diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php
index 9b9fcdea1fd..fbe1ae98619 100644
--- a/htdocs/admin/modules.php
+++ b/htdocs/admin/modules.php
@@ -897,7 +897,7 @@ if ($mode == 'common' || $mode == 'commonkanban') {
if (!empty($conf->global->CHECKLASTVERSION_EXTERNALMODULE)) { // This is a bad practice to activate a synch external access during building of a page. 1 external module can hang the application.
require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';
if (!empty($objMod->url_last_version)) {
- $newversion = getURLContent($objMod->url_last_version);
+ $newversion = getURLContent($objMod->url_last_version, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only
if (isset($newversion['content'])) {
if (version_compare($newversion['content'], $versiontrans) > 0) {
print " ".$newversion['content']."";
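Review bot: The result of the new call on L10 is only gated by `isset($newversion['content'])`, so a transport error or an HTTP error body (a 404 page, a redirect page) is still fed to version_compare() and printed at L13; the api_setup hunk in this same commit checks `curl_error_no` and `http_code` before touching `content`, and this site should match it, e.g. `if (empty($newversion['curl_error_no']) && $newversion['http_code'] == 200 && isset($newversion['content'])) {`. The body printed at L13 comes from a third-party server chosen by the module descriptor and is written into the admin page unescaped; `print " ".dol_escape_htmltag($newversion['content']);` keeps a mis-served or hostile response from injecting markup into the page. The enclosing `if` block continues outside the hunk.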
diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php
index ab42039b98a..3869c37ce7d 100644
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
@@ -92,8 +92,6 @@ if (empty($xmlremote) && !empty($conf->global->$param)) {
if (empty($xmlremote)) {
$xmlremote = 'https://www.dolibarr.org/files/stable/signatures/filelist-'.DOL_VERSION.'.xml';
}
-if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
-}
if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
$langs->load("errors");
setEventMessages($langs->trans("ErrorURLMustStartWithHttp", $xmlremote), '', 'errors');
diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index 064fb6ad359..0029d0fd110 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -1647,8 +1647,8 @@ class Setup extends DolibarrApi
$file_list = array('missing' => array(), 'updated' => array());
// Local file to compare to
- $xmlshortfile = GETPOST('xmlshortfile') ?GETPOST('xmlshortfile') : '/install/filelist-'.DOL_VERSION.'.xml';
- $xmlfile = DOL_DOCUMENT_ROOT.$xmlshortfile;
+ $xmlshortfile = dol_sanitizeFileName(GETPOST('xmlshortfile', 'alpha') ? GETPOST('xmlshortfile', 'alpha') : 'filelist-'.DOL_VERSION.(empty($conf->global->MAIN_FILECHECK_LOCAL_SUFFIX) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_SUFFIX).'.xml'.(empty($conf->global->MAIN_FILECHECK_LOCAL_EXT) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_EXT));
+ $xmlfile = DOL_DOCUMENT_ROOT.'/install/'.$xmlshortfile;
// Remote file to compare to
$xmlremote = ($target == 'default' ? '' : $target);
if (empty($xmlremote) && !empty($conf->global->MAIN_FILECHECK_URL)) {
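Review bot: The request-supplied `xmlshortfile` still decides which file under `/install/` is read on L37, and containment rests entirely on `dol_sanitizeFileName()` removing path separators; unless that helper documents exactly that, an explicit check after the path is built pins the intent without depending on sanitizer details, e.g. `if (strpos((string) realpath($xmlfile), realpath(DOL_DOCUMENT_ROOT.'/install').'/') !== 0) { throw new RestException(400, 'Invalid xmlshortfile'); }`. L36 also packs two GETPOST calls, two config lookups and the sanitizer into one expression; computing `$suffix`, `$ext` and the default filename in named variables first would make the policy reviewable at a glance. The enclosing method starts and ends outside the hunk.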
@@ -1661,6 +1661,10 @@ class Setup extends DolibarrApi
if (empty($xmlremote)) {
$xmlremote = 'https://www.dolibarr.org/files/stable/signatures/filelist-'.DOL_VERSION.'.xml';
}
+ if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
+ $langs->load("errors");
+ throw new RestException(500, $langs->trans("ErrorURLMustStartWithHttp", $xmlremote));
+ }
if ($target == 'local') {
if (dol_is_file($xmlfile)) {
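Review bot: The new check at L45–L48 reports a malformed `$xmlremote` as a 500, but the value is derived from the caller's `$target` parameter (L39), so it is client input and 400 is the accurate status: `throw new RestException(400, $langs->trans("ErrorURLMustStartWithHttp", $xmlremote));`. The same regex and message already exist in htdocs/admin/system/filecheck.php in its `setEventMessages` form; if the two are meant to stay in sync, a small shared helper in geturl.lib.php would keep the copies from drifting. The enclosing method continues outside the hunk.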
@@ -1669,7 +1673,7 @@ class Setup extends DolibarrApi
throw new RestException(500, $langs->trans('XmlNotFound').': '.$xmlfile);
}
} else {
- $xmlarray = getURLContent($xmlremote);
+ $xmlarray = getURLContent($xmlremote, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only
// Return array('content'=>response,'curl_error_no'=>errno,'curl_error_msg'=>errmsg...)
if (!$xmlarray['curl_error_no'] && $xmlarray['http_code'] != '400' && $xmlarray['http_code'] != '404') {
diff --git a/htdocs/core/class/openid.class.php b/htdocs/core/class/openid.class.php
index 5156e7b767a..abb006969db 100644
--- a/htdocs/core/class/openid.class.php
+++ b/htdocs/core/class/openid.class.php
@@ -405,7 +405,7 @@ class SimpleOpenID
$url = $conf->global->MAIN_AUTHENTICATION_OPENID_URL;
}
- $response = getURLContent($url);
+ $response = getURLContent($url, 'GET', '', 1, array(), array('http', 'https'));
list($servers, $delegates) = $this->HTML2OpenIDServer($response);
if (count($servers) == 0) {
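Review bot: The rewritten call on L67 omits the seventh argument that every other site in this commit passes as `0` (including L74 in this same file), so whether local or private addresses are refused here depends on that parameter's default in geturl.lib.php rather than on an explicit choice. If `$url` can also be the identifier typed by the user (only the config fallback is visible at L64), that default matters, and spelling it out costs nothing: `$response = getURLContent($url, 'GET', '', 1, array(), array('http', 'https'), 0);`. The enclosing method starts outside the hunk.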
@@ -525,7 +525,7 @@ class SimpleOpenID
dol_syslog(get_class($this).'::sendDiscoveryRequestToGetXRDS get XRDS');
$addheaders = array('Accept: application/xrds+xml');
- $response = getURLContent($url, 'GET', '', 1, $addheaders);
+ $response = getURLContent($url, 'GET', '', 1, $addheaders, array('http', 'https'), 0);
/* response should like this:
diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php
index bf3b9f3dd07..4fa0f053236 100644
--- a/htdocs/core/lib/website.lib.php
+++ b/htdocs/core/lib/website.lib.php
@@ -1023,7 +1023,7 @@ function getAllImages($object, $objectpage, $urltograb, &$tmp, &$action, $modify
if (empty($alreadygrabbed[$urltograbbis])) {
if ($grabimages) {
- $tmpgeturl = getURLContent($urltograbbis);
+ $tmpgeturl = getURLContent($urltograbbis, 'GET', '', 1, array(), array('http', 'https'), 0);
if ($tmpgeturl['curl_error_no']) {
$error++;
setEventMessages('Error getting '.$urltograbbis.': '.$tmpgeturl['curl_error_msg'], null, 'errors');
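Review bot: The seven-argument literal on L84 is repeated verbatim on L92 and at every other call site in this commit (L10, L56, L105, L116), so the "external http/https only" policy now lives in eight positional argument lists and any later tightening has to locate them all. A thin wrapper beside getURLContent, e.g. `function getExternalURLContent($url, $addheaders = array()) { return getURLContent($url, 'GET', '', 1, $addheaders, array('http', 'https'), 0); }`, would let each site read as intent, and the comment `// Accept http or https links on external remote server only` would then need to exist once. getAllImages starts before and ends after the hunk.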
@@ -1094,7 +1094,7 @@ function getAllImages($object, $objectpage, $urltograb, &$tmp, &$action, $modify
if (empty($alreadygrabbed[$urltograbbis])) {
if ($grabimages) {
- $tmpgeturl = getURLContent($urltograbbis);
+ $tmpgeturl = getURLContent($urltograbbis, 'GET', '', 1, array(), array('http', 'https'), 0);
if ($tmpgeturl['curl_error_no']) {
$error++;
setEventMessages('Error getting '.$urltograbbis.': '.$tmpgeturl['curl_error_msg'], null, 'errors');
diff --git a/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php b/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
index 96e77d661ab..172c004a2d7 100644
--- a/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
+++ b/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
@@ -487,7 +487,7 @@ class PriceGlobalVariableUpdater
if ($this->type == 0) {
// Call JSON request
include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';
- $tmpresult = getURLContent($url);
+ $tmpresult = getURLContent($url, 'GET', '', 1, array(), array('http', 'https'), 0);
$code = $tmpresult['http_code'];
$result = $tmpresult['content'];
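Review bot: With the new arguments on L105 a configured URL that is not an external http/https address is now refused by getURLContent, yet L106–L107 read `http_code` and `content` without first consulting `curl_error_no`, so that refusal (or any transport failure) is processed as if a response had arrived. The other sites in this commit check `if ($tmpresult['curl_error_no'])` first; adding the same guard before L106 and returning through this method's existing failure path (its body continues outside the hunk, so the exact convention is not visible here) would surface the error instead of letting a missing or empty body flow into the price computation. Since `$url` is admin-configured the practical effect is a silently wrong result rather than an injection, but it should still fail loudly.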
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 26ca6df9bf8..86c50a22247 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -680,7 +680,7 @@ if ($action == 'addcontainer' && $usercanedit) {
}
if (!$error) {
- $tmp = getURLContent($urltograb);
+ $tmp = getURLContent($urltograb, 'GET', '', 1, array(), array('http', 'https'), 0);
if ($tmp['curl_error_no']) {
$error++;
setEventMessages('Error getting '.$urltograb.': '.$tmp['curl_error_msg'], null, 'errors');
@@ -795,7 +795,7 @@ if ($action == 'addcontainer' && $usercanedit) {
}
/*
- $tmpgeturl = getURLContent($urltograbbis);
+ $tmpgeturl = getURLContent($urltograbbis, 'GET', '', 1, array(), array('http', 'https'), 0);
if ($tmpgeturl['curl_error_no'])
{
$error++;
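Review bot: The change on L124 edits a line inside the `/* … */` block opened on L122, i.e. commented-out code that never executes; keeping dead code in step with the live API gains nothing and makes it easier for someone to paste it back later without a fresh review. The block appears to mirror the live loop changed at L132, so deleting it rather than maintaining it is the cleaner follow-up. The surrounding `addcontainer` branch starts and ends outside the hunk.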
@@ -860,7 +860,7 @@ if ($action == 'addcontainer' && $usercanedit) {
continue;
}
- $tmpgeturl = getURLContent($urltograbbis);
+ $tmpgeturl = getURLContent($urltograbbis, 'GET', '', 1, array(), array('http', 'https'), 0);
if ($tmpgeturl['curl_error_no']) {
$errorforsubresource++;
setEventMessages('Error getting link tag url '.$urltograbbis.': '.$tmpgeturl['curl_error_msg'], null, 'errors');