
Add a way to enhance security check.

Laurent Destailleur 9 years ago
parent
commit
266fef40ad
4 changed files with 73 additions and 33 deletions
  1. 38 12
      htdocs/admin/tools/export.php
  2. 23 16
      htdocs/conf/conf.php.example
  3. 11 5
      htdocs/install/step1.php
  4. 1 0
      htdocs/langs/en_US/admin.lang

+ 38 - 12
htdocs/admin/tools/export.php

@@ -53,6 +53,8 @@ if ($file && ! $what)
     exit;
 }
 
+$errormsg='';
+
 
 /*
  * Actions
@@ -120,16 +122,37 @@ if ($what == 'mysql')
 {
     
     $cmddump=GETPOST("mysqldump");	// Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
-    if ($cmddump)
+    if (! empty($dolibarr_main_restrict_os_commands))
+    {
+        $arrayofallowedcommand=explode(',', $dolibarr_main_restrict_os_commands);
+        $ok=0;
+        dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that on of this command is inside ".$cmddump);
+        foreach($arrayofallowedcommand as $allowedcommand)
+        {
+            if (preg_match('/'.preg_quote($allowedcommand,'/').'/', $cmddump))
+            {
+                $ok=1;
+                break;
+            }
+        }
+        if (! $ok)
+        {
+            $errormsg=$langs->trans('CommandIsNotInsideAllowedCommands');
+        }
+    }
+    
+    if (! $errormsg && $cmddump)
     {
         dolibarr_set_const($db, 'SYSTEMTOOLS_MYSQLDUMP', $cmddump,'chaine',0,'',$conf->entity);
     }
 
-    $utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
-    
-    $errormsg=$utils->error;
-    $_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
-    $_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
+    if (! $errormsg) 
+    {
+        $utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
+        $errormsg=$utils->error;
+        $_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
+        $_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
+    }
 }
 
 // MYSQL NO BIN
@@ -146,16 +169,19 @@ if ($what == 'mysqlnobin')
 if ($what == 'postgresql')
 {
     $cmddump=GETPOST("postgresqldump");	// Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
-    if ($cmddump)
+    
+    if (! $errormsg && $cmddump)
     {
         dolibarr_set_const($db, 'SYSTEMTOOLS_POSTGRESQLDUMP', $cmddump,'chaine',0,'',$conf->entity);
     }
 
-    $utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
-    
-    $errormsg=$utils->error;
-    $_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
-    $_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
+    if (! $errormsg) 
+    {
+        $utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
+        $errormsg=$utils->error;
+        $_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
+        $_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
+    }
 
     $what='';   // Clear to show message to run command
 }
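Review bot: The allow-list check in the `$what == 'mysql'` branch is a substring match — `preg_match('/'.preg_quote($allowedcommand,'/').'/', $cmddump)` accepts any value that merely contains an allowed name somewhere in it, and because `explode(',')` does not trim, the default list written by conf.php.example and step1.php yields entries such as `' mysql'` with a leading space, so only the first entry behaves as presumably intended. The same check is absent from the `$what == 'postgresql'` branch below, whose new `if (! $errormsg && $cmddump)` guard can never fail since `$errormsg` is still `''` at that point, so the restriction does not apply to the pg_dump path at all. If `$cmddump` is the path to the dump executable, as the `SYSTEMTOOLS_MYSQLDUMP` constant name suggests, comparing its basename against the trimmed entries and running that check in both branches (or once before them) would close both gaps. Note also that with the restriction configured an empty `$cmddump` now sets `$errormsg` and skips the dump where previously the stored constant was used; worth confirming the form always posts the field.
```php
    if (! empty($dolibarr_main_restrict_os_commands))
    {
        // Trim entries so a list like 'mysqldump, mysql' works; compare the executable name, not a substring
        $arrayofallowedcommand=array_map('trim', explode(',', $dolibarr_main_restrict_os_commands));
        $ok=0;
        // … unchanged: dol_syslog …
        foreach($arrayofallowedcommand as $allowedcommand)
        {
            if (basename(trim($cmddump)) === $allowedcommand)
            {
                $ok=1;
                break;
            }
        }
        // … unchanged: set $errormsg when ! $ok …
    }
```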

+ 23 - 16
htdocs/conf/conf.php.example

@@ -220,6 +220,25 @@ $dolibarr_main_authentication='dolibarr';
 //
 $dolibarr_main_force_https='0';
 
+// dolibarr_main_prod
+// When this parameter is defined, all errors messages are not reported.
+// This feature exists for production usage to avoid to give any information to hackers.
+// Default value: 0
+// Possible values: 0 or 1
+// Examples:
+// $dolibarr_main_prod='0';
+//
+$dolibarr_main_prod='0';
+
+// $dolibarr_main_restrict_os_commands
+// To restrict commands you can execute by the backup feature, enter allowed command here.
+// Note: If you can, defining permission on OS linux (using SELinux for example) may be a better choice.
+// Default value: 'mysqldump, mysql, pg_dump, pgrestore'
+// Examples:
+// $dolibarr_main_restrict_os_commands='mysqldump, mysqldumpalias';
+//
+$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
+
 // dolibarr_nocsrfcheck
 // This parameter can be used to disable CSRF protection.
 // This might be required if you access Dolibarr behind a proxy that make
@@ -231,15 +250,11 @@ $dolibarr_main_force_https='0';
 //
 $dolibarr_nocsrfcheck='0';
 
-// dolibarr_main_prod
-// When this parameter is defined, all errors messages are not reported.
-// This feature exists for production usage to avoid to give any information to hackers.
-// Default value: 0
-// Possible values: 0 or 1
+// dolibarr_mailing_limit_sendbyweb
+// Can set a limit for mailing send by web. Can be used for a restricted mode.
+// Default value: 0 (use database value if exist)
 // Examples:
-// $dolibarr_main_prod='0';
-//
-$dolibarr_main_prod='0';
+// $dolibarr_mailing_limit_sendbyweb='0';
 
 
 
@@ -251,8 +266,6 @@ $dolibarr_main_prod='0';
 // This parameter contains prefix of Dolibarr database. 'llx_' if not defined.
 // Examples:
 // $dolibarr_main_db_prefix='llx_';
-//
-$dolibarr_main_db_prefix='';
 
 // dolibarr_main_limit_users
 // Can set a limit on the number of users it will be possible to create
@@ -261,12 +274,6 @@ $dolibarr_main_db_prefix='';
 // Examples:
 // $dolibarr_main_limit_users='0';
 
-// dolibarr_mailing_limit_sendbyweb
-// Can set a limit for mailing send by web. Can be used for a restricted mode.
-// Default value: 0 (use database value if exist)
-// Examples:
-// $dolibarr_mailing_limit_sendbyweb='0';
-
 // dolibarr_strict_mode
 // Set this to 1 to enable the PHP strict mode. For dev environment only.
 // Default value: 0 (use database value if exist)
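Review bot: The default `'mysqldump, mysql, pg_dump, pgrestore'` names `pgrestore`, but the PostgreSQL restore utility ships as `pg_restore`; if that tool is what is meant, the entry should read `pg_restore` both here and in the copy written by step1.php. The "Default value" comment above it repeats the same literal, so it would need the same correction. A short note in the comment block stating how entries are matched by export.php (whole name vs. substring, whether surrounding spaces are ignored) would let an administrator set this value without reading the consumer.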

+ 11 - 5
htdocs/install/step1.php

@@ -853,24 +853,30 @@ function write_conf_file($conffile)
 		fputs($fp,"\n");
 
 		/* Authentication */
+		fputs($fp, '// Authentication settings');
+        fputs($fp,"\n");
+
 		fputs($fp, '$dolibarr_main_authentication=\'dolibarr\';');
 		fputs($fp,"\n\n");
 
-		fputs($fp, '// Specific settings');
-        fputs($fp,"\n");
-
         fputs($fp, '//$dolibarr_main_demo=\'autologin,autopass\';');
         fputs($fp,"\n");
 
-        fputs($fp, '$dolibarr_main_prod=\'0\';');
+		fputs($fp, '// Security settings');
         fputs($fp,"\n");
 
-        fputs($fp, '$dolibarr_nocsrfcheck=\'0\';');
+        fputs($fp, '$dolibarr_main_prod=\'0\';');
         fputs($fp,"\n");
 
         fputs($fp, '$dolibarr_main_force_https=\''.$main_force_https.'\';');
 		fputs($fp,"\n");
 
+        fputs($fp, '$dolibarr_main_restrict_os_commands=\'mysqldump, mysql, pg_dump, pgrestore\';');
+		fputs($fp,"\n");
+		
+        fputs($fp, '$dolibarr_nocsrfcheck=\'0\';');
+        fputs($fp,"\n");
+
 		fputs($fp, '$dolibarr_main_cookie_cryptkey=\''.$key.'\';');
 		fputs($fp,"\n");
 

+ 1 - 0
htdocs/langs/en_US/admin.lang

@@ -1589,3 +1589,4 @@ DetectionNotPossible=Detection not possible
 UrlToGetKeyToUseAPIs=Url to get token to use API (once token has been received it is saved on database user table and will be checked on each future access) 
 ListOfAvailableAPIs=List of available APIs
 activateModuleDependNotSatisfied=Module "%s" depends on module "%s" that is missing, so module "%1$s" may not work correclty. Please install module "%2$s" or disable module "%1$s" if you want to be safe from any surprise
+CommandIsNotInsideAllowedCommands=The command you try to run is not inside list of allowed commands defined into parameter <strong>$dolibarr_main_restrict_os_commands</strong> into <strong>conf.php</strong> file.