Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-05 09:08:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into 22.0

Browse Source
This commit is contained in:
ldestailleur
2025-07-15 15:21:59 +02:00
parent cb447b608b 6f15da3537
commit 85782ca3f6
6 changed files with 121 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/admin/tools/listevents.php
View File

@@ -72,7 +72,7 @@ $search_user = GETPOST("search_user", "alpha");
$search_desc = GETPOST("search_desc", "alpha");
$search_ua = GETPOST("search_ua", "restricthtml");
$search_prefix_session = GETPOST("search_prefix_session", "restricthtml");
$search_entity = ($user->entity > 0 ? $user->entity : GETPOSTINT('search_entity'));
$search_entity = ($user->entity > 0 ? $user->entity : GETPOSTINT('search_entity')); // TODO Replace with $search_entity = GETPOSTINT('search_entity') when the filter is available on screen for this page
$now = dol_now();
$nowarray = dol_getdate($now);

20
htdocs/core/lib/functions.lib.php
View File

@@ -10891,14 +10891,14 @@ function verifCond($strToEvaluate, $onlysimplestring = '1')
/**
* Replace eval function to add more security.
* This function is called by verifCond() or trans() and transnoentitiesnoconv().
* This function is called by verifCond() for example.
*
* @param string $s String to evaluate
* @param int<0,1> $returnvalue 0=No return (deprecated, used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
* @param int<0,1> $hideerrors 1=Hide errors
* @param string $onlysimplestring '0' (deprecated, do not use it anymore)=Accept all chars,
* '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';',
* '2' (used for example for the compute property of extrafields)=Accept also '<[]'
* @param string $onlysimplestring '0' (deprecated, do not use it anymore) = Accept all chars,
* '1' (most common use) = Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';',
* '2' (used for example for the compute property of extrafields) = Accept also '<[]'
* @return string Return result of eval (even if type can be int, it is safer to assume string and find all potential typing issues as abs(dol_eval(...)).
* @see verifCond(), checkPHPCode() to see sanitizing rules that should be very close.
* @phan-suppress PhanPluginUnsafeEval
@@ -11265,14 +11265,26 @@ function dol_eval_standard($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestr
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_GLOBAL', '_POST', '_REQUEST', 'ReflectionFunction'));
// We list all forbidden function as keywords we don't want to see (we don't mind it if is "kewyord(" or just "keyword", we don't want "keyword" at all)
// We must exclude all functions that allow to execute another function. This includes all function that has a parameter with type "callable" to avoid things
// like we can do with array_map and its callable parameter: dol_eval('json_encode(array_map(implode("",["ex","ec"]), ["id"]))', 1, 1, '0')
$forbiddenphpfunctions = array();
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("override_function", "session_id", "session_create_id", "session_regenerate_id"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("get_defined_functions", "get_defined_vars", "get_defined_constants", "get_declared_classes"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func", "call_user_func_array"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("array_all", "array_any", "array_diff_ukey", "array_filter", "array_find", "array_find_key", "array_map", "array_reduce", "array_intersect_uassoc", "array_intersect_ukey", "array_walk", "array_walk_recursive"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("usort", "uasort", "uksort", "preg_replace_callback", "preg_replace_callback_array", "header_register_callback"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("set_error_handler", "set_exception_handler", "libxml_set_external_entity_loader", "register_shutdown_function", "register_tick_function", "unregister_tick_function"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("spl_autoload_register", "spl_autoload_unregister", "iterator_apply", "session_set_save_handler"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("forward_static_call", "forward_static_call_array", "register_postsend_function"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("ob_start"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("require", "include", "require_once", "include_once"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("exec", "passthru", "shell_exec", "system", "proc_open", "popen"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_eval", "dol_eval_new", "dol_eval_standard", "dol_concatdesc", "executeCLI", "verifCond", "GETPOST")); // native dolibarr functions
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("eval", "create_function", "assert", "mb_ereg_replace")); // function with eval capabilities
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("readline_completion_function", "readline_callback_handler_install"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("dol_compress_dir", "dol_decode", "dol_delete_file", "dol_delete_dir", "dol_delete_dir_recursive", "dol_copy", "archiveOrBackupFile")); // more dolibarr functions
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("require", "include"));

10
htdocs/install/upgrade.php
View File

@@ -40,6 +40,11 @@
define('ALLOWED_IF_UPGRADE_UNLOCK_FOUND', 1);
include_once 'inc.php';
/**
* @var string $conffile
*/
if (!file_exists($conffile)) {
print 'Error: Dolibarr config file was not found. This may means that Dolibarr is not installed yet. Please call the page "/install/index.php" instead of "/install/upgrade.php").';
}
@@ -48,6 +53,11 @@ require_once $dolibarr_main_document_root.'/core/lib/admin.lib.php';
global $langs;
/**
* @var Conf $conf
* @var Translate $langs
*/
$grant_query = '';
$step = 2;
$ok = 0;

91
htdocs/install/upgrade2.php
View File

@@ -43,6 +43,11 @@
define('ALLOWED_IF_UPGRADE_UNLOCK_FOUND', 1);
include_once 'inc.php';
/**
* @var string $conffile
*/
if (!file_exists($conffile)) {
print 'Error: Dolibarr config file was not found. This may means that Dolibarr is not installed yet. Please call the page "/install/index.php" instead of "/install/upgrade.php").';
}
@@ -59,13 +64,17 @@ require_once $dolibarr_main_document_root.'/core/lib/files.lib.php';
global $langs;
/**
* @var Conf $conf
* @var Translate $langs
*/
$grant_query = '';
$step = 2;
$error = 0;
// Cette page peut etre longue. On augmente le delai autorise.
// Ne fonctionne que si on est pas en safe_mode.
// This page can be long. We increase the allowed delay, but this does not work when we are in safe_mode.
$err = error_reporting();
error_reporting(0);
if (getDolGlobalString('MAIN_OVERRIDE_TIME_LIMIT')) {
@@ -230,17 +239,23 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$db->begin();
foreach ($listofentities as $entity) {
dol_syslog("Process upgrade2 for entity ".$entity);
// Set $conf context for entity
$conf->setEntityValues($db, $entity);
// Reset forced setup after the setValues
if (defined('SYSLOG_FILE')) {
$conf->global->SYSLOG_FILE = constant('SYSLOG_FILE');
}
$conf->global->MAIN_ENABLE_LOG_TO_HTML = 1;
$conf->global->MAIN_ENABLE_LOG_TO_HTML = 1; // Add also log into conf->logbuffer.
$versiontoarray = array();
$versionranarray = array();
dol_syslog("Process upgrade2 d for entity ".$entity);
if (!$error) {
if (count($listofentities) > 1) {
print '<tr><td colspan="4">*** '.$langs->trans("Entity").' '.$entity.'</td></tr>'."\n";
@@ -257,10 +272,11 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$versiontoarray = explode('.', $versionto);
$versionranarray = explode('.', DOL_VERSION);
$afterversionarray = explode('.', '2.0.0');
$beforeversionarray = explode('.', '2.7.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
// Script pour V2 -> V2.1
migrate_paiements($db, $langs, $conf);
@@ -324,6 +340,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$beforeversionarray = explode('.', '2.8.9');
//print $versionto.' '.versioncompare($versiontoarray,$afterversionarray).' '.versioncompare($versiontoarray,$beforeversionarray);
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_price_facture($db, $langs, $conf); // Code of this function works for 2.8+ because need a field tva_tx
migrate_relationship_tables($db, $langs, $conf, 'co_exp', 'fk_commande', 'commande', 'fk_expedition', 'shipping');
@@ -349,6 +367,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '2.8.9');
$beforeversionarray = explode('.', '2.9.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_element_time($db, $langs, $conf);
migrate_customerorder_shipping($db, $langs, $conf);
@@ -369,6 +389,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '3.0.9');
$beforeversionarray = explode('.', '3.1.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_rename_directories($db, $langs, $conf, '/rss', '/externalrss');
migrate_actioncomm_element($db, $langs, $conf);
@@ -378,6 +400,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '3.1.9');
$beforeversionarray = explode('.', '3.2.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_price_contrat($db, $langs, $conf);
migrate_mode_reglement($db, $langs, $conf);
@@ -389,6 +413,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '3.2.9');
$beforeversionarray = explode('.', '3.3.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_categorie_association($db, $langs, $conf);
}
@@ -399,6 +425,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '3.6.9'); // target is after this
$beforeversionarray = explode('.', '3.7.9'); // target is before this
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_event_assignement($db, $langs, $conf);
}
@@ -413,6 +441,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '3.9.9');
$beforeversionarray = explode('.', '4.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_rename_directories($db, $langs, $conf, '/fckeditor', '/medias');
}
@@ -420,6 +450,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '4.0.9');
$beforeversionarray = explode('.', '5.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
// Migrate to add entity value into llx_societe_remise
migrate_remise_entity($db, $langs, $conf);
@@ -436,6 +468,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
// Only if the transverse mode is not used
if (empty($multicompany_transverse_mode)) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
// Migrate to add entity value into llx_user_rights
migrate_user_rights_entity($db, $langs, $conf);
@@ -449,6 +483,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '6.0.9');
$beforeversionarray = explode('.', '7.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
// Migrate contact association
migrate_event_assignement_contact($db, $langs, $conf);
@@ -459,6 +495,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '7.0.9');
$beforeversionarray = explode('.', '8.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_rename_directories($db, $langs, $conf, '/contracts', '/contract');
}
@@ -473,6 +511,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '10.0.9');
$beforeversionarray = explode('.', '11.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_users_socialnetworks();
migrate_members_socialnetworks();
migrate_contacts_socialnetworks();
@@ -483,6 +523,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '13.0.9');
$beforeversionarray = explode('.', '14.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_export_import_profiles('export');
migrate_export_import_profiles('import');
}
@@ -491,6 +533,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '15.0.9');
$beforeversionarray = explode('.', '16.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_user_photospath();
migrate_user_photospath2();
}
@@ -499,6 +543,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '16.0.9');
$beforeversionarray = explode('.', '17.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_contractdet_rank();
}
@@ -506,6 +552,8 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '17.0.9');
$beforeversionarray = explode('.', '18.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_contractdet_rank();
}
@@ -521,13 +569,19 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
$afterversionarray = explode('.', '19.0.9');
$beforeversionarray = explode('.', '20.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_invoice_export_models();
}
// Scripts for 21.0
$afterversionarray = explode('.', '20.0.9');
$beforeversionarray = explode('.', '21.0.9');
if (versioncompare($versiontoarray, $afterversionarray) >= 0 && versioncompare($versiontoarray, $beforeversionarray) <= 0) {
dol_syslog("Run migrate_... versionto is between ".json_encode($afterversionarray)." and ".json_encode($beforeversionarray));
migrate_productlot_path();
}
@@ -539,9 +593,10 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
}
}
// Code executed only if migration is LAST ONE. Must always be done.
if (versioncompare($versiontoarray, $versionranarray) >= 0 || versioncompare($versiontoarray, $versionranarray) <= -3) {
dol_syslog("Run migrate_... if migration is LAST ONE");
// Reload modules (this must be always done and only into last targeted version, because code to reload module may need table structure of last version)
$listofmodule = array(
'MAIN_MODULE_ACCOUNTING' => 'newboxdefonly',
@@ -586,6 +641,7 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
if ($result < 0) {
$error++;
}
// Reload menus (this must be always and only into last targeted version)
$result = migrate_reload_menu($db, $langs, $conf);
if ($result < 0) {
@@ -4407,7 +4463,7 @@ function migrate_reload_menu($db, $langs, $conf)
/**
* Migrate file from old path to new one for lot path
*
* @return void
* @return int Return integer <0 if KO, >0 if OK
*/
function migrate_productlot_path()
{
@@ -4422,10 +4478,14 @@ function migrate_productlot_path()
print '<b>'.$langs->trans('MigrationProductLotPath')."</b><br>\n";
$sql = "SELECT rowid , entity, batch, fk_product from ".MAIN_DB_PREFIX."product_lot";
$sql = "SELECT rowid, entity, batch, fk_product from ".MAIN_DB_PREFIX."product_lot";
$resql = $db->query($sql);
if ($resql) {
$modulepart="product_batch";
$lot = new Productlot($db);
while ($obj = $db->fetch_object($resql)) {
$entity = (empty($obj->entity) ? 1 : $obj->entity);
if ($entity > 1) {
@@ -4434,16 +4494,23 @@ function migrate_productlot_path()
$dir = $conf->productbatch->multidir_output[$entity];
}
$lot = new Productlot($db);
$res = $lot->fetch($obj->rowid, $obj->fk_product, $obj->batch);
if ($dir) {
$lot->id = $obj->rowid;
$lot->ref = $obj->id; // No ref for the moment
$lot->batch = $obj->batch;
$lot->entity = $obj->entity;
$lot->fk_product = $obj->fk_product;
$savref = $lot->ref;
if ($dir && $res > 0) {
$lot->ref = $obj->batch;
$origin = $dir . '/' . get_exdir(0, 0, 0, 1, $lot, $modulepart);
$lot->fetch($obj->rowid, $obj->fk_product, $obj->batch);
$lot->ref = $savref; // So restore the id
$destin = $dir . '/' . get_exdir(0, 0, 0, 1, $lot, $modulepart);
//var_dump($origin.' -> '.$destin.' '.$lot->batch.' dir origin is '.dol_is_dir($origin));exit;
if (dol_is_dir($origin) && !dol_is_dir($destin)) {
dol_move_dir($origin, $destin, 0);
}
@@ -4451,6 +4518,8 @@ function migrate_productlot_path()
}
}
print '</td></tr>';
return 1;
}
/**

6
htdocs/projet/list.php
View File

@@ -105,8 +105,7 @@ $pageprev = $page - 1;
$pagenext = $page + 1;
$search_all = GETPOST('search_all', 'alphanohtml');
$search_entity = ($user->entity > 0 ? $user->entity : GETPOSTINT('search_entity'));
$search_entity = GETPOSTINT('search_entity');
$search_ref = GETPOST("search_ref", 'alpha');
$search_label = GETPOST("search_label", 'alpha');
$search_societe = GETPOST("search_societe", 'alpha');
@@ -618,11 +617,10 @@ $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'user AS u ON p.fk_user_creat = u.rowid';
$parameters = array();
$reshook = $hookmanager->executeHooks('printFieldListFrom', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
$sql .= $hookmanager->resPrint;
if ($search_entity > 0) {
$sql .= " WHERE p.entity = ".((int) $search_entity);
} else {
$sql .= " WHERE p.entity IN (".getEntity('project', (GETPOSTINT('search_current_entity') ? 0 : 1)).')';
$sql .= " WHERE p.entity IN (".getEntity('project').')';
}
if (!$user->hasRight('projet', 'all', 'lire')) {
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users

12
test/phpunit/SecurityTest.php
View File

@@ -687,6 +687,18 @@ class SecurityTest extends CommonClassTest
print "result = ".$result."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', $result, 'The string was not detected as evil');
$result = dol_eval('json_encode(array_map(implode("",["ex","ec"]), ["id"]))', 1, 1, '1'); // result of dol_eval may be an object Closure
print "result4a = ".json_encode($result)."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', json_encode($result), 'The string was not detected as evil, it should due to the [ char and method "2"');
$result = dol_eval('json_encode(array_map(implode("",["ex","ec"]), ["id"]))', 1, 1, '2'); // result of dol_eval may be an object Closure
print "result4b = ".json_encode($result)."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', json_encode($result), 'The string was not detected as evil, it should due to the use of array_map');
$result = dol_eval('json_encode(array_map(implode("",array("ex","ec"), array("id")))', 1, 1, '1'); // result of dol_eval may be an object Closure
print "result4c = ".json_encode($result)."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', json_encode($result), 'The string was not detected as evil, it should due to the use of array_map');
$result = dol_eval('$a=function() { }; $a', 1, 1, '0'); // result of dol_eval may be an object Closure
print "result5 = ".json_encode($result)."\n";
$this->assertStringContainsString('Bad string syntax to evaluate', json_encode($result), 'The string was not detected as evil');