Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

# WARNING: head commit changed in the meantime

Browse Source 
Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop
This commit is contained in:
Laurent Destailleur
2022-03-01 19:13:28 +01:00
parent 7c253c7e28 0ee858a9a2
commit 72965fdb2e
2 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/lib/functions.lib.php
View File

@@ -8341,13 +8341,15 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing. // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
if ($onlysimplestring == '1') { if ($onlysimplestring == '1') {
//print preg_quote('$_->&|', '/'); //print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?():"', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s); dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
return ''; return '';
} }
// TODO We can exclude all () that is not ...($db) and getDolGlobalInt( and getDolGlobalString(
// ...
} }
} elseif ($onlysimplestring == '2') { } elseif ($onlysimplestring == '2') {
//print preg_quote('$_->&|', '/'); //print preg_quote('$_->&|', '/');

2
test/phpunit/SecurityTest.php
View File

@@ -915,7 +915,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$this->assertContains('Bad string syntax to evaluate', $result); $this->assertContains('Bad string syntax to evaluate', $result);
// Case with param onlysimplestring = 1 // Case with param onlysimplestring = 1
$result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...' $result=dol_eval('1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
print "result = ".$result."\n"; print "result = ".$result."\n";
$this->assertFalse($result); $this->assertFalse($result);