
Merge branch '12.0' of git@github.com:Dolibarr/dolibarr.git into develop

Conflicts:
	htdocs/admin/tools/export_files.php
	test/phpunit/SecurityTest.php
Laurent Destailleur
2020-12-11 15:56:19 +01:00
4 changed files with 31 additions and 7 deletions


@@ -931,8 +931,9 @@ function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1)
// List of special chars for filenames in windows are defined on page https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
// Char '>' '<' '|' '$' and ';' are special chars for shells.
// Char '/' and '\' are file delimiters.
$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';');
return dol_string_nospecial($unaccent ?dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
// -- car can be used into filename to inject special paramaters like --use-compress-program to make command with file as parameter making remote execution of command
$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '--');
return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
}
/**
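Review bot: Adding `'--'` to `$filesystem_forbidden_chars` only removes the two-dash sequence, so a sanitized name can still begin with a single `-`, which most command-line tools parse as a short option when the name is passed as an argument. Consider also neutralising a leading dash in the result, for example `$tmp = dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);` followed by `return preg_replace('/^-+/', '_', $tmp);`. Independently, any caller that builds a command line should quote the name with `escapeshellarg()` and place it after a `--` end-of-options marker. `dol_string_nospecial()` is not visible here, so it is worth confirming that it replaces multi-character entries as substrings rather than treating each entry as a single character. The new comment would read more clearly as `// '--' can be used in a filename to inject options such as --use-compress-program when the file name is passed as a command argument, leading to remote command execution`. The body of dol_sanitizeFileName starts before this hunk.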