Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/core/lib/functions.lib.php
	test/phpunit/SecurityTest.php
This commit is contained in:
Laurent Destailleur
2022-05-09 22:04:36 +02:00
parent d0c95d87af ef18456724
commit cffec01451
2 changed files with 37 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -8351,7 +8351,7 @@ function verifCond($strToEvaluate)
* @param string $s String to evaluate * @param string $s String to evaluate
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)). * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
* @param int $hideerrors 1=Hide errors * @param int $hideerrors 1=Hide errors
* @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_->&|=!?():"\',/' and restrict use of (, 2=Accept also ';' and no restriction on (. * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_+-.*\/>&|=!?():"\',/';', 2=Accept also ';[]'
* @return mixed Nothing or return result of eval * @return mixed Nothing or return result of eval
*/ */
function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1') function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
@@ -8370,7 +8370,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
if ($onlysimplestring == '1') { if ($onlysimplestring == '1') {
// We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL' // We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL'
// We must accept: '$conf->barcode->enabled && preg_match(\'/^(AAA|BBB)/\',$leftmenu)' // We must accept: '$conf->barcode->enabled && preg_match(\'/^(AAA|BBB)/\',$leftmenu)'
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-*>&|=!?():"\',/', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
@@ -8382,7 +8382,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
} }
} elseif ($onlysimplestring == '2') { } elseif ($onlysimplestring == '2') {
// We must accept: (($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found" // We must accept: (($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-*>&|=!?():"\',/;[]', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/;[]', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
@@ -8407,7 +8407,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
return ''; return '';
} }
} }
if (strpos($s, '.') !== false) { if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s; return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
} else { } else {

61
test/phpunit/SecurityTest.php
View File

@@ -584,34 +584,6 @@ class SecurityTest extends PHPUnit\Framework\TestCase
return $result; return $result;
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login=checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login=checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists
}
/** /**
* testEncodeDecode * testEncodeDecode
* *
@@ -919,6 +891,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n"; print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result); $this->assertContains('Bad string syntax to evaluate', $result);
$result=dol_eval("90402.38+267678+0", 1, 1, 1);
print "result = ".$result."\n";
$this->assertEquals('358080.38', $result);
global $leftmenu; // Used into strings to eval global $leftmenu; // Used into strings to eval
$leftmenu = 'AAA'; $leftmenu = 'AAA';
@@ -943,4 +919,33 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n"; print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result); $this->assertContains('Bad string syntax to evaluate', $result);
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login=checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login=checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists
}
} }