From 16b9e628661dca5af434a31b8e69dcc6c48aad91 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 17 Sep 2020 14:20:37 +0200
Subject: [PATCH] FIX #yogosha4456

---
 htdocs/conf/conf.php.example | 24 ++++++++++++-------
 htdocs/cron/class/cronjob.class.php | 37 ++++++++++++++++++-----------
 htdocs/langs/en_US/errors.lang | 3 ++-
 3 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example
index 32c37301a0e..6b1b5e0ea0a 100644
--- a/htdocs/conf/conf.php.example
+++ b/htdocs/conf/conf.php.example
@@ -219,10 +219,10 @@ $dolibarr_main_authentication='dolibarr';
 // 1 = Force redirect to https, until SCRIPT_URI start with https into response
 // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response
 // 'https://my.domain.com' = Force redirect to https using this domain name.
-// Warning: If you enable this parameter, your web server must be configured to
-// respond URL with https protocol.
-// According to your web server setup, some values may works and other not. Try
-// different values (1,2 or 'https://my.domain.com') if you experience problems.
+// Warning: If you enable this parameter, your web server must be configured to respond URL with https protocol.
+// According to your web server setup, some values may works and other not. Try different values (1,2 or 'https://my.domain.com') if you experience problems.
+// Even if a redirect to HTTPS is forced by the webserver, it is recommanded to set this value to another value than 0, so your session cookies will be
+// flagged as secured.
 // Default value: 0
 // Possible values: 0, 1, 2 or 'https://my.domain.com'
 // Examples:
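Review bot: The rewritten comment block for dolibarr_main_force_https carries two spelling slips worth fixing while the text is already being touched: `recommanded` → `recommended` on the third added line, and the carried-over `some values may works` → `some values may work` on the second. The statement that a non-zero value gets session cookies flagged as secure cannot be checked from this hunk, but if it holds it is the strongest reason to set the option and deserves to lead the paragraph rather than trail it, e.g. `// Set this to a value other than 0 even if your web server already redirects to HTTPS, so that session cookies are flagged secure.`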
@@ -233,12 +233,12 @@ $dolibarr_main_force_https='0'; // dolibarr_main_prod // When this parameter is defined, all errors messages are not reported. // This feature exists for production usage to avoid to give any information to hackers. -// Default value: 0 +// Default value: 1 // Possible values: 0 or 1 // Examples: -// $dolibarr_main_prod='0'; +// $dolibarr_main_prod='1'; // -$dolibarr_main_prod='0'; +$dolibarr_main_prod='1'; // $dolibarr_main_restrict_os_commands // To restrict commands you can execute by the backup feature, enter allowed command here. @@ -260,8 +260,8 @@ $dolibarr_main_restrict_ip=''; // dolibarr_nocsrfcheck // This parameter can be used to disable CSRF protection. -// This might be required if you access Dolibarr behind a proxy that make -// URL rewriting, to avoid false alarms. +// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms. +// In most cases, you should always keep this to 0. // Default value: 0 // Possible values: 0 or 1 // Examples: @@ -269,6 +269,12 @@ $dolibarr_main_restrict_ip=''; // $dolibarr_nocsrfcheck='0'; +// dolibarr_cron_allow_cli +// If set to 1, you will be able to define some command line in the internale Job scheduler module. +// Default value: '0' +// Examples: '1' +$dolibarr_cron_allow_cli='0'; + // dolibarr_mailing_limit_sendbyweb // Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level. // Default value: '25' diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index d66c441c79c..fc038bb78bf 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php 
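Review bot: The comment introducing `dolibarr_cron_allow_cli` (hunk at line 269) documents the default but not what enabling it means for the host: the same line says the option lets command lines be defined in the job scheduler module, which means a value of 1 lets whoever can create or edit scheduled jobs run OS commands with the web server's privileges — the exposure the rest of this commit closes by default. Add that consequence next to the default, e.g. `// Warning: when set to 1, any user allowed to create or edit scheduled jobs can run arbitrary OS commands as the web server user; keep 0 unless you need it.` The same line also has `internale` for `internal`. Since the cronjob code tests the variable with `empty()`, existing conf.php files that never define it stay fail-closed after upgrade; one sentence saying so here would spare administrators a surprise when command-type jobs start failing.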
@@ -1119,23 +1119,32 @@ class Cronjob extends CommonObject // Run a command line if ($this->jobtype == 'command') { - $outputdir = $conf->cron->dir_temp; - if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; + global $dolibarr_cron_allow_cli; - if (!empty($outputdir)) - { - dol_mkdir($outputdir); - $outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method + if (empty($dolibarr_cron_allow_cli)) { + $langs->load("errors"); + $this->error = $langs->trans("FailedToExecutCommandJob"); + $this->lastoutput = ''; + $this->lastresult = $langs->trans("ErrorParameterMustBeEnabledToAllwoThisFeature", 'dolibarr_cron_allow_cli'); + } else { + $outputdir = $conf->cron->dir_temp; + if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; - // Execute a CLI - include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; - $utils = new Utils($this->db); - $arrayresult = $utils->executeCLI($this->command, $outputfile); + if (!empty($outputdir)) + { + dol_mkdir($outputdir); + $outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method - $retval = $arrayresult['result']; - $this->error = $arrayresult['error']; - $this->lastoutput = $arrayresult['output']; - $this->lastresult = $arrayresult['result']; + // Execute a CLI + include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; + $utils = new Utils($this->db); + $arrayresult = $utils->executeCLI($this->command, $outputfile); + + $retval = $arrayresult['result']; + $this->error = $arrayresult['error']; + $this->lastoutput = $arrayresult['output']; + $this->lastresult = $arrayresult['result']; + } } } diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index dfb6a9b83ca..773e073955e 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang 
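Review bot: `$retval` is never assigned in the new refusal branch under `if (empty($dolibarr_cron_allow_cli))`, so unless it is initialised earlier in the method — whose start and end lie outside this hunk — any code after the hunk that returns or tests `$retval` will report a refused command job with the same status as one that never ran; the old code had the same gap when no output directory was configured, and both branches would be clearer with an explicit non-zero value such as `$retval = -1;` next to the `$this->error` assignment. The guard itself is fail-closed, since `empty()` treats an unset variable (every conf.php written before this commit) as disabled. The translation key `ErrorParameterMustBeEnabledToAllwoThisFeature` is misspelled ("Allwo") consistently here and in errors.lang, so it works, but correcting it before other language files copy it is cheap. `FailedToExecutCommandJob` is not added by this commit, so it presumably already exists in a loaded language file; if it does not, `trans()` will surface the raw key to the user.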
@@ -243,6 +243,7 @@ ErrorReplaceStringEmpty=Error, the string to replace into is empty
 ErrorProductNeedBatchNumber=Error, product '%s' need a lot/serial number
 ErrorProductDoesNotNeedBatchNumber=Error, product '%s' does not accept a lot/serial number
 ErrorFailedToReadObject=Error, failed to read object of type %s
+ErrorParameterMustBeEnabledToAllwoThisFeature=Error, parameter %s must be enabled into conf/conf.php to allow use of Command Line Interface by the internal job scheduler
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
 WarningPasswordSetWithNoAccount=A password was set for this member. However, no user account was created. So this password is stored but can't be used to login to Dolibarr. It may be used by an external module/interface but if you don't need to define any login nor password for a member, you can disable option "Manage a login for each member" from Member module setup. If you need to manage a login but don't need any password, you can keep this field empty to avoid this warning. Note: Email can also be used as a login if the member is linked to a user.
@@ -270,4 +271,4 @@ WarningDateOfLineMustBeInExpenseReportRange=Warning, the date of line is not in
 WarningProjectClosed=Project is closed. You must re-open it first.
 WarningSomeBankTransactionByChequeWereRemovedAfter=Some bank transaction were removed after that the receipt including them were generated. So nb of cheques and total of receipt may differ from number and total in list.
 WarningFailedToAddFileIntoDatabaseIndex=Warning, failed to add file entry into ECM database index table
-WarningTheHiddenOptionIsOn=Warning, the hidden option %s is on.
\ No newline at end of file
+WarningTheHiddenOptionIsOn=Warning, the hidden option %s is on.