Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-07 10:08:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Code comment

Browse Source
This commit is contained in:
Laurent Destailleur
2022-10-07 23:29:58 +02:00
parent b051da4b04
commit f58ee62798
2 changed files with 6 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
htdocs/core/lib/functions.lib.php
View File

@@ -8618,8 +8618,6 @@ function verifCond($strToEvaluate)
//print $strToEvaluate."<br>\n"; //print $strToEvaluate."<br>\n";
$rights = true; $rights = true;
if (isset($strToEvaluate) && $strToEvaluate !== '') { if (isset($strToEvaluate) && $strToEvaluate !== '') {
//$str = 'if(!('.$strToEvaluate.')) $rights = false;';
//dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
//var_dump($strToEvaluate); //var_dump($strToEvaluate);
$rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx for all variables $xxx found into the string condition $rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx for all variables $xxx found into the string condition
$rights = $rep && (!is_string($rep) || strpos($rep, 'Bad string syntax to evaluate') === false); $rights = $rep && (!is_string($rep) || strpos($rep, 'Bad string syntax to evaluate') === false);
@@ -8635,7 +8633,7 @@ function verifCond($strToEvaluate)
* @param string $s String to evaluate * @param string $s String to evaluate
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)). * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
* @param int $hideerrors 1=Hide errors * @param int $hideerrors 1=Hide errors
* @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_+-.*\/>&|=!?():"\',/';', 2=Accept also ';[]' * @param string $onlysimplestring '0' (used for computed property of extrafields)=Accept all chars, '1' (most common use)=Accept only simple string with char 'a-z0-9\s^$_+-.*>&|=!?():"\',/@';', '2' (not used)=Accept also ';[]'
* @return mixed Nothing or return result of eval * @return mixed Nothing or return result of eval
*/ */
function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1') function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
@@ -8653,8 +8651,8 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
// Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing
if ($onlysimplestring == '1') { if ($onlysimplestring == '1') {
// We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL' // We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL'
// We must accept: '$conf->barcode->enabled && preg_match(\'/^(AAA|BBB)/\',$leftmenu)' // We must accept: '$conf->barcode->enabled || preg_match(\'/^AAA/\',$leftmenu)'
// We must accept: '$user->rights->cabinetmed->read && $object->canvas=="patient@cabinetmed"' // We must accept: '$user->rights->cabinetmed->read && !$object->canvas=="patient@cabinetmed"'
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/@', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*>&|=!?():"\',/@', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
@@ -8662,7 +8660,8 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s); dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
return ''; return '';
} }
// TODO We can exclude all () that is not '($db)' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' // TODO
// We can exclude all parenthesis ( that are not '($db' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match(' and 'isModEnabled('
// ... // ...
} }
} elseif ($onlysimplestring == '2') { } elseif ($onlysimplestring == '2') {

2
htdocs/exports/class/export.class.php
View File

@@ -700,7 +700,7 @@ class Export
// Export of compute field does not work. $obj contains $obj->alias_field and formula may contains $obj->field // Export of compute field does not work. $obj contains $obj->alias_field and formula may contains $obj->field
// Also the formula may contains objects of class that are not loaded. // Also the formula may contains objects of class that are not loaded.
$computestring = $this->array_export_special[$indice][$key]; $computestring = $this->array_export_special[$indice][$key];
//$tmp = dol_eval($computestring, 1, 0); //$tmp = dol_eval($computestring, 1, 0, '1');
//$obj->$alias = $tmp; //$obj->$alias = $tmp;
$this->error = "ERROPNOTSUPPORTED. Operation ".$computestring." not supported. Export of 'computed' extrafields is not yet supported, please remove field."; $this->error = "ERROPNOTSUPPORTED. Operation ".$computestring." not supported. Export of 'computed' extrafields is not yet supported, please remove field.";