Fix security on GETPOST('action'). Param must be sanitized.

This commit is contained in:
Laurent Destailleur
2018-11-05 20:29:07 +01:00
parent 763f3cd518
commit 4a25317f10
120 changed files with 325 additions and 149 deletions


@@ -1038,6 +1038,8 @@ function dol_syslog($message, $level = LOG_INFO, $ident = 0, $suffixinfilename='
}
if ($level > $conf->global->SYSLOG_LEVEL) return;
$message = preg_replace('/password=\'[^\']*\'/', 'password=\'hidden\'', $message); // protection to avoid to have value of password in log
// If adding log inside HTML page is required
if (! empty($_REQUEST['logtohtml']) && (! empty($conf->global->MAIN_ENABLE_LOG_TO_HTML) || ! empty($conf->global->MAIN_LOGTOHTML))) // MAIN_LOGTOHTML kept for backward compatibility
{
@@ -1045,7 +1047,7 @@ function dol_syslog($message, $level = LOG_INFO, $ident = 0, $suffixinfilename='
}
//TODO: Remove this. MAIN_ENABLE_LOG_INLINE_HTML should be deprecated and use a log handler dedicated to HTML output
// If enable html log tag enabled and url parameter log defined, we show output log on HTML comments
// If html log tag enabled and url parameter log defined, we show output log on HTML comments
if (! empty($conf->global->MAIN_ENABLE_LOG_INLINE_HTML) && ! empty($_GET["log"]))
{
print "\n\n<!-- Log start\n";
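Review bot: The password-masking line added in the first hunk (`$message = preg_replace('/password=\'[^\']*\'/', ...)`) only redacts the exact lowercase form `password='...'`, so a message that carries `PASSWORD=`, `passwd=`, a double-quoted value, or a value containing an escaped quote (`[^\']*` stops at the first `'`, leaving the rest of the secret in the log) still reaches the syslog and the HTML-comment output below. Which callers format their messages this way is not visible here, but since the intent is a safety net for every log line, a case-insensitive pattern that accepts both quote styles and skips backslash-escaped characters would close the obvious gaps: `$message = preg_replace('/(password|passwd)=([\'"])(?:\\\\.|(?!\2).)*\2/i', '$1=${2}hidden${2}', $message);`. A short comment such as `// Best-effort redaction only: callers must still avoid logging secrets` would also make clear this is not a guarantee. The enclosing function dol_syslog starts and ends outside both hunks.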