Dev: Merge pull request #1259

LimeSurvey · Apr 8, 2019 · 0c04bc6 · 0c04bc6
2 parents 0d6af97 + 7b14cba
commit 0c04bc6
Show file tree

Hide file tree

Showing 64 changed files with 8,630 additions and 8,443 deletions.
diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
@@ -1426,10 +1426,11 @@ public function email($iSurveyId)
                             if (!empty($aAttachments)) {
                                 if (isset($aAttachments[$sTemplate])) {
                                     LimeExpressionManager::singleton()->loadTokenInformation($aData['thissurvey']['sid'], $emrow['token']);
-
                                     foreach ($aAttachments[$sTemplate] as $aAttachment) {
-                                        if (LimeExpressionManager::singleton()->ProcessRelevance($aAttachment['relevance'])) {
-                                            $aRelevantAttachments[] = $aAttachment['url'];
+                                        if(Yii::app()->is_file($aAttachment['url'],Yii::app()->getConfig('uploaddir')."/surveys/{$iSurveyId}")) {
+                                            if (LimeExpressionManager::singleton()->ProcessRelevance($aAttachment['relevance'])) {
+                                                $aRelevantAttachments[] = $aAttachment['url'];
+                                            }
                                         }
                                     }
                                 }

diff --git a/application/core/LSYii_Application.php b/application/core/LSYii_Application.php
@@ -372,4 +372,37 @@ public function onException($event)
             }
         }
     }
+
+    /**
+     * Check if a file is inside a specific directory
+     * @var string $dirPath complete directory path
+     * @var string $baseDir the directory where it must be, default to upload dir
+     * @var boolean|null $throwException if security issue
+     * Throw Exception
+     * @return boolean
+     */
+    public function is_file($filePath,$baseDir = null,$throwException = null)
+    {
+        if(is_null($baseDir)) {
+            $baseDir = $this->getConfig('uploaddir');
+        }
+        if(is_null($throwException)) {
+            $throwException = boolval($this->getConfig('debug'));
+        }
+        $realFilePath = realpath($filePath);
+        if(!is_file($realFilePath)) {
+            /* Not existing file */
+            Yii::log("Try to read invalid file ".$filePath, 'warning', 'application.security.files.is_file');
+            return false;
+        }
+        if(substr($realFilePath, 0, strlen($baseDir)) !== $baseDir) {
+            /* Security issue */
+            Yii::log("Disable access to ".$realFilePath." directory", 'error', 'application.security.files.is_file');
+            if($throwException) {
+                throw new CHttpException(403,"Disable for security reasons.");
+            }
+            return false;
+        }
+        return $filePath;
+    }
 }
diff --git a/application/third_party/phpmailer/COMMITMENT b/application/third_party/phpmailer/COMMITMENT
@@ -0,0 +1,46 @@
+GPL Cooperation Commitment
+Version 1.0
+
+Before filing or continuing to prosecute any legal proceeding or claim
+(other than a Defensive Action) arising from termination of a Covered
+License, we commit to extend to the person or entity ('you') accused
+of violating the Covered License the following provisions regarding
+cure and reinstatement, taken from GPL version 3. As used here, the
+term 'this License' refers to the specific Covered License being
+enforced.
+
+    However, if you cease all violation of this License, then your
+    license from a particular copyright holder is reinstated (a)
+    provisionally, unless and until the copyright holder explicitly
+    and finally terminates your license, and (b) permanently, if the
+    copyright holder fails to notify you of the violation by some
+    reasonable means prior to 60 days after the cessation.
+
+    Moreover, your license from a particular copyright holder is
+    reinstated permanently if the copyright holder notifies you of the
+    violation by some reasonable means, this is the first time you
+    have received notice of violation of this License (for any work)
+    from that copyright holder, and you cure the violation prior to 30
+    days after your receipt of the notice.
+
+We intend this Commitment to be irrevocable, and binding and
+enforceable against us and assignees of or successors to our
+copyrights.
+
+Definitions
+
+'Covered License' means the GNU General Public License, version 2
+(GPLv2), the GNU Lesser General Public License, version 2.1
+(LGPLv2.1), or the GNU Library General Public License, version 2
+(LGPLv2), all as published by the Free Software Foundation.
+
+'Defensive Action' means a legal proceeding or claim that We bring
+against you in response to a prior proceeding or claim initiated by
+you or your affiliate.
+
+'We' means each contributor to this repository as of the date of
+inclusion of this file, including subsidiaries of a corporate
+contributor.
+
+This work is available under a Creative Commons Attribution-ShareAlike
+4.0 International license (https://creativecommons.org/licenses/by-sa/4.0/).