Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Disallow more use of parenthesis into dol_eval

Browse Source
This commit is contained in:
Laurent Destailleur
2023-09-08 05:51:06 +02:00
parent c2f8c4f47c
commit e9787451a8
5 changed files with 96 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
test/phpunit/SecurityTest.php
View File

@@ -960,7 +960,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n";
$this->assertEquals('Parent project not found', $result);
$result=dol_eval('$a=function() { }; $a;', 1, 1, '');
$result=dol_eval('$a=function() { }; $a;', 1, 1, '0');
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
@@ -999,12 +999,22 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n";
$this->assertTrue($result);
// Same with syntax error
// Same with a value that does not match
$leftmenu = 'XXX';
$result=dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1');
print "result = ".$result."\n";
$this->assertFalse($result);
$leftmenu = 'AAA';
$result=dol_eval('$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')', 1, 1, '1');
print "result = ".$result."\n";
$this->assertTrue($result);
$leftmenu = 'XXX';
$result=dol_eval('$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')', 1, 1, '1');
print "result = ".$result."\n";
$this->assertFalse($result);
// Case with param onlysimplestring = 1
@@ -1015,6 +1025,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=dol_eval("(\$a.'aa')", 1, 0);
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
$result=dol_eval('$a="abs" && $a(5)', 1, 0);
print "result = a".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
}