
Commit 4fcd3fe

committed
Fix: disallow the "--" string in filenames for security purposes. Vulnerability
reported by Yılmaz Değirmenci
1 parent 89854ea commit 4fcd3fe


3 files changed

+28
-4
lines changed


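--- a/htdocs/admin/tools/export_files.php
+++ b/htdocs/admin/tools/export_files.php
@@ -34,7 +34,7 @@
 $what = GETPOST('what', 'alpha');
 $export_type = GETPOST('export_type', 'alpha');
 $file = trim(GETPOST('zipfilename_template', 'alpha'));
-$compression = GETPOST('compression');
+$compression = GETPOST('compression', 'aZ09');
 
 $file = dol_sanitizeFileName($file);
 $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file);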
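Review bot: Restricting `$compression` to the `aZ09` character class on the changed line is an improvement, but a character filter is still weaker than an allow-list if that value later selects an archive command or a command-line flag (its use is outside this hunk, so this is inferred). A check against the values the page actually accepts, e.g. `if (!in_array($compression, ['<allowed-values-here>'], true)) { accessforbidden(); }` (constructed example, fill in the real list), rejects anything unexpected instead of merely stripping characters. The same allow-list approach would also make the intent readable to the next maintainer, which `'aZ09'` alone does not.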

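--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -866,8 +866,9 @@ function dol_sanitizeFileName($str, $newstr = '_', $unaccent = 1)
 // List of special chars for filenames in windows are defined on page https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
 // Char '>' '<' '|' '$' and ';' are special chars for shells.
 // Char '/' and '\' are file delimiters.
-$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';');
-return dol_string_nospecial($unaccent ?dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
+// -- car can be used into filename to inject special paramaters like --use-compress-program to make command with file as parameter making remote execution of command
+$filesystem_forbidden_chars = array('<', '>', '/', '\\', '?', '*', '|', '"', ':', '°', '$', ';', '--');
+return dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars);
 }
 
 /**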
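Review bot: Adding `'--'` to `$filesystem_forbidden_chars` only covers the long-option form; a sanitized name that still begins with a single `-` can be read as a short option by whatever command the file name is later placed on, so the hardening is incomplete. A stricter variant is to also drop leading dashes from the result, e.g. `return preg_replace('/^-+/', '', dol_string_nospecial($unaccent ? dol_string_unaccent($str) : $str, $newstr, $filesystem_forbidden_chars));`, and callers that build a command line should pass `--` before the file argument regardless. Separately, if a caller supplies `$newstr = '-'`, replacing `--` with `-` may recreate the forbidden sequence depending on how dol_string_nospecial applies the substitutions (its body is outside this hunk), so `$newstr` containing `-` deserves a guard or a documented restriction. The new comment mixes French and English and has a typo; I would word it `// '--' is rejected too: a filename starting with '--' can be interpreted as a long option (e.g. --use-compress-program) when the name ends up on a command line.`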

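--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -244,7 +244,7 @@ public function testCheckLoginPassEntity()
 
 $login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
 print __METHOD__." login=".$login."\n";
-$this->assertEquals($login, 'admin');
+$this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
 
 $login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authetntication method
 print __METHOD__." login=".$login."\n";
@@ -326,4 +326,27 @@ public function testRestrictedArea()
 $result=restrictedArea($user, 'societe');
 $this->assertEquals(1, $result);
 }
+
+/**
+* testDolSanitizeFileName
+*
+* @return void
+*/
+public function testDolSanitizeFileName()
+{
+global $conf,$user,$langs,$db;
+$conf=$this->savconf;
+$user=$this->savuser;
+$langs=$this->savlangs;
+$db=$this->savdb;
+
+//$dummyuser=new User($db);
+//$result=restrictedArea($dummyuser,'societe');
+
+$result=dol_sanitizeFileName('bad file | evilaction');
+$this->assertEquals('bad file _ evilaction', $result);
+
+$result=dol_sanitizeFileName('bad file --evilparam');
+$this->assertEquals('bad file _evilparam', $result);
+}
 }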
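Review bot: The changed assertion in testCheckLoginPassEntity passes the arguments in the wrong order: PHPUnit's signature is assertEquals($expected, $actual, $message), so `$this->assertEquals($login, 'admin', ...)` labels the values backwards in the failure output; it should read `$this->assertEquals('admin', $login, 'The test to check if pass of user "admin" is "admin" has failed');`. The new testDolSanitizeFileName already uses the correct order, so only the first hunk is affected. That new test only exercises `--` in the middle of a name; a case where the sequence starts the name (e.g. `dol_sanitizeFileName('--evilparam')`, constructed input) and a case with a non-default `$newstr` would pin the behaviour the library change is meant to guarantee. The commented-out `$dummyuser` lines are leftover from testRestrictedArea and can be dropped.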
