Merge pull request #1584 from PecanProject/fix-remote-execution

fix for #1545
PecanProject · Aug 15, 2017 · 4b67541 · 4b67541
2 parents 8710a24 + de9e533
commit 4b67541
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 65 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ For more information about this file see also [Keep a Changelog](http://keepacha
 
 ## [Unreleased]
 
+### Fixes
+- Fixed remote code execution #1545
+
 ## [1.5.10] - Prerelease
 ### Added
 - Added PEcAn.utils::download.file() to allow for use of alternative FTP programs

diff --git a/web/dataset.php b/web/dataset.php
@@ -12,11 +12,11 @@
 require("common.php");
 open_database();
 if ($authentication) {
-	if (!check_login()) {
-		close_database();
-		header('HTTP/1.1 403 Unauthorized');
-		exit;
-	}
+    if (!check_login()) {
+        close_database();
+        header('HTTP/1.1 403 Unauthorized');
+        exit;
+    }
     if (get_page_acccess_level() > $min_run_level) {
         header( "Location: history.php");
         close_database();
@@ -46,73 +46,87 @@
 
 // return dataset
 switch ($type) {
-	case "file":
-		if (!isset($_REQUEST['name'])) {
-			die("Need name.");
-		}
-		$name = $_REQUEST['name'];
-
-		$file = canonicalize("$folder/$name");
-		if (substr($file, 0, strlen($folder)) != $folder) {
-			die("Invalid file name specified.");			
-		}
-
-		if (substr($name, -4) === ".xml") {
-			$mime = "text/xml";
-		} else if (substr($name, -4) === ".txt") {
-			$mime = "text/plain";					
-		} else if (substr($name, -4) === ".log") {
-			$mime = "text/plain";					
-		} else if (substr($name, -4) === ".pdf") {
-			$mime = "application/pdf";					
-		} else {
-			$mime = "application/octet-stream";
-		}
-		break;
-
-	case "plot":
-		if (!isset($_REQUEST['run'])) {
-			die("Need run.");
-		}
-		$run=$_REQUEST['run'];
-		if (!isset($_REQUEST['year']) || !is_numeric($_REQUEST['year'])) {
-			die("Need year.");
-		}
-		$year=$_REQUEST['year'];
-    if (!isset($_REQUEST['xvar'])) {
-      die("Need xvar.");
-    }
-    $xvar=$_REQUEST['xvar'];
-    if (!isset($_REQUEST['yvar'])) {
-      die("Need yvar.");
-    }
-    $yvar=$_REQUEST['yvar'];
-		$datafile=$folder . "/out/" . $run . "/" . $year . ".nc";
-		$width=600;
-		if (isset($_REQUEST['width']) && ($_REQUEST['width'] > $width)) {
-			$width=$_REQUEST['width'];
-		}
-		$height=400;
-		if (isset($_REQUEST['height']) && ($_REQUEST['height'] > $height)) {
-			$height=$_REQUEST['height'];
-		}
-		$mime = "image/png";
-		$file = tempnam(sys_get_temp_dir(),'plot') . ".png";
-		shell_exec("R_LIBS_USER='${R_library_path}' PECANSETTINGS='$folder/pecan.xml' ${Rbinary} CMD BATCH --vanilla '--args $datafile $year $xvar $yvar $width $height $file' plot.netcdf.R /tmp/plot.out");
-		break;
-
-	default:
-		die("unknown type.");
+    case "file":
+        if (!isset($_REQUEST['name'])) {
+            die("Need name.");
+        }
+        $name = $_REQUEST['name'];
+
+        $file = canonicalize("$folder/$name");
+        if (substr($file, 0, strlen($folder)) != $folder) {
+            die("Invalid file name specified.");            
+        }
+
+        if (substr($name, -4) === ".xml") {
+            $mime = "text/xml";
+        } else if (substr($name, -4) === ".txt") {
+            $mime = "text/plain";                    
+        } else if (substr($name, -4) === ".log") {
+            $mime = "text/plain";                    
+        } else if (substr($name, -4) === ".pdf") {
+            $mime = "application/pdf";                    
+        } else {
+            $mime = "application/octet-stream";
+        }
+        break;
+
+    case "plot":
+        if (!isset($_REQUEST['run'])) {
+            die("Need run.");
+        }
+        $run = $_REQUEST['run'];
+        if (!isset($_REQUEST['year']) || !is_numeric($_REQUEST['year'])) {
+            die("Need year.");
+        }
+        $year = $_REQUEST['year'];
+        if (!isset($_REQUEST['xvar'])) {
+            die("Need xvar.");
+        }
+        $xvar = $_REQUEST['xvar'];
+        if (!isset($_REQUEST['yvar'])) {
+            die("Need yvar.");
+        }
+        $yvar = $_REQUEST['yvar'];
+        $width = 600;
+        if (isset($_REQUEST['width']) && ($_REQUEST['width'] > $width)) {
+            $width = $_REQUEST['width'];
+        }
+        $height = 400;
+        if (isset($_REQUEST['height']) && ($_REQUEST['height'] > $height)) {
+            $height = $_REQUEST['height'];
+        }
+        $datafile = $folder . "/out/" . $run . "/" . $year . ".nc";
+        $mime = "image/png";
+        $file = tempnam(sys_get_temp_dir(),'plot') . ".png";
+        if (!file_exists($datafile)) {
+            die("Invalid file name specified ${file}.");            
+        }
+
+        # make sure everything is shell safe
+        $datafile = escapeshellarg($datafile);
+        $year = escapeshellarg($year);
+        $xvar = escapeshellarg($xvar);
+        $yvar = escapeshellarg($yvar);
+        $width = escapeshellarg($width);
+        $height = escapeshellarg($height);
+        $escfile = escapeshellarg($file);
+
+        # execute command to create graph
+        shell_exec("R_LIBS_USER='${R_library_path}' PECANSETTINGS='$folder/pecan.xml' ${Rbinary} CMD BATCH --vanilla '--args $datafile $year $xvar $yvar $width $height $escfile' plot.netcdf.R /tmp/plot.out");
+        break;
+
+    default:
+        die("unknown type.");
 }
 
 if (!file_exists($file)) {
-	die("Invalid file name specified ${file}.");			
+    die("Invalid file name specified ${file}.");            
 }
 if ($mime != "") {
-	header("Content-type: $mime");
+    header("Content-type: $mime");
 }
 if (isset($name)) {
-	header('Content-Disposition: filename='.basename($name));
+    header('Content-Disposition: filename='.basename($name));
 }
 readfile($file);