lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIx #19227

Browse Source
This commit is contained in:
Laurent Destailleur 2021-10-31 15:59:03 +01:00
parent ed9f0c4ad9
commit 4f2cd2ba18
2 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
htdocs/core/lib/functions.lib.php
View File

@ -108,6 +108,10 @@ function getEntity($element, $shared = 1, $currentobject = null)
{
global $conf, $mc, $hookmanager, $object, $action;
if (! is_object($hookmanager)) {
$hookmanager = new HookManager($db);
}
// fix different element names (France to English)
switch ($element) {
case 'contrat':
@ -8151,16 +8155,20 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
return 'Bad string syntax to evaluate: '.$s;
}
// We block using of php exec or php file functions
$forbiddenphpstrings = array("exec(", "passthru(", "shell_exec(", "system(", "proc_open(", "popen(", "eval(", "dol_eval(", "executeCLI(");
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array("fopen(", "file_put_contents(", "fputs(", "fputscsv(", "fwrite(", "fpassthru(", "unlink(", "mkdir(", "rmdir(", "symlink(", "touch(", "umask("));
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('function(', '$$', 'call_user_func('));
// We block use of php exec or php file functions
$forbiddenphpstrings = array('$$');
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
$forbiddenphpregex = 'global\s+\$';
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI");
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "unlink", "mkdir", "rmdir", "symlink", "touch", "umask"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
$forbiddenphpregex = 'global\s+\$|\b('.implode('|', $forbiddenphpfunctions).')\b';
do {
$oldstringtoclean = $s;
$s = str_ireplace($forbiddenphpstrings, '__forbiddenstring__', $s);
$s = preg_replace('/'.$forbiddenphpregex.'/', '__forbiddenstring__', $s);
$s = preg_replace('/'.$forbiddenphpregex.'/i', '__forbiddenstring__', $s);
//$s = preg_replace('/\$[a-zA-Z0-9_\->\$]+\(/i', '', $s); // Remove $function( call and $mycall->mymethod(
} while ($oldstringtoclean != $s);

4
test/phpunit/SecurityTest.php
View File

@ -874,6 +874,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
$result=dol_eval('$a=exec ("ls")', 1, 1);
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
$result=dol_eval('$a="test"; $$a;', 1, 0);
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);