From c7652af3bc9dc0ee6017607f2bb45b792bc20d13 Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Wed, 3 Aug 2022 14:24:27 +0200
Subject: [PATCH 1/4] New : Add DoS security on GETPOST with img
---
 htdocs/admin/security_other.php | 15 +++++++++++++--
 htdocs/core/lib/functions.lib.php | 5 +++++
 htdocs/install/mysql/migration/16.0.0-17.0.0.sql | 1 +
 htdocs/langs/en_US/admin.lang | 2 ++
 4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index 79190725c16..090e2254541 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -61,14 +61,17 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) {
 dol_print_error($db);
 }
 } elseif ($action == 'updateform') {
- $res1 = 1; $res2 = 1;
+ $res1 = 1; $res2 = 1; $res3 = 1;
 if (GETPOSTISSET('MAIN_APPLICATION_TITLE')) {
 $res1 = dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET('MAIN_SESSION_TIMEOUT')) {
 $res2 = dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
- if ($res1 && $res2) {
+ if (GETPOSTISSET('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT')) {
+ $res3 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", GETPOST("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 'alphanohtml'), 'int', 0, '', $conf->entity);
+ }
+ if ($res1 && $res2 && $res3) {
 setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
 }
 }
@@ -174,6 +177,14 @@ print '';
 print '';
+print '';
+print ''.$langs->trans("MaxNumberOfImagesInGetPost").'';
+print '';
+print '';
+print ' '.strtolower($langs->trans("Images"));
+print '';
+print '';
+
 /*
 if (empty($conf->global->MAIN_APPLICATION_TITLE)) {
 $conf->global->MAIN_APPLICATION_TITLE = "";
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 90288645003..cf4b19d3aa6 100644
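Review bot: The new `MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT` branch of the `updateform` block persists whatever the form posts: the value is read with the `'alphanohtml'` check and saved with type `'int'`, but nothing verifies it is a positive integer, so `0`, a negative number or a non-numeric string is stored and becomes the image threshold that `sanitizeVal()` compares against. Whatever such a value casts to on read (presumably 0 for a non-numeric string), a threshold of 0 would blank every `restricthtml` value that contains an image, turning a DoS guard into a data-loss bug. I would read the value with the `'int'` check (if GETPOST supports it in this version), refuse anything below 1 with an error event message instead of saving it, and set `$res3 = 0` in that case so the success message is not shown. The second hunk of this file only renders the input and needs no change beyond that.
```php
if (GETPOSTISSET('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT')) {
	$maximg = GETPOST("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 'int');
	if ($maximg < 1) {
		// Refuse the value rather than persist a threshold that would disable or break the check
		setEventMessages($langs->trans("MaxNumberOfImagesInGetPost").': '.$maximg, null, 'errors');
		$res3 = 0;
	} else {
		$res3 = dolibarr_set_const($db, "MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", $maximg, 'int', 0, '', $conf->entity);
	}
}
// … unchanged: success message on $res1 && $res2 && $res3 …
```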
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -954,6 +954,11 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
 // Restore entity ' into ' (restricthtml is for html content so we can use html entity)
 $out = preg_replace('/'/i', "'", $out);
+
+ preg_match_all('/( (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) {
+ $out = '';
+ }
 } while ($oldstringtoclean != $out);
 break;
 case 'custom':
diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
index 4ab1b1e1fa3..597681c4ad5 100644
--- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
+++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
@@ -73,3 +73,4 @@ ALTER TABLE llx_commande_fournisseur_dispatch ADD INDEX idx_commande_fournisseur
 ALTER TABLE llx_recruitment_recruitmentcandidature ADD email_date datetime after email_msgid;
 ALTER TABLE llx_ticket ADD email_date datetime after email_msgid;
+INSERT INTO llx_const (name, entity, value, type, visible) VALUES ('MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT', 1, 1000, 'int', 0);
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 7148e19fb48..6ca93dc7788 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -2287,4 +2287,6 @@ DoesNotWorkWithAllThemes=Will not work with all themes
 NoName=No name
 ShowAdvancedOptions= Show advanced options
 HideAdvancedoptions= Hide advanced options
+Images=Images
+MaxNumberOfImagesInGetPost=Max number of images allowed in GETPOST check
 CIDLookupURL=The module brings an URL that can be used by an external tool to get the name of a thirdparty or contact from its phone number. URL to use is:
From 09e47a5a8a23aa96ce26a61894d221494a5f25d9 Mon Sep 17 00:00:00 2001
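Review bot: When the image count exceeds the limit the new block does `$out = '';`, which silently discards the whole submitted HTML: the caller receives an empty string and cannot tell a rejected payload from a field the user left blank, and nothing is logged, so the guard firing in production would look like random data loss. Elsewhere in `sanitizeVal()` a rejected HTML string is signalled with a distinct value (`return 'InvalidHTMLString';` is visible in the patch 2 context further down), so I would return that sentinel here instead, `return 'InvalidHTMLString';`, or at minimum log the length and match count before clearing. The `preg_match_all()` pattern and the comparison line are garbled in this rendering (the `<img` token and the `if (...)` appear to have been swallowed), so I cannot check the regex itself; worth confirming it is case-insensitive and that the count is taken from the same match group. `sanitizeVal()` and its `restricthtml` case start well above this hunk.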
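Review bot: The seed row is inserted unconditionally and only for entity 1, while the admin page in this same series saves the constant with `$conf->entity`, so on a multi-entity install other entities never get the row, and on a database where the constant already exists the INSERT would collide with the unique key unless the migration runner tolerates that error, which I cannot tell from here. Since the read side in `functions.lib.php` already falls back to 1000 when the constant is absent, the row adds nothing; I would drop it, or if it has to stay for visibility in the const table, add a comment above it such as `-- Optional: sanitizeVal() defaults to 1000 when this constant is absent` so the next migration author knows it is not load-bearing.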
From: lmarcouiller
Date: Wed, 3 Aug 2022 14:27:58 +0200
Subject: [PATCH 2/4] Add DoS security on sanitizeVal() with img
---
 htdocs/core/lib/functions.lib.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index cf4b19d3aa6..5f9e1b7f4cc 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -923,6 +923,10 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
 // Remove the trick added to solve pb with text without parent tag
 $out = preg_replace('/^
/', '', $out);
 $out = preg_replace('/<\/div>$/', '', $out);
+ preg_match_all('/( (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) {
+ $out = '';
+ }
 } catch (Exception $e) {
 //print $e->getMessage();
 return 'InvalidHTMLString';
From 02c09704513f847e084d3f169b71d4e339ee6ccb Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Wed, 3 Aug 2022 14:35:41 +0200
Subject: [PATCH 3/4] remove error
---
 htdocs/core/lib/functions.lib.php | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 5f9e1b7f4cc..cf4b19d3aa6 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -923,10 +923,6 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
 // Remove the trick added to solve pb with text without parent tag
 $out = preg_replace('/^
/', '', $out);
 $out = preg_replace('/<\/div>$/', '', $out);
- preg_match_all('/( (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) {
- $out = '';
- }
 } catch (Exception $e) {
 //print $e->getMessage();
 return 'InvalidHTMLString';
From 99141928a3cbf0e95ca15e6099584fa71eac923d Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Wed, 3 Aug 2022 17:00:39 +0200
Subject: [PATCH 4/4] better fix
---
 htdocs/core/lib/functions.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index cf4b19d3aa6..90698c95f80 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -955,8 +955,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
 // Restore entity ' into ' (restricthtml is for html content so we can use html entity)
 $out = preg_replace('/'/i', "'", $out);
- preg_match_all('/( (getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") ? getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT") : 1000)) {
+ preg_match_all('/( getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
 $out = '';
 }
 } while ($oldstringtoclean != $out);
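Review bot: Replacing the ternary with `getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)` changes the fallback: the removed form used 1000 whenever the constant was unset or 0, whereas a default argument presumably applies only when the key is unset, so a stored 0 (which the admin form added in patch 1 accepts, since it does not range-check the value) would now become a threshold of 0 and every `restricthtml` value containing an image would be blanked. If that reading of `getDolGlobalInt()` is right, clamp the threshold on this line by wrapping the call as `max(1, getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000))`, or reject values below 1 where the setting is saved. The `if` line itself is garbled in this rendering (the `<img` token appears to have swallowed the comparison), so the exact expression should be checked against the real file. The enclosing `do { } while` and `sanitizeVal()` both start outside the hunk.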