Some big update

2026-03-25 14:35:44 +01:00
parent 0abd37d7a5
commit 867da15823
111 changed files with 173994 additions and 2061 deletions
--- a/application/Espo/Core/Utils/Markdown/Markdown.php
+++ b/application/Espo/Core/Utils/Markdown/Markdown.php
@@ -0,0 +1,50 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2026 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Utils\Markdown;
+
+use Michelf\Markdown as MarkdownParser;
+
+/**
+ * @internal
+ */
+class Markdown
+{
+    /**
+     * @internal
+     */
+    public static function transform(string $text): string
+    {
+        $parser = new MarkdownParser();
+        $parser->no_markup = true;
+        $parser->no_entities = true;
+
+        return $parser->transform($text);
+    }
+}
--- a/application/Espo/Core/Utils/Security/HostCheck.php
+++ b/application/Espo/Core/Utils/Security/HostCheck.php
@@ -32,30 +32,35 @@ namespace Espo\Core\Utils\Security;
 use const DNS_A;
 use const FILTER_FLAG_NO_PRIV_RANGE;
 use const FILTER_FLAG_NO_RES_RANGE;
+use const FILTER_FLAG_HOSTNAME;
+use const FILTER_VALIDATE_DOMAIN;
 use const FILTER_VALIDATE_IP;

 class HostCheck
 {
-    public function isNotInternalHost(string $host): bool
+    /**
+     * Validates the string is a host and it's not internal.
+     * If not a host, returns false.
+     *
+     * @since 9.3.4
+     */
+    public function isHostAndNotInternal(string $host): bool
    {
-        $records = dns_get_record($host, DNS_A);
-
        if (filter_var($host, FILTER_VALIDATE_IP)) {
            return $this->ipAddressIsNotInternal($host);
        }

-        if (!$records) {
-            return true;
+        if (!$this->isDomainHost($host)) {
+            return false;
        }

-        foreach ($records as $record) {
-            /** @var ?string $idAddress */
-            $idAddress = $record['ip'] ?? null;
+        $ipAddresses = $this->getHostIpAddresses($host);

-            if (!$idAddress) {
-                return false;
-            }
+        if ($ipAddresses === []) {
+            return false;
+        }

+        foreach ($ipAddresses as $idAddress) {
            if (!$this->ipAddressIsNotInternal($idAddress)) {
                return false;
            }
@@ -64,7 +69,66 @@ class HostCheck
        return true;
    }

-    private function ipAddressIsNotInternal(string $ipAddress): bool
+    /**
+     * @internal
+     * @since 9.3.4
+     */
+    public function isDomainHost(string $host): bool
+    {
+        $normalized = $this->normalizeIpAddress($host);
+
+        if ($normalized !== false && filter_var($normalized, FILTER_VALIDATE_IP)) {
+            return false;
+        }
+
+        if (!filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
+            return false;
+        }
+
+        if (!$this->hasNoNumericItem($host)) {
+            return false;
+        }
+
+        if (filter_var($host, FILTER_VALIDATE_DOMAIN)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @return string[]
+     * @internal
+     * @since 9.3.4
+     */
+    public function getHostIpAddresses(string $host): array
+    {
+        $records = dns_get_record($host, DNS_A);
+
+        if (!$records) {
+            return [];
+        }
+
+        $output = [];
+
+        foreach ($records as $record) {
+            /** @var ?string $idAddress */
+            $idAddress = $record['ip'] ?? null;
+
+            if (!$idAddress) {
+                continue;
+            }
+
+            $output[] = $idAddress;
+        }
+
+        return $output;
+    }
+
+    /**
+     * @internal
+     */
+    public function ipAddressIsNotInternal(string $ipAddress): bool
    {
        return (bool) filter_var(
            $ipAddress,
@@ -72,4 +136,90 @@ class HostCheck
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
    }
+
+    /**
+     * @deprecated Since 9.3.4. Use `isHostAndNotInternal`.
+     * @todo Remove in 9.4.0.
+     */
+    public function isNotInternalHost(string $host): bool
+    {
+        return $this->isHostAndNotInternal($host);
+    }
+
+    private function normalizeIpAddress(string $ip): string|false
+    {
+        if (!str_contains($ip, '.')) {
+            return self::normalizePart($ip);
+        }
+
+        $parts = explode('.', $ip);
+
+        if (count($parts) !== 4) {
+            return false;
+        }
+
+        $result = [];
+
+        foreach ($parts as $part) {
+            if (preg_match('/^0x[0-9a-f]+$/i', $part)) {
+                $num = hexdec($part);
+            } else if (preg_match('/^0[0-7]+$/', $part) && $part !== '0') {
+                $num = octdec($part);
+            } else if (ctype_digit($part)) {
+                $num = (int)$part;
+            } else {
+                return false;
+            }
+
+            if ($num < 0 || $num > 255) {
+                return false;
+            }
+
+            $result[] = $num;
+        }
+
+        return implode('.', $result);
+    }
+
+    private static function normalizePart(string $ip): string|false
+    {
+        if (preg_match('/^0x[0-9a-f]+$/i', $ip)) {
+            $num = hexdec($ip);
+        } elseif (preg_match('/^0[0-7]+$/', $ip) && $ip !== '0') {
+            $num = octdec($ip);
+        } elseif (ctype_digit($ip)) {
+            $num = (int) $ip;
+        } else {
+            return false;
+        }
+
+        if ($num < 0 || $num > 0xFFFFFFFF) {
+            return false;
+        }
+
+        $num = (int) $num;
+
+        return long2ip($num);
+    }
+
+
+    private function hasNoNumericItem(string $host): bool
+    {
+        $hasNoNumeric = false;
+
+        foreach (explode('.', $host) as $it) {
+            if (!is_numeric($it) && !self::isHex($it)) {
+                $hasNoNumeric = true;
+
+                break;
+            }
+        }
+
+        return $hasNoNumeric;
+    }
+
+    private function isHex(string $value): bool
+    {
+        return preg_match('/^0x[0-9a-fA-F]+$/', $value) === 1;
+    }
 }
--- a/application/Espo/Core/Utils/Security/UrlCheck.php
+++ b/application/Espo/Core/Utils/Security/UrlCheck.php
@@ -29,9 +29,6 @@

 namespace Espo\Core\Utils\Security;

-use const FILTER_VALIDATE_URL;
-use const PHP_URL_HOST;
-
 class UrlCheck
 {
    public function __construct(
@@ -44,9 +41,11 @@ class UrlCheck
    }

    /**
-     * Checks whether a URL does not follow to an internal host.
+     * Checks whether it's a URL, and it does not follow to an internal host.
+     *
+     * @since 9.3.4
     */
-    public function isNotInternalUrl(string $url): bool
+    public function isUrlAndNotIternal(string $url): bool
    {
        if (!$this->isUrl($url)) {
            return false;
@@ -58,6 +57,118 @@ class UrlCheck
            return false;
        }

-        return $this->hostCheck->isNotInternalHost($host);
+        return $this->hostCheck->isHostAndNotInternal($host);
+    }
+
+    /**
+     * @return ?string[] Null if not a domain name or not a URL.
+     * @internal
+     * @since 9.3.4
+     */
+    public function getCurlResolve(string $url): ?array
+    {
+        if (!$this->isUrl($url)) {
+            return null;
+        }
+
+        $host = parse_url($url, PHP_URL_HOST);
+        $port = parse_url($url, PHP_URL_PORT);
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+
+        if ($port === null && $scheme) {
+            $port = match (strtolower($scheme)) {
+                'http' => 80,
+                'https'=> 443,
+                'ftp' => 21,
+                'ssh' => 22,
+                'smtp' => 25,
+                default  => null,
+            };
+        }
+
+        if ($port === null) {
+            return [];
+        }
+
+        if (!is_string($host)) {
+            return null;
+        }
+
+        if (filter_var($host, FILTER_VALIDATE_IP)) {
+            return null;
+        }
+
+        if (!$this->hostCheck->isDomainHost($host)) {
+            return null;
+        }
+
+        $ipAddresses = $this->hostCheck->getHostIpAddresses($host);
+
+        $output = [];
+
+        foreach ($ipAddresses as $ipAddress) {
+            $ipPart = $ipAddress;
+
+            if (filter_var($ipAddress, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+                $ipPart = "[$ipPart]";
+            }
+
+            $output[] = "$host:$port:$ipPart";
+        }
+
+        return $output;
+    }
+
+    /**
+     * @deprecated Since 9.3.4. Use `isUrlAndNotIternal`.
+     * @todo Remove in 9.5.0.
+     */
+    public function isNotInternalUrl(string $url): bool
+    {
+        return $this->isUrlAndNotIternal($url);
+    }
+
+    /**
+     * @param string[] $resolve
+     * @param string[] $allowed An allowed address list in the `{host}:{port}` format.
+     * @internal
+     */
+    public function validateCurlResolveNotInternal(array $resolve, array $allowed = []): bool
+    {
+        if ($resolve === []) {
+            return false;
+        }
+
+        $ipAddresses = [];
+
+        foreach ($resolve as $item) {
+            $arr = explode(':', $item, 3);
+
+            if (count($arr) < 3) {
+                return false;
+            }
+
+            $ipAddress = $arr[2];
+            $port = $arr[1];
+            $domain = $arr[0];
+
+            if (in_array("$ipAddress:$port", $allowed) || in_array("$domain:$port", $allowed)) {
+                return true;
+            }
+
+            if (str_starts_with($ipAddress, '[') && str_ends_with($ipAddress, ']')) {
+                $ipAddress = substr($ipAddress, 1, -1);
+            }
+
+            $ipAddresses[] = $ipAddress;
+        }
+
+        foreach ($ipAddresses as $ipAddress) {
+            if (!$this->hostCheck->ipAddressIsNotInternal($ipAddress)) {
+                return false;
+            }
+        }
+
+        return true;
    }
 }
--- a/application/Espo/Core/Utils/TemplateFileManager.php
+++ b/application/Espo/Core/Utils/TemplateFileManager.php
@@ -124,7 +124,13 @@ class TemplateFileManager
        ?string $entityType = null
    ): string {

+        $type = basename($type);
+        $language = basename($language);
+        $name = basename($name);
+
        if ($entityType) {
+            $entityType = basename($entityType);
+
            return "custom/Espo/Custom/Resources/templates/{$type}/{$language}/{$entityType}/{$name}.tpl";
        }

@@ -152,7 +158,13 @@ class TemplateFileManager
        ?string $entityType = null
    ): string {

+        $type = basename($type);
+        $language = basename($language);
+        $name = basename($name);
+
        if ($entityType) {
+            $entityType = basename($entityType);
+
            return "templates/{$type}/{$language}/{$entityType}/{$name}.tpl";
        }