Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-05 17:18:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Debug v23

Browse Source
This commit is contained in:
Laurent Destailleur
2025-11-25 18:18:02 +01:00
parent 2734f0a032
commit c5c0b85498
4 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -2,7 +2,7 @@
![Downloads per day](https://img.shields.io/sourceforge/dw/dolibarr.svg) ![Downloads per day](https://img.shields.io/sourceforge/dw/dolibarr.svg)
![Docker hub pulls](https://img.shields.io/docker/pulls/dolibarr/dolibarr.svg) ![Docker hub pulls](https://img.shields.io/docker/pulls/dolibarr/dolibarr.svg)
[![Minimum PHP Version](https://img.shields.io/badge/php-%3E%3D%207.1-8892BF.svg?style=flat-square)](https://php.net/) [![Minimum PHP Version](https://img.shields.io/badge/php-%3E%3D%207.2-8892BF.svg?style=flat-square)](https://php.net/)
[![GitHub release](https://img.shields.io/github/v/release/Dolibarr/dolibarr)](https://github.com/Dolibarr/dolibarr) [![GitHub release](https://img.shields.io/github/v/release/Dolibarr/dolibarr)](https://github.com/Dolibarr/dolibarr)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5521/badge)](https://bestpractices.coreinfrastructure.org/projects/5521) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5521/badge)](https://bestpractices.coreinfrastructure.org/projects/5521)

14
htdocs/admin/system/security.php
View File

@@ -35,6 +35,11 @@ require '../../main.inc.php';
* @var string $conffile // $conffile is defined into filefunc.inc.php * @var string $conffile // $conffile is defined into filefunc.inc.php
* @var string $dolibarr_main_prod * @var string $dolibarr_main_prod
* @var string $dolibarr_main_document_root * @var string $dolibarr_main_document_root
* @var string $dolibarr_main_restrict_os_commands
* @var string $dolibarr_main_restrict_eval_methods
* @var string $dolibarr_main_restrict_ip
* @var string $dolibarr_main_db_pass
* @var string $dolibarr_main_db_encrypted_pass
*/ */
require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
@@ -387,6 +392,15 @@ if (empty($dolibarr_main_restrict_os_commands)) {
print ' &nbsp; &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'mysqldump, mysql, pg_dump, pg_restore, mariadb, mariadb-dump, clamdscan').')</span>'; print ' &nbsp; &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'mysqldump, mysql, pg_dump, pg_restore, mariadb, mariadb-dump, clamdscan').')</span>';
print '<br>'; print '<br>';
print '<strong>$dolibarr_main_restrict_eval_methods</strong>: ';
if (empty($dolibarr_main_restrict_eval_methods)) {
print $langs->trans("None");
} else {
print $dolibarr_main_restrict_eval_methods;
}
print ' &nbsp; &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'getDolGlobalString,getDolGlobalInt,getDolCurrency,fetchNoCompute,hasRight,isModEnabled,isStringVarMatching,abs,min,max,round,dol_now,dol_concat,preg_match').')</span>';
print '<br>';
if (!getDolGlobalString('SECURITY_DISABLE_TEST_ON_OBFUSCATED_CONF')) { if (!getDolGlobalString('SECURITY_DISABLE_TEST_ON_OBFUSCATED_CONF')) {
print '<strong>$dolibarr_main_db_pass</strong>: '; print '<strong>$dolibarr_main_db_pass</strong>: ';
if (!empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) { if (!empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) {

6
htdocs/conf/conf.php.example
View File

@@ -316,11 +316,11 @@ $dolibarr_main_restrict_os_commands='mariadb-dump, mariadb, mysqldump, mysql, pg
// ================================== // ==================================
// A whitelist of functions and methods to restrict the commands you can execute in a custom calculated fields, like "computed fields" of // A whitelist of functions and methods to restrict the commands you can execute in a custom calculated fields, like "computed fields" of
// extrafields or string conditions of extrafields. // extrafields or string conditions of extrafields.
// Default value: 'getDolGlobalString,getDolGlobalInt,getDolCurrency,fetchNoCompute,hasRight,isModEnabled,isStringVarMatching,abs,round,dol_now,preg_match' // Default value: 'getDolGlobalString, getDolGlobalInt, getDolCurrency, fetchNoCompute, hasRight, isModEnabled, isStringVarMatching, abs, round, dol_now, preg_match'
// Examples: // Examples:
// $dolibarr_main_restrict_eval_methods='getDolGlobalString,getDolGlobalInt,getDolCurrency,fetchNoCompute,hasRight,isModEnabled,isStringVarMatching,abs,min,max,round,dol_now,dol_concat,preg_match'; // $dolibarr_main_restrict_eval_methods='getDolGlobalString, getDolGlobalInt, getDolCurrency, fetchNoCompute, hasRight, isModEnabled, isStringVarMatching, abs, min, max, round, dol_now, dol_concat, preg_match';
// //
$dolibarr_main_restrict_eval_methods='getDolGlobalString,getDolGlobalInt,getDolCurrency,fetchNoCompute,hasRight,isModEnabled,isStringVarMatching,abs,min,max,round,dol_now,preg_match'; $dolibarr_main_restrict_eval_methods='getDolGlobalString, getDolGlobalInt, getDolCurrency, fetchNoCompute, hasRight, isModEnabled, isStringVarMatching, abs, min, max, round, dol_now, preg_match';
// dolibarr_main_disabled_modules // dolibarr_main_disabled_modules
// ================================== // ==================================

4
htdocs/core/lib/functions.lib.php
View File

@@ -11935,10 +11935,10 @@ function dol_eval_standard($s, $hideerrors = 1, $onlysimplestring = '1')
// Set $dolibarr_main_restrict_eval_methods_array // Set $dolibarr_main_restrict_eval_methods_array
if (!isset($dolibarr_main_restrict_eval_methods)) { if (!isset($dolibarr_main_restrict_eval_methods)) {
$dolibarr_main_restrict_eval_methods = 'getDolGlobalString,getDolGlobalInt,getDolCurrency,fetchNoCompute,hasRight,isModEnabled,isStringVarMatching,abs,min,max,round,dol_now,preg_match'; $dolibarr_main_restrict_eval_methods = 'getDolGlobalString, getDolGlobalInt, getDolCurrency, fetchNoCompute, hasRight, isModEnabled, isStringVarMatching, abs, min, max, round, dol_now, preg_match';
} }
//print '$dolibarr_main_restrict_eval_methods = '.$dolibarr_main_restrict_eval_methods."\n"; //print '$dolibarr_main_restrict_eval_methods = '.$dolibarr_main_restrict_eval_methods."\n";
$dolibarr_main_restrict_eval_methods_array = explode(',', $dolibarr_main_restrict_eval_methods); $dolibarr_main_restrict_eval_methods_array = explode(',', str_replace(" ", "", $dolibarr_main_restrict_eval_methods));
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing
// We must accept with 1: '1 && getDolGlobalInt("doesnotexist1") && getDolGlobalString("MAIN_FEATURES_LEVEL")' // We must accept with 1: '1 && getDolGlobalInt("doesnotexist1") && getDolGlobalString("MAIN_FEATURES_LEVEL")'