diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php
index c545cc7e0dd..57100155ed3 100644
--- a/htdocs/admin/security_file.php
+++ b/htdocs/admin/security_file.php
@@ -32,10 +32,6 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
// Load translation files required by the page
$langs->loadLangs(array('users', 'admin', 'other'));
-if (!$user->admin) {
- accessforbidden();
-}
-
$action = GETPOST('action', 'aZ09');
$sortfield = GETPOST('sortfield', 'aZ09');
$sortorder = GETPOST('sortorder', 'aZ09');
@@ -48,6 +44,12 @@ if (empty($sortorder)) {
$upload_dir = $conf->admin->dir_temp;
+if (!$user->admin) {
+ accessforbidden();
+}
+
+$error = 0;
+
/*
* Actions
@@ -65,12 +67,26 @@ if ($action == 'updateform') {
$antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command
$antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params
- $res3 = dolibarr_set_const($db, 'MAIN_UPLOAD_DOC', GETPOST('MAIN_UPLOAD_DOC', 'alpha'), 'chaine', 0, '', $conf->entity);
- $res4 = dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK', 'alpha'), 'chaine', 0, '', $conf->entity);
- $res5 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand), 'chaine', 0, '', $conf->entity);
- $res6 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam), 'chaine', 0, '', $conf->entity);
- if ($res3 && $res4 && $res5 && $res6) {
- setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
+ if (!empty($dolibarr_main_restrict_os_commands)) {
+ $arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands);
+ $arrayofallowedcommand = array_map('trim', $arrayofallowedcommand);
+ dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that one of this command is inside ".$antivircommand);
+ $basenamecmddump = basename(str_replace('\\', '/', $antivircommand));
+ if (!in_array($basenamecmddump, $arrayofallowedcommand)) { // the provided command $cmddump must be an allowed command
+ $errormsg = $langs->trans('CommandIsNotInsideAllowedCommands');
+ setEventMessages($errormsg, null, 'errors');
+ $error++;
+ }
+ }
+
+ if (!$error) {
+ $res3 = dolibarr_set_const($db, 'MAIN_UPLOAD_DOC', GETPOST('MAIN_UPLOAD_DOC', 'alpha'), 'chaine', 0, '', $conf->entity);
+ $res4 = dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK', 'alpha'), 'chaine', 0, '', $conf->entity);
+ $res5 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand), 'chaine', 0, '', $conf->entity);
+ $res6 = dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam), 'chaine', 0, '', $conf->entity);
+ if ($res3 && $res4 && $res5 && $res6) {
+ setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
+ }
}
} elseif ($action == 'deletefile') {
// Delete file
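Review bot: With `$dolibarr_main_restrict_os_commands` set, an empty antivirus command is now rejected: `basename(str_replace('\\', '/', ''))` is `''`, which is not in the allow-list, so an admin who leaves the field blank gets `CommandIsNotInsideAllowedCommands` and MAIN_UPLOAD_DOC / MAIN_UMASK are not saved either, because the whole save sits under `if (!$error)`. Unless a line above the hunk already skips empty values, guard the check with `if (!empty($dolibarr_main_restrict_os_commands) && trim($antivircommand) !== '') {`. The membership test should also be strict, `in_array($basenamecmddump, $arrayofallowedcommand, true)`, here and in the two export.php hunks. The trailing comment still refers to `$cmddump`, copied from export.php; rename it to `$antivircommand`. The enclosing `if ($action == 'updateform')` starts above the hunk.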
@@ -160,7 +176,7 @@ if (ini_get('safe_mode') && !empty($conf->global->MAIN_ANTIVIRUS_COMMAND)) {
dol_syslog("safe_mode is on, basedir is ".$basedir.", safe_mode_exec_dir is ".ini_get('safe_mode_exec_dir'), LOG_WARNING);
}
}
-print '';
+print '';
if (defined('MAIN_ANTIVIRUS_COMMAND') && !defined('MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) {
print '
'.$langs->trans("ValueIsForcedBySystem").'';
}
diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php
index 7a91f8f598c..c9655afb26d 100644
--- a/htdocs/admin/tools/export.php
+++ b/htdocs/admin/tools/export.php
@@ -123,8 +123,9 @@ if ($what == 'mysql') {
if (!empty($dolibarr_main_restrict_os_commands)) {
$arrayofallowedcommand = explode(',', $dolibarr_main_restrict_os_commands);
+ $arrayofallowedcommand = array_map('trim', $arrayofallowedcommand);
dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that one of this command is inside ".$cmddump);
- $basenamecmddump = basename($cmddump);
+ $basenamecmddump = basename(str_replace('\\', '/', $cmddump));
if (!in_array($basenamecmddump, $arrayofallowedcommand)) { // the provided command $cmddump must be an allowed command
$errormsg = $langs->trans('CommandIsNotInsideAllowedCommands');
}
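Review bot: The allow-list check is now the same seven lines in three places (this hunk, the postgresql hunk below, and admin/security_file.php), so the trim/basename normalisation this commit repairs can drift apart again at the next edit. A shared helper in a core lib, something like `function isAllowedOsCommand(string $command, string $allowedList): bool` (constructed name) that trims the list, normalises the path separators, takes the basename and returns a strict `in_array(..., true)`, would reduce each call site to a single `if`. The `$what == 'mysql'` block starts above the hunk.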
@@ -160,8 +161,9 @@ if ($what == 'postgresql') {
if (!empty($dolibarr_main_restrict_os_commands))
{
$arrayofallowedcommand=explode(',', $dolibarr_main_restrict_os_commands);
+ $arrayofallowedcommand = array_map('trim', $arrayofallowedcommand);
dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that one of this command is inside ".$cmddump);
- $basenamecmddump=basename($cmddump);
+ $basenamecmddump = basename(str_replace('\\', '/', $cmddump));
if (! in_array($basenamecmddump, $arrayofallowedcommand)) // the provided command $cmddump must be an allowed command
{
$errormsg=$langs->trans('CommandIsNotInsideAllowedCommands');
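Review bot: The two added lines use spaced assignments (`$arrayofallowedcommand = array_map(...)`, `$basenamecmddump = basename(...)`) while every neighbouring line in this postgresql block is unspaced (`$arrayofallowedcommand=explode(...)`, `$errormsg=$langs->...`) with Allman braces, so the block now mixes two styles. Either match the surrounding form here or reformat the whole block; a formatter pass on the file would settle it. The `$what == 'postgresql'` block starts above the hunk.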
diff --git a/htdocs/install/step1.php b/htdocs/install/step1.php
index 7958012b0a1..4df1370570a 100644
--- a/htdocs/install/step1.php
+++ b/htdocs/install/step1.php
@@ -908,7 +908,7 @@ function write_conf_file($conffile)
fputs($fp, '$dolibarr_main_force_https=\''.$main_force_https.'\';');
fputs($fp, "\n");
- fputs($fp, '$dolibarr_main_restrict_os_commands=\'mysqldump, mysql, pg_dump, pgrestore\';');
+ fputs($fp, '$dolibarr_main_restrict_os_commands=\'mysqldump, mysql, pg_dump, pgrestore, clamdscan, clamscan.exe\';');
fputs($fp, "\n");
fputs($fp, '$dolibarr_nocsrfcheck=\'0\';');
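Review bot: The new default list is inconsistent across platforms: `clamscan.exe` is allowed but `clamscan` is not, and `clamdscan` is allowed but `clamdscan.exe` is not, so a Linux install pointing at the non-daemon `clamscan` binary, or a Windows install using `clamdscan.exe`, is still rejected by admin/security_file.php. If both scanners are meant to work on both platforms, write `'mysqldump, mysql, pg_dump, pgrestore, clamdscan, clamdscan.exe, clamscan, clamscan.exe'`. This line is only written at install time, so existing sites keep their old conf.php list and will hit the new rejection until they edit it by hand; the upgrade notes should say so. The retained `pgrestore` also looks like it should be `pg_restore`, the actual PostgreSQL binary name, though that predates this commit. `write_conf_file` starts above the hunk.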