From cb6c65183dd57d62160f2fd92b2ed66efdaa0ebd Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 2 Mar 2024 13:53:10 +0100
Subject: [PATCH 1/3] Fix bad condition on project field
---
 htdocs/compta/sociales/list.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php
index 69a69891536..48e8b510877 100644
--- a/htdocs/compta/sociales/list.php
+++ b/htdocs/compta/sociales/list.php
@@ -102,7 +102,7 @@ $arrayfields = array(
 'cs.fk_type' =>array('label'=>"Type", 'checked'=>1, 'position'=>30),
 'cs.date_ech' =>array('label'=>"Date", 'checked'=>1, 'position'=>40),
 'cs.periode' =>array('label'=>"PeriodEndDate", 'checked'=>1, 'position'=>50),
- 'p.ref' =>array('label'=>"ProjectRef", 'checked'=>1, 'position'=>60, 'enable'=>(isModEnabled('project'))),
+ 'p.ref' =>array('label'=>"ProjectRef", 'checked'=>1, 'position'=>60, 'enabled'=>(isModEnabled('project'))),
 'cs.fk_user' =>array('label'=>"Employee", 'checked'=>1, 'position'=>70),
 'cs.fk_mode_reglement' =>array('checked'=>-1, 'position'=>80, 'label'=>"DefaultPaymentMode"),
 'cs.amount' =>array('label'=>"Amount", 'checked'=>1, 'position'=>100),
From 717297ef295f69c627295eff4f0dfdee3b37f2e7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 2 Mar 2024 14:49:27 +0100
Subject: [PATCH 2/3] FIX Wrong currency shown in TakePOS payment page
---
 htdocs/takepos/pay.php | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/htdocs/takepos/pay.php b/htdocs/takepos/pay.php
index f2e58f98573..df498a5fec7 100644
--- a/htdocs/takepos/pay.php
+++ b/htdocs/takepos/pay.php
@@ -248,6 +248,7 @@ if ($resql) { } } } + ?> +currency != $_SESSION["takeposcustomercurrency"]) { + //Only show customer currency if multicurrency module is enabled, if currency selected and if this currency selected is not the same as main currency + $showothercurrency = 1; + include_once DOL_DOCUMENT_ROOT . '/multicurrency/class/multicurrency.class.php'; + $multicurrency = new MultiCurrency($db); + $multicurrency->fetch(0, $_SESSION["takeposcustomercurrency"]); +} +?> +
- trans('TotalTTC'); ?>: total_ttc, 1, '', 1, -1, -1, $invoice->multicurrency_code); ?> + trans('TotalTTC'); ?>: total_ttc, 1, '', 1, -1, -1, $conf->currency); + if ($showothercurrency) { + print '   (' . price($invoice->total_ht * $multicurrency->rate->rate) . ' ' . $_SESSION["takeposcustomercurrency"] . ')'; + } + ?>
total_ttc) { ?>
- trans('RemainToPay'); ?>: multicurrency_code); ?> + trans('RemainToPay'); ?>: multicurrency_code); + if ($showothercurrency) { + print '   (' . price($remaintopay * $multicurrency->rate->rate) . ' ' . $_SESSION["takeposcustomercurrency"] . ')'; + } + ?>
- trans("Received"); ?>: multicurrency_code); ?> + trans("Received"); ?>: multicurrency_code); + if ($showothercurrency) { + print '   (' . price(0 * $multicurrency->rate->rate) . ' ' . $_SESSION["takeposcustomercurrency"] . ')'; + } + ?>
- trans("Change"); ?>: multicurrency_code); ?> + trans("Change"); ?>: multicurrency_code); + if ($showothercurrency) { + print '   (' . price(0 * $multicurrency->rate->rate) . ' ' . $_SESSION["takeposcustomercurrency"] . ')'; + } + ?>
global->TAKEPOS_CAN_FORCE_BANK_ACCOUNT_DURING_PAYMENT)) { From 17ff0972ab407eb7c55cce6ffa72553c1e001696 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 3 Mar 2024 19:35:37 +0100 Subject: [PATCH 3/3] Fix use of invoke into computed fields --- htdocs/core/lib/functions.lib.php | 9 +++++++-- test/phpunit/SecurityTest.php | 10 ++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index cf8bb9b324e..cbf8fee96e0 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
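Review bot: The converted figure printed next to TotalTTC uses `$invoice->total_ht * $multicurrency->rate->rate` while the main figure on the same line is `$invoice->total_ttc`, so the customer-currency amount shown is the pre-tax total; it should read `price($invoice->total_ttc * $multicurrency->rate->rate)`. The RemainToPay, Received and Change lines on the new side still pass `$invoice->multicurrency_code` to `price()` even though TotalTTC was switched to `$conf->currency`, so the "wrong currency" fix appears to cover only the first line. `$_SESSION["takeposcustomercurrency"]` is concatenated into the HTML in four places without escaping; if that session value is ever populated from request input, it should go through `htmlspecialchars($_SESSION["takeposcustomercurrency"], ENT_QUOTES)` or the project's HTML escaping helper. The return value of `$multicurrency->fetch(0, ...)` is not checked, so a currency with no configured rate would presumably fail on `$multicurrency->rate->rate`; guarding the `$showothercurrency = 1` assignment on a successful fetch would avoid that. The PHP open tags and the start of the condition are missing from this rendering of the hunk, so where `$showothercurrency` is initialised to 0 cannot be confirmed from here.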
@@ -9289,22 +9289,27 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1' // We block use of php exec or php file functions $forbiddenphpstrings = array('$$'); - $forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST')); + $forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST', 'ReflectionFunction')); $forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen"); $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions - $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64_decode", "rawurldecode", "urldecode")); // decode string functions + $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64_decode", "rawurldecode", "urldecode", "str_rot13", "hex2bin")); // decode string functions used to obfuscated function name $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask")); $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("get_defined_functions", "get_defined_vars", "get_defined_constants", "get_declared_classes")); $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func")); $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("eval", "create_function", "assert", "mb_ereg_replace")); // function with eval capabilities + $forbiddenphpmethods = array('invoke', 'invokeArgs'); // Method of ReflectionFunction to execute a function + $forbiddenphpregex = 'global\s+\$|\b('.implode('|', $forbiddenphpfunctions).')\b'; + $forbiddenphpmethodsregex = '->('.implode('|', $forbiddenphpmethods).')'; + do { $oldstringtoclean = $s; $s = 
str_ireplace($forbiddenphpstrings, '__forbiddenstring__', $s); $s = preg_replace('/'.$forbiddenphpregex.'/i', '__forbiddenstring__', $s); + $s = preg_replace('/'.$forbiddenphpmethodsregex.'/i', '__forbiddenstring__', $s); //$s = preg_replace('/\$[a-zA-Z0-9_\->\$]+\(/i', '', $s); // Remove $function( call and $mycall->mymethod( } while ($oldstringtoclean != $s); diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 545306f5734..fb3132a17ff 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -960,6 +960,16 @@ class SecurityTest extends PHPUnit\Framework\TestCase print "result = ".$result."\n"; $this->assertEquals('Parent project not found', $result); + $s = 'new abc->invoke(\'whoami\')'; + $result=dol_eval($s, 1, 1, '2'); + print "result = ".$result."\n"; + $this->assertEquals('Bad string syntax to evaluate: new abc__forbiddenstring__(\'whoami\')', $result); + + $s = 'new ReflectionFunction(\'abc\')'; + $result=dol_eval($s, 1, 1, '2'); + print "result = ".$result."\n"; + $this->assertEquals('Bad string syntax to evaluate: new __forbiddenstring__(\'abc\')', $result); + $result=dol_eval('$a=function() { }; $a;', 1, 1, ''); print "result = ".$result."\n"; $this->assertContains('Bad string syntax to evaluate', $result);
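Review bot: The new guards in dol_eval are denylist entries, and the hunk leaves obvious neighbours uncovered: `ReflectionFunction` is blocked, but `ReflectionMethod`, `ReflectionClass` and `ReflectionObject` — which expose `invoke`, `newInstance`/`newInstanceArgs` and `getClosure` — are not in `$forbiddenphpstrings`, and `$forbiddenphpmethods` stops at `invoke`/`invokeArgs`. Since `str_ireplace` matches substrings, adding the bare prefix `'Reflection'` to `$forbiddenphpstrings` covers every Reflection* class, and extending the method list to `array('invoke', 'invokeArgs', 'newInstance', 'newInstanceArgs', 'getClosure')` closes the execution paths those classes offer. The `->(invoke|invokeArgs)` alternation is redundant because `invoke` already matches the prefix of `invokeArgs`; harmless, but a comment saying the prefix match is intentional would stop someone "fixing" it with `\b`. Because the loop replaces substrings rather than tokens, a class name assembled at runtime (`'Reflection'.'Function'`) is not caught by anything visible here; whether the `$onlysimplestring` path rejects such input is outside this hunk and should be confirmed. The function dol_eval starts before and ends after this hunk.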
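Review bot: The two new assertions pin only the exact spelling used in the cleaning lists; since `$forbiddenphpstrings` is applied with `str_ireplace`, a mixed-case probe such as `new reflectionfunction('abc')` expecting `Bad string syntax to evaluate: new __forbiddenstring__('abc')` would document that the check is case-insensitive, and a `->invokeArgs(` probe would exercise the second alternative of the method regex. The test method enclosing these lines starts before the hunk.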