
Commit 93821c0

committed
fix: [security] Sanitise paths for several file interactions
- remove :// anywhere we don't expect a protocol to be supplied - remove phar:// in certauth plugin's fetcher - as reported by Dawid Czarnecki of Zigrin Security
1 parent 0108f1b commit 93821c0


3 files changed

+256
-252
lines changed


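--- a/app/Model/AppModel.php
+++ b/app/Model/AppModel.php
@@ -2588,6 +2588,7 @@ public function getKafkaPubTool()
 App::uses('KafkaPubTool', 'Tools');
 $kafkaPubTool = new KafkaPubTool();
 $rdkafkaIni = Configure::read('Plugin.Kafka_rdkafka_config');
+$rdkafkaIni = mb_ereg_replace("/\:\/\//", '', $rdkafkaIni);
 $kafkaConf = array();
 if (!empty($rdkafkaIni)) {
 $kafkaConf = parse_ini_file($rdkafkaIni);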
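Review bot: The added `mb_ereg_replace("/\:\/\//", '', $rdkafkaIni)` does not strip a bare scheme separator: unlike `preg_replace()`, `mb_ereg_replace()` takes an undelimited pattern, so the leading and trailing `/` are literal characters and the expression only matches the four-character sequence `/://`. A value whose scheme starts at the beginning of the string (the `phar://` case named in the commit message) contains no slash before the colon and reaches `parse_ini_file()` unchanged. The same construction is repeated in app/Model/Feed.php in `urlOrExistingFilepath()` and `feedGetUri()`, so all three lines need the same correction. A fixed literal needs no regex at all: `$rdkafkaIni = str_replace('://', '', $rdkafkaIni);` (or `preg_replace('#://#', '', $rdkafkaIni)` if a pattern is preferred). `getKafkaPubTool()` starts and ends outside this hunk.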

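--- a/app/Model/Feed.php
+++ b/app/Model/Feed.php
@@ -126,12 +126,13 @@ public function validateInputSource($fields)
 public function urlOrExistingFilepath($fields)
 {
 if ($this->isFeedLocal($this->data)) {
+$path = mb_ereg_replace("/\:\/\//", '', $this->data['Feed']['url']);
 if ($this->data['Feed']['source_format'] == 'misp') {
-if (!is_dir($this->data['Feed']['url'])) {
+if (!is_dir($path)) {
 return 'For MISP type local feeds, please specify the containing directory.';
 }
 } else {
-if (!file_exists($this->data['Feed']['url'])) {
+if (!file_exists($path)) {
 return 'Invalid path or file not found. Make sure that the path points to an existing file that is readable and watch out for typos.';
 }
 }
@@ -1929,6 +1930,7 @@ private function downloadAndParseEventFromFeed($feed, $eventUuid, HttpSocket $Ht
 private function feedGetUri($feed, $uri, HttpSocket $HttpSocket = null)
 {
 if ($this->isFeedLocal($feed)) {
+$uri = mb_ereg_replace("/\:\/\//", '', $uri);
 if (file_exists($uri)) {
 return FileAccessTool::readFromFile($uri);
 } else {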
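Review bot: In the first hunk, `urlOrExistingFilepath()` validates the stripped `$path` but never writes it back, so `$this->data['Feed']['url']` is saved exactly as submitted and the value that passed validation is not the value that gets stored. The second hunk strips again in `feedGetUri()`, which keeps the read path consistent, but every other consumer of the stored URL sees the unsanitised string, and the validator silently accepts input it has in fact rewritten. Rather than normalise, the validator should reject a local path that contains a scheme separator, e.g. `if ($path !== $this->data['Feed']['url']) { return 'Scheme prefixes are not allowed in local feed paths.'; }` placed right after the `$path` assignment, so the stored value and the validated value are the same string. Both `urlOrExistingFilepath()` and `feedGetUri()` continue past their hunks.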
