Add local ip into excluded IP for external URL download.
Fix #yogosha5861
parent
61df76dd9a
commit
0537fdd1c6
@ -110,7 +110,7 @@ print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print $langs->trans("MakeIntegrityAnalysisFrom").':<br>';
|
||||
print '<!-- for a local check target=local&xmlshortfile=... -->'."\n";
|
||||
if (dol_is_file($xmlfile)) {
|
||||
print '<input type="radio" name="target" value="local"'.((!GETPOST('target') || GETPOST('target') == 'local') ? 'checked="checked"' : '').'"> '.$langs->trans("LocalSignature").' = ';
|
||||
print '<input type="radio" name="target" id="checkboxlocal" value="local"'.((!GETPOST('target') || GETPOST('target') == 'local') ? 'checked="checked"' : '').'"> <label for="checkboxlocal">'.$langs->trans("LocalSignature").'</label> = ';
|
||||
print '<input name="xmlshortfile" class="flat minwidth400" value="'.dol_escape_htmltag($xmlshortfile).'">';
|
||||
print '<br>';
|
||||
} else {
|
||||
@ -121,7 +121,7 @@ if (dol_is_file($xmlfile)) {
|
||||
}
|
||||
print '<!-- for a remote target=remote&xmlremote=... -->'."\n";
|
||||
if ($enableremotecheck) {
|
||||
print '<input type="radio" name="target" value="remote"'.(GETPOST('target') == 'remote' ? 'checked="checked"' : '').'> '.$langs->trans("RemoteSignature").' = ';
|
||||
print '<input type="radio" name="target" id="checkboxremote" value="remote"'.(GETPOST('target') == 'remote' ? 'checked="checked"' : '').'> <label for="checkboxremote">'.$langs->trans("RemoteSignature").'</label> = ';
|
||||
print '<input name="xmlremote" class="flat minwidth400" value="'.dol_escape_htmltag($xmlremote).'"><br>';
|
||||
} else {
|
||||
print '<input type="radio" name="target" value="remote" disabled="disabled"> '.$langs->trans("RemoteSignature").' = '.$xmlremote;
|
||||
@ -156,7 +156,7 @@ if (GETPOST('target') == 'local') {
|
||||
}
|
||||
}
|
||||
if (GETPOST('target') == 'remote') {
|
||||
$xmlarray = getURLContent($xmlremote, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only
|
||||
$xmlarray = getURLContent($xmlremote, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only. Same is used into api_setup.class.php.
|
||||
|
||||
// Return array('content'=>response,'curl_error_no'=>errno,'curl_error_msg'=>errmsg...)
|
||||
if (!$xmlarray['curl_error_no'] && $xmlarray['http_code'] != '400' && $xmlarray['http_code'] != '404') {
|
||||
@ -164,7 +164,7 @@ if (GETPOST('target') == 'remote') {
|
||||
//print "xmlfilestart".$xmlfile."xmlfileend";
|
||||
$xml = simplexml_load_string($xmlfile);
|
||||
} else {
|
||||
$errormsg = $langs->trans('XmlNotFound').': '.$xmlremote.' - '.$xmlarray['http_code'].' '.$xmlarray['curl_error_no'].' '.$xmlarray['curl_error_msg'];
|
||||
$errormsg = $langs->trans('XmlNotFound').': '.$xmlremote.' - '.$xmlarray['http_code'].(($xmlarray['http_code'] == 400 && $xmlarray['content']) ? ' '.$xmlarray['content'] : '').' '.$xmlarray['curl_error_no'].' '.$xmlarray['curl_error_msg'];
|
||||
setEventMessages($errormsg, null, 'errors');
|
||||
$error++;
|
||||
}
|
||||
|
||||
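Review bot: The rewritten `$errormsg` line in the `target == 'remote'` branch now appends `$xmlarray['content']` whenever `http_code` is 400, and that value is not always the library's own text. As far as the getURLContent hunks of this commit show, any non-empty response body is copied into `content`, so a remote server answering 400 decides what is displayed, next to the user-supplied `$xmlremote`. Whether `setEventMessages()` escapes its input is not visible on this page, so I would either confirm that or escape at the call site, e.g. `' '.dol_escape_htmltag($xmlarray['content'])`. Separately, the new local radio line still renders `value="local"checked="checked"">`: a space is missing before `checked` and a stray `"` sits before `>`.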
@ -1673,7 +1673,7 @@ class Setup extends DolibarrApi
|
||||
throw new RestException(500, $langs->trans('XmlNotFound').': '.$xmlfile);
|
||||
}
|
||||
} else {
|
||||
$xmlarray = getURLContent($xmlremote, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only
|
||||
$xmlarray = getURLContent($xmlremote, 'GET', '', 1, array(), array('http', 'https'), 0); // Accept http or https links on external remote server only. Same is used into filecheck.php.
|
||||
|
||||
// Return array('content'=>response,'curl_error_no'=>errno,'curl_error_msg'=>errmsg...)
|
||||
if (!$xmlarray['curl_error_no'] && $xmlarray['http_code'] != '400' && $xmlarray['http_code'] != '404') {
|
||||
|
||||
@ -165,14 +165,21 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
|
||||
} elseif (in_array($hosttocheck, array('ip6-localhost', 'ip6-loopback'))) {
|
||||
$iptocheck = '::1';
|
||||
} else {
|
||||
// TODO Resolve $hosttocheck to get the IP $iptocheck and set CURLOPT_CONNECT_TO to use this ip
|
||||
$iptocheck = $hosttocheck;
|
||||
// Resolve $hosttocheck to get the IP $iptocheck and set CURLOPT_CONNECT_TO to use this ip so curl will not try another resolution that may give a different result
|
||||
if (function_exists('gethostbyname')) {
|
||||
$iptocheck = gethostbyname($hosttocheck);
|
||||
} else {
|
||||
$iptocheck = $hosttocheck;
|
||||
}
|
||||
// TODO Resolve ip v6
|
||||
}
|
||||
|
||||
if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) { // This is not an IP
|
||||
// Check $iptocheck is an IP (v4 or v6), if not clear value.
|
||||
if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) { // This is not an IP, we clean data
|
||||
$iptocheck = '0'; //
|
||||
}
|
||||
|
||||
//var_dump($_SERVER);
|
||||
if ($iptocheck) {
|
||||
if ($localurl == 0) { // Only external url allowed (dangerous, may allow to get malware)
|
||||
if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
|
||||
@ -181,6 +188,11 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
|
||||
$info['content'] = 'Error bad hostname IP (private or reserved range). Must be an external URL.';
|
||||
break;
|
||||
}
|
||||
if ($iptocheck == $_SERVER["SERVER_ADDR"]) {
|
||||
$info['http_code'] = 400;
|
||||
$info['content'] = 'Error bad hostname IP (IP is a local IP). Must be an external URL.';
|
||||
break;
|
||||
}
|
||||
if (in_array($iptocheck, array('100.100.100.200'))) {
|
||||
$info['http_code'] = 400;
|
||||
$info['content'] = 'Error bad hostname IP (Used by Alibaba metadata). Must be an external URL.';
|
||||
@ -194,6 +206,9 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// Set CURLOPT_CONNECT_TO so curl will not try another resolution that may give a different result
|
||||
curl_setopt($ch, CURLOPT_CONNECT_TO, $iptocheck);
|
||||
}
|
||||
|
||||
// Getting response from server
|
||||
@ -220,7 +235,7 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
|
||||
|
||||
$rep = array();
|
||||
if (curl_errno($ch)) {
|
||||
// Ad keys to $rep
|
||||
// Add keys to $rep
|
||||
$rep['content'] = $response;
|
||||
|
||||
// moving to display page to display curl errors
|
||||
@ -231,14 +246,16 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
|
||||
} else {
|
||||
//$info = curl_getinfo($ch);
|
||||
|
||||
// Ad keys to $rep
|
||||
// Add keys to $rep
|
||||
$rep = $info;
|
||||
//$rep['header_size']=$info['header_size'];
|
||||
//$rep['http_code']=$info['http_code'];
|
||||
dol_syslog("getURLContent http_code=".$rep['http_code']);
|
||||
|
||||
// Add more keys to $rep
|
||||
$rep['content'] = $response;
|
||||
if ($response) {
|
||||
$rep['content'] = $response;
|
||||
}
|
||||
$rep['curl_error_no'] = '';
|
||||
$rep['curl_error_msg'] = '';
|
||||
}
|
||||
|
||||
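Review bot: `curl_setopt($ch, CURLOPT_CONNECT_TO, $iptocheck);` passes a bare IP string, but CURLOPT_CONNECT_TO takes an array of `HOST:PORT:CONNECT-TO-HOST:CONNECT-TO-PORT` entries, so the pin described in the comment is most likely not applied and curl still performs its own second resolution after the range checks. Something like `curl_setopt($ch, CURLOPT_CONNECT_TO, array($hosttocheck.'::'.$iptocheck.':'));` would bind the connection to the address that was actually validated (an IPv6 address has to be bracketed there). The resolution block also fails open: `gethostbyname()` returns the hostname unchanged when it finds no IPv4 address, the value is then reset to `'0'`, and `if ($iptocheck)` skips every check while, as far as the hunk shows, the request is still sent, so a name without an A record is never compared against the private and reserved ranges; returning the 400 error in that case would fail closed. The `$_SERVER["SERVER_ADDR"]` comparison covers a single address and the key may be unset outside a web request, so it should be guarded with `!empty()`. getURLContent starts and ends outside these hunks, so its redirect handling was not reviewed.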