Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '20.0' of git@github.com:Dolibarr/dolibarr.git into 21.0

Browse Source
This commit is contained in:
Laurent Destailleur (aka Eldy) 2025-02-13 20:39:19 +01:00
commit 705164cc9f
6 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/compta/facture/class/facture.class.php
View File

@ -5156,11 +5156,12 @@ class Facture extends CommonInvoice
//Avoid php warning Warning: mt_rand(): max(0) is smaller than min(1) when no product exists
if (empty($num_prods)) {
$num_prods = 1;
$prodids[$num_prods] = 1;
}
// Initialize parameters
$this->id = 0;
$this->entity = 1;
$this->entity = $conf->entity;
$this->ref = 'SPECIMEN';
$this->specimen = 1;
$this->socid = 1;

4
htdocs/core/modules/modCommande.class.php
View File

@ -95,7 +95,7 @@ class modCommande extends DolibarrModules
$r++;
$this->const[$r][0] = "COMMANDE_ADDON_PDF_ODT_PATH";
$this->const[$r][1] = "chaine";
$this->const[$r][2] = "DOL_DATA_ROOT/doctemplates/orders";
$this->const[$r][2] = "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/orders";
$this->const[$r][3] = "";
$this->const[$r][4] = 0;
@ -460,7 +460,7 @@ class modCommande extends DolibarrModules
//ODT template
$src = DOL_DOCUMENT_ROOT.'/install/doctemplates/orders/template_order.odt';
$dirodt = DOL_DATA_ROOT.'/doctemplates/orders';
$dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/orders';
$dest = $dirodt.'/template_order.odt';
if (file_exists($src) && !file_exists($dest)) {

4
htdocs/core/modules/modFacture.class.php
View File

@ -95,7 +95,7 @@ class modFacture extends DolibarrModules
$this->const[$r][0] = "FACTURE_ADDON_PDF_ODT_PATH";
$this->const[$r][1] = "chaine";
$this->const[$r][2] = "DOL_DATA_ROOT/doctemplates/invoices";
$this->const[$r][2] = "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/invoices";
$this->const[$r][3] = "";
$this->const[$r][4] = 0;
$r++;
@ -780,7 +780,7 @@ class modFacture extends DolibarrModules
//ODT template
$src = DOL_DOCUMENT_ROOT.'/install/doctemplates/invoices/template_invoice.odt';
$dirodt = DOL_DATA_ROOT.'/doctemplates/invoices';
$dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/invoices';
$dest = $dirodt.'/template_invoice.odt';
if (file_exists($src) && !file_exists($dest)) {

4
htdocs/core/modules/modPropale.class.php
View File

@ -100,7 +100,7 @@ class modPropale extends DolibarrModules
$this->const[$r][0] = "PROPALE_ADDON_PDF_ODT_PATH";
$this->const[$r][1] = "chaine";
$this->const[$r][2] = "DOL_DATA_ROOT/doctemplates/proposals";
$this->const[$r][2] = "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/proposals";
$this->const[$r][3] = "";
$this->const[$r][4] = 0;
$r++;
@ -490,7 +490,7 @@ class modPropale extends DolibarrModules
//ODT template
$src = DOL_DOCUMENT_ROOT.'/install/doctemplates/proposals/template_proposal.odt';
$dirodt = DOL_DATA_ROOT.'/doctemplates/proposals';
$dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/proposals';
$dest = $dirodt.'/template_proposal.odt';
if (file_exists($src) && !file_exists($dest)) {

8
htdocs/main.inc.php
View File

@ -214,13 +214,13 @@ function testSqlAndScriptInject($val, $type)
// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events
$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/on(abort|after|animation|auxclick|before|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $val);
// More not into the previous list
$inj += preg_match('/on(repeat|begin|finish|beforeinput)[a-z]*\s*=/i', $val);
$inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $val);
// We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML.
// Example: <img on<a>error=alert(1) or <img onerror<>=alert(1) to bypass test on onerror=
@ -228,13 +228,13 @@ function testSqlAndScriptInject($val, $type)
// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events
$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/on(abort|after|animation|auxclick|before|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $tmpval);
// More not into the previous list
$inj += preg_match('/on(repeat|begin|finish|beforeinput)[a-z]*\s*=/i', $tmpval);
$inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $tmpval);
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'

10
test/phpunit/SecurityTest.php
View File

@ -202,6 +202,13 @@ class SecurityTest extends CommonClassTest
$result = testSqlAndScriptInject($test, 0);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject bbb');
$test='<marquee onbeforeintput="alert(1)">';
$result=testSqlAndScriptInject($test, 0);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject onbeforeintput');
$test='<marquee onbounce="alert(1)">';
$result=testSqlAndScriptInject($test, 0);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject onbounce');
$test = '<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>';
$result = testSqlAndScriptInject($test, 0);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ccc');
@ -702,6 +709,7 @@ class SecurityTest extends CommonClassTest
// Must be allowed
global $leftmenu; // Used into strings to eval
$conf->global->MAIN_FEATURES_LEVEL = 1;
$leftmenu = 'AAA';
$result = dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1');
@ -726,7 +734,7 @@ class SecurityTest extends CommonClassTest
$leftmenu = 'XXX';
$conf->global->MAIN_FEATURES_LEVEL = 1; // Force for the case option is -1
$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
$string = '(isModEnabled("user") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
$result = dol_eval($string, 1, 1, '1');
print "result17 = ".$result."\n";
$this->assertTrue($result);