diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index c43dd851c78..57f785261ea 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -9839,6 +9839,7 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
 global $object;
 global $obj; // To get $obj used into list when dol_eval() is used for computed fields and $obj is not yet $object
+ $isObBufferActive = false; // When true, the ObBuffer must be cleaned in the exception handler
 if (!in_array($onlysimplestring, array('0', '1', '2'))) {
 return "Bad call of dol_eval. Parameter onlysimplestring must be '0' (deprecated), '1' or '2'";
 }
@@ -9957,16 +9958,20 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
 if ($returnvalue) {
 if ($hideerrors) {
 ob_start(); // An evaluation has no reason to output data
+ $isObBufferActive = true;
 $tmps = @eval('return '.$s.';');
 $tmpo = ob_get_clean();
+ $isObBufferActive = false;
 if ($tmpo) {
 print 'Bad string syntax to evaluate. Some data were output when it should not when evaluating: '.$s;
 }
 return $tmps;
 } else {
 ob_start(); // An evaluation has no reason to output data
+ $isObBufferActive = true;
 $tmps = eval('return '.$s.';');
 $tmpo = ob_get_clean();
+ $isObBufferActive = false;
 if ($tmpo) {
 print 'Bad string syntax to evaluate. Some data were output when it should not when evaluating: '.$s;
 }
@@ -9981,6 +9986,11 @@ function dol_eval($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestring = '1'
 }
 }
 } catch (Error $e) {
+ if ($isObBufferActive) {
+ // Clean up buffer which was left behind due to exception.
+ $tmpo = ob_get_clean();
+ $isObBufferActive = false;
+ }
 $error = 'dol_eval try/catch error : ';
 $error .= $e->getMessage();
 dol_syslog($error, LOG_WARNING);
diff --git a/test/phpunit/CommonClassTest.class.php b/test/phpunit/CommonClassTest.class.php
index 2be3f58362f..a7c793ed9bf 100644
--- a/test/phpunit/CommonClassTest.class.php
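Review bot: The flag is only raised around the two `ob_start()` calls in this hunk, so any other `ob_start()` inside dol_eval's try block (the `} } }` context of the next hunk shows further nesting that lies outside this view) would still leak its buffer when eval throws. Recording the buffer depth instead of a boolean covers every path with one line before each `ob_start()`, `$obLevelBefore = ob_get_level();`, and an unwind in the handler, `while (ob_get_level() > $obLevelBefore) { ob_end_clean(); }`, which also copes with evaluated code that opens a nested buffer of its own before failing. If the boolean stays, the four assignments duplicated across the `$hideerrors` branches deserve a short comment at the first one such as `// Tells the catch block below whether an ob_get_clean() is still pending`. dol_eval's body starts and ends outside this hunk.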
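Review bot: The cleanup runs only for `Error`, so an `Exception` raised by the evaluated expression propagates with the output buffer still open and every later print of the page is swallowed into it, unless a second catch outside this hunk handles that case. Moving the cleanup into a `finally` covers both: `} finally { if ($isObBufferActive) { ob_end_clean(); $isObBufferActive = false; } }`, which is safe because the success paths already reset the flag before returning. Also `$tmpo = ob_get_clean();` stores output the handler never reads; either call `ob_end_clean();` or append the captured text to `$error` so the syslog entry shows what the expression printed before it failed. The try block of dol_eval starts before this hunk and the handler continues after it.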
+++ b/test/phpunit/CommonClassTest.class.php
@@ -26,11 +26,16 @@
 * \remarks Class that extends all PHPunit tests. To share similare code between each test.
 */
+// Workaround for false security issue with main.inc.php in tests:
+$_SERVER['PHP_SELF'] = "phpunit";
+
 global $conf,$user,$langs,$db;
 //define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
 //require_once 'PHPUnit/Autoload.php';
 require_once dirname(__FILE__).'/../../htdocs/master.inc.php';
+
+
 if (empty($user->id)) {
 print "Load permissions for admin user nb 1\n";
 $user->fetch(1);
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 8a154897acb..42455c49cef 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -53,10 +53,11 @@ if (! defined("NOSESSION")) {
 define("NOSESSION", '1');
 }
-require_once dirname(__FILE__).'/../../htdocs/main.inc.php';
+// Implements workaround for PHP_SELF & includes common files:
+require_once dirname(__FILE__).'/CommonClassTest.class.php';
+
 require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
 require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';
-require_once dirname(__FILE__).'/CommonClassTest.class.php';
 if (empty($user->id)) {
 print "Load permissions for admin user nb 1\n";
@@ -988,7 +989,7 @@ class SecurityTest extends CommonClassTest
 include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
 include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
- $result=dol_eval('1==1', 1, 0);
+ $result = dol_eval('1==1', 1, 0);
 print "result1 = ".$result."\n";
 $this->assertTrue($result);
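Review bot: `$_SERVER['PHP_SELF'] = "phpunit";` overrides a value that main.inc.php presumably validates, yet the comment "false security issue" names neither the check that trips under the CLI runner nor why a fixed value is acceptable, so a later reader cannot tell whether the check or the test harness is at fault. I would replace the comment with one that says which check is being satisfied, along the lines of `// Test bootstrap only: under the phpunit CLI runner PHP_SELF is the runner's script path and trips the PHP_SELF check in main.inc.php (confirm which one); give it a neutral value before main.inc.php is loaded.` Since this file requires master.inc.php rather than main.inc.php, the override only has an effect when a test loads main.inc.php afterwards, and wrapping it in `if (PHP_SAPI === 'cli') {` keeps it from masking anything should the bootstrap ever run under a web SAPI. The three consecutive blank lines added after the `require_once` are a style nit.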
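Review bot: Dropping `require_once .../main.inc.php` in favour of CommonClassTest.class.php changes what this test bootstraps: CommonClassTest requires master.inc.php (visible in the previous file's hunk), and nothing in this diff shows main.inc.php still being loaded, so anything only main.inc.php defines or enforces would no longer be exercised by the security tests, and the PHP_SELF workaround the new comment refers to would have nothing to work around here. If main.inc.php is not pulled in transitively, keep `require_once dirname(__FILE__).'/../../htdocs/main.inc.php';` immediately after the CommonClassTest require, where the PHP_SELF override is already in effect. The `if (empty($user->id))` block that follows repeats the one CommonClassTest now runs on include and could be dropped from this file. The file-level statement run continues outside the hunk.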