Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix GETPOST accept < if followed with a number

Browse Source
This commit is contained in:
Laurent Destailleur
2021-02-04 23:36:41 +01:00
parent 8cbd9fc0d8
commit 4a2f26415e
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
test/phpunit/SecurityTest.php
View File

@@ -295,6 +295,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param8a"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'"; // html tag is not closed so it is not detected as html tag but is still harmfull
$_POST['param8b']='<img src=x onerror=alert(document.location) t='; // this is html obfuscated by non closing tag
$_POST['param8c']='< with space after is ok';
$_POST['param8d']='<abc123 is html to clean';
$_POST['param8e']='<123abc is not html to clean';
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> ';
@@ -371,6 +373,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST['param8c'], $result, 'Test a string with non closing html tag with alphanohtml');
$result=GETPOST("param8d", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('abc123 is html to clean', $result, 'Test a string with non closing html tag with alphanohtml');
$result=GETPOST("param8e", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST['param8e'], $result, 'Test a string with non closing html tag with alphanohtml');
$result=GETPOST("param9", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST["param9"], $result);