
Better error management on import web site with PHP

This commit is contained in:
Laurent Destailleur
2024-05-06 15:16:08 +02:00
parent 55d2f3d9fc
commit 1a8eb720d1
2 changed files with 46 additions and 39 deletions


@@ -328,7 +328,7 @@ function run_sql($sqlfile, $silent = 1, $entity = 0, $usesavepoint = 1, $handler
$keyforsql = md5($sqlfile);
foreach ($arraysql as $i => $sql) {
if ($sql) {
// Test if th SQL is allowed SQL
// Test if the SQL is allowed SQL
if ($onlysqltoimportwebsite) {
$newsql = str_replace(array("\'"), '__BACKSLASHQUOTE__', $sql); // Replace the \' char
@@ -388,6 +388,7 @@ function run_sql($sqlfile, $silent = 1, $entity = 0, $usesavepoint = 1, $handler
break;
}
if (!$qualified) {
$error++;
//print 'Request '.($i + 1)." contains non allowed instructions.<br>\n";
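Review bot: The rejected statement is now counted but still recorded nowhere — the new `$error++;` is followed only by the commented-out `//print 'Request ... contains non allowed instructions'` line, so an operator cannot tell which request failed the allow-list check or why. Replace the dead print with a server-side log that does not echo the SQL back to the client, e.g. `dol_syslog("run_sql: request ".($i + 1)." contains non allowed instructions", LOG_WARNING);`. How `$error` is turned into a return value or message happens in the part of run_sql outside this hunk, so I cannot confirm the rejection is surfaced to the caller at all; the loop body and the function both continue past the hunk.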


@@ -681,7 +681,16 @@ function checkPHPCode(&$phpfullcodestringold, &$phpfullcodestring)
return 0;
}
// First check forbidden commands
// First check permission
if ($phpfullcodestringold != $phpfullcodestring) {
if (!$error && !$user->hasRight('website', 'writephp')) {
$error++;
setEventMessages($langs->trans("NotAllowedToAddDynamicContent"), null, 'errors');
}
}
// Then check forbidden commands
if (!$error) {
$forbiddenphpcommands = array("override_function", "session_id", "session_create_id", "session_regenerate_id");
if (!getDolGlobalString('WEBSITE_PHP_ALLOW_EXEC')) { // If option is not on, we disallow functions to execute commands
$forbiddenphpcommands = array_merge($forbiddenphpcommands, array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI"));
@@ -718,12 +727,9 @@ function checkPHPCode(&$phpfullcodestringold, &$phpfullcodestring)
$error++;
setEventMessages($langs->trans("DynamicPHPCodeContainsAForbiddenInstruction", '$...('), null, 'errors');
}
}
if ($phpfullcodestringold != $phpfullcodestring) {
if (!$error && !$user->hasRight('website', 'writephp')) {
$error++;
setEventMessages($langs->trans("NotAllowedToAddDynamicContent"), null, 'errors');
}
if (!$error) {
$dolibarrdataroot = preg_replace('/([\\/]+)$/i', '', DOL_DATA_ROOT);
$allowimportsite = true;
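Review bot: The relocated change test on the `if ($phpfullcodestringold != $phpfullcodestring)` line uses loose comparison, and PHP's `!=` compares two numeric strings numerically, so content that differs only in numeric spelling would be treated as unchanged and skip the `writephp` permission gate; a byte comparison is what is intended here: `if ($phpfullcodestringold !== $phpfullcodestring) {`. Separately, the forbidden-command list that follows is a string blacklist: names such as `call_user_func`, `assert`, `include`/`require` and the backtick operator are not in the visible list, so unless they are caught by the `'$...('` pattern or by code outside this hunk, they remain reachable with WEBSITE_PHP_ALLOW_EXEC off. A one-line comment above `$forbiddenphpcommands` stating that the list is best-effort defense in depth and that the `writephp` right is the actual trust boundary would keep the next maintainer from treating it as a sandbox. checkPHPCode continues past the end of this hunk.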