diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index 3d60db2e9ef..d1b36ca5187 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2004-2009 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -42,16 +42,13 @@ $upload_dir=$conf->admin->dir_temp; if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) { - /* - * Creation repertoire si n'existe pas - */ - if (! is_dir($upload_dir)) create_exdir($upload_dir); - - if (is_dir($upload_dir)) + $result=create_exdir($upload_dir); // Create dir if not exists + if ($result >= 0) { @dol_delete_file($upload_dir . "/" . $_FILES['userfile']['name'],1); - if (dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir . "/" . $_FILES['userfile']['name'],0) > 0) + $resupload=dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir . "/" . $_FILES['userfile']['name'],0); + if ($resupload > 0) { $mesg = '
'.$langs->trans("FileTransferComplete").'
'; //print_r($_FILES); @@ -59,7 +56,9 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) else { // Echec transfert (fichier depassant la limite ?) - $mesg = '
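Review bot: The destination path `$upload_dir . "/" . $_FILES['userfile']['name']` on the `dol_delete_file` and `dol_move_uploaded_file` lines is built from the client-supplied file name, and the `@dol_delete_file(...)` pre-delete runs before the upload is validated, which defeats the `allowoverwrite=0` argument passed on the next line. PHP normally strips directory components from `$_FILES[...]['name']`, but normalise it once anyway — `$filename = basename($_FILES['userfile']['name']);` — and reuse it for both calls. Prefer dropping the pre-delete and passing `1` for `allowoverwrite`, so a rejected (for example infected) upload can no longer be used to remove an existing file in `$upload_dir`. `if ($result >= 0)` assumes `create_exdir` signals failure with a negative value; that contract is not visible here. The enclosing `if ($_POST["sendit"] ...)` block closes outside this hunk.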
'.$langs->trans("ErrorFileNotUploaded").'
'; + $mesg = '
'.$langs->trans("ErrorFileNotUploaded"); + $mesg.= 'ee'; + $mesg.'
'; // print_r($_FILES); } } @@ -125,9 +124,16 @@ if ($_GET["action"] == 'MAIN_ANTIVIRUS_COMMAND') exit; } +if ($_GET["action"] == 'MAIN_ANTIVIRUS_PARAM') +{ + dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", $_POST["MAIN_ANTIVIRUS_PARAM"],'chaine',0,'',$conf->entity); + Header("Location: security_other.php"); + exit; +} + /* - * Affichage onglet + * View */ $form = new Form($db); @@ -192,7 +198,7 @@ print ''.$langs->trans("UseCaptchaCode").''; print ''; if($conf->global->MAIN_SECURITY_ENABLECAPTCHA == 1) { - print img_tick(); + print img_tick(); } print ''; print ''; @@ -280,6 +286,22 @@ print ''; print ''; print ''; +// Use anti virus +$var=!$var; +print '
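Review bot: `$mesg.= 'ee';` is debugging residue that is shown to the admin, and `$mesg.'…';` on the next line is a bare expression with no `=`, so the closing markup is never appended. Replace the three lines with one assignment using the same wrapper markup as the success branch, `$mesg = '…'.$langs->trans("ErrorFileNotUploaded").'…';`. Since `dol_move_uploaded_file` now returns `-99` when the antivirus scan rejects the file, every failure is still reported as "not uploaded (size limit?)"; branch on it before the generic message — `if ($resupload == -99) dol_syslog("Upload refused by antivirus scan", LOG_WARNING);` — and give it its own translation key so the admin can tell the two cases apart.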
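Review bot: The new `MAIN_ANTIVIRUS_PARAM` handler stores `$_POST["MAIN_ANTIVIRUS_PARAM"]` unvalidated, and in this same commit that value is spliced into the command line that `AntiVir::dol_avscan_file` hands to `exec()`, so this action is a direct path from an HTTP request to a shell command. Nothing in the hunk shows a form token, so a forged POST riding an authenticated admin session would set it; a page-level admin check above the hunk, if present, covers authorisation but not CSRF. At minimum validate the value before storing it, e.g. `if (! isset($_POST["MAIN_ANTIVIRUS_PARAM"]) || ! preg_match('/^[\w\s%=.,\/\-]*$/', $_POST["MAIN_ANTIVIRUS_PARAM"])) { $mesg = ...; }` and only then call `dolibarr_set_const`; the `isset()` also stops a request without that field from blanking the setting. The same applies to the pre-existing `MAIN_ANTIVIRUS_COMMAND` action visible at the top of the hunk.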
'; +print ""; +print ''.$langs->trans("AntiVirusParam").'
'; +print $langs->trans("AntiVirusParamExample"); +print ''; +print ''; +print ''; +print ""; +print ''; +print ''; +print ''; +print ''; +print '
'; + print ''; print ''; diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 7e4897d1cba..fdbadb63749 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php @@ -97,7 +97,7 @@ if ($what == 'mysql') // Parameteres execution $command=$cmddump; - if (preg_match("/\s/",$command)) $command=$command=escapeshellarg($command); // Use quotes on command + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command //$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host)." -u ".escapeshellarg($dolibarr_main_db_user)." -p".escapeshellarg($dolibarr_main_db_pass); $param=$dolibarr_main_db_name." -h ".$dolibarr_main_db_host; @@ -201,6 +201,7 @@ if ($what == 'mysql') if (! $errormsg) $errormsg=$langs->trans("ErrorFailedToRunExternalCommand"); } } + fclose($handle); // Fin execution commande } diff --git a/htdocs/lib/antivir.class.php b/htdocs/lib/antivir.class.php new file mode 100644 index 00000000000..259338e05a2 --- /dev/null +++ b/htdocs/lib/antivir.class.php 
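Review bot: Quoting `$command` only `if (preg_match("/\s/",$command))` leaves every other shell metacharacter (`;`, `&`, backquotes, `$`) unescaped whenever the value contains no whitespace; `escapeshellarg()` is safe to apply unconditionally, so the corrected line should simply read `$command=escapeshellarg($command);`. The next line builds `$param` from `$dolibarr_main_db_name` and `$dolibarr_main_db_host` without escaping while the commented-out line just above shows the escaped form; these presumably come from the configuration file rather than the request, but per-argument `escapeshellarg()` costs nothing and is the form the password argument needs anyway. The `if ($what == 'mysql')` block this hunk belongs to continues outside it.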
@@ -0,0 +1,130 @@ + + * Copyright (C) 2003 Jean-Louis Bergamo + * Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2005-2009 Regis Houssin + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * or see http://www.gnu.org/ + */ + +/** + * \file htdocs/lib/antivir.class.php + * \brief File of class to scan viruses + * \version $Id$ + * \author Laurent Destailleur. 
+ */ + +/** + * \class AntiVir + * \brief Class to scan for virus + */ +class AntiVir +{ + var $error; + var $output; + var $db; + + /** + * Constructor + * + * @param unknown_type $db + * @return AntiVir + */ + function AntiVir($db) + { + $this->db=$db; + } + + /** + * \brief Scan a file with antivirus + * \param file File to scan + * \return malware Name of virus found or '' + */ + function dol_avscan_file($file) + { + global $conf; + + $return = 0; + + $maxreclevel = 5 ; // maximal recursion level + $maxfiles = 1000; // maximal number of files to be scanned within archive + $maxratio = 200; // maximal compression ratio + $bz2archivememlim = 0; // limit memory usage for bzip2 (0/1) + $maxfilesize = 10485760; // archived files larger than this value (in bytes) will not be scanned + + @set_time_limit($cfg['ExecTimeLimit']); + $outputfile=$conf->admin->dir_temp.'/dol_avscan_file.out.'.session_id(); + + $command=$conf->global->MAIN_ANTIVIRUS_COMMAND; + $param=$conf->global->MAIN_ANTIVIRUS_PARAM; + + if (preg_match('/%file/',$conf->global->MAIN_ANTIVIRUS_PARAM)) $param=preg_replace('/%file/',trim($file),$param); + else $param=trim($file); + $param=preg_replace('/%maxreclevel/',$maxreclevel,$param); + $param=preg_replace('/%maxfiles/',$maxfiles,$param); + $param=preg_replace('/%maxratio/',$maxratiod,$param); + $param=preg_replace('/%bz2archivememlim/',$bz2archivememlim,$param); + $param=preg_replace('/%maxfilesize/',$maxfilesize,$param); + + // Create a clean fullcommand + //print $command." ".$param; + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command + if (preg_match("/\s/",$param)) $param=escapeshellarg($param); // Use quotes on param + //print $command." ".$param; + + $output=array(); + $return_var=0; + $fullcommand=$command.' '.$param.' 
2>&1'; + dol_syslog("Run command=".$fullcommand); + exec($fullcommand, $output, $return_var); + +/* + $handle = fopen($outputfile, 'w'); + if ($handle) + { + $handlein = popen($fullcommand, 'r'); + while (!feof($handlein)) + { + $read = fgets($handlein); + fwrite($handle,$read); + } + pclose($handlein); + + $errormsg = fgets($handle,2048); + $this->output=$errormsg; + + fclose($handle); + + if (! empty($conf->global->MAIN_UMASK)) + @chmod($outputfile, octdec($conf->global->MAIN_UMASK)); + } + else + { + $langs->load("errors"); + dol_syslog("Failed to open file ".$outputfile,LOG_ERR); + $this->error="ErrorFailedToWriteInDir"; + $return=-1; + } + */ + + dol_syslog("Result return_var=".$return_var." output=".join(',',$output)); + + return $return; + } + +} + +?> \ No newline at end of file diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php index 56798912a36..e5b9cbea435 100644 --- a/htdocs/lib/functions.lib.php +++ b/htdocs/lib/functions.lib.php @@ -1932,7 +1932,7 @@ function dol_print_error_email() * \param src_file Source filename * \param dest_file Target filename * \param allowoverwrite Overwrite if exists - * \return int >0 if OK, <0 if KO, Name of virus if virus found + * \return int >0 if OK, <0 if KO (-99 if virus found), Name of virus if virus found */ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) { 
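Review bot: `dol_avscan_file` always returns `$return`, which is set to 0 and never updated from `$return_var`, so the `if ($result < 0) return -99;` check this commit adds to `dol_move_uploaded_file` can never fire and an infected upload is accepted after being scanned. On the way to `exec()` there are further defects: `$cfg['ExecTimeLimit']` is undefined so `set_time_limit()` receives 0 (no limit), `%maxratio` is replaced with the undefined `$maxratiod`, the file path is inserted through `preg_replace` where `\` and `$` in the replacement are interpreted, and wrapping the whole of `$param` in one `escapeshellarg()` only when it contains whitespace both collapses the options into a single argument and leaves metacharacters unescaped otherwise. The rewrite below escapes the file name as one shell argument and substitutes it last, maps a non-zero exit status to a negative return (fail closed: a scanner that cannot run rejects the upload, which is the safe default and is visible in the log), and keeps the scanner output in `$this->output`. Exit-code meanings differ between scanners, so the `1` = infected mapping follows the clamscan convention and should be documented next to `MAIN_ANTIVIRUS_COMMAND`; the unused `$outputfile` and the commented-out `popen` block are dead and should be removed.
```php
    /**
     * \brief  Scan a file with the configured antivirus command
     * \param  file   Full path of the file to scan (escaped as one shell argument)
     * \return int    0 if the scanner ran and reported the file clean, <0 otherwise
     *                (-1 infected, -2 scanner failed to run); $this->output holds the scanner output
     */
    function dol_avscan_file($file)
    {
        global $conf;

        // … unchanged: $maxreclevel … $maxfilesize limits …

        $command = $conf->global->MAIN_ANTIVIRUS_COMMAND;   // binary path only; options belong in MAIN_ANTIVIRUS_PARAM
        $param   = $conf->global->MAIN_ANTIVIRUS_PARAM;

        // Escape the file as ONE shell argument and substitute it last, so that
        // placeholder text inside the path is never expanded.
        $escapedfile = escapeshellarg(trim($file));
        $param = str_replace('%maxreclevel', $maxreclevel, $param);
        $param = str_replace('%maxfiles', $maxfiles, $param);
        $param = str_replace('%maxratio', $maxratio, $param);            // was the undefined $maxratiod
        $param = str_replace('%bz2archivememlim', $bz2archivememlim, $param);
        $param = str_replace('%maxfilesize', $maxfilesize, $param);
        if (strpos($param, '%file') !== false) $param = str_replace('%file', $escapedfile, $param);
        else $param = trim($param.' '.$escapedfile);

        $output = array();
        $return_var = 0;
        $fullcommand = escapeshellarg($command).' '.$param.' 2>&1';
        dol_syslog("Run command=".$fullcommand);
        exec($fullcommand, $output, $return_var);
        dol_syslog("Result return_var=".$return_var." output=".join(',', $output));

        $this->output = join("\n", $output);
        if ($return_var == 0) return 0;          // scanner ran and found nothing
        if ($return_var == 1)                    // clamscan convention: 1 = infected
        {
            $this->error = $this->output;        // scanner output names the malware
            return -1;
        }
        $this->error = 'ErrorFailedToRunExternalCommand';   // not installed/misconfigured: fail closed
        return -2;
    }
```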
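Review bot: The updated `\return` line still promises both `-99 if virus found` and `Name of virus if virus found`, but with the scan moved into `AntiVir` the body in the next hunk only ever returns `-99` and never a name; drop the trailing clause so it reads `\return int >0 if OK, <0 if KO (-99 if the antivirus scan rejected the file)`. It is also worth stating that `-99` can only occur when `MAIN_ANTIVIRUS_COMMAND` is set, since callers such as the admin upload page currently map every negative value to the same message. The body of `dol_move_uploaded_file` lies outside this hunk.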
@@ -1941,25 +1941,25 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) $file_name = $dest_file; // If we need to make a virus scan - if ($conf->global->MAIN_USE_AVSCAN) + if ($conf->global->MAIN_ANTIVIRUS_COMMAND) { require_once(DOL_DOCUMENT_ROOT.'/lib/security.lib.php'); - $malware = dol_avscan_file($src_file); - if ($malware) return $malware; + require_once(DOL_DOCUMENT_ROOT.'/lib/antivir.class.php'); + $antivir=new AntiVir($db); + $result = $antivir->dol_avscan_file($src_file); + if ($result < 0) return -99; } // Security: - // On renomme les fichiers avec extention script web car si on a mis le rep - // documents dans un rep de la racine web (pas bien), cela permet d'executer - // du code a la demande. + // Disallow file with some extensions. We renamed them. + // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande. if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$file_name)) { $file_name.= '.noexe'; } // Security: - // On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans - // les noms de fichiers. + // On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans les noms de fichiers. if (preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file)) { dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING); 
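Review bot: The checks `preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file)` still inspect `$src_file`, which for uploads is the PHP-generated temporary name, while the attacker-influenced value is `$dest_file`/`$file_name`; run them against `$file_name` instead (the hidden-file test on `basename($file_name)` so it applies to the last component rather than the whole path). The `.noexe` regex `/\.htm|\.html|\.php|\.pl|\.cgi$/i` anchors only the last alternative and misses extensions many servers also execute (`.phtml`, `.php3`/`.php5`, `.phar`, `.shtml`); match each extension at the end or before a further dot so double-extension tricks stay covered, e.g. `/\.(htm|html|phtml|php\d?|phar|pl|cgi|shtml)(\.|$)/i`, noting that what actually executes is server-configuration dependent. The `require_once` of `security.lib.php` is no longer needed for the scan since this commit removes `dol_avscan_file` from it, and `$db` passed to `new AntiVir($db)` is not declared `global` in the visible lines — confirm it is in scope above. `dol_move_uploaded_file` starts and ends outside this hunk.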
@@ -2252,14 +2252,14 @@ function dol_delete_file($file,$disableglob=0) { $ok=unlink($filename); // The unlink encapsulated by dolibarr if ($ok) dol_syslog("Removed file ".$filename,LOG_DEBUG); - else dol_syslog("Failed to remove file ".$filename,LOG_ERR); + else dol_syslog("Failed to remove file ".$filename,LOG_WARNING); } } else { $ok=unlink($file_osencoded); // The unlink encapsulated by dolibarr if ($ok) dol_syslog("Removed file ".$file_osencoded,LOG_DEBUG); - else dol_syslog("Failed to remove file ".$file_osencoded,LOG_ERR); + else dol_syslog("Failed to remove file ".$file_osencoded,LOG_WARNING); } return $ok; } diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php index a82e1b14508..072d27d442e 100644 --- a/htdocs/lib/security.lib.php +++ b/htdocs/lib/security.lib.php @@ -719,31 +719,6 @@ function dol_decode($chain) } -/** - * \brief Scan les fichiers avec un anti-virus - * \param file Fichier a scanner - * \return malware Nom du virus si infecte sinon retourne "null" - */ -function dol_avscan_file($file) -{ - $malware = ''; - - // Clamav - if (function_exists("cl_scanfile")) - { - $maxreclevel = 5 ; // maximal recursion level - $maxfiles = 1000; // maximal number of files to be scanned within archive - $maxratio = 200; // maximal compression ratio - $archivememlim = 0; // limit memory usage for bzip2 (0/1) - $maxfilesize = 10485760; // archived files larger than this value (in bytes) will not be scanned - - cl_setlimits($maxreclevel, $maxfiles, $maxratio, $archivememlim, $maxfilesize); - $malware = cl_scanfile(dol_osencode($file)); - } - - return $malware; -} - /** * Return array of ciphers mode available *