Add a protection for forged sql filters

Laurent Destailleur 2023-01-31 20:41:00 +01:00
parent 404a70a2a9
commit 79eacba4d8


@ -7801,7 +7801,7 @@ class Form
}
/**
* Function to forge a SQL criteria
* Function to forge a SQL criteria from a Dolibarr filter syntax string.
*
* @param array $matches Array of found string by regex search. Example: "t.ref:like:'SO-%'" or "t.date_creation:<:'20160101'" or "t.nature:is:NULL"
* @return string Forged criteria. Example: "t.field like 'abc%'"
@ -7816,7 +7816,7 @@ class Form
}
$tmp = explode(':', $matches[1]);
if (count($tmp) < 3) {
return '';
return '1=2'; // An always false request
}
$tmpescaped = $tmp[2];
@ -7826,7 +7826,19 @@ class Form
} else {
$tmpescaped = $db->escape($tmpescaped);
}
return $db->escape($tmp[0]).' '.strtoupper($db->escape($tmp[1]))." ".$tmpescaped;
if ($tmp[1] == '!=') {
$tmp[1] = '<>';
}
if (preg_match('/[\(\)]/', $tmp[0])) {
return '1=2'; // An always false request
}
if (! in_array($tmp[1], array('<', '>', '<>', 'is', 'isnot', '=', 'like'))) {
return '1=2'; // An always false request
}
return $db->escape($tmp[0]).' '.strtoupper($db->escape($tmp[1])).' '.$tmpescaped;
}
/**
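Review bot: The new guard on `$tmp[0]` rejects only parentheses, which is a denylist on a value that is emitted as an unquoted SQL identifier; `$db->escape()` is presumably a string-literal escaper, so it does not constrain whitespace, comment markers or keywords in that position. An allowlist would be tighter, for example `if (! preg_match('/^[a-z0-9_]+(\.[a-z0-9_]+)?$/i', $tmp[0])) { return '1=2'; }`, adjusted to whatever field syntax the filter string legitimately supports. In the operator check, pass `true` as the third argument to `in_array()`, and note that `isnot` goes through `strtoupper()` unchanged, so unless it is mapped in lines not shown here the emitted operator is `ISNOT` rather than `IS NOT`. Both checks would also read better placed before the value escaping rather than after it; the function body starts outside these hunks, so the handling of `$tmp[2]` is not reviewed here.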