gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-09-09 19:38:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

check POST vars for valid values, preventing access to arbitrary files on the server

Browse Source
This commit is contained in:
Uwe Steinmann 2014-03-21 08:09:07 +01:00
parent 21d5c868a3
commit fcca6049ac
2 changed files with 27 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
op/op.AddMultiDocument.php
View File

@ -30,14 +30,16 @@ include("../inc/inc.Authentication.php");
$file_param_name = 'file'; $file_param_name = 'file';
$file_name = $_FILES[ $file_param_name ][ 'name' ]; $file_name = $_FILES[ $file_param_name ][ 'name' ];
$source_file_path = $_FILES[ $file_param_name ][ 'tmp_name' ]; $source_file_path = $_FILES[ $file_param_name ][ 'tmp_name' ];
$target_file_path =$settings->_stagingDir.$_POST['fileId']."-".$_POST['partitionIndex']; $fileId = basename($_POST['fileId']);
$partitionIndex = (int) $_POST['partitionIndex'];
$target_file_path =$settings->_stagingDir.$fileId."-".$partitionIndex;
if( move_uploaded_file( $source_file_path, $target_file_path ) ) { if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
if($_POST['partitionIndex']+1 == $_POST['partitionCount']) { if($partitionIndex+1 == $_POST['partitionCount']) {
$fpnew = fopen($settings->_stagingDir.$_POST['fileId'], 'w+'); $fpnew = fopen($settings->_stagingDir.$fileId, 'w+');
for($i=0; $i<$_POST['partitionCount']; $i++) { for($i=0; $i<$_POST['partitionCount']; $i++) {
$content = file_get_contents($settings->_stagingDir.$_POST['fileId']."-".$i, 'r'); $content = file_get_contents($settings->_stagingDir.$fileId."-".$i, 'r');
fwrite($fpnew, $content); fwrite($fpnew, $content);
unlink($settings->_stagingDir.$_POST['fileId']."-".$i); unlink($settings->_stagingDir.$fileId."-".$i);
} }
fclose($fpnew); fclose($fpnew);
@ -166,7 +168,7 @@ if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
} }
} }
$userfiletmp = $settings->_stagingDir.$_POST['fileId'];; $userfiletmp = $settings->_stagingDir.$fileId;
$userfiletype = $_FILES[ $file_param_name ]["type"]; $userfiletype = $_FILES[ $file_param_name ]["type"];
$userfilename = $_FILES[ $file_param_name ]["name"]; $userfilename = $_FILES[ $file_param_name ]["name"];

35
op/op.Download.php
View File

@ -116,6 +116,7 @@ if (isset($_GET["version"])) {
readfile($dms->contentDir . $file->getPath()); readfile($dms->contentDir . $file->getPath());
} elseif (isset($_GET["arkname"])) { } elseif (isset($_GET["arkname"])) {
$filename = basename($_GET["arkname"]);
// backup download // backup download
@ -123,17 +124,17 @@ if (isset($_GET["version"])) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
} }
if (!isset($_GET["arkname"]) || !file_exists($settings->_contentDir.$_GET["arkname"]) ) { if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
UI::exitError(getMLText("admin_tools"),getMLText("unknown_id")); UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
} }
header('Content-Description: File Transfer'); header('Content-Description: File Transfer');
//header("Content-Type: application/force-download; name=\"" . $_GET["arkname"] . "\""); //header("Content-Type: application/force-download; name=\"" . $filename . "\"");
//header("Content-Type: application/octet-stream"); //header("Content-Type: application/octet-stream");
header("Content-Type: application/zip"); header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary"); header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($settings->_contentDir . $_GET["arkname"] )); header("Content-Length: " . filesize($settings->_contentDir . $filename ));
header("Content-Disposition: attachment; filename=\"" .$_GET["arkname"] . "\""); header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
// header("Expires: 0"); // header("Expires: 0");
//header("Content-Type: " . $content->getMimeType()); //header("Content-Type: " . $content->getMimeType());
//header("Cache-Control: no-cache, must-revalidate"); //header("Cache-Control: no-cache, must-revalidate");
@ -141,9 +142,10 @@ if (isset($_GET["version"])) {
header("Cache-Control: public"); header("Cache-Control: public");
//header("Pragma: no-cache"); //header("Pragma: no-cache");
readfile($settings->_contentDir .$_GET["arkname"] ); readfile($settings->_contentDir .$filename );
} elseif (isset($_GET["logname"])) { } elseif (isset($_GET["logname"])) {
$filename = basename($_GET["logname"]);
// log download // log download
@ -151,17 +153,17 @@ if (isset($_GET["version"])) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
} }
if (!isset($_GET["logname"]) || !file_exists($settings->_contentDir.$_GET["logname"]) ) { if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
UI::exitError(getMLText("admin_tools"),getMLText("unknown_id")); UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
} }
header("Content-Type: text/plain; name=\"" . $_GET["logname"] . "\""); header("Content-Type: text/plain; name=\"" . $filename . "\"");
header("Content-Transfer-Encoding: binary"); header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($settings->_contentDir . $_GET["logname"] )); header("Content-Length: " . filesize($settings->_contentDir . $filename ));
header("Content-Disposition: attachment; filename=\"" .$_GET["logname"] . "\""); header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
header("Cache-Control: must-revalidate"); header("Cache-Control: must-revalidate");
readfile($settings->_contentDir .$_GET["logname"] ); readfile($settings->_contentDir .$filename );
} elseif (isset($_GET["vfile"])) { } elseif (isset($_GET["vfile"])) {
@ -192,6 +194,7 @@ if (isset($_GET["version"])) {
readfile($dms->contentDir . $document->getDir() .$settings->_versioningFileName); readfile($dms->contentDir . $document->getDir() .$settings->_versioningFileName);
} elseif (isset($_GET["dumpname"])) { } elseif (isset($_GET["dumpname"])) {
$filename = basename($_GET["dumpname"]);
// dump file download // dump file download
@ -199,22 +202,22 @@ if (isset($_GET["version"])) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
} }
if (!isset($_GET["dumpname"]) || !file_exists($settings->_contentDir.$_GET["dumpname"]) ) { if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
UI::exitError(getMLText("admin_tools"),getMLText("unknown_id")); UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
} }
header("Content-Type: application/zip; name=\"" . $_GET["dumpname"] . "\""); header("Content-Type: application/zip; name=\"" . $filename . "\"");
//header("Content-Type: application/force-download; name=\"" . $_GET["dumpname"] . "\""); //header("Content-Type: application/force-download; name=\"" . $filename . "\"");
header("Content-Transfer-Encoding: binary"); header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($settings->_contentDir . $_GET["dumpname"] )); header("Content-Length: " . filesize($settings->_contentDir . $filename ));
header("Content-Disposition: attachment; filename=\"" .$_GET["dumpname"] . "\""); header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
//header("Expires: 0"); //header("Expires: 0");
//header("Content-Type: " . $content->getMimeType()); //header("Content-Type: " . $content->getMimeType());
//header("Cache-Control: no-cache, must-revalidate"); //header("Cache-Control: no-cache, must-revalidate");
header("Cache-Control: must-revalidate"); header("Cache-Control: must-revalidate");
//header("Pragma: no-cache"); //header("Pragma: no-cache");
readfile($settings->_contentDir .$_GET["dumpname"] ); readfile($settings->_contentDir .$filename );
} }
add_log_line(); add_log_line();