diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php index 55be556afb9..231699dc636 100644 --- a/htdocs/admin/tools/dolibarr_export.php +++ b/htdocs/admin/tools/dolibarr_export.php @@ -50,7 +50,7 @@ if (! $user->admin) if ($action == 'delete') { - $file=$conf->admin->dir_output.'/'.GETPOST('urlfile'); + $file=$conf->admin->dir_output.'/backup/'.basename(GETPOST('urlfile', 'alpha')); $ret=dol_delete_file($file, 1); if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs'); else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors'); diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 5bfacc6c4f0..5697e48e07f 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php @@ -133,7 +133,8 @@ if ($what == 'mysql') dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that one of this command is inside ".$cmddump); foreach($arrayofallowedcommand as $allowedcommand) { - if (preg_match('/'.preg_quote($allowedcommand,'/').'/', $cmddump)) + $basenamecmddump=basename($cmddump); + if (preg_match('/^'.preg_quote($allowedcommand,'/').'$/', $basenamecmddump)) // the provided command $cmddump must be an allowed command { $ok=1; break; diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php index 8c051c85b33..3d43a319e51 100644 --- a/htdocs/core/class/utils.class.php +++ b/htdocs/core/class/utils.class.php @@ -239,36 +239,37 @@ class Utils dol_mkdir($conf->admin->dir_output.'/backup'); // Parameteres execution - $command=$cmddump; - if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command + $command = $cmddump; + $command = preg_replace('/(\$|%)/', '', $command); // We removed chars that can be used to inject vars that contains space inside path of command without seeing there is a space to bypass the escapeshellarg. + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // If there is spaces, we add quotes on command to be sure $command is only a program and not a program+parameters //$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host)." -u ".escapeshellarg($dolibarr_main_db_user)." -p".escapeshellarg($dolibarr_main_db_pass); $param=$dolibarr_main_db_name." -h ".$dolibarr_main_db_host; $param.=" -u ".$dolibarr_main_db_user; if (! empty($dolibarr_main_db_port)) $param.=" -P ".$dolibarr_main_db_port; - if (! GETPOST("use_transaction")) $param.=" -l --single-transaction"; - if (GETPOST("disable_fk") || $usedefault) $param.=" -K"; - if (GETPOST("sql_compat") && GETPOST("sql_compat") != 'NONE') $param.=" --compatible=".escapeshellarg(GETPOST("sql_compat","alpha")); - if (GETPOST("drop_database")) $param.=" --add-drop-database"; - if (GETPOST("sql_structure") || $usedefault) + if (! GETPOST("use_transaction", "alpha")) $param.=" -l --single-transaction"; + if (GETPOST("disable_fk", "alpha") || $usedefault) $param.=" -K"; + if (GETPOST("sql_compat", "alpha") && GETPOST("sql_compat", "alpha") != 'NONE') $param.=" --compatible=".escapeshellarg(GETPOST("sql_compat", "alpha")); + if (GETPOST("drop_database", "alpha")) $param.=" --add-drop-database"; + if (GETPOST("sql_structure", "alpha") || $usedefault) { - if (GETPOST("drop") || $usedefault) $param.=" --add-drop-table=TRUE"; - else $param.=" --add-drop-table=FALSE"; + if (GETPOST("drop", "alpha") || $usedefault) $param.=" --add-drop-table=TRUE"; + else $param.=" --add-drop-table=FALSE"; } else { $param.=" -t"; } - if (GETPOST("disable-add-locks")) $param.=" --add-locks=FALSE"; - if (GETPOST("sql_data") || $usedefault) + if (GETPOST("disable-add-locks", "alpha")) $param.=" --add-locks=FALSE"; + if (GETPOST("sql_data", "alpha") || $usedefault) { $param.=" --tables"; - if (GETPOST("showcolumns") || $usedefault) $param.=" -c"; - if (GETPOST("extended_ins") || $usedefault) $param.=" -e"; + if (GETPOST("showcolumns", "alpha") || $usedefault) $param.=" -c"; + if (GETPOST("extended_ins", "alpha") || $usedefault) $param.=" -e"; else $param.=" --skip-extended-insert"; - if (GETPOST("delayed")) $param.=" --delayed-insert"; - if (GETPOST("sql_ignore")) $param.=" --insert-ignore"; - if (GETPOST("hexforbinary") || $usedefault) $param.=" --hex-blob"; + if (GETPOST("delayed", "alpha")) $param.=" --delayed-insert"; + if (GETPOST("sql_ignore", "alpha")) $param.=" --insert-ignore"; + if (GETPOST("hexforbinary", "alpha") || $usedefault) $param.=" --hex-blob"; } else { @@ -436,8 +437,9 @@ class Utils dol_mkdir($conf->admin->dir_output.'/backup'); // Parameteres execution - $command=$cmddump; - if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command + $command = $cmddump; + $command = preg_replace('/(\$|%)/', '', $command); // We removed chars that can be used to inject vars that contains space inside path of command without seeing there is a space to bypass the escapeshellarg. + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // If there is spaces, we add quotes on command to be sure $command is only a program and not a program+parameters //$param=escapeshellarg($dolibarr_main_db_name)." -h ".escapeshellarg($dolibarr_main_db_host)." -u ".escapeshellarg($dolibarr_main_db_user)." -p".escapeshellarg($dolibarr_main_db_pass); //$param="-F c";