Explorar o código

SEC Add a protection against installation of external module bypassing
installmodules.lock

Laurent Destailleur hai 1 ano
pai
achega
f2c70d952a
Modificáronse 1 ficheiros con 10 adicións e 8 borrados
  1. 10 8
      htdocs/admin/modules.php

+ 10 - 8
htdocs/admin/modules.php

@@ -122,6 +122,13 @@ if ($max_time && $max_time < $max_execution_time_for_deploy) {
 	@ini_set("max_execution_time", $max_execution_time_for_deploy); // This work only if safe mode is off. also web servers has timeout of 300
 }
 
+$dolibarrdataroot = preg_replace('/([\\/]+)$/i', '', DOL_DATA_ROOT);
+$allowonlineinstall = true;
+$allowfromweb = 1;
+if (dol_is_file($dolibarrdataroot.'/installmodules.lock')) {
+	$allowonlineinstall = false;
+}
+
 
 /*
  * Actions
@@ -142,7 +149,7 @@ if (GETPOST('buttonreset', 'alpha')) {
 	$search_version = '';
 }
 
-if ($action == 'install') {
+if ($action == 'install' && $allowonlineinstall) {
 	$error = 0;
 
 	// $original_file should match format module_modulename-x.y[.z].zip
@@ -263,6 +270,8 @@ if ($action == 'install') {
 	if (!$error) {
 		setEventMessages($langs->trans("SetupIsReadyForUse", DOL_URL_ROOT.'/admin/modules.php?mainmenu=home', $langs->transnoentitiesnoconv("Home").' - '.$langs->transnoentitiesnoconv("Setup").' - '.$langs->transnoentitiesnoconv("Modules")), null, 'warnings');
 	}
+} elseif ($action == 'install' && !$allowonlineinstall) {
+	httponly_accessforbidden("You try to bypass the protection to disallow deployment of an external module. Hack attempt ?");
 }
 
 if ($action == 'set' && $user->admin) {
@@ -1175,13 +1184,6 @@ if ($mode == 'marketplace') {
 if ($mode == 'deploy') {
 	print dol_get_fiche_head($head, $mode, '', -1);
 
-	$dolibarrdataroot = preg_replace('/([\\/]+)$/i', '', DOL_DATA_ROOT);
-	$allowonlineinstall = true;
-	$allowfromweb = 1;
-	if (dol_is_file($dolibarrdataroot.'/installmodules.lock')) {
-		$allowonlineinstall = false;
-	}
-
 	$fullurl = '<a href="'.$urldolibarrmodules.'" target="_blank" rel="noopener noreferrer">'.$urldolibarrmodules.'</a>';
 	$message = '';
 	if ($allowonlineinstall) {