From 1e1b963ca74785f3b07d83f89b978d34fcbd7f2a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 7 Apr 2021 19:38:54 +0200
Subject: [PATCH] Restriction on name of files

---
 htdocs/admin/system/filecheck.php | 16 +++++++++++-----
 htdocs/core/boxes/box_external_rss.php | 1 +
 htdocs/core/modules/modExternalRss.class.php | 1 +
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php
index cb7c9667757..e6e95872c91 100644
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
@@ -78,10 +78,10 @@ print '
';
 $file_list = array('missing' => array(), 'updated' => array());
 // Local file to compare to
-$xmlshortfile = GETPOST('xmlshortfile', 'alpha') ?GETPOST('xmlshortfile', 'alpha') : '/install/filelist-'.DOL_VERSION.(empty($conf->global->MAIN_FILECHECK_LOCAL_SUFFIX) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_SUFFIX).'.xml'.(empty($conf->global->MAIN_FILECHECK_LOCAL_EXT) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_EXT);
-$xmlfile = DOL_DOCUMENT_ROOT.$xmlshortfile;
+$xmlshortfile = dol_sanitizeFileName(GETPOST('xmlshortfile', 'alpha') ? GETPOST('xmlshortfile', 'alpha') : 'filelist-'.DOL_VERSION.(empty($conf->global->MAIN_FILECHECK_LOCAL_SUFFIX) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_SUFFIX).'.xml'.(empty($conf->global->MAIN_FILECHECK_LOCAL_EXT) ? '' : $conf->global->MAIN_FILECHECK_LOCAL_EXT));
+$xmlfile = DOL_DOCUMENT_ROOT.'/install/'.$xmlshortfile;
 // Remote file to compare to
-$xmlremote = GETPOST('xmlremote');
+$xmlremote = GETPOST('xmlremote', 'alphanohtml');
 if (empty($xmlremote) && !empty($conf->global->MAIN_FILECHECK_URL)) {
 	$xmlremote = $conf->global->MAIN_FILECHECK_URL;
 }
@@ -92,7 +92,13 @@ if (empty($xmlremote) && !empty($conf->global->$param)) {
 if (empty($xmlremote)) {
 	$xmlremote = 'https://www.dolibarr.org/files/stable/signatures/filelist-'.DOL_VERSION.'.xml';
 }
-
+if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
+}
+if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {
+	$langs->load("errors");
+	setEventMessages($langs->trans("ErrorURLMustStartWithHttp", $xmlremote), '', 'errors');
+	$error++;
+}
 // Test if remote test is ok
 $enableremotecheck = true;
@@ -147,7 +153,7 @@ if (GETPOST('target') == 'local') {
 		}
 		$xml = simplexml_load_file($xmlfile);
 	} else {
-		print $langs->trans('XmlNotFound').': '.$xmlfile;
+		print '
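Review bot: The confinement of the local file to /install/ now rests entirely on `dol_sanitizeFileName()` reducing the `xmlshortfile` request value to a bare file name, and nothing on the `$xmlshortfile =` line says so; a comment such as `// Only a bare file name is accepted here; the file must live under /install/` would stop a later edit from reintroducing a caller-controlled directory. `GETPOST('xmlshortfile', 'alpha')` is also evaluated twice inside the ternary and the whole statement runs to roughly 300 characters, so reading the parameter once into a local and building the default name on its own line would make both the sanitisation and the fallback visible at a glance. If this version of `dol_sanitizeFileName()` does not strip path separators and `..`, the `/install/` prefix alone does not confine the path — worth confirming against the helper.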
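Review bot: The first added `if ($xmlremote && !preg_match('/^https?:\/\//', $xmlremote)) {` block is empty and is immediately followed by an identical condition that does the real work, so the first two added lines (`if (...) {` and `}`) are dead code and should be dropped. The surviving check constrains only the scheme prefix of `$xmlremote`, which comes from `GETPOST('xmlremote', 'alphanohtml')` in the previous hunk and is presumably fetched later in this file, so a comment on it, `// Format check only: the remote URL is not restricted to a known host`, would document the trust this admin page still places in the caller. `$error` is incremented here but initialised outside the hunk, presumably at the top of the script.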
'.$langs->trans('XmlNotFound').': '.$xmlfile.'';
 		$error++;
 	}
 }
diff --git a/htdocs/core/boxes/box_external_rss.php b/htdocs/core/boxes/box_external_rss.php
index d85f0a3f44b..7bf8a69ed03 100644
--- a/htdocs/core/boxes/box_external_rss.php
+++ b/htdocs/core/boxes/box_external_rss.php
@@ -77,6 +77,7 @@ class box_external_rss extends ModeleBoxes
 		$this->max = $max;
 		// On recupere numero de param de la boite
+		$reg = array();
 		preg_match('/^([0-9]+) /', $this->paramdef, $reg);
 		$site = $reg[1];
diff --git a/htdocs/core/modules/modExternalRss.class.php b/htdocs/core/modules/modExternalRss.class.php
index 6ca023a65a8..d7710687ca6 100644
--- a/htdocs/core/modules/modExternalRss.class.php
+++ b/htdocs/core/modules/modExternalRss.class.php
@@ -100,6 +100,7 @@ class modExternalRss extends DolibarrModules
 		$result = $this->db->query($sql);
 		if ($result) {
 			while ($obj = $this->db->fetch_object($result)) {
+				$reg = array();
 				if (preg_match('/EXTERNAL_RSS_TITLE_([0-9]+)/i', $obj->name, $reg)) {
 					// Definie la boite si on a trouvee une ancienne configuration
 					//$this->boxes[$reg[1]][0] = "(ExternalRSSInformations)";
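Review bot: The rewritten `print` line writes `$xmlfile` into the page unescaped; the path is built in an earlier hunk from the `xmlshortfile` request parameter (via `dol_sanitizeFileName()`), so it is partly caller-controlled, and escaping at the output boundary costs nothing: replace `': '.$xmlfile.'` with `': '.dol_escape_htmltag($xmlfile).'`. The markup around the message is not visible in this copy of the hunk, so the surrounding tags are left as the commit has them. The enclosing `if (GETPOST('target') == 'local')` block starts outside the hunk.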
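Review bot: Initialising `$reg` before `preg_match()` in box_external_rss.php removes the undefined-variable notice, but `$site = $reg[1];` on the next line still reads index 1 unconditionally, so a `paramdef` that does not start with digits produces an undefined-offset warning and a null `$site`. Testing the match result, `if (!preg_match('/^([0-9]+) /', $this->paramdef, $reg)) {` followed by whatever failure handling the box expects, keeps the rest of the method from working on a missing site number. The method containing these lines starts and ends outside the hunk. The equivalent initialisation in modExternalRss.class.php is already guarded by its `if (preg_match(...))` and needs no change.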