Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX #Yogosha5631

Browse Source
This commit is contained in:
Laurent Destailleur 2021-03-14 15:06:40 +01:00
parent 95006ec94c
commit 72766c830d
7 changed files with 47 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/categories/info.php
View File

@ -71,11 +71,11 @@ $title = Categorie::$MAP_TYPE_TITLE_AREA[$type];
$head = categories_prepare_head($object, $type);
print dol_get_fiche_head($head, 'info', $langs->trans($title), -1, 'category');
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type);
$linkback = '<a href="'.$backtolist.'">'.$langs->trans("BackToList").'</a>';
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type));
$linkback = '<a href="'.dol_sanitizeUrl($backtolist).'">'.$langs->trans("BackToList").'</a>';
$object->next_prev_filter = ' type = '.$object->type;
$object->ref = $object->label;
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("Root").'</a> >> ';
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type).'">'.$langs->trans("Root").'</a> >> ';
$ways = $object->print_all_ways(" &gt;&gt; ", '', 1);
foreach ($ways as $way) {
$morehtmlref .= $way."<br>\n";

3
htdocs/categories/photos.php
View File

@ -108,7 +108,8 @@ if ($object->id) {
$head = categories_prepare_head($object, $type);
print dol_get_fiche_head($head, 'photos', $langs->trans($title), -1, 'category');
$linkback = '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("BackToList").'</a>';
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type));
$linkback = '<a href="'.dol_sanitizeUrl($backtolist).'">'.$langs->trans("BackToList").'</a>';
$object->next_prev_filter = ' type = '.$object->type;
$object->ref = $object->label;
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("Root").'</a> >> ';

3
htdocs/categories/traduction.php
View File

@ -184,7 +184,8 @@ if (!empty($object->multilangs)) {
print dol_get_fiche_head($head, 'translation', $langs->trans($title), -1, 'category');
$linkback = '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("BackToList").'</a>';
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type));
$linkback = '<a href="'.dol_sanitizeUrl($backtolist).'">'.$langs->trans("BackToList").'</a>';
$object->next_prev_filter = ' type = '.$object->type;
$object->ref = $object->label;
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("Root").'</a> >> ';

8
htdocs/categories/viewcat.php
View File

@ -215,18 +215,18 @@ $title = Categorie::$MAP_TYPE_TITLE_AREA[$type];
$head = categories_prepare_head($object, $type);
print dol_get_fiche_head($head, 'card', $langs->trans($title), -1, 'category');
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type);
$linkback = '<a href="'.$backtolist.'">'.$langs->trans("BackToList").'</a>';
$backtolist = (GETPOST('backtolist') ? GETPOST('backtolist') : DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type));
$linkback = '<a href="'.dol_sanitizeUrl($backtolist).'">'.$langs->trans("BackToList").'</a>';
$object->next_prev_filter = ' type = '.$object->type;
$object->ref = $object->label;
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.$type.'">'.$langs->trans("Root").'</a> >> ';
$morehtmlref = '<br><div class="refidno"><a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=cat&type='.urlencode($type).'">'.$langs->trans("Root").'</a> >> ';
$ways = $object->print_all_ways(" &gt;&gt; ", '', 1);
foreach ($ways as $way) {
$morehtmlref .= $way."<br>\n";
}
$morehtmlref .= '</div>';
dol_banner_tab($object, 'label', $linkback, ($user->socid ? 0 : 1), 'label', 'label', $morehtmlref, '&type='.$type, 0, '', '', 1);
dol_banner_tab($object, 'label', $linkback, ($user->socid ? 0 : 1), 'label', 'label', $morehtmlref, '&type='.urlencode($type), 0, '', '', 1);
/*

16
htdocs/core/lib/functions.lib.php
View File

@ -611,7 +611,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
}
// Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL.
if ($paramname == 'backtopage') {
if ($paramname == 'backtopage' || $paramname == 'backtolist') {
$out = str_replace('\\', '/', $out);
$out = str_replace(array(':', '@'), '', $out);
$out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
@ -1000,6 +1000,19 @@ function dol_sanitizePathName($str, $newstr = '_', $unaccent = 1)
return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
}
/**
* Clean a string to use it as an URL
*
* @param string $stringtoclean String to clean
* @return string Escaped string.
*/
function dol_sanitizeUrl($stringtoclean)
{
$stringtoclean = str_replace('javascript', '', $stringtoclean);
return $stringtoclean;
}
/**
* Clean a string from all accent characters to be used as ref, login or by dol_sanitizeFileName
*
@ -1098,7 +1111,6 @@ function dol_string_nounprintableascii($str, $removetabcrlf = 1)
}
}
/**
* Returns text escaped for inclusion into javascript code
*

18
htdocs/main.inc.php
View File

@ -59,12 +59,16 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) {
*/
function testSqlAndScriptInject($val, $type)
{
// Decode string first
// Decode string first bcause a lot of things are obfuscated by encoding or multiple encoding.
// So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
// So "&colon;&apos;" become ":'" (due to ENT_HTML5)
$val = html_entity_decode($val, ENT_QUOTES | ENT_HTML5);
// TODO loop to decode until no more thing to decode ?
// Loop to decode until no more thing to decode.
//print "before decoding $val\n";
do {
$oldval = $val;
$val = html_entity_decode($val, ENT_QUOTES | ENT_HTML5);
} while ($oldval != $val);
//print "after decoding $val\n";
// We clean string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
// We should use dol_string_nounprintableascii but function is not yet loaded/available
@ -135,16 +139,18 @@ function testSqlAndScriptInject($val, $type)
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
$inj += preg_match('/javascript\s*:/i', $val);
$inj += preg_match('/vbscript\s*:/i', $val);
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($type == 1) {
$val = str_replace('enclosure="', 'enclosure=X', $val); // We accept enclosure="
$val = str_replace('enclosure="', 'enclosure=X', $val); // We accept enclosure=" for the export/import module
$inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
}
if ($type == 2) {
$inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
}
return $inj;
}
@ -164,7 +170,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
} else {
// Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
$ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
$errormessage = 'Access refused to '.$ip.' by SQL or Script injection protection in main.inc.php - type='.htmlentities($type).' key='.htmlentities($key).' value='.htmlentities($value).' page='.htmlentities($_SERVER["REQUEST_URI"]);
$errormessage = 'Access refused to '.$ip.' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type).' paramkey='.htmlentities($key).' paramvalue='.htmlentities($value).' page='.htmlentities($_SERVER["REQUEST_URI"]);
print $errormessage;
// Add entry into error log
if (function_exists('error_log')) {

15
test/phpunit/SecurityTest.php
View File

@ -192,7 +192,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0a');
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should be ok');
$test = 'This is a < inside string with < and > also and tag like <a> before the >';
$result=testSqlAndScriptInject($test, 0);
@ -203,7 +203,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices;badaction';
$result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject 1b');
$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS');
$test = 'javascript&colon&#x3B;alert(1)';
$result=testSqlAndScriptInject($test, 0);
$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 1b');
$test="<img src='1.jpg' onerror =javascript:alert('XSS')>";
$result=testSqlAndScriptInject($test, 0);
@ -322,6 +326,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
$_POST["param11"]=' Name <email@email.com> ';
$_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
$_POST["param13"]='javascript%26colon%26%23x3B%3Balert(1)';
$result=GETPOST('id', 'int'); // Must return nothing
print __METHOD__." result=".$result."\n";
@ -426,7 +431,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
// Special test for GETPOST of backtopage parameter
// Special test for GETPOST of backtopage or backtolist parameter
$_POST["backtopage"]='//www.google.com';
$result=GETPOST("backtopage");
@ -438,8 +443,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n";
$this->assertEquals('www.google.com', $result, 'Test for backtopage param');
$_POST["backtopage"]='::HTTPS://www.google.com';
$result=GETPOST("backtopage");
$_POST["backtolist"]='::HTTPS://www.google.com';
$result=GETPOST("backtolist");
print __METHOD__." result=".$result."\n";
$this->assertEquals('www.google.com', $result, 'Test for backtopage param');