
Some changes to support all antiviruses

This commit is contained in:
Laurent Destailleur
2010-01-07 00:06:21 +00:00
parent 09c1887347
commit b11ac5d223
5 changed files with 176 additions and 48 deletions


@@ -1,5 +1,5 @@
<?php <?php
/* Copyright (C) 2004-2008 Laurent Destailleur <eldy@users.sourceforge.net> /* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
@@ -42,16 +42,13 @@ $upload_dir=$conf->admin->dir_temp;
if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC))
{ {
/* $result=create_exdir($upload_dir); // Create dir if not exists
* Creation repertoire si n'existe pas if ($result >= 0)
*/
if (! is_dir($upload_dir)) create_exdir($upload_dir);
if (is_dir($upload_dir))
{ {
@dol_delete_file($upload_dir . "/" . $_FILES['userfile']['name'],1); @dol_delete_file($upload_dir . "/" . $_FILES['userfile']['name'],1);
if (dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir . "/" . $_FILES['userfile']['name'],0) > 0) $resupload=dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_dir . "/" . $_FILES['userfile']['name'],0);
if ($resupload > 0)
{ {
$mesg = '<div class="ok">'.$langs->trans("FileTransferComplete").'</div>'; $mesg = '<div class="ok">'.$langs->trans("FileTransferComplete").'</div>';
//print_r($_FILES); //print_r($_FILES);
@@ -59,7 +56,9 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC))
else else
{ {
// Echec transfert (fichier depassant la limite ?) // Echec transfert (fichier depassant la limite ?)
$mesg = '<div class="error">'.$langs->trans("ErrorFileNotUploaded").'</div>'; $mesg = '<div class="error">'.$langs->trans("ErrorFileNotUploaded");
$mesg.= 'ee';
$mesg.'</div>';
// print_r($_FILES); // print_r($_FILES);
} }
} }
@@ -125,9 +124,16 @@ if ($_GET["action"] == 'MAIN_ANTIVIRUS_COMMAND')
exit; exit;
} }
if ($_GET["action"] == 'MAIN_ANTIVIRUS_PARAM')
{
dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", $_POST["MAIN_ANTIVIRUS_PARAM"],'chaine',0,'',$conf->entity);
Header("Location: security_other.php");
exit;
}
/* /*
* Affichage onglet * View
*/ */
$form = new Form($db); $form = new Form($db);
@@ -192,7 +198,7 @@ print '<td colspan="3">'.$langs->trans("UseCaptchaCode").'</td>';
print '<td align="center" width="60">'; print '<td align="center" width="60">';
if($conf->global->MAIN_SECURITY_ENABLECAPTCHA == 1) if($conf->global->MAIN_SECURITY_ENABLECAPTCHA == 1)
{ {
print img_tick(); print img_tick();
} }
print '</td>'; print '</td>';
print '<td align="center" width="100">'; print '<td align="center" width="100">';
@@ -280,6 +286,22 @@ print '</td>';
print '</tr>'; print '</tr>';
print '</form>'; print '</form>';
// Use anti virus
$var=!$var;
print '<form action="'.$_SERVER["PHP_SELF"].'?action=MAIN_ANTIVIRUS_PARAM" method="POST">';
print "<tr ".$bc[$var].">";
print '<td colspan="2">'.$langs->trans("AntiVirusParam").'<br>';
print $langs->trans("AntiVirusParamExample");
print '</td>';
print '<td align="center" width="100">';
print '<input type="text" name="MAIN_ANTIVIRUS_PARAM" size=80 value="'.$conf->global->MAIN_ANTIVIRUS_PARAM.'">';
print "</td>";
print '<td align="right">';
print '<input type="submit" class="button" name="button" value="'.$langs->trans("Modify").'">';
print '</td>';
print '</tr>';
print '</form>';
print '</table>'; print '</table>';
print '</div>'; print '</div>';
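Review bot: The upload failure branch now emits a broken message: `$mesg.= 'ee';` appends a debug leftover and `$mesg.'</div>';` is a bare expression that assigns nothing, so the closing tag is lost and "ee" is shown to the user; restore `$mesg = '<div class="error">'.$langs->trans("ErrorFileNotUploaded").'</div>';`. Separately, the new MAIN_ANTIVIRUS_PARAM form echoes the stored value straight into the input attribute, `value="'.$conf->global->MAIN_ANTIVIRUS_PARAM.'"`; escape it, e.g. `value="'.htmlentities($conf->global->MAIN_ANTIVIRUS_PARAM).'"`, since this string is both rendered here and later handed to exec() by the AntiVir class. Whether the MAIN_ANTIVIRUS_PARAM action is gated by an admin check and a CSRF token is not visible in this section; the guard, if any, sits above the first hunk.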


@@ -97,7 +97,7 @@ if ($what == 'mysql')
// Parameteres execution // Parameteres execution
$command=$cmddump; $command=$cmddump;
if (preg_match("/\s/",$command)) $command=$command=escapeshellarg($command); // Use quotes on command if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command
//$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host)." -u ".escapeshellarg($dolibarr_main_db_user)." -p".escapeshellarg($dolibarr_main_db_pass); //$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host)." -u ".escapeshellarg($dolibarr_main_db_user)." -p".escapeshellarg($dolibarr_main_db_pass);
$param=$dolibarr_main_db_name." -h ".$dolibarr_main_db_host; $param=$dolibarr_main_db_name." -h ".$dolibarr_main_db_host;
@@ -201,6 +201,7 @@ if ($what == 'mysql')
if (! $errormsg) $errormsg=$langs->trans("ErrorFailedToRunExternalCommand"); if (! $errormsg) $errormsg=$langs->trans("ErrorFailedToRunExternalCommand");
} }
} }
fclose($handle);
// Fin execution commande // Fin execution commande
} }
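Review bot: The dump arguments on the line after the corrected `$command=escapeshellarg($command)` are still built without per-argument quoting, `$param=$dolibarr_main_db_name." -h ".$dolibarr_main_db_host;`, while the escapeshellarg() form sits commented out directly above it; a database name or host containing shell metacharacters would be interpreted by the shell, so prefer `$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host);`. These values come from the configuration file rather than the request, so the exposure is limited, but the quoting costs nothing. Quoting `$command` only when it contains whitespace also leaves other metacharacters unquoted; calling escapeshellarg() unconditionally is safer. The added `fclose($handle);` assumes `$handle` was opened on a path outside this hunk — confirm it is not reached when the open failed.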


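--- /dev/null
+++ b/htdocs/lib/antivir.class.php
@@ -0,0 +1,130 @@
+<?php
+/* Copyright (C) 2000-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
+ * Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org>
+ * Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
+ * Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * or see http://www.gnu.org/
+ */
+/**
+ * \file htdocs/lib/antivir.class.php
+ * \brief File of class to scan viruses
+ * \version $Id$
+ * \author Laurent Destailleur.
+ */
+/**
+ * \class AntiVir
+ * \brief Class to scan for virus
+ */
+class AntiVir
+{
+var $error;
+var $output;
+var $db;
+/**
+ * Constructor
+ *
+ * @param unknown_type $db
+ * @return AntiVir
+ */
+function AntiVir($db)
+{
+$this->db=$db;
+}
+/**
+ * \brief Scan a file with antivirus
+ * \param file File to scan
+ * \return malware Name of virus found or ''
+ */
+function dol_avscan_file($file)
+{
+global $conf;
+$return = 0;
+$maxreclevel = 5 ; // maximal recursion level
+$maxfiles = 1000; // maximal number of files to be scanned within archive
+$maxratio = 200; // maximal compression ratio
+$bz2archivememlim = 0; // limit memory usage for bzip2 (0/1)
+$maxfilesize = 10485760; // archived files larger than this value (in bytes) will not be scanned
+@set_time_limit($cfg['ExecTimeLimit']);
+$outputfile=$conf->admin->dir_temp.'/dol_avscan_file.out.'.session_id();
+$command=$conf->global->MAIN_ANTIVIRUS_COMMAND;
+$param=$conf->global->MAIN_ANTIVIRUS_PARAM;
+if (preg_match('/%file/',$conf->global->MAIN_ANTIVIRUS_PARAM)) $param=preg_replace('/%file/',trim($file),$param);
+else $param=trim($file);
+$param=preg_replace('/%maxreclevel/',$maxreclevel,$param);
+$param=preg_replace('/%maxfiles/',$maxfiles,$param);
+$param=preg_replace('/%maxratio/',$maxratiod,$param);
+$param=preg_replace('/%bz2archivememlim/',$bz2archivememlim,$param);
+$param=preg_replace('/%maxfilesize/',$maxfilesize,$param);
+// Create a clean fullcommand
+//print $command." ".$param;
+if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command
+if (preg_match("/\s/",$param)) $param=escapeshellarg($param); // Use quotes on param
+//print $command." ".$param;
+$output=array();
+$return_var=0;
+$fullcommand=$command.' '.$param.' 2>&1';
+dol_syslog("Run command=".$fullcommand);
+exec($fullcommand, $output, $return_var);
+/*
+$handle = fopen($outputfile, 'w');
+if ($handle)
+{
+$handlein = popen($fullcommand, 'r');
+while (!feof($handlein))
+{
+$read = fgets($handlein);
+fwrite($handle,$read);
+}
+pclose($handlein);
+$errormsg = fgets($handle,2048);
+$this->output=$errormsg;
+fclose($handle);
+if (! empty($conf->global->MAIN_UMASK))
+@chmod($outputfile, octdec($conf->global->MAIN_UMASK));
+}
+else
+{
+$langs->load("errors");
+dol_syslog("Failed to open file ".$outputfile,LOG_ERR);
+$this->error="ErrorFailedToWriteInDir";
+$return=-1;
+}
+*/
+dol_syslog("Result return_var=".$return_var." output=".join(',',$output));
+return $return;
+}
+}
+?>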
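Review bot: dol_avscan_file never inspects the scanner's verdict: `$return` is initialised to 0 and returned unchanged, and `$return_var`/`$output` are only written to the log, so every caller sees "clean" and dol_move_uploaded_file's `if ($result < 0) return -99;` can never fire. At minimum treat a non-zero exit status as a detection or failure, e.g. `if ($return_var != 0) { $this->output=join("\n",$output); $return=-1; }`, and document in the \brief which exit codes the configured scanner is expected to use, since they differ between products. Two smaller slips in the same method: `$maxratiod` in the `%maxratio` substitution is a typo for `$maxratio`, so that placeholder is replaced by an empty string, and `$cfg['ExecTimeLimit']` is not defined anywhere in this file. Quoting the whole of `$param` with one escapeshellarg() when it contains whitespace also collapses a multi-option parameter string into a single argument; the substituted file path is the value that needs quoting, so quote it at substitution time instead: `$param=preg_replace('/%file/',escapeshellarg(trim($file)),$param);`.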


@@ -1932,7 +1932,7 @@ function dol_print_error_email()
* \param src_file Source filename * \param src_file Source filename
* \param dest_file Target filename * \param dest_file Target filename
* \param allowoverwrite Overwrite if exists * \param allowoverwrite Overwrite if exists
* \return int >0 if OK, <0 if KO, Name of virus if virus found * \return int >0 if OK, <0 if KO (-99 if virus found), Name of virus if virus found
*/ */
function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite)
{ {
@@ -1941,25 +1941,25 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite)
$file_name = $dest_file; $file_name = $dest_file;
// If we need to make a virus scan // If we need to make a virus scan
if ($conf->global->MAIN_USE_AVSCAN) if ($conf->global->MAIN_ANTIVIRUS_COMMAND)
{ {
require_once(DOL_DOCUMENT_ROOT.'/lib/security.lib.php'); require_once(DOL_DOCUMENT_ROOT.'/lib/security.lib.php');
$malware = dol_avscan_file($src_file); require_once(DOL_DOCUMENT_ROOT.'/lib/antivir.class.php');
if ($malware) return $malware; $antivir=new AntiVir($db);
$result = $antivir->dol_avscan_file($src_file);
if ($result < 0) return -99;
} }
// Security: // Security:
// On renomme les fichiers avec extention script web car si on a mis le rep // Disallow file with some extensions. We renamed them.
// documents dans un rep de la racine web (pas bien), cela permet d'executer // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande.
// du code a la demande.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$file_name)) if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$file_name))
{ {
$file_name.= '.noexe'; $file_name.= '.noexe';
} }
// Security: // Security:
// On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans // On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans les noms de fichiers.
// les noms de fichiers.
if (preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file)) if (preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file))
{ {
dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING); dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING);
@@ -2252,14 +2252,14 @@ function dol_delete_file($file,$disableglob=0)
{ {
$ok=unlink($filename); // The unlink encapsulated by dolibarr $ok=unlink($filename); // The unlink encapsulated by dolibarr
if ($ok) dol_syslog("Removed file ".$filename,LOG_DEBUG); if ($ok) dol_syslog("Removed file ".$filename,LOG_DEBUG);
else dol_syslog("Failed to remove file ".$filename,LOG_ERR); else dol_syslog("Failed to remove file ".$filename,LOG_WARNING);
} }
} }
else else
{ {
$ok=unlink($file_osencoded); // The unlink encapsulated by dolibarr $ok=unlink($file_osencoded); // The unlink encapsulated by dolibarr
if ($ok) dol_syslog("Removed file ".$file_osencoded,LOG_DEBUG); if ($ok) dol_syslog("Removed file ".$file_osencoded,LOG_DEBUG);
else dol_syslog("Failed to remove file ".$file_osencoded,LOG_ERR); else dol_syslog("Failed to remove file ".$file_osencoded,LOG_WARNING);
} }
return $ok; return $ok;
} }
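Review bot: The new scan block passes `$db` to `new AntiVir($db)`, but the only global declaration visible in this function is outside the hunk; if `$db` is not brought in with `global $conf,$db;` at the top of dol_move_uploaded_file it is null here, which currently only works because AntiVir merely stores it. The updated docblock still promises `Name of virus if virus found` while the code now returns `-99` and discards the scanner output; make it `\return int >0 if OK, <0 if KO (-99 if the antivirus scan failed or reported the file)`. Note also that the hidden-file/traversal/pipe check further down tests `$src_file` — PHP's tmp_name — whereas the path actually written is `$dest_file`, which the caller in this commit builds from `$_FILES['userfile']['name']`; that check predates this commit but is worth correcting alongside it. dol_move_uploaded_file's body continues past the end of the hunk.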


@@ -719,31 +719,6 @@ function dol_decode($chain)
} }
/**
* \brief Scan les fichiers avec un anti-virus
* \param file Fichier a scanner
* \return malware Nom du virus si infecte sinon retourne "null"
*/
function dol_avscan_file($file)
{
$malware = '';
// Clamav
if (function_exists("cl_scanfile"))
{
$maxreclevel = 5 ; // maximal recursion level
$maxfiles = 1000; // maximal number of files to be scanned within archive
$maxratio = 200; // maximal compression ratio
$archivememlim = 0; // limit memory usage for bzip2 (0/1)
$maxfilesize = 10485760; // archived files larger than this value (in bytes) will not be scanned
cl_setlimits($maxreclevel, $maxfiles, $maxratio, $archivememlim, $maxfilesize);
$malware = cl_scanfile(dol_osencode($file));
}
return $malware;
}
/** /**
* Return array of ciphers mode available * Return array of ciphers mode available
* *