diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index a6f667581bb..891e2b131da 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -11116,7 +11116,7 @@ function dol_eval_standard($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestr
 global $mysoc;
 global $objectoffield; // To allow the use of $objectoffield in computed fields
- // Old variables used
+ // Old variables used (deprecated)
 global $object;
 global $obj; // To get $obj used into list when dol_eval() is used for computed fields and $obj is not yet $object
@@ -11210,8 +11210,8 @@ function dol_eval_standard($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestr
 }
 // TODO
- // We can exclude $ char that are not:
- // $db, $langs, $leftmenu, $topmenu, $user, $langs, $objectoffield, $object...,
+ // We can exclude $ char that are not in dol_eval global, so that are not:
+ // $db, $langs, $leftmenu, $topmenu, $user, $langs, $objectoffield, $object, $obj, ...,
 }
 if (is_array($s) || $s === 'Array') {
 if ($returnvalue) {
@@ -11221,11 +11221,11 @@ function dol_eval_standard($s, $returnvalue = 1, $hideerrors = 1, $onlysimplestr
 return '';
 }
 }
- if (strpos($s, '::') !== false) {
+ if (!getDolGlobalString('MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL') && strpos($s, '::') !== false) {
 if ($returnvalue) {
- return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
+ return 'Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s;
 } else {
- dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s, LOG_WARNING);
+ dol_syslog('Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL): '.$s, LOG_WARNING);
 return '';
 }
 }
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 1f6b78e84ad..593604e7626 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
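Review bot: The `::` rejection in the third hunk (line -11221) is now skippable through configuration, but nothing in the code records that this check is part of the eval sandbox (it is what stops scope-resolution/static-call syntax such as the `MyClass::MyMethod()` string the test file uses), so an administrator who sets MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL to unblock a computed field is widening what dol_eval accepts without any visible warning. I would put a why-comment directly above the condition: `// Security: rejecting '::' keeps static calls/scope resolution out of evaluated strings; MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL disables this guard and widens the sandbox, so it should only be set for trusted computed fields.` It would also help operators to emit one dol_syslog line (LOG_WARNING, including the evaluated string) in the case where the option is set and the string does contain `::`, so that bypasses are visible in the log rather than silent. The test sets the option to the integer 0; getDolGlobalString returns that as the falsy string "0", which works, but reading it with getDolGlobalInt would state the intent of a boolean switch more plainly, if the rest of dol_eval_standard uses that convention. dol_eval_standard starts before and ends after this hunk.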
@@ -612,6 +612,8 @@ class SecurityTest extends CommonClassTest
 $conf->global->MAIN_USE_DOL_EVAL_NEW = 0;
 //$conf->global->MAIN_USE_DOL_EVAL_NEW = 1;
+ $conf->global->MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL = 0;
+ $conf->global->MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL = 0;
 $result = dol_eval('1==1', 1, 0);
 print "result1 = ".$result."\n";
@@ -633,7 +635,7 @@ class SecurityTest extends CommonClassTest
 $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"';
 $result = (string) dol_eval($s, 1, 1, '2');
- print "result3 = ".$result."\n";
+ print "result3c = ".$result."\n";
 $this->assertEquals('Parent project not found', $result);
 $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : \'Parent project not found\'';
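Review bot: Pinning `$conf->global->MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL = 0` in the first hunk means the assertions in this method only cover the restrictive branch of the new check, while the permissive branch that the functions.lib.php change actually introduces (option set, `::` accepted past this filter) has no assertion in the hunks visible here. I would add a case after the existing `::` test that sets the option to 1, calls `$result = dol_eval('MyClass::MyMethod()', 1, 1, '2');` and asserts `$this->assertStringNotContainsString('double : char is forbidden', $result);`, then resets the option to 0 on the next line, because `$conf->global` is shared state and a leftover 1 would weaken every later dol_eval assertion in this file. What the remaining filters return for that string when the option is set is not visible in the diff, so the assertion should only state that the double-colon rejection no longer fires, not the final value. The test method begins before this hunk.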
@@ -642,14 +644,20 @@ class SecurityTest extends CommonClassTest
 $this->assertEquals('Parent project not found', $result, 'Test 4');
 $result = dol_eval('1==\x01', 1, 0); // Check that we can't make dol_eval on string containing \ char.
- print "result0 = ".$result."\n";
+ print "result5 = ".$result."\n";
 $this->assertStringContainsString('Bad string syntax to evaluate (found chars that are not chars for a simple one line clean eval string)', $result);
 $s = '4 < 5';
 $result = (string) dol_eval($s, 1, 1, '2');
- print "result5 = ".$result."\n";
+ print "result6 = ".$result."\n";
 $this->assertEquals('1', $result, 'Test 5');
+ $s = 'MyClass::MyMethod()';
+ $result = dol_eval($s, 1, 1, '2');
+ print "result7 = ".$result."\n";
+ $this->assertStringContainsString('Bad string syntax to evaluate (double : char is forbidden without setting MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL)', $result);
+ + /* not allowed. Not a one line eval string $result = (string) dol_eval('if ($a == 1) { }', 1, 1);