diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 409bf47d715..b522243ca12 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -8618,8 +8618,6 @@ function verifCond($strToEvaluate) //print $strToEvaluate."
\n"; $rights = true; if (isset($strToEvaluate) && $strToEvaluate !== '') { - //$str = 'if(!('.$strToEvaluate.')) $rights = false;'; - //dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition //var_dump($strToEvaluate); $rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx for all variables $xxx found into the string condition $rights = $rep && (!is_string($rep) || strpos($rep, 'Bad string syntax to evaluate') === false); @@ -8635,7 +8633,7 @@ function verifCond($strToEvaluate) * @param string $s String to evaluate * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)). * @param int $hideerrors 1=Hide errors - * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_+-.*\/>&|=!?():"\',/';', 2=Accept also ';[]' + * @param string $onlysimplestring '0' (used for computed property of extrafields)=Accept all chars, '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';', '2' (not used)=Accept also ';[]' * @return mixed Nothing or return result of eval */ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1') @@ -8653,8 +8651,8 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1' // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing if ($onlysimplestring == '1') { // We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL' - // We must accept: '$conf->barcode->enabled && preg_match(\'/^(AAA|BBB)/\',$leftmenu)' - // We must accept: '$user->rights->cabinetmed->read && $object->canvas=="patient@cabinetmed"' + // We must accept: '$conf->barcode->enabled || preg_match(\'/^AAA/\',$leftmenu)' + // We must accept: '$user->rights->cabinetmed->read && !$object->canvas=="patient@cabinetmed"' if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/@', '/').']/i', $s)) { if ($returnvalue) { return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; @@ -8662,7 +8660,8 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1' dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s); return ''; } - // TODO We can exclude all () that is not '($db)' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' + // TODO + // We can exclude all parenthesis ( that are not '($db' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' and 'isModEnabled(' // ... } } elseif ($onlysimplestring == '2') { diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php index 883ba7ea11e..cf0383dd08c 100644 --- a/htdocs/exports/class/export.class.php +++ b/htdocs/exports/class/export.class.php @@ -700,7 +700,7 @@ class Export // Export of compute field does not work. $obj contains $obj->alias_field and formula may contains $obj->field // Also the formula may contains objects of class that are not loaded. $computestring = $this->array_export_special[$indice][$key]; - //$tmp = dol_eval($computestring, 1, 0); + //$tmp = dol_eval($computestring, 1, 0, '1'); //$obj->$alias = $tmp; $this->error = "ERROPNOTSUPPORTED. Operation ".$computestring." not supported. Export of 'computed' extrafields is not yet supported, please remove field.";