
Make verifCond more robust against RCE

Laurent Destailleur
2022-03-01 18:21:30 +01:00
parent 12b2a10865
commit e5fd841fe3


@@ -8308,10 +8308,10 @@ function verifCond($strToEvaluate)
//print $strToEvaluate."<br>\n";
$rights = true;
if (isset($strToEvaluate) && $strToEvaluate !== '') {
$str = 'if(!('.$strToEvaluate.')) $rights = false;';
dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
//$rep = dol_eval($strToEvaluate, 1, 1 , '1'); // The dol_eval must contains all the global $xxx used into a condition
//$rights = ($rep ? true : false);
//$str = 'if(!('.$strToEvaluate.')) $rights = false;';
//dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
$rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx used into a condition
$rights = ($rep ? true : false);
}
return $rights;
}
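Review bot: The new `$rights = ($rep ? true : false);` fails open when dol_eval rejects the condition: in the `$returnvalue` mode this call now uses, a string that trips the simplestring check comes back as the non-empty message `'Bad string syntax to evaluate ...'` (see the `return` at the `if ($returnvalue)` branch and the unconditional `return` of the `::` and backtick checks in the same file), and a non-empty string is truthy, so a rejected condition grants the right instead of denying it. Distinguish the error return before converting to bool, e.g. `$rights = (is_string($rep) && strpos($rep, 'Bad string syntax') === 0) ? false : (bool) $rep;`, or have dol_eval signal rejection with a value callers cannot mistake for success. The old mode-'2' path did not have this problem because it never looked at the return value. verifCond's signature and the start of its body are outside the hunk; only the closing brace is visible here.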
@@ -8338,10 +8338,10 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
global $soc; // For backward compatibility
// Test dangerous char (used for RCE), we allow only PHP variable testing.
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
if ($onlysimplestring == '1') {
//print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) {
if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s)) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else {
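Review bot: The allowlist `preg_match` is used as a bare truth test, so a PCRE failure (it returns `false` on error, not `0`) is treated the same as "no bad character found" and the string proceeds to eval; since this regex is the security boundary the test should fail closed, `if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s) !== 0) {`. The updated comment above the check still only says "characters to make PHP variable testing" although the set now admits `!`, `?` and `:`; it would help the next maintainer to spell out the intended grammar, e.g. `// Allowed: identifiers, digits, whitespace and the operators $ _ -> & | = ! ? : (property access, ==/!=, &&/||, ternary); anything else is rejected before eval.` A lone `=` also passes the allowlist, so if assignment expressions are not meant to be evaluated in this mode that deserves either a comment or a separate check. dol_eval's body continues outside this hunk.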
@@ -8360,6 +8360,9 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
}
}
}
if (strpos($s, '::') !== false) {
return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
}
if (strpos($s, '`') !== false) {
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
}
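Review bot: The added `::` check returns its error string unconditionally, whereas the simplestring check a few lines above branches on `$returnvalue` before returning a string; for callers that pass `$returnvalue = 0` the two rejection paths now behave differently, and it is worth either mirroring that branch or documenting why the double-colon rejection is unconditional, e.g. `// Always reject '::' (static access), whatever $returnvalue is: the caller must never reach eval()`. Because the allowlist admits `\s`, the literal `strpos($s, '::')` test is also narrower than the allowlist's spirit; normalising whitespace before the substring test, `if (strpos(preg_replace('/\s+/', '', $s), '::') !== false) {`, keeps the check consistent with what the regex lets through. It is not visible here whether these checks sit inside the `$onlysimplestring == '1'` block or apply to every mode; a one-line comment stating that would help. dol_eval's body continues past the end of this hunk.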