Fixed issue: File upload question type directory traversal security issue
git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey@10485 b72ed6b6-b9f8-46b5-92b4-906544132732
Showing
1 changed file
with
126 additions
and
126 deletions.
@@ -1,127 +1,127 @@ | ||
<?php | ||
require_once(dirname(__FILE__).'/classes/core/startup.php'); | ||
require_once(dirname(__FILE__).'/config-defaults.php'); | ||
require_once(dirname(__FILE__).'/common.php'); | ||
require_once($homedir.'/classes/core/class.progressbar.php'); | ||
require_once(dirname(__FILE__).'/classes/core/language.php'); | ||
|
||
if (isset($_GET['filegetcontents'])) | ||
{ | ||
$sFileName=sanitize_filename($_GET['filegetcontents'],true,true); | ||
readfile($tempdir."/upload/".$_GET['filegetcontents']); | ||
exit(); | ||
} | ||
|
||
if (!isset($surveyid)) | ||
{ | ||
$surveyid=returnglobal('sid'); | ||
} | ||
else | ||
{ | ||
//This next line ensures that the $surveyid value is never anything but a number. | ||
$surveyid=sanitize_int($surveyid); | ||
} | ||
|
||
// Compute the Session name | ||
// Session name is based: | ||
// * on this specific limesurvey installation (Value SessionName in DB) | ||
// * on the surveyid (from Get or Post param). If no surveyid is given we are on the public surveys portal | ||
$usquery = "SELECT stg_value FROM ".db_table_name("settings_global")." where stg_name='SessionName'"; | ||
$usresult = db_execute_assoc($usquery,'',true); //Checked | ||
if ($usresult) | ||
{ | ||
$usrow = $usresult->FetchRow(); | ||
$stg_SessionName=$usrow['stg_value']; | ||
if ($surveyid) | ||
{ | ||
if (isset($_GET['preview']) && $_GET['preview'] == 1) | ||
{ | ||
@session_name($stg_SessionName); | ||
} | ||
else | ||
{ | ||
@session_name($stg_SessionName.'-runtime-'.$surveyid); | ||
} | ||
} | ||
else | ||
{ | ||
@session_name($stg_SessionName.'-runtime-publicportal'); | ||
} | ||
} | ||
else | ||
{ | ||
session_name("LimeSurveyRuntime-$surveyid"); | ||
} | ||
session_set_cookie_params(0,$relativeurl.'/'); | ||
@session_start(); | ||
|
||
if (empty($_SESSION) || !isset($_SESSION['fieldname'])) | ||
{ | ||
die("You don't have a valid session !"); | ||
} | ||
|
||
$meta = '<script type="text/javascript"> | ||
var surveyid = "'.$surveyid.'"; | ||
var fieldname = "'.$_GET['fieldname'].'"; | ||
var questgrppreview = '.$_GET['preview'].'; | ||
</script>'; | ||
|
||
$meta .='<script type="text/javascript" src="scripts/ajaxupload.js"></script> | ||
<script type="text/javascript" src="scripts/uploader.js"></script> | ||
<link type="text/css" href="scripts/uploader.css" rel="stylesheet" />'; | ||
|
||
$baselang = GetBaseLanguageFromSurveyID($surveyid); | ||
$clang = new limesurvey_lang($baselang); | ||
|
||
$header = getHeader($meta); | ||
|
||
echo $header; | ||
|
||
echo "<script type='text/javascript'> | ||
var translt = { | ||
titleFld: '" . $clang->gT('Title','js') . "', | ||
commentFld: '" . $clang->gT('Comment','js') . "', | ||
errorNoMoreFiles: '" . $clang->gT('Sorry, no more files can be uploaded!','js') . "', | ||
errorOnlyAllowed: '" . $clang->gT('Sorry, only %s files can be uploaded for this question!','js') . "', | ||
uploading: '" . $clang->gT('Uploading','js') . "', | ||
selectfile: '" . $clang->gT('Select file','js') . "', | ||
errorNeedMore: '" . $clang->gT('Please upload %s more file(s).','js') . "', | ||
errorMoreAllowed: '" . $clang->gT('If you wish, you may upload %s more file(s); else you may return back to survey.','js') . "', | ||
errorMaxReached: '" . $clang->gT('The maximum number of files has been uploaded. You may return back to survey.','js') . "', | ||
errorTooMuch: '" . $clang->gT('The maximum number of files has been uploaded. You may return back to survey.','js') . "', | ||
errorNeedMoreConfirm: '" . $clang->gT("You need to upload %s more files for this question.\nAre you sure you want to exit?",'js') . "' | ||
}; | ||
</script>\n"; | ||
|
||
$fn = $_GET['fieldname']; | ||
$qid = $_GET['qid']; | ||
$qidattributes=getQuestionAttributes($qid); | ||
|
||
$body = ' | ||
<div id="notice"></div> | ||
<input type="hidden" id="ia" value="'.$fn.'" /> | ||
<input type="hidden" id="'.$fn.'_minfiles" value="'.$qidattributes['min_num_of_files'].'" /> | ||
<input type="hidden" id="'.$fn.'_maxfiles" value="'.$qidattributes['max_num_of_files'].'" /> | ||
<input type="hidden" id="'.$fn.'_maxfilesize" value="'.$qidattributes['max_filesize'].'" /> | ||
<input type="hidden" id="'.$fn.'_allowed_filetypes" value="'.$qidattributes['allowed_filetypes'].'" /> | ||
<input type="hidden" id="preview" value="'.$_SESSION['preview'].'" /> | ||
<input type="hidden" id="'.$fn.'_show_comment" value="'.$qidattributes['show_comment'].'" /> | ||
<input type="hidden" id="'.$fn.'_show_title" value="'.$qidattributes['show_title'].'" /> | ||
<input type="hidden" id="'.$fn.'_licount" value="0" /> | ||
<input type="hidden" id="'.$fn.'_filecount" value="0" /> | ||
<!-- The upload button --> | ||
<div align="center" class="upload-div"> | ||
<button id="button1" class="upload-button" type="button" >'.$clang->gT("Select file").'</button> | ||
</div> | ||
<p class="uploadmsg">'.sprintf($clang->gT("You can upload %s under %s KB each.",'js'),$qidattributes['allowed_filetypes'],$qidattributes['max_filesize']).'</p> | ||
<div class="uploadstatus" id="uploadstatus"></div> | ||
<!-- The list of uploaded files --> | ||
<ul id="'.$fn.'_listfiles"></ul> | ||
</body> | ||
</html>'; | ||
echo $body; | ||
<?php | ||
require_once(dirname(__FILE__).'/classes/core/startup.php'); | ||
require_once(dirname(__FILE__).'/config-defaults.php'); | ||
require_once(dirname(__FILE__).'/common.php'); | ||
require_once($homedir.'/classes/core/class.progressbar.php'); | ||
require_once(dirname(__FILE__).'/classes/core/language.php'); | ||
|
||
if (isset($_GET['filegetcontents'])) | ||
{ | ||
$sFileName=sanitize_filename($_GET['filegetcontents'],true,true); | ||
readfile($tempdir."/upload/".$sFileName); | ||
exit(); | ||
} | ||
|
||
if (!isset($surveyid)) | ||
{ | ||
$surveyid=returnglobal('sid'); | ||
} | ||
else | ||
{ | ||
//This next line ensures that the $surveyid value is never anything but a number. | ||
$surveyid=sanitize_int($surveyid); | ||
} | ||
|
||
// Compute the Session name | ||
// Session name is based: | ||
// * on this specific limesurvey installation (Value SessionName in DB) | ||
// * on the surveyid (from Get or Post param). If no surveyid is given we are on the public surveys portal | ||
$usquery = "SELECT stg_value FROM ".db_table_name("settings_global")." where stg_name='SessionName'"; | ||
$usresult = db_execute_assoc($usquery,'',true); //Checked | ||
if ($usresult) | ||
{ | ||
$usrow = $usresult->FetchRow(); | ||
$stg_SessionName=$usrow['stg_value']; | ||
if ($surveyid) | ||
{ | ||
if (isset($_GET['preview']) && $_GET['preview'] == 1) | ||
{ | ||
@session_name($stg_SessionName); | ||
} | ||
else | ||
{ | ||
@session_name($stg_SessionName.'-runtime-'.$surveyid); | ||
} | ||
} | ||
else | ||
{ | ||
@session_name($stg_SessionName.'-runtime-publicportal'); | ||
} | ||
} | ||
else | ||
{ | ||
session_name("LimeSurveyRuntime-$surveyid"); | ||
} | ||
session_set_cookie_params(0,$relativeurl.'/'); | ||
@session_start(); | ||
|
||
if (empty($_SESSION) || !isset($_SESSION['fieldname'])) | ||
{ | ||
die("You don't have a valid session !"); | ||
} | ||
|
||
$meta = '<script type="text/javascript"> | ||
var surveyid = "'.$surveyid.'"; | ||
var fieldname = "'.$_GET['fieldname'].'"; | ||
var questgrppreview = '.$_GET['preview'].'; | ||
</script>'; | ||
|
||
$meta .='<script type="text/javascript" src="scripts/ajaxupload.js"></script> | ||
<script type="text/javascript" src="scripts/uploader.js"></script> | ||
<link type="text/css" href="scripts/uploader.css" rel="stylesheet" />'; | ||
|
||
$baselang = GetBaseLanguageFromSurveyID($surveyid); | ||
$clang = new limesurvey_lang($baselang); | ||
|
||
$header = getHeader($meta); | ||
|
||
echo $header; | ||
|
||
echo "<script type='text/javascript'> | ||
var translt = { | ||
titleFld: '" . $clang->gT('Title','js') . "', | ||
commentFld: '" . $clang->gT('Comment','js') . "', | ||
errorNoMoreFiles: '" . $clang->gT('Sorry, no more files can be uploaded!','js') . "', | ||
errorOnlyAllowed: '" . $clang->gT('Sorry, only %s files can be uploaded for this question!','js') . "', | ||
uploading: '" . $clang->gT('Uploading','js') . "', | ||
selectfile: '" . $clang->gT('Select file','js') . "', | ||
errorNeedMore: '" . $clang->gT('Please upload %s more file(s).','js') . "', | ||
errorMoreAllowed: '" . $clang->gT('If you wish, you may upload %s more file(s); else you may return back to survey.','js') . "', | ||
errorMaxReached: '" . $clang->gT('The maximum number of files has been uploaded. You may return back to survey.','js') . "', | ||
errorTooMuch: '" . $clang->gT('The maximum number of files has been uploaded. You may return back to survey.','js') . "', | ||
errorNeedMoreConfirm: '" . $clang->gT("You need to upload %s more files for this question.\nAre you sure you want to exit?",'js') . "' | ||
}; | ||
</script>\n"; | ||
|
||
$fn = $_GET['fieldname']; | ||
$qid = $_GET['qid']; | ||
$qidattributes=getQuestionAttributes($qid); | ||
|
||
$body = ' | ||
<div id="notice"></div> | ||
<input type="hidden" id="ia" value="'.$fn.'" /> | ||
<input type="hidden" id="'.$fn.'_minfiles" value="'.$qidattributes['min_num_of_files'].'" /> | ||
<input type="hidden" id="'.$fn.'_maxfiles" value="'.$qidattributes['max_num_of_files'].'" /> | ||
<input type="hidden" id="'.$fn.'_maxfilesize" value="'.$qidattributes['max_filesize'].'" /> | ||
<input type="hidden" id="'.$fn.'_allowed_filetypes" value="'.$qidattributes['allowed_filetypes'].'" /> | ||
<input type="hidden" id="preview" value="'.$_SESSION['preview'].'" /> | ||
<input type="hidden" id="'.$fn.'_show_comment" value="'.$qidattributes['show_comment'].'" /> | ||
<input type="hidden" id="'.$fn.'_show_title" value="'.$qidattributes['show_title'].'" /> | ||
<input type="hidden" id="'.$fn.'_licount" value="0" /> | ||
<input type="hidden" id="'.$fn.'_filecount" value="0" /> | ||
<!-- The upload button --> | ||
<div align="center" class="upload-div"> | ||
<button id="button1" class="upload-button" type="button" >'.$clang->gT("Select file").'</button> | ||
</div> | ||
<p class="uploadmsg">'.sprintf($clang->gT("You can upload %s under %s KB each.",'js'),$qidattributes['allowed_filetypes'],$qidattributes['max_filesize']).'</p> | ||
<div class="uploadstatus" id="uploadstatus"></div> | ||
<!-- The list of uploaded files --> | ||
<ul id="'.$fn.'_listfiles"></ul> | ||
</body> | ||
</html>'; | ||
echo $body; | ||
?> |
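Review bot: The `readfile()` line now uses the sanitized `$sFileName`, but whether that actually closes the traversal rests entirely on `sanitize_filename()` (defined outside this file) stripping every `..` and path separator, and the branch runs before the `$_SESSION['fieldname']` check further down, so it serves files to requests that hold no upload session at all. A defensive check that resolves the final path with `realpath()` and refuses anything not located inside `$tempdir.'/upload'` does not depend on the sanitizer's exact rules, and moving the block below the session check would limit it to callers that are already in an upload flow. Separately, `$_GET['fieldname']` and `$_GET['preview']` are interpolated unescaped into the inline `<script>` built in `$meta`, and `$fn` into HTML id/value attributes in `$body`, which is reflected XSS; `$_GET['preview']` is also read there without `isset()`. `$qid` is taken from `$_GET['qid']` and passed to `getQuestionAttributes()` without `sanitize_int()`, unlike `$surveyid` just above it.
```php
if (isset($_GET['filegetcontents']))
{
    $sFileName=sanitize_filename($_GET['filegetcontents'],true,true);
    $sUploadDir=realpath($tempdir.'/upload');
    $sFullPath=realpath($sUploadDir.'/'.$sFileName);
    // Serve only a regular file that resolves to a location inside the upload directory
    if ($sUploadDir===false || $sFullPath===false || !is_file($sFullPath) || strpos($sFullPath,$sUploadDir.DIRECTORY_SEPARATOR)!==0)
    {
        die("Invalid file");
    }
    readfile($sFullPath);
    exit();
}
// … unchanged: survey id, session name computation, session_start …
```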