Fix #yogosha19893

This commit is contained in:
Laurent Destailleur 2024-01-19 15:29:26 +01:00
parent f711d0d144
commit 63cb470e39


@ -220,15 +220,39 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
if (analyseVarsForSqlAndScriptsInjection($key, $type) && analyseVarsForSqlAndScriptsInjection($value, $type)) {
//$var[$key] = $value; // This is useless
} else {
global $dolibarr_main_prod;
http_response_code(403);
// Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
$ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
$errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type, ENT_COMPAT, 'UTF-8').' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8').' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8').' page='.htmlentities($_SERVER["REQUEST_URI"], ENT_COMPAT, 'UTF-8');
$errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php:analyseVarsForSqlAndScriptsInjection type='.htmlentities($type, ENT_COMPAT, 'UTF-8');
$errormessage2 = 'paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8');
$errormessage2 .= ' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8');
$errormessage2 .= ' page='.htmlentities($_SERVER["REQUEST_URI"], ENT_COMPAT, 'UTF-8');
print $errormessage;
// Add entry into error log
if (function_exists('error_log')) {
error_log($errormessage);
print "<br>\n";
print 'Try to go back, fix data of your form and resubmit it. You can contact also your technical support.';
if (empty($dolibarr_main_prod)) { // If not prod
print '<br><br>'."\n";
print 'Technical debug information: '.$errormessage2;
} else {
print '<!--'."\n";
print $errormessage2;
print "\n".'-->';
}
// TODO Add entry into security audit table
// Add entry into error the PHP server error log
if (function_exists('error_log')) {
error_log($errormessage.' '.$errormessage2);
}
// Note: No addition into security audit table is done because we don't want to execute code in such a case.
// Detection of too many such requests can be done with a fail2ban rule on 403 error code or into the PHP server error log.
exit;
}
}
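Review bot: The string passed to error_log at the end of the hunk is only HTML-escaped, so CR/LF in an offending paramvalue pass through htmlentities untouched and can split the single log line into several, which matters because the new comment just above names the PHP error log (and a fail2ban rule on it) as the detection channel. Before the `error_log($errormessage.' '.$errormessage2);` line, collapse control characters first, e.g. `$logline = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $errormessage.' '.$errormessage2);` followed by `error_log($logline);`. Note also that in the prod branch `$errormessage2` is still sent to the client inside an HTML comment, so the page source still carries the full paramkey/paramvalue/page string; if the intent was to withhold the debug details in production, writing them only to the log would be the safer choice. The enclosing function analyseVarsForSqlAndScriptsInjection starts before this hunk.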
@ -262,7 +286,7 @@ if (!defined('NOSCANPHPSELFFORINJECTION') && !empty($_SERVER["PHP_SELF"])) {
if (!defined('NOSCANGETFORINJECTION') && !empty($_SERVER["QUERY_STRING"])) {
// Note: QUERY_STRING is url encoded, but $_GET and $_POST are already decoded
// Because the analyseVarsForSqlAndScriptsInjection is designed for already url decoded value, we must decode QUERY_STRING
// Another solution is to provide $_GET as parameter
// Another solution is to provide $_GET as parameter with analyseVarsForSqlAndScriptsInjection($_GET, 1);
$morevaltochecklikeget = array(urldecode($_SERVER["QUERY_STRING"]));
analyseVarsForSqlAndScriptsInjection($morevaltochecklikeget, 1);
}