
Make verifCond more robust against RCE

This commit is contained in:
Laurent Destailleur
2022-03-01 18:21:30 +01:00
parent 12b2a10865
commit e5fd841fe3


@@ -8308,10 +8308,10 @@ function verifCond($strToEvaluate)
//print $strToEvaluate."<br>\n"; //print $strToEvaluate."<br>\n";
$rights = true; $rights = true;
if (isset($strToEvaluate) && $strToEvaluate !== '') { if (isset($strToEvaluate) && $strToEvaluate !== '') {
$str = 'if(!('.$strToEvaluate.')) $rights = false;'; //$str = 'if(!('.$strToEvaluate.')) $rights = false;';
dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition //dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
//$rep = dol_eval($strToEvaluate, 1, 1 , '1'); // The dol_eval must contains all the global $xxx used into a condition $rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx used into a condition
//$rights = ($rep ? true : false); $rights = ($rep ? true : false);
} }
return $rights; return $rights;
} }
@@ -8338,10 +8338,10 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
global $soc; // For backward compatibility global $soc; // For backward compatibility
// Test dangerous char (used for RCE), we allow only PHP variable testing. // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
if ($onlysimplestring == '1') { if ($onlysimplestring == '1') {
//print preg_quote('$_->&|', '/'); //print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
@@ -8360,6 +8360,9 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
} }
} }
} }
if (strpos($s, '::') !== false) {
return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
}
if (strpos($s, '`') !== false) { if (strpos($s, '`') !== false) {
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s; return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
} }
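Review bot: The new `$rights = ($rep ? true : false);` in verifCond fails open: when dol_eval is called with `$returnvalue = 1` and the condition is rejected by the simplestring filter, the new `::` check or the backtick check, it returns a non-empty error string (`'Bad string syntax to evaluate ...'`), which is truthy, so a condition that was refused as dangerous now grants the right instead of denying it. The caller should treat the error string as a denial, e.g. `if (is_string($rep) && strpos($rep, 'Bad string syntax to evaluate') === 0) { $rights = false; } else { $rights = ($rep ? true : false); }`, or dol_eval should return a distinct sentinel rather than a message the caller has to pattern-match. A smaller inconsistency: the added `::` check returns the error string without consulting `$returnvalue`, unlike the preg_match branch just above it, so callers that pass `$returnvalue = 0` get a string where they presumably expect no return value. The remainder of dol_eval, including the actual eval and any other return paths, lies outside this hunk, so I cannot confirm there are no further string returns that would hit the same truthiness problem.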