Fixed filemanager file upload validations, re: #287
lux committed Sep 11, 2018
1 parent 5f9e2b2 commit 49ba8cc
Showing 6 changed files with 22 additions and 17 deletions.
4 changes: 3 additions & 1 deletion apps/filemanager/handlers/embed.php
Expand Up @@ -110,7 +110,9 @@
return;
}

if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe)$/i', $_POST['newName'])) {
$_POST['newName'] = trim ($_POST['newName']);

if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i', $_POST['newName'])) {
echo __ ('Invalid file type');
return;
}
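Review bot: The executable-extension blacklist on the `if (preg_match (..., $_POST['newName']))` line is now the fifth hand-maintained copy of the same regex in this commit (the others are in redactor/upload.php, upload.php, upload/drop.php and FileManager::verify_file_name), and having to patch all five in lockstep is exactly the maintenance hazard that lets the next gap (`phps`, `php7`, `.user.ini`) slip through one of them. Route the rename through the library instead, if its stricter character class is acceptable for renames: `if (! FileManager::verify_file_name (basename ($_POST['newName']))) {`. Note that `trim ()` strips only whitespace and NUL, so a trailing dot (`evil.php.`) still clears this regex, and nothing in the hunk rejects `/` or `..` in the new name; whether that matters depends on the web server's handler matching and on code outside the hunk. The enclosing handler starts and ends outside the hunk, so a later `basename ()` may exist.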
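--- a/apps/filemanager/handlers/redactor/upload.php
+++ b/apps/filemanager/handlers/redactor/upload.php
@@ -41,9 +41,9 @@
 }
 
 // some browsers may urlencode the file name
-$_FILES['file']['name'] = urldecode ($_FILES['file']['name']);
+$_FILES['file']['name'] = trim (urldecode ($_FILES['file']['name']));
 
-if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe)$/i', $_FILES['file']['name'])) {
+if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i', $_FILES['file']['name'])) {
 echo json_encode (array ('error' => __ ('Cannot upload executable files due to security.')));
 return;
 }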
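Review bot: `$_FILES['file']['name']` is `urldecode`d and trimmed on the first changed line, but nothing in the hunk strips directory components, so a decoded `%2E%2E%2F` becomes `../` in a name that then only has to clear the extension blacklist; PHP does not sanitize this field and the client controls it fully. Normalize it at the same point — `$_FILES['file']['name'] = basename (trim (urldecode ($_FILES['file']['name'])));` — unless the code after the hunk already applies `basename ()`. The denylist also still omits `phps`, `php7`/`php8` and `.user.ini` (which can set `auto_prepend_file` under php-fpm/CGI) as well as the stored-XSS types `svg`/`html`/`htm`, and because it inspects only the final extension, `shell.php.jpg` passes and may execute on Apache setups that match handlers per extension segment; an allowlist of the media types the editor actually needs would be the stronger boundary. The enclosing handler begins and ends outside the hunk.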
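--- a/apps/filemanager/handlers/upload.php
+++ b/apps/filemanager/handlers/upload.php
@@ -49,7 +49,7 @@
 }
 
 for ($i = 0; $i < count ($_FILES['file']['name']); $i++) {
-$_FILES['file']['name'][$i] = urldecode ($_FILES['file']['name'][$i]);
+$_FILES['file']['name'][$i] = trim (urldecode ($_FILES['file']['name'][$i]));
 if (@file_exists ($root . $_POST['path'] . '/' . $_FILES['file']['name'][$i])) {
 $page->title = __ ('File Already Exists') . ': ' . $_FILES['file']['name'][$i];
 echo '<p>' . __ ('A file by that name already exists.') . '</p>';
@@ -62,7 +62,7 @@
 echo '<p><a href="/filemanager">' . __ ('Back') . '</a></p>';
 return;
 }
-if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe)$/i', $_FILES['file']['name'][$i])) {
+if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i', $_FILES['file']['name'][$i])) {
 $page->title = __ ('Invalid File Name') . ': ' . $_FILES['file']['name'][$i];
 echo '<p>' . __ ('Cannot upload executable files due to security.') . '</p>';
 echo '<p><a href="/filemanager">' . __ ('Back') . '</a></p>';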
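Review bot: In the first hunk the decoded and trimmed name is concatenated straight into a filesystem path on the very next line, `@file_exists ($root . $_POST['path'] . '/' . $_FILES['file']['name'][$i])`, before the extension check in the second hunk runs and without `basename ()`, so a name carrying `..` or `/` (which `urldecode` can now produce from `%2E`/`%2F`) is probed against paths outside the target folder — an existence oracle via the `File Already Exists` response — and, if the eventual move reuses the same string, written there too. Normalize once at the top of the loop: `$_FILES['file']['name'][$i] = basename (trim (urldecode ($_FILES['file']['name'][$i])));`. Whether `$_POST['path']` itself is confined under `$root` is decided before the hunk, so I cannot tell from here; the `$page->title` assignments in both hunks also carry the raw client-supplied name, which is an XSS vector unless the template layer escapes it. The `for` loop and the enclosing handler continue outside the hunk.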
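--- a/apps/filemanager/handlers/upload/drop.php
+++ b/apps/filemanager/handlers/upload/drop.php
@@ -45,9 +45,9 @@
 }
 
 // some browsers may urlencode the file name
-$_FILES['file']['name'] = urldecode ($_FILES['file']['name']);
+$_FILES['file']['name'] = trim (urldecode ($_FILES['file']['name']));
 
-if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe)$/i', $_FILES['file']['name'])) {
+if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i', $_FILES['file']['name'])) {
 echo json_encode (array ('success' => false, 'error' => __ ('Cannot upload executable files due to security.')));
 return;
 }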
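Review bot: The extended blacklist on the `if (preg_match (...))` line still judges only the final extension, so `shell.php.jpg` or `shell.phar.png` passes it and may be executed on Apache configurations that assign the PHP handler per extension segment (`AddHandler`/`AddType` for `.php`), and it omits `phps`, `php7`/`php8`, `.user.ini` (which can set `auto_prepend_file` under php-fpm/CGI) and the stored-XSS types `svg`, `html`, `htm` and `xhtml`. Invert the check to an allowlist of what the drop zone is actually meant to accept and require a single extension: `if (! preg_match ('/^[^.]+\.(jpe?g|png|gif|pdf|zip)$/i', $_FILES['file']['name'])) {` — the exact list is a product decision, but a denylist of executables is not a stable boundary. `trim ()` alone also lets a trailing dot through (`evil.php.`), which Windows file systems strip and multi-extension handler matching may ignore, so the single-extension shape is what closes that too. The surrounding handler starts and ends outside the hunk.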
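--- a/apps/filemanager/lib/API.php
+++ b/apps/filemanager/lib/API.php
@@ -13,7 +13,7 @@ class API extends Restful {
 * Handle list directory requests (/filemanager/api/ls).
 */
 public function get_ls () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 $res = FileManager::dir ($file);
 if (! $res) {
@@ -43,7 +43,7 @@ public function get_dirs () {
 * Handle Bitly link requests (/filemanager/api/bitly).
 */
 public function get_bitly () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 $link = $this->controller->absolutize ('/files/' . $file);
 return BitlyLink::lookup ($link);
 }
@@ -52,7 +52,7 @@ public function get_bitly () {
 * Handle remove file requests (/filemanager/api/rm).
 */
 public function post_rm () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 $res = FileManager::unlink ($file);
 if (! $res) {
@@ -71,7 +71,7 @@ public function post_rm () {
 * Note: Erases the contents of the folder as well.
 */
 public function post_rmdir () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 $res = FileManager::rmdir ($file, true);
 if (! $res) {
@@ -89,7 +89,7 @@ public function post_rmdir () {
 * Handle rename requests (/filemanager/api/mv).
 */
 public function post_mv () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 $is_folder = FileManager::verify_folder ($file) ? true : false;
 
@@ -114,7 +114,7 @@ public function post_mv () {
 * folders.
 */
 public function post_drop () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 if (! FileManager::move ($file, $_POST['folder'])) {
 return $this->error (FileManager::error ());
@@ -133,7 +133,7 @@ public function post_drop () {
 * Handle make directory requests (/filemanager/api/mkdir).
 */
 public function post_mkdir () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 
 if (! FileManager::mkdir ($file)) {
 return $this->error (FileManager::error ());
@@ -153,7 +153,7 @@ public function post_mkdir () {
 * be used to set an individual property's value.
 */
 public function post_prop () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 if (! FileManager::verify_file ($file)) {
 return $this->error (__ ('Invalid file name'));
 }
@@ -200,7 +200,7 @@ public function post_prop () {
 * Handle unzip requests via (/filemanager/api/unzip).
 */
 public function post_unzip () {
-$file = urldecode (join ('/', func_get_args ()));
+$file = trim (urldecode (join ('/', func_get_args ())));
 if (! FileManager::verify_file ($file)) {
 return $this->error (__ ('Invalid file name'));
 }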
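Review bot: The expression `trim (urldecode (join ('/', func_get_args ())))` is now pasted verbatim into nine handlers, which is how the next normalization step (say, collapsing `//` or rejecting `..` segments) ends up applied to eight of them. Extract it once — `private function path_arg (array $segments) { return trim (urldecode (join ('/', $segments))); }` — and call `$file = $this->path_arg (func_get_args ());` in each method, so the path-parsing policy lives in one place. Note that `trim ()` here changes addressing rather than safety: a stored name that begins or ends with whitespace can no longer be reached through these endpoints, which may be intended but is worth a comment. Only `post_prop` and `post_unzip` show a `FileManager::verify_file ($file)` call in their hunks; `get_ls`, `get_bitly`, `post_mv`, `post_drop` and `post_mkdir` hand `$file` on unchecked as far as this diff shows, so whether `..` is rejected for them depends on FileManager code I cannot see here. Every method body continues outside its hunk.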
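--- a/apps/filemanager/lib/FileManager.php
+++ b/apps/filemanager/lib/FileManager.php
@@ -160,6 +160,9 @@ public static function unlink ($file) {
 } elseif (! self::verify_file ($file)) {
 self::$error = __ ('File not found');
 return false;
+} elseif (! self::verify_file_name ($file)) {
+self::$error = __ ('Invalid file name');
+return false;
 } elseif (! unlink (self::root () . $file)) {
 self::$error = __ ('Unable to delete') . ' ' . $file;
 return false;
@@ -405,7 +408,7 @@ public static function verify_file_name ($name) {
 if (! preg_match ('/^[a-zA-Z0-9 _-]+\.[a-zA-Z0-9_-]+$/', $name)) {
 return false;
 }
-if (preg_match ('/\.php$/i', $name)) {
+if (preg_match ('/\.(php|phtml|pht|php3|php4|php5|phar|js|rb|py|pl|sh|bash|exe|htaccess|htpasswd)$/i', $name)) {
 return false;
 }
 return true;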
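Review bot: The new `verify_file_name ($file)` branch in `unlink ()` is applied to the whole relative path, but the regex shown in the second hunk (`^[a-zA-Z0-9 _-]+\.[a-zA-Z0-9_-]+$`) admits no `/`, so when `API::post_rm` passes a path it built with `join ('/', func_get_args ())` (visible in this commit), deleting anything inside a subfolder will now fail with `Invalid file name`; names with a second dot (`report.final.pdf`) fail the same way. Validate the leaf instead — `} elseif (! self::verify_file_name (basename ($file))) {` — and let the `verify_file ($file)` check above it keep responsibility for the directory part. In the second hunk, adding `htaccess|htpasswd` to this function's blacklist is redundant for the dangerous case, because the first regex already requires at least one character before the single dot, so a bare `.htaccess` never reaches it; the four handler copies elsewhere in this commit do need it, which argues for those handlers calling this function rather than carrying their own regex. Both `unlink ()` and `verify_file_name ()` continue outside their hunks.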
