|
|
@@ -8297,7 +8297,7 @@ function dol_getIdFromCode($db, $key, $tablename, $fieldkey = 'code', $fieldid =
|
|
|
* Verify if condition in string is ok or not
|
|
|
*
|
|
|
* @param string $strToEvaluate String with condition to check
|
|
|
- * @return boolean True or False. Note: It returns also True if $strToEvaluate is ''
|
|
|
+ * @return boolean True or False. Note: It returns also True if $strToEvaluate is ''. False if error
|
|
|
*/
|
|
|
function verifCond($strToEvaluate)
|
|
|
{
|
|
|
@@ -8310,8 +8310,10 @@ function verifCond($strToEvaluate)
|
|
|
if (isset($strToEvaluate) && $strToEvaluate !== '') {
|
|
|
//$str = 'if(!('.$strToEvaluate.')) $rights = false;';
|
|
|
//dol_eval($str, 0, 1, '2'); // The dol_eval must contains all the global $xxx used into a condition
|
|
|
+ //var_dump($strToEvaluate);
|
|
|
$rep = dol_eval($strToEvaluate, 1, 1, '1'); // The dol_eval must contains all the global $xxx used into a condition
|
|
|
- $rights = ($rep ? true : false);
|
|
|
+ $rights = (($rep && strpos($rep, 'Bad string syntax to evaluate') === false) ? true : false);
|
|
|
+ //var_dump($rights);
|
|
|
}
|
|
|
return $rights;
|
|
|
}
|
|
|
@@ -8323,7 +8325,7 @@ function verifCond($strToEvaluate)
|
|
|
* @param string $s String to evaluate
|
|
|
* @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
|
|
|
* @param int $hideerrors 1=Hide errors
|
|
|
- * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s$_->&|=';, 2=Accept also '!?():";'
|
|
|
+ * @param string $onlysimplestring 0=Accept all chars, 1=Accept only simple string with char 'a-z0-9\s^$_->&|=!?():"\',/' and restrict use of (, 2=Accept also ';' and no restriction on (.
|
|
|
* @return mixed Nothing or return result of eval
|
|
|
*/
|
|
|
function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
|
|
|
@@ -8338,22 +8340,23 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
|
|
global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
|
|
|
global $soc; // For backward compatibility
|
|
|
|
|
|
- // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
|
|
|
+ // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing
|
|
|
if ($onlysimplestring == '1') {
|
|
|
- //print preg_quote('$_->&|', '/');
|
|
|
- if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?():"', '/').']/i', $s)) {
|
|
|
+ // We must accept: '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL'
|
|
|
+ // We must accept: '$conf->barcode->enabled && preg_match(\'/^(AAA|BBB)/\',$leftmenu)'
|
|
|
+ if (preg_match('/[^a-z0-9\s'.preg_quote('^$_->&|=!?():"\',/', '/').']/i', $s)) {
|
|
|
if ($returnvalue) {
|
|
|
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
|
|
|
} else {
|
|
|
dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
|
|
|
return '';
|
|
|
}
|
|
|
- // TODO We can exclude all () that is not ...($db) and getDolGlobalInt( and getDolGlobalString(
|
|
|
+ // TODO We can exclude all () that is not '($db)' and 'getDolGlobalInt(' and 'getDolGlobalString(' and 'preg_match('
|
|
|
// ...
|
|
|
}
|
|
|
} elseif ($onlysimplestring == '2') {
|
|
|
- //print preg_quote('$_->&|', '/');
|
|
|
- if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?():";', '/').']/i', $s)) {
|
|
|
+ // We must accept: (($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"
|
|
|
+ if (preg_match('/[^a-z0-9\s'.preg_quote('^$_->&|=!?():"\',/;[]', '/').']/i', $s)) {
|
|
|
if ($returnvalue) {
|
|
|
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
|
|
|
} else {
|
|
|
@@ -8363,20 +8366,35 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
|
|
}
|
|
|
}
|
|
|
if (strpos($s, '::') !== false) {
|
|
|
- return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
|
|
|
+ if ($returnvalue) {
|
|
|
+ return 'Bad string syntax to evaluate (double : char is forbidden): '.$s;
|
|
|
+ } else {
|
|
|
+ dol_syslog('Bad string syntax to evaluate (double : char is forbidden): '.$s);
|
|
|
+ return '';
|
|
|
+ }
|
|
|
}
|
|
|
if (strpos($s, '`') !== false) {
|
|
|
- return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
|
|
|
+ if ($returnvalue) {
|
|
|
+ return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
|
|
|
+ } else {
|
|
|
+ dol_syslog('Bad string syntax to evaluate (backtick char is forbidden): '.$s);
|
|
|
+ return '';
|
|
|
+ }
|
|
|
}
|
|
|
if (strpos($s, '.') !== false) {
|
|
|
- return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
|
|
|
+ if ($returnvalue) {
|
|
|
+ return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
|
|
|
+ } else {
|
|
|
+ dol_syslog('Bad string syntax to evaluate (dot char is forbidden): '.$s);
|
|
|
+ return '';
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
// We block use of php exec or php file functions
|
|
|
$forbiddenphpstrings = array('$$');
|
|
|
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
|
|
|
|
|
|
- $forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI");
|
|
|
+ $forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI", 'verifCond');
|
|
|
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
|
|
|
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
|
|
|
|
|
|
@@ -8391,7 +8409,12 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
|
|
|
|
|
if (strpos($s, '__forbiddenstring__') !== false) {
|
|
|
dol_syslog('Bad string syntax to evaluate: '.$s, LOG_WARNING);
|
|
|
- return 'Bad string syntax to evaluate: '.$s;
|
|
|
+ if ($returnvalue) {
|
|
|
+ return 'Bad string syntax to evaluate: '.$s;
|
|
|
+ } else {
|
|
|
+ dol_syslog('Bad string syntax to evaluate: '.$s);
|
|
|
+ return '';
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
//print $s."<br>\n";
|
Laurent Destailleur