Merge pull request #11287 from jolelievre/fix-filemanager-175

Fix filemanager security breaches

admin-dev/filemanager/ajax_calls.php

@@ -24,30 +24,34 @@
             if (isset($_GET['descending'])) {
                 $_SESSION['descending'] = $_GET['descending'] === 'true';
             }
-            break;
-        case 'image_size':
-            if (realpath(dirname(_PS_ROOT_DIR_.$_POST['path'])) != realpath(_PS_ROOT_DIR_.$upload_dir)) {
-                die();
-            }
-            $pos = strpos($_POST['path'], $upload_dir);
-            if ($pos !== false) {
-                $info = getimagesize(substr_replace($_POST['path'], $current_path, $pos, strlen($upload_dir)));
-                echo json_encode($info);
-            }
-
             break;
         case 'save_img':
             $info = pathinfo($_POST['name']);
-            if (strpos($_POST['path'], '/') === 0
-                || strpos($_POST['path'], '../') !== false
-                || strpos($_POST['path'], './') === 0
-                || strpos($_POST['url'], 'http://featherfiles.aviary.com/') !== 0
-                || $_POST['name'] != fix_filename($_POST['name'], $transliteration)
+
+            $filename = $_POST['name'];
+            $path_pos = $_POST['path'];
+
+            if (preg_match('/\.{1,2}[\/|\\\]/', $path_pos) !== 0
+                || $filename !== fix_filename($filename, $transliteration)
                 || !in_array(strtolower($info['extension']), array('jpg', 'jpeg', 'png'))
+                || strpos($_POST['url'], 'http://featherfiles.aviary.com/') !== 0
+                || !isset($info['extension'])
+
             ) {
                 die('wrong data');
             }
+
             $image_data = get_file_by_url($_POST['url']);
+
+            $tmp = tempnam(sys_get_temp_dir(), 'img');
+            file_put_contents($tmp, $image_data);
+            $mime = mime_content_type($tmp);
+            unlink($tmp);
+
+            if (!in_array($mime, $mime_img)) {
+                die('wrong data');
+            }
+
             if ($image_data === false) {
                 die('file could not be loaded');
             }

admin-dev/filemanager/config/config.php

@@ -111,6 +111,14 @@
 
 $ext=array_merge($ext_img, $ext_file, $ext_misc, $ext_video, $ext_music); //allowed extensions
 
+//**********************
+//Allowed mime types
+//**********************
+$mime_img = array('image/jpeg', 'image/png', 'image/gif', 'image/bmp', 'image/tiff', 'image/svg');
+$mime_file = array('application/pdf');
+$mime_video = array('video/mpeg', 'video/mp4', 'video/x-msvideo', 'audio/x-ms-wma', 'video/x-flv', 'video/webm');
+
+$mime = array_merge($mime_img, $mime_file, $mime_video);
 
 /******************
  * AVIARY config

admin-dev/filemanager/execute.php

@@ -10,10 +10,13 @@
     die('wrong path');
 }
 
-$thumb_pos = strpos($_POST['path_thumb'], $thumbs_base_path);
-if ($thumb_pos === false
-    || preg_match('/\.{1,2}[\/|\\\]/', $_POST['path_thumb']) !== 0
+$realPath = realpath($current_path.$_POST['path']);
+$realPathThumb = realpath($_POST['path_thumb']);
+
+if (preg_match('/\.{1,2}[\/|\\\]/', $_POST['path_thumb']) !== 0
     || preg_match('/\.{1,2}[\/|\\\]/', $_POST['path']) !== 0
+    || ($realPath && strpos($realPath, realpath($current_path)) !== 0)
+    || ($realPathThumb && strpos($realPathThumb, realpath($thumbs_base_path)) !== 0)
 ) {
     die('wrong path');
 }
@@ -70,6 +73,7 @@
     switch ($_GET['action']) {
         case 'delete_file':
             if ($delete_files) {
+                stopIfSameDir($current_path, array($path, $path_thumb));
                 unlink($path);
                 if (file_exists($path_thumb)) {
                     unlink($path_thumb);
@@ -102,9 +106,11 @@
             break;
         case 'delete_folder':
             if ($delete_folders) {
+                stopIfSameDir($current_path, array($path, $path_thumb));
                 if (is_dir($path_thumb)) {
                     deleteDir($path_thumb);
                 }
+
                 if (is_dir($path)) {
                     deleteDir($path);
                     if ($fixed_image_creation) {
@@ -132,6 +138,7 @@
                 $name = str_replace('.', '', $name);
 
                 if (!empty($name)) {
+                    stopIfSameDir($current_path, array($path, $path_thumb));
                     if (!rename_folder($path, $name, $transliteration)) {
                         die(lang_Rename_existing_folder);
                     }
@@ -154,6 +161,7 @@
             if ($rename_files) {
                 $name = fix_filename($name, $transliteration);
                 if (!empty($name)) {
+                    stopIfSameDir($current_path, array($path, $path_thumb));
                     if (!rename_file($path, $name, $transliteration)) {
                         die(lang_Rename_existing_file);
                     }

admin-dev/filemanager/include/utils.php

@@ -358,3 +358,16 @@ function get_file_by_url($url)
 
     return $data;
 }
+
+/**
+ * @param string $sourcePath
+ * @param array $paths List of paths to compare
+ */
+function stopIfSameDir($sourcePath, array $paths)
+{
+    foreach ($paths as $path) {
+        if (realpath($sourcePath) === realpath($path)) {
+            die('wrong_path');
+        }
+    }
+}

admin-dev/filemanager/upload.php

@@ -38,7 +38,10 @@
 
 if (!empty($_FILES) && isset($_FILES['file']) && $_FILES['file']['size']) {
     $info = pathinfo($_FILES['file']['name']);
-    if (isset($info['extension']) && in_array(fix_strtolower($info['extension']), $ext)) {
+    if (isset($info['extension'])
+            && in_array(fix_strtolower($info['extension']), $ext)
+            && in_array(mime_content_type($_FILES['file']['tmp_name']), $mime)
+    ) {
         $tempFile = $_FILES['file']['tmp_name'];
 
         $targetPath = $storeFolder;

composer.json

@@ -7,6 +7,7 @@
         "ext-curl": "*",
         "ext-intl": "*",
         "ext-zip": "*",
+        "ext-fileinfo": "*",
         "beberlei/DoctrineExtensions": "^1.0",
         "composer/ca-bundle": "^1.0",
         "composer/installers": "^1.0.21",