Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 09:38:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Debug v20

Browse Source
This commit is contained in:
Laurent Destailleur
2024-06-26 21:45:36 +02:00
parent 33d5dea17b
commit 04f64714f1
4 changed files with 65 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
htdocs/admin/emailcollector_card.php
View File

@@ -390,12 +390,10 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
$targetdir = ($object->target_directory ? $object->target_directory : ''); // Can be '[Gmail]/Trash' or 'mytag' $targetdir = ($object->target_directory ? $object->target_directory : ''); // Can be '[Gmail]/Trash' or 'mytag'
$connection = null; $connection = null;
$connectstringserver = ''; $connectstringserver = $object->getConnectStringIMAP(); // Note: $object->host has been loaded by the fetch
$connectstringsource = ''; $connectstringsource = '';
$connectstringtarget = ''; $connectstringtarget = '';
// Note: $object->host has been loaded by the fetch
$connectstringserver = $object->getConnectStringIMAP();
if ($action == 'scan') { if ($action == 'scan') {
if (getDolGlobalString('MAIN_IMAP_USE_PHPIMAP')) { if (getDolGlobalString('MAIN_IMAP_USE_PHPIMAP')) {
@@ -603,6 +601,16 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
print '<div class="underbanner clearboth"></div>'; print '<div class="underbanner clearboth"></div>';
print '<table class="border centpercent tableforfield">'."\n"; print '<table class="border centpercent tableforfield">'."\n";
// Clean info (in view mode only)
if ($object->acces_type == 0) {
// If authent is using LOGIN and not OAUTHTOKEN, we don't need to show the OAUTH token
unset($object->fields['oauth_service']);
}
if ($object->acces_type == 1) {
// If authent is using OAUTHTOKEN, we don't need to show the password
unset($object->fields['password']);
}
// Common attributes // Common attributes
//$keyforbreak='fieldkeytoswithonsecondcolumn'; //$keyforbreak='fieldkeytoswithonsecondcolumn';
include DOL_DOCUMENT_ROOT.'/core/tpl/commonfields_view.tpl.php'; include DOL_DOCUMENT_ROOT.'/core/tpl/commonfields_view.tpl.php';
@@ -760,7 +768,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
// Add operation // Add operation
print '<tr class="oddeven nodrag nodrop">'; print '<tr class="oddeven nodrag nodrop">';
print '<td>'; print '<td>';
print $form->selectarray('operationtype', $arrayoftypes, '', 1, 0, 0, '', 1, 0, 0, '', 'minwidth150 maxwidth300', 1); print $form->selectarray('operationtype', $arrayoftypes, '', 1, 0, 0, '', 1, 0, 0, '', 'minwidth150 maxwidth250', 1);
print '</td><td>'; print '</td><td>';
print '<textarea class="centpercent" name="operationparam" rows="3"></textarea>'; print '<textarea class="centpercent" name="operationparam" rows="3"></textarea>';
print '</td>'; print '</td>';

9
htdocs/core/lib/functions.lib.php
View File

@@ -1185,8 +1185,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
$oldstringtoclean = $out; $oldstringtoclean = $out;
// Remove html tags // Remove html tags
$out = dol_string_nohtmltag($out, 0); $out = dol_string_nohtmltag($out, 0);
// Convert '\' used for windows path into '/' so we can use for path but not for octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} // Refuse octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} by replacing the \ into / (so if it is a \ for a windows path, it is still ok).
$out = str_ireplace('\\', '/', $out); $out = preg_replace('/\\\([0-9xu])/', '/\1', $out);
// Remove also other dangerous string sequences // Remove also other dangerous string sequences
// '../' or '..\' is dangerous because it allows dir transversals // '../' or '..\' is dangerous because it allows dir transversals
// '&#38', '&#0000038', '&#x26'... is a the char '&' alone but there is no reason to accept such way to encode input char // '&#38', '&#0000038', '&#x26'... is a the char '&' alone but there is no reason to accept such way to encode input char
@@ -1205,8 +1205,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
$oldstringtoclean = $out; $oldstringtoclean = $out;
// Decode html entities // Decode html entities
$out = dol_html_entity_decode($out, ENT_COMPAT | ENT_HTML5, 'UTF-8'); $out = dol_html_entity_decode($out, ENT_COMPAT | ENT_HTML5, 'UTF-8');
// Convert '\' used for windows path into '/' so we can use for path but not for octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} // Refuse octal syntax \999, hexa syntax \x999 and unicode syntax \u{999} by replacing the \ into / (so if it is a \ for a windows path, it is still ok).
$out = str_ireplace('\\', '/', $out); $out = preg_replace('/\\\([0-9xu])/', '/\1', $out);
// Remove also other dangerous string sequences // Remove also other dangerous string sequences
// '../' or '..\' is dangerous because it allows dir transversals // '../' or '..\' is dangerous because it allows dir transversals
// '&#38', '&#0000038', '&#x26'... is a the char '&' alone but there is no reason to accept such way to encode input char // '&#38', '&#0000038', '&#x26'... is a the char '&' alone but there is no reason to accept such way to encode input char
@@ -14340,6 +14340,7 @@ function show_actions_messaging($conf, $langs, $db, $filterobj, $objcon = null,
*/ */
function GETPOSTDATE($prefix, $hourTime = '', $gm = 'auto') function GETPOSTDATE($prefix, $hourTime = '', $gm = 'auto')
{ {
$m = array();
if ($hourTime === 'getpost') { if ($hourTime === 'getpost') {
$hour = GETPOSTINT($prefix . 'hour'); $hour = GETPOSTINT($prefix . 'hour');
$minute = GETPOSTINT($prefix . 'minute'); $minute = GETPOSTINT($prefix . 'minute');

4
htdocs/emailcollector/class/emailcollector.class.php
View File

@@ -3470,7 +3470,11 @@ class EmailCollector extends CommonObject
$this->datelastresult = $now; $this->datelastresult = $now;
$this->lastresult = $output; $this->lastresult = $output;
if (getDolGlobalString('MAIN_IMAP_USE_PHPIMAP')) {
$this->debuginfo .= 'IMAP search array used : '.$search;
} else {
$this->debuginfo .= 'IMAP search string used : '.$search; $this->debuginfo .= 'IMAP search string used : '.$search;
}
if ($searchhead) { if ($searchhead) {
$this->debuginfo .= '<br>Then search string into email header : '.dol_escape_htmltag($searchhead); $this->debuginfo .= '<br>Then search string into email header : '.dol_escape_htmltag($searchhead);
} }

71
test/phpunit/SecurityTest.php
View File

@@ -309,6 +309,7 @@ class SecurityTest extends CommonClassTest
$_GET["param3"] = '"&#110;a/b#e(pr)qq-rr\cc'; // Same than param2 + " and &#110; $_GET["param3"] = '"&#110;a/b#e(pr)qq-rr\cc'; // Same than param2 + " and &#110;
$_GET["param4a"] = '..&#47;../dir'; $_GET["param4a"] = '..&#47;../dir';
$_GET["param4b"] = '..&#92;..\dirwindows'; $_GET["param4b"] = '..&#92;..\dirwindows';
$_GET["param4c"] = '\a123 \123 \u123 \x123';
$_GET["param5"] = "a_1-b"; $_GET["param5"] = "a_1-b";
$_POST["param6"] = "&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;"; $_POST["param6"] = "&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
$_POST["param6b"] = '<<<../>../>../svg><<<../>../>../animate =alert(1)>abc'; $_POST["param6b"] = '<<<../>../>../svg><<<../>../>../animate =alert(1)>abc';
@@ -358,19 +359,23 @@ class SecurityTest extends CommonClassTest
$result = GETPOST("param2", 'alpha'); $result = GETPOST("param2", 'alpha');
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'a/b#e(pr)qq-rr/cc', 'Test on param2'); $this->assertEquals('a/b#e(pr)qq-rr\cc', $result, 'Test on param2');
$result = GETPOST("param3", 'alpha'); // Must return string sanitized from char " $result = GETPOST("param3", 'alpha'); // Must return string sanitized from char "
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'na/b#e(pr)qq-rr/cc', 'Test on param3'); $this->assertEquals('na/b#e(pr)qq-rr\cc', $result, 'Test on param3');
$result = GETPOST("param4a", 'alpha'); // Must return string sanitized from ../ $result = GETPOST("param4a", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'dir'); $this->assertEquals('dir', $result);
$result = GETPOST("param4b", 'alpha'); // Must return string sanitized from ../ $result = GETPOST("param4b", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals($result, 'dirwindows'); $this->assertEquals('dirwindows', $result);
$result = GETPOST("param4c", 'alpha'); // Must return string sanitized from ../
print __METHOD__." result=".$result."\n";
$this->assertEquals('\a123 /123 /u123 /x123', $result);
// Test with aZ09 // Test with aZ09
@@ -1185,35 +1190,6 @@ class SecurityTest extends CommonClassTest
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login = checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login = checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login = checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login = checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login = checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists
}
/** /**
* testRealCharforNumericEntities() * testRealCharforNumericEntities()
* *
@@ -1278,4 +1254,33 @@ class SecurityTest extends CommonClassTest
return 0; return 0;
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login = checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login = checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login = checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login = checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login = checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists
}
} }