CVE-2022-4093: Fix sqli ->escape after ->escapeforlike · Dolibarr/dolibarr@7c1eac9
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower and 16.0.3 or higher are not affected.
@@ -0,0 +1,178 @@ <?php /* Copyright © 2010 Laurent Destailleur [email protected] * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see https://www.gnu.org/licenses/. * or see https://www.gnu.org/ */
/** * \file test/phpunit/WebsiteTest.php * \ingroup test * \brief PHPUnit test * \remarks To run this script as CLI: phpunit filename.php */
global $conf,$user,$langs,$db; //define(‘TEST_DB_FORCE_TYPE’,’mysql’); // This is to force using mysql driver //require_once 'PHPUnit/Autoload.php’;
if (! defined(‘NOREQUIRESOC’)) { define('NOREQUIRESOC’, ‘1’); } if (! defined(‘NOCSRFCHECK’)) { define('NOCSRFCHECK’, ‘1’); } if (! defined(‘NOTOKENRENEWAL’)) { define('NOTOKENRENEWAL’, ‘1’); } if (! defined(‘NOREQUIREMENU’)) { define('NOREQUIREMENU’, ‘1’); // If there is no menu to show } if (! defined(‘NOREQUIREHTML’)) { define('NOREQUIREHTML’, ‘1’); // If we don’t need to load the html.form.class.php } if (! defined(‘NOREQUIREAJAX’)) { define('NOREQUIREAJAX’, ‘1’); } if (! defined(“NOLOGIN”)) { define("NOLOGIN", ‘1’); // If this page is public (can be called outside logged session) } if (! defined(“NOSESSION”)) { define("NOSESSION", ‘1’); }
require_once dirname(__FILE__).’/…/…/htdocs/main.inc.php’; require_once dirname(__FILE__).’/…/…/htdocs/core/lib/website.lib.php’;
if (empty($user->id)) { print "Load permissions for admin user nb 1\n"; $user->fetch(1); $user->getrights(); } $conf->global->MAIN_DISABLE_ALL_MAILS=1;
/** * Class for PHPUnit tests * * @backupGlobals disabled * @backupStaticAttributes enabled * @remarks backupGlobals must be disabled to have db,conf,user and lang not erased. */ class WebsiteTest extends PHPUnit\Framework\TestCase { protected $savconf; protected $savuser; protected $savlangs; protected $savdb;
/** * Constructor * We save global variables into local variables * * @return SecurityTest */ public function __construct() { parent::__construct();
//$this->sharedFixture global $conf,$user,$langs,$db; $this->savconf=$conf; $this->savuser=$user; $this->savlangs=$langs; $this->savdb=$db;
print __METHOD__." db->type=".$db->type." user->id=".$user->id; //print " - db ".$db->db; print "\n"; }
/** * setUpBeforeClass * * @return void */ public static function setUpBeforeClass() { global $conf,$user,$langs,$db; $db->begin(); // This is to have all actions inside a transaction even if test launched without suite.
print __METHOD__."\n"; }
/** * tearDownAfterClass * * @return void */ public static function tearDownAfterClass() { global $conf,$user,$langs,$db; $db->rollback();
print __METHOD__."\n"; }
/** * Init phpunit tests * * @return void */ protected function setUp() { global $conf,$user,$langs,$db; $conf=$this->savconf; $user=$this->savuser; $langs=$this->savlangs; $db=$this->savdb;
print __METHOD__."\n"; }
/** * End phpunit tests * * @return void */ protected function tearDown() { print __METHOD__."\n"; }
/** * testGetPagesFromSearchCriterias * * @return void */ public function testGetPagesFromSearchCriterias() { global $db;
$s = “123’) OR 1=1-- \’ xxx"; /* var_dump($s); var_dump($db->escapeforlike($s)); var_dump($db->escape($db->escapeforlike($s))); */
$res = getPagesFromSearchCriterias('page,blogpost’, 'meta,content’, $s, 2, 'date_creation’, 'DESC’, ‘en’); //var_dump($res); print __METHOD__.” message=".$res[‘code’]."\n"; // We must found no line (so code should be KO). If we found somethiing, it means there is a SQL injection of the 1=1 $this->assertEquals($res[‘code’], ‘KO’); } }
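Review bot: The assertion at the end of testGetPagesFromSearchCriterias only checks that `$res['code']` is 'KO', which cannot tell a correctly escaped search that matched nothing apart from a query that failed because the injected quote broke the SQL — if getPagesFromSearchCriterias also reports 'KO' on a database error (its body is not in this hunk), a regression in the escape order that merely produces a malformed statement would still pass. I would additionally assert that no database error occurred after the call, e.g. `$this->assertEmpty($db->lasterror());` (assuming the helper leaves the error on `$db` as other Dolibarr code does), and put PHPUnit's expected value first with a strict comparison: `$this->assertSame('KO', $res['code']);`. The constructor docblock's `@return SecurityTest` is a copy-paste from another test class; a constructor returns nothing, so drop the tag rather than name the wrong class. The fix named in the commit title (calling ->escape() after ->escapeforlike() in website.lib.php) is not part of this hunk, so only the regression test is reviewable here.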