Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX #yogosha6944 Protection against traversal path.

Browse Source
This commit is contained in:
Laurent Destailleur
2021-08-23 15:47:18 +02:00
parent 21852bd16b
commit d46dfd017a
3 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@@ -753,9 +753,9 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
$out = dol_string_nohtmltag($out, 0);
// Remove also other dangerous string sequences
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
// '../' or '..\' is dangerous because it allows dir transversals
// Note &#38, '&#0000038', '&#x26'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
$out = str_ireplace(array('&#38', '&#0000038', '&#x26', '&quot', '&#34', '&#0000034', '&#x22', '"', '&#47', '&#0000047', '&#x2F', '../'), '', $out);
$out = str_ireplace(array('&#38', '&#0000038', '&#x26', '&quot', '&#34', '&#0000034', '&#x22', '"', '&#47', '&#0000047', '&#92', '&#0000092', '&#x2F', '../', '..\\'), '', $out);
} while ($oldstringtoclean != $out);
// keep lines feed
}
@@ -768,9 +768,9 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
// Remove html tags
$out = dol_html_entity_decode($out, ENT_COMPAT | ENT_HTML5, 'UTF-8');
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
// '../' or '..\' is dangerous because it allows dir transversals
// Note &#38, '&#0000038', '&#x26'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
$out = str_ireplace(array('&#38', '&#0000038', '&#x26', '&quot', '&#34', '&#0000034', '&#x22', '"', '&#47', '&#0000047', '&#x2F', '../'), '', $out);
$out = str_ireplace(array('&#38', '&#0000038', '&#x26', '&quot', '&#34', '&#0000034', '&#x22', '"', '&#47', '&#0000047', '&#92', '&#0000092', '&#x2F', '../', '..\\'), '', $out);
} while ($oldstringtoclean != $out);
}
break;

3
htdocs/document.php
View File

@@ -195,7 +195,8 @@ if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($ori
}
// Security: Delete string ../ into $original_file
$original_file = str_replace("../", "/", $original_file);
$original_file = str_replace('../', '/', $original_file);
$original_file = str_replace('..\\', '/', $original_file);
// Find the subdirectory name as the reference
$refname = basename(dirname($original_file)."/");

15
test/phpunit/SecurityTest.php
View File

@@ -349,7 +349,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param1"]="333";
$_GET["param2"]='a/b#e(pr)qq-rr\cc';
$_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n
$_GET["param4"]='../dir';
$_GET["param4a"]='../../dir';
$_GET["param4b"]='..\..\dirwindows';
$_GET["param5"]="a_1-b";
$_POST["param6"]="&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
$_POST["param6b"]='<<<../>../>../svg><<<../>../>../animate =alert(1)>abc';
@@ -394,10 +395,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'na/b#e(pr)qq-rr\cc', 'Test on param3');
$result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../
$result=GETPOST("param4a", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'dir');
$result=GETPOST("param4b", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'dirwindows');
// Test with aZ09
$result=GETPOST("param1", 'aZ09');
@@ -412,7 +417,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($result, '');
$result=GETPOST("param4", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
$result=GETPOST("param4a", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
print __METHOD__." result=".$result."\n";
$this->assertEquals('', $result);
$result=GETPOST("param4b", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
print __METHOD__." result=".$result."\n";
$this->assertEquals('', $result);