From f8eadf6fe1755ff3f8063a260b6bdd34897392c1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 5 Jul 2021 22:26:38 +0200 Subject: [PATCH] Fix #yogosha6561 --- htdocs/core/lib/functions.lib.php | 29 +++++++++++++++++++---------- test/phpunit/SecurityTest.php | 4 ++-- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f10b430ddbd..663158e1ef3 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1029,10 +1029,11 @@ function dol_size($size, $type = '') /** - * Clean a string to use it as a file name + * Clean a string to use it as a file name. + * Replace also '--' and ' -' strings, they are used for parameters separation. * * @param string $str String to clean - * @param string $newstr String to replace bad chars with + * @param string $newstr String to replace bad chars with. * @param int $unaccent 1=Remove also accent (default), 0 do not remove them * @return string String cleaned (a-zA-Z_) * @@ -1044,8 +1045,11 @@ function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1) // Char '>' '<' '|' '$' and ';' are special chars for shells. // Char '/' and '\' are file delimiters. // -- car can be used into filename to inject special paramaters like --use-compress-program to make command with file as parameter making remote execution of command - $filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '--'); - return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars); + $filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';'); + $tmp = dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars); + $tmp = preg_replace('/\-\-+/', '_', $tmp); + $tmp = preg_replace('/\s+\-/', ' _', $tmp); + return $tmp; } /** @@ -1157,21 +1161,26 @@ function dol_string_unaccent($str) * Clean a string from all punctuation characters to use it as a ref or login. * This is a more complete function than dol_sanitizeFileName. * - * @param string $str String to clean - * @param string $newstr String to replace forbidden chars with - * @param array $badcharstoreplace List of forbidden characters - * @return string Cleaned string + * @param string $str String to clean + * @param string $newstr String to replace forbidden chars with + * @param array|string $badcharstoreplace List of forbidden characters to replace + * @param array|string $badcharstoremove List of forbidden characters to remove + * @return string Cleaned string * * @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii() */ -function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '') +function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '', $badcharstoremove = '') { $forbidden_chars_to_replace = array(" ", "'", "/", "\\", ":", "*", "?", "\"", "<", ">", "|", "[", "]", ",", ";", "=", '°'); // more complete than dol_sanitizeFileName $forbidden_chars_to_remove = array(); + //$forbidden_chars_to_remove=array("(",")"); + if (is_array($badcharstoreplace)) { $forbidden_chars_to_replace = $badcharstoreplace; } - //$forbidden_chars_to_remove=array("(",")"); + if (is_array($badcharstoremove)) { + $forbidden_chars_to_remove = $badcharstoremove; + } return str_replace($forbidden_chars_to_replace, $newstr, str_replace($forbidden_chars_to_remove, "", $str)); } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 63c52ac60c5..5111b5bd13a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -798,8 +798,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase $result=dol_sanitizeFileName('bad file | evilaction'); $this->assertEquals('bad file _ evilaction', $result); - $result=dol_sanitizeFileName('bad file --evilparam'); - $this->assertEquals('bad file _evilparam', $result); + $result=dol_sanitizeFileName('bad file -evilparam --evilparam ---evilparam ----evilparam'); + $this->assertEquals('bad file_evilparam _evilparam _evilparam _evilparam', $result); } /**