From d51d169c8a78a92aaf61dac4a2f3805a891ac90d Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Sat, 19 Sep 2020 04:03:32 +0200 Subject: [PATCH] FIX Yogosha report 4456 (backport) --- htdocs/conf/conf.php.example | 24 ++++++++++++------- htdocs/cron/class/cronjob.class.php | 37 ++++++++++++++++++----------- htdocs/langs/en_US/errors.lang | 3 ++- 3 files changed, 40 insertions(+), 24 deletions(-) diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example index 4d26fef7965..def20f3f8b9 100644 --- a/htdocs/conf/conf.php.example +++ b/htdocs/conf/conf.php.example @@ -217,10 +217,10 @@ $dolibarr_main_authentication='dolibarr'; // 1 = Force redirect to https, until SCRIPT_URI start with https into response // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response // 'https://my.domain.com' = Force reditect to https using this domain name. -// Warning: If you enable this parameter, your web server must be configured to -// respond URL with https protocol. -// According to your web server setup, some values may works and other not. Try -// different values (1,2 or 'https://my.domain.com') if you experience problems. +// Warning: If you enable this parameter, your web server must be configured to respond URL with https protocol. +// According to your web server setup, some values may works and other not. Try different values (1,2 or 'https://my.domain.com') if you experience problems. +// Even if a redirect to HTTPS is forced by the webserver, it is recommanded to set this value to another value than 0, so your session cookies will be +// flagged as secured. // Default value: 0 // Possible values: 0, 1, 2 or 'https://my.domain.com' // Examples: 
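Review bot: The two added comment lines at the end of the `$dolibarr_main_force_https` description contain typos and an imprecise term ("recommanded", "flagged as secured"); suggest `// Even if a redirect to HTTPS is forced by the webserver, it is recommended to set this value to something other than 0, so your session cookies get the Secure flag.` The claim that a non-zero value causes the Secure cookie flag to be set is not visible in this patch; if it relies on session setup code elsewhere, naming that place would let an admin verify the effect. The pre-existing "reditect" typo on the context line above could be fixed in the same pass.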
@@ -231,12 +231,12 @@ $dolibarr_main_force_https='0'; // dolibarr_main_prod // When this parameter is defined, all errors messages are not reported. // This feature exists for production usage to avoid to give any information to hackers. -// Default value: 0 +// Default value: 1 // Possible values: 0 or 1 // Examples: -// $dolibarr_main_prod='0'; +// $dolibarr_main_prod='1'; // -$dolibarr_main_prod='0'; +$dolibarr_main_prod='1'; // $dolibarr_main_restrict_os_commands // To restrict commands you can execute by the backup feature, enter allowed command here. @@ -258,8 +258,8 @@ $dolibarr_main_restrict_ip=''; // dolibarr_nocsrfcheck // This parameter can be used to disable CSRF protection. -// This might be required if you access Dolibarr behind a proxy that make -// URL rewriting, to avoid false alarms. +// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms. +// In most cases, you should always keep this to 0. // Default value: 0 // Possible values: 0 or 1 // Examples: @@ -267,6 +267,12 @@ $dolibarr_main_restrict_ip=''; // $dolibarr_nocsrfcheck='0'; +// dolibarr_cron_allow_cli +// If set to 1, you will be able to define some command line in the internal Job scheduler (cronjob) module. +// Default value: '0' +// Examples: '1' +$dolibarr_cron_allow_cli='0'; + // dolibarr_mailing_limit_sendbyweb // Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level. // Default value: '25' diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index 7934a628880..930b9b0e5a2 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php 
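Review bot: Flipping the shipped default of `$dolibarr_main_prod` to `'1'` is the right fail-safe, but the unchanged description "all errors messages are not reported" under-states what an operator loses: detailed PHP/SQL error text will no longer be shown in the browser during setup or debugging. Suggest `// When set to 1, detailed error messages are not shown to users (they would reveal paths, SQL and versions to an attacker). Keep this to 1 on any internet-facing install; set 0 only temporarily while debugging.` Note this only affects new installs that copy the example; an existing conf.php keeps whatever value it already has, which is presumably the intent but is worth saying in the commit message.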
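Review bot: The new `dolibarr_cron_allow_cli` block should state the security consequence of enabling it, since that consequence is the reason the switch exists: with `'1'`, anyone allowed to create or edit scheduled jobs of type "command" can run arbitrary OS command lines with the web server's privileges. Suggest replacing the description with `// If set to 1, jobs of type 'command' in the internal Job scheduler may run an OS command line. Leave at 0 unless you need it: with 1, any user allowed to edit scheduled jobs can execute arbitrary commands as the web server user.` It would also help to say that an absent or empty value is treated as disabled, so existing installations whose conf.php predates this setting are protected without editing it — that matches the `empty()` check in cronjob.class.php. The `// Possible values: 0 or 1` line used by the neighbouring parameters is missing here.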
@@ -1168,23 +1168,32 @@ class Cronjob extends CommonObject // Run a command line if ($this->jobtype=='command') { - $outputdir = $conf->cron->dir_temp; - if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; + global $dolibarr_cron_allow_cli; - if (! empty($outputdir)) - { - dol_mkdir($outputdir); - $outputfile=$outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method + if (empty($dolibarr_cron_allow_cli)) { + $langs->load("errors"); + $this->error = $langs->trans("FailedToExecutCommandJob"); + $this->lastoutput = ''; + $this->lastresult = $langs->trans("ErrorParameterMustBeEnabledToAllwoThisFeature", 'dolibarr_cron_allow_cli'); + } else { + $outputdir = $conf->cron->dir_temp; + if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; - // Execute a CLI - include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; - $utils = new Utils($this->db); - $arrayresult = $utils->executeCLI($this->command, $outputfile); + if (!empty($outputdir)) + { + dol_mkdir($outputdir); + $outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method - $retval = $arrayresult['result']; - $this->error = $arrayresult['error']; - $this->lastoutput = $arrayresult['output']; - $this->lastresult = $arrayresult['result']; + // Execute a CLI + include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; + $utils = new Utils($this->db); + $arrayresult = $utils->executeCLI($this->command, $outputfile); + + $retval = $arrayresult['result']; + $this->error = $arrayresult['error']; + $this->lastoutput = $arrayresult['output']; + $this->lastresult = $arrayresult['result']; + } } } diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index 4c8e761da9a..e5415125e81 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang 
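Review bot: The refusal branch (`if (empty($dolibarr_cron_allow_cli))`) fills `error`, `lastoutput` and `lastresult` but never assigns `$retval`, whereas the execution path sets `$retval = $arrayresult['result']`; if the code after this hunk (the method continues past it) uses `$retval` to decide whether the job succeeded, a blocked command job may inherit a stale value or be treated as not run rather than failed. Consider adding `$retval = -1;` (or whatever value the post-hunk code treats as failure) to that branch. The branch also calls `$langs->load("errors")`, which only works if `$langs` is already declared global in this method alongside `$conf` — that declaration is outside the hunk, so please confirm. Finally, the translation key `ErrorParameterMustBeEnabledToAllwoThisFeature` is misspelled ("Allwo") and is introduced here and in errors.lang in the same commit; renaming it now, before other language files pick it up, is cheap.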
@@ -218,6 +218,7 @@ ErrorVariableKeyForContentMustBeSet=Error, the constant with name %s (with text ErrorURLMustStartWithHttp=URL %s must start with http:// or https:// ErrorNewRefIsAlreadyUsed=Error, the new reference is already used ErrorDeletePaymentLinkedToAClosedInvoiceNotPossible=Error, delete payment linked to a closed invoice is not possible. +ErrorParameterMustBeEnabledToAllwoThisFeature=Error, parameter %s must be enabled into conf/conf.php to allow use of Command Line Interface by the internal job scheduler # Warnings WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup. WarningPasswordSetWithNoAccount=A password was set for this member. However, no user account was created. So this password is stored but can't be used to login to Dolibarr. It may be used by an external module/interface but if you don't need to define any login nor password for a member, you can disable option "Manage a login for each member" from Member module setup. If you need to manage a login but don't need any password, you can keep this field empty to avoid this warning. Note: Email can also be used as a login if the member is linked to a user. @@ -242,4 +243,4 @@ WarningYourLoginWasModifiedPleaseLogin=Your login was modified. For security pur WarningAnEntryAlreadyExistForTransKey=An entry already exists for the translation key for this language WarningNumberOfRecipientIsRestrictedInMassAction=Warning, number of different recipient is limited to %s when using the mass actions on lists WarningDateOfLineMustBeInExpenseReportRange=Warning, the date of line is not in the range of the expense report -WarningProjectClosed=Project is closed. You must re-open it first. \ No newline at end of file +WarningProjectClosed=Project is closed. You must re-open it first.