FIX SEC for HTB23302
This commit is contained in:
parent
666c62af04
commit
2b7ef01e42
@ -121,7 +121,9 @@ $utils = new Utils($db);
|
||||
if ($what == 'mysql')
|
||||
{
|
||||
|
||||
$cmddump=GETPOST("mysqldump"); // Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
|
||||
$cmddump=GETPOST("mysqldump"); // Do not sanitize here with 'alpha', will be sanitize later by dol_sanitizePathName and escapeshellarg
|
||||
$cmddump=dol_sanitizePathName($cmddump);
|
||||
|
||||
if (! empty($dolibarr_main_restrict_os_commands))
|
||||
{
|
||||
$arrayofallowedcommand=explode(',', $dolibarr_main_restrict_os_commands);
|
||||
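Review bot: The value assigned at L24 is still an arbitrary filesystem path after dol_sanitizePathName, because that function (added in the last hunk of this commit) only replaces `< > ? * | " °`, leaving `/`, `..`, spaces and shell metacharacters in place; escapeshellarg, which the L21 comment defers to, quotes the argument but does not restrict which binary gets run. The only effective restriction is the allow-list check that starts at L29, and it is guarded by `! empty($dolibarr_main_restrict_os_commands)`, so an installation without that setting appears to run whatever path was posted (the branch for the empty case lies outside the hunk). Consider making the allow-list unconditional, e.g. rejecting the request when the setting is empty rather than skipping the check, and recording the intent at L24 with `// dol_sanitizePathName is a deny-list of filesystem-forbidden chars only; the allow-list below is what restricts the command`. The same pattern is repeated for postgresqldump in the next hunk (L53-L56), and the enclosing if-block continues outside the hunk in both places.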
@ -168,7 +170,8 @@ if ($what == 'mysqlnobin')
|
||||
// POSTGRESQL
|
||||
if ($what == 'postgresql')
|
||||
{
|
||||
$cmddump=GETPOST("postgresqldump"); // Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
|
||||
$cmddump=GETPOST("postgresqldump"); // Do not sanitize here with 'alpha', will be sanitize later by dol_sanitizePathName and escapeshellarg
|
||||
$cmddump=dol_sanitizePathName($cmddump);
|
||||
|
||||
if (! $errormsg && $cmddump)
|
||||
{
|
||||
|
||||
@ -443,10 +443,10 @@ function dol_size($size,$type='')
|
||||
*
|
||||
* @param string $str String to clean
|
||||
* @param string $newstr String to replace bad chars with
|
||||
* @param int $unaccent 1=Remove also accent (default), 0 do not remove them
|
||||
* @param int $unaccent 1=Remove also accent (default), 0 do not remove them
|
||||
* @return string String cleaned (a-zA-Z_)
|
||||
*
|
||||
* @see dol_string_nospecial, dol_string_unaccent
|
||||
* @see dol_string_nospecial, dol_string_unaccent, dol_sanitizePathName
|
||||
*/
|
||||
function dol_sanitizeFileName($str,$newstr='_',$unaccent=1)
|
||||
{
|
||||
@ -454,6 +454,22 @@ function dol_sanitizeFileName($str,$newstr='_',$unaccent=1)
|
||||
return dol_string_nospecial($unaccent?dol_string_unaccent($str):$str, $newstr, $filesystem_forbidden_chars);
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean a string to use it as a path name
|
||||
*
|
||||
* @param string $str String to clean
|
||||
* @param string $newstr String to replace bad chars with
|
||||
* @param int $unaccent 1=Remove also accent (default), 0 do not remove them
|
||||
* @return string String cleaned (a-zA-Z_)
|
||||
*
|
||||
* @see dol_string_nospecial, dol_string_unaccent, dol_sanitizeFileName
|
||||
*/
|
||||
function dol_sanitizePathName($str,$newstr='_',$unaccent=1)
|
||||
{
|
||||
$filesystem_forbidden_chars = array('<','>','?','*','|','"','°');
|
||||
return dol_string_nospecial($unaccent?dol_string_unaccent($str):$str, $newstr, $filesystem_forbidden_chars);
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean a string from all accent characters to be used as ref, login or by dol_sanitizeFileName
|
||||
*
|
||||
|
||||
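Review bot: The `@return` line at L137, `String cleaned (a-zA-Z_)`, is copied from dol_sanitizeFileName and does not describe what the new function returns: the array at L155 removes only `<`, `>`, `?`, `*`, `|`, `"` and `°`, so slashes, dots (including `..` segments), spaces and shell metacharacters all pass through unchanged. Suggest replacing it with `@return string String with < > ? * | " ° replaced by $newstr; path separators and '..' are kept` and adding to the description a line such as `* Note: this is a deny-list of filesystem-forbidden characters only; callers must still validate the result (allow-list or realpath) before using it as a command or include path`. The body at L158 is byte-identical to dol_sanitizeFileName's at L111 apart from the character array, so a shared private helper taking the forbidden-char list as a parameter would keep the two from drifting, though that is a style point rather than a defect.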