forked from Wavyzz/dolibarr
Merge branch '20.0' of git@github.com:Dolibarr/dolibarr.git into develop
This commit is contained in:
Laurent Destailleur
@@ -2063,9 +2063,10 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
|
||||
$result = str_ireplace('__SRCHTTPIMG', 'src="http:', $result);
|
||||
$result = str_ireplace('__SRCHTTPSIMG', 'src="https:', $result);
|
||||
$result = str_ireplace('__DOUBLEQUOTE', '"', $result);
|
||||
$result = str_ireplace('__SIMPLEQUOTE', ''', $result);
|
||||
}
|
||||
|
||||
$result = str_ireplace('__SIMPLEQUOTE', ''', $result);
|
||||
|
||||
//$result="\n\n\n".var_export($tmp, true)."\n\n\n".var_export($result, true);
|
||||
|
||||
return $result;
|
||||
@@ -6339,7 +6340,7 @@ function print_barre_liste($title, $page, $file, $options = '', $sortfield = '',
|
||||
print '<div class="titre inline-block">';
|
||||
print $title; // $title may contains HTML
|
||||
if (!empty($title) && $savtotalnboflines >= 0 && (string) $savtotalnboflines != '') {
|
||||
print '<span class="opacitymedium colorblack marginleftonly" title="'.$langs->trans("NbRecordQualified").'">('.$totalnboflines.')</span>';
|
||||
print '<span class="opacitymedium colorblack paddingleft marginleftonly" title="'.$langs->trans("NbRecordQualified").'">('.$totalnboflines.')</span>';
|
||||
}
|
||||
print '</div></td>';
|
||||
|
||||
@@ -6471,9 +6472,10 @@ function print_fleche_navigation($page, $file, $options = '', $nextpage = 0, $be
|
||||
if (empty($hidenavigation)) {
|
||||
if ((int) $limit > 0 && empty($hideselectlimit)) {
|
||||
$pagesizechoices = '10:10,15:15,20:20,25:25,50:50,100:100,250:250,500:500,1000:1000';
|
||||
$pagesizechoices .= ',5000:5000,10000:10000,20000:20000';
|
||||
//$pagesizechoices.=',0:'.$langs->trans("All"); // Not yet supported
|
||||
//$pagesizechoices.=',2:2';
|
||||
$pagesizechoices .= ',5000:5000,10000:10000';
|
||||
//$pagesizechoices .= ',20000:20000'; // Memory trouble on browsers
|
||||
//$pagesizechoices .= ',0:'.$langs->trans("All"); // Not yet supported
|
||||
//$pagesizechoices .= ',2:2';
|
||||
if (getDolGlobalString('MAIN_PAGESIZE_CHOICES')) {
|
||||
$pagesizechoices = getDolGlobalString('MAIN_PAGESIZE_CHOICES');
|
||||
}
|
||||
@@ -10283,7 +10285,7 @@ function verifCond($strToEvaluate, $onlysimplestring = '1')
|
||||
* '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';',
|
||||
* '2' (used for example for the compute property of extrafields)=Accept also '[]'
|
||||
* @return void|string Nothing or return result of eval (even if type can be int, it is safer to assume string and find all potential typing issues as abs(dol_eval(...)).
|
||||
* @see verifCond()
|
||||
* @see verifCond(), checkPHPCode() to see sanitizing rules that should be very close.
|
||||
* @phan-suppress PhanPluginUnsafeEval
|
||||
*/
|
||||
function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1')
|
||||
@@ -10310,6 +10312,8 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
// We must accept with 1: '1 && getDolGlobalInt("doesnotexist1") && getDolGlobalString("MAIN_FEATURES_LEVEL")'
|
||||
// We must accept with 1: '$user->hasRight("cabinetmed", "read") && !$object->canvas=="patient@cabinetmed"'
|
||||
// We must accept with 2: (($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"
|
||||
|
||||
// Check if there is dynamic call (first we check chars are all into use a whitelist chars)
|
||||
$specialcharsallowed = '^$_+-.*>&|=!?():"\',/@';
|
||||
if ($onlysimplestring == '2') {
|
||||
$specialcharsallowed .= '[]';
|
||||
@@ -10321,17 +10325,29 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (found chars that are not chars for a simple clean eval string): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for a simple clean eval string): '.$s);
|
||||
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for a simple clean eval string): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
// Check if there is dynamic call (first we use black list patterns)
|
||||
if (preg_match('/\$[\w]*\s*\(/', $s)) {
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (mode '.$onlysimplestring.', found a call using of "$abc(" or "$abc (" instead of using the direct name of the function): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (mode '.$onlysimplestring.', found a call using of "$abc(" or "$abc (" instead of using the direct name of the function): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
// Now we check if we try dynamic call (by removing white list pattern of using parenthesis then testing if a parenthesis exists)
|
||||
$savescheck = '';
|
||||
$scheck = $s;
|
||||
while ($scheck && $savescheck != $scheck) {
|
||||
$savescheck = $scheck;
|
||||
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $scheck); // accept parenthesis in '...->method(...'
|
||||
$scheck = preg_replace('/^\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '(...'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
|
||||
$scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... ('. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
|
||||
$scheck = preg_replace('/\s\(/', '__PARENTHESIS__ ', $scheck); // accept parenthesis in '... (' like in 'if ($a == 1)'. Must replace with __PARENTHESIS__ with a space after to allow following substitutions
|
||||
$scheck = preg_replace('/^!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in 'function(' and '!function('
|
||||
$scheck = preg_replace('/\s!?[a-zA-Z0-9_]+\(/', '__FUNCTION__', $scheck); // accept parenthesis in '... function(' and '... !function('
|
||||
$scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)')
|
||||
@@ -10341,22 +10357,28 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (mode '.$onlysimplestring.', found call of a function or method without using the direct name of the function): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (mode '.$onlysimplestring.', found call of a function or method without using the direct name of the function): '.$s);
|
||||
dol_syslog('Bad string syntax to evaluate (mode '.$onlysimplestring.', found call of a function or method without using the direct name of the function): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
// TODO
|
||||
// We can exclude $ char that are not:
|
||||
// $db, $langs, $leftmenu, $topmenu, $user, $langs, $objectoffield, $object...,
|
||||
}
|
||||
if (is_array($s) || $s === 'Array') {
|
||||
return 'Bad string syntax to evaluate (value is Array) '.var_export($s, true);
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (value is Array): '.var_export($s, true);
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (value is Array): '.var_export($s, true), LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
if (strpos($s, '::') !== false) {
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s);
|
||||
dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
@@ -10364,7 +10386,7 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (backtick char is forbidden): '.$s);
|
||||
dol_syslog('Bad string syntax to evaluate (backtick char is forbidden): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
@@ -10372,22 +10394,24 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
if ($returnvalue) {
|
||||
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
|
||||
} else {
|
||||
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s);
|
||||
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s, LOG_WARNING);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
// We block use of php exec or php file functions
|
||||
$forbiddenphpstrings = array('$$');
|
||||
$forbiddenphpstrings = array('$$', '$_', '}[');
|
||||
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST', 'ReflectionFunction'));
|
||||
|
||||
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen");
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions
|
||||
$forbiddenphpfunctions = array();
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64_decode", "rawurldecode", "urldecode", "str_rot13", "hex2bin")); // decode string functions used to obfuscated function name
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("override_function", "session_id", "session_create_id", "session_regenerate_id"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("get_defined_functions", "get_defined_vars", "get_defined_constants", "get_declared_classes"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("require", "include", "require_once", "include_once"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("exec", "passthru", "shell_exec", "system", "proc_open", "popen"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("eval", "create_function", "assert", "mb_ereg_replace")); // function with eval capabilities
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_compress_dir", "dol_decode", "dol_delete_file", "dol_delete_dir", "dol_delete_dir_recursive", "dol_copy", "archiveOrBackupFile")); // more dolibarr functions
|
||||
|
||||
@@ -10405,6 +10429,7 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
||||
//$s = preg_replace('/\$[a-zA-Z0-9_\->\$]+\(/i', '', $s); // Remove $function( call and $mycall->mymethod(
|
||||
} while ($oldstringtoclean != $s);
|
||||
|
||||
|
||||
if (strpos($s, '__forbiddenstring__') !== false) {
|
||||
dol_syslog('Bad string syntax to evaluate: '.$s, LOG_WARNING);
|
||||
if ($returnvalue) {
|
||||
|
||||
Reference in New Issue
Block a user