Fix #yogosha6561
parent
db95339085
commit
f8eadf6fe1
@ -1029,10 +1029,11 @@ function dol_size($size, $type = '')
|
||||
|
||||
|
||||
/**
|
||||
* Clean a string to use it as a file name
|
||||
* Clean a string to use it as a file name.
|
||||
* Replace also '--' and ' -' strings, they are used for parameters separation.
|
||||
*
|
||||
* @param string $str String to clean
|
||||
* @param string $newstr String to replace bad chars with
|
||||
* @param string $newstr String to replace bad chars with.
|
||||
* @param int $unaccent 1=Remove also accent (default), 0 do not remove them
|
||||
* @return string String cleaned (a-zA-Z_)
|
||||
*
|
||||
@ -1044,8 +1045,11 @@ function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1)
|
||||
// Char '>' '<' '|' '$' and ';' are special chars for shells.
|
||||
// Char '/' and '\' are file delimiters.
|
||||
// -- car can be used into filename to inject special paramaters like --use-compress-program to make command with file as parameter making remote execution of command
|
||||
$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '--');
|
||||
return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
|
||||
$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';');
|
||||
$tmp = dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
|
||||
$tmp = preg_replace('/\-\-+/', '_', $tmp);
|
||||
$tmp = preg_replace('/\s+\-/', ' _', $tmp);
|
||||
return $tmp;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1157,21 +1161,26 @@ function dol_string_unaccent($str)
|
||||
* Clean a string from all punctuation characters to use it as a ref or login.
|
||||
* This is a more complete function than dol_sanitizeFileName.
|
||||
*
|
||||
* @param string $str String to clean
|
||||
* @param string $newstr String to replace forbidden chars with
|
||||
* @param array $badcharstoreplace List of forbidden characters
|
||||
* @return string Cleaned string
|
||||
* @param string $str String to clean
|
||||
* @param string $newstr String to replace forbidden chars with
|
||||
* @param array|string $badcharstoreplace List of forbidden characters to replace
|
||||
* @param array|string $badcharstoremove List of forbidden characters to remove
|
||||
* @return string Cleaned string
|
||||
*
|
||||
* @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii()
|
||||
*/
|
||||
function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
|
||||
function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '', $badcharstoremove = '')
|
||||
{
|
||||
$forbidden_chars_to_replace = array(" ", "'", "/", "\\", ":", "*", "?", "\"", "<", ">", "|", "[", "]", ",", ";", "=", '°'); // more complete than dol_sanitizeFileName
|
||||
$forbidden_chars_to_remove = array();
|
||||
//$forbidden_chars_to_remove=array("(",")");
|
||||
|
||||
if (is_array($badcharstoreplace)) {
|
||||
$forbidden_chars_to_replace = $badcharstoreplace;
|
||||
}
|
||||
//$forbidden_chars_to_remove=array("(",")");
|
||||
if (is_array($badcharstoremove)) {
|
||||
$forbidden_chars_to_remove = $badcharstoremove;
|
||||
}
|
||||
|
||||
return str_replace($forbidden_chars_to_replace, $newstr, str_replace($forbidden_chars_to_remove, "", $str));
|
||||
}
|
||||
|
||||
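Review bot: The new `$tmp = preg_replace('/\s+\-/', ' _', $tmp);` in the dol_sanitizeFileName hunk only neutralises a dash that follows whitespace, so a name whose first character is a single `-` keeps that leading dash and can still be taken as an option by any command that receives the file name as a positional argument — the risk the `--use-compress-program` comment above the array describes is not specific to double-dash options. Adding `$tmp = preg_replace('/^\-/', '_', $tmp);` before `return $tmp;` closes that gap without affecting the other cases. Separately, `preg_replace` returns null on a PCRE error, so `return $tmp;` can hand callers null where every existing caller expects a string; `return (string) $tmp;` (or a `preg_last_error()` check) preserves the contract. In the dol_string_nospecial hunk, the new `@param array|string $badcharstoremove` docblock should say that a string value is ignored, since only `is_array($badcharstoremove)` is honoured; dol_sanitizeFileName's signature line lies outside its hunk.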
@ -798,8 +798,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
|
||||
$result=dol_sanitizeFileName('bad file | evilaction');
|
||||
$this->assertEquals('bad file _ evilaction', $result);
|
||||
|
||||
$result=dol_sanitizeFileName('bad file --evilparam');
|
||||
$this->assertEquals('bad file _evilparam', $result);
|
||||
$result=dol_sanitizeFileName('bad file -evilparam --evilparam ---evilparam ----evilparam');
|
||||
$this->assertEquals('bad file_evilparam _evilparam _evilparam _evilparam', $result);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
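Review bot: As printed, the expectation on the `$this->assertEquals('bad file_evilparam _evilparam _evilparam _evilparam', $result);` line does not match what the two `preg_replace` calls added in functions.lib.php produce for the `-evilparam` token: `/\s+\-/` replaced by `' _'` turns `'file -evilparam'` into `'file _evilparam'` with a space, whereas the assertion expects `'file_evilparam'`. Either the rendered page dropped a space or the expected string is wrong; if the space is intended, the line should read `$this->assertEquals('bad file _evilparam _evilparam _evilparam _evilparam', $result);`. A further case whose input starts with a dash (for example `'-evilparam'`) would document that a leading single dash is not rewritten by either pattern. The enclosing test method starts outside the hunk.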