Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Enhance antiXSS by excluding non printable chars used to obfuscate hack

Laurent Destailleur 4 years ago
parent
85aa1ab402
commit
2eb46b4900
3 changed files with 23 additions and 5 deletions
Split View Show Diff Stats
  1. 16 1
      htdocs/core/lib/functions.lib.php
  2. 5 3
      htdocs/main.inc.php
  3. 2 1
      htdocs/ticket/class/actions_ticket.class.php

+ 16 - 1
htdocs/core/lib/functions.lib.php
View File 

@@ -970,7 +970,7 @@ function dol_string_unaccent($str)
 
  *  @param  array	$badcharstoreplace  List of forbidden characters
 
  * 	@return string          			Cleaned string
 
  *
 
- * 	@see    		dol_sanitizeFilename(), dol_string_unaccent()
 
+ * 	@see    		dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii()
 
  */
 
 function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
 
 {
 
@@ -983,6 +983,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
 
 }
 
 
 
+/**
 
+ *	Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF
 
+ *  This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars.
 
+ *
 
+ *	@param	string	$str            	String to clean
 
+ * 	@return string          			Cleaned string
 
+ *
 
+ * 	@see    		dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial()
 
+ */
 
+function dol_string_nounprintableascii($str)
 
+{
 
+	return preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
 
+}
 
+
 
+
 
 /**
 
  *  Returns text escaped for inclusion into javascript code
 
  *

+ 5 - 3
htdocs/main.inc.php
View File 

@@ -57,11 +57,13 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
 
  */
 
 function testSqlAndScriptInject($val, $type)
 
 {
 
-	$val = html_entity_decode($val, ENT_QUOTES);		// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
 
-	$val = str_replace('%09', '', $val);				// 'java%09script' is processed like 'javascript' (whatever is place of %09)
 
-
 
+	$val = html_entity_decode($val, ENT_QUOTES);	// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
 
 	// TODO loop to decode until no more thing to decode ?
 
 
+	// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
 
+	$val = preg_replace('/[\x00-\x1F\x7F]/u', '', $val);	// We should use dol_string_nounprintableascii but function is not yet loaded/available
 
+	//var_dump($val);
 
+
 
 	$inj = 0;
 
 	// For SQL Injection (only GET are used to be included into bad escaped SQL requests)
 
 	if ($type == 1 || $type == 3)

+ 2 - 1
htdocs/ticket/class/actions_ticket.class.php
View File 

@@ -208,7 +208,8 @@ class ActionsTicket
 
 			$msg = GETPOST('message_initial', 'alpha') ? GETPOST('message_initial', 'alpha') : $object->message;
 
 			include_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
 
 			$uselocalbrowser = true;
 
-			$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $conf->global->FCKEDITOR_ENABLE_TICKET, ROWS_9, '95%');
 
+			$ckeditorenabledforticket = $conf->global->FCKEDITOR_ENABLE_TICKET;
 
+			$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $ckeditorenabledforticket, ROWS_9, '95%');
 
 			$doleditor->Create();
 
 		} else {
 
 			// Deal with format differences (text / HTML)