Enhance antiXSS by excluding non-printable chars used to obfuscate hacks

This commit is contained in:
Laurent Destailleur
2020-09-20 04:56:45 +02:00
parent 85aa1ab402
commit 2eb46b4900
3 changed files with 23 additions and 5 deletions


@@ -970,7 +970,7 @@ function dol_string_unaccent($str)
* @param array $badcharstoreplace List of forbidden characters
* @return string Cleaned string
*
* @see dol_sanitizeFilename(), dol_string_unaccent()
* @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii()
*/
function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
{
@@ -983,6 +983,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
}
/**
* Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF
* This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars.
*
* @param string $str String to clean
* @return string Cleaned string
*
* @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial()
*/
function dol_string_nounprintableascii($str)
{
return preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
}
/**
* Returns text escaped for inclusion into javascript code
*
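Review bot: dol_string_nounprintableascii returns null instead of a string when $str is not valid UTF-8, because the `u` modifier makes preg_replace fail with PREG_BAD_UTF8_ERROR on such input, and the character class contains only ASCII bytes so the modifier buys nothing here. The same pattern is copied into testSqlAndScriptInject in the second file, where a null $val is the more serious case: the checks that follow in that function (outside the hunk) would then run against an empty value while the raw request value keeps flowing into the page, so, as far as the visible lines show, an input carrying a single invalid UTF-8 byte would not be inspected at all. Suggest `return preg_replace('/[\x00-\x1F\x7F]/', '', $str);` here and `$val = preg_replace('/[\x00-\x1F\x7F]/', '', $val);` in testSqlAndScriptInject, or alternatively treat a null result as a failed check rather than as a clean value. The docblock could also state that the function works byte-wise and leaves multibyte sequences untouched, so callers know it is not a UTF-8 validator.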


@@ -58,10 +58,12 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
function testSqlAndScriptInject($val, $type)
{
$val = html_entity_decode($val, ENT_QUOTES); // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
$val = str_replace('%09', '', $val); // 'java%09script' is processed like 'javascript' (whatever is place of %09)
// TODO loop to decode until no more thing to decode ?
// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
$val = preg_replace('/[\x00-\x1F\x7F]/u', '', $val); // We should use dol_string_nounprintableascii but function is not yet loaded/available
//var_dump($val);
$inj = 0;
// For SQL Injection (only GET are used to be included into bad escaped SQL requests)
if ($type == 1 || $type == 3)


@@ -208,7 +208,8 @@ class ActionsTicket
$msg = GETPOST('message_initial', 'alpha') ? GETPOST('message_initial', 'alpha') : $object->message;
include_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
$uselocalbrowser = true;
$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $conf->global->FCKEDITOR_ENABLE_TICKET, ROWS_9, '95%');
$ckeditorenabledforticket = $conf->global->FCKEDITOR_ENABLE_TICKET;
$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $ckeditorenabledforticket, ROWS_9, '95%');
$doleditor->Create();
} else {
// Deal with format differences (text / HTML)