
Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop

Conflicts:
	htdocs/compta/tva/card.php
	htdocs/langs/en_US/admin.lang
This commit is contained in:
Laurent Destailleur
2022-04-28 19:23:13 +02:00
18 changed files with 112 additions and 73 deletions


@@ -109,10 +109,11 @@ function testSqlAndScriptInject($val, $type)
// We check string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
// We should use dol_string_nounprintableascii but function is not yet loaded/available
// Example of valid UTF8 chars:
// utf8=utf8mb3: '\x0A', '\x0D', '\x7E'
// utf8=utf8mb3: '\x09', '\x0A', '\x0D', '\x7E'
// utf8=utf8mb3: '\xE0\xA0\x80'
// utf8mb4: '\xF0\x9D\x84\x9E' (but this may be refused by the database insert if pagecode is utf8=utf8mb3)
$newval = preg_replace('/[\x00-\x09\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
$newval = preg_replace('/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
// Note that $newval may also be completely empty '' when non valid UTF8 are found.
if ($newval != $val) {
// If $val has changed after removing non valid UTF8 chars, it means we have an evil string.