check extension and path traversal

bl-kernel/abstract/plugin.class.php

@@ -252,6 +252,8 @@ public function uninstall()
 		return true;
 	}
 
+	// Returns TRUE if the plugin is installed
+	// This function just check if the database of the plugin is created
 	public function installed()
 	{
 		return file_exists($this->filenameDb);
@@ -271,13 +273,13 @@ public function init()
 	public function post()
 	{
 		$args = $_POST;
-		foreach ($this->dbFields as $key=>$value) {
-			if (isset($args[$key])) {
-				$value = Sanitize::html( $args[$key] );
-				if ($value==='false') { $value = false; }
-				elseif ($value==='true') { $value = true; }
-				settype($value, gettype($this->dbFields[$key]));
-				$this->db[$key] = $value;
+		foreach ($this->dbFields as $field=>$value) {
+			if (isset($args[$field])) {
+				$finalValue = Sanitize::html( $args[$field] );
+				if ($finalValue==='false') { $finalValue = false; }
+				elseif ($finalValue==='true') { $finalValue = true; }
+				settype($finalValue, gettype($value));
+				$this->db[$field] = $finalValue;
 			}
 		}
 		return $this->save();

bl-kernel/admin/themes/booty/html/sidebar.php

@@ -2,7 +2,7 @@
 <ul class="nav flex-column pt-4">
 
 	<li class="nav-item mb-4" style="margin-left: -4px;">
-		<img src="<?php echo HTML_PATH_ADMIN_THEME ?>img/logo.svg" width="20" height="20" alt="bludit-logo"><span class="ml-2 align-middle"><?php echo (defined('BLUDIT_PRO'))?'BLUDIT PRO':'BLUDIT' ?></span>
+		<img src="<?php echo HTML_PATH_CORE_IMG ?>logo.svg" width="20" height="20" alt="bludit-logo"><span class="ml-2 align-middle"><?php echo (defined('BLUDIT_PRO'))?'BLUDIT PRO':'BLUDIT' ?></span>
 	</li>
 
 	<li class="nav-item">

bl-kernel/admin/themes/booty/index.php

@@ -8,7 +8,7 @@
 	<meta name="generator" content="Bludit">
 
 	<!-- Favicon -->
-	<link rel="shortcut icon" type="image/x-icon" href="<?php echo DOMAIN_ADMIN_THEME.'img/favicon.png?version='.BLUDIT_VERSION ?>">
+	<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_CORE_IMG.'favicon.png?version='.BLUDIT_VERSION ?>">
 
 	<!-- CSS -->
 	<?php

bl-kernel/admin/themes/booty/login.php

@@ -7,7 +7,7 @@
 	<meta name="robots" content="noindex,nofollow">
 
 	<!-- Favicon -->
-	<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_ADMIN_THEME.'img/favicon.png?version='.BLUDIT_VERSION ?>">
+	<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_CORE_IMG.'favicon.png?version='.BLUDIT_VERSION ?>">
 
 	<!-- CSS -->
 	<?php

bl-kernel/ajax/delete-image.php

@@ -10,7 +10,7 @@
 $uuid = empty($_POST['uuid']) ? false : $_POST['uuid'];
 // ----------------------------------------------------------------------------
 
-if ($filename==false) {
+if ($filename===false) {
 	ajaxResponse(1, 'The filename is empty.');
 }
 

bl-kernel/ajax/upload-profile-picture.php

@@ -16,12 +16,27 @@
 }
 
 // File extension
-$fileExtension 	= pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
+$allowedExtensions = array('gif', 'png', 'jpg', 'jpeg', 'svg');
+$fileExtension = pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
+if (!in_array($fileExtension, $allowedExtensions) ) {
+	$message = 'File type is not supported. Allowed types: '.implode(', ',$allowedExtensions);
+	Log::set($message, LOG_TYPE_ERROR);
+	ajaxResponse(1, $message);
+}
+
 // Tmp filename
 $tmpFilename = $username.'.'.$fileExtension;
+
 // Final filename
 $filename = $username.'.png';
 
+// Check path traversal
+if (Text::stringContains($username, '/', false)) {
+	$message = 'Path traversal detected.';
+	Log::set($message, LOG_TYPE_ERROR);
+	ajaxResponse(1, $message);
+}
+
 // Move from temporary directory to uploads folder
 rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);
 

bl-kernel/boot/init.php

@@ -61,11 +61,6 @@
 define('DB_USERS', PATH_DATABASES.'users.php');
 define('DB_SECURITY', PATH_DATABASES.'security.php');
 
-// JSON pretty print
-if (!defined('JSON_PRETTY_PRINT')) {
-	define('JSON_PRETTY_PRINT', 128);
-}
-
 // User environment variables
 include(PATH_KERNEL.'boot'.DS.'variables.php');
 

bl-kernel/boot/rules/60.plugins.php

@@ -54,17 +54,16 @@ function buildPlugins()
 	global $L;
 	global $site;
 
-	// List plugins directories
-	$list = Filesystem::listDirectories(PATH_PLUGINS);
-
 	// Get declared clasess BEFORE load plugins clasess
 	$currentDeclaredClasess = get_declared_classes();
 
+	// List plugins directories
+	$list = Filesystem::listDirectories(PATH_PLUGINS);
 	// Load each plugin clasess
 	foreach ($list as $pluginPath) {
 		// Check if the directory has the plugin.php
 		if (file_exists($pluginPath.DS.'plugin.php')) {
-			include($pluginPath.DS.'plugin.php');
+			include_once($pluginPath.DS.'plugin.php');
 		}
 	}
 
@@ -76,7 +75,7 @@ function buildPlugins()
 
 		// Check if the plugin is translated
 		$languageFilename = PATH_PLUGINS.$Plugin->directoryName().DS.'languages'.DS.$site->language().'.json';
-		if( !Sanitize::pathFile($languageFilename) ) {
+		if (!Sanitize::pathFile($languageFilename)) {
 			$languageFilename = PATH_PLUGINS.$Plugin->directoryName().DS.'languages'.DS.DEFAULT_LANGUAGE_FILE;
 		}
 
@@ -106,6 +105,7 @@ function buildPlugins()
 			}
 		}
 
+		// Sort the plugins by the position for the site sidebar
 		uasort($plugins['siteSidebar'], function ($a, $b) {
             		return $a->position()>$b->position();
         		}

bl-kernel/helpers/sanitize.class.php

@@ -30,30 +30,28 @@ public static function htmlDecode($text)
 
 	public static function pathFile($path, $file=false)
 	{
-		if($file!==false){
+		if ($file!==false){
 			$fullPath = $path.$file;
-		}
-		else {
+		} else {
 			$fullPath = $path;
 		}
 
 		// Fix for Windows on paths. eg: $path = c:\diego/page/subpage convert to c:\diego\page\subpages
 		$fullPath = str_replace('/', DS, $fullPath);
 
-		if(CHECK_SYMBOLIC_LINKS) {
+		if (CHECK_SYMBOLIC_LINKS) {
 			$real = realpath($fullPath);
-		}
-		else {
+		} else {
 			$real = file_exists($fullPath)?$fullPath:false;
 		}
 
 		// If $real is FALSE the file does not exist.
-		if($real===false) {
+		if ($real===false) {
 			return false;
 		}
 
 		// If the $real path does not start with the systemPath then this is Path Traversal.
-		if(strpos($fullPath, $real)!==0) {
+		if (strpos($fullPath, $real)!==0) {
 			return false;
 		}
 

bl-kernel/language.class.php

@@ -105,10 +105,10 @@ public function p($string)
 	}
 
 	// Add keys=>values to the current dicionary
-	// This method overwrite the key=>value
+	// This method don't overwrite the current value
 	public function add($array)
 	{
-		$this->db = array_merge($array, $this->db);
+		$this->db = array_merge($this->db, $array);
 	}
 
 	// Returns an array with all dictionaries

bl-plugins/simplemde/plugin.php

@@ -88,7 +88,7 @@ public function adminBodyEnd()
 				addContentSimpleMDE("!['.$L->get('Image description').']("+filename+")");
 			}'.PHP_EOL;
 
-		$html .= '$(document).ready(function() { '.PHP_EOL;
+		//$html .= '$(document).ready(function() { '.PHP_EOL;
 		$html .= 'simplemde = new SimpleMDE({
 				element: document.getElementById("jseditor"),
 				status: false,
@@ -114,7 +114,7 @@ className: "oi oi-crop",
 					title: "'.$L->get('Pagebreak').'",
 					}]
 		});';
-		$html .= '}); </script>';
+		$html .= '</script>';
 		return $html;
 	}
 }

install.php

@@ -583,7 +583,7 @@ function redirect($url) {
 	<meta name="robots" content="noindex,nofollow">
 
 	<!-- Favicon -->
-	<link rel="shortcut icon" type="image/x-icon" href="bl-kernel/admin/themes/booty/img/favicon.png?version=<?php echo time() ?>">
+	<link rel="shortcut icon" type="image/x-icon" href="bl-kernel/img/favicon.png?version=<?php echo time() ?>">
 
 	<!-- CSS -->
 	<link rel="stylesheet" type="text/css" href="bl-kernel/css/bootstrap.min.css?version=<?php echo time() ?>">