lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix regression in dol_eval

Browse Source
This commit is contained in:
Laurent Destailleur 2022-05-09 21:56:21 +02:00
parent b3bfe22f58
commit ef18456724
2 changed files with 38 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/lib/functions.lib.php
View File

@ -8200,7 +8200,7 @@ function verifCond($strToEvaluate)
* @param string $s String to evaluate * @param string $s String to evaluate
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)). * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
* @param int $hideerrors 1=Hide errors * @param int $hideerrors 1=Hide errors
* @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s$_->&|=';, 2=Accept also '!?():"\';,/' * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_+-.*\/>&|=!?():"\',/';, 2=Accept also ';[]'
* @return mixed Nothing or return result of eval * @return mixed Nothing or return result of eval
*/ */
function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1') function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
@ -8218,7 +8218,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
// Test dangerous char (used for RCE), we allow only PHP variable testing. // Test dangerous char (used for RCE), we allow only PHP variable testing.
if ($onlysimplestring == '1') { if ($onlysimplestring == '1') {
//print preg_quote('$_->&|', '/'); //print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('$_+-*/>&|=!?():"', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
@ -8228,7 +8228,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
} }
} elseif ($onlysimplestring == '2') { } elseif ($onlysimplestring == '2') {
//print preg_quote('$_->&|', '/'); //print preg_quote('$_->&|', '/');
if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-*/>&|=!?():"\';,/', '/').']/i', $s)) { if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-.*/>&|=!?():"\',/;[]', '/').']/i', $s)) {
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s; return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
} else { } else {
@ -8245,7 +8245,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
return ''; return '';
} }
} }
if (strpos($s, '.') !== false) { if (preg_match('/[^0-9]+\.[^0-9]+/', $s)) { // We refuse . if not between 2 numbers
if ($returnvalue) { if ($returnvalue) {
return 'Bad string syntax to evaluate (dot char is forbidden): '.$s; return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
} else { } else {

62
test/phpunit/SecurityTest.php
View File

@ -584,34 +584,6 @@ class SecurityTest extends PHPUnit\Framework\TestCase
return $result; return $result;
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login=checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login=checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, ''); // Expected '' because should failed because login 'auto' does not exists
}
/** /**
* testEncodeDecode * testEncodeDecode
* *
@ -919,6 +891,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n"; print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result); $this->assertContains('Bad string syntax to evaluate', $result);
$result=dol_eval("90402.38+267678+0", 1, 1, 1);
print "result = ".$result."\n";
$this->assertEquals('358080.38', $result);
global $leftmenu; global $leftmenu;
$leftmenu = 'admintools'; $leftmenu = 'admintools';
$result=dol_eval('$conf->currency && preg_match(\'/^(admintools|all)/\',$leftmenu)', 1, 0, '2'); $result=dol_eval('$conf->currency && preg_match(\'/^(admintools|all)/\',$leftmenu)', 1, 0, '2');
@ -936,4 +913,33 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print "result = ".$result."\n"; print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result); $this->assertContains('Bad string syntax to evaluate', $result);
} }
/**
* testCheckLoginPassEntity
*
* @return void
*/
public function testCheckLoginPassEntity()
{
$login=checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, '');
$login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
$login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, 'admin');
$login=checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
print __METHOD__." login=".$login."\n";
$this->assertEquals($login, ''); // Expected '' because should failed because login 'auto' does not exists
}
} }