Add a way to enhance security check.
This commit is contained in:
parent
945fcc7586
commit
266fef40ad
@ -53,6 +53,8 @@ if ($file && ! $what)
|
|||
exit;
|
||||
}
|
||||
|
||||
$errormsg='';
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
|
@ -120,16 +122,37 @@ if ($what == 'mysql')
|
|||
{
|
||||
|
||||
$cmddump=GETPOST("mysqldump"); // Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
|
||||
if ($cmddump)
|
||||
if (! empty($dolibarr_main_restrict_os_commands))
|
||||
{
|
||||
$arrayofallowedcommand=explode(',', $dolibarr_main_restrict_os_commands);
|
||||
$ok=0;
|
||||
dol_syslog("Command are restricted to ".$dolibarr_main_restrict_os_commands.". We check that on of this command is inside ".$cmddump);
|
||||
foreach($arrayofallowedcommand as $allowedcommand)
|
||||
{
|
||||
if (preg_match('/'.preg_quote($allowedcommand,'/').'/', $cmddump))
|
||||
{
|
||||
$ok=1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (! $ok)
|
||||
{
|
||||
$errormsg=$langs->trans('CommandIsNotInsideAllowedCommands');
|
||||
}
|
||||
}
|
||||
|
||||
if (! $errormsg && $cmddump)
|
||||
{
|
||||
dolibarr_set_const($db, 'SYSTEMTOOLS_MYSQLDUMP', $cmddump,'chaine',0,'',$conf->entity);
|
||||
}
|
||||
|
||||
$utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
|
||||
|
||||
$errormsg=$utils->error;
|
||||
$_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
|
||||
$_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
|
||||
if (! $errormsg)
|
||||
{
|
||||
$utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
|
||||
$errormsg=$utils->error;
|
||||
$_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
|
||||
$_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
|
||||
}
|
||||
}
|
||||
|
||||
// MYSQL NO BIN
|
||||
|
|
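Review bot: The allow-list test at `if (preg_match('/'.preg_quote($allowedcommand,'/').'/', $cmddump))` is an unanchored substring search, so any submitted value that merely contains "mysql" somewhere (in a directory name, an argument, or the path of an unrelated binary) is accepted, which defeats the restriction the commit introduces. The list is also split with a bare `explode(',', ...)`, so with the documented default 'mysqldump, mysql, pg_dump, pgrestore' the entries after the first carry a leading space and are matched as " mysql" rather than "mysql". Trim the entries and compare the executable name exactly, e.g. `$arrayofallowedcommand=array_map('trim', explode(',', $dolibarr_main_restrict_os_commands));` followed by `$ok=in_array(basename(trim($cmddump)), $arrayofallowedcommand, true) ? 1 : 0;` in place of the loop; if the field is allowed to carry options after the path, take the first whitespace-separated token before `basename()`. Note also that the check only runs for a freshly posted value, so a SYSTEMTOOLS_MYSQLDUMP constant stored before this change is presumably used by `dumpDatabase()` unchecked — worth confirming in `$utils->dumpDatabase()`, which is outside the hunk.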
@ -146,16 +169,19 @@ if ($what == 'mysqlnobin')
|
|||
if ($what == 'postgresql')
|
||||
{
|
||||
$cmddump=GETPOST("postgresqldump"); // Do not sanitize here with 'alpha', will be sanitize later by escapeshellarg
|
||||
if ($cmddump)
|
||||
|
||||
if (! $errormsg && $cmddump)
|
||||
{
|
||||
dolibarr_set_const($db, 'SYSTEMTOOLS_POSTGRESQLDUMP', $cmddump,'chaine',0,'',$conf->entity);
|
||||
}
|
||||
|
||||
$utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
|
||||
|
||||
$errormsg=$utils->error;
|
||||
$_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
|
||||
$_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
|
||||
if (! $errormsg)
|
||||
{
|
||||
$utils->dumpDatabase(GETPOST('compression','alpha'), $what, 0, $file);
|
||||
$errormsg=$utils->error;
|
||||
$_SESSION["commandbackuplastdone"]=$utils->result['commandbackuplastdone'];
|
||||
$_SESSION["commandbackuptorun"]=$utils->result['commandbackuptorun'];
|
||||
}
|
||||
|
||||
$what=''; // Clear to show message to run command
|
||||
}
|
||||
|
|
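Review bot: The postgresql branch at `if (! $errormsg && $cmddump)` stores the posted `postgresqldump` value into SYSTEMTOOLS_POSTGRESQLDUMP without the allowed-command check the mysql branch gained in the previous hunk; unless an equivalent check sits above this hunk (the block starts outside it), `$errormsg` is still the empty string here and the new condition changes nothing. Factoring the mysql check into a small helper that takes the posted command and returns the error message, and calling it from both branches, would keep the two paths consistent and cover pg_dump as the new conf.php comment promises.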
|
|||
|
|
@ -220,6 +220,25 @@ $dolibarr_main_authentication='dolibarr';
|
|||
//
|
||||
$dolibarr_main_force_https='0';
|
||||
|
||||
// dolibarr_main_prod
|
||||
// When this parameter is defined, all errors messages are not reported.
|
||||
// This feature exists for production usage to avoid to give any information to hackers.
|
||||
// Default value: 0
|
||||
// Possible values: 0 or 1
|
||||
// Examples:
|
||||
// $dolibarr_main_prod='0';
|
||||
//
|
||||
$dolibarr_main_prod='0';
|
||||
|
||||
// $dolibarr_main_restrict_os_commands
|
||||
// To restrict commands you can execute by the backup feature, enter allowed command here.
|
||||
// Note: If you can, defining permission on OS linux (using SELinux for example) may be a better choice.
|
||||
// Default value: 'mysqldump, mysql, pg_dump, pgrestore'
|
||||
// Examples:
|
||||
// $dolibarr_main_restrict_os_commands='mysqldump, mysqldumpalias';
|
||||
//
|
||||
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
|
||||
|
||||
// dolibarr_nocsrfcheck
|
||||
// This parameter can be used to disable CSRF protection.
|
||||
// This might be required if you access Dolibarr behind a proxy that make
|
||||
|
|
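Review bot: The default at `$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';` (also in the comment two lines above and in the installer's write_conf_file hunk, `fputs($fp, '$dolibarr_main_restrict_os_commands=\'mysqldump, mysql, pg_dump, pgrestore\';');`) lists "pgrestore", but the PostgreSQL restore binary is named `pg_restore`, so that entry can never match the real tool. The spaces after the commas also become part of each entry because the consumer splits with `explode(',', ...)` and does not trim; prefer `$dolibarr_main_restrict_os_commands='mysqldump,mysql,pg_dump,pg_restore';` here, in the example comment, and in the installer, and state in the comment that entries are compared against the command name.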
@ -231,15 +250,11 @@ $dolibarr_main_force_https='0';
|
|||
//
|
||||
$dolibarr_nocsrfcheck='0';
|
||||
|
||||
// dolibarr_main_prod
|
||||
// When this parameter is defined, all errors messages are not reported.
|
||||
// This feature exists for production usage to avoid to give any information to hackers.
|
||||
// Default value: 0
|
||||
// Possible values: 0 or 1
|
||||
// dolibarr_mailing_limit_sendbyweb
|
||||
// Can set a limit for mailing send by web. Can be used for a restricted mode.
|
||||
// Default value: 0 (use database value if exist)
|
||||
// Examples:
|
||||
// $dolibarr_main_prod='0';
|
||||
//
|
||||
$dolibarr_main_prod='0';
|
||||
// $dolibarr_mailing_limit_sendbyweb='0';
|
||||
|
||||
|
||||
|
||||
|
|
@ -251,8 +266,6 @@ $dolibarr_main_prod='0';
|
|||
// This parameter contains prefix of Dolibarr database. 'llx_' if not defined.
|
||||
// Examples:
|
||||
// $dolibarr_main_db_prefix='llx_';
|
||||
//
|
||||
$dolibarr_main_db_prefix='';
|
||||
|
||||
// dolibarr_main_limit_users
|
||||
// Can set a limit on the number of users it will be possible to create
|
||||
|
|
@ -261,12 +274,6 @@ $dolibarr_main_db_prefix='';
|
|||
// Examples:
|
||||
// $dolibarr_main_limit_users='0';
|
||||
|
||||
// dolibarr_mailing_limit_sendbyweb
|
||||
// Can set a limit for mailing send by web. Can be used for a restricted mode.
|
||||
// Default value: 0 (use database value if exist)
|
||||
// Examples:
|
||||
// $dolibarr_mailing_limit_sendbyweb='0';
|
||||
|
||||
// dolibarr_strict_mode
|
||||
// Set this to 1 to enable the PHP strict mode. For dev environment only.
|
||||
// Default value: 0 (use database value if exist)
|
||||
|
|
|
|||
|
|
@ -853,24 +853,30 @@ function write_conf_file($conffile)
|
|||
fputs($fp,"\n");
|
||||
|
||||
/* Authentication */
|
||||
fputs($fp, '// Authentication settings');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_main_authentication=\'dolibarr\';');
|
||||
fputs($fp,"\n\n");
|
||||
|
||||
fputs($fp, '// Specific settings');
|
||||
fputs($fp, '//$dolibarr_main_demo=\'autologin,autopass\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '//$dolibarr_main_demo=\'autologin,autopass\';');
|
||||
fputs($fp, '// Security settings');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_main_prod=\'0\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_nocsrfcheck=\'0\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_main_force_https=\''.$main_force_https.'\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_main_restrict_os_commands=\'mysqldump, mysql, pg_dump, pgrestore\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_nocsrfcheck=\'0\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
fputs($fp, '$dolibarr_main_cookie_cryptkey=\''.$key.'\';');
|
||||
fputs($fp,"\n");
|
||||
|
||||
|
|
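Review bot: Writing `$dolibarr_main_restrict_os_commands` only from write_conf_file means installations whose conf.php predates this commit never get the variable, and the consumer skips the whole check when it is empty (`if (! empty($dolibarr_main_restrict_os_commands))`), so the restriction is effectively opt-in for upgraded sites. Either have the upgrade path add the line, or make the check fall back to the same built-in default when the variable is unset, so the secure behaviour does not depend on a fresh install. write_conf_file begins and ends outside this hunk.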
|
|||
|
|
@ -1589,3 +1589,4 @@ DetectionNotPossible=Detection not possible
|
|||
UrlToGetKeyToUseAPIs=Url to get token to use API (once token has been received it is saved on database user table and will be checked on each future access)
|
||||
ListOfAvailableAPIs=List of available APIs
|
||||
activateModuleDependNotSatisfied=Module "%s" depends on module "%s" that is missing, so module "%1$s" may not work correclty. Please install module "%2$s" or disable module "%1$s" if you want to be safe from any surprise
|
||||
CommandIsNotInsideAllowedCommands=The command you try to run is not inside list of allowed commands defined into parameter <strong>$dolibarr_main_restrict_os_commands</strong> into <strong>conf.php</strong> file.
|
||||