
Enhance antiXSS by excluding non printable chars used to obfuscate hack

Laurent Destailleur 4 years ago
parent
commit
2eb46b4900

+ 16 - 1
htdocs/core/lib/functions.lib.php

@@ -970,7 +970,7 @@ function dol_string_unaccent($str)
  *  @param  array	$badcharstoreplace  List of forbidden characters
  * 	@return string          			Cleaned string
  *
- * 	@see    		dol_sanitizeFilename(), dol_string_unaccent()
+ * 	@see    		dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii()
  */
 function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
 {
@@ -983,6 +983,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '')
 }
 
 
+/**
+ *	Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF
+ *  This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars.
+ *
+ *	@param	string	$str            	String to clean
+ * 	@return string          			Cleaned string
+ *
+ * 	@see    		dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial()
+ */
+function dol_string_nounprintableascii($str)
+{
+	return preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
+}
+
+
 /**
  *  Returns text escaped for inclusion into javascript code
  *
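Review bot: `dol_string_nounprintableascii()` returns null instead of a string when `$str` is not valid UTF-8, because the `u` modifier makes `preg_replace` abort with PREG_BAD_UTF8_ERROR; for a sanitizer whose output is then inspected, that fails open (a null result passes later string checks as an empty value). The character class is pure ASCII, so the modifier adds nothing here — `return preg_replace('/[\x00-\x1F\x7F]/', '', $str);` strips the same bytes from any input (valid UTF-8 continuation bytes are 0x80-0xBF and never match), or keep `u` and treat a null result as a failed sanitisation rather than a clean string. The inline copy of the same expression in the `testSqlAndScriptInject()` hunk of htdocs/main.inc.php has the same issue. The docblock could also state what is not removed: C1 controls (0x80-0x9F) and Unicode format characters such as zero-width spaces are left untouched, so callers should not assume the result is free of all invisible characters.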

+ 5 - 3
htdocs/main.inc.php

@@ -57,11 +57,13 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO']))
  */
 function testSqlAndScriptInject($val, $type)
 {
-	$val = html_entity_decode($val, ENT_QUOTES);		// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
-	$val = str_replace('%09', '', $val);				// 'java%09script' is processed like 'javascript' (whatever is place of %09)
-
+	$val = html_entity_decode($val, ENT_QUOTES);	// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
 	// TODO loop to decode until no more thing to decode ?
 
+	// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
+	$val = preg_replace('/[\x00-\x1F\x7F]/u', '', $val);	// We should use dol_string_nounprintableascii but function is not yet loaded/available
+	//var_dump($val);
+
 	$inj = 0;
 	// For SQL Injection (only GET are used to be included into bad escaped SQL requests)
 	if ($type == 1 || $type == 3)
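Review bot: The leftover `//var_dump($val);` on the line after the new `preg_replace` is debug residue and should be dropped before merge. The commit also removes the `str_replace('%09', '', $val)` normalisation while the new regex strips raw control bytes only, so a literal `%09` still present in `$val` at this point (double-encoded input, if that can reach here) is no longer neutralised — worth confirming the checks that follow still cover that case. The new comment also has a typo, `ascci09` for `ascii09`. The body of `testSqlAndScriptInject()` continues past the hunk.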

+ 2 - 1
htdocs/ticket/class/actions_ticket.class.php

@@ -208,7 +208,8 @@ class ActionsTicket
 			$msg = GETPOST('message_initial', 'alpha') ? GETPOST('message_initial', 'alpha') : $object->message;
 			include_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
 			$uselocalbrowser = true;
-			$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $conf->global->FCKEDITOR_ENABLE_TICKET, ROWS_9, '95%');
+			$ckeditorenabledforticket = $conf->global->FCKEDITOR_ENABLE_TICKET;
+			$doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $ckeditorenabledforticket, ROWS_9, '95%');
 			$doleditor->Create();
 		} else {
 			// Deal with format differences (text / HTML)