODULE_MULTICOMPANY)) {
|
if (!empty($conf->global->MAIN_MODULE_MULTICOMPANY)) {
|
||||||
$label .= '<br><b>'.$langs->trans("ConnectedOnMultiCompany").':</b> '.$conf->entity.' (user entity '.$this->entity.')';
|
$label .= '<br><b>'.$langs->trans("ConnectedOnMultiCompany").':</b> '.$conf->entity.' (User entity '.$this->entity.')';
|
||||||
}
|
}
|
||||||
$label .= '<br><b>'.$langs->trans("AuthenticationMode").':</b> '.$_SESSION["dol_authmode"].(empty($dolibarr_main_demo) ? '' : ' (demo)');
|
$label .= '<br><b>'.$langs->trans("AuthenticationMode").':</b> '.dol_string_nohtmltag($_SESSION["dol_authmode"].(empty($dolibarr_main_demo) ? '' : ' (demo)'));
|
||||||
$label .= '<br><b>'.$langs->trans("ConnectedSince").':</b> '.dol_print_date($this->datelastlogin, "dayhour", 'tzuser');
|
$label .= '<br><b>'.$langs->trans("ConnectedSince").':</b> '.dol_print_date($this->datelastlogin, "dayhour", 'tzuser');
|
||||||
$label .= '<br><b>'.$langs->trans("PreviousConnexion").':</b> '.dol_print_date($this->datepreviouslogin, "dayhour", 'tzuser');
|
$label .= '<br><b>'.$langs->trans("PreviousConnexion").':</b> '.dol_print_date($this->datepreviouslogin, "dayhour", 'tzuser');
|
||||||
$label .= '<br><b>'.$langs->trans("CurrentTheme").':</b> '.$conf->theme;
|
$label .= '<br><b>'.$langs->trans("CurrentTheme").':</b> '.dol_string_nohtmltag($conf->theme);
|
||||||
$label .= '<br><b>'.$langs->trans("CurrentMenuManager").':</b> '.$menumanager->name;
|
$label .= '<br><b>'.$langs->trans("CurrentMenuManager").':</b> '.dol_string_nohtmltag($menumanager->name);
|
||||||
$s = picto_from_langcode($langs->getDefaultLang());
|
$s = picto_from_langcode($langs->getDefaultLang());
|
||||||
$label .= '<br><b>'.$langs->trans("CurrentUserLanguage").':</b> '.($s ? $s.' ' : '').$langs->getDefaultLang();
|
$label .= '<br><b>'.$langs->trans("CurrentUserLanguage").':</b> '.dol_string_nohtmltag(($s ? $s.' ' : '').$langs->getDefaultLang());
|
||||||
$label .= '<br><b>'.$langs->trans("Browser").':</b> '.$conf->browser->name.($conf->browser->version ? ' '.$conf->browser->version : '').' ('.$_SERVER['HTTP_USER_AGENT'].')';
|
$label .= '<br><b>'.$langs->trans("Browser").':</b> '.dol_string_nohtmltag($conf->browser->name.($conf->browser->version ? ' '.$conf->browser->version : '').' ('.$_SERVER['HTTP_USER_AGENT'].')');
|
||||||
$label .= '<br><b>'.$langs->trans("Layout").':</b> '.$conf->browser->layout;
|
$label .= '<br><b>'.$langs->trans("Layout").':</b> '.dol_string_nohtmltag($conf->browser->layout);
|
||||||
$label .= '<br><b>'.$langs->trans("Screen").':</b> '.$_SESSION['dol_screenwidth'].' x '.$_SESSION['dol_screenheight'];
|
$label .= '<br><b>'.$langs->trans("Screen").':</b> '.dol_string_nohtmltag($_SESSION['dol_screenwidth'].' x '.$_SESSION['dol_screenheight']);
|
||||||
if ($conf->browser->layout == 'phone') {
|
if ($conf->browser->layout == 'phone') {
|
||||||
$label .= '<br><b>'.$langs->trans("Phone").':</b> '.$langs->trans("Yes");
|
$label .= '<br><b>'.$langs->trans("Phone").':</b> '.$langs->trans("Yes");
|
||||||
}
|
}
|
||||||
if (!empty($_SESSION["disablemodules"])) {
|
if (!empty($_SESSION["disablemodules"])) {
|
||||||
$label .= '<br><b>'.$langs->trans("DisabledModules").':</b> <br>'.join(', ', explode(',', $_SESSION["disablemodules"]));
|
$label .= '<br><b>'.$langs->trans("DisabledModules").':</b> <br>'.dol_string_nohtmltag(join(', ', explode(',', $_SESSION["disablemodules"])));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ($infologin < 0) {
|
if ($infologin < 0) {
|
||||||
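Review bot: `dol_string_nohtmltag()` strips tags but, as far as the hunk shows, leaves quotes and ampersands in place and ends with an entity decode, so the values concatenated into `$label` on the `Name`, `Login`, `Job`, `Email`, `Phone`, `Type`, `Browser` and `Screen` lines are sanitized rather than escaped for the HTML context they are inserted into. If `$label` is later placed inside an attribute (it looks like a tooltip, but that is not visible here), the robust form is context escaping at the point of output, e.g. `dol_escape_htmltag($this->login)`, keeping tag stripping only where line breaks must also be removed. The same applies to the `@@ -2540` hunk below, where in addition `dol_string_nohtmltag(dol_trunc($this->login, $maxlen))` truncates before stripping, so `$maxlen` counts markup rather than visible characters and a tag cut by the truncation is only caught by the fallback `<` removal; invert the order: `dol_trunc(dol_string_nohtmltag($this->login), $maxlen)`. The enclosing method starts and ends outside the hunk.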
@@ -2540,12 +2541,12 @@ class User extends CommonObject
|
|||||||
}
|
}
|
||||||
if ($withpictoimg > -2 && $withpictoimg != 2) {
|
if ($withpictoimg > -2 && $withpictoimg != 2) {
|
||||||
if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) {
|
if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) {
|
||||||
$result .= '<span class=" nopadding usertext'.((!isset($this->statut) || $this->statut) ? '' : ' strikefordisabled').($morecss ? ' '.$morecss : '').'">';
|
$result .= '<span class="nopadding usertext'.((!isset($this->statut) || $this->statut) ? '' : ' strikefordisabled').($morecss ? ' '.$morecss : '').'">';
|
||||||
}
|
}
|
||||||
if ($mode == 'login') {
|
if ($mode == 'login') {
|
||||||
$result .= dol_trunc($this->login, $maxlen);
|
$result .= dol_string_nohtmltag(dol_trunc($this->login, $maxlen));
|
||||||
} else {
|
} else {
|
||||||
$result .= $this->getFullName($langs, '', ($mode == 'firstelselast' ? 3 : ($mode == 'firstname' ? 2 : -1)), $maxlen);
|
$result .= dol_string_nohtmltag($this->getFullName($langs, '', ($mode == 'firstelselast' ? 3 : ($mode == 'firstname' ? 2 : -1)), $maxlen));
|
||||||
}
|
}
|
||||||
if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) {
|
if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) {
|
||||||
$result .= '</span>';
|
$result .= '</span>';
|
||||||
|
|||||||
@@ -128,7 +128,7 @@ if ($resql)
|
|||||||
print '<table class="noborder centpercent">';
|
print '<table class="noborder centpercent">';
|
||||||
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("LastUsersCreated", min($num, $max)).'</td>';
|
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("LastUsersCreated", min($num, $max)).'</td>';
|
||||||
print '<td class="right" colspan="2"><a class="commonlink" href="'.DOL_URL_ROOT.'/user/list.php?sortfield=u.datec&sortorder=DESC">'.$langs->trans("FullList").'</td>';
|
print '<td class="right" colspan="2"><a class="commonlink" href="'.DOL_URL_ROOT.'/user/list.php?sortfield=u.datec&sortorder=DESC">'.$langs->trans("FullList").'</td>';
|
||||||
print '</tr>';
|
print '</tr>'."\n";
|
||||||
$i = 0;
|
$i = 0;
|
||||||
|
|
||||||
while ($i < $num && $i < $max)
|
while ($i < $num && $i < $max)
|
||||||
|
|||||||
@@ -171,7 +171,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
|||||||
|
|
||||||
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
|
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
|
||||||
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
|
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
|
||||||
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject 1a');
|
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0a');
|
||||||
|
|
||||||
|
$test = 'This is a < inside string with < and > also and tag like <a> before the >';
|
||||||
|
$result=testSqlAndScriptInject($test, 0);
|
||||||
|
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0b');
|
||||||
|
|
||||||
// Should detect XSS
|
// Should detect XSS
|
||||||
$expectedresult=1;
|
$expectedresult=1;
|
||||||
@@ -260,6 +264,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
|||||||
$test="on<!-- ab\nc -->error=alert(1)";
|
$test="on<!-- ab\nc -->error=alert(1)";
|
||||||
$result=testSqlAndScriptInject($test, 0);
|
$result=testSqlAndScriptInject($test, 0);
|
||||||
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject jjj');
|
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject jjj');
|
||||||
|
|
||||||
|
$test="<img src=x one<a>rror=alert(document.location)";
|
||||||
|
$result=testSqlAndScriptInject($test, 0);
|
||||||
|
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject kkk');
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -270,106 +278,116 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
|||||||
public function testGETPOST()
|
public function testGETPOST()
|
||||||
{
|
{
|
||||||
global $conf,$user,$langs,$db;
|
global $conf,$user,$langs,$db;
|
||||||
$conf=$this->savconf;
|
$conf=$this->savconf;
|
||||||
$user=$this->savuser;
|
$user=$this->savuser;
|
||||||
$langs=$this->savlangs;
|
$langs=$this->savlangs;
|
||||||
$db=$this->savdb;
|
$db=$this->savdb;
|
||||||
|
|
||||||
$_COOKIE["id"]=111;
|
$_COOKIE["id"]=111;
|
||||||
$_GET["param1"]="222";
|
$_GET["param1"]="222";
|
||||||
$_POST["param1"]="333";
|
$_POST["param1"]="333";
|
||||||
$_GET["param2"]='a/b#e(pr)qq-rr\cc';
|
$_GET["param2"]='a/b#e(pr)qq-rr\cc';
|
||||||
$_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n
|
$_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n
|
||||||
$_GET["param4"]='../dir';
|
$_GET["param4"]='../dir';
|
||||||
$_GET["param5"]="a_1-b";
|
$_GET["param5"]="a_1-b";
|
||||||
$_POST["param6"]=""><svg onload='console.log("123")'>";
|
$_POST["param6"]=""><svg onload='console.log("123")'>";
|
||||||
$_GET["param7"]='"c:\this is a path~1\aaan" abc<bad>def</bad>';
|
$_GET["param7"]='"c:\this is a path~1\aaan" abc<bad>def</bad>';
|
||||||
$_POST["param8"]="Hacker<svg onload='console.log("123")'"; // html tag is not closed so it is not detected as html tag but is still harmfull
|
$_POST["param8a"]="Hacker<svg onload='console.log("123")'"; // html tag is not closed so it is not detected as html tag but is still harmfull
|
||||||
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
|
$_POST['param8b']='<img src=x onerror=alert(document.location) t='; // this is html obfuscated by non closing tag
|
||||||
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
|
$_POST['param8c']='< with space after is ok';
|
||||||
$_POST["param11"]=' Name <email@email.com> ';
|
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
|
||||||
|
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
|
||||||
|
$_POST["param11"]=' Name <email@email.com> ';
|
||||||
|
|
||||||
$result=GETPOST('id', 'int'); // Must return nothing
|
$result=GETPOST('id', 'int'); // Must return nothing
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, '');
|
$this->assertEquals($result, '');
|
||||||
|
|
||||||
$result=GETPOST("param1", 'int');
|
$result=GETPOST("param1", 'int');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, 222, 'Test on param1 with no 3rd param');
|
$this->assertEquals($result, 222, 'Test on param1 with no 3rd param');
|
||||||
|
|
||||||
$result=GETPOST("param1", 'int', 2);
|
$result=GETPOST("param1", 'int', 2);
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2');
|
$this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2');
|
||||||
|
|
||||||
// Test alpha
|
// Test alpha
|
||||||
$result=GETPOST("param2", 'alpha');
|
$result=GETPOST("param2", 'alpha');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, $_GET["param2"], 'Test on param2');
|
$this->assertEquals($result, $_GET["param2"], 'Test on param2');
|
||||||
|
|
||||||
$result=GETPOST("param3", 'alpha'); // Must return string sanitized from char "
|
$result=GETPOST("param3", 'alpha'); // Must return string sanitized from char "
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc', 'Test on param3');
|
$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc', 'Test on param3');
|
||||||
|
|
||||||
$result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../
|
$result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, 'dir');
|
$this->assertEquals($result, 'dir');
|
||||||
|
|
||||||
// Test aZ09
|
// Test aZ09
|
||||||
$result=GETPOST("param1", 'aZ09');
|
$result=GETPOST("param1", 'aZ09');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, $_GET["param1"]);
|
$this->assertEquals($result, $_GET["param1"]);
|
||||||
|
|
||||||
$result=GETPOST("param2", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
$result=GETPOST("param2", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, '');
|
$this->assertEquals($result, '');
|
||||||
|
|
||||||
$result=GETPOST("param3", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
$result=GETPOST("param3", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($result, '');
|
$this->assertEquals($result, '');
|
||||||
|
|
||||||
$result=GETPOST("param4", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
$result=GETPOST("param4", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals('', $result);
|
$this->assertEquals('', $result);
|
||||||
|
|
||||||
$result=GETPOST("param5", 'aZ09');
|
$result=GETPOST("param5", 'aZ09');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($_GET["param5"], $result);
|
$this->assertEquals($_GET["param5"], $result);
|
||||||
|
|
||||||
$result=GETPOST("param6", 'alpha');
|
$result=GETPOST("param6", 'alpha');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals('>', $result);
|
$this->assertEquals('>', $result);
|
||||||
|
|
||||||
$result=GETPOST("param6", 'nohtml');
|
$result=GETPOST("param6", 'nohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals('">', $result);
|
$this->assertEquals('">', $result);
|
||||||
|
|
||||||
// With restricthtml we must remove html open/close tag and content but not htmlentities like n
|
// With restricthtml we must remove html open/close tag and content but not htmlentities like n
|
||||||
$result=GETPOST("param7", 'restricthtml');
|
$result=GETPOST("param7", 'restricthtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result);
|
$this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result);
|
||||||
|
|
||||||
// With alphanohtml, we must convert the html entities like n
|
// With alphanohtml, we must convert the html entities like n and disable all entities
|
||||||
$result=GETPOST("param8", 'alphanohtml');
|
$result=GETPOST("param8a", 'alphanohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals("Hacker<svg onload='console.log(123)'", $result);
|
$this->assertEquals("Hackersvg onload='console.log(123)'", $result);
|
||||||
|
|
||||||
$result=GETPOST("param9", 'alphanohtml');
|
$result=GETPOST("param8b", 'alphanohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($_POST["param9"], $result);
|
$this->assertEquals('img src=x onerror=alert(document.location) t=', $result, 'Test a string with non closing html tag with alphanohtml');
|
||||||
|
|
||||||
$result=GETPOST("param10", 'alphanohtml');
|
$result=GETPOST("param8c", 'alphanohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10');
|
$this->assertEquals($_POST['param8c'], $result, 'Test a string with non closing html tag with alphanohtml');
|
||||||
|
|
||||||
$result=GETPOST("param11", 'alphanohtml');
|
$result=GETPOST("param9", 'alphanohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals("Name", $result, 'Test an email string with alphanohtml');
|
$this->assertEquals($_POST["param9"], $result);
|
||||||
|
|
||||||
$result=GETPOST("param11", 'alphawithlgt');
|
$result=GETPOST("param10", 'alphanohtml');
|
||||||
print __METHOD__." result=".$result."\n";
|
print __METHOD__." result=".$result."\n";
|
||||||
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
|
$this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10');
|
||||||
|
|
||||||
return $result;
|
$result=GETPOST("param11", 'alphanohtml');
|
||||||
|
print __METHOD__." result=".$result."\n";
|
||||||
|
$this->assertEquals("Name", $result, 'Test an email string with alphanohtml');
|
||||||
|
|
||||||
|
$result=GETPOST("param11", 'alphawithlgt');
|
||||||
|
print __METHOD__." result=".$result."\n";
|
||||||
|
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
|
||||||
|
|
||||||
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
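Review bot: The assertion message on the `param8c` check, `'Test a string with non closing html tag with alphanohtml'`, is copied from the `param8b` check and does not describe its input (`'< with space after is ok'`); use `'Test a string with a < followed by a space with alphanohtml'` so a failure points at the right case. The expected value asserted for `param8b` shows that `alphanohtml` returns a string that still contains an event-handler attribute text, so a one-line comment on that assertion such as `// alphanohtml strips tags only; the result must still be escaped when echoed into HTML` would stop the test being read as proof the value is HTML-safe. The older `assertEquals($result, 222, ...)` style calls in this method pass actual before expected, which inverts PHPUnit's failure output; the new lines use the correct order, so the old ones could be aligned while the method is being touched. testGETPOST is fully contained in the hunk.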
|
|||||||