SEC: Possible RCE when php module json off. +Warning in security page.

Laurent Destailleur
2024-07-12 01:43:53 +02:00
parent 263c1e5445
commit d3ebd3fbe7
3 changed files with 363 additions and 356 deletions


@@ -190,10 +190,10 @@ print '<br>';
print '<strong>JSON</strong>: '; print '<strong>JSON</strong>: ';
$loadedExtensions = array_map('strtolower', get_loaded_extensions(false)); $loadedExtensions = array_map('strtolower', get_loaded_extensions(false));
$test = !in_array('json', $loadedExtensions); $test = !in_array('json', $loadedExtensions);
if ($test) { if ($test || function_exists('dol_json_decode')) {
print img_picto('', 'error').' '.$langs->trans("NotInstalled").' - '.$langs->trans("VulnerableToRCEAttack"); print img_picto('', 'error').' '.$langs->trans("NotInstalled").' - '.$langs->trans("VulnerableToRCEAttack");
} else { } else {
print img_picto('', 'tick').' '.$langs->trans("Available"); print img_picto('', 'tick').' '.$langs->trans("Available").' <span class="opacitymedium">(PHP native so not emulated, safe)</span>';
} }
print '<br>'; print '<br>';
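Review bot: The failure branch prints `NotInstalled` whenever `function_exists('dol_json_decode')` is true, but the library change in this same commit also declares that function when `PHPUNIT_MODE` is defined, so the page can report the json extension as missing while it is loaded. A separate message for "emulated decoder is declared" would keep the warning accurate for the administrator reading it. In the success branch the text `(PHP native so not emulated, safe)` is hard-coded English, while the other labels here go through `$langs->trans()`; it should move behind a new translation key. The word "safe" is also stronger than the check supports, which only establishes that the extension is loaded and the emulated decoder is not declared in this request.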


@@ -25,22 +25,8 @@
* \ingroup core * \ingroup core
*/ */
if (!function_exists('json_encode')) { if (!function_exists('json_encode') || defined('PHPUNIT_MODE')) {
/** /**
* Implement json_encode for PHP that does not have module enabled.
*
* @param mixed $elements PHP Object to json encode
* @return string Json encoded string
* @phan-suppress PhanRedefineFunctionInternal
*/
function json_encode($elements)
{
return dol_json_encode($elements);
}
}
/**
* Implement json_encode for PHP that does not support it. * Implement json_encode for PHP that does not support it.
* Use json_encode and json_decode in your code ! * Use json_encode and json_decode in your code !
* Note: We can found some special chars into a json string: * Note: We can found some special chars into a json string:
@@ -50,8 +36,8 @@ if (!function_exists('json_encode')) {
* @return string Json encoded string * @return string Json encoded string
* @see json_encode() * @see json_encode()
*/ */
function dol_json_encode($elements) function dol_json_encode($elements)
{ {
dol_syslog("For better performance, enable the native json in your PHP", LOG_WARNING); dol_syslog("For better performance, enable the native json in your PHP", LOG_WARNING);
$num = 0; $num = 0;
@@ -118,16 +104,16 @@ function dol_json_encode($elements)
// return // return
return $output; return $output;
} }
/** /**
* Return text according to type * Return text according to type
* *
* @param mixed $val Value to show * @param mixed $val Value to show
* @return string Formatted value * @return string Formatted value
*/ */
function _val($val) function _val($val)
{ {
if (is_string($val)) { if (is_string($val)) {
// STRINGS ARE EXPECTED TO BE IN ASCII OR UTF-8 FORMAT // STRINGS ARE EXPECTED TO BE IN ASCII OR UTF-8 FORMAT
$ascii = ''; $ascii = '';
@@ -226,24 +212,65 @@ function _val($val)
} else { } else {
return 'null'; return 'null';
} }
} }
if (!function_exists('json_decode')) {
/** /**
* Implement json_decode for PHP that does not support it * Convert a string from one UTF-8 char to one UTF-16 char
* *
* @param string $json Json encoded to PHP Object or Array * Normally should be handled by mb_convert_encoding, but
* @param bool $assoc False return an object, true return an array * provides a slower PHP-only method for installations
* @return mixed Object or Array * that lack the multibyte string extension.
* @phan-suppress PhanRedefineFunctionInternal *
* @param string $utf8 UTF-8 character
* @return string UTF-16 character
*/ */
function json_decode($json, $assoc = false) function utf82utf16($utf8)
{ {
return dol_json_decode($json, $assoc); // oh please oh please oh please oh please oh please
if (function_exists('mb_convert_encoding')) {
return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');
}
switch (strlen($utf8)) {
case 1:
// this case should never be reached, because we are in ASCII range
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return $utf8;
case 2:
// return a UTF-16 character from a 2-byte UTF-8 char
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return chr(0x07 & (ord($utf8[0]) >> 2)).chr((0xC0 & (ord($utf8[0]) << 6)) | (0x3F & ord($utf8[1])));
case 3:
// return a UTF-16 character from a 3-byte UTF-8 char
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return chr((0xF0 & (ord($utf8[0]) << 4)) | (0x0F & (ord($utf8[1]) >> 2))).chr((0xC0 & (ord($utf8[1]) << 6)) | (0x7F & ord($utf8[2])));
}
// ignoring UTF-32 for now, sorry
return '';
} }
} }
/** if (!function_exists('json_encode')) {
/**
* Implement json_encode for PHP that does not have module enabled.
*
* @param mixed $elements PHP Object to json encode
* @return string Json encoded string
* @phan-suppress PhanRedefineFunctionInternal
*/
function json_encode($elements)
{
return dol_json_encode($elements);
}
}
if (!function_exists('json_decode') || defined('PHPUNIT_MODE')) {
/**
* Implement json_decode for PHP that does not support it * Implement json_decode for PHP that does not support it
* Use json_encode and json_decode in your code ! * Use json_encode and json_decode in your code !
* *
@@ -252,8 +279,8 @@ if (!function_exists('json_decode')) {
* @return mixed Object or Array or false on error * @return mixed Object or Array or false on error
* @see json_decode() * @see json_decode()
*/ */
function dol_json_decode($json, $assoc = false) function dol_json_decode($json, $assoc = false)
{ {
dol_syslog("For better performance and security, enable the native json in your PHP", LOG_WARNING); dol_syslog("For better performance and security, enable the native json in your PHP", LOG_WARNING);
$comment = false; $comment = false;
@@ -323,16 +350,16 @@ function dol_json_decode($json, $assoc = false)
} }
return $array; return $array;
} }
/** /**
* Return text according to type * Return text according to type
* *
* @param string $val Value to decode * @param string $val Value to decode
* @return string Formatted value * @return string Formatted value
*/ */
function _unval($val) function _unval($val)
{ {
$reg = array(); $reg = array();
while (preg_match('/\\\u([0-9A-F]{2})([0-9A-F]{2})/i', $val, $reg)) { while (preg_match('/\\\u([0-9A-F]{2})([0-9A-F]{2})/i', $val, $reg)) {
// single, escaped unicode character // single, escaped unicode character
@@ -341,9 +368,9 @@ function _unval($val)
$val = preg_replace('/\\\u'.$reg[1].$reg[2].'/i', $utf8, $val); $val = preg_replace('/\\\u'.$reg[1].$reg[2].'/i', $utf8, $val);
} }
return $val; return $val;
} }
/** /**
* Convert a string from one UTF-16 char to one UTF-8 char * Convert a string from one UTF-16 char to one UTF-8 char
* *
* Normally should be handled by mb_convert_encoding, but * Normally should be handled by mb_convert_encoding, but
@@ -353,8 +380,8 @@ function _unval($val)
* @param string $utf16 UTF-16 character * @param string $utf16 UTF-16 character
* @return string UTF-8 character * @return string UTF-8 character
*/ */
function utf162utf8($utf16) function utf162utf8($utf16)
{ {
// oh please oh please oh please oh please oh please // oh please oh please oh please oh please oh please
if (function_exists('mb_convert_encoding')) { if (function_exists('mb_convert_encoding')) {
return mb_convert_encoding($utf16, 'UTF-8', 'UTF-16'); return mb_convert_encoding($utf16, 'UTF-8', 'UTF-16');
@@ -384,42 +411,20 @@ function utf162utf8($utf16)
// ignoring UTF-32 for now, sorry // ignoring UTF-32 for now, sorry
return ''; return '';
}
} }
/** if (!function_exists('json_decode')) {
* Convert a string from one UTF-8 char to one UTF-16 char /**
* Implement json_decode for PHP that does not support it
* *
* Normally should be handled by mb_convert_encoding, but * @param string $json Json encoded to PHP Object or Array
* provides a slower PHP-only method for installations * @param bool $assoc False return an object, true return an array
* that lack the multibyte string extension. * @return mixed Object or Array
* * @phan-suppress PhanRedefineFunctionInternal
* @param string $utf8 UTF-8 character
* @return string UTF-16 character
*/ */
function utf82utf16($utf8) function json_decode($json, $assoc = false)
{ {
// oh please oh please oh please oh please oh please return dol_json_decode($json, $assoc);
if (function_exists('mb_convert_encoding')) {
return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');
} }
switch (strlen($utf8)) {
case 1:
// this case should never be reached, because we are in ASCII range
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return $utf8;
case 2:
// return a UTF-16 character from a 2-byte UTF-8 char
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return chr(0x07 & (ord($utf8[0]) >> 2)).chr((0xC0 & (ord($utf8[0]) << 6)) | (0x3F & ord($utf8[1])));
case 3:
// return a UTF-16 character from a 3-byte UTF-8 char
// see: http://www.cl.cam.ac.uk/~mgk25/unicode.html#utf-8
return chr((0xF0 & (ord($utf8[0]) << 4)) | (0x0F & (ord($utf8[1]) >> 2))).chr((0xC0 & (ord($utf8[1]) << 6)) | (0x7F & ord($utf8[2])));
}
// ignoring UTF-32 for now, sorry
return '';
} }
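Review bot: On an install without the json extension, the final `if (!function_exists('json_decode'))` block still maps `json_decode()` onto `dol_json_decode()`, so the emulated decoder that the commit title associates with RCE stays on the request path there, signalled only by a `LOG_WARNING` line and the security page. If this is kept as a compatibility fallback, the docblock of `dol_json_decode()` should say so, for example `* WARNING: emulation used only when the PHP json extension is missing; never pass untrusted input, enable native json instead.` Separately, `dol_json_encode()`, `dol_json_decode()` and the helpers `_val()`, `_unval()`, `utf82utf16()` and `utf162utf8()` are now declared only inside the two guards, so any caller that uses them directly would hit an undefined-function error when native json is present. Callers are not visible on this page, so this needs a search of the code base before merge. The bodies of both emulated functions lie outside the hunks shown.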


@@ -24,6 +24,8 @@
* \remarks To run this script as CLI: phpunit filename.php * \remarks To run this script as CLI: phpunit filename.php
*/ */
define('PHPUNIT_MODE', 1);
global $conf,$user,$langs,$db; global $conf,$user,$langs,$db;
//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver //define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
//require_once 'PHPUnit/Autoload.php'; //require_once 'PHPUnit/Autoload.php';
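Review bot: The new `define('PHPUNIT_MODE', 1);` has no comment, although this constant is what makes the json library declare the emulated `dol_json_encode()` and `dol_json_decode()` even when native json is loaded. A one-line comment such as `// Force json.lib.php to declare the emulated dol_json_* functions so they can be tested` would make that coupling visible. The define is also unconditional, so if another test file in the same PHPUnit process defines the constant, PHP will emit an "already defined" warning; `if (!defined('PHPUNIT_MODE')) { define('PHPUNIT_MODE', 1); }` avoids it. The constant has to be set before the library is included, and the include lines are outside this hunk.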