230 Commits

Author	SHA1	Message	Date
Laurent Destailleur	d858764b15	Add config param $dolibarr_main_restrict_eval_methods with whitelist of ... functionsallowed in dol_eval. Advisory GHSA-x3w7-24rq-gvc5	2025-11-19 03:44:24 +01:00
Laurent Destailleur	9818c76f7f	MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL replaced with ... MAIN_ALLOW_OBFUSCATION_METHODS_IN_DOL_EVAL	2025-11-18 23:34:23 +01:00
Frédéric FRANCE	3a3785c92d	Update SecurityTest.php (#36295) ... * Update SecurityTest.php * Update SecurityTest.php * Update SecurityTest.php	2025-11-17 21:43:53 +01:00
Laurent Destailleur	e54cc9ab28	Fix phpunit	2025-11-17 21:40:36 +01:00
Laurent Destailleur	74455fd391	FIX #35887	2025-10-22 02:21:52 +02:00
ldestailleur	f160e23918	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into 22.0	2025-09-05 17:23:25 +02:00
ldestailleur	6c0873708a	Merge branch '20.0' of git@github.com:Dolibarr/dolibarr.git into 21.0	2025-09-05 15:34:13 +02:00
ldestailleur	c2ed4519b1	Merge branch '19.0' of git@github.com:Dolibarr/dolibarr.git into 20.0	2025-09-05 11:38:30 +02:00
ldestailleur	781adf507b	Merge branch '18.0' of git@github.com:Dolibarr/dolibarr.git into 19.0	2025-09-04 20:47:13 +02:00
ThomasNgr-OpenDSI	01aa901f93	18.0 fix CVE 2024 40137 (#34762) ... * Sec: Remove all functions that accept callable params - CVE-2024-40137 * FIX #34746 - More complete fix for CVE-2024-40137 --------- Co-authored-by: ldestailleur <eldy@destailleur.fr>	2025-09-04 14:59:44 +02:00
ldestailleur	96a74c4976	Disable this test where result is not predicable	2025-09-04 14:13:13 +02:00
ldestailleur	b03f30c7e2	Sec: Remove functions accepting callable params - Reported by phdwg1410	2025-07-27 13:54:02 +02:00
ldestailleur	c0a0acf129	FIX #34746	2025-07-17 19:30:58 +02:00
ldestailleur	61dcd176e0	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into 22.0	2025-07-17 19:30:58 +02:00
ldestailleur	a4aa00c498	Sec: Remove all functions that accept callable params - CVE-2024-40137	2025-07-17 19:30:58 +02:00
ldestailleur	a674676ded	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into develop	2025-05-10 13:33:53 +02:00
ldestailleur	d76848351c	Merge branch '20.0' of git@github.com:Dolibarr/dolibarr.git into 21.0	2025-05-10 13:30:36 +02:00
ldestailleur	ae94c71a10	Merge branch '19.0' of git@github.com:Dolibarr/dolibarr.git into 20.0	2025-05-10 13:25:31 +02:00
ldestailleur	445f089556	Merge branch '18.0' of git@github.com:Dolibarr/dolibarr.git into 19.0	2025-05-10 12:53:37 +02:00
Laurent Destailleur (aka Eldy)	b85bfc40f4	Fix phpunit	2025-05-06 11:59:08 +02:00
ldestailleur	eadc676edf	NEW Add option MAIN_ALLOW_DOUBLE_COLON_IN_DOL_EVAL	2025-05-06 11:10:57 +02:00
ldestailleur	9582894136	Add constant SECURITY_WAF_ALLOW_QUOTES_IN_GET in WAF	2025-04-06 18:56:59 +02:00
ldestailleur	3edadbd8b8	Add option MAIN_DISALLOW_STRING_OBFUSCATION_IN_DOL_EVAL. Close #33612	2025-04-01 16:23:50 +02:00
ldestailleur	15f2f4f223	Clean code	2025-04-01 15:21:43 +02:00
ldestailleur	cc8c7b8329	Fix possible remote code execution using dol_concatdesc in dol_eval. To ... allow concat char, you can use MAIN_ALLOW_UNSECURED_SPECIAL_CHARS_IN_DOL_EVAL='.'	2025-04-01 13:25:10 +02:00
ldestailleur	bcf0ef0bc0	Test switch in dol_eval function()	2025-04-01 12:31:27 +02:00
ldestailleur	d670d67668	Disable test when libxml not good.	2025-03-09 23:37:36 +01:00
ldestailleur	202ffe732e	Enhance phpunit tests	2025-03-09 21:26:51 +01:00
Laurent Destailleur (aka Eldy)	bd9bf8b5a8	FIX #CVE-2024-34051	2025-02-17 12:24:03 +01:00
Laurent Destailleur (aka Eldy)	d223f8a0b9	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into develop	2025-02-13 20:42:23 +01:00
Laurent Destailleur (aka Eldy)	705164cc9f	Merge branch '20.0' of git@github.com:Dolibarr/dolibarr.git into 21.0	2025-02-13 20:39:19 +01:00
Laurent Destailleur (aka Eldy)	256e0e0470	Merge branch '19.0' of git@github.com:Dolibarr/dolibarr.git into 20.0	2025-02-13 20:37:12 +01:00
Laurent Destailleur (aka Eldy)	054010f8ec	Fix test	2025-02-13 20:34:55 +01:00
Laurent Destailleur (aka Eldy)	36fd5b7b26	FIX #CVE-2024-34051	2025-02-13 20:29:25 +01:00
Laurent Destailleur (aka Eldy)	802562a575	Fix regression after a fix	2025-01-09 19:35:01 +01:00
Laurent Destailleur (aka Eldy)	56710ce9b7	FIX CVE-2024-55227 and CVE-2024-55228 CSRF when ... MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY is on (hidden option not on by default)	2025-01-09 19:35:01 +01:00
Laurent Destailleur	9de730aeab	Add more phpunit	2025-01-09 19:28:08 +01:00
Laurent Destailleur	000e2ebe54	Test	2025-01-09 19:19:28 +01:00
Laurent Destailleur (aka Eldy)	429f5db55a	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into develop	2025-01-09 14:09:33 +01:00
Laurent Destailleur (aka Eldy)	58e42656c0	Fix regression after a fix	2025-01-09 13:54:25 +01:00
Laurent Destailleur (aka Eldy)	79ae59ee2a	Merge branch '21.0' of git@github.com:Dolibarr/dolibarr.git into develop	2025-01-08 17:54:13 +01:00
Laurent Destailleur (aka Eldy)	c0250e4c91	FIX CVE-2024-55227 CSRF when MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY is ... on (hidden option not on by default)	2025-01-08 17:41:45 +01:00
Laurent Destailleur (aka Eldy)	3bfd6c1e30	Debug MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY	2025-01-06 12:56:24 +01:00
Laurent Destailleur (aka Eldy)	8733e9d57e	Fix security test blocking $_SESSION...	2024-12-26 15:43:29 +01:00
Laurent Destailleur (aka Eldy)	fcc344f9da	Security - More robust dol_eval function after vulnerability report by ... Muhammad Zeeshan (Xib3rR4dAr)	2024-12-26 15:43:29 +01:00
Laurent Destailleur (aka Eldy)	7f4b2b08b4	Complete phpunit and tests to avoid use of non expected function	2024-12-18 19:00:33 +01:00
Frédéric FRANCE	9067c6deec	replace deprecated (#31803) ... * replace deprecated * replace deprecated	2024-11-14 00:16:43 +01:00
Laurent Destailleur	eaf92c9fa4	FIX better regex to detect substitution key	2024-10-30 19:53:40 +01:00
Laurent Destailleur	b8aa7e2511	Fix option restricthtmlallowlinkscript of GETPOST	2024-09-09 15:56:47 +02:00
Laurent Destailleur	8ac368ce17	FIX Better sanitizing for javascript. Fix <> bypass.	2024-07-27 18:07:37 +02:00