Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix security avoid RCE using -'- sequence to pass --checkpoint-action

Browse Source 
parameter in tar command.
This commit is contained in:
Laurent Destailleur
2025-02-27 01:43:26 +01:00
parent 728ab05ac3
commit cdf8ad44d0
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/admin/tools/export_files.php
View File

@@ -51,7 +51,7 @@ $export_type = GETPOST('export_type', 'alpha');
$file = trim(GETPOST('zipfilename_template', 'alpha'));
$compression = GETPOST('compression', 'aZ09');
$file = dol_sanitizeFileName($file);
$file = dol_sanitizeFileName($file, '_', 1, 1);
$file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2|\.zst)$/i', '', $file);
$sortfield = GETPOST('sortfield', 'aZ09comma');
@@ -178,7 +178,7 @@ if ($compression == 'zip') {
} elseif (in_array($compression, array('gz', 'bz', 'zstd'))) {
$userlogin = ($user->login ? $user->login : 'unknown');
$outputfile = $conf->admin->dir_temp.'/export_files.'.$userlogin.'.out'; // File used with popen method
$outputfile = $conf->admin->dir_temp.'/'.dol_sanitizeFileName('export_files.'.$userlogin.'.out'); // File used with popen method
$file .= '.tar';

7
htdocs/core/lib/functions.lib.php
View File

@@ -1636,22 +1636,27 @@ function dol_size($size, $type = '')
* @param string $str String to clean
* @param string $newstr String to replace bad chars with.
* @param int $unaccent 1=Remove also accent (default), 0 do not remove them
* @param int $includequotes 1=Include simple quotes (double is already included by default)
* @return string String cleaned
*
* @see dol_string_nospecial(), dol_string_unaccent(), dol_sanitizePathName()
*/
function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1)
function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1, $includequotes = 0)
{
// List of special chars for filenames in windows are defined on page https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
// Char '>' '<' '|' '$' and ';' are special chars for shells.
// Char '/' and '\' are file delimiters.
// Chars '--' can be used into filename to inject special parameters like --use-compress-program to make command with file as parameter making remote execution of command
$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '`');
if ($includequotes) {
$filesystem_forbidden_chars[] = "'";
}
$tmp = dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
$tmp = preg_replace('/\-\-+/', '_', $tmp);
$tmp = preg_replace('/\s+\-([^\s])/', ' _$1', $tmp);
$tmp = preg_replace('/\s+\-$/', '', $tmp);
$tmp = str_replace('..', '', $tmp);
return $tmp;
}