From d317c744bf511cb55b427dba5b1077636f9f3804 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 26 Feb 2014 22:31:01 +0100
Subject: [PATCH] fix security hole missing check of passed parameters allows to place files on the server
---
 op/op.AddFile2.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/op/op.AddFile2.php b/op/op.AddFile2.php
index 7b3328cea..27ca3e58d 100644
--- a/op/op.AddFile2.php
+++ b/op/op.AddFile2.php
@@ -28,14 +28,16 @@ include("../inc/inc.Authentication.php");
 $file_param_name = 'file';
 $file_name = $_FILES[ $file_param_name ][ 'name' ];
 $source_file_path = $_FILES[ $file_param_name ][ 'tmp_name' ];
-$target_file_path =$settings->_stagingDir.$_POST['fileId']."-".$_POST['partitionIndex'];
+$fileId = basename($_POST['fileId']);
+$partitionIndex = (int) $_POST['partitionIndex'];
+$target_file_path =$settings->_stagingDir.$fileId."-".$partitionIndex;
 if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
- if($_POST['partitionIndex']+1 == $_POST['partitionCount']) {
- $fpnew = fopen($settings->_stagingDir.$_POST['fileId'], 'w+');
+ if($partitionIndex+1 == $_POST['partitionCount']) {
+ $fpnew = fopen($settings->_stagingDir.$fileId, 'w+');
 for($i=0; $i<$_POST['partitionCount']; $i++) {
- $content = file_get_contents($settings->_stagingDir.$_POST['fileId']."-".$i, 'r');
+ $content = file_get_contents($settings->_stagingDir.$fileId."-".$i, 'r');
 fwrite($fpnew, $content);
- unlink($settings->_stagingDir.$_POST['fileId']."-".$i);
+ unlink($settings->_stagingDir.$fileId."-".$i);
 }
 fclose($fpnew);
@@ -56,7 +58,7 @@ if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
 echo getMLText("access_denied");
 }
- $userfiletmp = $settings->_stagingDir.$_POST['fileId'];;
+ $userfiletmp = $settings->_stagingDir.$fileId;
 $userfiletype = $_FILES[ $file_param_name ]["type"];
 $userfilename = $_FILES[ $file_param_name ]["name"];
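Review bot: `basename()` on the added `$fileId` line keeps the path inside the staging directory but still lets the client choose the file name, so `..`, an empty string or a name with an arbitrary extension reaches `fopen($settings->_stagingDir.$fileId, 'w+')`, whose return value is not checked. If the uploader's ids permit it, validate against an allowlist and reject the request on mismatch, for example with the condition `!preg_match('/^[A-Za-z0-9_-]+$/', $fileId)`. `$_POST['partitionCount']` is still read raw in the `==` test and as the loop bound; cast it once with `$partitionCount = (int) $_POST['partitionCount'];` and refuse requests where `$partitionIndex` falls outside `0 .. $partitionCount-1`. The `if( move_uploaded_file(...) )` block continues outside the hunk, so how the assembled file is used afterwards is not visible here.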