Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-24 18:31:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX #yogosha9754

Browse Source
This commit is contained in:
Laurent Destailleur
2022-04-02 14:32:53 +02:00
parent d0ee40e55d
commit 9c00115abe
2 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
htdocs/main.inc.php
View File

@@ -89,7 +89,7 @@ function testSqlAndScriptInject($val, $type)
// Decode string first because a lot of things are obfuscated by encoding or multiple encoding.
// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
// So "&colon;&apos;" become ":'" (due to ENT_HTML5)
// Loop to decode until no more thing to decode.
// Loop to decode until no more things to decode.
//print "before decoding $val\n";
do {
$oldval = $val;
@@ -97,16 +97,22 @@ function testSqlAndScriptInject($val, $type)
//$val = preg_replace_callback('/&#(x?[0-9][0-9a-f]+;?)/i', 'realCharForNumericEntities', $val); // Sometimes we have entities without the ; at end so html_entity_decode does not work but entities is still interpreted by browser.
$val = preg_replace_callback('/&#(x?[0-9][0-9a-f]+;?)/i', function ($m) {
return realCharForNumericEntities($m); }, $val);
// We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: on<!-- -->error=alert(1)
$val = preg_replace('/<!--[^>]*-->/', '', $val);
} while ($oldval != $val);
//print "after decoding $val\n";
// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
// We should use dol_string_nounprintableascii but function is not yet loaded/available
$val = preg_replace('/[\x00-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
// We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: on<!-- -->error=alert(1)
$val = preg_replace('/<!--[^>]*-->/', '', $val);
//print "type = ".$type." after decoding: ".$val."\n";
$inj = 0;
// We check string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
// We should use dol_string_nounprintableascii but function is not yet loaded/available
$newval = preg_replace('/[\x00-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
if ($newval != $val) {
// If $val has changed after removing non valid UTF8 chars, it means we have an evil string.
$inj += 1;
}
//print 'type='.$type.'-val='.$val.'-newval='.$newval."-inj=".$inj."\n";
// For SQL Injection (only GET are used to scan for such injection strings)
if ($type == 1 || $type == 3) {
$inj += preg_match('/delete\s+from/i', $val);
@@ -166,7 +172,6 @@ function testSqlAndScriptInject($val, $type)
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
$inj += preg_match('/javascript\s*:/i', $val);
$inj += preg_match('/vbscript\s*:/i', $val);
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)