Merge branch '19.0' of git@github.com:Dolibarr/dolibarr.git into 20.0
@@ -1232,6 +1232,7 @@ class Notify
|
|||||||
$outputlangs->loadLangs(array('main', 'other'));
|
$outputlangs->loadLangs(array('main', 'other'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object);
|
$substitutionarray = getCommonSubstitutionArray($outputlangs, 0, null, $object);
|
||||||
complete_substitutions_array($substitutionarray, $outputlangs, $object);
|
complete_substitutions_array($substitutionarray, $outputlangs, $object);
|
||||||
$subject = make_substitutions($emailTemplate->topic, $substitutionarray, $outputlangs);
|
$subject = make_substitutions($emailTemplate->topic, $substitutionarray, $outputlangs);
|
||||||
|
|||||||
@@ -10404,14 +10404,16 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
|||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (strpos($s, '::') !== false) {
|
|
||||||
|
if (!getDolGlobalString('MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL') && strpos($s, '::') !== false) {
|
||||||
if ($returnvalue) {
|
if ($returnvalue) {
|
||||||
return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
|
return 'Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s;
|
||||||
} else {
|
} else {
|
||||||
dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s, LOG_WARNING);
|
dol_syslog('Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s, LOG_WARNING);
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strpos($s, '`') !== false) {
|
if (strpos($s, '`') !== false) {
|
||||||
if ($returnvalue) {
|
if ($returnvalue) {
|
||||||
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
|
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
|
||||||
@@ -10420,12 +10422,16 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
|
|||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
|
|
||||||
if ($returnvalue) {
|
// Disallow also concat
|
||||||
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
|
if (getDolGlobalString('MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL')) {
|
||||||
} else {
|
if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
|
||||||
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s, LOG_WARNING);
|
if ($returnvalue) {
|
||||||
return '';
|
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
|
||||||
|
} else {
|
||||||
|
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s, LOG_WARNING);
|
||||||
|
return '';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
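Review bot: The default path of dol_eval now skips the dot-character check entirely, because the whole `preg_match('/[^0-9]+\.[^0-9]+/', $s)` block in the second dol_eval hunk sits inside `if (getDolGlobalString('MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL'))`, and nothing in the hunk records that this hardening is opt-in. A comment above that `if` should say so, e.g. `// Opt-in hardening: without MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL, '.' outside numeric literals is still accepted (legacy behaviour)`. For consistency with the double-colon messages in the first hunk, which now name MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL, the dot rejection text and its dol_syslog twin could name the setting too: `return 'Bad string syntax to evaluate (dot char is forbidden when MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL is set): '.$s;`. The function dol_eval starts and ends outside these hunks, so I cannot see whether its docblock mentions either new constant; both change what strings the evaluator accepts and belong there.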
@@ -2176,7 +2176,7 @@ class pdf_sponge extends ModelePDFFactures
|
|||||||
$title = $outputlangs->transnoentities("InvoiceProForma");
|
$title = $outputlangs->transnoentities("InvoiceProForma");
|
||||||
}
|
}
|
||||||
if ($this->situationinvoice) {
|
if ($this->situationinvoice) {
|
||||||
$langs->loadLangs(array("other"));
|
$outputlangs->loadLangs(array("other"));
|
||||||
$title = $outputlangs->transnoentities("PDFInvoiceSituation") . " " . $outputlangs->transnoentities("NumberingShort") . $object->situation_counter . " -";
|
$title = $outputlangs->transnoentities("PDFInvoiceSituation") . " " . $outputlangs->transnoentities("NumberingShort") . $object->situation_counter . " -";
|
||||||
}
|
}
|
||||||
if (getDolGlobalString('PDF_USE_ALSO_LANGUAGE_CODE') && is_object($outputlangsbis)) {
|
if (getDolGlobalString('PDF_USE_ALSO_LANGUAGE_CODE') && is_object($outputlangsbis)) {
|
||||||
|
|||||||
@@ -298,11 +298,16 @@ if (empty($reshook)) {
|
|||||||
$payment->num_payment = $invoice->ref;
|
$payment->num_payment = $invoice->ref;
|
||||||
|
|
||||||
if ($pay != "delayed") {
|
if ($pay != "delayed") {
|
||||||
$payment->create($user);
|
$result = $payment->create($user); // This set $payment->amount
|
||||||
$res = $payment->addPaymentToBank($user, 'payment', '(CustomerInvoicePayment)', $bankaccount, '', '');
|
if ($result < 0) {
|
||||||
if ($res < 0) {
|
|
||||||
$error++;
|
$error++;
|
||||||
dol_htmloutput_errors($langs->trans('ErrorNoPaymentDefined'), $payment->errors, 1);
|
dol_htmloutput_errors($payment->error, $payment->errors, 1);
|
||||||
|
} else {
|
||||||
|
$res = $payment->addPaymentToBank($user, 'payment', '(CustomerInvoicePayment)', $bankaccount, '', '');
|
||||||
|
if ($res < 0) {
|
||||||
|
$error++;
|
||||||
|
dol_htmloutput_errors($langs->trans('ErrorNoPaymentDefined'), $payment->errors, 1);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
$remaintopay = $invoice->getRemainToPay(); // Recalculate remain to pay after the payment is recorded
|
$remaintopay = $invoice->getRemainToPay(); // Recalculate remain to pay after the payment is recorded
|
||||||
} elseif (getDolGlobalInt("TAKEPOS_DELAYED_TERMS")) {
|
} elseif (getDolGlobalInt("TAKEPOS_DELAYED_TERMS")) {
|
||||||
|
|||||||
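Review bot: The new `else` branch after `$result = $payment->create($user);` still reports a failed `addPaymentToBank()` with the generic `$langs->trans('ErrorNoPaymentDefined')`, while the new `create()` failure branch directly above it reports `$payment->error`; the bank-link failure should surface the real error the same way, `dol_htmloutput_errors($payment->error, $payment->errors, 1);`. When `create()` succeeds but `addPaymentToBank()` fails, `$error` is incremented but the payment record already exists and `$remaintopay = $invoice->getRemainToPay();` still runs on the line below; whether a surrounding transaction rolls the orphan payment back is not visible here, since the enclosing `if (empty($reshook))` block starts and ends outside the hunk, so it is worth confirming.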
@@ -1063,10 +1063,9 @@ class SecurityTest extends CommonClassTest
|
|||||||
print "result = ".$result."\n";
|
print "result = ".$result."\n";
|
||||||
$this->assertEquals('Bad string syntax to evaluate: new __forbiddenstring__(\'abc\')', $result);
|
$this->assertEquals('Bad string syntax to evaluate: new __forbiddenstring__(\'abc\')', $result);
|
||||||
|
|
||||||
|
|
||||||
$result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '0');
|
$result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '0');
|
||||||
print "result5 = ".$result."\n";
|
print "result5 = ".$result."\n";
|
||||||
$this->assertStringContainsString('Bad string syntax to evaluate', $result);
|
$this->assertStringContainsString('Bad string syntax to evaluate', $result, 'The string was not detected as evil');
|
||||||
|
|
||||||
$result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '1');
|
$result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '1');
|
||||||
print "result6 = ".$result."\n";
|
print "result6 = ".$result."\n";
|
||||||
@@ -1080,6 +1079,8 @@ class SecurityTest extends CommonClassTest
|
|||||||
print "result8 = ".$result."\n";
|
print "result8 = ".$result."\n";
|
||||||
$this->assertStringContainsString('Bad string syntax to evaluate', $result);
|
$this->assertStringContainsString('Bad string syntax to evaluate', $result);
|
||||||
|
|
||||||
|
$conf->global->MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL = 1;
|
||||||
|
|
||||||
$result = (string) dol_eval('$a="test"; $$a;', 1, 0);
|
$result = (string) dol_eval('$a="test"; $$a;', 1, 0);
|
||||||
print "result9 = ".$result."\n";
|
print "result9 = ".$result."\n";
|
||||||
$this->assertStringContainsString('Bad string syntax to evaluate', $result);
|
$this->assertStringContainsString('Bad string syntax to evaluate', $result);
|
||||||
|
|||||||
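Review bot: `$conf->global->MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL = 1;` is assigned in the second SecurityTest hunk and not restored within it, so if it stays set it changes dol_eval's behaviour for every later test in the same process (the test method continues past the hunk, so a reset may simply be out of view). Save and restore the flag around the result9 assertions, e.g. `$savedflag = $conf->global->MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL ?? null;` before and `$conf->global->MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL = $savedflag;` after. The result9 input `'$a="test"; $$a;'` contains no dot, so the rejection being asserted presumably comes from another check gated by the same constant that is not in this diff; a one-line comment naming what the flag is expected to block here would make the test self-explaining.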