bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Some big update

Browse Source
This commit is contained in:
bsiggel
2026-03-25 14:35:44 +01:00
parent 0abd37d7a5
commit 867da15823
111 changed files with 173994 additions and 2061 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
application/Espo/Core/Acl/Cache/Clearer.php
View File

@@ -63,7 +63,7 @@ class Clearer
return;
}
$part = $user->getId() . '.php';
$part = basename($user->getId() . '.php');
$this->fileManager->remove('data/cache/application/acl/' . $part);
$this->fileManager->remove('data/cache/application/aclMap/' . $part);
@@ -77,7 +77,7 @@ class Clearer
->find();
foreach ($portals as $portal) {
$part = $portal->getId() . '/' . $user->getId() . '.php';
$part = basename($portal->getId()) . '/' . basename($user->getId() . '.php');
$this->fileManager->remove('data/cache/application/aclPortal/' . $part);
$this->fileManager->remove('data/cache/application/aclPortalMap/' . $part);

3
application/Espo/Core/FileStorage/Storages/EspoUploadDir.php
View File

@@ -115,7 +115,8 @@ class EspoUploadDir implements Storage, Local
protected function getFilePath(Attachment $attachment)
{
$sourceId = $attachment->getSourceId();
$file = basename($sourceId);
return 'data/upload/' . $sourceId;
return 'data/upload/' . $file;
}
}

4
application/Espo/Core/Formula/Functions/ExtGroup/MarkdownGroup/TransformType.php
View File

@@ -33,7 +33,7 @@ use Espo\Core\Formula\EvaluatedArgumentList;
use Espo\Core\Formula\Exceptions\BadArgumentType;
use Espo\Core\Formula\Exceptions\TooFewArguments;
use Espo\Core\Formula\Func;
use Michelf\Markdown;
use Espo\Core\Utils\Markdown\Markdown;
/**
* @noinspection PhpUnused
@@ -52,6 +52,6 @@ class TransformType implements Func
throw BadArgumentType::create(1, 'string');
}
return Markdown::defaultTransform($string);
return Markdown::transform($string);
}
}

4
application/Espo/Core/Mail/Account/GroupAccount/Service.php
View File

@@ -89,7 +89,7 @@ class Service
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
!$this->hostCheck->isHostAndNotInternal($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}
@@ -124,7 +124,7 @@ class Service
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
!$this->hostCheck->isHostAndNotInternal($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}

4
application/Espo/Core/Mail/Account/PersonalAccount/Service.php
View File

@@ -103,7 +103,7 @@ class Service
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
!$this->hostCheck->isHostAndNotInternal($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}
@@ -144,7 +144,7 @@ class Service
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
!$this->hostCheck->isHostAndNotInternal($params->getHost())
) {
throw new Forbidden("Not allowed host.");
}

4
application/Espo/Core/Portal/Api/Starter.php
View File

@@ -49,7 +49,9 @@ class Starter extends StarterBase
SystemConfig $systemConfig,
ApplicationState $applicationState
) {
$routeCacheFile = 'data/cache/application/slim-routes-portal-' . $applicationState->getPortalId() . '.php';
$part = basename($applicationState->getPortalId());
$routeCacheFile = 'data/cache/application/slim-routes-portal-' . $part . '.php';
parent::__construct(
$requestProcessor,

50
application/Espo/Core/Utils/Markdown/Markdown.php Normal file
View File

@@ -0,0 +1,50 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Utils\Markdown;
use Michelf\Markdown as MarkdownParser;
/**
* @internal
*/
class Markdown
{
/**
* @internal
*/
public static function transform(string $text): string
{
$parser = new MarkdownParser();
$parser->no_markup = true;
$parser->no_entities = true;
return $parser->transform($text);
}
}

174
application/Espo/Core/Utils/Security/HostCheck.php
View File

@@ -32,30 +32,35 @@ namespace Espo\Core\Utils\Security;
use const DNS_A;
use const FILTER_FLAG_NO_PRIV_RANGE;
use const FILTER_FLAG_NO_RES_RANGE;
use const FILTER_FLAG_HOSTNAME;
use const FILTER_VALIDATE_DOMAIN;
use const FILTER_VALIDATE_IP;
class HostCheck
{
public function isNotInternalHost(string $host): bool
/**
* Validates the string is a host and it's not internal.
* If not a host, returns false.
*
* @since 9.3.4
*/
public function isHostAndNotInternal(string $host): bool
{
$records = dns_get_record($host, DNS_A);
if (filter_var($host, FILTER_VALIDATE_IP)) {
return $this->ipAddressIsNotInternal($host);
}
if (!$records) {
return true;
if (!$this->isDomainHost($host)) {
return false;
}
foreach ($records as $record) {
/** @var ?string $idAddress */
$idAddress = $record['ip'] ?? null;
$ipAddresses = $this->getHostIpAddresses($host);
if (!$idAddress) {
return false;
}
if ($ipAddresses === []) {
return false;
}
foreach ($ipAddresses as $idAddress) {
if (!$this->ipAddressIsNotInternal($idAddress)) {
return false;
}
@@ -64,7 +69,66 @@ class HostCheck
return true;
}
private function ipAddressIsNotInternal(string $ipAddress): bool
/**
* @internal
* @since 9.3.4
*/
public function isDomainHost(string $host): bool
{
$normalized = $this->normalizeIpAddress($host);
if ($normalized !== false && filter_var($normalized, FILTER_VALIDATE_IP)) {
return false;
}
if (!filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
return false;
}
if (!$this->hasNoNumericItem($host)) {
return false;
}
if (filter_var($host, FILTER_VALIDATE_DOMAIN)) {
return true;
}
return false;
}
/**
* @return string[]
* @internal
* @since 9.3.4
*/
public function getHostIpAddresses(string $host): array
{
$records = dns_get_record($host, DNS_A);
if (!$records) {
return [];
}
$output = [];
foreach ($records as $record) {
/** @var ?string $idAddress */
$idAddress = $record['ip'] ?? null;
if (!$idAddress) {
continue;
}
$output[] = $idAddress;
}
return $output;
}
/**
* @internal
*/
public function ipAddressIsNotInternal(string $ipAddress): bool
{
return (bool) filter_var(
$ipAddress,
@@ -72,4 +136,90 @@ class HostCheck
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
);
}
/**
* @deprecated Since 9.3.4. Use `isHostAndNotInternal`.
* @todo Remove in 9.4.0.
*/
public function isNotInternalHost(string $host): bool
{
return $this->isHostAndNotInternal($host);
}
private function normalizeIpAddress(string $ip): string|false
{
if (!str_contains($ip, '.')) {
return self::normalizePart($ip);
}
$parts = explode('.', $ip);
if (count($parts) !== 4) {
return false;
}
$result = [];
foreach ($parts as $part) {
if (preg_match('/^0x[0-9a-f]+$/i', $part)) {
$num = hexdec($part);
} else if (preg_match('/^0[0-7]+$/', $part) && $part !== '0') {
$num = octdec($part);
} else if (ctype_digit($part)) {
$num = (int)$part;
} else {
return false;
}
if ($num < 0 || $num > 255) {
return false;
}
$result[] = $num;
}
return implode('.', $result);
}
private static function normalizePart(string $ip): string|false
{
if (preg_match('/^0x[0-9a-f]+$/i', $ip)) {
$num = hexdec($ip);
} elseif (preg_match('/^0[0-7]+$/', $ip) && $ip !== '0') {
$num = octdec($ip);
} elseif (ctype_digit($ip)) {
$num = (int) $ip;
} else {
return false;
}
if ($num < 0 || $num > 0xFFFFFFFF) {
return false;
}
$num = (int) $num;
return long2ip($num);
}
private function hasNoNumericItem(string $host): bool
{
$hasNoNumeric = false;
foreach (explode('.', $host) as $it) {
if (!is_numeric($it) && !self::isHex($it)) {
$hasNoNumeric = true;
break;
}
}
return $hasNoNumeric;
}
private function isHex(string $value): bool
{
return preg_match('/^0x[0-9a-fA-F]+$/', $value) === 1;
}
}

123
application/Espo/Core/Utils/Security/UrlCheck.php
View File

@@ -29,9 +29,6 @@
namespace Espo\Core\Utils\Security;
use const FILTER_VALIDATE_URL;
use const PHP_URL_HOST;
class UrlCheck
{
public function __construct(
@@ -44,9 +41,11 @@ class UrlCheck
}
/**
* Checks whether a URL does not follow to an internal host.
* Checks whether it's a URL, and it does not follow to an internal host.
*
* @since 9.3.4
*/
public function isNotInternalUrl(string $url): bool
public function isUrlAndNotIternal(string $url): bool
{
if (!$this->isUrl($url)) {
return false;
@@ -58,6 +57,118 @@ class UrlCheck
return false;
}
return $this->hostCheck->isNotInternalHost($host);
return $this->hostCheck->isHostAndNotInternal($host);
}
/**
* @return ?string[] Null if not a domain name or not a URL.
* @internal
* @since 9.3.4
*/
public function getCurlResolve(string $url): ?array
{
if (!$this->isUrl($url)) {
return null;
}
$host = parse_url($url, PHP_URL_HOST);
$port = parse_url($url, PHP_URL_PORT);
$scheme = parse_url($url, PHP_URL_SCHEME);
if ($port === null && $scheme) {
$port = match (strtolower($scheme)) {
'http' => 80,
'https'=> 443,
'ftp' => 21,
'ssh' => 22,
'smtp' => 25,
default => null,
};
}
if ($port === null) {
return [];
}
if (!is_string($host)) {
return null;
}
if (filter_var($host, FILTER_VALIDATE_IP)) {
return null;
}
if (!$this->hostCheck->isDomainHost($host)) {
return null;
}
$ipAddresses = $this->hostCheck->getHostIpAddresses($host);
$output = [];
foreach ($ipAddresses as $ipAddress) {
$ipPart = $ipAddress;
if (filter_var($ipAddress, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
$ipPart = "[$ipPart]";
}
$output[] = "$host:$port:$ipPart";
}
return $output;
}
/**
* @deprecated Since 9.3.4. Use `isUrlAndNotIternal`.
* @todo Remove in 9.5.0.
*/
public function isNotInternalUrl(string $url): bool
{
return $this->isUrlAndNotIternal($url);
}
/**
* @param string[] $resolve
* @param string[] $allowed An allowed address list in the `{host}:{port}` format.
* @internal
*/
public function validateCurlResolveNotInternal(array $resolve, array $allowed = []): bool
{
if ($resolve === []) {
return false;
}
$ipAddresses = [];
foreach ($resolve as $item) {
$arr = explode(':', $item, 3);
if (count($arr) < 3) {
return false;
}
$ipAddress = $arr[2];
$port = $arr[1];
$domain = $arr[0];
if (in_array("$ipAddress:$port", $allowed) || in_array("$domain:$port", $allowed)) {
return true;
}
if (str_starts_with($ipAddress, '[') && str_ends_with($ipAddress, ']')) {
$ipAddress = substr($ipAddress, 1, -1);
}
$ipAddresses[] = $ipAddress;
}
foreach ($ipAddresses as $ipAddress) {
if (!$this->hostCheck->ipAddressIsNotInternal($ipAddress)) {
return false;
}
}
return true;
}
}

12
application/Espo/Core/Utils/TemplateFileManager.php
View File

@@ -124,7 +124,13 @@ class TemplateFileManager
?string $entityType = null
): string {
$type = basename($type);
$language = basename($language);
$name = basename($name);
if ($entityType) {
$entityType = basename($entityType);
return "custom/Espo/Custom/Resources/templates/{$type}/{$language}/{$entityType}/{$name}.tpl";
}
@@ -152,7 +158,13 @@ class TemplateFileManager
?string $entityType = null
): string {
$type = basename($type);
$language = basename($language);
$name = basename($name);
if ($entityType) {
$entityType = basename($entityType);
return "templates/{$type}/{$language}/{$entityType}/{$name}.tpl";
}

19
application/Espo/Core/Webhook/Sender.php
View File

@@ -95,11 +95,24 @@ class Sender
if (
!$this->addressUtil->isAllowedUrl($url) &&
!$this->urlCheck->isNotInternalUrl($url)
!$this->urlCheck->isUrlAndNotIternal($url)
) {
throw new Error("URL '$url' points to an internal host, not allowed.");
}
$resolve = $this->urlCheck->getCurlResolve($url);
if ($resolve === []) {
throw new Error("Could not resolve the host.");
}
/** @var string[] $allowedAddressList */
$allowedAddressList = $this->config->get('webhookAllowedAddressList') ?? [];
if ($resolve !== null && !$this->urlCheck->validateCurlResolveNotInternal($resolve, $allowedAddressList)) {
throw new Error("Forbidden host.");
}
$handler = curl_init($url);
if ($handler === false) {
@@ -118,6 +131,10 @@ class Sender
curl_setopt($handler, \CURLOPT_HTTPHEADER, $headerList);
curl_setopt($handler, \CURLOPT_POSTFIELDS, $payload);
if ($resolve) {
curl_setopt($handler, CURLOPT_RESOLVE, $resolve);
}
curl_exec($handler);
$code = curl_getinfo($handler, \CURLINFO_HTTP_CODE);