Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-01-05 16:42:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX allow double colon and string obfuscation in dol eval for computed extra fields (#34015)

Browse Source 
* FIX allow double colon and string obfuscation in dol eval for computed extra fields

* Update functions.lib.php

---------

Co-authored-by: Laurent Destailleur <eldy@destailleur.fr>
This commit is contained in:
lvessiller-opendsi
2025-05-06 11:50:28 +02:00
committed by GitHub
parent 9b74628e29
commit cc78023a44
1 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
htdocs/core/lib/functions.lib.php
View File

@@ -9284,14 +9284,16 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
if (is_array($s) || $s === 'Array') {
return 'Bad string syntax to evaluate (value is Array) '.var_export($s, true);
}
if (strpos($s, '::') !== false) {
if (!getDolGlobalString('MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL') && strpos($s, '::') !== false) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
return 'Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s);
dol_syslog('Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s, LOG_WARNING);
return '';
}
}
if (strpos($s, '`') !== false) {
if ($returnvalue) {
return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
@@ -9300,12 +9302,16 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
return '';
}
}
if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
if ($returnvalue) {
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s);
return '';
// Disallow also concat
if (getDolGlobalString('MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL')) {
if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
if ($returnvalue) {
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
} else {
dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s);
return '';
}
}
}