mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-05 17:18:13 +01:00
Share not allowed extension into the method getExecutableContent()
This commit is contained in:
ldestailleur
@@ -166,7 +166,7 @@ if (isset($max)) {
|
||||
}
|
||||
print '</td>';
|
||||
print '<td class="nowrap">';
|
||||
print '<input class="flat" name="MAIN_UPLOAD_DOC" type="text" size="6" value="'.dol_escape_htmltag(getDolGlobalString('MAIN_UPLOAD_DOC')).'"> '.$langs->trans("Kb");
|
||||
print '<input class="flat width75 right" name="MAIN_UPLOAD_DOC" type="text" spellcheck="false" value="'.dol_escape_htmltag(getDolGlobalString('MAIN_UPLOAD_DOC')).'"> '.$langs->trans("Kb");
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
|
||||
@@ -176,7 +176,7 @@ print '<td>';
|
||||
print $form->textwithpicto($langs->trans("UMask"), $langs->trans("UMaskExplanation"));
|
||||
print '</td>';
|
||||
print '<td class="nowrap">';
|
||||
print '<input class="flat" name="MAIN_UMASK" type="text" size="6" value="'.dol_escape_htmltag(getDolGlobalString('MAIN_UMASK')).'">';
|
||||
print '<input class="flat width75 right" name="MAIN_UMASK" type="text" spellcheck="false" value="'.dol_escape_htmltag(getDolGlobalString('MAIN_UMASK')).'">';
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
|
||||
@@ -197,7 +197,7 @@ if (ini_get('safe_mode') && getDolGlobalString('MAIN_ANTIVIRUS_COMMAND')) {
|
||||
dol_syslog("safe_mode is on, basedir is ".$basedir.", safe_mode_exec_dir is ".ini_get('safe_mode_exec_dir'), LOG_WARNING);
|
||||
}
|
||||
}
|
||||
print '<input type="text" '.((defined('MAIN_ANTIVIRUS_COMMAND') && !defined('MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) ? 'disabled ' : '').'name="MAIN_ANTIVIRUS_COMMAND" class="minwidth500imp" value="'.dol_escape_htmltag(GETPOSTISSET('MAIN_ANTIVIRUS_COMMAND') ? GETPOST('MAIN_ANTIVIRUS_COMMAND') : getDolGlobalString('MAIN_ANTIVIRUS_COMMAND')).'">';
|
||||
print '<input type="text" '.((defined('MAIN_ANTIVIRUS_COMMAND') && !defined('MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) ? 'disabled ' : '').'name="MAIN_ANTIVIRUS_COMMAND" class="minwidth500imp" spellcheck="false" value="'.dol_escape_htmltag(GETPOSTISSET('MAIN_ANTIVIRUS_COMMAND') ? GETPOST('MAIN_ANTIVIRUS_COMMAND') : getDolGlobalString('MAIN_ANTIVIRUS_COMMAND')).'">';
|
||||
if (defined('MAIN_ANTIVIRUS_COMMAND') && !defined('MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) {
|
||||
print '<br><span class="opacitymedium">'.$langs->trans("ValueIsForcedBySystem").'</span>';
|
||||
}
|
||||
@@ -211,7 +211,7 @@ print '<td>'.$langs->trans("AntiVirusParam").'<br>';
|
||||
print '<span class="opacitymedium">'.$langs->trans("AntiVirusParamExample").'</span>';
|
||||
print '</td>';
|
||||
print '<td>';
|
||||
print '<input type="text" '.(defined('MAIN_ANTIVIRUS_PARAM') ? 'disabled ' : '').'name="MAIN_ANTIVIRUS_PARAM" class="minwidth500imp" value="'.(getDolGlobalString('MAIN_ANTIVIRUS_PARAM') ? dol_escape_htmltag(getDolGlobalString('MAIN_ANTIVIRUS_PARAM')) : '').'">';
|
||||
print '<input type="text" '.(defined('MAIN_ANTIVIRUS_PARAM') ? 'disabled ' : '').'name="MAIN_ANTIVIRUS_PARAM" class="minwidth500imp" spellcheck="false" value="'.(getDolGlobalString('MAIN_ANTIVIRUS_PARAM') ? dol_escape_htmltag(getDolGlobalString('MAIN_ANTIVIRUS_PARAM')) : '').'">';
|
||||
if (defined('MAIN_ANTIVIRUS_PARAM')) {
|
||||
print '<br><span class="opacitymedium">'.$langs->trans("ValueIsForcedBySystem").'</span>';
|
||||
}
|
||||
@@ -223,7 +223,7 @@ print '<td>'.$langs->trans("UploadExtensionRestriction").'<br>';
|
||||
print '<span class="opacitymedium">'.$langs->trans("UploadExtensionRestrictionExemple").'</span>';
|
||||
print '</td>';
|
||||
print '<td>';
|
||||
print '<input type="text" name="MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION" class="minwidth500imp" value="'.getDolGlobalString('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', 'htm,html,shtml,js,php').'">';
|
||||
print '<input type="text" name="MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION" class="minwidth500imp" spellcheck="false" value="'.getDolGlobalString('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', implode(',', getExecutableContent())).'">';
|
||||
print "</td>";
|
||||
print '</tr>';
|
||||
|
||||
|
||||
@@ -461,6 +461,9 @@ print '<strong>'.$langs->trans("MaxNumberOfAttachementOnForms").'</strong>: ';
|
||||
print(getDolGlobalInt('MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS', 10) ? img_picto('', 'tick').' ' : '').getDolGlobalInt("MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 10).' '.strtolower($langs->trans("Files"));
|
||||
print '<br><br>';
|
||||
|
||||
|
||||
// Clear password ?
|
||||
|
||||
print '<strong>'.$langs->trans("DoNotStoreClearPassword").'</strong>: ';
|
||||
print !getDolGlobalString('DATABASE_PWD_ENCRYPTED') ? '' : img_picto('', 'tick').' ';
|
||||
print yn(!getDolGlobalString('DATABASE_PWD_ENCRYPTED') ? 0 : 1);
|
||||
@@ -470,6 +473,22 @@ if (!getDolGlobalString('DATABASE_PWD_ENCRYPTED')) {
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
// Mask by default in upload
|
||||
$umask = getDolGlobalString('MAIN_UMASK');
|
||||
|
||||
print '<strong>'.$langs->trans("UMask").'</strong>: ';
|
||||
if (! in_array($umask, array('600', '660', '0600', '0660'))) {
|
||||
print img_warning().' ';
|
||||
}
|
||||
print $umask;
|
||||
if (! in_array($umask, array('600', '660', '0600', '0660'))) {
|
||||
print ' <span class="opacitymedium">('.$langs->trans("Recommended").': 0600 | 0660)</span>';
|
||||
}
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
/* Already into section conf file */
|
||||
/*
|
||||
$usepassinconfencrypted = 0;
|
||||
@@ -516,20 +535,16 @@ if (!getDolGlobalString('MAIN_ANTIVIRUS_COMMAND')) {
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
$umask = getDolGlobalString('MAIN_UMASK');
|
||||
// File extension locked in upload by default
|
||||
|
||||
print '<strong>'.$langs->trans("UMask").'</strong>: ';
|
||||
if (! in_array($umask, array('600', '660', '0600', '0660'))) {
|
||||
print img_warning().' ';
|
||||
}
|
||||
print $umask;
|
||||
if (! in_array($umask, array('600', '660', '0600', '0660'))) {
|
||||
print ' <span class="opacitymedium">('.$langs->trans("Recommended").': 0600 | 0660)</span>';
|
||||
}
|
||||
print '<strong>'.$langs->trans("UploadExtensionRestriction").'</strong>: ';
|
||||
print implode(', ', explode(',', getDolGlobalString('MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION')));
|
||||
print ' <span class="opacitymedium">('.$langs->trans("Recommended").': '.implode(', ', getExecutableContent()).')</span>';
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
|
||||
$securityevent = new Events($db);
|
||||
$eventstolog = $securityevent->eventstolog;
|
||||
|
||||
@@ -602,7 +617,6 @@ if (!$test) {
|
||||
}
|
||||
print '<br>';
|
||||
|
||||
|
||||
// Modules for Payments
|
||||
$test = isModEnabled('stripe');
|
||||
if ($test) {
|
||||
@@ -664,6 +678,8 @@ print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
// Other setup
|
||||
|
||||
print load_fiche_titre($langs->trans("OtherSetup"), '', 'folder');
|
||||
|
||||
print '<div class="divsection wordbreak">';
|
||||
@@ -681,11 +697,9 @@ print '<strong>MAIN_SECURITY_CSRF_WITH_TOKEN</strong> = '.getDolGlobalString('MA
|
||||
|
||||
print '</div>';
|
||||
|
||||
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
print load_fiche_titre($langs->trans("DatabaseEncryption"), '', 'folder');
|
||||
|
||||
print '<div class="divsection wordbreak">';
|
||||
@@ -734,8 +748,10 @@ print '</div>';
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
// Websites
|
||||
|
||||
if (isModEnabled('website')) {
|
||||
print load_fiche_titre($langs->trans("Website"), '', 'website');
|
||||
print '<div class="divsection wordbreak">';
|
||||
|
||||
@@ -774,6 +790,8 @@ if ($resql) {
|
||||
print '<br>';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
print '<span class="opacity">'.$langs->trans("NoWebsite").'</span>';
|
||||
}
|
||||
} else {
|
||||
dol_print_error($db);
|
||||
@@ -781,6 +799,10 @@ if ($resql) {
|
||||
print '</div>';
|
||||
|
||||
|
||||
print '<br>';
|
||||
}
|
||||
|
||||
|
||||
// Other - experimental
|
||||
|
||||
print load_fiche_titre($langs->trans("OtherSetup").' ('.$langs->trans("Experimental").')', '', 'folder');
|
||||
@@ -790,7 +812,7 @@ print '<strong>MAIN_EXEC_USE_POPEN</strong> = ';
|
||||
if (!getDolGlobalString('MAIN_EXEC_USE_POPEN')) {
|
||||
print '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>';
|
||||
} else {
|
||||
print $conf->global->MAIN_EXEC_USE_POPEN;
|
||||
print getDolGlobalString('MAIN_EXEC_USE_POPEN');
|
||||
}
|
||||
if ($execmethod == 1) {
|
||||
print '<span class="opacitymedium"> "exec" PHP method will be used for shell commands';
|
||||
@@ -869,6 +891,11 @@ print '<br>';
|
||||
print '<strong>MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS</strong> = '.getDolGlobalString('MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS', '<span class="opacitymedium">'.$langs->trans("Undefined").' ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
|
||||
print '<br>';
|
||||
|
||||
print '<strong>MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL</strong> = '.(getDolGlobalString('MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL') ? '1' : '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>');
|
||||
print ' <span class="opacitymedium">('.$langs->trans("Recommended").": 1 - may break use of concatenation function like . or dol_concatdesc into extra fields conditions or formula)</span><br>";
|
||||
print '<br>';
|
||||
|
||||
|
||||
// MAIN_ALLOW_LOCAL_LINKS_AS_EXTERNAL_LINKS
|
||||
|
||||
print '<strong>MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL</strong> = '.getDolGlobalString('MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL', '<span class="opacitymedium">'.$langs->trans("Undefined").' ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)</span>')."<br>";
|
||||
@@ -889,9 +916,11 @@ print '<strong>MAIN_SECURITY_FORCERP</strong> = '.getDolGlobalString('MAIN_SECUR
|
||||
print '<br>';
|
||||
|
||||
print '<strong>MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN</strong> = '.getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' <span class="opacitymedium">('.$langs->trans("Recommended").": 1)</span><br>";
|
||||
print '<br>';
|
||||
|
||||
|
||||
/* Removed, already in the dedicated section Websites.
|
||||
print '<br>';
|
||||
|
||||
print '<strong>WEBSITE_MAIN_SECURITY_FORCECSPRO</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>');
|
||||
print ' <span class="opacitymedium">('.$langs->trans("Example").': "';
|
||||
$examplecsprule = "default-src 'self' 'unsafe-inline' matomo.".getDomainFromURL($_SERVER["SERVER_NAME"], 1)." *.transifex.net *.transifex.com *.cloudflare.com *.cloudflareinsights.com *.google-analytics.com *.googletagmanager.com *.google.com *.gstatic.com *.googleapis.com *.googleadservices.com *.ads-twitter.com *.doubleclick.net; frame-ancestors 'self'; object-src *.youtube.com; frame-src 'self' *.twitter.com *.facebook.com *.youtube.com; img-src * data:;";
|
||||
@@ -913,10 +942,12 @@ print '<strong>WEBSITE_MAIN_SECURITY_FORCESTS</strong> = '.getDolGlobalString('W
|
||||
print '<br>';
|
||||
|
||||
print '<strong>WEBSITE_MAIN_SECURITY_FORCEPP</strong> = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP', '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>').' <span class="opacitymedium">('.$langs->trans("Example").": \"camera=(), microphone=(), geolocation=*\")</span><br>";
|
||||
*/
|
||||
|
||||
print '</div>';
|
||||
|
||||
|
||||
print '<br>';
|
||||
print '<br>';
|
||||
|
||||
|
||||
|
||||
@@ -1972,11 +1972,13 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $updatesessionor
|
||||
$info = pathinfo($destfile);
|
||||
$destfile = dol_sanitizeFileName($info['filename'].($info['extension'] != '' ? ('.'.strtolower($info['extension'])) : ''));
|
||||
|
||||
$fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION", 'htm,html,shtml,js,php');
|
||||
if (!empty($info['extension']) && !empty($fileextensionrestriction)) {
|
||||
$fileextensionrestrictionarr = explode(",", $fileextensionrestriction);
|
||||
foreach ($fileextensionrestrictionarr as $key => $fileextension) {
|
||||
if (preg_match('/'.preg_quote($fileextension, '/').'/i', $info['extension'])) {
|
||||
// Check extension is allowed for upload
|
||||
$fileextensionrestriction = getDolGlobalString("MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION", implode(',', getExecutableContent()));
|
||||
if (!empty($fileextensionrestriction)) {
|
||||
$arrayofregexextension = explode(",", $fileextensionrestriction);
|
||||
|
||||
foreach ($arrayofregexextension as $fileextension) {
|
||||
if (preg_match('/\.'.preg_quote(trim($fileextension), '/').'$/i', $destfull)) {
|
||||
$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
|
||||
setEventMessages($langs->trans("ErrorFilenameExtensionNotAllowed", $filenameto), null, 'errors');
|
||||
return -1;
|
||||
|
||||
@@ -14118,6 +14118,21 @@ function fetchObjectByElement($element_id, $element_type, $element_ref = '', $us
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return array of extension for executable files of text files that can contains executable code.
|
||||
*
|
||||
* @return array Array of extensions
|
||||
*/
|
||||
function getExecutableContent()
|
||||
{
|
||||
$arrayofregexextension = array(
|
||||
'htm', 'html', 'shtml', 'js', 'phar', 'php', 'php3', 'php4', 'php5', 'phtml', 'pht', 'pl', 'py', 'cgi', 'ksh', 'sh', 'shtml',
|
||||
'bash', 'bat', 'cmd', 'wpk', 'exe', 'dmg', 'appimage'
|
||||
);
|
||||
|
||||
return $arrayofregexextension;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return if a file can contains executable content
|
||||
*
|
||||
@@ -14126,9 +14141,13 @@ function fetchObjectByElement($element_id, $element_type, $element_ref = '', $us
|
||||
*/
|
||||
function isAFileWithExecutableContent($filename)
|
||||
{
|
||||
if (preg_match('/\.(htm|html|js|phar|php|php\d+|phtml|pht|pl|py|cgi|ksh|sh|shtml|bash|bat|cmd|wpk|exe|dmg)$/i', $filename)) {
|
||||
$arrayofregexextension = getExecutableContent();
|
||||
|
||||
foreach ($arrayofregexextension as $fileextension) {
|
||||
if (preg_match('/\.'.preg_quote($fileextension, '/').'$/i', $filename)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user