From 2a48dd349e7de0d4a38e448b0d2ecbe25e968075 Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Tue, 1 Mar 2022 16:38:06 +0100 Subject: [PATCH] Fix #hunterb03d4415-d4f9-48c8-9ae2-d3aa248027b5 --- htdocs/admin/emailcollector_list.php | 4 +-- htdocs/admin/mails_templates.php | 2 +- htdocs/admin/menus/edit.php | 6 ++--- htdocs/bom/bom_list.php | 2 +- .../compta/cashcontrol/cashcontrol_list.php | 4 +-- htdocs/compta/facture/list.php | 4 +-- htdocs/compta/resultat/result.php | 8 +++--- htdocs/core/boxes/box_scheduled_jobs.php | 2 +- htdocs/core/class/commonobject.class.php | 18 ++++++------- htdocs/core/class/extrafields.class.php | 14 +++++----- htdocs/core/class/html.form.class.php | 2 +- htdocs/core/class/html.formother.class.php | 8 +++--- htdocs/core/class/menu.class.php | 2 +- htdocs/core/class/translate.class.php | 4 +-- htdocs/core/customreports.php | 10 +++---- htdocs/core/lib/functions.lib.php | 26 +++++++++++++------ .../core/tpl/admin_extrafields_view.tpl.php | 2 +- .../tpl/extrafields_list_array_fields.tpl.php | 4 +-- .../tpl/extrafields_list_print_fields.tpl.php | 2 +- .../conferenceorbooth_list.php | 4 +-- .../conferenceorboothattendee_list.php | 4 +-- htdocs/hrm/evaluation_list.php | 4 +-- htdocs/hrm/job_list.php | 4 +-- htdocs/hrm/position.php | 4 +-- htdocs/hrm/position_list.php | 4 +-- htdocs/hrm/skill_card.php | 4 +-- htdocs/hrm/skill_list.php | 4 +-- .../knowledgerecord_list.php | 4 +-- htdocs/mrp/mo_list.php | 4 +-- htdocs/partnership/partnership_list.php | 4 +-- htdocs/product/inventory/list.php | 4 +-- htdocs/product/list.php | 4 +-- htdocs/product/stock/list.php | 4 +-- htdocs/product/stock/productlot_list.php | 4 +-- htdocs/projet/class/task.class.php | 1 + htdocs/projet/list.php | 4 +-- .../recruitmentcandidature_list.php | 4 +-- .../recruitmentjobposition_list.php | 4 +-- htdocs/salaries/list.php | 4 +-- htdocs/salaries/payments.php | 4 +-- htdocs/ticket/list.php | 4 +-- htdocs/workstation/workstation_list.php | 6 ++--- test/phpunit/SecurityTest.php | 24 +++++++++++++++-- 43 files changed, 135 
insertions(+), 104 deletions(-) diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php index af137a1ecdb75..9e93dd78b863a 100644 --- a/htdocs/admin/emailcollector_list.php +++ b/htdocs/admin/emailcollector_list.php @@ -109,11 +109,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = dol_eval($val['visible'], 1); + $visible = dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'] ); } diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index fb3a1ccf702ec..803f3b7453695 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -1034,7 +1034,7 @@ continue; // It means this is a type of template not into elementList (may be because enabled condition of this type is false because module is not enabled) } // Test on 'enabled' - if (!dol_eval($obj->enabled, 1)) { + if (!dol_eval($obj->enabled, 1, 1, '1')) { $i++; continue; // Email template not qualified } diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index 02c46d8ca35e5..a9e2fe9287fcc 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -464,7 +464,7 @@ function init_topleft() } print ''; print ''.$langs->trans('DetailMenuIdParent'); - print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; + print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ''; // Niveau 
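Review bot: `$visible = dol_eval($val['visible'], 1, 1, '1');` in emailcollector_list.php is the only list page in this patch that does not cast the result to int; the sibling list pages (bom_list.php, cashcontrol_list.php and the hrm/mrp/product lists further down) all write `$visible = (int) dol_eval(...)`. The difference matters now that dol_eval() answers refused input with a non-empty message string: a string `$visible` satisfies `$visible != 3` and is not `< 0`, so a refused condition produces an enabled, checked column. Use `$visible = (int) dol_eval($val['visible'], 1, 1, '1');` here as well. The enclosing foreach continues outside the hunk.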
@@ -496,7 +496,7 @@ function init_topleft() print ''.$langs->trans('Enabled').''; print ''.$langs->trans('DetailEnabled'); if (!empty($menu->enabled)) { - print ' ('.$langs->trans("ConditionIsCurrently").': '.yn(dol_eval($menu->enabled, 1)).')'; + print ' ('.$langs->trans("ConditionIsCurrently").': '.yn(dol_eval($menu->enabled, 1, 1, '1')).')'; } print ''; @@ -504,7 +504,7 @@ function init_topleft() print ''.$langs->trans('Rights').''; print ''.$langs->trans('DetailRight'); if (!empty($menu->perms)) { - print ' ('.$langs->trans("ConditionIsCurrently").': '.yn(dol_eval($menu->perms, 1)).')'; + print ' ('.$langs->trans("ConditionIsCurrently").': '.yn(dol_eval($menu->perms, 1, 1, '1')).')'; } print ''; diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php index 3cc0dc1753a74..48798db9b8f93 100644 --- a/htdocs/bom/bom_list.php +++ b/htdocs/bom/bom_list.php @@ -106,7 +106,7 @@ $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php index 89781fcb211e2..7822819c06a7b 100644 --- a/htdocs/compta/cashcontrol/cashcontrol_list.php +++ b/htdocs/compta/cashcontrol/cashcontrol_list.php 
@@ -104,11 +104,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 0e3acc45d250a..3531817499922 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -261,14 +261,14 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $newkey = ''; if (array_key_exists($key, $arrayfields)) { $newkey = $key; } elseif (array_key_exists('t.'.$key, $arrayfields)) { $newkey = 't.'.$key; } elseif (array_key_exists('f.'.$key, $arrayfields)) { $newkey = 'f.'.$key; } elseif (array_key_exists('s.'.$key, $arrayfields)) { $newkey = 's.'.$key; } if ($newkey) { $arrayfields[$newkey] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help' => empty($val['help']) ? '' : $val['help'], ); diff --git a/htdocs/compta/resultat/result.php b/htdocs/compta/resultat/result.php index 635531ab86b84..c296d4037e596 100644 --- a/htdocs/compta/resultat/result.php +++ b/htdocs/compta/resultat/result.php 
@@ -334,7 +334,7 @@ //var_dump($result); //$r = $AccCat->calculate($result); - $r = dol_eval($result, 1); + $r = dol_eval($result, 1, 1, '1'); //var_dump($r); print ''.price($r).''; @@ -353,7 +353,7 @@ $result = strtr($formula, $vars); //$r = $AccCat->calculate($result); - $r = dol_eval($result, 1); + $r = dol_eval($result, 1, 1, 1); print ''.price($r).''; $sommes[$code]['N'] += $r; @@ -367,7 +367,7 @@ $result = strtr($formula, $vars); //$r = $AccCat->calculate($result); - $r = dol_eval($result, 1); + $r = dol_eval($result, 1, 1, 1); print ''.price($r).''; $sommes[$code]['M'][$k] += $r; @@ -381,7 +381,7 @@ $result = strtr($formula, $vars); //$r = $AccCat->calculate($result); - $r = dol_eval($result, 1); + $r = dol_eval($result, 1, 1, 1); print ''.price($r).''; $sommes[$code]['M'][$k] += $r; diff --git a/htdocs/core/boxes/box_scheduled_jobs.php b/htdocs/core/boxes/box_scheduled_jobs.php index 94695034ccea4..f21956596542a 100644 --- a/htdocs/core/boxes/box_scheduled_jobs.php +++ b/htdocs/core/boxes/box_scheduled_jobs.php @@ -102,7 +102,7 @@ public function loadBox($max = 5) while ($i < $num) { $objp = $this->db->fetch_object($result); - if (dol_eval($objp->test, 1, 1)) { + if (dol_eval($objp->test, 1, 1, '')) { $nextrun = $this->db->jdate($objp->datenextrun); if (empty($nextrun)) { $nextrun = $this->db->jdate($objp->datestart); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 4b3d6fca2d3ff..179f125530668 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php 
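Review bot: The hunks at -353, -367 and -381 pass the new argument as the int `1` while the hunk at -334 passes `'1'`; both satisfy the loose `$onlysimplestring == '1'` test, but the four call sites should use one spelling, `$r = dol_eval($result, 1, 1, '1');`. More importantly, `$result` comes from `strtr($formula, $vars)`: if those accounting formulas use arithmetic operators such as `+`, `*`, `/`, parentheses or decimal numbers, the simple-string allowlist and the new dot check refuse them and dol_eval() returns a message string instead of a number, which then reaches `price($r)` and `$sommes[$code]['N'] += $r` (arithmetic on a non-numeric string warns or throws depending on PHP version). Confirm the formula grammar against the allowlist before merging. The enclosing loops start before these hunks.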
@@ -5675,12 +5675,12 @@ public function setValuesForExtraLanguages($onlykey = '') $enabled = 1; if (isset($this->fields[$key]['enabled'])) { - $enabled = dol_eval($this->fields[$key]['enabled'], 1); + $enabled = dol_eval($this->fields[$key]['enabled'], 1, 1, '1'); } /*$perms = 1; if (isset($this->fields[$key]['perms'])) { - $perms = dol_eval($this->fields[$key]['perms'], 1); + $perms = dol_eval($this->fields[$key]['perms'], 1, 1, '1'); }*/ if (empty($enabled)) { continue; @@ -5836,7 +5836,7 @@ public function fetch_optionals($rowid = null, $optionsArray = null) if (!empty($extrafields) && !empty($extrafields->attributes[$this->table_element]['computed'][$key])) { //var_dump($conf->disable_compute); if (empty($conf->disable_compute)) { - $this->array_options["options_".$key] = dol_eval($extrafields->attributes[$this->table_element]['computed'][$key], 1, 0); + $this->array_options["options_".$key] = dol_eval($extrafields->attributes[$this->table_element]['computed'][$key], 1, 0, ''); } } } @@ -5967,7 +5967,7 @@ public function insertExtraFields($trigger = '', $userused = null) if (!empty($attrfieldcomputed)) { if (!empty($conf->global->MAIN_STORE_COMPUTED_EXTRAFIELDS)) { - $value = dol_eval($attrfieldcomputed, 1, 0); + $value = dol_eval($attrfieldcomputed, 1, 0, ''); dol_syslog($langs->trans("Extrafieldcomputed")." sur ".$attributeLabel."(".$value.")", LOG_DEBUG); $new_array_options[$key] = $value; } else { @@ -6334,7 +6334,7 @@ public function updateExtraField($key, $trigger = null, $userused = null) if (!empty($attrfieldcomputed)) { if (!empty($conf->global->MAIN_STORE_COMPUTED_EXTRAFIELDS)) { - $value = dol_eval($attrfieldcomputed, 1, 0); + $value = dol_eval($attrfieldcomputed, 1, 0, ''); dol_syslog($langs->trans("Extrafieldcomputed")." sur ".$attributeLabel."(".$value.")", LOG_DEBUG); $this->array_options["options_".$key] = $value; } else { 
@@ -7188,7 +7188,7 @@ public function showOutputField($val, $key, $value, $moreparam = '', $keysuffix if ($computed) { // Make the eval of compute string //var_dump($computed); - $value = dol_eval($computed, 1, 0); + $value = dol_eval($computed, 1, 0, ''); } if (empty($morecss)) { @@ -7713,7 +7713,7 @@ public function showOptionals($extrafields, $mode = 'view', $params = null, $key // Test on 'enabled' ('enabled' is different than 'list' = 'visibility') $enabled = 1; if ($enabled && isset($extrafields->attributes[$this->table_element]['enabled'][$key])) { - $enabled = dol_eval($extrafields->attributes[$this->table_element]['enabled'][$key], 1); + $enabled = dol_eval($extrafields->attributes[$this->table_element]['enabled'][$key], 1, 1, '1'); } if (empty($enabled)) { continue; @@ -7721,12 +7721,12 @@ public function showOptionals($extrafields, $mode = 'view', $params = null, $key $visibility = 1; if ($visibility && isset($extrafields->attributes[$this->table_element]['list'][$key])) { - $visibility = dol_eval($extrafields->attributes[$this->table_element]['list'][$key], 1); + $visibility = dol_eval($extrafields->attributes[$this->table_element]['list'][$key], 1, 1, '1'); } $perms = 1; if ($perms && isset($extrafields->attributes[$this->table_element]['perms'][$key])) { - $perms = dol_eval($extrafields->attributes[$this->table_element]['perms'][$key], 1); + $perms = dol_eval($extrafields->attributes[$this->table_element]['perms'][$key], 1, 1, '1'); } if (($mode == 'create') && abs($visibility) != 1 && abs($visibility) != 3) { diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index 2b827d06f36f2..ff45a028d519d 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php 
@@ -915,9 +915,9 @@ public function showInputField($key, $value, $moreparam = '', $keysuffix = '', $ $unique = $this->attributes[$extrafieldsobjectkey]['unique'][$key]; $required = $this->attributes[$extrafieldsobjectkey]['required'][$key]; $param = $this->attributes[$extrafieldsobjectkey]['param'][$key]; - $perms = dol_eval($this->attributes[$extrafieldsobjectkey]['perms'][$key], 1); + $perms = dol_eval($this->attributes[$extrafieldsobjectkey]['perms'][$key], 1, 1, '1'); $langfile = $this->attributes[$extrafieldsobjectkey]['langfile'][$key]; - $list = dol_eval($this->attributes[$extrafieldsobjectkey]['list'][$key], 1); + $list = dol_eval($this->attributes[$extrafieldsobjectkey]['list'][$key], 1, 1, '1'); $totalizable = $this->attributes[$extrafieldsobjectkey]['totalizable'][$key]; $help = $this->attributes[$extrafieldsobjectkey]['help'][$key]; $hidden = (empty($list) ? 1 : 0); // If empty, we are sure it is hidden, otherwise we show. If it depends on mode (view/create/edit form or list, this must be filtered by caller) 
@@ -1505,9 +1505,9 @@ public function showOutputField($key, $value, $moreparam = '', $extrafieldsobjec $unique = $this->attributes[$extrafieldsobjectkey]['unique'][$key]; $required = $this->attributes[$extrafieldsobjectkey]['required'][$key]; $param = $this->attributes[$extrafieldsobjectkey]['param'][$key]; - $perms = dol_eval($this->attributes[$extrafieldsobjectkey]['perms'][$key], 1); + $perms = dol_eval($this->attributes[$extrafieldsobjectkey]['perms'][$key], 1, 1, '1'); $langfile = $this->attributes[$extrafieldsobjectkey]['langfile'][$key]; - $list = dol_eval($this->attributes[$extrafieldsobjectkey]['list'][$key], 1); + $list = dol_eval($this->attributes[$extrafieldsobjectkey]['list'][$key], 1, 1, '1'); $help = $this->attributes[$extrafieldsobjectkey]['help'][$key]; $hidden = (empty($list) ? 1 : 0); // If $list empty, we are sure it is hidden, otherwise we show. If it depends on mode (view/create/edit form or list, this must be filtered by caller) } else { @@ -1959,17 +1959,17 @@ public function setOptionalsFromPost($extralabels, &$object, $onlykey = '') $enabled = 1; if (isset($this->attributes[$object->table_element]['enabled'][$key])) { // 'enabled' is often a condition on module enabled or not - $enabled = dol_eval($this->attributes[$object->table_element]['enabled'][$key], 1); + $enabled = dol_eval($this->attributes[$object->table_element]['enabled'][$key], 1, 1, '1'); } $visibility = 1; if (isset($this->attributes[$object->table_element]['list'][$key])) { // 'list' is option for visibility - $visibility = dol_eval($this->attributes[$object->table_element]['list'][$key], 1); + $visibility = dol_eval($this->attributes[$object->table_element]['list'][$key], 1, 1, '1'); } $perms = 1; if (isset($this->attributes[$object->table_element]['perms'][$key])) { - $perms = dol_eval($this->attributes[$object->table_element]['perms'][$key], 1); + $perms = dol_eval($this->attributes[$object->table_element]['perms'][$key], 1, 1, '1'); } if (empty($enabled)) { continue; 
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index f25c9aad9d37c..975e6ed86ea3d 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -7424,7 +7424,7 @@ public function selectForFormsList($objecttmp, $htmlname, $preselectedvalue, $sh if (!empty($objecttmp->fields)) { // For object that declare it, it is better to use declared fields (like societe, contact, ...) $tmpfieldstoshow = ''; foreach ($objecttmp->fields as $key => $val) { - if (!dol_eval($val['enabled'], 1, 1)) { + if (!dol_eval($val['enabled'], 1, 1, 1, '1')) { continue; } if (!empty($val['showoncombobox'])) { diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index aa0e548676197..6dae77dffa49c 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1501,10 +1501,10 @@ public function selectGroupByField($object, $search_groupby, &$arrayofgroupby, $ 'parent', 'photo', 'socialnetworks', 'webservices_url', 'webservices_key'))) { continue; } - if (isset($val['enabled']) && !dol_eval($val['enabled'], 1)) { + if (isset($val['enabled']) && !dol_eval($val['enabled'], 1, 1, '1')) { continue; } - if (isset($val['visible']) && !dol_eval($val['visible'], 1)) { + if (isset($val['visible']) && !dol_eval($val['visible'], 1, 1, '1')) { continue; } if (preg_match('/^fk_/', $key) && !preg_match('/^fk_statu/', $key)) { 
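Review bot: `dol_eval($val['enabled'], 1, 1, 1, '1')` in selectForFormsList() passes five arguments to a four-parameter function: PHP silently drops the trailing `'1'`, and `$onlysimplestring` receives the int `1`, which only works because the function compares it with a loose `== '1'`. Write it as every other call site in this patch does, `if (!dol_eval($val['enabled'], 1, 1, '1')) {`. The enclosing foreach continues past the hunk.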
@@ -1575,10 +1575,10 @@ public function selectXAxisField($object, $search_xaxis, &$arrayofxaxis) 'parent', 'photo', 'socialnetworks', 'webservices_url', 'webservices_key'))) { continue; } - if (isset($val['enabled']) && !dol_eval($val['enabled'], 1)) { + if (isset($val['enabled']) && !dol_eval($val['enabled'], 1, 1, '1')) { continue; } - if (isset($val['visible']) && !dol_eval($val['visible'], 1)) { + if (isset($val['visible']) && !dol_eval($val['visible'], 1, 1, '1')) { continue; } if (preg_match('/^fk_/', $key) && !preg_match('/^fk_statu/', $key)) { diff --git a/htdocs/core/class/menu.class.php b/htdocs/core/class/menu.class.php index e88ec70132005..eab31288cca9e 100644 --- a/htdocs/core/class/menu.class.php +++ b/htdocs/core/class/menu.class.php @@ -119,7 +119,7 @@ public function getNbOfVisibleMenuEntries() { $nb = 0; foreach ($this->liste as $val) { - //if (dol_eval($val['enabled'], 1)) $nb++; + //if (dol_eval($val['enabled'], 1, 1, '1')) $nb++; if (!empty($val['enabled'])) { $nb++; // $val['enabled'] is already evaluated to 0 or 1, no need for dol_eval() } diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php index f881447cd67f5..5bfdbc7e0f188 100644 --- a/htdocs/core/class/translate.class.php +++ b/htdocs/core/class/translate.class.php @@ -656,7 +656,7 @@ public function trans($key, $param1 = '', $param2 = '', $param3 = '', $param4 = return $str; } else { // Translation is not available - //if ($key[0] == '$') { return dol_eval($key,1); } + //if ($key[0] == '$') { return dol_eval($key, 1, 1, '1'); } return $this->getTradFromKey($key); } } @@ -722,7 +722,7 @@ public function transnoentitiesnoconv($key, $param1 = '', $param2 = '', $param3 return $str; } else { if ($key[0] == '$') { - return dol_eval($key, 1); + return dol_eval($key, 1, 1, '1'); } return $this->getTradFromKey($key); } diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php index fafd1c015e881..0ff8ebc4e6479 100644 
--- a/htdocs/core/customreports.php +++ b/htdocs/core/customreports.php @@ -371,7 +371,7 @@ print '
'.$langs->trans("StatisticsOn").'
'; $newarrayoftype = array(); foreach ($arrayoftype as $key => $val) { - if (dol_eval($val['enabled'], 1)) { + if (dol_eval($val['enabled'], 1, 1, '1')) { $newarrayoftype[$key] = $arrayoftype[$key]; } if ($val['langs']) { @@ -402,7 +402,7 @@ // Add measures into array print '
'; foreach ($object->fields as $key => $val) { - if (!empty($val['isameasure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1))) { + if (!empty($val['isameasure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1, 1, '1'))) { $arrayofmesures['t.'.$key.'-sum'] = $langs->trans($val['label']).' ('.$langs->trans("Sum").')'; $arrayofmesures['t.'.$key.'-average'] = $langs->trans($val['label']).' ('.$langs->trans("Average").')'; $arrayofmesures['t.'.$key.'-min'] = $langs->trans($val['label']).' ('.$langs->trans("Minimum").')'; @@ -412,7 +412,7 @@ // Add extrafields to Measures if ($object->isextrafieldmanaged) { foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) { - if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1))) { + if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1, 1, '1'))) { $arrayofmesures['te.'.$key.'-sum'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).' ('.$langs->trans("Sum").')'; $arrayofmesures['te.'.$key.'-average'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).' ('.$langs->trans("Average").')'; $arrayofmesures['te.'.$key.'-min'] = $langs->trans($extrafields->attributes[$object->table_element]['label'][$key]).' ('.$langs->trans("Minimum").')'; @@ -443,7 +443,7 @@ // YAxis print '
'; foreach ($object->fields as $key => $val) { - if (empty($val['measure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1))) { + if (empty($val['measure']) && (!isset($val['enabled']) || dol_eval($val['enabled'], 1, 1, '1'))) { if (in_array($key, array('id', 'rowid', 'entity', 'last_main_doc', 'extraparams'))) { continue; } @@ -464,7 +464,7 @@ // Add measure from extrafields if ($object->isextrafieldmanaged) { foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) { - if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1))) { + if (!empty($extrafields->attributes[$object->table_element]['totalizable'][$key]) && (!isset($extrafields->attributes[$object->table_element]['enabled'][$key]) || dol_eval($extrafields->attributes[$object->table_element]['enabled'][$key], 1, 1, '1'))) { $arrayofyaxis['te.'.$key] = array('label' => $extrafields->attributes[$object->table_element]['label'][$key], 'position' => (int) $extrafields->attributes[$object->table_element]['pos'][$key]); } } diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 513534ba38c61..c6476f98a116f 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
@@ -8188,12 +8188,13 @@ function verifCond($strToEvaluate)
 * Replace eval function to add more security.
 * This function is called by verifCond() or trans() and transnoentitiesnoconv().
 *
- * @param string $s String to evaluate
- * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
- * @param int $hideerrors 1=Hide errors
- * @return mixed Nothing or return result of eval
+ * @param string $s String to evaluate
+ * @param int $returnvalue 0=No return (used to execute eval($a=something)). 1=Value of eval is returned (used to eval($something)).
+ * @param int $hideerrors 1=Hide errors
+ * @param string $onlysimplestring Accept only simple string with char 'a-z0-9\s$_->&|=';
+ * @return mixed Nothing or return result of eval
 */
-function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
+function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1')
 {
 // Only global variables can be changed by eval function and returned to caller
 global $db, $langs, $user, $conf, $website, $websitepage;
@@ -8205,9 +8206,18 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
 global $obj; // To get $obj used into list when dol_eval is used for computed fields and $obj is not yet $object
 global $soc; // For backward compatibility
- // Replace dangerous char (used for RCE), we allow only PHP variable testing.
+ // Test dangerous char (used for RCE), we allow only PHP variable testing.
+ if ($onlysimplestring == '1') {
+ //print preg_quote('$_->&|', '/');
+ if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=', '/').']/i', $s)) {
+ return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
+ }
+ }
 if (strpos($s, '`') !== false) {
- return 'Bad string syntax to evaluate: '.$s;
+ return 'Bad string syntax to evaluate (backtick char is forbidden): '.$s;
+ }
+ if (strpos($s, '.') !== false) {
+ return 'Bad string syntax to evaluate (dot char is forbidden): '.$s;
 }
 // We block use of php exec or php file functions
@@ -8215,7 +8225,7 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1)
 $forbiddenphpstrings = array_merge($forbiddenphpstrings, array('_ENV', '_SESSION', '_COOKIE', '_GET', '_POST', '_REQUEST'));
 $forbiddenphpfunctions = array("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "eval", "dol_eval", "executeCLI");
- $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "unlink", "mkdir", "rmdir", "symlink", "touch", "umask"));
+ $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("fopen", "file_put_contents", "fputs", "fputscsv", "fwrite", "fpassthru", "require", "include", "mkdir", "rmdir", "symlink", "touch", "unlink", "umask"));
 $forbiddenphpfunctions = array_merge($forbiddenphpfunctions, array("function", "call_user_func"));
 $forbiddenphpregex = 'global\s+\$|\b('.implode('|', $forbiddenphpfunctions).')\b';
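Review bot: All three rejection branches in the hunk at -8205 return a non-empty message string, so a refused expression reads as true at every call site that tests the result directly (`if (!dol_eval($obj->enabled, 1, 1, '1'))` in mails_templates.php, the `'enabled'=>` entries of the list pages, `$enabled`/`$perms` in extrafields.class.php and commonobject.class.php), and the much stricter allowlist makes that path far easier to reach than the old backtick check did. Fail closed instead: log the reason and return a falsy value, e.g. `dol_syslog('dol_eval: refused string '.$s, LOG_WARNING); return false;` in each branch, so the diagnostic lives in the log rather than in a value callers treat as "enabled" (result.php currently prints it). In the hunk at -8215, `\brequire\b` and `\binclude\b` do not match `require_once` or `include_once`, because `_` is a word character; add the `_once` variants to the list. The `$onlysimplestring` docblock entry should also state that the backtick and `.` checks apply whatever value is passed. dol_eval() continues past the last hunk.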
diff --git a/htdocs/core/tpl/admin_extrafields_view.tpl.php b/htdocs/core/tpl/admin_extrafields_view.tpl.php index d1145229db7b7..369f60ea2018a 100644 --- a/htdocs/core/tpl/admin_extrafields_view.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_view.tpl.php @@ -73,7 +73,7 @@ if (isset($extrafields->attributes[$elementtype]['type']) && is_array($extrafields->attributes[$elementtype]['type']) && count($extrafields->attributes[$elementtype]['type'])) { foreach ($extrafields->attributes[$elementtype]['type'] as $key => $value) { - /*if (! dol_eval($extrafields->attributes[$elementtype]['enabled'][$key], 1)) { + /*if (! dol_eval($extrafields->attributes[$elementtype]['enabled'][$key], 1, 1, '1')) { // TODO Uncomment this to exclude extrafields of modules not enabled. Add a link to "Show extrafields disabled" // continue; }*/ diff --git a/htdocs/core/tpl/extrafields_list_array_fields.tpl.php b/htdocs/core/tpl/extrafields_list_array_fields.tpl.php index 36eeee89627b2..b704891da16d1 100644 --- a/htdocs/core/tpl/extrafields_list_array_fields.tpl.php +++ b/htdocs/core/tpl/extrafields_list_array_fields.tpl.php 
@@ -23,9 +23,9 @@ $arrayfields[$extrafieldsobjectprefix.$key] = array( 'label' => $extrafields->attributes[$extrafieldsobjectkey]['label'][$key], 'type' => $extrafields->attributes[$extrafieldsobjectkey]['type'][$key], - 'checked' => ((dol_eval($extrafields->attributes[$extrafieldsobjectkey]['list'][$key], 1) <= 0) ? 0 : 1), + 'checked' => ((dol_eval($extrafields->attributes[$extrafieldsobjectkey]['list'][$key], 1, 1, '1') <= 0) ? 0 : 1), 'position' => $extrafields->attributes[$extrafieldsobjectkey]['pos'][$key], - 'enabled' => (abs((int) $extrafields->attributes[$extrafieldsobjectkey]['list'][$key]) != 3 && dol_eval($extrafields->attributes[$extrafieldsobjectkey]['perms'][$key], 1)), + 'enabled' => (abs((int) $extrafields->attributes[$extrafieldsobjectkey]['list'][$key]) != 3 && dol_eval($extrafields->attributes[$extrafieldsobjectkey]['perms'][$key], 1, 1, '1')), 'langfile' => $extrafields->attributes[$extrafieldsobjectkey]['langfile'][$key], 'help' => $extrafields->attributes[$extrafieldsobjectkey]['help'][$key], ); diff --git a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php index 80d6cd7da56f2..00c2739e3f832 100644 --- a/htdocs/core/tpl/extrafields_list_print_fields.tpl.php +++ b/htdocs/core/tpl/extrafields_list_print_fields.tpl.php @@ -38,7 +38,7 @@ //var_dump($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key]); //var_dump($obj); //var_dump($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key]); - $value = dol_eval($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key], 1); + $value = dol_eval($extrafields->attributes[$extrafieldsobjectkey]['computed'][$key], 1, 1, '0'); //var_dump($value); } diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php index d105ad05c43f0..943205adca299 100644 --- a/htdocs/eventorganization/conferenceorbooth_list.php 
+++ b/htdocs/eventorganization/conferenceorbooth_list.php @@ -114,11 +114,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/eventorganization/conferenceorboothattendee_list.php b/htdocs/eventorganization/conferenceorboothattendee_list.php index e084c68cfe7b8..ab2699187b228 100644 --- a/htdocs/eventorganization/conferenceorboothattendee_list.php +++ b/htdocs/eventorganization/conferenceorboothattendee_list.php @@ -122,11 +122,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/hrm/evaluation_list.php b/htdocs/hrm/evaluation_list.php index 35189f11b871f..ad99573b0962a 100644 --- a/htdocs/hrm/evaluation_list.php +++ b/htdocs/hrm/evaluation_list.php 
@@ -114,11 +114,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/hrm/job_list.php b/htdocs/hrm/job_list.php index 55363d729b55a..7644ea1fd0fd2 100644 --- a/htdocs/hrm/job_list.php +++ b/htdocs/hrm/job_list.php @@ -114,11 +114,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/hrm/position.php b/htdocs/hrm/position.php index d36d352e89569..253945e6c5ac9 100644 --- a/htdocs/hrm/position.php +++ b/htdocs/hrm/position.php 
@@ -357,11 +357,11 @@ function DisplayPositionList() foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.' . $key] = array( 'label' => $val['label'], 'checked' => (($visible < 0) ? 0 : 1), - 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position' => $val['position'], 'help' => isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/hrm/position_list.php b/htdocs/hrm/position_list.php index 1585ed1e03feb..13315a2a9bcb4 100644 --- a/htdocs/hrm/position_list.php +++ b/htdocs/hrm/position_list.php @@ -114,11 +114,11 @@ foreach ($object->fields as $key => $val) { // If $val['visible']==0, then we never show the field if (!empty($val['visible'])) { - $visible = (int) dol_eval($val['visible'], 1); + $visible = (int) dol_eval($val['visible'], 1, 1, '1'); $arrayfields['t.'.$key] = array( 'label'=>$val['label'], 'checked'=>(($visible < 0) ? 0 : 1), - 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)), + 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')), 'position'=>$val['position'], 'help'=> isset($val['help']) ? $val['help'] : '' ); diff --git a/htdocs/hrm/skill_card.php b/htdocs/hrm/skill_card.php index a06cf40952a88..7c63bb2cff75d 100644 --- a/htdocs/hrm/skill_card.php +++ b/htdocs/hrm/skill_card.php 
@@ -538,11 +538,11 @@
 foreach ($objectline->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.' . $key] = array(
 'label' => $val['label'],
 'checked' => (($visible < 0) ? 0 : 1),
- 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled' => ($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position' => $val['position'],
 'help' => isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/hrm/skill_list.php b/htdocs/hrm/skill_list.php
index 1fc5440e58933..8ef800b3ffc8f 100644
--- a/htdocs/hrm/skill_list.php
+++ b/htdocs/hrm/skill_list.php
@@ -114,11 +114,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/knowledgemanagement/knowledgerecord_list.php b/htdocs/knowledgemanagement/knowledgerecord_list.php
index aed45b1db260f..c4440028e4946 100644
--- a/htdocs/knowledgemanagement/knowledgerecord_list.php
+++ b/htdocs/knowledgemanagement/knowledgerecord_list.php
@@ -114,11 +114,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php
index e5648cad5f783..6e15a71e517d1 100644
--- a/htdocs/mrp/mo_list.php
+++ b/htdocs/mrp/mo_list.php
@@ -109,11 +109,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/partnership/partnership_list.php b/htdocs/partnership/partnership_list.php
index 89394960632b0..dc9958fa3df1b 100644
--- a/htdocs/partnership/partnership_list.php
+++ b/htdocs/partnership/partnership_list.php
@@ -118,11 +118,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php
index 41e43fdf433ce..c4548b3aa665e 100644
--- a/htdocs/product/inventory/list.php
+++ b/htdocs/product/inventory/list.php
@@ -102,11 +102,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index a3ec599dea8ab..26dbf18e4390a 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -244,11 +244,11 @@
 /*foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['p.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position']
 );
 }
diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php
index 8f24fb9c110d6..93c963e006552 100644
--- a/htdocs/product/stock/list.php
+++ b/htdocs/product/stock/list.php
@@ -117,11 +117,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : 'help'
 );
diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php
index e5a8b05902e27..92172643096bf 100644
--- a/htdocs/product/stock/productlot_list.php
+++ b/htdocs/product/stock/productlot_list.php
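Review bot: Both changed lines of the product/list.php hunk sit inside a block that is commented out (`/*foreach ($object->fields ...` on the first context line), so the new arguments there are dead text and the hardening does not run on that page through this block. Editing commented-out code makes it look maintained; either delete the block or, if it is meant to come back, uncomment it so the restricted `dol_eval` call is actually executed. The closing `*/` is outside the hunk.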
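Review bot: In the product/stock/list.php hunk the `help` fallback is the literal string `'help'` where every other list page touched by this commit falls back to `''`; the line is context, so it predates the change, but it is the odd one out in a commit that edits the same block everywhere. Unless a tooltip reading "help" is intended, `'help'=> isset($val['help']) ? $val['help'] : ''` brings it in line. The `foreach` closes outside the hunk.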
@@ -104,11 +104,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position']
 );
 }
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 56db0bd2a6409..3eeb1bb1e4c05 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -27,6 +27,7 @@
 */
 require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/commonobjectline.class.php';
 require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index cc9099b463bc3..36c2fc942b5bc 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -182,11 +182,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['p.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php
index f16b8c3dcf92a..05cf56636eaa8 100644
--- a/htdocs/recruitment/recruitmentcandidature_list.php
+++ b/htdocs/recruitment/recruitmentcandidature_list.php
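Review bot: The productlot_list.php hunk and the projet/list.php hunk assign `$visible = dol_eval($val['visible'], 1, 1, '1');` without the `(int)` cast that the other list pages in this commit use, and recruitmentcandidature_list.php on the next line does the same. With the new restriction a rejected expression comes back as a string, so `$visible < 0` and `$visible != 3` then compare a non-numeric string with an int — rules that changed between PHP 7 and 8 — instead of the 0 the cast yields on the other pages. `$visible = (int) dol_eval($val['visible'], 1, 1, '1');` makes the three pages behave like the rest. The `foreach` closes outside both hunks.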
@@ -151,11 +151,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = dol_eval($val['visible'], 1);
+ $visible = dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position']
 );
 }
diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php
index f0935bc87988f..c4a43d0bab4d8 100644
--- a/htdocs/recruitment/recruitmentjobposition_list.php
+++ b/htdocs/recruitment/recruitmentjobposition_list.php
@@ -153,11 +153,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php
index 7a8b3ebca103e..2e77c29cd01e5 100644
--- a/htdocs/salaries/list.php
+++ b/htdocs/salaries/list.php
@@ -134,11 +134,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/salaries/payments.php b/htdocs/salaries/payments.php
index 77cbae397f0ce..58f5546216f85 100644
--- a/htdocs/salaries/payments.php
+++ b/htdocs/salaries/payments.php
@@ -129,11 +129,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php
index b2548807be433..f489c9218fc11 100644
--- a/htdocs/ticket/list.php
+++ b/htdocs/ticket/list.php
@@ -136,11 +136,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help'=> isset($val['help']) ? $val['help'] : ''
 );
diff --git a/htdocs/workstation/workstation_list.php b/htdocs/workstation/workstation_list.php
index 25dcc44de655a..0d17232c9db18 100644
--- a/htdocs/workstation/workstation_list.php
+++ b/htdocs/workstation/workstation_list.php
@@ -108,11 +108,11 @@
 foreach ($object->fields as $key => $val) {
 // If $val['visible']==0, then we never show the field
 if (!empty($val['visible'])) {
- $visible = (int) dol_eval($val['visible'], 1);
+ $visible = (int) dol_eval($val['visible'], 1, 1, '1');
 $arrayfields['t.'.$key] = array(
 'label'=>$val['label'],
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>$val['position'],
 'help' => empty($val['help']) ? '' : $val['help']
 );
@@ -130,7 +130,7 @@
 $arrayfields['wr.fk_resource'] = array(
 'label'=>$langs->trans('Resources'),
 'checked'=>(($visible < 0) ? 0 : 1),
- 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1)),
+ 'enabled'=>($visible != 3 && dol_eval($val['enabled'], 1, 1, '1')),
 'position'=>1001,
 'help' => empty($val['help']) ? '' : $val['help']
 );
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 15e4eaa8bda64..a687e6adbd765 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
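Review bot: In the second workstation_list.php hunk (`@@ -130,7 +130,7 @@`) the `wr.fk_resource` entry still evaluates `$val['enabled']` and reads `$visible` and `$val['help']`, yet nothing in the hunk assigns them; if, as the surrounding lines suggest, they are leftovers of the preceding `foreach`, the Resources column's `checked`, `enabled` and `help` come from whichever object field was iterated last, and the hardened `dol_eval` call is evaluating an unrelated field's expression. A fixed value is clearer and does not depend on loop order: `'enabled'=>1,` and `'help' => '',` (or an explicit expression written for the resource column). What precedes line 130 is outside the hunk, so this is inferred from the visible lines.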
@@ -875,11 +875,18 @@ public function testDolEval()
 include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
 include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
- $result=dol_eval('(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: "Parent project not found"', 1, 1);
+
+ $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: "Parent project not found"';
+ $result=dol_eval($s, 1, 1, '');
+ print "result = ".$result."\n";
+ $this->assertEquals('Parent project not found', $result);
+
+ $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref: \'Parent project not found\'';
+ $result=dol_eval($s, 1, 1, '');
 print "result = ".$result."\n";
 $this->assertEquals('Parent project not found', $result);
- $result=dol_eval('$a=function() { }; $a;', 1, 1);
+ $result=dol_eval('$a=function() { }; $a;', 1, 1, '');
 print "result = ".$result."\n";
 $this->assertContains('Bad string syntax to evaluate', $result);
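Review bot: The two Task/Project expressions are now exercised only with `''` as the fourth argument, i.e. the unrestricted mode, while the list pages changed in this commit pass `'1'`; nothing asserts how the restricted mode treats an expression of this shape (presumably it is rejected with the 'Bad string syntax to evaluate' text), so the behaviour the rest of the commit relies on is untested here. Adding `$result=dol_eval($s, 1, 1, '1');` followed by an `assertContains` on that text, next to the existing `''` calls, would pin it down. The `print "result = "` lines are debug output in a unit test; the assertions already report the value on failure. testDolEval continues outside the hunk.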
@@ -898,5 +905,18 @@ public function testDolEval()
 $result=dol_eval('`ls`', 1, 0);
 print "result = ".$result."\n";
 $this->assertContains('Bad string syntax to evaluate', $result);
+
+ $result=dol_eval("('ex'.'ec')('echo abc')", 1, 0);
+ print "result = ".$result."\n";
+ $this->assertContains('Bad string syntax to evaluate', $result);
+
+ // Case with param onlysimplestring = 1
+ $result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
+ print "result = ".$result."\n";
+ $this->assertFalse($result);
+
+ $result=dol_eval("(\$a.'aa')", 1, 0);
+ print "result = ".$result."\n";
+ $this->assertContains('Bad string syntax to evaluate', $result);
 }
 }
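Review bot: The comment `// Case with param onlysimplestring = 1` is not matched by the call under it, which passes three arguments and therefore relies on the parameter's default; the two other new cases in this hunk do the same. If the default is `'1'` the test works today but will silently test a different mode whenever that default moves, so pass it explicitly: `$result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0, '1');` and likewise on the two rejection cases. `assertFalse($result)` also only holds if a returnvalue=1 evaluation of a false expression yields exactly `false` rather than `''` or `0`; that depends on the implementation in functions.lib.php, which is outside this chunk.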