26require
'../../main.inc.php';
48require_once DOL_DOCUMENT_ROOT.
'/core/lib/admin.lib.php';
49require_once DOL_DOCUMENT_ROOT.
'/core/lib/memory.lib.php';
50require_once DOL_DOCUMENT_ROOT.
'/core/lib/date.lib.php';
51require_once DOL_DOCUMENT_ROOT.
'/core/lib/files.lib.php';
52require_once DOL_DOCUMENT_ROOT.
'/core/lib/geturl.lib.php';
53require_once DOL_DOCUMENT_ROOT.
'/core/lib/functions2.lib.php';
54require_once DOL_DOCUMENT_ROOT.
'/core/lib/security2.lib.php';
55require_once DOL_DOCUMENT_ROOT.
'/core/class/events.class.php';
58$langs->loadLangs(array(
"install",
"other",
"admin",
"errors",
"website"));
64if (
GETPOST(
'action',
'aZ09') ==
'donothing') {
77llxHeader(
'',
'',
'',
'', 0, 0,
'',
'',
'',
'mod-admin page-system_security');
81print
'<div class="info">';
82print
'<span class="">'.$langs->trans(
"YouMayFindSecurityAdviceHere",
'hhttps://wiki.dolibarr.org/index.php/Security_information').
'</span>';
83print
' ';
84print
'<a href="'.$_SERVER[
"PHP_SELF"].
'">';
85print
img_picto($langs->trans(
"Reload"),
'refresh').
' ';
86print $langs->trans(
"Reload");
97print
'<div class="divsection wordbreak">';
101print
"<strong>PHP</strong>: ".$langs->trans(
"Version").
": ".$phpversion;
102if (function_exists(
'php_ini_loaded_file')) {
103 $inipath = php_ini_loaded_file();
104 print
" - <strong>INI</strong>: ".$inipath;
109print
"<br><strong>Web server - ".$langs->trans(
"Version").
"</strong>: ".$_SERVER[
"SERVER_SOFTWARE"].
"<br>\n";
110print
'<strong>'.$langs->trans(
"DataRootServer").
"</strong>: ".DOL_DATA_ROOT.
"<br>\n";
114if ($labeluser && $labelgroup) {
115 print
'<strong>'.$langs->trans(
"WebUserGroup").
" (env vars)</strong> : ".$labeluser.
':'.$labelgroup;
116 if (function_exists(
'posix_geteuid') && function_exists(
'posix_getpwuid')) {
117 $arrayofinfoofuser = posix_getpwuid(posix_geteuid());
118 print
' <span class="opacitymedium">(POSIX '.$arrayofinfoofuser[
'name'].
':'.$arrayofinfoofuser[
'gecos'].
':'.$arrayofinfoofuser[
'dir'].
':'.$arrayofinfoofuser[
'shell'].
')</span><br>'.
"\n";
122if (function_exists(
'exec')) {
125 exec(
'id', $arrayout, $varout);
126 if (empty($varout)) {
127 print
'<strong>'.$langs->trans(
"WebUserGroup").
" (real, 'id' command)</strong> : ".implode(
',', $arrayout).
"<br>\n";
132print (ini_get(
'session.use_strict_mode') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP session.use_strict_mode</strong> = ".(ini_get(
'session.use_strict_mode') ? ini_get(
'session.use_strict_mode') :
yn(0)).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'1').
")</span><br>\n";
133print (ini_get(
'session.use_only_cookies') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP session.use_only_cookies</strong> = ".(ini_get(
'session.use_only_cookies') ? ini_get(
'session.use_only_cookies') :
yn(0)).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'1').
")</span><br>\n";
134print (ini_get(
'session.cookie_httponly') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP session.cookie_httponly</strong> = ".(ini_get(
'session.cookie_httponly') ? ini_get(
'session.cookie_httponly') :
'').
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'1').
")</span><br>\n";
135print (ini_get(
'session.cookie_samesite') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP session.cookie_samesite</strong> = ".(ini_get(
'session.cookie_samesite') ? ini_get(
'session.cookie_samesite') :
'None');
136if (!ini_get(
'session.cookie_samesite') || ini_get(
'session.cookie_samesite') ==
'Lax') {
137 print
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'Lax').
")</span>";
138} elseif (ini_get(
'session.cookie_samesite') ==
'Strict') {
139 print
' '.img_warning().
' <span class="opacitymedium">'.$langs->trans(
"WarningPaypalPaymentNotCompatibleWithStrict").
"</span>";
143print (ini_get(
'open_basedir') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP open_basedir</strong> = ".(ini_get(
'open_basedir') ? ini_get(
'open_basedir') :
yn(0).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs", $langs->transnoentitiesnoconv(
"ARestrictedPath").
', '.$langs->transnoentitiesnoconv(
"Example").
': '.$_SERVER[
"DOCUMENT_ROOT"].
','.DOL_DATA_ROOT).
')</span>').
"<br>\n";
145print ((empty(ini_get(
'short_open_tag')) || ini_get(
'short_open_tag') ==
'Off') ?
img_picto(
'',
'tick',
'class="pictofixedwidth"') :
img_warning(
'',
'',
'pictofixedwidth nopaddingleft')).
"<strong>PHP short_open_tag</strong> = ".((empty(ini_get(
'short_open_tag')) || ini_get(
'short_open_tag') ==
'Off') ?
yn(0) :
yn(1)).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs", $langs->transnoentitiesnoconv(
"No")).
')</span>'.
"<br>\n";
147print (ini_get(
'allow_url_fopen') ?
img_picto($langs->trans(
"YouShouldSetThisToOff"),
'warning',
'class="pictofixedwidth nopaddingleft"') :
img_picto(
'',
'tick',
'class="pictofixedwidth"')).
"<strong>PHP allow_url_fopen</strong> = ".(ini_get(
'allow_url_fopen') ? ini_get(
'allow_url_fopen') :
yn(0)).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs", $langs->transnoentitiesnoconv(
"No")).
", except if Yes is required by some external modules)</span><br>\n";
149print (ini_get(
'allow_url_include') ?
img_picto($langs->trans(
"YouShouldSetThisToOff"),
'warning',
'class="pictofixedwidth nopaddingleft"') :
img_picto(
'',
'tick',
'class="pictofixedwidth"')).
"<strong>PHP allow_url_include</strong> = ".(ini_get(
'allow_url_include') ? ini_get(
'allow_url_include') :
yn(0)).
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs", $langs->transnoentitiesnoconv(
"No")).
")</span><br>\n";
153 print
"<strong>PHP auto_prepend_file</strong> = ".(ini_get(
'auto_prepend_file') ? ini_get(
'auto_prepend_file') :
'').
"</span><br>\n";
155 print
"<strong>PHP sendmail_path</strong> = ".(ini_get(
'sendmail_path') ? ini_get(
'sendmail_path') :
'').
"</span><br>\n";
159print
"<strong>PHP disable_functions</strong>: ";
161$disablefunctionorign =
'';
163foreach ($phparray as $key => $value) {
164 foreach ($value as $keyparam => $keyvalue) {
165 if ($keyparam ==
'disable_functions') {
166 if (!empty($keyvalue[
'master'])) {
167 $disablefunctionorign = $keyvalue[
'master'];
178$arrayoffunctionsdisabled = explode(
',', $disablefunctionorign);
180$arrayoffunctionstodisable = explode(
',',
'dl,apache_note,apache_setenv,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,show_source,virtual');
183if ($execmethod == 1) {
184 $arrayoffunctionstodisable2 = explode(
',',
'passthru,shell_exec,system,proc_open,popen');
185 $functiontokeep =
'exec';
187 $arrayoffunctionstodisable2 = explode(
',',
'exec,passthru,shell_exec,system,proc_open');
188 $functiontokeep =
'popen';
191foreach ($arrayoffunctionsdisabled as $functionkey) {
195 print
'<span class="opacitymedium">'.$functionkey.
'</span>';
201foreach ($arrayoffunctionstodisable as $functiontodisable) {
202 if (\function_exists($functiontodisable)) {
204 $todisabletext .=
', ';
206 $todisabletext .=
' <span class="opacitymedium">'.$functiontodisable.
'</span>';
211 print
img_picto(
'',
'warning',
'class="pictofixedwidth nopaddingleft"').$langs->trans(
"YouShouldDisablePHPFunctions").
': '.$todisabletext;
216foreach ($arrayoffunctionstodisable2 as $functiontodisable) {
217 if (\function_exists($functiontodisable)) {
219 $todisabletext .=
', ';
221 $todisabletext .=
' <span class="opacitymedium">'.$functiontodisable.
'</span>';
226 print
img_picto(
'',
'warning',
'class="pictofixedwidth nopaddingleft"').$langs->trans(
"IfCLINotRequiredYouShouldDisablePHPFunctions").
': '.$todisabletext;
229if (!function_exists($functiontokeep)) {
230 print
img_picto($langs->trans(
"PHPFunctionsRequiredForCLI"),
'warning',
'class="pictofixedwidth"');
232 print
img_picto(
'',
'tick',
'class="pictofixedwidth"');
234print $langs->trans(
"PHPFunctionsRequiredForCLI").
': ';
235print
'<span class="opacitymedium" title="exec or popen can be used depending on MAIN_EXEC_USE_POPEN option, currently to '.getDolGlobalInt(
'MAIN_EXEC_USE_POPEN').
'">'.$functiontokeep.
'</span>';
241$loadedExtensions = array_map(
'strtolower', get_loaded_extensions(
false));
242$test = !in_array(
'json', $loadedExtensions);
243if ($test || function_exists(
'dol_json_decode')) {
244 print
img_picto(
'',
'error',
'class="pictofixedwidth nopaddingleft"');
246 print
img_picto(
'',
'tick',
'class="pictofixedwidth"');
248print
'<strong>JSON</strong>: ';
249if ($test || function_exists(
'dol_json_decode')) {
250 print $langs->trans(
"NotInstalled").
' - '.$langs->trans(
"VulnerableToRCEAttack");
252 print $langs->trans(
"Available").
' <span class="opacitymedium">(PHP native so not emulated, safe)</span>';
257$test = !function_exists(
'xdebug_is_enabled') && !extension_loaded(
'xdebug');
259 print
img_picto(
'',
'tick',
'class="pictofixedwidth"');
261 print
img_picto(
'',
'warning',
'class="pictofixedwidth nopaddingleft"');
263print
'<strong>XDebug</strong>: ';
265 print $langs->trans(
"NotInstalled").
' - '.$langs->trans(
"NotRiskOfLeakWithThis");
267 print $langs->trans(
"ModuleActivatedMayExposeInformation", $langs->transnoentities(
"XDebug"));
268 print
' - '.$langs->trans(
"MoreInformation").
' <a href="'.DOL_URL_ROOT.
'/admin/system/xdebug.php">XDebug admin page</a>';
279print
load_fiche_titre($langs->trans(
"OSSetup").
' - '.$langs->trans(
"PermissionsOnFiles"),
'',
'folder');
281print
'<div class="divsection wordbreak">';
283print
'<strong>'.$langs->trans(
"PermissionsOnFilesInWebRoot").
'</strong>: ';
284$arrayoffilesinroot =
dol_dir_list(DOL_DOCUMENT_ROOT,
'all', 1,
'', array(
'\/custom'),
'name', SORT_ASC, 4, 1,
'', 1);
285$fileswithwritepermission = array();
286foreach ($arrayoffilesinroot as $fileinroot) {
288 if (isset($fileinroot[
'perm']) && ($fileinroot[
'perm'] & 0222)) {
289 $fileswithwritepermission[] = $fileinroot[
'relativename'];
292if (empty($fileswithwritepermission)) {
293 print
img_picto(
'',
'tick').
' '.$langs->trans(
"NoWritableFilesFoundIntoRootDir");
295 print
img_warning().
' '.$langs->trans(
"SomeFilesOrDirInRootAreWritable");
296 print
' - <span class="classlink cursorpointer" onclick="javascript: console.log(\'Toggle examples\'); jQuery(\'#examplewritablefiles\').toggle();">'.$langs->trans(
"Examples").
'</span>';
297 print
'<span id="examplewritablefiles" class="hideobject"><br>'.$langs->trans(
"Example").
': ';
299 foreach ($fileswithwritepermission as $filewithwritepermission) {
303 print
'<span class="opacitymedium">'.$filewithwritepermission.
'</span>';
315print
'<strong>'.$langs->trans(
"PermissionsOnFile",
$conffile).
'</strong>: ';
316$perms = fileperms($dolibarr_main_document_root.
'/'.
$conffile);
318 if (($perms & 0x0004) || ($perms & 0x0002)) {
319 print
img_warning().
' '.$langs->trans(
"ConfFileIsReadableOrWritableByAnyUsers");
323 print
' '.$langs->trans(
"User").
': '.$labeluser.
':'.$labelgroup;
324 if (function_exists(
'posix_geteuid') && function_exists(
'posix_getpwuid')) {
325 $arrayofinfoofuser = posix_getpwuid(posix_geteuid());
326 print
' <span class="opacitymedium">(POSIX '.$arrayofinfoofuser[
'name'].
':'.$arrayofinfoofuser[
'gecos'].
':'.$arrayofinfoofuser[
'dir'].
':'.$arrayofinfoofuser[
'shell'].
')</span>';
337$installlock = DOL_DATA_ROOT.
'/install.lock';
338$upgradeunlock = DOL_DATA_ROOT.
'/upgrade.unlock';
339$installmoduleslock = DOL_DATA_ROOT.
'/installmodules.lock';
342$test = file_exists($installlock);
343print
'<strong>'.$langs->trans(
"DolibarrSetup").
'</strong>: ';
345 if (file_exists($upgradeunlock)) {
346 print
img_picto(
'',
'tick').
' '.$langs->trans(
"InstallLockedBy", $installlock);
348 print
img_picto(
'',
'tick').
' '.$langs->trans(
"InstallAndUpgradeLockedBy", $installlock);
351 print
img_warning().
' '.$langs->trans(
"WarningLockFileDoesNotExists", DOL_DATA_ROOT);
358if (file_exists($installlock)) {
359 if (file_exists($upgradeunlock)) {
360 print
'<strong>'.$langs->trans(
"DolibarrUpgrade").
'</strong>: ';
361 print
img_warning().
' '.$langs->trans(
"WarningUpgradeHasBeenUnlocked", $upgradeunlock);
368$test = file_exists($installmoduleslock);
369print
'<strong>'.$langs->trans(
"DolibarrAddonInstall").
'</strong>: ';
371 print
img_picto(
'',
'tick').
' '.$langs->trans(
"InstallAndUpgradeLockedBy", $installmoduleslock);
373 print $langs->trans(
"InstallOfAddonIsNotBlocked", DOL_DATA_ROOT);
386print
'<div class="divsection wordbreak">';
387print
'<strong>$dolibarr_main_prod</strong>: '.($dolibarr_main_prod ? $dolibarr_main_prod :
'0');
388if (empty($dolibarr_main_prod)) {
389 print
' '.img_picto(
'',
'warning').
' '.$langs->trans(
"IfYouAreOnAProductionSetThis", 1);
393if (!empty($dolibarr_nocsrfcheck)) {
394 print
'<strong>$dolibarr_nocsrfcheck</strong>: '.(empty($dolibarr_nocsrfcheck) ?
'0' : $dolibarr_nocsrfcheck);
395 print
' '.img_picto(
'',
'error').
' '.$langs->trans(
"IfYouAreOnAProductionSetThis", 0);
399print
'<strong>$dolibarr_main_restrict_ip</strong>: ';
400if (empty($dolibarr_main_restrict_ip)) {
401 print $langs->trans(
"None");
402 print
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs", $langs->transnoentitiesnoconv(
"StaticIPsOfUsers")).
')</span>';
404 print $dolibarr_main_restrict_ip;
409print
'<strong>$dolibarr_main_restrict_os_commands</strong>: ';
410if (empty($dolibarr_main_restrict_os_commands)) {
411 print $langs->trans(
"None");
413 print $dolibarr_main_restrict_os_commands;
415print
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'mariadb-dump, mariadb, mysqldump, mysql, pg_dump, pg_restore, clamdscan').
')</span>';
419print
'<strong>$dolibarr_main_restrict_eval_methods</strong>: ';
420if (empty($dolibarr_main_restrict_eval_methods)) {
421 print $langs->trans(
"None");
423 print $dolibarr_main_restrict_eval_methods;
425print
' <span class="opacitymedium">('.$langs->trans(
"RecommendedValueIs",
'getDolGlobalString, getDolGlobalInt, getDolCurrency, getDolEntity, getDolDBType, fetchNoCompute, hasRight, isAdmin, isExternalUser, isModEnabled, isStringVarMatching, abs, min, max, round, dol_now, dol_concat, preg_match').
')</span>';
429print
'<strong>$dolibarr_website_allow_custom_php</strong>: ';
430if (!empty($dolibarr_website_allow_custom_php) && $dolibarr_website_allow_custom_php == 2) {
433if (empty($dolibarr_website_allow_custom_php)) {
436 print $dolibarr_website_allow_custom_php;
438print
' <span class="opacitymedium">(';
440 print $langs->trans(
"RecommendedValueIs",
'0 if you don\'t include PHP in your websites, else 1');
442 print $langs->trans(
"RecommendedValueIs",
'0');
449 print
'<strong>$dolibarr_main_db_pass</strong>: ';
450 if (!empty($dolibarr_main_db_pass) && empty($dolibarr_main_db_encrypted_pass)) {
451 print
img_picto(
'',
'warning').
' '.$langs->trans(
"DatabasePasswordNotObfuscated").
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.$langs->trans(
"SetOptionTo", $langs->transnoentitiesnoconv(
"MainDbPasswordFileConfEncrypted"),
yn(1)).
')</span>';
454 print
img_picto(
'',
'tick').
' '.$langs->trans(
"DatabasePasswordObfuscated");
460print
'<strong>$dolibarr_main_stream_to_disable</strong>: ';
462'@phan-var-force string[] $arrayofstreamtodisable';
463if (empty($dolibarr_main_stream_to_disable)) {
464 print
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' = '.implode(
', ', $arrayofstreamtodisable).
'</span>';
466 print implode(
', ', $dolibarr_main_stream_to_disable);
468print
'<span class="bold"> -> Current PHP streams allowed = </span>';
469$arrayofstreams = stream_get_wrappers();
470if (!empty($arrayofstreams)) {
471 sort($arrayofstreams);
472 print
'<span class="wordbreak">'.implode(
',', $arrayofstreams).
'</span>';
473 print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.$langs->trans(
"TryToKeepOnly",
'file,http,https,php,zip').
')</span>'.
"\n";
503print
load_fiche_titre($langs->trans(
"Menu").
' '.$langs->trans(
"SecuritySetup"),
'',
'folder');
505print
'<div class="divsection wordbreak">';
507print
'<strong>'.$langs->trans(
"UseCaptchaCode").
' - Login</strong>: ';
513print
'<strong>'.$langs->trans(
"UseCaptchaCode").
' - Ticket</strong>: ';
519print
'<strong>'.$langs->trans(
"UseCaptchaCode").
' - Thirdparty public contact form</strong>: ';
525print
'<strong>'.$langs->trans(
"UseCaptchaCode").
' - Membership subscription</strong>: ';
531$sessiontimeout = ini_get(
"session.gc_maxlifetime");
533 $conf->global->MAIN_SESSION_TIMEOUT = $sessiontimeout;
535print
'<strong>'.$langs->trans(
"SessionTimeOut").
'</strong>';
536if (!ini_get(
"session.gc_probability")) {
537 print $form->textwithpicto(
'', $langs->trans(
"SessionsPurgedByExternalSystem", ini_get(
"session.gc_maxlifetime")));
539 print $form->textwithpicto(
'', $langs->trans(
"SessionExplanation", ini_get(
"session.gc_probability"), ini_get(
"session.gc_divisor"), ini_get(
"session.gc_maxlifetime")));
541print
': '.getDolGlobalInt(
'MAIN_SESSION_TIMEOUT').
' '.strtolower($langs->trans(
"Seconds"));
544print
'<strong>'.$langs->trans(
"MaxNumberOfImagesInGetPost").
'</strong>: ';
545print(
getDolGlobalInt(
'MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT') ?
img_picto(
'',
'tick').
' ' :
'').
getDolGlobalInt(
'MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT').
' '.strtolower($langs->trans(
"Images"));
548print
'<strong>'.$langs->trans(
"MaxNumberOfPostOnPublicPagesByIP").
'</strong>: ';
549print(
getDolGlobalInt(
'MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS', 200) ?
img_picto(
'',
'tick').
' ' :
'').
getDolGlobalInt(
'MAIN_SECURITY_MAX_POST_ON_PUBLIC_PAGES_BY_IP_ADDRESS', 200).
' '.strtolower($langs->trans(
"Posts"));
552print
'<strong>'.$langs->trans(
"MaxNumberOfAttachementOnForms").
'</strong>: ';
553print(
getDolGlobalInt(
'MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS', 10) ?
img_picto(
'',
'tick').
' ' :
'').
getDolGlobalInt(
"MAIN_SECURITY_MAX_ATTACHMENT_ON_FORMS", 10).
' '.strtolower($langs->trans(
"Files"));
559print
'<strong>'.$langs->trans(
"DoNotStoreClearPassword").
'</strong>: ';
563 print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
' '.
yn(1).
')</span>';
572print
'<strong>'.$langs->trans(
"UMask").
'</strong>: ';
573if (! in_array($umask, array(
'600',
'660',
'0600',
'0660'))) {
577if (! in_array($umask, array(
'600',
'660',
'0600',
'0660'))) {
578 print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': 0600 | 0660)</span>';
616print
'<strong>'.$langs->trans(
"AntivirusEnabledOnUpload").
'</strong>: ';
620 print
' - <span class="opacitymedium">'.$langs->trans(
"Recommended").
': '.$langs->trans(
"DefinedAPathForAntivirusCommandIntoSetup", $langs->transnoentitiesnoconv(
"Home").
" - ".$langs->transnoentitiesnoconv(
"Setup").
" - ".$langs->transnoentitiesnoconv(
"Security")).
'</span>';
623 if (defined(
'MAIN_ANTIVIRUS_COMMAND') && !defined(
'MAIN_ANTIVIRUS_BYPASS_COMMAND_AND_PARAM')) {
624 print
' - <span class="opacitymedium">'.$langs->trans(
"ValueIsForcedBySystem").
'</span>';
632print
'<strong>'.$langs->trans(
"UploadExtensionRestriction").
'</strong>: ';
633print implode(
', ', explode(
',',
getDolGlobalString(
'MAIN_FILE_EXTENSION_UPLOAD_RESTRICTION', implode(
',', getExecutableContent()))));
634print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.implode(
', ', getExecutableContent()).
')</span>';
639print
'<strong>'.$langs->trans(
"MAIN_SECURITY_MAXFILESIZE_DOWNLOADED").
'</strong> = '.
getDolGlobalString(
'MAIN_SECURITY_MAXFILESIZE_DOWNLOADED',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': < 100000)</span>').
"<br>";
645$eventstolog = $securityevent->eventstolog;
647print
'<strong>'.$langs->trans(
"AuditedSecurityEvents").
'</strong>: ';
649if (!empty($eventstolog) && is_array($eventstolog)) {
652 foreach ($eventstolog as $key => $arr) {
654 $key =
'MAIN_LOGEVENTS_'.$arr[
'id'];
660 $out .=
'<span class="opacitymedium">'.$key.
'</span>';
669 print
img_warning().
' '.$langs->trans(
"NoSecurityEventsAreAduited", $langs->transnoentities(
"Home").
' - '.$langs->transnoentities(
"Setup").
' - '.$langs->transnoentities(
"Security").
' - '.$langs->transnoentities(
"Audit")).
'<br>';
671 $s = $langs->trans(
"SeeSetupPage",
' {s1}'.$langs->transnoentities(
"Home").
' - '.$langs->transnoentities(
"Setup").
' - '.$langs->transnoentities(
"Security").
' - '.$langs->transnoentities(
"Audit").
'{s2}');
672 print
' - '.str_replace(
'{s2}',
'</a>', str_replace(
'{s1}',
'<a href="'.DOL_URL_ROOT.
'/admin/events.php" target="_blank">'.
img_picto(
'',
'url',
'class="pictofixedwidth"'), $s));
679print
'<strong>MAIN_SECURITY_FORCERP</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCERP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
" \"strict-origin-when-cross-origin\" or \"same-origin\" so browser doesn't send any referrer when going into another web site domain)</span><br>";
682print
'<strong>MAIN_SECURITY_FORCESTS</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCESTS',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": max-age=31536000; includeSubDomains)</span><br>";
685print
'<strong>MAIN_SECURITY_FORCEPP</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCEPP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": camera=*, microphone=(), geolocation=*)</span><br>";
689 $examplecsprule =
"frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com *.dolistore.com *.githubusercontent.com";
690 print
'<strong>MAIN_SECURITY_FORCECSPRO</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCECSPRO',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Example").
': "'.$examplecsprule.
'")</span><br>';
694$examplecsprule =
"frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com *.dolistore.com *.githubusercontent.com";
695print
'<strong>MAIN_SECURITY_FORCECSP</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCECSP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Example").
': "'.$examplecsprule.
'")</span><br>';
698$tmpurl = constant(
'DOL_MAIN_URL_ROOT');
699$tmpurl = preg_replace(
'/^(https?:\/\/[^\/]+)\/.*$/',
'\1', $tmpurl);
700print
'<strong>MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN</strong> = '.getDolGlobalString(
'MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": 1 so browsers will accept answers of a page only if page was requested from the domain ".$tmpurl.
". Note: it is not possible to limit to several domains)</span><br>";
714print
'<div class="divsection wordbreak">';
717print
'<strong>'.$langs->trans(
"Syslog").
'</strong>: ';
720 print
img_picto(
'',
'tick').
' '.$langs->trans(
"NotInstalled").
' - '.$langs->trans(
"NotRiskOfLeakWithThis");
723 print
img_picto(
'',
'warning').
' '.$langs->trans(
"ModuleActivatedWithTooHighLogLevel", $langs->transnoentities(
"Syslog"));
725 print
img_picto(
'',
'tick').
' '.$langs->trans(
"ModuleSyslogActivatedButLevelNotTooVerbose", $langs->transnoentities(
"Syslog"),
getDolGlobalInt(
'SYSLOG_LEVEL'));
734print
'<strong>'.$langs->trans(
"DebugBar").
'</strong>: ';
737 print
img_picto(
'',
'tick').
' '.$langs->trans(
"NotInstalled").
' - '.$langs->trans(
"NotRiskOfLeakWithThis");
739 print
img_picto(
'',
'error').
' '.$langs->trans(
"ModuleActivatedDoNotUseInProduction", $langs->transnoentities(
"DebugBar"));
782print
'<div class="divsection wordbreak">';
785 print $langs->trans(
"APIsAreNotEnabled");
788 print
img_picto(
'',
'warning').
' '.$langs->trans(
'YouEnableDeprecatedWSAPIsUseRESTAPIsInstead').
"<br>\n";
792 print
'<strong>API_ENDPOINT_RULES</strong> = '.getDolGlobalString(
'API_ENDPOINT_RULES',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Example").
': login:0,users:0,setup:1,status:1,tickets:1,...)</span>').
"<br>\n";
796 print
'<strong>API_ENABLE_LOGIN_API</strong> = '.getDolGlobalString(
'API_ENABLE_LOGIN_API',
'0').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': 0)</span><br>';
812print
'<div class="divsection wordbreak">';
814print
'<strong>MAIN_ALLOW_SVG_FILES_AS_IMAGES</strong> = '.getDolGlobalString(
'MAIN_ALLOW_SVG_FILES_AS_IMAGES',
'0').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': 0)</span><br>';
817print
'<strong>MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE</strong> = '.getDolGlobalString(
'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': 1)</span><br>';
820print
'<strong>MAIN_SECURITY_ANTI_SSRF_SERVER_IP</strong> = '.getDolGlobalString(
'MAIN_SECURITY_ANTI_SSRF_SERVER_IP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span> <span class="opacitymedium">('.$langs->trans(
"Recommended").
': List of static IPs of server separated with coma - '.$langs->trans(
"Note").
': common loopback ip like 127.*.*.*, [::1] are already added)</span>').
"<br>";
823print
'<strong>MAIN_SECURITY_CSRF_WITH_TOKEN</strong> = '.getDolGlobalString(
'MAIN_SECURITY_CSRF_WITH_TOKEN',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 2)</span>'.
"<br>";
836print
'<div class="divsection wordbreak">';
839print
'<strong>'.$langs->trans(
"AlgorithmFor", $langs->transnoentitiesnoconv(
"Passwords"));
840print $form->textwithpicto(
'',
'non reversible encryption, defined into MAIN_SECURITY_HASH_ALGO');
841print
'</strong> = '.getDolGlobalString(
'MAIN_SECURITY_HASH_ALGO',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
" ";
843 print
'<span class="opacitymedium"> (If unset: \'md5\')</span>';
846 print
'<br><strong>MAIN_SECURITY_SALT</strong> = '.getDolGlobalString(
'MAIN_SECURITY_SALT',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
'<br>';
848 print
'<span class="opacitymedium">('.$langs->trans(
"Recommended").
': password_hash)</span>';
852 print
'<div class="info">The recommended value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.<br>';
853 print
'If you really want to switch, you must:<br>';
854 print
'- Go on home - setup - other and add constant MAIN_SECURITY_HASH_ALGO to value \'password_hash\'<br>';
855 print
'- In same session, WITHOUT LOGGING OUT, go into your admin user record and set a new password<br>';
856 print
'- You can now logout and login with this new password. You must now reset password of all other users.<br>';
862$exampletodecrypt =
GETPOST(
'exampletodecrypt',
'password');
864print
'<strong>'.$langs->trans(
"AlgorithmFor", $langs->transnoentitiesnoconv(
"SensitiveData"));
865print $form->textwithpicto(
'',
'reversible encryption done with dolEncrypt/dolDecrypt');
866print
'</strong> = '.constant(
'MAIN_SECURITY_REVERSIBLE_ALGO').
' with a random seed + a crypt key defined into the conf.php file (in $dolibarr_main_instance_unique_id or $dolibarr_main_dolcrypt_key)<br>';
867print
'<form method="POST" action="'.dolBuildUrl($_SERVER[
"PHP_SELF"]).
'" spellcheck="false">';
868print
'<input type="hidden" name="action" value="doldecrypt">';
869print
'<input type="hidden" name="token" value="'.newToken().
'">';
870print
'<input type="hidden" name="page_y" value="">';
871print $langs->trans(
"ToolToDecryptAString").
': ';
872print
'<input type="text" class="minwidth500 valignmiddle" name="exampletodecrypt" placeholder="dolcrypt:ALGOXXXX:ABCDFEF1234" value="'.$exampletodecrypt.
'" spellcheck="false">';
873print
'<input type="submit" class="reposition button small smallpaddingimp valignmiddle" name="submit" value="'.$langs->transnoentitiesnoconv(
"Decrypt").
'">';
874if ($action ==
'doldecrypt' && $user->admin && $exampletodecrypt) {
876 $decryptedstring = $exampletodecrypt;
877 if (preg_match(
'/^dolobfuscationv1/', $exampletodecrypt)) {
879 unset($_SESSION[
'obfuscationkey_'.((
int)
$conf->entity)]);
880 unset(
$conf->cache[
'obfuscationkey_'.((int)
$conf->entity)]);
882 require_once DOL_DOCUMENT_ROOT.
'/blockedlog/class/blockedlog.class.php';
884 $obfuscationkey = $b->getObfuscationKey();
886 include_once DOL_DOCUMENT_ROOT.
'/blockedlog/lib/blockedlog.lib.php';
888 print
'<!-- registrationnumber '.$registrationnumber.
' -->'.
"\n";
889 print
'<!-- mysoc->idprof1 = '.$mysoc->idprof1.
' -->'.
"\n";
890 print
'<!-- session '.$_SESSION[
'obfuscationkey_'.((int)
$conf->entity)].
' -->'.
"\n";
891 print
'<!-- conf->cache = '. (
string)
$conf->cache[
'obfuscationkey_'.((int)
$conf->entity)].
' -->'.
"\n";
892 print
'<!-- obfuscationkey => '.$obfuscationkey.
' -->'.
"\n";
894 $decryptedstring =
dolDecrypt($exampletodecrypt, $obfuscationkey);
895 } elseif (preg_match(
'/^dolcrypt/', $exampletodecrypt)) {
896 $decryptedstring =
dolDecrypt($exampletodecrypt);
899 print
'<br> => <textarea rows="'.ROWS_1.
'" class="valignmiddle quatrevingtpercent">'.
dolPrintHTMLForTextArea($decryptedstring).
'</textarea>';
901 print
'<br><span class="error"> => Failed to decrypt. The crypting key saved into the conf.php file seems to not be the one used to encrypt the provided encrypted string</span>';
917 print
'<div class="divsection wordbreak">';
919 $sql =
"SELECT w.rowid as id, w.ref";
920 $sql .=
" FROM ".MAIN_DB_PREFIX.
"website as w";
921 $sql .=
" WHERE w.entity = ".((int)
$conf->entity);
922 $sql .=
" AND w.status = 1";
924 $resql =
$db->query($sql);
926 $num_rows =
$db->num_rows($resql);
929 while ($obj =
$db->fetch_object($resql)) {
930 print
"<strong>".$langs->trans(
"WebsiteSecurityOptions").
": ".$obj->ref.
"</strong>";
933 print
'<strong>WEBSITE_'.$obj->id.
'_SECURITY_FORCERP</strong> = '.
getDolGlobalString(
'WEBSITE_'.$obj->id.
'_SECURITY_FORCERP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
'="strict-origin-when-cross-origin" '.$langs->trans(
"or").
' "same-origin"=more secured)</span><br>';
935 print
'<strong>WEBSITE_'.$obj->id.
'_SECURITY_FORCESTS</strong> = '.
getDolGlobalString(
'WEBSITE_'.$obj->id.
'_SECURITY_FORCESTS',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Example").
": \"max-age=31536000; includeSubDomains\")</span><br>";
937 print
'<strong>WEBSITE_'.$obj->id.
'_SECURITY_FORCEPP</strong> = '.
getDolGlobalString(
'WEBSITE_'.$obj->id.
'_SECURITY_FORCEPP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>').
' <span class="opacitymedium">('.$langs->trans(
"Example").
": \"camera=(), microphone=(), geolocation=*\")</span><br>";
940 print
'<strong>WEBSITE_'.$obj->id.
'_SECURITY_FORCECSPPRO</strong> = '.
getDolGlobalString(
'WEBSITE_'.$obj->id.
'_SECURITY_FORCECSPPRO',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
941 print
' <span class="opacitymedium">('.$langs->trans(
"Example").
': "';
942 $examplecsprule =
"default-src 'self' 'unsafe-inline' matomo.".getDomainFromURL($_SERVER[
"SERVER_NAME"], 1).
" *.transifex.net *.transifex.com *.cloudflare.com *.cloudflareinsights.com *.google-analytics.com *.googletagmanager.com *.google.com *.gstatic.com *.googleapis.com *.googleadservices.com *.ads-twitter.com *.doubleclick.net; frame-ancestors 'self'; object-src *.youtube.com; frame-src 'self' *.twitter.com *.facebook.com *.youtube.com; img-src * data:;";
943 print $examplecsprule;
944 print
'")</span><br>';
947 print
'<strong>WEBSITE_'.$obj->id.
'_SECURITY_FORCECSP</strong> = '.
getDolGlobalString(
'WEBSITE_'.$obj->id.
'_SECURITY_FORCECSP',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
948 print
' <span class="opacitymedium">('.$langs->trans(
"Example").
': "';
949 $examplecsprule =
"default-src 'self' 'unsafe-inline' matomo.".getDomainFromURL($_SERVER[
"SERVER_NAME"], 1).
" *.transifex.net *.transifex.com *.cloudflare.com *.cloudflareinsights.com *.google-analytics.com *.googletagmanager.com *.google.com *.gstatic.com *.googleapis.com *.googleadservices.com *.ads-twitter.com *.doubleclick.net; frame-ancestors 'self'; object-src *.youtube.com; frame-src 'self' *.twitter.com *.facebook.com *.youtube.com; img-src * data:;";
950 print $examplecsprule;
951 print
'")</span><br>';
954 if ($i != $num_rows) {
959 print
'<span class="opacity">'.$langs->trans(
"NoWebsite").
'</span>';
973print
load_fiche_titre($langs->trans(
"OtherSetup").
' ('.$langs->trans(
"Experimental").
')',
'',
'folder');
975print
'<div class="divsection wordbreak">';
976print
'<strong>MAIN_EXEC_USE_POPEN</strong> = ';
978 print
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>';
982if ($execmethod == 1) {
983 print
'<span class="opacitymedium"> "exec" PHP method will be used for shell commands';
984 print
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 1)';
987if ($execmethod == 2) {
988 print
'<span class="opacitymedium"> "popen" PHP method will be used for shell commands';
989 print
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 1)';
995print
'<strong>MAIN_RESTRICTHTML_ONLY_VALID_HTML</strong> = '.(getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML') ?
'1' :
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
996print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": 1 - does not work on HTML5 with some old libxml libs)</span>";
999$savMAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES =
getDolGlobalString(
'MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES');
1000$savMAIN_RESTRICTHTML_ONLY_VALID_HTML =
getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML');
1001$savMAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY =
getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY');
1002$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
1003$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
1004$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
1005$result =
dol_htmlwithnojs(
'<img onerror<=alert(document.domain)> src=>0xbeefed');
1006$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = $savMAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES;
1007$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $savMAIN_RESTRICTHTML_ONLY_VALID_HTML;
1008$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $savMAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY;
1010if ($result ==
'InvalidHTMLStringCantBeCleaned') {
1011 print
' - '.img_warning().
' Your libxml seems to old to work correctly with this option. Disable it !';
1013 print
' - Test of compatibility with this option seems ok';
1019print
'<strong>MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY</strong> = '.(getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') ?
'1' :
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
1020print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
': 1)</span> - Module "php-tidy" must be enabled (currently: '.((extension_loaded(
'tidy') && class_exists(
"tidy")) ?
'Enabled' :
img_picto(
'',
'warning').
' Not available').
")";
1021if (extension_loaded(
'tidy') && class_exists(
"tidy")) {
1023 $savMAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES =
getDolGlobalString(
'MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES');
1024 $savMAIN_RESTRICTHTML_ONLY_VALID_HTML =
getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML');
1025 $savMAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY =
getDolGlobalString(
'MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY');
1026 $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
1027 $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
1028 $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
1029 $result =
dol_htmlwithnojs(
'<img onerror<=alert(document.domain)> src=>0xbeefed');
1030 $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = $savMAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES;
1031 $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = $savMAIN_RESTRICTHTML_ONLY_VALID_HTML;
1032 $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = $savMAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY;
1034 if ($result ==
'InvalidHTMLStringCantBeCleaned') {
1035 print
' - '.img_warning().
' Your libxml seems to old to work correctly with this option. Disable it !';
1037 print
' - Test of compatibility with this option seems ok';
1044print
'<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(getDolGlobalString(
'MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES') ?
'1' :
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
1045print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": 1 - does not work on HTML5 with some old libxml libs)</span><br>";
1050print
'<strong>MAIN_DISALLOW_URL_INTO_DESCRIPTIONS</strong> = '.getDolGlobalString(
'MAIN_DISALLOW_URL_INTO_DESCRIPTIONS',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': 1=only local links allowed (to wrapper document.php or image.php) or 2=no links at all)</span>').
"<br>";
1053print
'<strong>MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS</strong> = '.getDolGlobalString(
'MAIN_ALLOW_SVG_FILES_AS_EXTERNAL_LINKS',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 0)</span>').
"<br>";
1056print
'<strong>MAIN_ALLOW_LINK_STARTING_WITH_FILE</strong> = '.getDolGlobalString(
'MAIN_ALLOW_LINK_STARTING_WITH_FILE',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 0)</span>').
"<br>";
1059print
'<strong>MAIN_ALLOW_OBFUSCATION_METHODS_IN_DOL_EVAL</strong> = '.getDolGlobalString(
'MAIN_ALLOW_OBFUSCATION_METHODS_IN_DOL_EVAL',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
'</span>');
1060print
' <span class="opacitymedium">('.$langs->trans(
"Recommended").
": ".$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
" 0 - The value 1 allows the use of concatenation functions like . or dol_concat into extra fields conditions or formula but is not secured)</span><br>";
1065print
'<strong>MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL</strong> = '.getDolGlobalString(
'MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 0)</span>').
"<br>";
1068print
'<strong>MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED</strong> = '.getDolGlobalString(
'MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED',
'<span class="opacitymedium">'.$langs->trans(
"Undefined").
' ('.$langs->trans(
"Recommended").
': '.$langs->trans(
"Undefined").
' '.$langs->trans(
"or").
' 0)</span>').
"<br>";
1085$request = $_SERVER[
'REQUEST_URI'];
1086if (strpos($request,
'%2F') !==
false) {
1087 echo
'<br><strong>AllowEncodedSlashes probably enabled (NoDecode)</strong>';
1088} elseif (strpos($request,
'/test/test') !==
false) {
1089 echo
'<br><strong>AllowEncodedSlashes enabled with decoding On</strong>';
1105print
'<div class="divsection wordbreak">';
1107print
'<span class="opacitymedium">';
1108print $langs->trans(
"RecommendMitigationOnURL").
'<br>';
1112$urlexamplebase =
'https://github.com/Dolibarr/dolibarr/blob/develop/dev/setup/fail2ban/filter.d/';
1113print
'<span class="fas fa-shield-alt"></span> Login or API authentication (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.
'web-dolibarr-rulesbruteforce.conf">fail2ban example on GitHub</a>)<br>';
1114print
'<span class="fas fa-shield-alt"></span> '.DOL_URL_ROOT.
'/passwordforgotten.php (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.
'web-dolibarr-rulespassforgotten.conf">fail2ban example on GitHub</a>)<br>';
1115print
'<span class="fas fa-shield-alt"></span> '.DOL_URL_ROOT.
'/public/* (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.
'web-dolibarr-limitpublic.conf">fail2ban example on GitHub</a>)<br>';
1117$urlexamplebase =
'https://github.com/Dolibarr/dolibarr/blob/develop/dev/setup/apache/';
1118print
'<span class="fas fa-shield-alt"></span> You can also protect the application using a HTTP Basic authentication layer (see <a target="_blank" rel="noopener" href="'.$urlexamplebase.
'virtualhost">apache2 virtualhost example on GitHub</a>)<br>';
phpinfo_array()
Return the php_info into an array.
llxFooter($comment='', $zone='private', $disabledoutputofmessages=0)
Empty footer.
if(!defined('NOREQUIRESOC')) if(!defined( 'NOREQUIRETRAN')) if(!defined('NOTOKENRENEWAL')) if(!defined( 'NOREQUIREMENU')) if(!defined('NOREQUIREHTML')) if(!defined( 'NOREQUIREAJAX')) llxHeader($head='', $title='', $help_url='', $target='', $disablejs=0, $disablehead=0, $arrayofjs='', $arrayofcss='', $morequerystring='', $morecssonbody='', $replacemainareaby='', $disablenofollow=0, $disablenoindex=0)
Empty header.
getHashUniqueIdOfRegistration($algo='sha256')
Return a hash unique identifier of the registration (used to identify the registration of instance wi...
Class to manage Blocked Log.
dol_dir_list($utf8_path, $types="all", $recursive=0, $filter="", $excludefilter=null, $sortcriteria="name", $sortorder=SORT_ASC, $mode=0, $nohook=0, $relativename="", $donotfollowsymlinks=0, $nbsecondsold=0)
Scan a directory and return a list of files/directories.
version_php()
Return PHP version.
img_picto($titlealt, $picto, $moreatt='', $pictoisfullpath=0, $srconly=0, $notitle=0, $alt='', $morecss='', $marginleftonlyshort=2, $allowothertags=array())
Show picto whatever it's its name (generic function)
img_warning($titlealt='default', $moreatt='', $morecss='pictowarning')
Show warning logo.
dolPrintHTMLForTextArea($s, $allowiframe=0)
Return a string ready to be output on input textarea.
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
yn($yesno, $format=1, $color=0)
Return yes or no in current language.
ascii_check($str)
Check if a string is in ASCII.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dol_print_error($db=null, $error='', $errors=null)
Displays error message system with all the information to facilitate the diagnosis and the escalation...
load_fiche_titre($title, $morehtmlright='', $picto='generic', $pictoisfullpath=0, $id='', $morecssontable='', $morehtmlcenter='', $morecssonpicto='widthpictotitle')
Load a title with picto.
dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox=0, $check='restricthtml')
Sanitize a HTML to remove js, dangerous content and external links.
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
isModEnabled($module)
Is Dolibarr module enabled.
print $langs trans("Show") . '< td style="' . $timeColor . '" align="center"> s</td > badge status0 badge status4 badge status3 Error badge status8< td align="center">< span class="badge ' . $badge . '"></span ></td >< td align="center">< a href="#" class="button button-small" onclick="openLogModal(this)" data-req="' . dol_escape_htmltag($reqSafe) . '" data-res="' . dol_escape_htmltag($resSafe) . '" data-err="' . dol_escape_htmltag($errSafe) . '">< span class="fa fa-search-plus"></span ></a ></td ></tr >< tr >< td colspan="' . $colspan . '" class="opacitymedium"></td ></tr ></table ></div ></form > logModal none logModal none s a JSON string
buildzip.php
dol_getwebuser($mode)
Return user/group account of web server.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
dolDecrypt($chain, $key='', $patterntotest='')
Decode a string with a symmetric encryption.