fix aa2

openemr · Sep 25, 2022 · d10b1bf · d10b1bf
1 parent 4565d8d
commit d10b1bf
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 165 deletions.
diff --git a/interface/main/backup.php b/interface/main/backup.php
@@ -116,8 +116,8 @@ function gzopen($filename, $mode, $use_include_path = 0)
 $BACKUP_DIR = $TMP_BASE . "/emr_backup";
 $TAR_FILE_PATH = $TMP_BASE . DIRECTORY_SEPARATOR . $backup_file_prefix . $backup_file_suffix;
 $EXPORT_FILE = $GLOBALS['temporary_files_dir'] . "/openemr_config.sql";
-$MYSQL_PATH = $GLOBALS['mysql_bin_dir'];
-$PERL_PATH = $GLOBALS['perl_bin_dir'];
+$MYSQL_PATH = realpath($GLOBALS['mysql_bin_dir']);
+$PERL_PATH = realpath($GLOBALS['perl_bin_dir']);
 
 if ($form_step == 6) {
     header("Pragma: public");

diff --git a/interface/patient_file/education.php b/interface/patient_file/education.php
@@ -15,6 +15,7 @@
 require_once("../globals.php");
 require_once("$srcdir/options.inc.php");
 
+use OpenEMR\Common\Crypto\CryptoGen;
 use OpenEMR\Common\Csrf\CsrfUtils;
 use OpenEMR\Core\Header;
 
@@ -61,29 +62,31 @@
             $url .= '&informationRecipient.languageCode.c=es';
         }
 
-        // There are 2 different ways to get the data: have the server do it, or
-        // have the browser do it.
-        if (false) {
-            $data = file_get_contents($url);
-            echo text($data);
-        } else { // Removed opener because this is not a dialog. sjp 12/14/17
-            echo "<html><body>"
-            //."<script type=\"text/javascript\" src=\"". $webroot ."/interface/main/tabs/js/include_opener.js\"></script>"
-            . "<script>\n";
-            echo "document.location.href = " . js_escape($url) . ";\n";
-            echo "</script></body></html>\n";
-        }
+        echo "<html><body>"
+        //."<script type=\"text/javascript\" src=\"". $webroot ."/interface/main/tabs/js/include_opener.js\"></script>"
+        . "<script>\n";
+        echo "document.location.href = " . js_escape($url) . ";\n";
+        echo "</script></body></html>\n";
 
         exit();
     } else {
         $lang = 'en';
         if ($language == 'es' || $language == 'spanish') {
             $lang = 'es';
         }
-
         $filename = strtolower("{$codetype}_{$codevalue}_{$lang}.pdf");
+        check_file_dir_name($filename);
         $filepath = "$educationdir/$filename";
+
         if (is_file($filepath)) {
+            $fileData = file_get_contents($filepath);
+
+            // Decrypt file, if applicable.
+            $cryptoGen = new CryptoGen();
+            if ($cryptoGen->cryptCheckStandard($fileData)) {
+                $fileData = $cryptoGen->decryptStandard($fileData, null, 'database');
+            }
+
             header('Content-Description: File Transfer');
             header('Content-Transfer-Encoding: binary');
             header('Expires: 0');
@@ -92,10 +95,10 @@
             // attachment, not inline
             header("Content-Disposition: attachment; filename=\"$filename\"");
             header("Content-Type: application/pdf");
-            header("Content-Length: " . filesize($filepath));
+            header("Content-Length: " . strlen($fileData));
             ob_clean();
             flush();
-            readfile($filepath);
+            echo $fileData;
             exit();
         } else {
             $errmsg = xl('There is no local content for this topic.');

diff --git a/interface/super/manage_site_files.php b/interface/super/manage_site_files.php
@@ -16,6 +16,7 @@
 require_once('../globals.php');
 
 use OpenEMR\Common\Acl\AclMain;
+use OpenEMR\Common\Crypto\CryptoGen;
 use OpenEMR\Common\Csrf\CsrfUtils;
 use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
@@ -25,7 +26,6 @@
     exit;
 }
 
-$imagedir     = "$OE_SITE_DIR/images";
 $educationdir = "$OE_SITE_DIR/documents/education";
 
 if (!empty($_POST['bn_save'])) {
@@ -34,78 +34,7 @@
         CsrfUtils::csrfNotVerified();
     }
 
-    /** This is a feature that allows editing of configuration files. Uncomment this
-        at your own risk, since it is considered a critical security vulnerability if
-        OpenEMR is not configured correctly.
-    // Prepare array of names of editable files, relative to the site directory.
-    $my_files = array(
-    'config.php',
-    'faxcover.txt',
-    'faxtitle.eps',
-    'referral_template.html',
-    'statement.inc.php',
-    'letter_templates/custom_pdf.php',
-    );
-    // Append LBF plugin filenames to the array.
-    $lres = sqlStatement('SELECT grp_form_id FROM layout_group_properties ' .
-    "WHERE grp_form_id LIKE 'LBF%' AND grp_group_id = '' AND grp_activity = 1 ORDER BY grp_seq, grp_title");
-    while ($lrow = sqlFetchArray($lres)) {
-    $option_id = $lrow['grp_form_id']; // should start with LBF
-    $my_files[] = "LBF/$option_id.plugin.php";
-    }
-    $form_filename = $_REQUEST['form_filename'];
-    // Sanity check to prevent evildoing.
-    if (!in_array($form_filename, $my_files)) {
-    $form_filename = '';
-    }
-    $filepath = "$OE_SITE_DIR/$form_filename";
-    if ($form_filename) {
-        // Textareas, at least in Firefox, return a \r\n at the end of each line
-        // even though only \n was originally there.  For consistency with
-        // normal OpenEMR usage we translate those back.
-        file_put_contents($filepath, str_replace(
-            "\r\n",
-            "\n",
-            $_POST['form_filedata']
-        ));
-        $form_filename = '';
-    }
-    */
-
-    // Handle image uploads.
-    if (is_uploaded_file($_FILES['form_image']['tmp_name']) && $_FILES['form_image']['size']) {
-        $form_dest_filename = $_POST['form_dest_filename'];
-        if ($form_dest_filename == '') {
-            $form_dest_filename = $_FILES['form_image']['name'];
-        }
-
-        $form_dest_filename = basename($form_dest_filename);
-        if ($form_dest_filename == '') {
-            die(xlt('Cannot find a destination filename'));
-        }
-
-        $path_parts = pathinfo($form_dest_filename);
-        if (!in_array(strtolower($path_parts['extension']), array('gif','jpg','jpe','jpeg','png','svg'))) {
-            die(xlt('Only images files are accepted'));
-        }
-
-        $imagepath = "$imagedir/$form_dest_filename";
-        // If the site's image directory does not yet exist, create it.
-        if (!is_dir($imagedir)) {
-            mkdir($imagedir);
-        }
-
-        if (is_file($imagepath)) {
-            unlink($imagepath);
-        }
-
-        $tmp_name = $_FILES['form_image']['tmp_name'];
-        if (!move_uploaded_file($_FILES['form_image']['tmp_name'], $imagepath)) {
-            die(xlt('Unable to create') . " '" . text($imagepath) . "'");
-        }
-    }
-
-    // Handle PDF uploads for patient education.
+     // Handle PDF uploads for patient education.
     if (is_uploaded_file($_FILES['form_education']['tmp_name']) && $_FILES['form_education']['size']) {
         $form_dest_filename = $_FILES['form_education']['name'];
         $form_dest_filename = strtolower(basename($form_dest_filename));
@@ -123,8 +52,11 @@
             unlink($educationpath);
         }
 
-        $tmp_name = $_FILES['form_education']['tmp_name'];
-        if (!move_uploaded_file($tmp_name, $educationpath)) {
+        $fileData = file_get_contents($_FILES['form_education']['tmp_name']);
+        if ($GLOBALS['drive_encryption']) {
+            $fileData = (new Cryptogen())->encryptStandard($fileData, null, 'database');
+        }
+        if (file_put_contents($educationpath, $fileData) === false) {
             die(text(xl('Unable to create') . " '$educationpath'"));
         }
     }
@@ -283,79 +215,6 @@ function msfFileChanged() {
 
 <table class="table table-bordered border-dark">
 
-<?php /** This is a feature that allows editing of configuration files. Uncomment this
-at your own risk, since it is considered a critical security vulnerability if
-OpenEMR is not configured correctly. ?>
- <tr class='bg-light dehead'>
-  <td colspan='2' align='center'><?php echo xlt('Edit File in') . " " . text($OE_SITE_DIR); ?></td>
- </tr>
- <tr>
-  <td valign='top' class='detail' nowrap>
-   <select name='form_filename' onchange='msfFileChanged()' class="form-control">
-    <option value=''></option>
-<?php
-foreach ($my_files as $filename) {
-    echo "    <option value='" . attr($filename) . "'";
-    if ($filename == $form_filename) {
-        echo " selected";
-    }
-    echo ">" . text($filename) . "</option>\n";
-}
-?>
-   </select>
-   <br />
-   <textarea name='form_filedata' rows='25' class="w-100 form-control"><?php
-    if ($form_filename) {
-        echo text(@file_get_contents($filepath));
-    }
-?></textarea>
-  </td>
- </tr>
-<?php */ ?>
-
- <tr class='dehead bg-light'>
-  <td colspan='2' class='text-center'><?php echo text(xl('Upload Image to') . " $imagedir"); ?></td>
- </tr>
-
- <tr>
-  <td valign='top' class='detail' nowrap>
-    <?php echo xlt('Source File'); ?>:
-   <input type="hidden" name="MAX_FILE_SIZE" value="12000000" />
-   <input type="file" name="form_image" size="40" />&nbsp;
-    <?php echo xlt('Destination Filename'); ?>:
-   <select name='form_dest_filename' class='form-control'>
-    <option value=''>(<?php echo xlt('Use source filename'); ?>)</option>
-<?php
-  // Generate an <option> for each file already in the images directory.
-  $dh = opendir($imagedir);
-if (!$dh) {
-    die(text(xl('Cannot read directory') . " '$imagedir'"));
-}
-
-  $imagesslist = array();
-while (false !== ($sfname = readdir($dh))) {
-    if (substr($sfname, 0, 1) == '.') {
-        continue;
-    }
-
-    if ($sfname == 'CVS') {
-        continue;
-    }
-
-    $imageslist[$sfname] = $sfname;
-}
-
-  closedir($dh);
-  ksort($imageslist);
-foreach ($imageslist as $sfname) {
-    echo "    <option value='" . attr($sfname) . "'";
-    echo ">" . text($sfname) . "</option>\n";
-}
-?>
-   </select>
-  </td>
- </tr>
-
  <tr class='dehead bg-light'>
   <td colspan='2' align='center'><?php echo text(xl('Upload Patient Education PDF to') . " $educationdir"); ?></td>
  </tr>