Fixed issue [security] #15848: Check that filename is not changed bef…

…ore moving/copying
LimeSurvey · Feb 12, 2020 · b6c1d1b · b6c1d1b
1 parent e324f82
commit b6c1d1b
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/application/controllers/admin/LimeSurveyFileManager.php b/application/controllers/admin/LimeSurveyFileManager.php
@@ -198,6 +198,8 @@ public function transitFiles()
         $checkDirectory = $this->_checkFolder($folder, $iSurveyId);
 
         foreach($files as $file) {
+            $this->checkChangedFilename($file);
+
             $realTargetPath = dirname(Yii::app()->basePath) . DIRECTORY_SEPARATOR . $folder;
             $fileDestination = realpath($realTargetPath) . DIRECTORY_SEPARATOR . $file['shortName'];
 
@@ -740,6 +742,29 @@ private function throwError()
             0
         );
     }
+
+    /**
+     * Throw exception if src and dest filename is different.
+     *
+     * @param array $file
+     * @return void
+     * @throws \Exception
+     */
+    private function checkChangedFilename(array $file)
+    {
+        /** @var string[] */
+        $pathParts = explode('/', $file['path']);
+        /** @var string */
+        $lastPart = $pathParts[count($pathParts) - 1];
+
+        if ($lastPart !== $file['shortName']) {
+            $this->_setError(
+                "FILENAME_CHANGED",
+                gT("The destination file name is not the same as the source file name")
+            );
+            $this->throwError();
+        }
+    }
 }
 
 class FileManagerError