diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index de5e3f7201b..75832d42d0a 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8308,10 +8308,10 @@ function verifCond($strToEvaluate)
 //print $strToEvaluate."\n";
 $rights = true;
 if (isset($strToEvaluate) && $strToEvaluate !== '') {
- $str = 'if(!('.$strToEvaluate.')) $rights = false;';
- dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
- //$rep = dol_eval($strToEvaluate, 1, 1 , '1'); // The dol_eval must contains all the global $xxx used into a condition
- //$rights = ($rep ? true : false);
+ //$str = 'if(!('.$strToEvaluate.')) $rights = false;';
+ //dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
+ $rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx used into a condition
+ $rights = ($rep ? true : false);
 }
 return $rights;
 }
@@ -8338,10 +8338,10 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
 global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
 global $soc; // For backward compatibility

- // Test dangerous char (used for RCE), we allow only PHP variable testing.
+ // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
 if ($onlysimplestring == '1') {
 //print preg_quote('$_->&|', '/');
- if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) {
+ if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s)) {
 if ($returnvalue) {
 return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
 } else {
@@ -8360,6 +8360,9 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
 }
 }
 }
+ if (strpos($s, '::') !== false) {
+ return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
+ }
 if (strpos($s, '`') !== false) {
 return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
 }
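Review bot: The new `$rights = ($rep ? true : false);` turns a refused condition into a granted right: when dol_eval rejects the string with `$returnvalue` set it returns the non-empty message `'Bad string syntax to evaluate ...'.$s` (visible in the simplestring branch and in the `::`/backtick checks later in this diff), and a non-empty string is truthy, so a blocked or malformed condition ends with `$rights = true`. The old path also left `$rights` at its default of true when the string was refused, so this is carried over rather than introduced, but it is now the only path and should be closed. Treating the diagnostic as a denial keeps verifCond fail-closed: `$rights = (is_string($rep) && strpos($rep, 'Bad string syntax') === 0) ? false : (bool) $rep;`, ideally paired with a dol_syslog of the refused string so the rejection is not silent. Moving from mode '2' to mode '1' also means every stored condition string must now fit the simplestring character set, and any that does not will stop evaluating without an error; that behaviour change is worth stating in the commit message.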
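Review bot: Adding `:` to the allowlist (with `!` and `?`) makes the static scope operator `::` expressible in simplestring mode for the first time, and the only thing keeping it out is the separate `strpos($s, '::')` check added further down this diff; nothing at the `preg_quote('$_->&|=!?:', '/')` line records that dependency. A comment there would stop a later cleanup from removing the second check: `// ':' and '?' are admitted for the ternary operator only; the '::' scope operator is rejected separately below`. Note too that `=` was already in the set and, together with `$`, `->` and letters, appears to still permit a single `=` assignment inside an evaluated condition; if assignment is not an intended use, rejecting a lone `=` with something like `preg_match('/(?<![=!])=(?!=)/', $s)` keeps `==`, `!=` and `===` while closing that gap. The if/else that begins here continues past the end of the hunk.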
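Review bot: The new `::` check returns its diagnostic string unconditionally, ignoring `$returnvalue`, whereas the simplestring check above it tests `if ($returnvalue)` before returning the message; a caller that passed `$returnvalue = 0` and discards the result gets a silent no-op, and a caller that passed 1 receives a truthy string it can mistake for a successful evaluation, which is exactly what verifCond in this same diff does. Aligning the new block with the existing structure (return the message only when `$returnvalue` is set, otherwise follow whatever the else branch above does and return an empty value) keeps the two rejection paths consistent and lets callers tell refusal from a false result. The backtick check that follows has the same asymmetry, so both are best fixed together. Placing the check outside the `$onlysimplestring == '1'` guard is right, since it then also protects the other evaluation modes; dol_eval continues past the end of the hunk.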