Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-07 01:23:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/develop' into loadlangs

Browse Source
This commit is contained in:
Frédéric FRANCE
2023-09-08 09:28:48 +02:00
parent e6f249eaca e9787451a8
commit 198e7bf795
97 changed files with 147 additions and 890 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/files.lib.php
View File

@@ -1885,7 +1885,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
$linkObject->objectid = GETPOST('objectid', 'int');
$linkObject->label = GETPOST('label', 'alpha');
$res = $linkObject->create($user);
$langs->load('link');
if ($res > 0) {
setEventMessages($langs->trans("LinkComplete"), null, 'mesgs');
} else {

95
htdocs/core/lib/functions.lib.php
View File

@@ -9145,6 +9145,33 @@ function dol_getIdFromCode($db, $key, $tablename, $fieldkey = 'code', $fieldid =
}
}
/**
* Check if a variable with name $var start with $text.
* Can be used to forge dol_eval() conditions.
*
* @param $var string Variable
* @param $regextext string Text that must be a valid regex string
* @param $matchrule int 1=Test if start with, 0=Test if equal
* @return boolean|string True or False, text if bad use.
*/
function isStringVarMatching($var, $regextext, $matchrule = 1)
{
if ($matchrule == 1) {
if ($var == 'mainmenu') {
global $mainmenu;
return (preg_match('/^'.$regextext.'/', $mainmenu));
} elseif ($var == 'leftmenu') {
global $leftmenu;
return (preg_match('/^'.$regextext.'/', $leftmenu));
} else {
return 'This variable is not accessible with dol_eval';
}
} else {
return 'This value for matchrule is not implemented';
}
}
/**
* Verify if condition in string is ok or not
*
@@ -9153,15 +9180,15 @@ function dol_getIdFromCode($db, $key, $tablename, $fieldkey = 'code', $fieldid =
*/
function verifCond($strToEvaluate)
{
global $user, $conf, $langs;
global $conf; // Read of const is done with getDolGlobalString() but we need $conf->currency for example
global $user, $langs;
global $leftmenu;
global $rights; // To export to dol_eval function
//print $strToEvaluate."<br>\n";
$rights = true;
if (isset($strToEvaluate) && $strToEvaluate !== '') {
//var_dump($strToEvaluate);
$rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx for all variables $xxx found into the string condition
$rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval() must contains all the "global $xxx;" for all variables $xxx found into the string condition
$rights = $rep && (!is_string($rep) || strpos($rep, 'Bad string syntax to evaluate') === false);
//var_dump($rights);
}
@@ -9175,29 +9202,36 @@ function verifCond($strToEvaluate)
* @param string $s String to evaluate
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
* @param int $hideerrors 1=Hide errors
* @param string $onlysimplestring '0' (used for computed property of extrafields)=Accept all chars, '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';', '2' (rarely used)=Accept also '[]'
* @param string $onlysimplestring '0' (deprecated, used for computed property of extrafields)=Accept all chars,
* '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';',
* '2' (rarely used)=Accept also '[]'
* @return mixed Nothing or return result of eval
* @see verifCond()
*/
function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
{
// Only global variables can be changed by eval function and returned to caller
global $db, $langs, $user, $conf, $website, $websitepage;
// Only this global variables can be read by eval function and returned to caller
global $conf; // Read of const is done with getDolGlobalString() but we need $conf->currency for example
global $db, $langs, $user, $website, $websitepage;
global $action, $mainmenu, $leftmenu;
global $mysoc;
global $objectoffield;
global $objectoffield; // To allow the use of $objectoffield in computed fields
// Old variables used
global $rights;
global $object;
global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
global $soc; // For backward compatibility
global $obj; // To get $obj used into list when dol_eval() is used for computed fields and $obj is not yet $object
//global $rights;
//global $soc; // For backward compatibility
if (!in_array($onlysimplestring, array('0', '1', '2'))) {
return "Bad call of dol_eval. Parameter onlysimplestring must be '0' (deprecated), '1' or '2'";
}
try {
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing
if ($onlysimplestring == '1') {
// We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL'
// We must accept: '$conf->barcode->enabled || preg_match(\'/^AAA/\',$leftmenu)'
// We must accept: '$user->rights->cabinetmed->read && !$object->canvas=="patient@cabinetmed"'
// We must accept: '1 && getDolGlobalInt("doesnotexist1") && getDolGlobalString("MAIN_FEATURES_LEVEL")'
// We must accept: '$user->hasRight("cabinetmed", "read") && !$object->canvas=="patient@cabinetmed"'
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/@', '/').']/i', $s)) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
@@ -9205,10 +9239,21 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
return '';
}
// TODO
// We can exclude all parenthesis ( that are not '($db' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' and 'isModEnabled('
// ...
}
$scheck = preg_replace('/->[a-zA-Z0-9_]+\(/', '->__METHOD__', $s);
$scheck = preg_replace('/\s[a-zA-Z0-9_]+\(/', ' __FUNCTION__', $scheck);
$scheck = preg_replace('/(\^|\')\(/', '__REGEXSTART__', $scheck); // To allow preg_match('/^(aaa|bbb)/'... or isStringVarMatching('leftmenu', '(aaa|bbb)')
//print 'scheck='.$scheck." : ".strpos($scheck, '(')."\n";
if (strpos($scheck, '(') !== false) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s);
return '';
}
}
// TODO
// We can exclude $ char that are not: $db, $langs, $leftmenu, $topmenu, $user, $langs, $objectoffield, $object...,
} elseif ($onlysimplestring == '2') {
// We must accept: (($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/@[]', '/').']/i', $s)) {
@@ -9218,10 +9263,17 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
return '';
}
// TODO
// We can exclude all parenthesis ( that are not '($db' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' and 'isModEnabled('
// ...
}
if (strpos($scheck, '(') !== false) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (found call of a function or method without using direct name): '.$s);
return '';
}
}
// TODO
// We can exclude $ char that are not: $db, $leftmenu, $topmenu, $user, $langs, $object...,
}
if (is_array($s) || $s === 'Array') {
return 'Bad string syntax to evaluate (value is Array) '.var_export($s, true);
@@ -9255,8 +9307,11 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
$forbiddenphpstrings = array('$$');
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI", "verifCond", "base64_decode");
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval");
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "executeCLI", "verifCond")); // native dolibarr functions
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("base64_decode", "rawurldecode", "urldecode")); // decode string functions
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("get_defined_functions", "get_defined_vars", "get_defined_constants", "get_declared_classes"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
$forbiddenphpregex = 'global\s+\$|\b('.implode('|', $forbiddenphpfunctions).')\b';

22
htdocs/core/lib/security.lib.php
View File

@@ -434,19 +434,21 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
// Get more permissions checks from hooks
$parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft);
$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
if (!empty($hookmanager)) {
$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
if (isset($hookmanager->resArray['result'])) {
if ($hookmanager->resArray['result'] == 0) {
if ($mode) {
return 0;
} else {
accessforbidden(); // Module returns 0, so access forbidden
if (isset($hookmanager->resArray['result'])) {
if ($hookmanager->resArray['result'] == 0) {
if ($mode) {
return 0;
} else {
accessforbidden(); // Module returns 0, so access forbidden
}
}
}
}
if ($reshook > 0) { // No other test done.
return 1;
if ($reshook > 0) { // No other test done.
return 1;
}
}
// Features/modules to check

2
htdocs/core/lib/website.lib.php
View File

@@ -171,6 +171,7 @@ function dolWebsiteReplacementOfLinks($website, $content, $removephppart = 0, $c
$content = str_replace('href="styles.css.php', 'href="!~!~!~styles.css.php', $content);
$content = str_replace('src="javascript.js.php', 'src="!~!~!~javascript.js.php', $content);
$content = str_replace('href="http', 'href="!~!~!~http', $content);
$content = str_replace('xlink:href="', 'xlink:href="!~!~!~', $content);
$content = str_replace('href="//', 'href="!~!~!~//', $content);
$content = str_replace('src="//', 'src="!~!~!~//', $content);
$content = str_replace('src="viewimage.php', 'src="!~!~!~/viewimage.php', $content);
@@ -311,6 +312,7 @@ function dolWebsiteOutput($content, $contenttype = 'html', $containerid = '')
$content = str_replace('href="styles.css.php', 'href="!~!~!~styles.css.php', $content);
$content = str_replace('src="javascript.css.php', 'src="!~!~!~javascript.css.php', $content);
$content = str_replace('href="http', 'href="!~!~!~http', $content);
$content = str_replace('xlink:href="', 'xlink:href="!~!~!~', $content);
$content = str_replace('href="//', 'href="!~!~!~//', $content);
$content = str_replace('src="//', 'src="!~!~!~//', $content);
$content = str_replace(array('src="viewimage.php', 'src="/viewimage.php'), 'src="!~!~!~/viewimage.php', $content);