Vulnerability fixes from Lion Tree

kirilkirkov · Jan 2, 2024 · d22b54e · d22b54e
1 parent cfff7c1
commit d22b54e
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 11 deletions.
diff --git a/application/modules/admin/controllers/advanced_settings/Languages.php b/application/modules/admin/controllers/advanced_settings/Languages.php
@@ -97,7 +97,7 @@ private function saveLanguageFiles()
             }
             $php_value = str_replace("'", '&#39;', $_POST['php_values'][$i]);
 			$php_value = str_replace('"', '&#34;', $php_value);
-            $phpFileInclude .= '$lang[\'' . htmlentities($_POST['php_keys'][$i]) . '\'] = \'' . $php_value . '\';' . "\n";
+            $phpFileInclude .= '$lang[\'' . htmlentities(addslashes($_POST['php_keys'][$i])) . '\'] = \'' . $php_value . '\';' . "\n";
             $prevFile = $phpFile;
             $i++;
         }
@@ -113,7 +113,7 @@ private function saveLanguageFiles()
                 savefile($prevFile, $jsFileInclude);
                 $jsFileInclude = "var lang = { \n";
             }
-            $jsFileInclude .= htmlentities($_POST['js_keys'][$i]) . ':' . '"' . htmlentities($_POST['js_values'][$i]) . '",' . "\n";
+            $jsFileInclude .= htmlentities(addslashes($_POST['js_keys'][$i])) . ':' . '"' . htmlentities(addslashes($_POST['js_values'][$i])) . '",' . "\n";
             $prevFile = $jsFile;
             $i++;
         }
@@ -123,12 +123,33 @@ private function saveLanguageFiles()
 
     private function getLangFolderForEdit()
     {
+        if(!ctype_alnum($_GET['editLang'])) {
+            redirect('admin/languages');
+        }
+
+        $dir = 'application' . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR . '' . $_GET['editLang'] . DIRECTORY_SEPARATOR;
+        if(!is_dir(rtrim($dir, DIRECTORY_SEPARATOR))) {
+            redirect('admin/languages');
+        }
+
         $langFiles = array();
-        $files = rreadDir('application' . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR . '' . $_GET['editLang'] . DIRECTORY_SEPARATOR);
+        $files = rreadDir($dir);
         $arrPhpFiles = $arrJsFiles = array();
         foreach ($files as $ext => $filesLang) {
             foreach ($filesLang as $fileLang) {
                 if ($ext == 'php') {
+
+                    $file_content = file_get_contents($fileLang);
+                    $tokens = token_get_all($file_content);
+                    foreach ($tokens as $tokenK => $token) {
+                        if ($token[0] == T_VARIABLE) {
+                            if($token[1] != '$lang') {
+                                throw new \Exception('Invalid variable name in file ' . $fileLang . ' on line ' . $token[2] . '');
+                            }
+                        }
+                        unset($tokens[$tokenK]);
+                    }
+
                     require $fileLang;
                     if (isset($lang)) {
                         $arrPhpFiles[$fileLang] = $lang;

diff --git a/application/modules/admin/controllers/ecommerce/Publish.php b/application/modules/admin/controllers/ecommerce/Publish.php
@@ -151,13 +151,16 @@ public function loadOthersImages()
     /*
      * called from ajax
      */
-
-    public function removeSecondaryImage()
-    {
+    public function removeSecondaryImage() {
         if ($this->input->is_ajax_request()) {
-            $img = '.' . DIRECTORY_SEPARATOR . 'attachments' . DIRECTORY_SEPARATOR . 'shop_images' . DIRECTORY_SEPARATOR . '' . $_POST['folder'] . DIRECTORY_SEPARATOR . $_POST['image'];
-            unlink($img);
+            $basePath = realpath('.' . DIRECTORY_SEPARATOR . 'attachments' . DIRECTORY_SEPARATOR . 'shop_images' . DIRECTORY_SEPARATOR);
+
+            $folder = realpath($basePath . DIRECTORY_SEPARATOR . $_POST['folder']);
+            $image = $_POST['image'];
+
+            if ($folder !== false && strpos($folder, $basePath) === 0 && is_file($folder . DIRECTORY_SEPARATOR . $image)) {
+                unlink($folder . DIRECTORY_SEPARATOR . $image);
+            }
         }
     }
-
 }
diff --git a/application/modules/admin/models/Orders_model.php b/application/modules/admin/models/Orders_model.php
@@ -78,14 +78,18 @@ private function manageQuantitiesAndProcurement($id, $to_status, $current)
         $arr = $result->row_array();
         $products = unserialize($arr['products']);
         foreach ($products as $product) {
+                if (!is_numeric($product['product_quantity']) || (int)$product['product_info']['id'] < 1) {
+                    continue;
+                }
+
                 if (isset($operator)) {
-                    if (!$this->db->query('UPDATE products SET quantity=quantity' . $operator . $product['product_quantity'] . ' WHERE id = ' . $product['product_info']['id'])) {
+                    if (!$this->db->query('UPDATE products SET quantity=quantity' . $operator . $product['product_quantity'] . ' WHERE id = ' . (int)$product['product_info']['id'])) {
                         log_message('error', print_r($this->db->error(), true));
                         show_error(lang('database_error'));
                     }
                 }
                 if (isset($operator_pro)) {
-                    if (!$this->db->query('UPDATE products SET procurement=procurement' . $operator_pro . $product['product_quantity'] . ' WHERE id = ' . $product['product_info']['id'])) {
+                    if (!$this->db->query('UPDATE products SET procurement=procurement' . $operator_pro . $product['product_quantity'] . ' WHERE id = ' . (int)$product['product_info']['id'])) {
                         log_message('error', print_r($this->db->error(), true));
                         show_error(lang('database_error'));
                     }