Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

New : Add DoS security on GETPOST with img

Browse Source
This commit is contained in:
lmarcouiller
2022-08-03 14:24:27 +02:00
parent ffecf42808
commit c7652af3bc
4 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
htdocs/admin/security_other.php
View File

@@ -61,14 +61,17 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
dol_print_error($db); dol_print_error($db);
} }
} elseif ($action == 'updateform') { } elseif ($action == 'updateform') {
$res1 = 1; $res2 = 1; $res1 = 1; $res2 = 1; $res3 = 1;
if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) { if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) {
$res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
} }
if (GETPOSTISSET('MAIN_SESSION_TIMEOUT')) { if (GETPOSTISSET('MAIN_SESSION_TIMEOUT')) {
$res2 = dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $res2 = dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
} }
if ($res1 && $res2) { if (GETPOSTISSET('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT')) {
$res3 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", GETPOST("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 'alphanohtml'), 'int', 0, '', $conf->entity);
}
if ($res1 && $res2 && $res3) {
setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
} }
} }
@@ -174,6 +177,14 @@ print '<input class="flat right width50" name="MAIN_SESSION_TIMEOUT" type="text"
print '</td>'; print '</td>';
print '</tr>'; print '</tr>';
print '<tr class="oddeven">';
print '<td>'.$langs->trans("MaxNumberOfImagesInGetPost").'</td><td class="right">';
print '</td>';
print '<td class="nowrap">';
print '<input class="flat right width50" name="MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT" type="text" value="'.dol_escape_htmltag($conf->global->MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT).'"> '.strtolower($langs->trans("Images"));
print '</td>';
print '</tr>';
/* /*
if (empty($conf->global->MAIN_APPLICATION_TITLE)) { if (empty($conf->global->MAIN_APPLICATION_TITLE)) {
$conf->global->MAIN_APPLICATION_TITLE = ""; $conf->global->MAIN_APPLICATION_TITLE = "";

5
htdocs/core/lib/functions.lib.php
View File

@@ -954,6 +954,11 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
// Restore entity &apos; into &#39; (restricthtml is for html content so we can use html entity) // Restore entity &apos; into &#39; (restricthtml is for html content so we can use html entity)
$out = preg_replace('/&apos;/i', "&#39;", $out); $out = preg_replace('/&apos;/i', "&#39;", $out);
preg_match_all('/(<img)/', $out, $reg);
if (count($reg[0]) > (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) {
$out = '';
}
} while ($oldstringtoclean != $out); } while ($oldstringtoclean != $out);
break; break;
case 'custom': case 'custom':

1
htdocs/install/mysql/migration/16.0.0-17.0.0.sql
View File

@@ -73,3 +73,4 @@ ALTER TABLE llx_commande_fournisseur_dispatch ADD INDEX idx_commande_fournisseur
ALTER TABLE llx_recruitment_recruitmentcandidature ADD email_date datetime after email_msgid; ALTER TABLE llx_recruitment_recruitmentcandidature ADD email_date datetime after email_msgid;
ALTER TABLE llx_ticket ADD email_date datetime after email_msgid; ALTER TABLE llx_ticket ADD email_date datetime after email_msgid;
INSERT INTO llx_const (name, entity, value, type, visible) VALUES ('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT', 1, 1000, 'int', 0);

2
htdocs/langs/en_US/admin.lang
View File

@@ -2287,4 +2287,6 @@ DoesNotWorkWithAllThemes=Will not work with all themes
NoName=No name NoName=No name
ShowAdvancedOptions= Show advanced options ShowAdvancedOptions= Show advanced options
HideAdvancedoptions= Hide advanced options HideAdvancedoptions= Hide advanced options
Images=Images
MaxNumberOfImagesInGetPost=Max number of images allowed in GETPOST check
CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is: