From 9490e13c21590cdd1c7a224f4ee05571c63d11a1 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 29 Sep 2017 14:52:05 +0200 Subject: [PATCH 1/4] Fix: command not found with escapeshellarg ! --- htdocs/core/class/antivir.class.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/htdocs/core/class/antivir.class.php b/htdocs/core/class/antivir.class.php index 357f184eea8..7fa7d866489 100644 --- a/htdocs/core/class/antivir.class.php +++ b/htdocs/core/class/antivir.class.php @@ -63,9 +63,9 @@ class AntiVir if (preg_match('/\.virus$/i', $file)) { $this->errors='File has an extension saying file is a virus'; - return -97; + return -97; } - + $fullcommand=$this->getCliCommand($file); //$fullcommand='"c:\Program Files (x86)\ClamWin\bin\clamscan.exe" --database="C:\Program Files (x86)\ClamWin\lib" "c:\temp\aaa.txt"'; $fullcommand.=' 2>&1'; // This is to get error output @@ -160,7 +160,8 @@ class AntiVir if (! preg_match('/%file/',$conf->global->MAIN_ANTIVIRUS_PARAM)) $param=$param." ".escapeshellarg(trim($file)); - if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. + //if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. + if (preg_match("/\s/",$command)) $command=escapeshellcmd($command); // Use quotes on command. Using escapeshellarg fails. $ret=$command.' '.$param; //$ret=$command.' '.$param.' 2>&1'; From a88938ace458ca62d0db62fe0cca0b2ad14b4f15 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 3 Oct 2017 17:08:16 +0200 Subject: [PATCH 2/4] Fix: use GETPOST --- htdocs/admin/security_file.php | 16 ++++++++-------- htdocs/core/class/antivir.class.php | 3 +-- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 161ef427265..3e66e0ba541 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php 
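Review bot: The new line in the @@ -160,7 +160,8 @@ hunk passes `$command` through escapeshellcmd(), which backslash-escapes shell metacharacters (including the parentheses of a path like the `(x86)` example quoted earlier in this file) but leaves whitespace untouched, so the one case the `\s` guard selects — an executable path containing spaces — still reaches the shell unquoted and is word-split. The comment kept on that line, `// Use quotes on command.`, no longer matches what the code does; either quote the command (strip any quotes the admin typed, then escapeshellarg()) or change the comment to `// Escape metacharacters only; the command is NOT quoted here`. The enclosing method (presumably getCliCommand(), judging by the earlier hunk) starts and ends outside the hunk.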
@@ -1,7 +1,7 @@ - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2013 Juanjo Menent +/* Copyright (C) 2004-2017 Laurent Destailleur + * Copyright (C) 2005-2017 Regis Houssin + * Copyright (C) 2013 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -54,7 +54,7 @@ if (GETPOST('sendit') && ! empty($conf->global->MAIN_UPLOAD_DOC)) if (preg_match('/set_(.*)/',$action,$reg)) { $code=$reg[1]; - $value=(GETPOST($code) ? GETPOST($code) : 1); + $value=(GETPOST($code, 'alpha') ? GETPOST($code, 'alpha') : 1); if (dolibarr_set_const($db, $code, $value, 'chaine', 0, '', $conf->entity) > 0) { Header("Location: ".$_SERVER["PHP_SELF"]); @@ -82,10 +82,10 @@ else if (preg_match('/del_(.*)/',$action,$reg)) else if ($action == 'updateform') { - $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',$_POST["MAIN_UPLOAD_DOC"],'chaine',0,'',$conf->entity); - $res4=dolibarr_set_const($db, "MAIN_UMASK", $_POST["MAIN_UMASK"],'chaine',0,'',$conf->entity); - $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", $_POST["MAIN_ANTIVIRUS_COMMAND"],'chaine',0,'',$conf->entity); - $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", $_POST["MAIN_ANTIVIRUS_PARAM"],'chaine',0,'',$conf->entity); + $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','int'),'chaine',0,'',$conf->entity); + $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','int'),'chaine',0,'',$conf->entity); + $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", GETPOST('MAIN_ANTIVIRUS_COMMAND','alpha'),'chaine',0,'',$conf->entity); + $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", GETPOST('MAIN_ANTIVIRUS_PARAM','alpha'),'chaine',0,'',$conf->entity); if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } 
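Review bot: In the @@ -54,7 +54,7 @@ hunk the constant name `$code` still comes from an unanchored `/set_(.*)/` match on `$action`, so anything after `set_` is written to the configuration under that name; the new 'alpha' filter sanitises only the value. Anchoring and restricting the name, `if (preg_match('/^set_([A-Za-z0-9_]+)$/', $action, $reg))`, limits this admin endpoint to well-formed constant names. Note also that the ternary turns a posted `0` or empty value into 1; if set_* is meant as a pure enable switch that deserves a comment such as `// set_* always enables: an empty or 0 value is stored as 1`. Whether an admin-permission and CSRF token check precedes this code is outside the hunk.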
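Review bot: In the @@ -82,10 +82,10 @@ hunk the four dolibarr_set_const() results are only used to print the success message; when one of them fails there is no error branch, the earlier constants have already been written, and the admin sees nothing. Adding an `else` that reports the failure with setEventMessages(..., 'errors') makes a partial update visible instead of silent. The 'int' filters introduced here for MAIN_UPLOAD_DOC and MAIN_UMASK are reworked by the later patches in this series, so they are not re-raised here.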
diff --git a/htdocs/core/class/antivir.class.php b/htdocs/core/class/antivir.class.php index 7fa7d866489..b5f4f0e5539 100644 --- a/htdocs/core/class/antivir.class.php +++ b/htdocs/core/class/antivir.class.php @@ -160,8 +160,7 @@ class AntiVir if (! preg_match('/%file/',$conf->global->MAIN_ANTIVIRUS_PARAM)) $param=$param." ".escapeshellarg(trim($file)); - //if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. - if (preg_match("/\s/",$command)) $command=escapeshellcmd($command); // Use quotes on command. Using escapeshellarg fails. + if (preg_match("/\s/",$command)) $command=escapeshellarg($command); // Use quotes on command. Using escapeshellcmd fails. $ret=$command.' '.$param; //$ret=$command.' '.$param.' 2>&1'; From 2f02015c30606e248e2247e38a7784f9d6075f6e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 3 Oct 2017 17:58:50 +0200 Subject: [PATCH 3/4] Update security_file.php --- htdocs/admin/security_file.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 3e66e0ba541..2d2554e8c19 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php 
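Review bot: The restored line in the @@ -160,8 +160,7 @@ hunk applies escapeshellarg() to the whole `$command` whenever it contains whitespace; escapeshellarg() wraps the entire value in quotes (and on Windows also replaces embedded double quotes with spaces), so a path the admin already quoted, such as `"c:\Program Files (x86)\ClamWin\bin\clamscan.exe"` — the spelling patch 4/4 of this series explicitly starts accepting — is looked up literally and produces the command-not-found failure patch 1/4 set out to fix. Stripping quotes the admin typed before quoting once, `if (preg_match("/\s/",$command)) $command=escapeshellarg(trim($command, "\"'"));`, keeps both spellings working. The enclosing method starts and ends outside the hunk.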
@@ -82,8 +82,8 @@ else if (preg_match('/del_(.*)/',$action,$reg)) else if ($action == 'updateform') { - $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','int'),'chaine',0,'',$conf->entity); - $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','int'),'chaine',0,'',$conf->entity); + $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','alpha'),'chaine',0,'',$conf->entity); + $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','alpha'),'chaine',0,'',$conf->entity); $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", GETPOST('MAIN_ANTIVIRUS_COMMAND','alpha'),'chaine',0,'',$conf->entity); $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", GETPOST('MAIN_ANTIVIRUS_PARAM','alpha'),'chaine',0,'',$conf->entity); if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); From 386c8215ee2eb07745773d91815ccb97506fc443 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 3 Oct 2017 18:06:32 +0200 Subject: [PATCH 4/4] Update security_file.php --- htdocs/admin/security_file.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index 2d2554e8c19..310c52ca3a6 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php 
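Review bot: In the @@ -82,8 +82,8 @@ hunk MAIN_UMASK is now stored as an arbitrary 'alpha' string with no check that it is an octal file mode, and MAIN_UPLOAD_DOC (presumably a size limit) loses the integer cast without gaining a numeric check. If the mask is later fed to octdec()/umask() — not visible here — a malformed value would silently become 0 and newly created upload files could end up far more permissive than intended. Refusing the update unless `preg_match('/^0?[0-7]{3}$/', GETPOST('MAIN_UMASK','alpha'))` and `ctype_digit(GETPOST('MAIN_UPLOAD_DOC','alpha'))` both hold keeps the settings well-formed while still accepting the leading-zero spelling the 'int' filter presumably dropped. The enclosing updateform branch closes outside the hunk.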
@@ -84,8 +84,8 @@ else if ($action == 'updateform') { $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','alpha'),'chaine',0,'',$conf->entity); $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','alpha'),'chaine',0,'',$conf->entity); - $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", GETPOST('MAIN_ANTIVIRUS_COMMAND','alpha'),'chaine',0,'',$conf->entity); - $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", GETPOST('MAIN_ANTIVIRUS_PARAM','alpha'),'chaine',0,'',$conf->entity); + $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim(GETPOST('MAIN_ANTIVIRUS_COMMAND','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " + $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim(GETPOST('MAIN_ANTIVIRUS_PARAM','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); }
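Review bot: In the @@ -84,8 +84,8 @@ hunk MAIN_ANTIVIRUS_COMMAND and MAIN_ANTIVIRUS_PARAM are now stored verbatim ('none'), and antivir.class.php in this same series concatenates them straight into the shell command line (`$ret=$command.' '.$param`, with only the file name escaped), so this form is effectively a command-execution setting and must remain behind the admin-permission and CSRF token checks assumed to sit above this hunk. A cheap sanity check before storing would also catch the typo class patch 1/4 was chasing: `$cmd=trim(GETPOST('MAIN_ANTIVIRUS_COMMAND','none'), "\"'");` followed by `if ($cmd !== '' && strpbrk($cmd, '/\\') !== false && ! is_executable($cmd))` skipping the dolibarr_set_const() calls with an error message — limited to values containing a path separator so bare names resolved through PATH keep working. The comment `// Use GETPOST none because we must accept "` would be clearer as `// 'none': the value is a shell command line typed by an admin and may legitimately contain quotes`.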