From eae5410ced1ae22563c253c3669fd4dca0035c63 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 17 Sep 2020 16:57:39 +0200
Subject: [PATCH] Protect md file

---
 htdocs/core/boxes/modules_boxes.php | 1 +
 htdocs/core/lib/functions.lib.php | 1 +
 htdocs/modulebuilder/index.php | 8 +++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/boxes/modules_boxes.php b/htdocs/core/boxes/modules_boxes.php
index e5fa9d8fb0d..51719ec6c15 100644
--- a/htdocs/core/boxes/modules_boxes.php
+++ b/htdocs/core/boxes/modules_boxes.php
@@ -422,6 +422,7 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box
 {
 while (($file = readdir($handle)) !== false)
 {
+ $reg = array();
 if (is_readable($newdir.'/'.$file) && preg_match('/^(.+)\.php/', $file, $reg))
 {
 if (preg_match('/\.back$/', $file)) continue;
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index cbcc685e32a..585d3394cf9 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -7970,6 +7970,7 @@ function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0)
 if (preg_match('/\.ini$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'ini'; $famime = 'file-text-o'; }
 if (preg_match('/\.md$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'md'; $famime = 'file-text-o'; }
 if (preg_match('/\.css$/i', $tmpfile)) { $mime = 'text/css'; $imgmime = 'css.png'; $srclang = 'css'; $famime = 'file-text-o'; }
+ if (preg_match('/\.lang$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'lang'; $famime = 'file-text-o'; }
 // Certificate files
 if (preg_match('/\.(crt|cer|key|pub)$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $famime = 'file-text-o'; }
 // XML based (HTML/XML/XAML)
diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php
index eb350eb9a3a..87226e0fe10 100644
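Review bot: The added `$reg = array();` has no effect on behaviour, because preg_match() on the next line always reassigns its third argument and leaves an empty array when there is no match; if the line is there to satisfy a static analyser, a short comment such as `// initialised for static analysis; preg_match() fills it` would tell the next reader why. Note also that the context pattern `/^(.+)\.php/` is anchored only at the start, so a name like `foo.php.txt` passes it and only the `.back` suffix is filtered out on the following line; anchoring with `\.php$` would make the check match its apparent intent, assuming only real .php files are meant to be loaded from this directory. The enclosing while loop and method continue outside the hunk.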
--- a/htdocs/modulebuilder/index.php
+++ b/htdocs/modulebuilder/index.php
@@ -1463,7 +1463,13 @@ if ($action == 'savefile' && empty($cancel))
 dol_copy($pathoffile, $pathoffilebackup, 0, 1);
 }
 
- $content = GETPOST('editfilecontent', 'none');
+ $check = 'restricthtml';
+ $srclang = dol_mimetype($pathoffile, '', 3);
+ if ($srclang == 'md') $check = 'restricthtml';
+ if ($srclang == 'lang') $check = 'restricthtml';
+ if ($srclang == 'php') $check = 'none';
+
+ $content = GETPOST('editfilecontent', $check);
 
 // Save file on disk
 if ($content)
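Review bot: The two lines `if ($srclang == 'md') $check = 'restricthtml';` and `if ($srclang == 'lang') $check = 'restricthtml';` are no-ops, since `$check` is already initialised to 'restricthtml' two lines earlier, and the loose `==` on the string returned by dol_mimetype() should be `===`. The selection reads more clearly as a single `$check = ($srclang === 'php') ? 'none' : 'restricthtml';` with a comment stating that only PHP sources are saved unfiltered and every other type dol_mimetype() reports (including the empty default for unknown extensions) goes through the HTML-restricting filter. That default also means css, js, xml or sql files edited through this form are now passed through 'restricthtml', which may alter legitimate content if the filter strips or rewrites tags; worth confirming against GETPOST()'s handling of that mode, which is outside this hunk. The enclosing `if ($action == 'savefile' ...)` block starts and ends outside the hunk.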