Laurent Destailleur
2025-11-21 00:07:31 +01:00
parent 09da2b2365
commit bbc100b6d3


@@ -11915,7 +11915,10 @@ function dol_eval_standard($s, $hideerrors = 1, $onlysimplestring = '1')
$onlysimplestring = '1';
}
if (!in_array($onlysimplestring, array('1', '2'))) {
return "Bad call of dol_eval. Parameter onlysimplestring must be '1' or '2'";
return "Bad call of dol_eval. Parameter onlysimplestring must be '1' or '2'.";
}
if (!is_scalar($s)) {
return "Bad call of dol_eval. First parameter must be a string, found ".var_export($s, true);
}
try {
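Review bot: The new `!is_scalar($s)` guard before the `try` accepts bool, int and float as well as strings, although its message says the first parameter must be a string, and it embeds `var_export($s, true)` of the rejected value in a return string that callers may display or log. For the input gate of an eval wrapper I would report only the type, e.g. `return "Bad call of dol_eval. First parameter must be a string, found ".gettype($s);`, which also avoids the warning var_export raises on objects with circular references. The second hunk appears to drop the old `is_array($s) || $s === 'Array'` test; the literal string 'Array' (the result of an array-to-string conversion upstream) is scalar, so that case is no longer rejected here unless a later filter catches it. A one-line comment such as `// Reject non-scalar input (arrays, objects, null) before any parsing` would document the intent. The body of dol_eval_standard starts and ends outside the hunk.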
@@ -11928,10 +11931,6 @@ function dol_eval_standard($s, $hideerrors = 1, $onlysimplestring = '1')
//print '$dolibarr_main_restrict_eval_methods = '.$dolibarr_main_restrict_eval_methods."\n";
$dolibarr_main_restrict_eval_methods_array = explode(',', $dolibarr_main_restrict_eval_methods);
if (is_array($s) || $s === 'Array') {
return 'Bad string syntax to evaluate (value is Array): ' . var_export($s, true);
}
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing
// We must accept with 1: '1 && getDolGlobalInt("doesnotexist1") && getDolGlobalString("MAIN_FEATURES_LEVEL")'
// We must accept with 1: '$user->hasRight("cabinetmed", "read") && !$objectoffield->canvas == "patient@cabinetmed"'