|
|
@@ -8213,7 +8213,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
|
|
// Test dangerous char (used for RCE), we allow only PHP variable testing.
|
|
|
if ($onlysimplestring == '1') {
|
|
|
//print preg_quote('$_->&|', '/');
|
|
|
- if (preg_match('/[^a-z0-9\s'.preg_quote('$_+->&|=!?():"', '/').']/i', $s)) {
|
|
|
+ if (preg_match('/[^a-z0-9\s'.preg_quote('$_+-*/>&|=!?():"', '/').']/i', $s)) {
|
|
|
if ($returnvalue) {
|
|
|
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
|
|
|
} else {
|
|
|
@@ -8223,7 +8223,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
|
|
|
}
|
|
|
} elseif ($onlysimplestring == '2') {
|
|
|
//print preg_quote('$_->&|', '/');
|
|
|
- if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+->&|=!?():"\';,/', '/').']/i', $s)) {
|
|
|
+ if (preg_match('/[^a-z0-9\s'.preg_quote('^$_+-*/>&|=!?():"\';,/', '/').']/i', $s)) {
|
|
|
if ($returnvalue) {
|
|
|
return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
|
|
|
} else {
|
Laurent Destailleur