diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php
index af137a1ecdb75..9e93dd78b863a 100644
--- a/htdocs/admin/emailcollector_list.php
+++ b/htdocs/admin/emailcollector_list.php
@@ -109,11 +109,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position']
);
}
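Review bot: In the `'enabled'=>` element the result of `dol_eval($val['enabled'], 1, 1, '1')` is used directly as an operand of `&&`, but when the new simple-string filter refuses an expression dol_eval returns the message string `'Bad string syntax to evaluate …'` (see the rejection branches in the functions.lib.php hunk), and that string is truthy — so any legacy `enabled` definition containing `(`, `'`, `!` or `<` is now reported as enabled instead of hidden; the hardening fails open at this call site. The `$visible =` assignment has the related problem that it is not cast, unlike the `(int)` used in the eventorganization, hrm, product and stock hunks, so a rejected `visible` expression reaches the `$visible < 0` and `$visible != 3` comparisons as a string. I would write `$visible = (int) dol_eval($val['visible'], 1, 1, '1');`, evaluate the flag once with `$enabled = dol_eval($val['enabled'], 1, 1, '1');`, and use `'enabled'=>($visible != 3 && $enabled && !(is_string($enabled) && strpos($enabled, 'Bad string syntax') === 0)),` — or, more robustly, make dol_eval log the rejection and return `false` when `$returnvalue` is 1, adjusting the SecurityTest assertions accordingly. The same truthy-sentinel pattern is in the mails_templates.php, admin/menus/edit.php, extrafields_list_array_fields.tpl.php and workstation_list.php hunks and in every other `*_list.php` hunk of this diff.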
diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index fb3a1ccf702ec..803f3b7453695 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -1034,7 +1034,7 @@
continue; // It means this is a type of template not into elementList (may be because enabled condition of this type is false because module is not enabled)
}
// Test on 'enabled'
- if (!dol_eval($obj->enabled, 1)) {
+ if (!dol_eval($obj->enabled, 1, 1, '1')) {
$i++;
continue; // Email template not qualified
}
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index 02c46d8ca35e5..a9e2fe9287fcc 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -464,7 +464,7 @@ function init_topleft()
}
print '
';
foreach ($object->fields as $key => $val) {
- if (!empty($val['isameasure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1))) {
+ if (!empty($val['isameasure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1, 1, '1'))) {
$arrayofmesures['t.'.$key.'-sum'] = $langs->trans($val['label']).'
('.$langs->trans("Sum").')';
$arrayofmesures['t.'.$key.'-average'] = $langs->trans($val['label']).'
('.$langs->trans("Average").')';
$arrayofmesures['t.'.$key.'-min'] = $langs->trans($val['label']).'
('.$langs->trans("Minimum").')';
@@ -412,7 +412,7 @@
// Add extrafields to Measures
if ($object->isextrafieldmanaged) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
- if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1))) {
+ if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1, 1, '1'))) {
$arrayofmesures['te.'.$key.'-sum'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).'
('.$langs->trans("Sum").')';
$arrayofmesures['te.'.$key.'-average'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).'
('.$langs->trans("Average").')';
$arrayofmesures['te.'.$key.'-min'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).'
('.$langs->trans("Minimum").')';
@@ -443,7 +443,7 @@
// YAxis
print '
';
foreach ($object->fields as $key => $val) {
- if (empty($val['measure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1))) {
+ if (empty($val['measure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1, 1, '1'))) {
if (in_array($key, array('id', 'rowid', 'entity', 'last_main_doc', 'extraparams'))) {
continue;
}
@@ -464,7 +464,7 @@
// Add measure from extrafields
if ($object->isextrafieldmanaged) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
- if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1))) {
+ if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1, 1, '1'))) {
$arrayofyaxis['te.'.$key] = array('label' => $extrafields->attributes[$object->table_element]['label'][$key], 'position' => (int) $extrafields->attributes[$object->table_element]['pos'][$key]);
}
}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 513534ba38c61..c6476f98a116f 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8188,12 +8188,13 @@ function verifCond($strToEvaluate)
* Replace eval function to add more security.
* This function is called by verifCond() or trans() and transnoentitiesnoconv().
*
- * @param string $s String to evaluate
- * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
- * @param int $hideerrors 1=Hide errors
- * @return mixed Nothing or return result of eval
+ * @param string $s String to evaluate
+ * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
+ * @param int $hideerrors 1=Hide errors
+ * @param string $onlysimplestring Accept only simple string with char 'a-z0-9\s$_->&|=';
+ * @return mixed Nothing or return result of eval
*/
-function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
+function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
{
// Only global variables can be changed by eval function and returned to caller
global $db, $langs, $user, $conf, $website, $websitepage;
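Review bot: The new `@param string $onlysimplestring` line understates the accepted grammar: the check that implements it (next hunk) uses the `/i` modifier, so upper-case letters are accepted as well, which matters because `$conf->global->SOME_KEY` style expressions are the usual input here. The docblock also does not say that the backtick and dot rejections apply in every mode, so a caller passing `'0'` (extrafields computed fields) still cannot use decimal literals or `.` concatenation. I would write it as `@param string $onlysimplestring '1'=Accept only a simple expression made of letters (any case), digits, whitespace and the chars $_->&|= ; '0'=Full expression, still subject to the forbidden-function list and to the backtick/dot rejection`, and since the flag is compared with `== '1'` it is worth documenting the two accepted values explicitly. dol_eval's body continues past the end of this hunk.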
@@ -8205,9 +8206,18 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
global $soc; // For backward compatibility
- // Replace dangerous char (used for RCE), we allow only PHP variable testing.
+ // Test dangerous char (used for RCE), we allow only PHP variable testing.
+ if ($onlysimplestring == '1') {
+ //print preg_quote('$_->&|', '/');
+ if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) {
+ return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
+ }
+ }
if (strpos($s, '`') !== false) {
- return 'Bad string syntax to evaluate: '.$s;
+ return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
+ }
+ if (strpos($s, '.') !== false) {
+ return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
}
// We block use of php exec or php file functions
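Review bot: Each of the three rejection branches returns its message string silently, with no `dol_syslog` call, so after this hardening an administrator whose field or template definitions stop evaluating (any `enabled`/`visible` string using characters outside the new whitelist, or the now-forbidden dot) has no trace of which expression was refused or why. I would log before each return, e.g. `dol_syslog('dol_eval: rejected expression in simplestring mode: '.$s, LOG_WARNING);`, which also gives operators a signal when the evaluator is being fed unexpected input. Note that the dot rejection sits outside the `if ($onlysimplestring == '1')` block and therefore also applies to the `'0'` callers (extrafields computed fields), where it rules out decimal literals such as `0.5`; if that is intended it deserves a comment, because the comment above only speaks of simple strings. dol_eval's body begins in the previous hunk and continues past this one.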
@@ -8215,7 +8225,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
$forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
$forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI");
- $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "unlink", "mkdir", "rmdir", "symlink", "touch", "umask"));
+ $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
$forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
$forbiddenphpregex = 'global\s+\$|\b('.implode('|', $forbiddenphpfunctions).')\b';
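Review bot: The `"require"` and `"include"` entries added to `$forbiddenphpfunctions` are matched through `'\b(' . implode('|', …) . ')\b'` on the following line, and because `_` is a word character that regex does not match `require_once` or `include_once`; unless a check later in dol_eval (outside this hunk) covers them, the `_once` variants are not caught by the new rule. I would list them explicitly, `array("fopen", …, "require", "require_once", "include", "include_once", …)`, and add a matching rejection case to SecurityTest so the word-boundary behaviour is pinned. dol_eval's body continues past the end of this hunk.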
diff --git a/htdocs/core/tpl/admin_extrafields_view.tpl.php b/htdocs/core/tpl/admin_extrafields_view.tpl.php
index d1145229db7b7..369f60ea2018a 100644
--- a/htdocs/core/tpl/admin_extrafields_view.tpl.php
+++ b/htdocs/core/tpl/admin_extrafields_view.tpl.php
@@ -73,7 +73,7 @@
if (isset($extrafields->attributes[$elementtype]['type']) && is_array($extrafields->attributes[$elementtype]['type']) && count($extrafields->attributes[$elementtype]['type'])) {
foreach ($extrafields->attributes[$elementtype]['type'] as $key => $value) {
- /*if (! dol_eval($extrafields->attributes[$elementtype]['enabled'][$key], 1)) {
+ /*if (! dol_eval($extrafields->attributes[$elementtype]['enabled'][$key], 1, 1, '1')) {
// TODO Uncomment this to exclude extrafields of modules not enabled. Add a link to "Show extrafields disabled"
// continue;
}*/
diff --git a/htdocs/core/tpl/extrafields_list_array_fields.tpl.php b/htdocs/core/tpl/extrafields_list_array_fields.tpl.php
index 36eeee89627b2..b704891da16d1 100644
--- a/htdocs/core/tpl/extrafields_list_array_fields.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_array_fields.tpl.php
@@ -23,9 +23,9 @@
$arrayfields[$extrafieldsobjectprefix.$key] = array(
'label' => $extrafields->attributes[$extrafieldsobjectkey]['label'][$key],
'type' => $extrafields->attributes[$extrafieldsobjectkey]['type'][$key],
- 'checked' => ((dol_eval($extrafields->attributes[$extrafieldsobjectkey]['list'][$key], 1) <= 0) ? 0 : 1),
+ 'checked' => ((dol_eval($extrafields->attributes[$extrafieldsobjectkey]['list'][$key], 1, 1, '1') <= 0) ? 0 : 1),
'position' => $extrafields->attributes[$extrafieldsobjectkey]['pos'][$key],
- 'enabled' => (abs((int) $extrafields->attributes[$extrafieldsobjectkey]['list'][$key]) != 3 && dol_eval($extrafields->attributes[$extrafieldsobjectkey]['perms'][$key], 1)),
+ 'enabled' => (abs((int) $extrafields->attributes[$extrafieldsobjectkey]['list'][$key]) != 3 && dol_eval($extrafields->attributes[$extrafieldsobjectkey]['perms'][$key], 1, 1, '1')),
'langfile' => $extrafields->attributes[$extrafieldsobjectkey]['langfile'][$key],
'help' => $extrafields->attributes[$extrafieldsobjectkey]['help'][$key],
);
diff --git a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
index 80d6cd7da56f2..00c2739e3f832 100644
--- a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php
@@ -38,7 +38,7 @@
//var_dump($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key]);
//var_dump($obj);
//var_dump($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key]);
- $value = dol_eval($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key], 1);
+ $value = dol_eval($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key], 1, 1, '0');
//var_dump($value);
}
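Review bot: The `'0'` passed as fourth argument in the `$value = dol_eval(...)` line is the only call in this diff that keeps the permissive grammar, and nothing explains why, so a reader hardening the next caller cannot tell whether it is an oversight. I would add above that line `// Computed extrafields need the full expression grammar (parentheses, quotes, method calls), so the simple-string filter is switched off here; dol_eval still applies its forbidden-function list and rejects backticks and dots.` Since these definitions appear to come from the extrafields configuration rather than from code, the comment should name the forbidden-function list in dol_eval as the control that still applies to them. The enclosing block starts outside this hunk.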
diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php
index d105ad05c43f0..943205adca299 100644
--- a/htdocs/eventorganization/conferenceorbooth_list.php
+++ b/htdocs/eventorganization/conferenceorbooth_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/eventorganization/conferenceorboothattendee_list.php b/htdocs/eventorganization/conferenceorboothattendee_list.php
index e084c68cfe7b8..ab2699187b228 100644
--- a/htdocs/eventorganization/conferenceorboothattendee_list.php
+++ b/htdocs/eventorganization/conferenceorboothattendee_list.php
@@ -122,11 +122,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/evaluation_list.php b/htdocs/hrm/evaluation_list.php
index 35189f11b871f..ad99573b0962a 100644
--- a/htdocs/hrm/evaluation_list.php
+++ b/htdocs/hrm/evaluation_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/job_list.php b/htdocs/hrm/job_list.php
index 55363d729b55a..7644ea1fd0fd2 100644
--- a/htdocs/hrm/job_list.php
+++ b/htdocs/hrm/job_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/position.php b/htdocs/hrm/position.php
index d36d352e89569..253945e6c5ac9 100644
--- a/htdocs/hrm/position.php
+++ b/htdocs/hrm/position.php
@@ -357,11 +357,11 @@ function DisplayPositionList()
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.' . $key] = array(
'label' => $val['label'],
'checked' => (($visible < 0) ? 0 : 1),
- 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position' => $val['position'],
'help' => isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/position_list.php b/htdocs/hrm/position_list.php
index 1585ed1e03feb..13315a2a9bcb4 100644
--- a/htdocs/hrm/position_list.php
+++ b/htdocs/hrm/position_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/skill_card.php b/htdocs/hrm/skill_card.php
index a06cf40952a88..7c63bb2cff75d 100644
--- a/htdocs/hrm/skill_card.php
+++ b/htdocs/hrm/skill_card.php
@@ -538,11 +538,11 @@
foreach ($objectline->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.' . $key] = array(
'label' => $val['label'],
'checked' => (($visible < 0) ? 0 : 1),
- 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position' => $val['position'],
'help' => isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/hrm/skill_list.php b/htdocs/hrm/skill_list.php
index 1fc5440e58933..8ef800b3ffc8f 100644
--- a/htdocs/hrm/skill_list.php
+++ b/htdocs/hrm/skill_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/knowledgemanagement/knowledgerecord_list.php b/htdocs/knowledgemanagement/knowledgerecord_list.php
index aed45b1db260f..c4440028e4946 100644
--- a/htdocs/knowledgemanagement/knowledgerecord_list.php
+++ b/htdocs/knowledgemanagement/knowledgerecord_list.php
@@ -114,11 +114,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php
index e5648cad5f783..6e15a71e517d1 100644
--- a/htdocs/mrp/mo_list.php
+++ b/htdocs/mrp/mo_list.php
@@ -109,11 +109,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/partnership/partnership_list.php b/htdocs/partnership/partnership_list.php
index 89394960632b0..dc9958fa3df1b 100644
--- a/htdocs/partnership/partnership_list.php
+++ b/htdocs/partnership/partnership_list.php
@@ -118,11 +118,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php
index 41e43fdf433ce..c4548b3aa665e 100644
--- a/htdocs/product/inventory/list.php
+++ b/htdocs/product/inventory/list.php
@@ -102,11 +102,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index a3ec599dea8ab..26dbf18e4390a 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -244,11 +244,11 @@
/*foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
$arrayfields['p.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position']
);
}
diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php
index 8f24fb9c110d6..93c963e006552 100644
--- a/htdocs/product/stock/list.php
+++ b/htdocs/product/stock/list.php
@@ -117,11 +117,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : 'help'
);
diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php
index e5a8b05902e27..92172643096bf 100644
--- a/htdocs/product/stock/productlot_list.php
+++ b/htdocs/product/stock/productlot_list.php
@@ -104,11 +104,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position']
);
}
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 56db0bd2a6409..3eeb1bb1e4c05 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -27,6 +27,7 @@
*/
require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/commonobjectline.class.php';
require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index cc9099b463bc3..36c2fc942b5bc 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -182,11 +182,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
$arrayfields['p.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php
index f16b8c3dcf92a..05cf56636eaa8 100644
--- a/htdocs/recruitment/recruitmentcandidature_list.php
+++ b/htdocs/recruitment/recruitmentcandidature_list.php
@@ -151,11 +151,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position']
);
}
diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php
index f0935bc87988f..c4a43d0bab4d8 100644
--- a/htdocs/recruitment/recruitmentjobposition_list.php
+++ b/htdocs/recruitment/recruitmentjobposition_list.php
@@ -153,11 +153,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php
index 7a8b3ebca103e..2e77c29cd01e5 100644
--- a/htdocs/salaries/list.php
+++ b/htdocs/salaries/list.php
@@ -134,11 +134,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/salaries/payments.php b/htdocs/salaries/payments.php
index 77cbae397f0ce..58f5546216f85 100644
--- a/htdocs/salaries/payments.php
+++ b/htdocs/salaries/payments.php
@@ -129,11 +129,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php
index b2548807be433..f489c9218fc11 100644
--- a/htdocs/ticket/list.php
+++ b/htdocs/ticket/list.php
@@ -136,11 +136,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help'=> isset($val['help']) ? $val['help'] : ''
);
diff --git a/htdocs/workstation/workstation_list.php b/htdocs/workstation/workstation_list.php
index 25dcc44de655a..0d17232c9db18 100644
--- a/htdocs/workstation/workstation_list.php
+++ b/htdocs/workstation/workstation_list.php
@@ -108,11 +108,11 @@
foreach ($object->fields as $key => $val) {
// If $val['visible']==0, then we never show the field
if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
$arrayfields['t.'.$key] = array(
'label'=>$val['label'],
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>$val['position'],
'help' => empty($val['help']) ? '' : $val['help']
);
@@ -130,7 +130,7 @@
$arrayfields['wr.fk_resource'] = array(
'label'=>$langs->trans('Resources'),
'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
'position'=>1001,
'help' => empty($val['help']) ? '' : $val['help']
);
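Review bot: The `'enabled'=>` element of the `wr.fk_resource` entry evaluates `$val['enabled']` and reads `$visible`, but neither is defined for this column: they appear to be leftovers of the `foreach ($object->fields …)` loop in the previous hunk, so the resource column's enabled state (and its `help`, two lines below) depends on whichever field happened to be iterated last. I would give the entry its own explicit values, e.g. `'enabled' => 1,` and `'help' => '',`, or a condition specific to the resource column, instead of re-evaluating a foreign field definition. The enclosing block starts outside this hunk.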
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 15e4eaa8bda64..a687e6adbd765 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -875,11 +875,18 @@ public function testDolEval()
include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
- $result=dol_eval('(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: "Parent project not found"', 1, 1);
+
+ $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: "Parent project not found"';
+ $result=dol_eval($s, 1, 1, '');
+ print "result = ".$result."\n";
+ $this->assertEquals('Parent project not found', $result);
+
+ $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: \'Parent project not found\'';
+ $result=dol_eval($s, 1, 1, '');
print "result = ".$result."\n";
$this->assertEquals('Parent project not found', $result);
- $result=dol_eval('$a=function() { }; $a;', 1, 1);
+ $result=dol_eval('$a=function() { }; $a;', 1, 1, '');
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
@@ -898,5 +905,18 @@ public function testDolEval()
$result=dol_eval('`ls`', 1, 0);
print "result = ".$result."\n";
$this->assertContains('Bad string syntax to evaluate', $result);
+
+ $result=dol_eval("('ex'.'ec')('echo abc')", 1, 0);
+ print "result = ".$result."\n";
+ $this->assertContains('Bad string syntax to evaluate', $result);
+
+ // Case with param onlysimplestring = 1
+ $result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
+ print "result = ".$result."\n";
+ $this->assertFalse($result);
+
+ $result=dol_eval("(\$a.'aa')", 1, 0);
+ print "result = ".$result."\n";
+ $this->assertContains('Bad string syntax to evaluate', $result);
}
}
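Review bot: The two new rejection cases `("('ex'.'ec')('echo abc')", 1, 0)` and `("(\$a.'aa')", 1, 0)` run with the default `$onlysimplestring = '1'`, so they are refused by the simple-string character check before the dedicated dot check is reached, and since both assertions only look for the common prefix `Bad string syntax to evaluate` the dot rule itself is not pinned by this test. To cover it, pass the permissive mode explicitly, `$result=dol_eval("(\$a.'aa')", 1, 0, '');`, and assert on the more specific `dot char is forbidden` message. A positive case with upper-case identifiers, e.g. `$result=dol_eval('1 && $conf->ABC->DOESNOTEXIST1', 1, 0);` with `assertFalse` (constructed by analogy with the existing lower-case case), would also document that the simple-string check is case-insensitive. `testDolEval` begins outside this hunk.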