Fix #15949 by introducing 'alphawithlgt' as GETPOST possible param.

This commit is contained in:
Laurent Destailleur 2021-01-12 21:06:02 +01:00
parent 2e9f3b803d
commit 958b255822
3 changed files with 23 additions and 2 deletions


@ -675,7 +675,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
case 'nohtml':
$out = dol_string_nohtmltag($out, 0);
break;
case 'alpha': // No html and no " and no ../
case 'alpha': // No html and no ../ and " replaced with ''
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@ -686,6 +686,14 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
$out = dol_string_nohtmltag($out, 0);
}
break;
case 'alphawithlgt': // No " and no ../ but we keep < > tags
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('&quot;', '"'), "", trim($out));
$out = str_replace(array('../'), '', $out);
}
break;
case 'restricthtml': // Recommended for most html textarea
$out = dol_string_onlythesehtmltags($out, 0, 1, 1);
break;
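Review bot: The new 'alphawithlgt' case removes only `"`, `&quot;` and `../`, so the value it returns still carries `<`, `>` and single quotes and is not safe to echo into HTML or an attribute as-is; the case comment should state that contract, e.g. `// No " and no ../ but we keep < > tags: caller MUST still escape on output (dol_escape_htmltag / htmlspecialchars)`. The `str_replace(array('../'), '', $out)` on the second-to-last added line is a single pass and therefore not idempotent — a value can still contain `../` after one pass — so a stable-point loop such as `do { $prev = $out; $out = str_replace('../', '', $out); } while ($out !== $prev);` would make the filter match its comment (the 'alpha' branch above presumably has the same shape; if so, fix both). The docblock of checkVal that enumerates the accepted $check values starts outside this hunk and should list the new value. Minor: 'transversals' in the added comment should read 'traversals'.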


@ -196,7 +196,7 @@ if ($action == 'presend')
}
$formmail->withto = $liste;
$formmail->withtofree = (GETPOSTISSET('sendto') ? (GETPOST('sendto') ? GETPOST('sendto') : '1') : '1');
$formmail->withtofree = (GETPOSTISSET('sendto') ? (GETPOST('sendto', 'alphawithlgt') ? GETPOST('sendto', 'alphawithlgt') : '1') : '1');
$formmail->withtocc = $liste;
$formmail->withtoccc = $conf->global->MAIN_EMAIL_USECCC;
$formmail->withtopic = $topicmail;
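Review bot: The changed `withtofree` line calls `GETPOST('sendto', 'alphawithlgt')` twice and, because 'alphawithlgt' keeps `<`, `>` and `'`, the value assigned here is still HTML-sensitive, so wherever FormMail renders `withtofree` into the input it must escape it (that rendering is outside this hunk; please confirm). Computing the value once reads better and avoids the double filter call: `$sendto = GETPOST('sendto', 'alphawithlgt');` followed by `$formmail->withtofree = (GETPOSTISSET('sendto') && $sendto) ? $sendto : '1';`. A short comment on why `'1'` is the fallback would help, as the magic value is not explained here. The enclosing `if ($action == 'presend')` block starts outside the hunk.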


@ -287,6 +287,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param8"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'"; // html tag is not closed so it is not detected as html tag but is still harmfull
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> ';
$result=GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n";
@ -334,6 +335,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($_GET["param5"], $result);
$result=GETPOST("param6", 'alpha');
print __METHOD__." result=".$result."\n";
$this->assertEquals('\'\'>', $result);
$result=GETPOST("param6", 'nohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals('">', $result);
@ -356,6 +361,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10');
$result=GETPOST("param11", 'alphanohtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals("Name", $result, 'Test an email string with alphanohtml');
$result=GETPOST("param11", 'alphawithlgt');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
return $result;
}
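Review bot: The new param11 assertion in the last hunk only shows that the angle-bracketed address survives 'alphawithlgt'; nothing exercises the removal the filter claims to do. Add a fixture next to param11 in the first hunk, `$_POST["param12"]='a "b" ../c';` (constructed sample), and in the last hunk `$this->assertEquals('a b c', GETPOST("param12", 'alphawithlgt'), 'alphawithlgt strips double quotes and ../');`, so a regression in either replacement is caught. `assertSame` would be stricter than `assertEquals` for these string results. The test method these hunks belong to starts outside the hunk.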