diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index c6476f98a11..c6ceadf0a71 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -8167,7 +8167,7 @@ function dol_getIdFromCode($db, $key, $tablename, $fieldkey = 'code', $fieldid = * Verify if condition in string is ok or not * * @param string $strToEvaluate String with condition to check - * @return boolean True or False. Note: It returns True if $strToEvaluate is '' + * @return boolean True or False. Note: It returns also True if $strToEvaluate is '' */ function verifCond($strToEvaluate) { @@ -8178,8 +8178,10 @@ function verifCond($strToEvaluate) //print $strToEvaluate."
\n"; $rights = true; if (isset($strToEvaluate) && $strToEvaluate !== '') { - $str = 'if(!('.$strToEvaluate.')) { $rights = false; }'; - dol_eval($str); // The dol_eval must contains all the global $xxx used into a condition + $str = 'if(!('.$strToEvaluate.')) $rights = false;'; + dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition + //$rep = dol_eval($strToEvaluate, 1, 1 , '1'); // The dol_eval must contains all the global $xxx used into a condition + //$rights = ($rep ? true : false); } return $rights; } @@ -8191,7 +8193,7 @@ function verifCond($strToEvaluate) * @param string $s String to evaluate * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)). * @param int $hideerrors 1=Hide errors - * @param string $onlysimplestring Accept only simple string with char 'a-z0-9\s$_->&|='; + * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s$_->&|=';, 2=Accept also '!?():";' * @return mixed Nothing or return result of eval */ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1') @@ -8210,7 +8212,22 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1' if ($onlysimplestring == '1') { //print preg_quote('$_->&|', '/'); if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) { - return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; + if ($returnvalue) { + return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; + } else { + dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s); + return ''; + } + } + } elseif ($onlysimplestring == '2') { + //print preg_quote('$_->&|', '/'); + if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?():";', '/').']/i', $s)) { + if ($returnvalue) { + return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; + } else { + dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s); + return ''; + } } } if (strpos($s, '`') !== false) { diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index a687e6adbd7..7194c1cbfd4 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -876,12 +876,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php'; - $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: "Parent project not found"'; + $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"'; $result=dol_eval($s, 1, 1, ''); print "result = ".$result."\n"; $this->assertEquals('Parent project not found', $result); - $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: \'Parent project not found\''; + $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : \'Parent project not found\''; $result=dol_eval($s, 1, 1, ''); print "result = ".$result."\n"; $this->assertEquals('Parent project not found', $result); @@ -910,6 +910,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase print "result = ".$result."\n"; $this->assertContains('Bad string syntax to evaluate', $result); + $result=dol_eval("sprintf(\"%s%s\", \"ex\", \"ec\")('echo abc')", 1, 0, ''); + print "result = ".$result."\n"; + $this->assertContains('Bad string syntax to evaluate', $result); + // Case with param onlysimplestring = 1 $result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...' print "result = ".$result."\n";