diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php
index 590ff276831..6e0b0508a07 100644
--- a/htdocs/admin/tools/export_files.php
+++ b/htdocs/admin/tools/export_files.php
@@ -33,8 +33,8 @@ $langs->load("admin");
 $action = GETPOST('action', 'aZ09');
 $what = GETPOST('what', 'alpha');
 $export_type = GETPOST('export_type', 'alpha');
-$file = GETPOST('zipfilename_template', 'alpha');
-$compression = GETPOST('compression');
+$file = trim(GETPOST('zipfilename_template', 'alpha'));
+$compression = GETPOST('compression', 'aZ09');
 $file = dol_sanitizeFileName($file);
 $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file);
diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php
index a92ac8a1e73..2e692dc25c4 100644
--- a/htdocs/contrat/card.php
+++ b/htdocs/contrat/card.php
@@ -6,7 +6,7 @@
  * Copyright (C) 2010-2017 Juanjo Menent
  * Copyright (C) 2013 Christophe Battarel
  * Copyright (C) 2013-2014 Florian Henry
- * Copyright (C) 2014-2018 Ferran Marcet
+ * Copyright (C) 2014-2020 Ferran Marcet
  * Copyright (C) 2014-2016 Marcos García
  * Copyright (C) 2015 Jean-François Ferry
  * Copyright (C) 2018-2020 Frédéric France
@@ -2035,7 +2035,7 @@ if ($action == 'create')
 // Send
 if (empty($user->socid)) {
 if ($object->statut == 1) {
-if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->commande->order_advance->send)) {
+if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->contrat->creer)) {
 print '';
 } else print '';
 }
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index ea62a4d6f6f..e5816a7ea71 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
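Review bot: A template name beginning with a single `-` passes this boundary unchanged, because `dol_sanitizeFileName()` (patched in this same commit) only replaces the two-character sequence `--`, and neither `trim()` nor the extension-stripping `preg_replace` on the following line removes a leading dash. If, as the new comment in functions.lib.php indicates, `$file` later becomes an argument of an archiving command (that invocation is outside the hunk), most command-line tools read a leading dash as a short option, so reject such a name here, e.g. `if (substr($file, 0, 1) === '-') { $file = ''; }` placed after the `preg_replace` line, and make sure the command site passes the name after a literal `--` and through `escapeshellarg()`. Restricting `compression` to `aZ09` is the right call since that value presumably selects the archiver.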
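Review bot: Switching the gate to `$user->rights->contrat->creer` only decides whether the send button is printed; the handler that actually performs the send action is outside this hunk and must enforce the same right, otherwise the fix is cosmetic and a user without `contrat->creer` can still trigger the action by request. Worth confirming in this commit that the action branch checks `$user->rights->contrat->creer` as well. As a point of style, the brace-less `} else print '';` on the last lines should get braces to match the surrounding `if` blocks. The enclosing `if ($action == 'create')` and `if (empty($user->socid))` blocks both start and end outside the hunk.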
@@ -931,8 +931,9 @@ function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1)
 // List of special chars for filenames in windows are defined on page https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
 // Char '>' '<' '|' '$' and ';' are special chars for shells.
 // Char '/' and '\' are file delimiters.
-$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';');
-return dol_string_nospecial($unaccent ?dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
+// -- car can be used into filename to inject special paramaters like --use-compress-program to make command with file as parameter making remote execution of command
+$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '--');
+return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
 }
 /**
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 4d642c733b4..3eda8354113 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -376,7 +376,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
 print __METHOD__." login=".$login."\n";
-$this->assertEquals($login, 'admin');
+$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
 $login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authetntication method
 print __METHOD__." login=".$login."\n";
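Review bot: Adding `'--'` to `$filesystem_forbidden_chars` blocks the long-option form named in the comment but leaves a filename that starts with a single `-` untouched, and since `$newstr` is caller-controlled the sequence can be recreated by the replacement itself (if `dol_string_nospecial()` does plain substitution — its body is not in the hunk — a caller passing `'-'` as `$newstr` turns `'---'` back into `'--'`). Consider also dropping a leading dash in this function, e.g. `$str = ltrim($str, '-');` before the `return`, and stating in the docblock above the signature (outside the hunk) that the result is a filesystem-safe name, not a shell-safe argument, so callers still need `--` and `escapeshellarg()` on a command line. The new comment has two typos worth fixing while here: `car` → `char` and `paramaters` → `parameters`.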
@@ -553,4 +553,27 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 return 0;
 }
+
+ /**
+ * testDolSanitizeFileName
+ *
+ * @return void
+ */
+ public function testDolSanitizeFileName()
+ {
+ global $conf,$user,$langs,$db;
+ $conf=$this->savconf;
+ $user=$this->savuser;
+ $langs=$this->savlangs;
+ $db=$this->savdb;
+
+ //$dummyuser=new User($db);
+ //$result=restrictedArea($dummyuser,'societe');
+
+ $result=dol_sanitizeFileName('bad file | evilaction');
+ $this->assertEquals('bad file _ evilaction', $result);
+
+ $result=dol_sanitizeFileName('bad file --evilparam');
+ $this->assertEquals('bad file _evilparam', $result);
+ }
 }
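Review bot: The new test only exercises `|` and a `--` in the middle of the name, so it does not pin the two boundaries the sanitizer is meant to cover: path delimiters and a dash at the start of the name. Add a delimiter case, `$this->assertEquals('.._etc_passwd', dol_sanitizeFileName('../etc/passwd'));`, which follows from `/` being in the forbidden list, and a leading-dash case such as `dol_sanitizeFileName('-x')` so the current result for that input is visible in the suite and any later change to it is deliberate. Prefer `assertSame` over `assertEquals` for these string comparisons, and the two commented-out `$dummyuser` lines copied from another test should be deleted rather than carried along.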