From 756c1687ab30cebe8849aa9ca9ffda79cd6ed647 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Wed, 6 Jan 2021 17:59:30 +0100
Subject: [PATCH] Dev Refixed issue #15782: Remote Code Execution (RCE) in template options file uploader - this time properly
---
 application/config/config-defaults.php | 3 ++-
 application/controllers/admin/themes.php | 2 +-
 application/core/LSYii_ImageValidator.php | 8 +++++---
 application/helpers/admin/template_helper.php | 2 +-
 application/views/admin/themes/templateeditorbar_view.php | 2 +-
 5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
index 1ea9efd3ed7..885266f92f3 100644
--- a/application/config/config-defaults.php
+++ b/application/config/config-defaults.php
@@ -85,7 +85,8 @@ $config['customassetversionnumber'] = 1; // Used to generate the path of tmp assets (see: LSYii_AssetManager::generatePath() )
 // Please be very careful if you want to allow SVG files - there are several XSS dangerous security issues
-$config['allowedthemeuploads'] = 'gif,ico,jpg,png,css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // File types allowed to be uploaded in the themes section.
+$config['allowedthemeimageformats'] = 'gif,ico,jpg,png'; // Image file types allowed to be uploaded in the themes section.
+$config['allowedthemeuploads'] = 'css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // Other file types allowed to be uploaded in the themes section.
 $config['allowedresourcesuploads'] = '7z,aiff,asf,avi,bmp,csv,doc,docx,fla,flv,gif,gz,gzip,ico,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pxd,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xlsx,xml,zip,css,js'; // File types allowed to be uploaded in the resources sections, and with the HTML Editor
 $config['memory_limit'] = '256'; // This sets how much memory LimeSurvey can access in megabytes. 256 MB is the minimum recommended - if you are using PDF functions up to 512 MB may be needed
diff --git a/application/controllers/admin/themes.php b/application/controllers/admin/themes.php
index 5edbb3f0ecb..11ca1809e4a 100755
--- a/application/controllers/admin/themes.php
+++ b/application/controllers/admin/themes.php
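Review bot: The comment on the new `allowedthemeimageformats` line does not say that the same list is also the extension allowlist enforced inside `LSYii_ImageValidator::validateImage` (see that file's hunks), so an administrator editing it here cannot tell that it gates both the uploader and the validator. Suggest `// Image file types allowed to be uploaded in the themes section; also the extension allowlist enforced by LSYii_ImageValidator::validateImage.`. The "Please be very careful ... SVG" warning now directly precedes the image list, which is where it belongs, but it would read better if it said explicitly that adding `svg` to this list is what re-enables the XSS risk it describes.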
@@ -391,7 +391,7 @@ public function uploadfile()
 LSUploadHelper::checkUploadedFileSizeAndRedirect('upload_file', $redirectUrl);
 $oEditedTemplate = Template::getInstance($templatename);
- $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads');
+ $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats');
 $filename = sanitize_filename($_FILES['upload_file']['name'], false, false, false); // Don't force lowercase or alphanumeric
 $dirfilepath = $oEditedTemplate->filesPath;
diff --git a/application/core/LSYii_ImageValidator.php b/application/core/LSYii_ImageValidator.php
index 611175c8bdc..7de345f0884 100644
--- a/application/core/LSYii_ImageValidator.php
+++ b/application/core/LSYii_ImageValidator.php
@@ -27,11 +27,13 @@ public static function validateImage($file)
 {
 if (is_array($file)) {
 $path = $file['tmp_name'];
+ $extension = pathinfo($file['name'], PATHINFO_EXTENSION);
 $type = $file['type'];
 } elseif (is_string($file)) {
 $parts = explode('.', $file);
 $path = $file;
- $type = 'image/' . $parts[count($parts) - 1];
+ $extension = pathinfo($file, PATHINFO_EXTENSION);
+ $type = 'image/' . $extension;
 } else {
 return [
 // No translation ? send $file ?
@@ -62,13 +64,13 @@ public static function validateImage($file)
 );
 if (!empty($checkImage)
+ && in_array($extension,explode(",",Yii::app()->getConfig('allowedthemeimageformats')))
 && in_array($checkImage, $allowedImageFormats)
 && in_array(strtolower($type), $allowedImageFormats)) {
 $result['uploadresult'] = '';
 $result['check'] = true;
 } else {
- $result['uploadresult'] =
- gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
+ $result['uploadresult'] = gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
 $result['check'] = false;
 }
 return $result;
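Review bot: The merged allowlist on the `+` line, `Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats')`, is built by the same string concatenation in three places — here, in `templateExtractFilter` (template_helper.php) and in the JavaScript of templateeditorbar_view.php — so the lists can drift and none of them normalises the entries. If either setting is empty, the joined string yields an empty-string element after `explode`, which `in_array` then matches for a name whose `pathinfo(..., PATHINFO_EXTENSION)` is `''`. A single helper returning `array_values(array_filter(array_map('trim', explode(',', strtolower($merged))), 'strlen'))` (where `$merged` is the joined pair of settings) and called from all three sites would remove both problems. uploadfile() continues outside the hunk, so the check that consumes `$allowedthemeuploads` is not visible; it should run against `$filename`, the sanitized name that is written, rather than the raw `$_FILES` name, so that the validated extension is the stored one.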
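Review bot: The `$extension` assigned on the two `+` lines is taken verbatim from `pathinfo()`, so the comparison against the lower-case `allowedthemeimageformats` list in the next hunk is case-sensitive: `photo.PNG` is rejected even though the `strtolower($type)` check would accept it. Failing closed is acceptable for this fix, but if mixed case is meant to work, normalise at the source with `$extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));` (and likewise in the string branch) rather than loosening the comparison. A comment on the array branch that `$file['name']` is client-supplied and that the extension is only trusted together with the `$checkImage` content check in the second hunk would document why both checks are needed. Because only the final extension is inspected, the allowlist should continue to be paired with serving the theme files directory without script execution; handler rules for multi-dotted names are the web server's concern, not this validator's.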
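Review bot: The message on the `+` line still asks for "JPG,PNG,GIF or SVG", but the new `in_array($extension, ...)` condition rejects `svg` (and `jpeg`) and accepts `ico` under the default `allowedthemeimageformats` of `gif,ico,jpg,png` in config-defaults.php, so users are told the wrong thing. Consider building the message from the configured list, e.g. `sprintf(gT("This file is not a supported image - please only upload %s type images."), strtoupper(Yii::app()->getConfig('allowedthemeimageformats')))`, accepting the translation-key change. The added condition also differs in style from the two `in_array` lines below it (no space after the commas, double-quoted delimiter) and omits the strict flag: `&& in_array($extension, explode(',', Yii::app()->getConfig('allowedthemeimageformats')), true)`. The `$checkImage` assignment this condition depends on starts before the hunk.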
diff --git a/application/helpers/admin/template_helper.php b/application/helpers/admin/template_helper.php
index 171f9429e84..865096fd85d 100644
--- a/application/helpers/admin/template_helper.php
+++ b/application/helpers/admin/template_helper.php
@@ -129,7 +129,7 @@ function is_template_editable($templatename)
 */
 function templateExtractFilter($p_event, &$p_header)
 {
- $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads'));
+ $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'));
 $aAllowExtensions[] = 'twig';
 $info = pathinfo($p_header['filename']);
diff --git a/application/views/admin/themes/templateeditorbar_view.php b/application/views/admin/themes/templateeditorbar_view.php
index 83b0068ffad..d749449bdcb 100644
--- a/application/views/admin/themes/templateeditorbar_view.php
+++ b/application/views/admin/themes/templateeditorbar_view.php
@@ -28,7 +28,7 @@ function copyprompt(text, defvalue, copydirectory, action)
 if(filename==""){
 return false; // False click
 }
- var allowedtypes=',getConfig('allowedthemeuploads'); ?>,';
+ var allowedtypes=',getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'); ?>,';
 var lastdotpos=-1;
 var ext='';
 if ((lastdotpos=filename.lastIndexOf('.')) < 0)
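Review bot: In the templateeditorbar_view.php hunk the merged list on the `+` line is dropped into a single-quoted JavaScript string literal (the `<?php echo` opening before `getConfig` appears to have been stripped in this rendering, only the `?>` survives), so a `'` or backslash in either config value would terminate the literal and break `copyprompt`; the values are administrator-controlled, so this is robustness rather than injection, but `json_encode(',' . $merged . ',')` (where `$merged` is the joined pair of settings) yields a JavaScript literal that is correct for any content. This client-side filter only pre-screens the chosen file name; the authoritative allowlist is the server-side check in themes.php and LSYii_ImageValidator, so a comment such as `// UI convenience only; the server re-validates the extension` would stop anyone treating it as a control. copyprompt() continues outside the hunk.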