From c7652af3bc9dc0ee6017607f2bb45b792bc20d13 Mon Sep 17 00:00:00 2001 From: lmarcouiller Date: Wed, 3 Aug 2022 14:24:27 +0200 Subject: [PATCH] New : Add DoS security on GETPOST with img --- htdocs/admin/security_other.php | 15 +++++++++++++-- htdocs/core/lib/functions.lib.php | 5 +++++ htdocs/install/mysql/migration/16.0.0-17.0.0.sql | 1 + htdocs/langs/en_US/admin.lang | 2 ++ 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index 79190725c16..090e2254541 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php @@ -61,14 +61,17 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) { dol_print_error($db); } } elseif ($action == 'updateform') { - $res1 = 1; $res2 = 1; + $res1 = 1; $res2 = 1; $res3 = 1; if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) { $res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity); } if (GETPOSTISSET('MAIN_SESSION_TIMEOUT')) { $res2 = dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity); } - if ($res1 && $res2) { + if (GETPOSTISSET('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT')) { + $res3 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", GETPOST("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 'alphanohtml'), 'int', 0, '', $conf->entity); + } + if ($res1 && $res2 && $res3) { setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } } @@ -174,6 +177,14 @@ print ''; print ''; +print ''; +print ''.$langs->trans("MaxNumberOfImagesInGetPost").''; +print ''; +print ''; +print ' '.strtolower($langs->trans("Images")); +print ''; +print ''; + /* if (empty($conf->global->MAIN_APPLICATION_TITLE)) { $conf->global->MAIN_APPLICATION_TITLE = ""; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 90288645003..cf4b19d3aa6 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -954,6 +954,11 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options // Restore entity ' into ' (restricthtml is for html content so we can use html entity) $out = preg_replace('/'/i', "'", $out); + + preg_match_all('/( (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) { + $out = ''; + } } while ($oldstringtoclean != $out); break; case 'custom': diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql index 4ab1b1e1fa3..597681c4ad5 100644 --- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql +++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql @@ -73,3 +73,4 @@ ALTER TABLE llx_commande_fournisseur_dispatch ADD INDEX idx_commande_fournisseur ALTER TABLE llx_recruitment_recruitmentcandidature ADD email_date datetime after email_msgid; ALTER TABLE llx_ticket ADD email_date datetime after email_msgid; +INSERT INTO llx_const (name, entity, value, type, visible) VALUES ('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT', 1, 1000, 'int', 0); diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 7148e19fb48..6ca93dc7788 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -2287,4 +2287,6 @@ DoesNotWorkWithAllThemes=Will not work with all themes NoName=No name ShowAdvancedOptions= Show advanced options HideAdvancedoptions= Hide advanced options +Images=Images +MaxNumberOfImagesInGetPost=Max number of images allowed in GETPOST check CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: