From 779a134022e4ccf80fa4cf03dae6880572ffaf7f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 13 Feb 2023 12:27:23 +0100
Subject: [PATCH 1/2] Fix call of antivirus must be done using utils->executeCLI
---
 htdocs/core/class/antivir.class.php | 54 ++++++++--------------------
 1 file changed, 14 insertions(+), 40 deletions(-)
diff --git a/htdocs/core/class/antivir.class.php b/htdocs/core/class/antivir.class.php
index dc38d38185e..cb195b58f5d 100644
--- a/htdocs/core/class/antivir.class.php
+++ b/htdocs/core/class/antivir.class.php
@@ -81,63 +81,37 @@ class AntiVir } $fullcommand = $this->getCliCommand($file); + //$fullcommand="/usr/bin/clamdscan --fdpass '/tmp/phpuxoAEo'" //$fullcommand='"c:\Program Files (x86)\ClamWin\bin\clamscan.exe" --database="C:\Program Files (x86)\ClamWin\lib" "c:\temp\aaa.txt"'; - $fullcommand .= ' 2>&1'; // This is to get error output - $output = array(); $return_var = 0; $safemode = ini_get("safe_mode"); // Create a clean fullcommand dol_syslog("AntiVir::dol_avscan_file Run command=".$fullcommand." with safe_mode ".($safemode ? "on" : "off")); - // Run CLI command. If run of Windows, you can get return with echo %ERRORLEVEL% - $lastline = exec($fullcommand, $output, $return_var); + // Run CLI command. + include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; + $utils = new Utils($this->db); + $outputfile = $conf->user->dir_temp.'/antivir.tmp'; + $result = $utils->executeCLI($fullcommand, $outputfile); + + $return_var = $result['result']; + $output = $result['output']; + $errorstring = $result['error']; if (is_null($output)) { $output = array(); } - //print "x".$lastline." - ".join(',',$output)." - ".$return_var."y";exit; - - /* - $outputfile=$conf->admin->dir_temp.'/dol_avscan_file.out.'.session_id(); - $handle = fopen($outputfile, 'w'); - if ($handle) - { - $handlein = popen($fullcommand, 'r'); - while (!feof($handlein)) - { - $read = fgets($handlein); - fwrite($handle,$read); - } - pclose($handlein); - - $errormsg = fgets($handle,2048); - $this->output=$errormsg; - - fclose($handle); - - if (!empty($conf->global->MAIN_UMASK)) - @chmod($outputfile, octdec($conf->global->MAIN_UMASK)); - } - else - { - $langs->load("errors"); - dol_syslog("Failed to open file ".$outputfile,LOG_ERR); - $this->error="ErrorFailedToWriteInDir"; - $return=-1; - } - */ - - dol_syslog("AntiVir::dol_avscan_file Result return_var=".$return_var." output=".join(',', $output)); + dol_syslog("AntiVir::dol_avscan_file Result return_var=".$return_var." 
output=".$output); $returncodevirus = 1; if ($return_var == $returncodevirus) { // Virus found - $this->errors = $output; + $this->errors = array($errorstring, $output); return -99; } if ($return_var > 0) { // If other error - $this->errors = $output; + $this->errors = array($errorstring, $output); return -98; } @@ -178,7 +152,7 @@ class AntiVir } if (preg_match("/\s/", $command)) { - $command = escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. + $command = escapeshellarg($command); // Force use of quotes on command. Using escapeshellcmd fails. } $ret = $command.' '.$param; From 183ae35ab7c2f9eaeb9a619895c1ca8f0b3139fe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 13 Feb 2023 12:27:23 +0100 Subject: [PATCH 2/2] Fix #huntr10e423cd-7051-43fd-b736-4e18650d0172 --- htdocs/admin/system/security.php | 3 ++ htdocs/core/class/antivir.class.php | 61 +++++++++-------------------- htdocs/core/lib/functions.lib.php | 4 +- 3 files changed, 24 insertions(+), 44 deletions(-) diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index 99b0ec96b08..e1b47b5beaa 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -577,6 +577,9 @@ print '
'; print 'MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL = '.getDolGlobalString('MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL', ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)')."
"; print '
'; +print 'MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED = '.getDolGlobalString('MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED', ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 0)')."
"; +print '
'; + print 'MAIN_SECURITY_FORCECSP = '.getDolGlobalString('MAIN_SECURITY_FORCECSP', ''.$langs->trans("Undefined").'').'   ('.$langs->trans("Example").": \"frame-ancestors 'self'; default-src 'self'; img-src *;\")
"; print '
'; diff --git a/htdocs/core/class/antivir.class.php b/htdocs/core/class/antivir.class.php index dc38d38185e..f8391c7a512 100644 --- a/htdocs/core/class/antivir.class.php +++ b/htdocs/core/class/antivir.class.php 
@@ -81,63 +81,38 @@ class AntiVir } $fullcommand = $this->getCliCommand($file); + //$fullcommand="/usr/bin/clamdscan --fdpass '/tmp/phpuxoAEo'" //$fullcommand='"c:\Program Files (x86)\ClamWin\bin\clamscan.exe" --database="C:\Program Files (x86)\ClamWin\lib" "c:\temp\aaa.txt"'; - $fullcommand .= ' 2>&1'; // This is to get error output + //var_dump($fullcommand); - $output = array(); - $return_var = 0; $safemode = ini_get("safe_mode"); // Create a clean fullcommand dol_syslog("AntiVir::dol_avscan_file Run command=".$fullcommand." with safe_mode ".($safemode ? "on" : "off")); - // Run CLI command. If run of Windows, you can get return with echo %ERRORLEVEL% - $lastline = exec($fullcommand, $output, $return_var); + // Run CLI command. + include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; + $utils = new Utils($this->db); + $outputfile = $conf->user->dir_temp.'/antivir.tmp'; + + $result = $utils->executeCLI($fullcommand, $outputfile); + + $return_var = $result['result']; + $output = $result['output']; + $errorstring = $result['error']; if (is_null($output)) { $output = array(); } - //print "x".$lastline." - ".join(',',$output)." - ".$return_var."y";exit; - - /* - $outputfile=$conf->admin->dir_temp.'/dol_avscan_file.out.'.session_id(); - $handle = fopen($outputfile, 'w'); - if ($handle) - { - $handlein = popen($fullcommand, 'r'); - while (!feof($handlein)) - { - $read = fgets($handlein); - fwrite($handle,$read); - } - pclose($handlein); - - $errormsg = fgets($handle,2048); - $this->output=$errormsg; - - fclose($handle); - - if (!empty($conf->global->MAIN_UMASK)) - @chmod($outputfile, octdec($conf->global->MAIN_UMASK)); - } - else - { - $langs->load("errors"); - dol_syslog("Failed to open file ".$outputfile,LOG_ERR); - $this->error="ErrorFailedToWriteInDir"; - $return=-1; - } - */ - - dol_syslog("AntiVir::dol_avscan_file Result return_var=".$return_var." output=".join(',', $output)); + dol_syslog("AntiVir::dol_avscan_file Result return_var=".$return_var." 
output=".$output); $returncodevirus = 1; if ($return_var == $returncodevirus) { // Virus found - $this->errors = $output; + $this->errors = array($errorstring, $output); return -99; } if ($return_var > 0) { // If other error - $this->errors = $output; + $this->errors = array($errorstring, $output); return -98; } @@ -178,10 +153,12 @@ class AntiVir } if (preg_match("/\s/", $command)) { - $command = escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. + $command = escapeshellarg($command); // Force use of quotes on command. Using escapeshellcmd fails. } - $ret = $command.' '.$param; + $forbidden_chars_to_replace = array("*", "?", "\"", "<", ">", "|", "[", "]", ";", '°', '$'); + $ret = dol_sanitizePathName($command).' '.dol_string_nospecial($param, '_', $forbidden_chars_to_replace); + //$ret=$command.' '.$param.' 2>&1'; //print "xx".$ret."xx";exit; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 1913e7dc235..a73bf3e096f 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1385,7 +1385,7 @@ function dol_string_unaccent($str) /** * Clean a string from all punctuation characters to use it as a ref or login. - * This is a more complete function than dol_sanitizeFileName. + * This is a more complete function than dol_sanitizeFileName(). * * @param string $str String to clean * @param string $newstr String to replace forbidden chars with 
@@ -1397,7 +1397,7 @@ function dol_string_unaccent($str) */ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '', $badcharstoremove = '') { - $forbidden_chars_to_replace = array(" ", "'", "/", "\\", ":", "*", "?", "\"", "<", ">", "|", "[", "]", ",", ";", "=", '°'); // more complete than dol_sanitizeFileName + $forbidden_chars_to_replace = array(" ", "'", "/", "\\", ":", "*", "?", "\"", "<", ">", "|", "[", "]", ",", ";", "=", '°', '$', ';'); // more complete than dol_sanitizeFileName $forbidden_chars_to_remove = array(); //$forbidden_chars_to_remove=array("(",")");