mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-06 09:38:23 +01:00
18.0 fix CVE 2024 40137 (#34762)
* Sec: Remove all functions that accept callable params - CVE-2024-40137 * FIX #34746 - More complete fix for CVE-2024-40137 --------- Co-authored-by: ldestailleur <eldy@destailleur.fr>
This commit is contained in:
ThomasNgr-OpenDSI
committed by
GitHub
GitHub
parent
96a74c4976
commit
01aa901f93
@@ -7251,8 +7251,23 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
||||
*/
|
||||
function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes = array("allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width"))
|
||||
{
|
||||
if (is_null($allowed_attributes)) {
|
||||
$allowed_attributes = array(
|
||||
"allow", "allowfullscreen", "alt", "async", "class", "contenteditable", "crossorigin", "data-html", "frameborder", "height", "href", "id", "name", "property", "rel", "src", "style", "target", "title", "type", "width",
|
||||
// HTML5
|
||||
"header", "footer", "nav", "section", "menu", "menuitem"
|
||||
);
|
||||
}
|
||||
// Always add content and http-equiv for meta tags, required to force encoding and keep html content in utf8 by load/saveHTML functions.
|
||||
if (!in_array("content", $allowed_attributes)) {
|
||||
$allowed_attributes[] = "content";
|
||||
}
|
||||
if (!in_array("http-equiv", $allowed_attributes)) {
|
||||
$allowed_attributes[] = "http-equiv";
|
||||
}
|
||||
|
||||
if (class_exists('DOMDocument') && !empty($stringtoclean)) {
|
||||
$stringtoclean = '<?xml encoding="UTF-8"><html><body>'.$stringtoclean.'</body></html>';
|
||||
$stringtoclean = '<?xml encoding="UTF-8"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body>'.$stringtoclean.'</body></html>';
|
||||
|
||||
$dom = new DOMDocument(null, 'UTF-8');
|
||||
$dom->loadHTML($stringtoclean, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
|
||||
@@ -7293,12 +7308,15 @@ function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes
|
||||
}
|
||||
}
|
||||
|
||||
$dom->encoding = 'UTF-8';
|
||||
|
||||
$return = $dom->saveHTML(); // This may add a LF at end of lines, so we will trim later
|
||||
//$return = '<html><body>aaaa</p>bb<p>ssdd</p>'."\n<p>aaa</p>aa<p>bb</p>";
|
||||
|
||||
$return = preg_replace('/^'.preg_quote('<?xml encoding="UTF-8">', '/').'/', '', $return);
|
||||
$return = preg_replace('/^'.preg_quote('<html><body>', '/').'/', '', $return);
|
||||
$return = preg_replace('/'.preg_quote('</body></html>', '/').'$/', '', $return);
|
||||
$return = preg_replace('/^'.preg_quote('<html><head><', '/').'[^<>]*'.preg_quote('></head><body>', '/').'/', '', $return);
|
||||
$return = preg_replace('/'.preg_quote('</body></html>', '/').'$/', '', trim($return));
|
||||
|
||||
return trim($return);
|
||||
} else {
|
||||
return $stringtoclean;
|
||||
@@ -7448,13 +7466,26 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
// Add a trick to solve pb with text without parent tag
|
||||
// like '<h1>Foo</h1><p>bar</p>' that wrongly ends up, without the trick, with '<h1>Foo<p>bar</p></h1>'
|
||||
// like 'abc' that wrongly ends up, without the trick, with '<p>abc</p>'
|
||||
$out = '<div class="tricktoremove">'.$out.'</div>';
|
||||
$dom->loadHTML($out, LIBXML_HTML_NODEFDTD|LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
|
||||
|
||||
if (dol_textishtml($out)) {
|
||||
$out = '<?xml encoding="UTF-8"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body><div class="tricktoremove">'.$out.'</div></body></html>';
|
||||
} else {
|
||||
$out = '<?xml encoding="UTF-8"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body><div class="tricktoremove">'.dol_nl2br($out).'</div></body></html>';
|
||||
}
|
||||
|
||||
$dom->loadHTML($out, LIBXML_HTML_NODEFDTD | LIBXML_ERR_NONE | LIBXML_HTML_NOIMPLIED | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_NOERROR | LIBXML_NOXMLDECL);
|
||||
|
||||
$dom->encoding = 'UTF-8';
|
||||
|
||||
$out = trim($dom->saveHTML());
|
||||
|
||||
// Remove the trick added to solve pb with text without parent tag
|
||||
$out = preg_replace('/^<div class="tricktoremove">/', '', $out);
|
||||
$out = preg_replace('/<\/div>$/', '', $out);
|
||||
// Remove the trick added to solve pb with text in utf8 and text without parent tag
|
||||
$out = preg_replace('/^'.preg_quote('<?xml encoding="UTF-8">', '/').'/', '', $out);
|
||||
$out = preg_replace('/^'.preg_quote('<html><head><', '/').'[^<>]+'.preg_quote('></head><body><div class="tricktoremove">', '/').'/', '', $out);
|
||||
$out = preg_replace('/'.preg_quote('</div></body></html>', '/').'$/', '', trim($out));
|
||||
// $out = preg_replace('/^<\?xml encoding="UTF-8"><div class="tricktoremove">/', '', $out);
|
||||
// $out = preg_replace('/<\/div>$/', '', $out);
|
||||
// var_dump('rrrrrrrrrrrrrrrrrrrrrrrrrrrrr'.$out);
|
||||
} catch (Exception $e) {
|
||||
// If error, invalid HTML string with no way to clean it
|
||||
//print $e->getMessage();
|
||||
@@ -7492,7 +7523,7 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
|
||||
} while ($oldstringtoclean != $out);
|
||||
|
||||
// Check the limit of external links that are automatically executed in a Rich text content. We count:
|
||||
// '<img' to avoid <img src="http...">
|
||||
// '<img' to avoid <img src="http...">, we can only accept "<img src="data:..."
|
||||
// 'url(' to avoid inline style like background: url(http...
|
||||
// '<link' to avoid <link href="http...">
|
||||
$reg = array();
|
||||
@@ -9228,7 +9259,7 @@ function verifCond($strToEvaluate)
|
||||
|
||||
/**
|
||||
* Replace eval function to add more security.
|
||||
* This function is called by verifCond() or trans() and transnoentitiesnoconv().
|
||||
* This function is called by verifCond() for example.
|
||||
*
|
||||
* @param string $s String to evaluate
|
||||
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
|
||||
@@ -9319,14 +9350,32 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
||||
$forbiddenphpstrings = array('$$');
|
||||
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST', 'ReflectionFunction'));
|
||||
|
||||
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen");
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64_decode", "rawurldecode", "urldecode", "str_rot13", "hex2bin")); // decode string functions used to obfuscated function name
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
|
||||
// We list all forbidden function as keywords we don't want to see (we don't mind it if is "kewyord(" or just "keyword", we don't want "keyword" at all)
|
||||
// We must exclude all functions that allow to execute another function. This includes all function that has a parameter with type "callable" to avoid things
|
||||
// like we can do with array_map and its callable parameter: dol_eval('json_encode(array_map(implode("",["ex","ec"]), ["id"]))', 1, 1, '0')
|
||||
$forbiddenphpfunctions = array();
|
||||
// @phpcs:ignore
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64"."_"."decode", "rawurl"."decode", "url"."decode", "str"."_rot13", "hex"."2bin")); // name of forbidden functions are split to avoid false positive
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("override_function", "session_id", "session_create_id", "session_regenerate_id"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("get_defined_functions", "get_defined_vars", "get_defined_constants", "get_declared_classes"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func", "call_user_func_array"));
|
||||
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("array_all", "array_any", "array_diff_ukey", "array_filter", "array_find", "array_find_key", "array_map", "array_reduce", "array_intersect_uassoc", "array_intersect_ukey", "array_walk", "array_walk_recursive"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("usort", "uasort", "uksort", "preg_replace_callback", "preg_replace_callback_array", "header_register_callback"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("set_error_handler", "set_exception_handler", "libxml_set_external_entity_loader", "register_shutdown_function", "register_tick_function", "unregister_tick_function"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("spl_autoload_register", "spl_autoload_unregister", "iterator_apply", "session_set_save_handler"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("forward_static_call", "forward_static_call_array", "register_postsend_function"));
|
||||
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("ob_start"));
|
||||
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("require", "include", "require_once", "include_once"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("eval", "create_function", "assert", "mb_ereg_replace")); // function with eval capabilities
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("exec", "passthru", "shell_exec", "system", "proc_open", "popen"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("eval", "create_function", "assert", "mb_ereg_replace", "mb_ereg_replace_callback")); // function with eval capabilities
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("readline_completion_function", "readline_callback_handler_install"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_compress_dir", "dol_decode", "dol_delete_file", "dol_delete_dir", "dol_delete_dir_recursive", "dol_copy", "archiveOrBackupFile")); // more dolibarr functions
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
|
||||
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("require", "include"));
|
||||
|
||||
$forbiddenphpmethods = array('invoke', 'invokeArgs'); // Method of ReflectionFunction to execute a function
|
||||
|
||||
|
||||
Reference in New Issue
Block a user