From fcca6049ac069cd7cd4a765b1e67c0ca2bef5f47 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Fri, 21 Mar 2014 08:09:07 +0100
Subject: [PATCH] check POST vars for valid values, preventing access to arbitrary files on the server
---
 op/op.AddMultiDocument.php | 14 ++++++++------
 op/op.Download.php | 35 +++++++++++++++++++----------------
 2 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/op/op.AddMultiDocument.php b/op/op.AddMultiDocument.php
index 090ab68be..3de0805a4 100644
--- a/op/op.AddMultiDocument.php
+++ b/op/op.AddMultiDocument.php
@@ -30,14 +30,16 @@ include("../inc/inc.Authentication.php");
 $file_param_name = 'file';
 $file_name = $_FILES[ $file_param_name ][ 'name' ];
 $source_file_path = $_FILES[ $file_param_name ][ 'tmp_name' ];
-$target_file_path =$settings->_stagingDir.$_POST['fileId']."-".$_POST['partitionIndex'];
+$fileId = basename($_POST['fileId']);
+$partitionIndex = (int) $_POST['partitionIndex'];
+$target_file_path =$settings->_stagingDir.$fileId."-".$partitionIndex;
 if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
- if($_POST['partitionIndex']+1 == $_POST['partitionCount']) {
- $fpnew = fopen($settings->_stagingDir.$_POST['fileId'], 'w+');
+ if($partitionIndex+1 == $_POST['partitionCount']) {
+ $fpnew = fopen($settings->_stagingDir.$fileId, 'w+');
 for($i=0; $i<$_POST['partitionCount']; $i++) {
- $content = file_get_contents($settings->_stagingDir.$_POST['fileId']."-".$i, 'r');
+ $content = file_get_contents($settings->_stagingDir.$fileId."-".$i, 'r');
 fwrite($fpnew, $content);
- unlink($settings->_stagingDir.$_POST['fileId']."-".$i);
+ unlink($settings->_stagingDir.$fileId."-".$i);
 }
 fclose($fpnew);
@@ -166,7 +168,7 @@ if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
 }
 }
- $userfiletmp = $settings->_stagingDir.$_POST['fileId'];;
+ $userfiletmp = $settings->_stagingDir.$fileId;
 $userfiletype = $_FILES[ $file_param_name ]["type"];
 $userfilename = $_FILES[ $file_param_name ]["name"];
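Review bot: `basename()` on the new `$fileId` line removes directory components but passes `''`, `.` and `..` through unchanged, so `fopen($settings->_stagingDir.$fileId, 'w+')` and the later `$userfiletmp` path can still name the staging directory itself or its parent, and any other name the client sends is accepted verbatim. Validate the id against the alphabet the upload client actually produces right after the assignment, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $fileId)) { /* reject the request via the script's existing error path */ }` (widen the pattern if legitimate ids contain other characters). `$_POST['partitionCount']` deserves the same `(int)` cast as `partitionIndex`, since the changed `if` line compares it loosely and the `for` loop uses it as its bound. On the changed `file_get_contents` line the second argument is `$use_include_path` (a bool), so the leftover `'r'` silently enables include-path lookup and should be dropped. The `if( move_uploaded_file(...) )` body continues past this hunk.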
diff --git a/op/op.Download.php b/op/op.Download.php
index a970f8df3..3d24b1605 100644
--- a/op/op.Download.php
+++ b/op/op.Download.php
@@ -116,6 +116,7 @@ if (isset($_GET["version"])) {
 readfile($dms->contentDir . $file->getPath());
 }
 elseif (isset($_GET["arkname"])) {
+ $filename = basename($_GET["arkname"]);
 // backup download
@@ -123,17 +124,17 @@ if (isset($_GET["version"])) {
 UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
- if (!isset($_GET["arkname"]) || !file_exists($settings->_contentDir.$_GET["arkname"]) ) {
+ if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
 UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }
 header('Content-Description: File Transfer');
- //header("Content-Type: application/force-download; name=\"" . $_GET["arkname"] . "\"");
+ //header("Content-Type: application/force-download; name=\"" . $filename . "\"");
 //header("Content-Type: application/octet-stream");
 header("Content-Type: application/zip");
 header("Content-Transfer-Encoding: binary");
- header("Content-Length: " . filesize($settings->_contentDir . $_GET["arkname"] ));
- header("Content-Disposition: attachment; filename=\"" .$_GET["arkname"] . "\"");
+ header("Content-Length: " . filesize($settings->_contentDir . $filename ));
+ header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
 // header("Expires: 0");
 //header("Content-Type: " . $content->getMimeType());
 //header("Cache-Control: no-cache, must-revalidate");
@@ -141,9 +142,10 @@ if (isset($_GET["version"])) {
 header("Cache-Control: public");
 //header("Pragma: no-cache");
- readfile($settings->_contentDir .$_GET["arkname"] );
+ readfile($settings->_contentDir .$filename );
 }
 elseif (isset($_GET["logname"])) {
+ $filename = basename($_GET["logname"]);
 // log download
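Review bot: `basename()` on the added `$filename` line does not reject `''`, `.` or `..`, and for those values `$settings->_contentDir.$filename` names the content directory or its parent, which the `file_exists` test in the following @@ -123 hunk accepts before `filesize()` and `readfile()` are handed a directory path. Tighten that test so it only passes for a regular file directly under the content directory: `if ($filename === '' || $filename === '.' || $filename === '..' || !is_file($settings->_contentDir.$filename)) {`. The same applies to the `logname` assignment in the @@ -141 hunk (checked in @@ -151) and the `dumpname` assignment in the @@ -192 hunk (checked in @@ -199). The `if/elseif` chain this sits in starts and ends outside the hunk.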
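Review bot: `!isset($filename)` on the changed `if` line can only fire when `basename()` returned null (an array-valued parameter on older PHP), so for ordinary string input the guard reduces to the `file_exists` test and the `isset` should give way to the checks the value actually needs (`$filename !== ''` and `is_file(...)`). The hunk also edits the commented-out `//header("Content-Type: application/force-download; ...")` line; dead code is better deleted than kept in sync (the @@ -199 hunk does the same). The `Content-Disposition` header embeds `$filename` between double quotes without escaping, so a stored file whose name contains `"` yields a malformed header value; `str_replace('"', '', $filename)` at that point, or an RFC 5987 `filename*=` parameter built with `rawurlencode($filename)`, keeps it well-formed. The same three points apply to the @@ -151 and @@ -199 hunks.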
@@ -151,17 +153,17 @@ if (isset($_GET["version"])) {
 UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
- if (!isset($_GET["logname"]) || !file_exists($settings->_contentDir.$_GET["logname"]) ) {
+ if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
 UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }
- header("Content-Type: text/plain; name=\"" . $_GET["logname"] . "\"");
+ header("Content-Type: text/plain; name=\"" . $filename . "\"");
 header("Content-Transfer-Encoding: binary");
- header("Content-Length: " . filesize($settings->_contentDir . $_GET["logname"] ));
- header("Content-Disposition: attachment; filename=\"" .$_GET["logname"] . "\"");
+ header("Content-Length: " . filesize($settings->_contentDir . $filename ));
+ header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
 header("Cache-Control: must-revalidate");
- readfile($settings->_contentDir .$_GET["logname"] );
+ readfile($settings->_contentDir .$filename );
 }
 elseif (isset($_GET["vfile"])) {
@@ -192,6 +194,7 @@ if (isset($_GET["version"])) {
 readfile($dms->contentDir . $document->getDir() .$settings->_versioningFileName);
 }
 elseif (isset($_GET["dumpname"])) {
+ $filename = basename($_GET["dumpname"]);
 // dump file download
@@ -199,22 +202,22 @@ if (isset($_GET["version"])) {
 UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
- if (!isset($_GET["dumpname"]) || !file_exists($settings->_contentDir.$_GET["dumpname"]) ) {
+ if (!isset($filename) || !file_exists($settings->_contentDir.$filename) ) {
 UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }
- header("Content-Type: application/zip; name=\"" . $_GET["dumpname"] . "\"");
- //header("Content-Type: application/force-download; name=\"" . $_GET["dumpname"] . "\"");
+ header("Content-Type: application/zip; name=\"" . $filename . "\"");
+ //header("Content-Type: application/force-download; name=\"" . $filename . "\"");
 header("Content-Transfer-Encoding: binary");
- header("Content-Length: " . filesize($settings->_contentDir . $_GET["dumpname"] ));
- header("Content-Disposition: attachment; filename=\"" .$_GET["dumpname"] . "\"");
+ header("Content-Length: " . filesize($settings->_contentDir . $filename ));
+ header("Content-Disposition: attachment; filename=\"" .$filename . "\"");
 //header("Expires: 0");
 //header("Content-Type: " . $content->getMimeType());
 //header("Cache-Control: no-cache, must-revalidate");
 header("Cache-Control: must-revalidate");
 //header("Pragma: no-cache");
- readfile($settings->_contentDir .$_GET["dumpname"] );
+ readfile($settings->_contentDir .$filename );
 }
 add_log_line();
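Review bot: With `$filename` in place, the `dumpname` branch is the same validate-then-stream sequence as the `arkname` and `logname` branches, differing only in the `Content-Type` and `Cache-Control` values, so the `basename` handling, the existence test and the header/`readfile` block now live in three copies that must be edited together. A small helper taking the raw parameter, content type, cache-control value and content directory would keep the validation in one place, and each branch becomes one call such as `sendAdminFile($_GET["dumpname"], 'application/zip', 'must-revalidate', $settings->_contentDir);`. The `arkname` branch additionally sends `Content-Description` and a bare `Content-Type: application/zip`, which the helper would need to reconcile or expose as an option. The enclosing `if/elseif` chain begins before this hunk.
```php
// … unchanged: admin check at the top of the branch …
function sendAdminFile(string $rawName, string $contentType, string $cacheControl, string $contentDir): void
{
    $filename = basename($rawName);
    // basename() keeps '', '.' and '..'; require a regular file directly under the content dir
    if ($filename === '' || $filename === '.' || $filename === '..' || !is_file($contentDir . $filename)) {
        UI::exitError(getMLText("admin_tools"), getMLText("unknown_id"));
    }
    header('Content-Type: ' . $contentType . '; name="' . $filename . '"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($contentDir . $filename));
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Cache-Control: ' . $cacheControl);
    readfile($contentDir . $filename);
}
// … unchanged: add_log_line() …
```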