Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Better test on validity of compute field syntax with parenthesis

Browse Source
This commit is contained in:
Laurent Destailleur
2024-03-03 13:11:54 +01:00
parent b870a84d8a
commit 21feee3bc8
2 changed files with 39 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
htdocs/core/lib/functions.lib.php
View File

@@ -9641,18 +9641,23 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
return ''; return '';
} }
} }
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $s); // accept parenthesis in '...->method(...' $savescheck = '';
$scheck = $s;
while ($scheck && $savescheck != $scheck) {
$savescheck = $scheck;
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $scheck); // accept parenthesis in '...->method(...'
$scheck = preg_replace('/^\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '(...'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions $scheck = preg_replace('/^\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '(...'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
$scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... ('. Must replace with __PARENTHESIS__ with a space after to allow following substitutions $scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... ('. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
$scheck = preg_replace('/^!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in 'function(' and '!function(' $scheck = preg_replace('/^!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in 'function(' and '!function('
$scheck = preg_replace('/\s!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in '... function(' and '... !function(' $scheck = preg_replace('/\s!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in '... function(' and '... !function('
$scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)') $scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)')
}
//print 'scheck='.$scheck." : ".strpos($scheck, '(')."<br>\n"; //print 'scheck='.$scheck." : ".strpos($scheck, '(')."<br>\n";
if (strpos($scheck, '(') !== false) { if (strpos($scheck, '(') !== false) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s; return 'Bad string syntax to evaluate (mode 1, found call of a function or method without using the direct name of the function): '.$s;
} else { } else {
dol_syslog('Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s); dol_syslog('Bad string syntax to evaluate (mode 1, found call of a function or method without using the direct name of the function): '.$s);
return ''; return '';
} }
} }
@@ -9672,18 +9677,23 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
return ''; return '';
} }
} }
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $s); // accept parenthesis in '...->method(...' $savescheck = '';
$scheck = $s;
while ($scheck && $savescheck != $scheck) {
$savescheck = $scheck;
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $scheck); // accept parenthesis in '...->method(...'
$scheck = preg_replace('/^\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '(...'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions $scheck = preg_replace('/^\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '(...'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
$scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... ('. Must replace with __PARENTHESIS__ with a space after to allow following substitutions $scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... ('. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
$scheck = preg_replace('/^!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in 'function(' and '!function(' $scheck = preg_replace('/^!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in 'function(' and '!function('
$scheck = preg_replace('/\s!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in '... function(' and '... !function(' $scheck = preg_replace('/\s!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in '... function(' and '... !function('
$scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)') $scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)')
}
//print 'scheck='.$scheck." : ".strpos($scheck, '(')."<br>\n"; //print 'scheck='.$scheck." : ".strpos($scheck, '(')."<br>\n";
if (strpos($scheck, '(') !== false) { if (strpos($scheck, '(') !== false) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s; return 'Bad string syntax to evaluate (mode 2, found call of a function or method without using the direct name of the function): '.$s;
} else { } else {
dol_syslog('Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s); dol_syslog('Bad string syntax to evaluate (mode 2, found call of a function or method without using the direct name of the function): '.$s);
return ''; return '';
} }
} }

15
test/phpunit/SecurityTest.php
View File

@@ -1061,6 +1061,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$langs=$this->savlangs; $langs=$this->savlangs;
$db=$this->savdb; $db=$this->savdb;
// Declare classes found into string to evaluate
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
$result=dol_eval('1==1', 1, 0); $result=dol_eval('1==1', 1, 0);
print "result1 = ".$result."\n"; print "result1 = ".$result."\n";
$this->assertTrue($result); $this->assertTrue($result);
@@ -1069,8 +1073,15 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result2 = ".$result."\n"; print "result2 = ".$result."\n";
$this->assertFalse($result); $this->assertFalse($result);
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $s = '((($reloadedobj = new ClassThatDoesNotExists($db)) && ($reloadedobj->fetchNoCompute($objectoffield->fk_product) > 0)) ? \'1\' : \'0\')';
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php'; $result3a = dol_eval($s, 1, 1, '2');
print "result3a = ".$result."\n";
$this->assertTrue(is_null($result3a));
$s = '((($reloadedobj = new Project($db)) && ($reloadedobj->fetchNoCompute($objectoffield->fk_product) > 0)) ? \'1\' : \'0\')';
$result3b = dol_eval($s, 1, 1, '2');
print "result3b = ".$result."\n";
$this->assertEquals('0', $result3b);
$s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"'; $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"';
$result=dol_eval($s, 1, 1, '2'); $result=dol_eval($s, 1, 1, '2');