Skip to content
Permalink
Browse files

check extension and path traversal

  • Loading branch information...
dignajar committed Mar 10, 2019
1 parent 3ab8c4c commit d0843a4070c7d7fa596a7eb2130be15383013487
@@ -252,6 +252,8 @@ public function uninstall()
return true;
}
// Returns TRUE if the plugin is installed
// This function just check if the database of the plugin is created
public function installed()
{
return file_exists($this->filenameDb);
@@ -271,13 +273,13 @@ public function init()
public function post()
{
$args = $_POST;
foreach ($this->dbFields as $key=>$value) {
if (isset($args[$key])) {
$value = Sanitize::html( $args[$key] );
if ($value==='false') { $value = false; }
elseif ($value==='true') { $value = true; }
settype($value, gettype($this->dbFields[$key]));
$this->db[$key] = $value;
foreach ($this->dbFields as $field=>$value) {
if (isset($args[$field])) {
$finalValue = Sanitize::html( $args[$field] );
if ($finalValue==='false') { $finalValue = false; }
elseif ($finalValue==='true') { $finalValue = true; }
settype($finalValue, gettype($value));
$this->db[$field] = $finalValue;
}
}
return $this->save();
@@ -2,7 +2,7 @@
<ul class="nav flex-column pt-4">

<li class="nav-item mb-4" style="margin-left: -4px;">
<img src="<?php echo HTML_PATH_ADMIN_THEME ?>img/logo.svg" width="20" height="20" alt="bludit-logo"><span class="ml-2 align-middle"><?php echo (defined('BLUDIT_PRO'))?'BLUDIT PRO':'BLUDIT' ?></span>
<img src="<?php echo HTML_PATH_CORE_IMG ?>logo.svg" width="20" height="20" alt="bludit-logo"><span class="ml-2 align-middle"><?php echo (defined('BLUDIT_PRO'))?'BLUDIT PRO':'BLUDIT' ?></span>
</li>

<li class="nav-item">
@@ -8,7 +8,7 @@
<meta name="generator" content="Bludit">

<!-- Favicon -->
<link rel="shortcut icon" type="image/x-icon" href="<?php echo DOMAIN_ADMIN_THEME.'img/favicon.png?version='.BLUDIT_VERSION ?>">
<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_CORE_IMG.'favicon.png?version='.BLUDIT_VERSION ?>">

<!-- CSS -->
<?php
@@ -7,7 +7,7 @@
<meta name="robots" content="noindex,nofollow">

<!-- Favicon -->
<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_ADMIN_THEME.'img/favicon.png?version='.BLUDIT_VERSION ?>">
<link rel="shortcut icon" type="image/x-icon" href="<?php echo HTML_PATH_CORE_IMG.'favicon.png?version='.BLUDIT_VERSION ?>">

<!-- CSS -->
<?php
@@ -10,7 +10,7 @@
$uuid = empty($_POST['uuid']) ? false : $_POST['uuid'];
// ----------------------------------------------------------------------------
if ($filename==false) {
if ($filename===false) {
ajaxResponse(1, 'The filename is empty.');
}
@@ -16,12 +16,27 @@
}
// File extension
$fileExtension = pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
$allowedExtensions = array('gif', 'png', 'jpg', 'jpeg', 'svg');
$fileExtension = pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
if (!in_array($fileExtension, $allowedExtensions) ) {
$message = 'File type is not supported. Allowed types: '.implode(', ',$allowedExtensions);
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
// Tmp filename
$tmpFilename = $username.'.'.$fileExtension;
// Final filename
$filename = $username.'.png';
// Check path traversal
if (Text::stringContains($username, '/', false)) {
$message = 'Path traversal detected.';
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
// Move from temporary directory to uploads folder
rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);
@@ -61,11 +61,6 @@
define('DB_USERS', PATH_DATABASES.'users.php');
define('DB_SECURITY', PATH_DATABASES.'security.php');
// JSON pretty print
if (!defined('JSON_PRETTY_PRINT')) {
define('JSON_PRETTY_PRINT', 128);
}
// User environment variables
include(PATH_KERNEL.'boot'.DS.'variables.php');
@@ -54,17 +54,16 @@ function buildPlugins()
global $L;
global $site;
// List plugins directories
$list = Filesystem::listDirectories(PATH_PLUGINS);
// Get declared clasess BEFORE load plugins clasess
$currentDeclaredClasess = get_declared_classes();
// List plugins directories
$list = Filesystem::listDirectories(PATH_PLUGINS);
// Load each plugin clasess
foreach ($list as $pluginPath) {
// Check if the directory has the plugin.php
if (file_exists($pluginPath.DS.'plugin.php')) {
include($pluginPath.DS.'plugin.php');
include_once($pluginPath.DS.'plugin.php');
}
}
@@ -76,7 +75,7 @@ function buildPlugins()
// Check if the plugin is translated
$languageFilename = PATH_PLUGINS.$Plugin->directoryName().DS.'languages'.DS.$site->language().'.json';
if( !Sanitize::pathFile($languageFilename) ) {
if (!Sanitize::pathFile($languageFilename)) {
$languageFilename = PATH_PLUGINS.$Plugin->directoryName().DS.'languages'.DS.DEFAULT_LANGUAGE_FILE;
}
@@ -106,6 +105,7 @@ function buildPlugins()
}
}
// Sort the plugins by the position for the site sidebar
uasort($plugins['siteSidebar'], function ($a, $b) {
return $a->position()>$b->position();
}

Large diffs are not rendered by default.

@@ -30,30 +30,28 @@ public static function htmlDecode($text)
public static function pathFile($path, $file=false)
{
if($file!==false){
if ($file!==false){
$fullPath = $path.$file;
}
else {
} else {
$fullPath = $path;
}
// Fix for Windows on paths. eg: $path = c:\diego/page/subpage convert to c:\diego\page\subpages
$fullPath = str_replace('/', DS, $fullPath);
if(CHECK_SYMBOLIC_LINKS) {
if (CHECK_SYMBOLIC_LINKS) {
$real = realpath($fullPath);
}
else {
} else {
$real = file_exists($fullPath)?$fullPath:false;
}
// If $real is FALSE the file does not exist.
if($real===false) {
if ($real===false) {
return false;
}
// If the $real path does not start with the systemPath then this is Path Traversal.
if(strpos($fullPath, $real)!==0) {
if (strpos($fullPath, $real)!==0) {
return false;
}

Large diffs are not rendered by default.

@@ -105,10 +105,10 @@ public function p($string)
}
// Add keys=>values to the current dicionary
// This method overwrite the key=>value
// This method don't overwrite the current value
public function add($array)
{
$this->db = array_merge($array, $this->db);
$this->db = array_merge($this->db, $array);
}
// Returns an array with all dictionaries
@@ -88,7 +88,7 @@ public function adminBodyEnd()
addContentSimpleMDE("!['.$L->get('Image description').']("+filename+")");
}'.PHP_EOL;
$html .= '$(document).ready(function() { '.PHP_EOL;
//$html .= '$(document).ready(function() { '.PHP_EOL;
$html .= 'simplemde = new SimpleMDE({
element: document.getElementById("jseditor"),
status: false,
@@ -114,7 +114,7 @@ className: "oi oi-crop",
title: "'.$L->get('Pagebreak').'",
}]
});';
$html .= '}); </script>';
$html .= '</script>';
return $html;
}
}
@@ -583,7 +583,7 @@ function redirect($url) {
<meta name="robots" content="noindex,nofollow">

<!-- Favicon -->
<link rel="shortcut icon" type="image/x-icon" href="bl-kernel/admin/themes/booty/img/favicon.png?version=<?php echo time() ?>">
<link rel="shortcut icon" type="image/x-icon" href="bl-kernel/img/favicon.png?version=<?php echo time() ?>">

<!-- CSS -->
<link rel="stylesheet" type="text/css" href="bl-kernel/css/bootstrap.min.css?version=<?php echo time() ?>">

0 comments on commit d0843a4

Please sign in to comment.
You can’t perform that action at this time.