FIX CVE-2019–17223 FIX #13053

Laurent Destailleur 2020-02-09 18:28:34 +01:00
parent 5c000159c1
commit 8645fd8946
11 changed files with 55 additions and 24 deletions


@ -1789,7 +1789,7 @@ if ($id > 0)
// Description
print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td colspan="3">';
print dol_htmlentitiesbr($object->note);
print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
print '</td></tr>';
// Other attributes
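Review bot: The `<td colspan="3">` on the context line above still lacks the `sensiblehtmlcontent` class that the other views in this commit add to the cell holding the sanitized note, so the stylesheet rule `.sensiblehtmlcontent * { position: static !important; }` does not apply on this page; change it to `print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td colspan="3" class="sensiblehtmlcontent">';`. The inline regex in dol_string_onlythesehtmltags only strips the `!important` positioning variant, so the wrapper class is what covers the remaining cases. The surrounding `if ($id > 0)` block starts and ends outside the hunk.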


@ -337,7 +337,7 @@ abstract class CommonObject
/**
* @deprecated
* @see $note_public
* @see $note_private
*/
public $note;


@ -298,9 +298,13 @@ class Form
$firstline = preg_replace('/[\n\r].*/', '', $firstline);
$tmpcontent = $firstline.((strlen($firstline) != strlen($tmpcontent)) ? '...' : '');
}
$ret .= $tmpcontent;
// We dont use dol_escape_htmltag to get the html formating active, but this need we must also
// clean data from some dangerous html
$ret .= dol_string_onlythesehtmltags(dol_htmlentitiesbr($tmpcontent));
}
else {
$ret .= dol_escape_htmltag($value);
}
else $ret .= dol_escape_htmltag($value);
if ($formatfunc && method_exists($object, $formatfunc))
{
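Review bot: The new `dol_string_onlythesehtmltags(dol_htmlentitiesbr($tmpcontent))` call runs on a value the lines above have already truncated to its first line and suffixed with `...`; if dol_htmlentitiesbr leaves markup intact (as the "html formating active" comment suggests), a cut inside an allowed element leaves an unbalanced tag in `$ret`, since the strip_tags-based filter only removes disallowed tags and never closes allowed ones. Consider truncating after filtering, or stating in the comment that truncation is done on the raw text. The comment itself reads better as `// We don't use dol_escape_htmltag so that HTML formatting stays active, but we must then remove dangerous HTML`. The enclosing method starts before and ends after the hunk.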


@ -5559,22 +5559,27 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
/**
* Clean a string to keep only desirable HTML tags.
*
* @param string $stringtoclean String to clean
* @return string String cleaned
* @param string $stringtoclean String to clean
* @param string $cleanalsosomestyles Clean also some tags
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
*/
function dol_string_onlythesehtmltags($stringtoclean)
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
{
$allowed_tags = array(
"html", "head", "meta", "body", "article", "a", "b", "br", "div", "em", "font", "img", "ins", "hr", "i", "li", "link",
"html", "head", "meta", "body", "article", "a", "b", "br", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
"ol", "p", "s", "section", "span", "strong", "title",
"table", "tr", "th", "td", "u", "ul"
);
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = preg_replace('/^>/', '', $allowed_tags_string);
$allowed_tags_string = preg_replace('/<$/', '', $allowed_tags_string);
$allowed_tags_string = '<'.$allowed_tags_string.'>';
if ($cleanalsosomestyles) {
$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
}
$temp = strip_tags($stringtoclean, $allowed_tags_string);
@ -5583,14 +5588,16 @@ function dol_string_onlythesehtmltags($stringtoclean)
/**
* Clean a string from some undesirable HTML tags.
* Note. Not enough secured as dol_string_onlythesehtmltags().
*
* @param string $stringtoclean String to clean
* @param array $disallowed_tags Array of tags not allowed
* @return string String cleaned
* @param string $stringtoclean String to clean
* @param array $disallowed_tags Array of tags not allowed
* @param string $cleanalsosomestyles Clean also some tags
* @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags()
*/
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'))
function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'), $cleanalsosomestyles = 0)
{
$temp = $stringtoclean;
foreach ($disallowed_tags as $tagtoremove)
@ -5598,6 +5605,11 @@ function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array(
$temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
$temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
}
if ($cleanalsosomestyles) {
$temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $temp); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
}
return $temp;
}
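Review bot: The new style-stripping regex under `if ($cleanalsosomestyles)` in both hunks of this file is case-sensitive while CSS property names and keywords are not, so the check should carry the `i` modifier: `$stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $stringtoclean);` and the same for `$temp` in dol_string_neverthesehtmltags. The docblocks also declare `@param string $cleanalsosomestyles` although the defaults are `1`/`0` and the value is only tested for truthiness; `@param int $cleanalsosomestyles 1=Also remove some dangerous inline positioning styles` describes it better than "Clean also some tags". The first hunk's function body continues past its last visible line.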


@ -1,7 +1,7 @@
<?php
/* Copyright (C) 2012 Regis Houssin <regis.houssin@inodbox.com>
* Copyright (C) 2013 Florian Henry <florian.henry@open-concept.pro>
* Copyright (C) 2014-2017 Laurent Destailleur <eldy@destailleur.fr>
* Copyright (C) 2014-2020 Laurent Destailleur <eldy@destailleur.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -78,20 +78,21 @@ print '<div class="tagtable border table-border tableforfield centpercent">'."\n
if ($module != 'product') {
// No public note yet on products
print '<div class="tagtr table-border-row">'."\n";
print '<div class="tagtd tagtdnote tdtop table-key-border-col'.(empty($cssclass)?'':' '.$cssclass).'"'.($colwidth ? ' style="width: '.$colwidth.'%"' : '').'>'."\n";
print '<div class="tagtd tagtdnote tdtop sensiblehtmlcontent table-key-border-col'.(empty($cssclass)?'':' '.$cssclass).'"'.($colwidth ? ' style="width: '.$colwidth.'%"' : '').'>'."\n";
print $form->editfieldkey("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, $moreparam, '', 0);
print '</div>'."\n";
print '<div class="tagtd table-val-border-col">'."\n";
print '<div class="tagtd table-val-border-col sensiblehtmlcontent">'."\n";
print $form->editfieldval("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, '', null, null, $moreparam, 1)."\n";
print '</div>'."\n";
print '</div>'."\n";
}
if (empty($user->socid)) {
// Private notes (always hidden to external users)
print '<div class="tagtr table-border-row">'."\n";
print '<div class="tagtd tagtdnote tdtop table-key-border-col'.(empty($cssclass)?'':' '.$cssclass).'"'.($colwidth ? ' style="width: '.$colwidth.'%"' : '').'>'."\n";
print '<div class="tagtd tagtdnote tdtop sensiblehtmlcontent table-key-border-col'.(empty($cssclass)?'':' '.$cssclass).'"'.($colwidth ? ' style="width: '.$colwidth.'%"' : '').'>'."\n";
print $form->editfieldkey("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, $moreparam, '', 0);
print '</div>'."\n";
print '<div class="tagtd table-val-border-col">'."\n";
print '<div class="tagtd table-val-border-col sensiblehtmlcontent">'."\n";
print $form->editfieldval("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, '', null, null, $moreparam, 1);
print '</div>'."\n";
print '</div>'."\n";
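Review bot: The `sensiblehtmlcontent` class is added to the key-column divs (the two `tagtdnote` lines) as well as to the value divs, but only the value divs hold the note HTML produced by `editfieldval`, so the class on the key column protects nothing and could be dropped to keep the intent of the class clear. If `editfieldval` renders the editor when the note is being edited, the `position: static !important` rule would then also apply to the editor's own markup inside that div — worth confirming in the browser. The enclosing template runs beyond both ends of the hunk.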


@ -23,6 +23,10 @@ body {
<?php print 'direction: '.$langs->trans("DIRECTION").";\n"; ?>
}
.sensiblehtmlcontent * {
position: static !important;
}
.thumbstat { font-weight: bold !important; }
th a { font-weight: <?php echo ($useboldtitle ? 'bold' : 'normal'); ?> !important; }
a.tab { font-weight: 500 !important; }
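Review bot: The new `.sensiblehtmlcontent *` rule has no comment saying why it exists, and the identical rule is duplicated in the second stylesheet section of this commit; add `/* Neutralize positioning of user-supplied HTML shown in note/description fields (see dol_string_onlythesehtmltags) */` above it in both files so it is not later removed as dead styling. Only `position` is forced here, which matches what the PHP-side regex targets.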


@ -247,6 +247,10 @@ body {
<?php print 'direction: '.$langs->trans("DIRECTION").";\n"; ?>
}
.sensiblehtmlcontent * {
position: static !important;
}
.thumbstat { font-weight: bold !important; }
th a { font-weight: <?php echo ($useboldtitle ? 'bold' : 'normal'); ?> !important; }
a.tab { font-weight: 500 !important; }


@ -386,7 +386,9 @@ else
// Note
print '<tr><td class="titlefield tdtop">'.$langs->trans("Description").'</td>';
print '<td class="valeur">'.dol_htmlentitiesbr($object->note).'&nbsp;</td>';
print '<td class="valeur sensiblehtmlcontent"">';
print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
print '</td>';
print "</tr>\n";
// Other attributes
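Review bot: The new opening tag `<td class="valeur sensiblehtmlcontent"">` carries a stray second `"` after the class value, which leaves a dangling quote in the attribute list of the emitted HTML; the line should be `print '<td class="valeur sensiblehtmlcontent">';` as in the other views of this commit. The surrounding `else` block starts and ends outside the hunk.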


@ -126,7 +126,9 @@ if (! empty($conf->mutlicompany->enabled))
// Note
print '<tr><td class="tdtop">'.$langs->trans("Description").'</td>';
print '<td class="valeur">'.dol_htmlentitiesbr($object->note).'</td>';
print '<td class="valeur sensiblehtmlcontent">';
print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
print '</td>';
print "</tr>\n";
// LDAP DN


@ -212,7 +212,9 @@ if ($object->id > 0)
// Note
print '<tr><td class="titlefield tdtop">'.$langs->trans("Description").'</td>';
print '<td class="valeur">'.dol_htmlentitiesbr($object->note).'</td>';
print '<td class="valeur sensiblehtmlcontent">';
print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
print '</td>';
print "</tr>\n";
print '</table><br>';


@ -111,19 +111,19 @@ if ($id)
// Note
print '<tr><td class="tdtop">'.$langs->trans("Note").'</td>';
print '<td>';
print '<td class="sensiblehtmlcontent">';
if ($action == 'edit' && $user->rights->user->user->creer)
{
print "<input type=\"hidden\" name=\"action\" value=\"update\">";
print "<input type=\"hidden\" name=\"id\" value=\"".$object->id."\">";
// Editeur wysiwyg
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
$doleditor=new DolEditor('note_private', $object->note, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
$doleditor=new DolEditor('note_private', $object->note_private, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
$doleditor->Create();
}
else
{
print dol_htmlentitiesbr($object->note);
print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
}
print "</td></tr>";
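Review bot: The `sensiblehtmlcontent` class now sits on the `<td>` that wraps both branches, so in edit mode the `position: static !important` rule also applies to every element the DolEditor emits, which may break a positioned toolbar or dropdown of the editor. Keep `print '<td>';` and scope the class to the display branch instead: `print '<div class="sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private)).'</div>';`. The surrounding `if ($id)` block starts and ends outside the hunk.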