Skip to content
Permalink
Browse files Browse the repository at this point in the history
Change the fax file name to md5 to avoid characters that present a se…
…curity risk.
  • Loading branch information
markjcrane committed Nov 3, 2021
1 parent 57b7bf0 commit 487afc3
Showing 1 changed file with 4 additions and 22 deletions.
26 changes: 4 additions & 22 deletions app/fax/fax_send.php
Expand Up @@ -351,28 +351,10 @@ function fax_split_dtmf(&$fax_number, &$fax_dtmf){
$disallowed_file_extensions = explode(',','sh,ssh,so,dll,exe,bat,vbs,zip,rar,z,tar,tbz,tgz,gz');
if (in_array($fax_file_extension, $disallowed_file_extensions) || $fax_file_extension == '') { continue; }

$fax_name = $_files['name'][$index];
$fax_name = preg_replace('/\\.[^.\\s]{3,4}$/', '', $fax_name);
$fax_name = str_replace(" ", "_", $fax_name);

//lua doesn't seem to like special chars with env:GetHeader
$fax_name = str_replace(";", "_", $fax_name);
$fax_name = str_replace(",", "_", $fax_name);
$fax_name = str_replace("'", "_", $fax_name);
$fax_name = str_replace("!", "_", $fax_name);
$fax_name = str_replace("@", "_", $fax_name);
$fax_name = str_replace("#", "_", $fax_name);
$fax_name = str_replace("$", "_", $fax_name);
$fax_name = str_replace("%", "_", $fax_name);
$fax_name = str_replace("^", "_", $fax_name);
$fax_name = str_replace("`", "_", $fax_name);
$fax_name = str_replace("~", "_", $fax_name);
$fax_name = str_replace("&", "_", $fax_name);
$fax_name = str_replace("(", "_", $fax_name);
$fax_name = str_replace(")", "_", $fax_name);
$fax_name = str_replace("+", "_", $fax_name);
$fax_name = str_replace("=", "_", $fax_name);
//use a safe file name
$fax_name = md5($_files['name'][$index]);

//rename the file
$attachment_file_name = $_files['name'][$index];
if ($attachment_file_name != $fax_name.'.'.$fax_file_extension) {
rename($dir_fax_temp.'/'.$attachment_file_name, $dir_fax_temp.'/'.$fax_name.'.'.$fax_file_extension);
Expand All @@ -382,7 +364,7 @@ function fax_split_dtmf(&$fax_number, &$fax_dtmf){
if (!$included) {
//check if directory exists
if (!is_dir($dir_fax_temp)) {
event_socket_mkdir($dir_fax_temp);
mkdir($dir_fax_temp, 0770);
}
//move uploaded file
move_uploaded_file($_files['tmp_name'][$index], $dir_fax_temp.'/'.$fax_name.'.'.$fax_file_extension);
Expand Down

0 comments on commit 487afc3

Please sign in to comment.